Well I HAVE learned a ton about networking from troubleshooting my client's system. I remember in audio tech they always said "think signal path". Well I can do that fine, but it's a bit different when the path is laden with devices that need an address to talk to the next bit along the line.

Anyway, the saga to date is.. Hapless programmer stuck with troubleshooting an errant DSL router. Router is the gateway on a static IP block. Router feeds a hardware firewall, which feeds a hub which includes a Win2k server. Everybody wants to be the DHCP server. Router and Firewall both are doing NAT. There's no reason why this arrangement should work, from my googling and posting here and elsewhere. Managed to get everything working after the outage.

I got a break today, when they reported the network down again. I went to the server room and discovered the lights were out on the firewall. Saints be Praised! It committed suicide on me! Surge protector's "Surge" light was lit. From my best estimate, there was a line surge that the Sonicwall was unprotected from for some reason or another. Bought a Netgear firewall to bring down and install tomorrow.

Here's the thing I'm confused about: In the previous configuration, Actiontec 1524 was DHCP server to the firewall. The DHCP server was configured to provide the addresses available in the User Configured portion of the IP block. And it was doing NAT. Therefore, the firewall was picking up the first available User-Configured IP, which happened to also be the address our MX record points to.

From my understanding, a call to an address in the User Configured range (say for instance, the IP referenced by our MX record) first finds the gateway (the DSL router). The gateway figures out that it needs to route the IP inside. Through magic or luck, the Exchange Server hears the call to its IP and scoops up our mail. This assumption was insufficient, it appears.

My client demanded I get SOME connectivity, so with their understanding of the consequences I wired the router directly up to the hub, relying on NAT to protect us from the most clumsy attacks while I bought a new firewall. No mail! Or rather, no POP mail. I can send fine, can't receive. HTTP works great (which of course, to the users, means the Internet is back up). Also, VPN seems to be down (VPN handled by Win2k, address to connect is the same as the MX record).

So, if you're not asleep, here is my current assumption. There is a setting on the Actiontec called "UnNumbered Mode". From the description the tech gave me, this means the router is basically transparent and the user defined IPs are assigned at a point past the router. In the previous configuration, DHCP on the router was assigning the public IPs to the inside (i.e., user-defined IPs were .169-.173, and that was the range assigned for DHCP to deliver). This meant the firewall picked up the first one (MX address and VPN address). Requests for that MX IP found the gateway first, and then looked inside. Since this Unnumbered Mode was switched on, the firewall's "WAN IP" was visible and resolvable to the IP required for the MX record and VPN. The firewall then was able to hang out the request for the Exchange Server (or Terminal Server) to respond to. All was well.

How am I doing? Does this sound reasonable? Are there any pieces I'm missing?

The system was configured by a friend of my slimy, erstwhile business partner. Since I've divorced him, I also lost the network guy. I gave the office manager a stern lecture saying they REALLY need to locate a networking resource to help them with this crap since even though they cost more they'd get this stuff figured out in 1/10th of the time it takes me. They nodded their heads and sent me off to google. sigh. Well, at least they trust me.

Thanks as always for your generous help

Brian Link, Minnesota Countertenor
----------------------------------
"Insert pithy sig here"