RWM
Guest
Posts: n/a

Is there another way to ask this question that is more likely to garner
a constructive response? Can't believe it's over the collective heads
of this august group...

Thanks.

RWM wrote:
> I am struggling to find the proper configuration for a Workgroup Client
> Bridge (WCB) connecting several wired machines to a working Access Point
> (AP), all on the same NAT 192.A.B.x subnet.
> I can get the WCB to associate (SSID) and authenticate (WEP) with the
> AP, can ping the WCB from anywhere on the network, but cannot connect to
> internet from the machine connected via the WCB.
>
> The network configuration is:
>
> Internet >> Firewall (Public IP, running NAT) >> Switch supports LAN
> (192.A.B.a thru .g) >>
>
> >> AP (192.A.B.x) supports wireless clients (192.A.B.p thru
> .t) >>
>
> >> WCB (192.A.B.y) supports remote wired client
>
> The AP metrics are IP = 192.A.B.x, subnet 255.255.255.0, with default
> gateway = ISP public default GW IP 216.C.D.E
>
> The WCB metrics are IP = 192.A.B.y, subnet 255.255.255.0, and here is
> the question....
>
> What should the default gateway be for the WCB?
> - the ISP public default gateway IP 216.C.D.E?
> - the AP's private IP 192.A.B.x ?
> - 0.0.0.0 ?
> - other ?
>
> Thanks.
Jeff Liebermann
Guest
Posts: n/a

On Tue, 14 Feb 2006 17:59:10 -0500, RWM <(E-Mail Removed)> wrote:

>Is there another way to ask this question that is more likely to garner
>a constructive response? Can't believe it's over the collective heads
>of this august group...

Yes. I make it a habit of ignoring questions that don't bother to specify the hardware maker and model numbers. Supplying the absolute minimum amount of information just makes it more difficult to answer.

>RWM wrote:
>> I am struggling to find the proper configuration for a Workgroup Client
>> Bridge (WCB) connecting several wired machines to a working Access Point
>> (AP), all on the same NAT 192.A.B.x subnet.

My guess would be Cisco hardware. Do I get a gold star?

>> I can get the WCB to associate (SSID) and authenticate (WEP) with the
>> AP, can ping the WCB from anywhere on the network,

OK, you have a successful wireless link. I'll assume that since it's a Cisco workgroup bridge, that it can bridge more than one MAC address. Depending on model numbers and configuration, there are a large number of "bridges" that will only bridge one MAC address. Probably not a problem here.

>> but cannot connect to
>> internet from the machine connected via the WCB.
>>
>> The network configuration is:
>>
>> Internet >> Firewall (Public IP, running NAT) >> Switch supports LAN
>> (192.A.B.a thru .g) >>
>>
>> >> AP (192.A.B.x) supports wireless clients (192.A.B.p thru
>> .t) >>
>>
>> >> WCB (192.A.B.y) supports remote wired client

You asked about other ways to ask your question. I have a problem with word wrapped diagrams that I have to unscramble to decode. I suggest you change to a top down drawing instead of trying to wrap it across the page. Converting your mess into something readable. There's also no reason to mangle non-routeable IP addresses. I'll throw in my own assumed numbers for the LAN side.

Internet
 |
Firewall WAN=216.xxx.xxx.xxx
 ^ LAN=192.168.1.1
 |
Switch
 | |
 | |--<-- 192.168.1.2 thru 192.168.1.10 clients
 ^
 |
Access Point 192.168.1.200
 |
 |
Workgroup Client Bridge 192.168.1.201
 |
 ^
 |----<--- 192.168.1.15 client computah

You've indicated that you can ping the Workgroup client bridge from anywhere on the network.

Does that include both the clients directly connected to the switch as well as the single client connected to the WCB?

Can they also all ping the access point IP address?

Can they all ping the switch IP address (if it has one).

Can they all ping the firewall IP address?

Is the switch a dumb 10/100 ethernet switch, or a Cisco 2948 Layer 3 switch, or something in between? If it's configurable, are there any VLAN's or filters running that might prevent proper operation?

>> The AP metrics are IP = 192.A.B.x, subnet 255.255.255.0, with default
>> gateway = ISP public default GW IP 216.C.D.E

Wrong. The default gateway of EVERYTHING that's on the LAN side of the router should point to the LAN side IP address of the router, 192.168.1.1. Pointing to something on the internet won't work because nothing on the LAN knows how to get to the IP on the internet without first going through the router.

>> The WCB metrics are IP = 192.A.B.y, subnet 255.255.255.0, and here is
>> the question....
>>
>> What should the default gateway be for the WCB?

192.168.1.1 (Router LAN IP address)

>> - the ISP public default gateway IP 216.C.D.E?
>> - the AP's private IP 192.A.B.x ?
>> - 0.0.0.0 ?
>> - other ?

--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831-336-2558 (E-Mail Removed)
# http://802.11junk.com (E-Mail Removed)
# http://www.LearnByDestroying.com AE6KS
RWM
Guest
Posts: n/a

Jeff Liebermann wrote:
> On Tue, 14 Feb 2006 17:59:10 -0500, RWM <(E-Mail Removed)> wrote:
>
>>Is there another way to ask this question that is more likely to garner
>>a constructive response? Can't believe it's over the collective heads
>>of this august group...
>
> Yes. I make it a habit of ignoring questions that don't bother to
> specify the hardware maker and model numbers. Supplying the absolute
> minimum amount of information just makes it more difficult to answer.

Fair enough. Point taken.

>>RWM wrote:
>>
>>>I am struggling to find the proper configuration for a Workgroup Client
>>>Bridge (WCB) connecting several wired machines to a working Access Point
>>>(AP), all on the same NAT 192.A.B.x subnet.
>
> My guess would be Cisco hardware. Do I get a gold star?

Agreed, "WCB" is a Cisco giveaway, but no, this is a Senao 3054cb3 bridge and 2611cb3 AP, both operating in 802.11b mode.

>>>I can get the WCB to associate (SSID) and authenticate (WEP) with the
>>>AP, can ping the WCB from anywhere on the network,
>
> OK, you have a successful wireless link. I'll assume that since it's
> a Cisco workgroup bridge, that it can bridge more than one MAC
> address. Depending on model numbers and configuration, there are a
> large number of "bridges" that will only bridge one MAC address.
> Probably not a problem here.

The 3054cb3 will bridge multiple MAC addresses.

>>>but cannot connect to
>>>internet from the machine connected via the WCB.
>>>
>>>The network configuration is:
>>>
>>> Internet >> Firewall (Public IP, running NAT) >> Switch supports LAN
>>>(192.A.B.a thru .g) >>
>>>
>>> >> AP (192.A.B.x) supports wireless clients (192.A.B.p thru
>>>.t) >>
>>>
>>> >> WCB (192.A.B.y) supports remote wired client
>
> You asked about other ways to ask your question. I have a problem
> with word wrapped diagrams that I have to unscramble to decode. I
> suggest you change to a top down drawing instead of trying to wrap it
> across the page.

Point taken. Perhaps a list FAQ is in order... ASCII visualizations are not a specialty.

> Converting your mess into something readable.
> There's also no reason to mangle non-routeable IP addresses.

Understood, but easier to type.

> I'll
> throw in my own assumed numbers for the LAN side.
>
> Internet
> |
> Firewall WAN=216.xxx.xxx.xxx
> ^ LAN=192.168.1.1

OK, except this has been configured LAN = WAN address for ~ five years.

> |
> Switch
> | |
> | |--<-- 192.168.1.2 thru 192.168.1.10 clients

Yes.

> ^
> |
> Access Point 192.168.1.200

Yes.

> |
> |
> Workgroup Client Bridge 192.168.1.201

Yes, except .199

> |
> ^
> |----<--- 192.168.1.15 client computah

Yes.

> You've indicated that you can ping the Workgroup client bridge from
> anywhere on the network.

Yes.

> Does that include both the clients directly connected to the switch as
> well as the single client connected to the WCB?

Yes, and from wireless clients accessing via the AP.

> Can they also all ping the access point IP address?

Yes.

> Can they all ping the switch IP address (if it has one).

It's IP-less. It's a pair of 8-port 10/100 switches.

> Can they all ping the firewall IP address?

Yes, with the caveat that its LAN address is its public WAN address.

> Is the switch a dumb 10/100 ethernet switch, or a Cisco 2948 Layer 3
> switch, or something in between? If it's configurable, are there any
> VLAN's or filters running that might prevent proper operation?

Pair of dumb 8-ports; up a notch from prior 10-speed hubs...

>>>The AP metrics are IP = 192.A.B.x, subnet 255.255.255.0, with default
>>>gateway = ISP public default GW IP 216.C.D.E
>
> Wrong. The default gateway of EVERYTHING that's on the LAN side of
> the router should point to the LAN side IP address of the router,
> 192.168.1.1. Pointing to something on the internet won't work because
> nothing on the LAN knows how to get to the IP on the internet without
> first going through the router.

OK, now this is interesting, in that the net has worked fine as previously indicated with WAN IP = LAN IP.

>>>The WCB metrics are IP = 192.A.B.y, subnet 255.255.255.0, and here is
>>>the question....
>>>
>>> What should the default gateway be for the WCB?
>
> 192.168.1.1 (Router LAN IP address)

Understood, with the above caveat that with the exception of the Senao bridge, it works as is with the LAN IP = WAN IP = public.

(I should also mention that there is a fallback Proxim Rangelan2 bridge working on that segment now, with the gateway = WAN IP.)

>>> - the ISP public default gateway IP 216.C.D.E?
>>> - the AP's private IP 192.A.B.x ?
>>> - 0.0.0.0 ?
>>> - other ?

Thanks sincerely for your response, Jeff. While making the indicated changes, any view as to why it works "as is"?

- Bob Mann
Jeff Liebermann
Guest
Posts: n/a

On Tue, 14 Feb 2006 19:30:33 -0500, RWM <(E-Mail Removed)> wrote:

>Agreed, "WCB" is a Cisco giveaway, but no, this is a Senao 3054cb3
>bridge and 2611cb3 AP, both operating in 802.11b mode.

So much for my gold star.

>The 3054cb3 will bridge multiple MAC addresses.

The 3054CB3 will bridge multiple MAC addresses. However I'm not so sure about the 2611DB3 operating in client mode. Digging....
Ah, the data sheet mumbles something about "Multi-Client Bridge Functionality" which I guess means it will bridge more than one MAC address. In any case, it should work with your one client computah with just one MAC.

>Point taken. Perhaps a list FAQ is in order... ASCII visualizations
>are not a specialty.

Nope. Just my personal preferences and experiences.
There are tools available to do ASCII drafting but I never use them.

>Converting your mess into something readable.
>> There's also no reason to mangle non-routeable IP addresses.

>Understood, but easier to type.

I once wasted about an hour trying to troubleshoot what turned out to be a subnet mask problem. I couldn't figure out what was happening because the person with the question camouflaged all the IP addresses in various ways. Once I pried the real IP addresses out of him, the answer was obvious. In any case, there's no security reason to hide non-routeable IP addresses.

>> Internet
>> |
>> Firewall WAN=216.xxx.xxx.xxx
>> ^ LAN=192.168.1.1

>OK, except this has been configured LAN = WAN address for ~ five years.

That can only work if the router/firewall/NAT device has dual IP addresses (alias) for the LAN interface. For example, if the WAN port was 216.216.216.111, while the LAN port was BOTH 216.216.216.1 and 192.168.1.1. I've seen this done and it does work, but only with high end or Linux routers.

However it does cause problems with some Windoze and Mac clients that do not appreciate having a default gateway that is outside of the netmask range. For example, if the client's LAN IP is 192.168.1.2, but the gateway is 216.216.216.1, some operating systems just will not push packets at the gateway. Fortunately, this has become somewhat common with VPN's, so the later operating systems all accommodate this arrangement.

I think there are some potential security implications by having clients use the WAN side IP instead of the LAN side. I wanna do some reading first before I proclaim this to be a problem.

Any chance the PC on the wireless link is some ancient junker running Windoze 95 or 98 first edition?

So, what does your DHCP server deliver to the client? What does:
  IPCONFIG
look like?

Also, it would be interesting to see the routing table. Dump:
  ROUTE PRINT
and see where the default gateway points.

Also, what's the make and model of firewall/router/NAT box ?

>> Does that include both the clients directly connected to the switch as
>> well as the single client connected to the WCB?
>Yes, and from wireless clients accessing via the AP.

>> Can they also all ping the access point IP address?
>Yes.

So you can literally ping anything from anywhere on the LAN side. That means the LAN side is working (as you noted). The problem could only be a routeing problem going to the internet.

>> Can they all ping the firewall IP address?
>Yes, with the caveat that its LAN address is its public WAN address.

That's not the way it's normally done. If the router does NAT, the LAN side IP address must be a LAN address. As I previously mentioned, there may be a 2nd IP address which might be routeable, but that's rather unusual. Is this network part of a larger VPN based enterprise LAN? If so, the routeable IP address on router may actually be a tunnel to elsewhere on a corporate LAN.

>>>>The AP metrics are IP = 192.A.B.x, subnet 255.255.255.0, with default
>>>>gateway = ISP public default GW IP 216.C.D.E

>> Wrong. The default gateway of EVERYTHING that's on the LAN side of
>> the router should point to the LAN side IP address of the router,
>> 192.168.1.1. Pointing to something on the internet won't work because
>> nothing on the LAN knows how to get to the IP on the internet without
>> first going through the router.

>OK, now this is interesting, in that the net has worked fine as
>previously indicated with WAN IP = LAN IP.

If it's running NAT, it should have an IP address on the LAN side. Try setting the gateway to 192.168.1.1 (or whatever) on the PC going through the wireless link and see if that magically fixes things.

>>>> What should the default gateway be for the WCB?

>> 192.168.1.1 (Router LAN IP address)

>Understood, with the above caveat that with the exception of the Senao
>bridge, it works as is with the LAN IP = WAN IP = public.

In theory, the Senao radios are a bridge which works on the MAC layer and know nothing about IP addresses. Unless there's some filtering going on, I can't think of anything I could do in the Senao bridge radios to allow pings, but no internet access. The MAC address for the WAN IP and the LAN IP would be the same so anything sent to there router should be accepted. Weird.

>(I should also mention that there is a fallback Proxim Rangelan2 bridge
>working on that segment now, with the gateway = WAN IP.)

You must like antique wireless hardware. Frequency hoppers are ancient. Well, if it works with the Proxim Rangelan2, then it should work with the Senao. Offhand, I can't think of any reason it shouldn't work. So far, the only thing that's either wrong or odd is the use of the WAN side IP as the gateway.

>Thanks sincerely for your response, Jeff. While making the indicated
>changes, any view as to why it works "as is"?

I just did a fast check on my office W2K box to see if I could put the gateway outside the LAN netmask range. Yep. It works. So, it's not a problem, just an unusual way of setting up a network. It should work as is, but it's not usually done like that. That leaves the question of what inside the Senao bridge radios is causing the problem.

Can you test the computer that's going through the wireless link with a direct ethernet connection? I'm just curious if it works without the wireless. If it does work with an ethernet cable, then it has to be something screwy in the Senao radios (by process of elimination).

Good luck.

--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831-336-2558 (E-Mail Removed)
# http://802.11junk.com (E-Mail Removed)
# http://www.LearnByDestroying.com AE6KS
RWM
Guest
Posts: n/a

Jeff Liebermann wrote:
> On Tue, 14 Feb 2006 19:30:33 -0500, RWM <(E-Mail Removed)> wrote:
>
>>Agreed, "WCB" is a Cisco giveaway, but no, this is a Senao 3054cb3
>>bridge and 2611cb3 AP, both operating in 802.11b mode.
>
> So much for my gold star.
>
>>The 3054cb3 will bridge multiple MAC addresses.
>
> The 3054CB3 will bridge multiple MAC addresses. However I'm not so
> sure about the 2611DB3 operating in client mode. Digging....
> Ah, the data sheet mumbles something about "Multi-Client Bridge
> Functionality" which I guess means it will bridge more than one MAC
> address. In any case, it should work with your one client computah
> with just one MAC.
>
>>Point taken. Perhaps a list FAQ is in order... ASCII visualizations
>>are not a specialty.
>
> Nope. Just my personal preferences and experiences.
> There are tools available to do ASCII drafting but I never use them.
>
>>Converting your mess into something readable.
>>
>>>There's also no reason to mangle non-routeable IP addresses.
>
>>Understood, but easier to type.
>
> I once wasted about an hour trying to troubleshoot what turned out to
> be a subnet mask problem. I couldn't figure out what was happening
> because the person with the question camouflaged all the IP addresses
> in various ways. Once I pried the real IP addresses out of him, the
> answer was obvious. In any case, there's no security reason to hide
> non-routeable IP addresses.
>
>>> Internet
>>> |
>>> Firewall WAN=216.xxx.xxx.xxx
>>> ^ LAN=192.168.1.1
>
>>OK, except this has been configured LAN = WAN address for ~ five years.
>
> That can only work if the router/firewall/NAT device has dual IP
> addresses (alias) for the LAN interface. For example, if the WAN port
> was 216.216.216.111, while the LAN port was BOTH 216.216.216.1 and
> 192.168.1.1. I've seen this done and it does work, but only with high
> end or Linux routers.

The firewall is an original SonicWall device; not sure if it has dual IP capability for the LAN interface, in any case it only allows one IP to be specified.

> However it does cause problems with some Windoze and Mac clients that
> do not appreciate having a default gateway that is outside of the
> netmask range. For example, if the client's LAN IP is 192.168.1.2,
> but the gateway is 216.216.216.1, some operating systems just will not
> push packets at the gateway. Fortunately, this has become somewhat
> common with VPN's, so the later operating systems all accommodate this
> arrangement.

This is an interesting observation, in that I have never been able to successfully create a VPN link through the Sonic in this configuration.

> I think there are some potential security implications by having
> clients use the WAN side IP instead of the LAN side. I wanna do some
> reading first before I proclaim this to be a problem.
>
> Any chance the PC on the wireless link is some ancient junker running
> Windoze 95 or 98 first edition?

A mix of WinXP, Win2K and one ancient Win98SE machine.

> So, what does your DHCP server deliver to the client? What does:
> IPCONFIG
> look like?

They are all static IPs; no DHCP enabled anywhere on the network.

> Also, it would be interesting to see the routing table. Dump:
> ROUTE PRINT
> and see where the default gateway points.

These are from a working wireless client (via the 2611CB3 functioning as the AP):

C:\>ipconfig /all

Windows 2000 IP Configuration

        Host Name . . . . . . . . . . . . : ARIES-2
        Primary DNS Suffix . . . . . . . :
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection 2:

        Connection-specific DNS Suffix . :
        Description . . . . . . . . . . . : Intersil PRISM Wireless LAN PC Card
        Physical Address. . . . . . . . . : 00-02-3B-3A-1C-56
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.168.101
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 216.251.112.1
        DNS Servers . . . . . . . . . . . : 216.251.95.2
                                            216.251.41.2

C:\>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2000003 ...00 02 3b 3a 1c 56 ...... Intersil PRISM Wireless LAN PC Card
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway        Interface  Metric
          0.0.0.0          0.0.0.0    216.251.112.1  192.168.168.101       1
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1       1
    192.168.168.0    255.255.255.0  192.168.168.101  192.168.168.101       1
  192.168.168.101  255.255.255.255        127.0.0.1        127.0.0.1       1
  192.168.168.255  255.255.255.255  192.168.168.101  192.168.168.101       1
        224.0.0.0        224.0.0.0  192.168.168.101  192.168.168.101       1
  255.255.255.255  255.255.255.255  192.168.168.101  192.168.168.101       1
Default Gateway:     216.251.112.1
===========================================================================
Persistent Routes:
  None

> Also, what's the make and model of firewall/router/NAT box ?

SonicWall/10 (the original FW appliance)

>>>Does that include both the clients directly connected to the switch as
>>>well as the single client connected to the WCB?
>>
>>Yes, and from wireless clients accessing via the AP.
>>
>>>Can they also all ping the access point IP address?
>>
>>Yes.
>
> So you can literally ping anything from anywhere on the LAN side. That
> means the LAN side is working (as you noted). The problem could only
> be a routeing problem going to the internet.
>
>>>Can they all ping the firewall IP address?
>>
>>Yes, with the caveat that its LAN address is its public WAN address.
>
> That's not the way it's normally done. If the router does NAT, the
> LAN side IP address must be a LAN address. As I previously mentioned,
> there may be a 2nd IP address which might be routeable, but that's
> rather unusual. Is this network part of a larger VPN based enterprise
> LAN? If so, the routeable IP address on router may actually be a
> tunnel to elsewhere on a corporate LAN.

No, it's a plain vanilla (well, with a twist) SOHO network.

>>>>>The AP metrics are IP = 192.A.B.x, subnet 255.255.255.0, with default
>>>>>gateway = ISP public default GW IP 216.C.D.E
>
>>>Wrong. The default gateway of EVERYTHING that's on the LAN side of
>>>the router should point to the LAN side IP address of the router,
>>>192.168.1.1. Pointing to something on the internet won't work because
>>>nothing on the LAN knows how to get to the IP on the internet without
>>>first going through the router.
>
>>OK, now this is interesting, in that the net has worked fine as
>>previously indicated with WAN IP = LAN IP.
>
> If it's running NAT, it should have an IP address on the LAN side. Try
> setting the gateway to 192.168.1.1 (or whatever) on the PC going
> through the wireless link and see if that magically fixes things.

I have tried this (as well as 0.0.0.0) on the bridged machine, with no joy, but that is with the unusual firewall gateway IP. I will change that and give it a try.

>>>>> What should the default gateway be for the WCB?
>>>
>>>192.168.1.1 (Router LAN IP address)
>
>>Understood, with the above caveat that with the exception of the Senao
>>bridge, it works as is with the LAN IP = WAN IP = public.
>
> In theory, the Senao radios are a bridge which works on the MAC layer
> and know nothing about IP addresses. Unless there's some filtering
> going on, I can't think of anything I could do in the Senao bridge
> radios to allow pings, but no internet access. The MAC address for
> the WAN IP and the LAN IP would be the same so anything sent to there
> router should be accepted. Weird.
>
>>(I should also mention that there is a fallback Proxim Rangelan2 bridge
>>working on that segment now, with the gateway = WAN IP.)
>
> You must like antique wireless hardware. Frequency hoppers are
> ancient.

But you know, no one else has them, so they are relatively secure both by design and limited user population. You should see my tin cup and string setup. And sneakernet still works, too.

> Well, if it works with the Proxim Rangelan2, then it should
> work with the Senao. Offhand, I can't think of any reason it
> shouldn't work. So far, the only thing that's either wrong or odd is
> the use of the WAN side IP as the gateway.
>
>>Thanks sincerely for your response, Jeff. While making the indicated
>>changes, any view as to why it works "as is"?
>
> I just did a fast check on my office W2K box to see if I could put the
> gateway outside the LAN netmask range. Yep. It works. So, it's not
> a problem, just an unusual way of setting up a network. It should
> work as is, but it's not usually done like that. That leaves the
> question of what inside the Senao bridge radios is causing the
> problem.
>
> Can you test the computer that's going through the wireless link with
> a direct ethernet connection? I'm just curious if it works without
> the wireless. If it does work with an ethernet cable, then it has to
> be something screwy in the Senao radios (by process of elimination).

Any of the laptops works hard-wired, so I was sort of warming (cooling?) to that possibility... I have seen a certain flakiness manifest on occasion with the Senao radios (CB, AP and cards).

> Good luck.

Thanks, Jeff. I'll report back.

- Bob
Jeff Liebermann
Guest
Posts: n/a

On Tue, 14 Feb 2006 22:13:14 -0500, RWM <(E-Mail Removed)> wrote:

>The firewall is an original SonicWall device; not sure if it has dual IP
>capability for the LAN interface, in any case it only allows one IP to
>be specified.

It doesn't. Single IP address per interface. I have a bunch of the original SOHO-10 routers in service and on my router pile. They are excellent routers but rather slow. Add a few filters and they can't do more than about 1Mbit/sec WAN to LAN.

I'm not sure if the original SOHO can even be configured as a non-NAT router. I can fire one up on Thurs and check.

>> However it does cause problems with some Windoze and Mac clients that
>> do not appreciate having a default gateway that is outside of the
>> netmask range. For example, if the client's LAN IP is 192.168.1.2,
>> but the gateway is 216.216.216.1, some operating systems just will not
>> push packets at the gateway. Fortunately, this has become somewhat
>> common with VPN's, so the later operating systems all accommodate this
>> arrangement.
>
>This is an interesting observation, in that I have never been able to
>successfully create a VPN link through the Sonic in this configuration.

I have several VPN's running through a somewhat later Sonicwall TELE router. No problems. I also have a few where the router both initiates and terminates the VPN. No need to go through the router. I vaguely recall that there had to be some tweaking of GRE (general router encapsulation protocol) and redirecting the ports used by IPSec VPN pass-thru to get it to work through the router.

>> Any chance the PC on the wireless link is some ancient junker running
>> Windoze 95 or 98 first edition?
>
>A mix of WinXP, Win2K and one ancient Win98SE machine.

I meant the one computah that's going through the Senao wireless. Is it a Windoze 98SE machine?

>> So, what does your DHCP server deliver to the client? What does:
>> IPCONFIG
>> look like?
>
>They are all static IPs; no DHCP enabled anywhere on the network.

Well, that's understandable. As soon as someone setup the Sonicwall to *NOT* use NAT, it turned off the internal DHCP server. No way for the internal server to deliver routeable IP's. Using the Sonicwall as in "gateway" mode (I think that's the correct term for NAT turned off), will function, but that's not the way it's usually done. Is there a good reason why NAT and DHCP are off?

>These are from a working wireless client (via the 2611CB3 functioning as
>the AP):
> DHCP Enabled. . . . . . . . . . . : No
> IP Address. . . . . . . . . . . . : 192.168.168.101
> Subnet Mask . . . . . . . . . . . : 255.255.255.0
> Default Gateway . . . . . . . . . : 216.251.112.1
> DNS Servers . . . . . . . . . . . : 216.251.95.2
> 216.251.41.2

Amazing. Well, that will work if the Windoze client allows a gateway that's outside the netmask. I'll confess that this is the first time I've seen it done like this.

>Network Destination Netmask Gateway Interface Metric
> 0.0.0.0 0.0.0.0 216.251.112.1 192.168.168.101 1
> 192.168.168.0 255.255.255.0 192.168.168.101 192.168.168.101 1
> 192.168.168.255 255.255.255.255 192.168.168.101 192.168.168.101 1
>Default Gateway: 216.251.112.1

Well, the local LAN and gateway all route correctly.

>SonicWall/10 (the original FW appliance)

Original? There were huge numbers of firmware updates on the SOHO/10. The bin files in my collection show 5.170 as the latest version. There are some later versions (5.6) but my support subscription expired long ago and I was too cheap to renew.
https://www.mysonicwall.com

However, I don't think there's anything broken in the Sonicwall. My best guess is that the Senao bridges are doing something, but I can't figure out what it might be.

>> If it's running NAT, it should have an IP address on the LAN side. Try
>> setting the gateway to 192.168.1.1 (or whatever) on the PC going
>> through the wireless link and see if that magically fixes things.

>I have tried this (as well as 0.0.0.0) on the bridged machine, with no
>joy, but that is with the unusual firewall gateway IP. I will change
>that and give it a try.

The machine at the end of the wireless bridge should be configured the same way as the others. Bridges don't know anything about IP addresses and therefore cannot really mess with the IP layer stuff. It should be totally transparent.

>But you know, no one else has them, so they are relatively secure both
>by design and limited user population.

I have a bunch. Paid about $500/ea for them. I installed most of them in 1999 to 2000. Most are still in service.

>Any of the laptops works hard-wired, so I was sort of warming (cooling?)
>to that possibility... I have seen a certain flakiness manifest on
>occasion with the Senao radios (CB, AP and cards).

Yeah. If that's the case, it has to be Senao. Much as I object to your LAN IP layout, it does work. That leaves Senao.

How about doing something disgusting? Setup one Senao as an access point. No router, no DHCP on the access point. Setup the other end as an ordinary wireless client. No bridging, just a simple client. Kinda crude, but has fewer things to go wrong than a transparent bridge.

Personally, I would rip out the Senao radios and replace them with a pair of WAP54G bridge radios and be done with it.

--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831-336-2558 (E-Mail Removed)
# http://802.11junk.com (E-Mail Removed)
# http://www.LearnByDestroying.com AE6KS
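
The check discussed in the posts above (is the default gateway inside the client's netmask range, and does the routing table agree with it), as an added example that is not part of the original thread. It parses a constructed excerpt of the `ipconfig /all` and `route print` output RWM posted; the function names and the 192.168.168.1 comparison address are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed input: the relevant fields from the `ipconfig /all` and
# `route print` output quoted in the thread (Windows 2000 layout).
IPCONFIG = """\
Ethernet adapter Local Area Connection 2:
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.168.101
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 216.251.112.1
"""

ROUTE_PRINT = """\
Network Destination        Netmask          Gateway        Interface  Metric
          0.0.0.0          0.0.0.0    216.251.112.1  192.168.168.101       1
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1       1
    192.168.168.0    255.255.255.0  192.168.168.101  192.168.168.101       1
  192.168.168.101  255.255.255.255        127.0.0.1        127.0.0.1       1
"""

FIELD = re.compile(
    r"^\s*(IP Address|Subnet Mask|Default Gateway)[ .]*:\s*(\S*)\s*$")
IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
ROUTE = re.compile(r"^\s*" + r"\s+".join([IPV4] * 4) + r"\s+(\d+)\s*$")


def parse_ipconfig(text):
    """Return one dict per adapter holding the IPv4 fields as strings."""
    adapters, current = [], None
    for line in text.splitlines():
        # Adapter headers start in column 0 and end with a colon.
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = {"name": line.rstrip(": ")}
            adapters.append(current)
            continue
        m = FIELD.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return adapters


def parse_routes(text):
    """Return the active routes; header and separator lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE.match(line)
        if m:
            dest, mask, gw, iface, metric = m.groups()
            routes.append({
                "net": ipaddress.ip_network(f"{dest}/{mask}", strict=False),
                "gateway": gw,
                "interface": iface,
                "metric": int(metric),
            })
    return routes


def gateway_on_link(ip, mask, gateway):
    """True when the gateway lies inside the adapter's own subnet."""
    net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    return ipaddress.ip_address(gateway) in net


def audit(ipconfig_text, route_text):
    """Cross-check each adapter's gateway against its subnet and routes."""
    routes = parse_routes(route_text)
    report = []
    for a in parse_ipconfig(ipconfig_text):
        ip = a.get("IP Address")
        mask = a.get("Subnet Mask")
        gw = a.get("Default Gateway")
        if not (ip and mask and gw):
            continue  # adapter without a complete static IPv4 setup
        defaults = [r for r in routes
                    if r["net"].prefixlen == 0 and r["interface"] == ip]
        report.append({
            "adapter": a["name"],
            "gateway": gw,
            "on_link": gateway_on_link(ip, mask, gw),
            "in_route_table": any(r["gateway"] == gw for r in defaults),
        })
    return report


if __name__ == "__main__":
    for row in audit(IPCONFIG, ROUTE_PRINT):
        state = "inside" if row["on_link"] else "OUTSIDE"
        print(f'{row["adapter"]}: gateway {row["gateway"]} is {state} the '
              f'netmask range; default route present: {row["in_route_table"]}')
    # Hypothetical LAN-side gateway address, for comparison only.
    print(gateway_on_link("192.168.168.101", "255.255.255.0", "192.168.168.1"))
```
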
Jeff Liebermann
Guest
Posts: n/a

Jeff Liebermann <(E-Mail Removed)> hath wroth:

>Original? There were huge numbers of firmware updates on the SOHO/10.
>The bin files in my collection show 5.170 as the latest version. There
>are some later versions (5.6) but my support subscription expired long
>ago and I was too cheap to renew.
> https://www.mysonicwall.com

I finally found a login that worked. The latest for Sonicwall/10 is 5.1.7.0 as of Nov 2001. 5.6 is for something else. Release notes, which apparently don't require a login:
http://www.sonicwall.com/ReleaseNote...Notes5170.html

Duh... Is there some chance that the wireless linked computer exceeded the 10 user limit on the Sonicwall? The way it acts is kinda stupid. Instead of expiring the ARP table for old connections and replacing them with the latest connection, it just accumulates them until it runs out. The older versions of the firmware gave no error message. Just no connection to the internet. The easiest temporary fix was to power cycle the Sonicwall, wait forever for it to boot, and then hope that your machine is first in line before it runs out. The client count is displayed on the first page (general) of the setup.

--
Jeff Liebermann (E-Mail Removed)
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
RWM
Guest
Posts: n/a
|
Jeff Liebermann wrote:
> On Tue, 14 Feb 2006 22:13:14 -0500, RWM <(E-Mail Removed)> wrote:
>
>>The firewall is an original SonicWall device; not sure if it has dual IP
>>capability for the LAN interface, in any case it only allows one IP to
>>be specified.
>
> It doesn't. Single IP address per interface. I have a bunch of the
> original SOHO-10 routers in service and on my router pile. They are
> excellent routers but rather slow. Add a few filters and they can't
> do more than about 1Mbit/sec WAN to LAN.
>
> I'm not sure if the original SOHO can even be configured as a non-NAT
> router. I can fire one up on Thurs and check.
>
>>>However it does cause problems with some Windoze and Mac clients that
>>>do not appreciate having a default gateway that is outside of the
>>>netmask range. For example, if the client's LAN IP is 192.168.1.2,
>>>but the gateway is 216.216.216.1, some operating systems just will not
>>>push packets at the gateway. Fortunately, this has become somewhat
>>>common with VPN's, so the later operating systems all accommodate this
>>>arrangement.
>>
>>This is an interesting observation, in that I have never been able to
>>successfully create a VPN link through the Sonic in this configuration.
>
> I have several VPN's running through a somewhat later Sonicwall TELE
> router. No problems. I also have a few where the router both
> initiates and terminates the VPN. No need to go through the router. I
> vaguely recall that there had to be some tweaking of GRE (general
> router encapsulation protocol) and redirecting the ports used by IPSec
> VPN pass-thru to get it to work through the router.
>
>>>Any chance the PC on the wireless link is some ancient junker running
>>>Windoze 95 or 98 first edition?
>>
>>A mix of WinXP, Win2K and one ancient Win98SE machine.
>
> I meant the one computah that's going through the Senao wireless. Is
> it a Windoze 98SE machine?
>

Yes, the desktop is a Win98SE machine, though I tend to set up and test the link with a Win2K laptop so I can hot-swap networking specs and IPs.

>
>>>So, what does your DHCP server deliver to the client? What does:
>>> IPCONFIG
>>>look like?
>>
>>They are all static IPs; no DHCP enabled anywhere on the network.
>
> Well, that's understandable. As soon as someone set up the Sonicwall
> to *NOT* use NAT, it turned off the internal DHCP server. No way for
> the internal server to deliver routeable IP's. Using the Sonicwall as
> in "gateway" mode (I think that's the correct term for NAT turned
> off), will function, but that's not the way it's usually done. Is
> there a good reason why NAT and DHCP are off?

OK, but the Sonic/10 (5.1.7.0 FW, 6 current connections) is in "NAT Enabled" mode and DHCP is NOT enabled.

>
>>These are from a working wireless client (via the 2611CB3 functioning as
>>the AP):
>> DHCP Enabled. . . . . . . . . . . : No
>> IP Address. . . . . . . . . . . . : 192.168.168.101
>> Subnet Mask . . . . . . . . . . . : 255.255.255.0
>> Default Gateway . . . . . . . . . : 216.251.112.1
>> DNS Servers . . . . . . . . . . . : 216.251.95.2
>>                                     216.251.41.2
>
> Amazing. Well, that will work if the Windoze client allows a gateway
> that's outside the netmask. I'll confess that this is the first time
> I've seen it done like this.
>
>>Network Destination  Netmask          Gateway          Interface        Metric
>> 0.0.0.0             0.0.0.0          216.251.112.1    192.168.168.101  1
>> 192.168.168.0       255.255.255.0    192.168.168.101  192.168.168.101  1
>> 192.168.168.255     255.255.255.255  192.168.168.101  192.168.168.101  1
>>Default Gateway: 216.251.112.1
>
> Well, the local LAN and gateway all route correctly.
>
>>SonicWall/10 (the original FW appliance)
>
> Original? There were huge numbers of firmware updates on the SOHO/10.
> The bin files in my collection show 5.170 as the latest version. There
> are some later versions (5.6) but my support subscription expired long
> ago and I was too cheap to renew.

Right, it is running the final 5.1.7.0 FW.

> https://www.mysonicwall.com
> However, I don't think there's anything broken in the Sonicwall. My
> best guess is that the Senao bridges are doing something, but I can't
> figure out what it might be.
>
>>>If it's running NAT, it should have an IP address on the LAN side. Try
>>>setting the gateway to 192.168.1.1 (or whatever) on the PC going
>>>through the wireless link and see if that magically fixes things.
>
>>I have tried this (as well as 0.0.0.0) on the bridged machine, with no
>>joy, but that is with the unusual firewall gateway IP. I will change
>>that and give it a try.
>
> The machine at the end of the wireless bridge should be configured the
> same way as the others. Bridges don't know anything about IP
> addresses and therefore cannot really mess with the IP layer stuff. It
> should be totally transparent.
>
>>But you know, no one else has them, so they are relatively secure both
>>by design and limited user population.
>
> I have a bunch. Paid about $500/ea for them. I installed most of
> them in 1999 to 2000. Most are still in service.

Yes, they are bulletproof and the XR 500mw radios have great coverage; mine have been running without a hiccup since 1999. What I meant by "no one" is not very many people in the non-professional war-driver/AP-snooping crowd have them; not really consumer wireless gear.

>
>>Any of the laptops works hard-wired, so I was sort of warming (cooling?)
>>to that possibility... I have seen a certain flakiness manifest on
>>occasion with the Senao radios (CB, AP and cards).
>
> Yeah. If that's the case, it has to be Senao. Much as I object to
> your LAN IP layout, it does work. That leaves Senao.
>
> How about doing something disgusting? Set up one Senao as an access
> point. No router, no DHCP on the access point.

OK, this is the way the 2611CB3 is set up now; as an AP, no DHCP.

> Set up the other end
> as an ordinary wireless client. No bridging, just a simple client.

If it was a laptop with PCMCIA slot, I would go that way, but the remote client is a desktop, so I am using the 3054CB3 as a wireless adapter.

> Kinda crude, but has fewer things to go wrong than a transparent
> bridge. Personally, I would rip out the Senao radios and replace them
> with a pair of WAP54G bridge radios and be done with it.

That will be the reluctant next step. The 2611CB3 in access point mode works fine, so I may first just try a replacement for the 3054CB3 wireless adapter. Again, thanks.
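
The IPCONFIG output and route table quoted in the post above show a default gateway (216.251.112.1) outside the client's 192.168.168.0/24 subnet, the arrangement that some client operating systems are said to refuse. As an added example (not part of any post in this thread), this Python check parses that kind of output and lists routes whose next hop is not on-link; the sample text is reconstructed from the quoted values and the function names are illustrative.

```python
import ipaddress
import re

# Constructed sample, reconstructed from the values quoted in the thread.
IPCONFIG = """\
IP Address. . . . . . . . . . . . : 192.168.168.101
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 216.251.112.1
"""
ROUTES = """\
0.0.0.0          0.0.0.0          216.251.112.1    192.168.168.101  1
192.168.168.0    255.255.255.0    192.168.168.101  192.168.168.101  1
192.168.168.255  255.255.255.255  192.168.168.101  192.168.168.101  1
"""

def parse_ipconfig(text):
    """Return (interface, default gateway) from 'label . . . : value' lines."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z ]+?)[ .]*:\s*(\S+)", line)
        if m:
            fields[m.group(1).strip()] = m.group(2)
    iface = ipaddress.ip_interface(
        f"{fields['IP Address']}/{fields['Subnet Mask']}")
    return iface, ipaddress.ip_address(fields["Default Gateway"])

def gateway_on_link(iface, gateway):
    """True when the gateway address lies inside the interface's own subnet."""
    return gateway in iface.network

def off_link_routes(iface, routes_text):
    """List (destination, next hop) for routes whose next hop is off-subnet."""
    bad = []
    for line in routes_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip headers and blank lines
        dest, mask, gw, _via, _metric = parts
        hop = ipaddress.ip_address(gw)
        # Windows lists the interface's own address as gateway for on-link routes.
        if hop == iface.ip or hop in iface.network:
            continue
        bad.append((ipaddress.ip_network(f"{dest}/{mask}"), hop))
    return bad

if __name__ == "__main__":
    iface, gw = parse_ipconfig(IPCONFIG)
    print(iface.network, gw, "on-link" if gateway_on_link(iface, gw) else "off-link")
    for net, hop in off_link_routes(iface, ROUTES):
        print(f"route {net} via {hop}: next hop outside {iface.network}")
```

Run against each statically configured client, the same check shows whether the bridged machine's settings really match the working ones.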
RWM
Guest
Posts: n/a
|
Jeff Liebermann wrote:
> Duh... Is there some chance that the wireless linked computer exceeded
> the 10 user limit on the Sonicwall? The way it acts is kinda stupid.
> Instead of expiring the ARP table for old connections and replacing
> them with the latest connection, it just accumulates them until it
> runs out. The older versions of the firmware gave no error message.
> Just no connection to the internet. The easiest temporary fix was to
> power cycle the Sonicwall, wait forever for it to boot, and then hope
> that your machine is first in line before it runs out. The client
> count is displayed on the first page (general) of the setup.

The 5-series F/W throws and logs (on the Sonic and in Syslog) an error if the number of IPs exceeds the license limit of 10, so I don't think that's the issue. The bridged workstation would be IP # 8.