Fourier-1.math.ucsb.edu

Hostname IP Room/Host OS Model Short Description User
Fourier-1 128.111.088.035 Heaviside OPNsense   NAT gateway Infrastructure
Fourier-1 010.254.129.001       Internal IP for 128.111.88.35 Infrastructure

Fourier-1 is a NAT gateway for the 10.254.129.0/24 subnet. This subnet contains devices that we do not allow unfettered access from the Internet -- mainly printers.

To administer Fourier-1, access https://10.254.129.1 from a machine on the NATted subnet.

BINAT

External access to printers behind Fourier-1 is done via bidirectional NAT.

To set up a printer requires configuring three things on Fourier-1:
  • A virtual IP, via Interfaces, Virtual IPs, Settings.
    • Use "IP alias" mode.
    • The interface should be "WAN"
    • The address should have the same subnet mask as the network it's on, e.g. 128.111.88.21/24
    • Make sure "Deny service binding" is checked.
  • A one-to-one NAT rule, via Firewall, NAT, One-to-one.
    • The interface should be "WAN"
    • The type should be "BINAT"
    • The external network should be set to the external IP address, e.g. 128.111.88.21
    • The source should be "Single host or Network", with the value set to the internal IP with a /32 mask; e.g. 10.254.129.21/32.
    • The destination should be "any"
    • The category should be "printing"
    • (Note that the easiest way to set this all up is just to start by duplicating an existing NAT rule.)
  • Incoming filter rules. These are already set up so it's only necessary to add the new printer to the correct alias.
    • Go to Firewall, Aliases
    • Edit "Printers"
    • Add the new internal IP address.

Redundancy

It's possible, and probably a good idea, to add a second redundant firewall. The name "fourier-2" has been reserved for this purpose. A device with two ethernet interfaces on the wired network will be required.

------

* Set ALLOWTOPICVIEW = AdminGroup

Edit AttachPrint versionHistory: r1BacklinksView wiki textEdit wiki textMore topic actions