IAC-BOX Network Integration
Version 2.0.1
English
24.07.2014

In this HOWTO the basic network infrastructure of the IAC-BOX is described.
Contents

1. Hints
2. Network Integration
3. Interfaces
   3.1. Office-LAN
   3.2. Surf-LAN
   3.3. Management-LAN
4. Other Network Devices
5. Plug & Play
6. Port Forwarding/DNAT
7. Routing
1. Hints

Please note the following hints:
- The Surf-LAN needs to be bridged (not mandatory if the IAC-BOX is installed in routing mode)
- Proxy DHCP, Proxy ARP and similar services must not be enabled in the Surf-LAN
- Office-LAN and Surf-LAN must be separated properly
2. Network Integration

On the picture below you can see a common network structure with the IAC-BOX. In this example, the third interface of the IAC-BOX (Management-LAN) is connected to the DMZ. The Office-LAN interface serves only as an uplink to the WAN.

The access points in the Surf-LAN must be bridged to ensure the correct operation of the IAC-BOX. Routing and NAT in the Surf-LAN are not allowed; the same applies to functions like proxy DHCP and proxy ARP.
3. Interfaces

3.1. Office-LAN

The Office-LAN interface is used as uplink to the WAN and it is the interface which is used to manage the IAC-BOX. The default settings for the Office-LAN are:
- IP Address: 192.168.1.1
- Subnet Mask: 255.255.255.0
- Default Gateway: 192.168.1.254
- DNS Server: 192.168.2.1

3.2. Surf-LAN

The Surf-LAN interface is the connection to the client/guest network in which the users have to authenticate at the IAC-BOX. For this purpose the IAC-BOX runs DHCP in the Surf-LAN. The default settings for the Surf-LAN are:
- Protected DHCP range: 172.29.0.0/20 (enabled by default)
- Unprotected DHCP range: 172.30.0.0/22

A cause of errors in connection with the PMS configuration is that the IAC-BOX cannot establish a connection to the PMS system. The reason can be either that the PMS system is not reachable in the network at all (ping), or that a connection via the specified port is not permitted (Connection Refused). In this case the configuration of the PMS system has to be checked. To test this, try to establish a telnet connection from a client to the PMS system (e.g. telnet 192.168.1.10 9099).

A more detailed description of the protected and unprotected DHCP range can be found on page 4 of the following HowTo: http://www.iacbox.com/uploads/media/howto_netzwerk_migration_de.pdf
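The telnet test above distinguishes two failure modes: no answer at all (the PMS host is not reachable, check ping and routing first) and an immediate Connection Refused (the host answers but the port is closed or blocked). The following Python script, added here as an example and not part of the HOWTO or the IAC-BOX software, performs the same classification programmatically. The PMS address 192.168.1.10 and port 9099 are taken from the HOWTO's telnet example; the local demo listener is a constructed helper so that the script can be exercised offline.

```python
import socket

# Host/port from the HOWTO's telnet example; replace with the real PMS system.
PMS_HOST = "192.168.1.10"
PMS_PORT = 9099

# Hints matching the troubleshooting steps in section 3.2.
HINTS = {
    "open": "TCP port reachable: the PMS interface can use this host/port.",
    "refused": "Host answers but refuses the port (RST): check the PMS listening port "
               "and any host firewall on the PMS system.",
    "unreachable": "No answer at all (timeout/no route): check ping and routing between "
                   "the IAC-BOX network and the PMS system first.",
}


def check_tcp_service(host: str, port: int, timeout: float = 3.0) -> str:
    """Classify host:port like the manual telnet test.

    Returns "open", "refused" or "unreachable". ConnectionRefusedError is a
    subclass of OSError, so it must be caught first; every other OSError
    (timeout, EHOSTUNREACH, ENETUNREACH) means the host did not answer.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (TimeoutError, OSError):
        return "unreachable"


def diagnose(host: str, port: int, timeout: float = 3.0):
    """Return (status, hint) for the given PMS host/port."""
    status = check_tcp_service(host, port, timeout)
    return status, HINTS[status]


def start_demo_listener():
    """Constructed helper: a local listening socket on a free port, used only to
    demonstrate the 'open' and 'refused' outcomes without a real PMS system."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Offline demonstration: open while the listener exists, refused after it closes.
    srv, port = start_demo_listener()
    print("demo listener:", diagnose("127.0.0.1", port))
    srv.close()
    print("closed port:  ", diagnose("127.0.0.1", port))
    # Real check against the PMS system (will report 'unreachable' on an isolated host).
    print("PMS:          ", diagnose(PMS_HOST, PMS_PORT))
```

Run it from a client in the same network position as the IAC-BOX; "refused" points at the PMS configuration (wrong port or a firewall), "unreachable" points at routing or a powered-off host.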
3.3. Management-LAN

The optional Management-LAN allows you to separate the uplink and the administration of the IAC-BOX. Therefore the Office-LAN can be used for the uplink only and the administration of the system can be done via the Management-LAN (connected to the DMZ). The default settings for the Management-LAN are:
- IP Address: 10.10.10.254
- Subnet Mask: 255.255.255.0

4. Other Network Devices

Since the Surf-LAN must be bridged, the network devices are not allowed to modify the traffic between the clients and the IAC-BOX. This is because the IAC-BOX needs the original client IP and client MAC in order to function properly. There are the following options to configure access points and other network devices in the Surf-LAN:
- Manual configuration of the network settings directly on the devices
- The devices get their network settings via DHCP from the IAC-BOX (like normal clients)
- For each device a static lease is configured on the IAC-BOX. The devices get the configured static lease via DHCP. Thereby network settings outside of the default Surf-LAN range are possible.

Note that the access points do not need to be online for the operation of the IAC-BOX.
5. Plug & Play

The plug & play of the IAC-BOX allows devices to still connect to the customer logon site without having network settings within the default Surf-LAN range. This function is realized with ARP and DNS spoofing. In order to make it possible for specific network devices to communicate with each other (e.g. access points, access point controller, etc.), they can be excluded from the plug & play of the IAC-BOX. Therefore, enter the MAC address of the devices in the WebAdmin menu Modules/Plug & Play Ignored Devices as ignored devices.

6. Port Forwarding/DNAT

Port forwarding/DNAT allows you to make network devices in the Surf-LAN accessible from the Office-LAN/Management-LAN, for example to manage access points, switches and other network devices without being connected to the Surf-LAN. Therefore it is important that the device to be managed has the IAC-BOX Surf-LAN side configured as gateway. Otherwise it is not possible to establish a connection.

Example: A Surf-LAN access point with the IP address 172.30.0.10 should be managed from the Office-LAN. Therefore the following DNAT rule is defined in the WebAdmin menu Security/Port Forwarding:
- Destination IP address: 172.30.0.10
- Local Port: 9080 (between 9000 and 65000)
- Destination Port: 80 (web interface of the access point)
- Protocol: TCP
- Interface: Office-LAN

With this DNAT rule, the access point will be accessible from the Office-LAN via the Office-LAN IP address of the IAC-BOX and the configured local port (e.g. 192.168.1.1:9080).
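To make the DNAT example concrete, the following Python model, added here and not taken from the HOWTO or the IAC-BOX software, checks a rule against the constraints given in section 6 (local port between 9000 and 65000, a valid interface), computes the address an administrator connects to, rewrites an inbound packet the way the rule does, and checks the gateway requirement. The interface addresses come from sections 3.1 and 3.3; the IAC-BOX Surf-LAN side address 172.30.3.254 is assumed from Example 1 in section 7, and UDP being selectable as protocol is also an assumption.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IAC-BOX interface addresses: Office-LAN and Management-LAN defaults from
# sections 3.1 and 3.3; the Surf-LAN side address is assumed from section 7.
INTERFACE_IP = {
    "Office-LAN": ipaddress.IPv4Address("192.168.1.1"),
    "Management-LAN": ipaddress.IPv4Address("10.10.10.254"),
}
SURF_LAN_GATEWAY = ipaddress.IPv4Address("172.30.3.254")   # assumption
LOCAL_PORT_RANGE = range(9000, 65001)                       # "between 9000 and 65000"
PROTOCOLS = ("TCP", "UDP")                                  # UDP is an assumption


@dataclass(frozen=True)
class DnatRule:
    destination_ip: str      # device in the Surf-LAN
    local_port: int          # port opened on the IAC-BOX interface
    destination_port: int    # service port on the device
    protocol: str
    interface: str           # "Office-LAN" or "Management-LAN"


# The HOWTO's example rule for the access point's web interface.
AP_RULE = DnatRule("172.30.0.10", 9080, 80, "TCP", "Office-LAN")


def validate_rule(rule: DnatRule) -> List[str]:
    """Return the constraint violations of a rule (empty list means acceptable)."""
    problems = []
    if rule.local_port not in LOCAL_PORT_RANGE:
        problems.append(f"local port {rule.local_port} is outside 9000-65000")
    if rule.interface not in INTERFACE_IP:
        problems.append(f"unknown interface '{rule.interface}'")
    if rule.protocol.upper() not in PROTOCOLS:
        problems.append(f"unsupported protocol '{rule.protocol}'")
    if not 1 <= rule.destination_port <= 65535:
        problems.append(f"destination port {rule.destination_port} is invalid")
    return problems


def management_address(rule: DnatRule) -> str:
    """Where an admin on the rule's interface connects, e.g. '192.168.1.1:9080'."""
    return f"{INTERFACE_IP[rule.interface]}:{rule.local_port}"


def translate(rules: List[DnatRule], interface: str, protocol: str,
              dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
    """Apply the first matching rule to a packet arriving on `interface` and
    return the rewritten (ip, port); None means no rule matches and the packet
    is handled normally (i.e. it stays on the IAC-BOX itself)."""
    dst = ipaddress.IPv4Address(dst_ip)
    for r in rules:
        if (r.interface == interface
                and r.protocol.upper() == protocol.upper()
                and INTERFACE_IP.get(r.interface) == dst
                and r.local_port == dst_port):
            return r.destination_ip, r.destination_port
    return None


def reply_path_ok(device_gateway: str) -> bool:
    """Section 6 requirement: the managed device must use the IAC-BOX Surf-LAN
    side as gateway, otherwise its replies never pass back through the DNAT."""
    return ipaddress.IPv4Address(device_gateway) == SURF_LAN_GATEWAY


if __name__ == "__main__":
    print("problems:", validate_rule(AP_RULE))
    print("connect to:", management_address(AP_RULE))
    print("inbound 192.168.1.1:9080/TCP ->", translate([AP_RULE], "Office-LAN", "TCP", "192.168.1.1", 9080))
    print("AP gateway 172.30.3.254 ok:", reply_path_ok("172.30.3.254"))
```

A rule that passes `validate_rule` but whose device has a different gateway still fails in practice, which is why `reply_path_ok` is checked separately.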
7. Routing

By special routes on the IAC-BOX, certain services and other network components, such as servers and printers, can be made accessible. By default, two routes are already predefined, one for the Office-LAN and one for the Management-LAN (if enabled). For both of them the firewall protection is enabled. These routes are necessary so that the devices from the Surf-LAN cannot access the Office-LAN and Management-LAN.

Example 1: You want to make some devices/services within an isolated network (192.168.22.0/24) behind the Office-LAN (192.168.1.0/24) accessible for devices in the Surf-LAN (172.30.3.254/22). The configuration for the new route is as follows:
- Destination Address: 192.168.22.0
- Gateway: 192.168.1.250
- Subnet Mask: 255.255.255.0
- Firewall Protection: deactivated

Example 2: You want to connect a PMS system (10.10.20.5) to the IAC-BOX which is located in an isolated network (10.10.20.0/24) behind the Management-LAN (10.10.10.0/24). The configuration for this route is as follows:
- Destination Address: 10.10.20.5
- Gateway: 10.10.10.200
- Subnet Mask: 255.255.255.255 (host route)
- Firewall Protection: activated (the PMS system should be connected to the IAC-BOX but should not be accessible from the Surf-LAN)
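The two examples only behave as described because the route lookup is a longest-prefix match and the firewall protection flag is evaluated on the winning route: the /32 host route of Example 2 keeps the PMS system off-limits for guests while the /24 route of Example 1 deliberately opens an isolated network. The following Python model, added as an example and not part of the HOWTO or the IAC-BOX software, reproduces the predefined routes and both examples in a constructed routing table and answers whether a Surf-LAN client may reach a destination. Assumptions: the predefined routes use the IAC-BOX interface addresses from sections 3.1 and 3.3 as gateway, and a default route to the WAN via 192.168.1.254 without firewall protection is added so that guests can reach the Internet.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    name: str
    destination: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    firewall_protection: bool


def make_route(name: str, address: str, netmask: str, gateway: str,
               firewall_protection: bool) -> Route:
    """Build a Route from WebAdmin-style fields (address plus subnet mask)."""
    return Route(name, ipaddress.IPv4Network(f"{address}/{netmask}"),
                 ipaddress.IPv4Address(gateway), firewall_protection)


SURF_LAN = ipaddress.IPv4Network("172.30.0.0/22")   # unprotected DHCP range, section 3.2

# Constructed routing table: predefined routes (gateway = IAC-BOX interface
# address, assumption), an assumed unprotected default route to the WAN, and
# Example 1 and Example 2 from section 7 as written.
ROUTES: List[Route] = [
    make_route("default to WAN (assumed)", "0.0.0.0", "0.0.0.0", "192.168.1.254", False),
    make_route("Office-LAN (predefined)", "192.168.1.0", "255.255.255.0", "192.168.1.1", True),
    make_route("Management-LAN (predefined)", "10.10.10.0", "255.255.255.0", "10.10.10.254", True),
    make_route("Example 1", "192.168.22.0", "255.255.255.0", "192.168.1.250", False),
    make_route("Example 2 (host route)", "10.10.20.5", "255.255.255.255", "10.10.10.200", True),
]


def lookup(dst_ip: str, routes: List[Route] = ROUTES) -> Optional[Route]:
    """Longest-prefix match: a /32 host route beats a /24, which beats /0."""
    dst = ipaddress.IPv4Address(dst_ip)
    candidates = [r for r in routes if dst in r.destination]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.destination.prefixlen)


def surf_client_may_reach(src_ip: str, dst_ip: str,
                          routes: List[Route] = ROUTES) -> Tuple[bool, str]:
    """Decide whether a Surf-LAN client may reach dst_ip and say why."""
    src = ipaddress.IPv4Address(src_ip)
    if src not in SURF_LAN:
        raise ValueError(f"{src} is not a Surf-LAN client address")
    route = lookup(dst_ip, routes)
    if route is None:
        return False, "no matching route"
    if route.firewall_protection:
        return False, f"blocked: firewall protection active on route '{route.name}'"
    return True, f"forwarded via {route.gateway} (route '{route.name}')"


if __name__ == "__main__":
    client = "172.30.0.10"
    for dst in ("192.168.22.7", "10.10.20.5", "192.168.1.50", "10.10.10.254", "203.0.113.9"):
        allowed, reason = surf_client_may_reach(client, dst)
        print(f"{client} -> {dst}: {'ALLOW' if allowed else 'DENY'} ({reason})")
```

Removing the firewall protection from the Example 2 host route would make the PMS system reachable from the Surf-LAN, which is exactly what the HOWTO says must not happen; the model makes that consequence visible before a route is saved.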