
Network Topology  SecureOffice  xoops  29-Nov-2020 17:20  0  3316 reads

Table of Contents

1      WAN Versus LAN Network Topology

2      Configure Network Topology

2.1                Configure WAN Network Topology

2.1.1    Configure LAN Ethernet Interface

2.1.2    Configure WAN Ethernet Interface

2.2                Configure LAN Network Topology

List of Figures

Figure 1:       WAN Network Topology

Figure 2:       LAN Network Topology

Figure 3:       RFC 1918 Private Address Space

Figure 4:       LAN Configuration Section

Figure 5:       Web GUI Password Prompt

Figure 6:       Web GUI Status Page

Figure 7:       Internet Traffic Graph

Figure 8:       WAN Protocol Selection

Figure 9:       OpenWrt Firewall Allow GUI

List of Tables

Table 1:       WAN versus LAN Network Topology

1      WAN Versus LAN Network Topology

The recommended SecureOffice installation is shown below in Figure 1, where the dashed box is the integrated OpenWrt / FreeSWITCH / FusionPBX / VMware network appliance, which replaces your wireless router and functions as a firewall / router / network server. All elements in Figure 1 apart from SecureOffice, the Cable / ADSL modem, the Ethernet switch and a pair of SIP phones are optional and depend on user needs and requirements. Alternatively, SecureOffice can be configured as a server on your existing LAN, retaining your existing network topology, as shown in Figure 2.

Figure 1: WAN Network Topology

The minimum hardware requirements for WAN topology consist of your existing Cable / ADSL (or other) modem to connect to the internet, the SecureOffice appliance, a 10/100/1000M Ethernet switch and a pair of standard SIP phones, which may be free applications for Android devices or PC software. Note that WAN topology requires two Ethernet interfaces on the SecureOffice hardware.

Figure 2: LAN Network Topology

The minimum hardware requirements for LAN topology consist of your existing Cable / ADSL (or other) modem to connect to the internet, your existing router, the SecureOffice appliance and a pair of standard SIP phones, which may be free clients for Android devices or personal computers (Windows / Linux). LAN topology trusts the security of your existing router (may not be a good idea) and requires only one Ethernet port on the SecureOffice hardware.

The pros / cons of WAN versus LAN topology are:

| Feature | WAN Topology | LAN Topology | Notes |
|---|---|---|---|
| Replaces existing router services | Yes | No | Move / clone services provided by existing router to SecureOffice |
| Ethernet interfaces required | Two, PC choice restricted, slightly higher cost | One, more PC choices, lower cost | Choosing two Ethernet interfaces is suggested, to allow easy switching from LAN to WAN topology. If you choose a single Ethernet interface, a USB Ethernet interface can be added later for WAN, with a slight reduction of internet and services performance. |
| Configure existing router firewall for UPnP SecureOffice ports | No | Yes | SecureOffice uses UPnP for SecurePBX and media server applications such as MiniDLNA (free) |
| Ethernet 10/100/1000 GB Switch required | Yes | No | Switches are inexpensive, required if wired LAN size greater than one. |

Table 1: WAN versus LAN Network Topology

2      Configure Network Topology

Network topology is configured using the following instructions, for initial configuration or when changing topologies.

For network installations already having a router, it is recommended to initially choose LAN topology to minimize disruption to your local network and move existing router services such as DNS, DHCP from your router to SecureOffice incrementally, verifying each service before changing to WAN topology.

For new network installations (no existing router), it is necessary to choose WAN topology.

Independent of whether the network is configured using the OpenWrt web GUI (browser on a PC) or using command line, the network topology is configured by altering the contents of file "/etc/config/network". This section is solely concerned with basic Ethernet interface configuration, setting IP addresses and how they are acquired for the LAN and WAN Ethernet interfaces.

Configuration will use a combination of command line and web browser GUI. There are many other aspects of the network that can be configured, such as IPV6, VLANs and VPN that are not discussed here. Configuration will be done using IPV4 addresses. A full reference for network configuration possibilities is available at the OpenWrt wiki.

2.1                Configure WAN Network Topology

SecureOffice is connected directly to the internet through your Cable / DSL modem or other device. The following information is required for WAN configuration:

  • How your internet connection is accessed. Your internet provider can provide this. Examples are DSL (modem connects to phone line) and Cable (modem connects to coaxial - round cable).
  • Any login credentials (userID, password) and settings required for connecting to the internet, supplied by your internet provider.
  • Many modern cable modems are configured by your ISP, requiring no login credentials and automatically provide the WAN IP address to OpenWrt using DHCP.

Devices on your network such as PCs, tablets and IP cameras are connected to the SecureOffice LAN, wired or WiFi.

2.1.1    Configure LAN Ethernet Interface

The default settings for SecureOffice LAN (eth0) are: Protocol: Static, IP Address: 192.168.10.1, NetMask: 255.255.255.0, DHCP Server: Enabled.

For new installations, it is recommended to keep the default settings. When replacing an existing router, especially if your LAN has devices with static IP addresses, it is easiest to use the same LAN settings as the router being replaced; otherwise, you will have to duplicate all existing static IP address assignments on SecureOffice.

If the default LAN settings are acceptable, skip to the next step, "Configure WAN Ethernet Interface".

The chosen LAN address must fall within the RFC 1918 Private Address space.

Figure 3: RFC 1918 Private Address Space

Using command line access, enter the following commands to change the LAN configuration section for SecureOffice:

    config interface 'lan'
        option ifname 'eth0'
        option type 'bridge'
        option proto 'static'
        option ipaddr '<desired LAN address>'
        option netmask '<desired netmask>'
        option dns '<desired LAN address>'
        option ip6assign '60'

Figure 4: LAN Configuration Section

  • Enter "nano /etc/config/network".
  • Change only the following entries: "option ipaddr '<desired LAN address>'", "option dns '<desired LAN address>'" and "option netmask '<desired netmask>'". For most users (moderate size LAN, 253 device addresses), the default netmask of "255.255.255.0" is adequate.
  • Enter "Ctrl+o" (together) to save the file and "Ctrl+x" to exit nano.
  • Enter "/etc/init.d/network restart" for the new settings to take effect.

Important: If you change the LAN address using a SSH console, OpenWrt web GUI or WiFi, you will lose network connectivity and must reconnect using the new LAN address.

2.1.2    Configure WAN Ethernet Interface

Now that SecureOffice LAN is configured, the OpenWrt web GUI can be used to configure the WAN (eth1) Internet interface.

From a PC on the same LAN as SecureOffice, enter the configured LAN address (default 192.168.10.1) into your web browser address field and press enter. SecureOffice will prompt for your root password, as shown below.

Figure 5: Web GUI Password Prompt

Type your root password (default: "admin_54321", you should have previously configured a new one) and press enter. You will see the main router status page, a portion of which is shown in the screenshot below.

Figure 6: Web GUI Status Page

Navigation to configuration sections in subsequent instructions will be of the form: "Tab1->Tab2->Tab3, etc". For example: "Status->Realtime Graphs->Traffic->eth1" will show the network traffic for eth1 (WAN, Internet), as shown below:

Figure 7: Internet Traffic Graph

Using the web GUI, select "Network->Interfaces->WAN". The Protocol dropdown field will allow you to select your Internet connection type and other tabs will allow you to configure your WAN (Internet) interface as required by your ISP (Internet Service Provider). WAN interface types are shown in the screenshot below:

Figure 8: WAN Protocol Selection

It is easiest to copy the settings from your existing router, or, do an internet search: "your internet provider connection setup", or consult your internet provider (help pages, tech support). Another option is to search "OpenWrt 'your internet provider'" since SecureOffice uses standard OpenWrt and, odds are, given the widespread popularity of OpenWrt, many customers of your internet provider are already using OpenWrt.

After making changes, click the "Save & Apply" button in the web GUI to save changes.

To verify WAN settings, enter "ping yahoo.com" from a command prompt (console, or via SSH client). A response should come from the site, or a failure message will be displayed. Keep researching and altering WAN settings until you get a ping response. Example:

"PING yahoo.com (206.190.36.45): 56 data bytes" and "64 bytes from 98.139.183.24: seq=0 ttl=53 time=34.677 ms"

If all else fails, contact your ISP technical support department.

2.2                Configure LAN Network Topology

SecureOffice connects to the internet through your existing router, as a device with a static IP address on your existing LAN. Any virtual machines providing public services hosted by SecureOffice must also have static IP LAN addresses. The SecureOffice WAN port will be connected to your LAN using a port on your existing router. The SecureOffice LAN port (if supported by hardware) is left disconnected and not used, unless another private LAN is required for other uses, outside of the scope of this document.

When using LAN Topology, the existing router must provide the following functionality:

  • Firewall, forward UDP ports 5060-5080 (SIP telephony), 49142-65535 (RTP SIP telephony) to the static WAN IP address of SecureOffice on your local LAN.
  • If other public services are configured for SecureOffice, the required ports must be forwarded to the static IP address of the server providing the service in the router firewall. For example, websites and email server virtual machines.
  • Dynamic DNS client (unless DDNS is handled by SecureOffice), configured with domain name if you have public services such as external SecurePBX extensions (SIP phones), email or web servers.
  • It is beyond the scope of this document how to configure your existing router, although the DDNS section above may be useful.

SecureOffice in LAN topology must be configured with a static WAN IP address outside of the DHCP assignment range of the router, but within LAN address space of your existing router.

Determine the address of your existing router (usually the IP address that you use to access its web configuration page).

Access the configuration page of your existing router to determine the existing LAN subnet (eg: 255.255.255.0), DHCP address assignment range, for example 192.168.1.100 to 192.168.1.250.

With the above information, choose a static WAN IP address for SecureOffice outside of the router DHCP assignment range, but not ending with the router base (.1) or broadcast (.255) addresses and not yet assigned (unique) on LAN. For example: 192.168.1.2 or 192.168.1.251.
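The address rules above (inside the router's subnet, outside its DHCP range, not the network, broadcast or router address) and the RFC 1918 requirement from section 2.1.1 can be checked before editing "/etc/config/network". The script below is an added example, not part of the original page or of SecureOffice; the function names are hypothetical and the router address 192.168.1.1 is an assumed value. Uniqueness on the LAN still has to be confirmed separately, as described in the troubleshooting steps.

```sh
#!/bin/sh
# Added example (not SecureOffice code): check a candidate static address
# before writing it to /etc/config/network.

# Dotted-quad IPv4 -> integer; fails on malformed input or leading zeros.
ip2int() {
    old_ifs=$IFS; IFS=.; set -f; set -- $1; set +f; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*|0?*|????*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# True if the address lies in 10/8, 172.16/12 or 192.168/16 (RFC 1918).
is_rfc1918() {
    n=$(ip2int "$1") || return 1
    [ $(( n >> 24 )) -eq 10 ] || [ $(( n >> 20 )) -eq 2753 ] ||
        [ $(( n >> 16 )) -eq 49320 ]
}

# check_static_ip CANDIDATE ROUTER NETMASK DHCP_START DHCP_END
# Prints "ok" or the reason for rejection; returns 0 only for "ok".
check_static_ip() {
    c=$(ip2int "$1") && r=$(ip2int "$2") && m=$(ip2int "$3") &&
    s=$(ip2int "$4") && e=$(ip2int "$5") ||
        { echo "malformed address"; return 1; }
    net=$(( r & m )); bcast=$(( net | (~m & 4294967295) ))
    is_rfc1918 "$1" || { echo "not RFC 1918"; return 1; }
    [ $(( c & m )) -eq "$net" ] || { echo "outside router subnet"; return 1; }
    [ "$c" -ne "$net" ] && [ "$c" -ne "$bcast" ] ||
        { echo "network or broadcast address"; return 1; }
    [ "$c" -ne "$r" ] || { echo "router address"; return 1; }
    [ "$c" -lt "$s" ] || [ "$c" -gt "$e" ] ||
        { echo "inside DHCP range"; return 1; }
    echo ok
}

# Constructed values: the page's example DHCP range, assumed router at .1.
check_static_ip 192.168.1.251 192.168.1.1 255.255.255.0 192.168.1.100 192.168.1.250
check_static_ip 192.168.1.150 192.168.1.1 255.255.255.0 192.168.1.100 192.168.1.250 || true
```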

Using console command line access mode (monitor / keyboard or SSH client), enter "nano /etc/config/network" and change the wan configuration section to read as follows, then save:

    config interface 'wan'
        option proto 'static'
        option ifname 'eth1'
        option ipaddr '<desired LAN address>'
        option netmask '<netmask from existing router>'
        option gateway '<IP address of existing router>'
        option dns '<IP address of existing router>'

The ifname (interface name) should be 'eth1' for dual ethernet port and 'eth0' for single ethernet port hardware.

By default, access to the SecureOffice web configuration GUI using the WAN interface and secure shell access is disabled by the OpenWrt firewall. For LAN topology, firewall rules must be added to allow access.

Using console command line access mode (monitor / keyboard or SSH client), enter "nano /etc/config/firewall" and scroll (down arrow key) to the end of the file. Enter the information shown below, then save and exit ("Ctrl+o", "Ctrl+x").

    config rule
        option target 'ACCEPT'
        option src 'wan'
        option proto 'tcp'
        option dest_port '80'
        option name 'allow-http'

    config rule
        option target 'ACCEPT'
        option src 'wan'
        option proto 'tcp'
        option dest_port '443'
        option name 'allow-https'

    config rule
        option enabled '1'
        option target 'ACCEPT'
        option src 'wan'
        option proto 'tcp udp'
        option dest_port '22'
        option name 'support-SSH'

Figure 9: OpenWrt Firewall Allow GUI

Enter "/etc/init.d/firewall restart; ifup wan" to apply the configuration changes.
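The rules above accept web GUI and SSH traffic from every host in the 'wan' zone. In LAN topology that zone is your existing LAN, but if the appliance is later moved to WAN topology the same rules face the internet. The script below is an added example, not part of the original page or of SecureOffice: it audits a firewall config for such rules and shows a rule narrowed with the OpenWrt `src_ip` option. The function names, the subnet 192.168.1.0/24 and the rule name 'support-SSH-lan-only' are assumptions.

```sh
#!/bin/sh
# Added example, not SecureOffice code. Reads a UCI firewall config on stdin
# and reports ACCEPT rules that open ports 22, 80 or 443 to every host in
# the 'wan' zone, i.e. rules that carry no src_ip restriction.
audit_wan_mgmt() {
    awk -v q="'" '
    function report() {
        if (inrule && o["target"] == "ACCEPT" && o["src"] == "wan" &&
            o["dest_port"] ~ /^(22|80|443)$/ && !("src_ip" in o))
            print o["name"] ": port " o["dest_port"] " open to any wan host"
        split("", o); inrule = 0      # clear options for the next section
    }
    $1 == "config" { report(); inrule = ($2 == "rule"); next }
    $1 == "option" {
        v = $0; sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]+/, "", v)
        gsub(q, "", v); o[$2] = v     # strip the quotes around the value
    }
    END { report() }'
}

# Constructed input: two of this page's rules, then the SSH rule limited to
# an assumed existing-LAN subnet (192.168.1.0/24) with src_ip.
sample_rules() {
    cat <<'EOF'
config rule
    option target 'ACCEPT'
    option src 'wan'
    option proto 'tcp'
    option dest_port '80'
    option name 'allow-http'
config rule
    option enabled '1'
    option target 'ACCEPT'
    option src 'wan'
    option proto 'tcp udp'
    option dest_port '22'
    option name 'support-SSH'
config rule
    option target 'ACCEPT'
    option src 'wan'
    option src_ip '192.168.1.0/24'
    option proto 'tcp'
    option dest_port '22'
    option name 'support-SSH-lan-only'
EOF
}

sample_rules | audit_wan_mgmt
```

On the appliance, the same check runs as `audit_wan_mgmt < /etc/config/firewall`.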

SecureOffice should now be visible on your LAN. To test this, from SecureOffice console, enter "ping <the address of your router>". A valid reply should be received. If not, follow the troubleshooting steps below. Note that ping runs continuously and can be stopped by entering "CTL+c" (together) from the console.

To verify SecureOffice WAN internet settings, enter "ping yahoo.com" or another website on the internet from a SecureOffice command prompt (console, or, via SSH client). A response should come from the site, or, a failure message will be displayed. Keep researching and altering WAN (/etc/config/network) settings until you get a ping response. Example:

"PING yahoo.com (206.190.36.45): 56 data bytes" and "64 bytes from 98.139.183.24: seq=0 ttl=53 time=34.677 ms".

The SecureOffice configuration GUI should now be accessible from your LAN. To test this, enter the configured SecureOffice WAN address (the LAN address you chose above) into a web browser address field and confirm that the SecureOffice web configuration page (password first) is displayed.

Possible ping failure reasons are:

  • The assigned SecureOffice LAN IP address is not unique to your LAN. To check this, disconnect the SecureOffice WAN port from your LAN and "ping <LAN_address_you_chose_above>". If there is a valid response, choose another (unique to your LAN) address and try again.
  • Your hardware has more than one Ethernet port and you configured the wrong one. Single port systems have only eth0 which must be assigned to the WAN. For dual port systems, eth0 is LAN and eth1 is WAN. To test this, connect the Ethernet cable to the other port and try again.

If all else fails, search the internet for "openwrt" followed by a description of the problem.

Note: if your existing router is not capable of being a DDNS client, and you require DDNS, it is possible to configure DDNS to be a client from SecureOffice on the LAN, as explained in the DDNS configuration section.
