
Networking Guide
Billing Appliance IA-50, IA-100 and IA-250

Revision 2.51b Updated November 2004




    © 2004, Billing Solutions Limited.   1
                         Copyright

Copyright © 2004 Billing Solutions Limited – all rights
reserved. No part of this publication or any part of the
Billing Appliance software or hardware (models IA-50, IA-
100 and IA-250) and included documentation may be
reproduced, transmitted, transcribed, stored in a retrieval
system, or translated into any language or computer
language, in any form or by any means, electronic,
mechanical, magnetic, optical, chemical, manual or
otherwise, without the prior written permission of Billing
Solutions Limited.

                        Disclaimer

Billing Solutions Limited makes no representations or
warranties, either expressly or implied, with respect to
the contents of this Networking guide.
All brand and product names mentioned in this guide are
trademarks and or registered trademarks of their respective
owners.

                          WARNING

Plugging and unplugging serial port console connections while the
Billing Appliance is running can under certain circumstances ‘hang
the box’. This appears to be an earth level related issue and is not
apparent in all configurations, especially with the rack mounted
IA-100, a dual IA-50 device. Plugging a serial cable in, and thus
‘pulling the earth down’, is more likely to cause this effect than
unplugging it. Using the supplied null modem cable reduces the chance
of this issue arising.

Use the NetConfig program over the eth2 or eth0 Ethernet port
connections in preference to the serial port console for network
configuration.

                      Certifications.

The Billing Appliance models IA-50 and IA-100 are certified to the
following standards.

FCC part 15 Class A
CE and NZ C-Tick.




                             Contents

1 Networking Conceptual Overview ……………………………………………………………… 4

2 Configuring HyperTerminal for serial console access
 to the Billing Appliance ……………………………………………………………………………… 5

3 Configuring Putty for Secure connections over Ethernet
 to the Billing Appliance ………………………………………………………………………………… 7

4 Configuring the Billing Appliance passwords with
 NetConfig ………………………………………………………………………………………………………………………… 10

5 Configuring the Billing Appliance Broadband Settings
 with Putty ……………………………………………………………………………………………………………………… 11

6 Configuring the Billing Appliance System Files with
 Putty …………………………………………………………………………………………………………………………………… 12
  6.1 SQUID web proxy config file …………………………………………………………… 12
  6.2 DHCP server configuration file …………………………………………………… 12

7 Secure Network Connections to the Billing Appliance
 Software Web Interface ……………………………………………………………………………………… 13

8 Logging in to the Web GUI Billing Software ……………………………… 15
  8.1 Passwords …………………………………………………………………………………………………………… 16

9 Custom Firewall Rules ……………………………………………………………………………………… 17
  9.1 Details ………………………………………………………………………………………………………………… 18

10 UPS controlled shutdown with the Rhalt.exe program
 for Microsoft Windows ………………………………………………………………………………………… 19

11 VLAN and Network Switch Configuration
   11.1 Allied Telesyn Rapier-i switch Configuration…………… 20
   11.2 EDIMAX 24 port Configuration …………………………………………………… 22

12 Integration with Microsoft Small Business Server …………… 23

13 Troubleshooting …………………………………………………………………………………………………… 24

14 Appendix NetConfig 2.15 Updates
   14.1 Backup, Load / Save Settings & Web GUI ………………………… 25
   14.2 Software Update, Download via HTTP …………………………………… 26
   14.3 Installation of a Downloaded Software Update ………… 27




      Networking Conceptual Overview

       |     Broadband connection
       |     Fiber, ADSL, isdn, frame etc.
       |
       |                            Serial port
       |
                                      Billing
Broadband         (nat) eth0         Appliance
 router       rj45 Ethernet
       .                  eth2 |     | eth1
       ........................|.....|........
                               | . |         .
     Billing      DHCP server | . |      Multiple
   Management 10.1.0.x         |... |    Billing
  Web console subnet 10.1.0/24 | units
                                     |      .
                                            .
DHCP Server per room         Network        .
10.1.1.x – 10.1.50.x     Switch 802.1Q .
                             Vlan’s |
                room1__||||......           .
                room2___|||          |   Multiple
                room3____||          |   Switches
                room._____|          |
                                     |
                               Network
                           Switch 802.1Q
                               Vlan’s |
                  room.__||||......
                  room.___|||             .
                  room.____||             .
                  room._____|             . Multiple
                                          . Switches


See the section on Switch Configuration and VLAN’s for
further details on how the VLAN’s are utilised for
broadband allocation and billing purposes.




Configuring HyperTerminal for serial console access
             to the Billing Appliance.

Note: see the warning on page 2 of this guide. Plugging in (rather
than unplugging) serial cables while the system is in operation can
cause a lock-up under certain circumstances.

Use the supplied 9 pin female to female null modem cable to
access the billing system console.




A VT100 terminal emulation is required and 9600/8/N/1 settings.




Login ID: netconfig, with the first password ‘NETCONFIG’. Note that the
second password is ‘netconfig’ and can be changed by the NetConfig
utility. See the section titled Configuring the Billing Appliance
passwords with NetConfig.




The network settings and screens within NetConfig are identical when
used over the serial port or when NetConfig is run over a Ethernet
connection with Putty (or any other SSH client). See the section
titled Configuring the Billing Appliance Broadband Settings with
Putty.




Configuring the Putty client for Secure connections
       over ethernet to the Billing Appliance




The Putty program suite and the required keys can be copied off the
supplied CDROM to a suitable folder on any Windows based PC or laptop.
See the contents of the Putty folder, which includes the full release
of Putty with its associated help files, licence and tools; psftp and
puttygen are required to load new keys into the billing system.

The eth2 management subnet Ethernet port can be connected to with the
supplied crossover cable and, as shipped, is running a DHCP service
that will allocate client addresses. The billing system is by default
at address 10.1.0.1 for an IA-50 (this address can be changed with the
NetConfig utility). Subsequent IA-50s on the same management subnet
should be configured in incrementing IP address order and the DHCP
scope/configuration altered accordingly.




A profile must be set up for the secure encrypted ssh connection.




Two private key files are provided on the CDROM under the keys
folder. They are identical keys protected by different pass phrases:
bill_key.ppk is protected by the pass phrase bi11k3y (with the digits
1 and 3), and Bill_key2.ppk is protected by the pass phrase billing.
These pass phrases can be changed with the puttygen.exe program, which
can also generate new keys. New keys can be uploaded to the billing
appliance for the user IDs billing, webadmin and usgadmin. See the
Billing User Guide for more details. User ID netconfig is protected by
the same private key / public key pair with an additional password
that can be changed with the NetConfig utility itself.




This example shows a profile with the Auto-login username set to
‘netconfig’; this is used to connect to the appliance and run the
NetConfig utility. A separate profile should be set up in an
identical way with the username set to ‘billing’ to be used for
access to the Web GUI billing software. See page 13 of this Guide.




This prompt is for the NetConfig password, which can be changed by the
NetConfig utility. It appears after the private key pass phrase has
been accepted; the pass phrase itself is only prompted for once the
private key has been accepted by the appliance.




Note: Because a private and public key pair is used for
authentication with the billing appliance, and SSH tunnels are used
to access the web based billing interface, which is itself password
protected, access is also made available via the broadband interface
eth0. This provides for remote support from systems which have the
private key installed.

Be sure to protect this private key because if it is compromised then
a new key pair will need to be generated and installed. This can be
done with the SFTP utility while logged in with the existing keys.

In the case of the NetConfig utility a second level password is
required which, like the web billing interface passwords, can be
changed with the NetConfig utility. However, the NetConfig login key
cannot be changed with SFTP; only the second level password may be
changed, while logged into NetConfig.

The extra layer of SSH key based authentication and strongly
encrypted tunnels is required to protect access to the billing system
management interface and billing database.

The extra configuration hurdle of dealing with this at least provides
for remote management access where required. For this to work, a pin
hole must be opened from whichever external IP address is used for
support to TCP port 8022 on the external IP address of the billing
system (eth0).




  Configuring the Billing Appliance passwords with
                     NetConfig.




Netconfig Password is the second level password for NetConfig, after
the pass phrase used for protection of the private key file.

Billing Password is the password prompted for by the web based
billing interface for all but the manager functions.

Manager Password is the password that is prompted for within the
Setup functions of the web based billing interface. These are screens
that allow entry of the billing plan, loading billing plans into
rooms within the billing database and various system settings and
restart/shutdown of the billing appliance.




      Configuring the Billing Appliance Broadband
                  Settings with Putty




Refer to the Networking Conceptual Overview on page 4 for a
reference.

Gateway is the next hop router.

Forwarding name server is the best choice of upstream DNS server for
the local billing appliance DNS server to forward DNS requests to. It
is worth mentioning that DNS will fall back to querying the root name
servers when requests to a local forwarder fail; this not only loads
the already overloaded set of Internet root servers but can also fail
due to time-outs within a busy Internet. Any upstream router should be
configured to pass all appropriate ICMP unreachable (etc.) codes back
to the billing appliance for correct operation; failure to do so can
result in unusually high CPU loading and error logging from the local
billing appliance DNS server.

SMTP & POP servers are transparent proxy forwarders that can be
switched on and off on a per room basis from the billing system web
interface for transparent redirection of SMTP and POP3 traffic. The
usual requirement is for SMTP: most SMTP servers deny public relaying
for non-local network traffic, which means that the broadband
supplier’s SMTP server is usually the best choice here. Transparent
proxying of POP3 traffic is really only useful where the billing
system is used as a security appliance with proxy-only settings, where
local subnets have access to a DNS proxy, an HTTP proxy, an SMTP
proxy, a POP3 proxy and maybe a custom firewall rule for outbound
traffic, with all inbound traffic denied by the NAT rule.

eth0 is on the broadband supply network, and the eth2 settings allow
multiple (up to 254) billing appliances to share a common management
subnet.




Configuring the Billing Appliance System Files




The web proxy configuration file provides for proxy peering and many
other Squid proxy features, such as black hole listing of ‘bad sites’.

The DHCP server configuration file allows for subnet scope
declarations to offer zero or more client allocations. A later
release of the billing appliance firmware will offer an on/off DHCP
server choice per VLAN interface.




Save to a USB key drive if present as well as the local file system.




Secure Network Connections to the Billing Appliance
              Software Web Interface




This example shows how to set up a network connection profile with
Putty for secure access to the Web GUI. Note the addition of a
tunnelled local port, TCP 8001, to the billing appliance web server
on 127.0.0.2:80.

See page 7 of this guide for details on how to set up the Putty
client from the supplied CDROM.








Entering the pass phrase for the billing key.




Now logged in this screen is not used again until exit.




         Logging in to the Web Billing Software




Note that the connection to the web based billing software is to the
tunnel set up in the SSH Putty client at http://127.0.0.1:8001. Where
multiple billing appliances are to be managed on a single management
subnet, the local port should reflect which appliance is to be
managed, e.g. 8001, 8002, 800... These are determined when the SSH
tunnel is configured.
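The Putty profile described on pages 7 to 15 (private key login as user billing, SSH on TCP port 8022, a local port forwarded to the appliance web server on 127.0.0.2:80, one local port per appliance) can be expressed as a single OpenSSH command. The script below is an added example and is not part of the Billing Solutions guide or its CDROM. It assumes the .ppk key has first been converted to OpenSSH format with the Unix puttygen (puttygen bill_key.ppk -O private-openssh -o bill_key.pem), that the appliance accepts SSH on port 8022 on the management subnet as well as on eth0 (the guide only states the port for eth0), and that the key path ~/.ssh/bill_key.pem and the 8000 + appliance-index port convention are choices made here, not the guide's.

```shell
#!/bin/sh
# Added example: OpenSSH equivalent of the Putty "billing" profile.
# Assumptions (not from the guide): key converted to OpenSSH format,
# SSH port 8022 reachable on the management address, local port = 8000 + index.

# Local forwarded port for an appliance on the management subnet:
# 10.1.0.1 -> 8001, 10.1.0.2 -> 8002, ... so the port names the appliance.
local_port_for() {
    last_octet=${1##*.}
    echo $((8000 + last_octet))
}

# Build the ssh command line:
#   -i  private key (hypothetical path, converted from bill_key.ppk)
#   -p  appliance SSH port 8022 (the port the guide gives for eth0)
#   -N  no remote shell; the session only carries the tunnel
#   -L  127.0.0.1:<local port> -> 127.0.0.2:80 on the appliance (web GUI)
tunnel_cmd() {
    appliance=$1
    key=${2:-"$HOME/.ssh/bill_key.pem"}
    port=$(local_port_for "$appliance")
    echo "ssh -i $key -p 8022 -N -L 127.0.0.1:$port:127.0.0.2:80 billing@$appliance"
}

# Usage: sh tunnel.sh 10.1.0.1 [keyfile]  -> prints the command to run;
# then browse to http://127.0.0.1:8001 as the guide describes.
if [ $# -gt 0 ]; then
    tunnel_cmd "$@"
fi
```

Binding the forward to 127.0.0.1 explicitly (rather than relying on the default) keeps the tunnelled web interface reachable only from the support PC itself, which matches the guide's intent that the second-level web password is only ever sent inside the SSH tunnel.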




         Logging in to the Web Billing Software
                       Passwords.




This password is sent over the SSH encrypted tunnel. The default IDs
and passwords are billing / BILLING for billing-only operations and
manager / MANAGER for the manager functions.




See the Billing Solutions Quick start and User Guides for further
details on how to set up billing plans and general operation of the
Billing software.




                        Custom Firewall Rules.




The firewall rules are applied per room/VLAN. Below is an example set
of rules with the custom firewall rule from the above screenshot
added.

Note: to use custom firewall rules, either apply them to the default
room and have the room set for ‘use defaults’, or apply the rule to an
individual room that has ‘use defaults’ set to ‘no’. See the Billing
system user guide for further details and also the IPFW2 man page at
http://www.freebsd.org/cgi/man.cgi?query=ipfw&apropos=0&sektion=0&manpath=FreeBSD+5.2.1-RELEASE+and+Ports&format=html

01502    0    0 pipe 1500 ip from not 10.1.0.0/16 to 10.1.5.0/24 out via vlan5
01503    0    0 pipe 1501 ip from 10.1.5.0/24 to not 10.1.0.0/16 in via vlan5
01504    0    0 fwd 127.0.0.1,3128 tcp from 10.1.5.0/24 to any dst-port 80
01505    0    0 fwd 127.0.0.1,3128 tcp from 10.1.5.0/24 to any dst-port 3128
01506    0    0 fwd 127.0.0.1,3128 tcp from 10.1.5.0/24 to any dst-port 8080
01507    0    0 fwd 127.0.0.1,25 tcp from 10.1.5.0/24 to any dst-port 25
01509    0    0 allow ip from not 10.1.0.0/16 to 10.1.5.0/24
01510    0    0 allow ip from 10.1.5.0/24 to any dst-port 5001-5009,3389

Note that the custom firewall rule is applied to the last rule and
affects outbound connections made from a room; inbound connections
are blocked by the NAT.




                  Custom Firewall Rule Details.
The traffic shaper pipes, these control the bandwidth.

01502     0        0 pipe 1500 ip from not 10.1.0.0/16 to 10.1.5.0/24 out via vlan5
01503     0        0 pipe 1501 ip from 10.1.5.0/24 to not 10.1.0.0/16 in via vlan5


The transparent proxy rules. Shown are the web ports 80, 8080 & 3128
as well as an SMTP rule on port 25. A POP3 transparent proxy on port
110 is also available.
Note: The transparent proxies can be enabled selectively on a per room
basis. See the Billing User’s guide for details on how to apply these
from the Billing web interface.

01504    0    0 fwd 127.0.0.1,3128 tcp from 10.1.5.0/24 to any dst-port 80
01505    0    0 fwd 127.0.0.1,3128 tcp from 10.1.5.0/24 to any dst-port 3128
01506    0    0 fwd 127.0.0.1,3128 tcp from 10.1.5.0/24 to any dst-port 8080
01507    0    0 fwd 127.0.0.1,25 tcp from 10.1.5.0/24 to any dst-port 25


The final rules allow traffic to and from the room. Note that the
broadband connection has a NAT rule that denies all inbound
connections, with the exception of TCP port 8022 for management
connections to the SSH server, so these rules control outbound and
return traffic only. This rule pair uses the custom firewall rule
shown on the previous page.

01509    0    0 allow ip from not 10.1.0.0/16 to 10.1.5.0/24
01510    0    0 allow ip from 10.1.5.0/24 to any dst-port 5001-5009,3389

The standard firewall rule pair when a setting of ‘none’ is applied to
a room under custom firewall rule. This allows the room to make
connections anywhere but not to another room.

01609    0    0 allow ip from not 10.1.0.0/16 to 10.1.6.0/24
01610    0    0 allow ip from 10.1.6.0/24 to not 10.1.0.0/16
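The two listings above (room 5 with a custom rule, room 6 with ‘none’) are instances of one per-room pattern. The script below is an added example, not the appliance's own rule generator, and reproduces that pattern for any room index so the expected rule block can be compared against what ipfw list shows on the appliance. The numbering scheme it uses (rule number 1000 + 100 × room + offset, shaper pipes 1000 + 100 × room and the next number) is inferred from the two listings rather than stated in the guide, and the POP3 proxy rule is placed at the unused offset 08 as an assumption, since the guide says the rule exists but does not show it.

```shell
#!/bin/sh
# Added example: regenerate the per-room ipfw rule block from the guide.
# Assumptions (inferred, not stated by the guide): rule = 1000 + 100*room + offset,
# pipes = 1000 + 100*room (inbound) and +1 (outbound), POP3 fwd at offset 08.

# Emit the rules for one room, in the format of `ipfw list`.
#   $1 = room index (1..50)
#   $2 = custom firewall rule: "none" for the standard pair (default),
#        otherwise a dst-port list such as "5001-5009,3389"
#   $3 = "pop3" to include the transparent POP3 proxy rule (optional)
room_rules() {
    room=$1
    custom=${2:-none}
    base=$((1000 + 100 * room))
    net="10.1.$room.0/24"
    vlan="vlan$room"

    # Traffic-shaper pipes: inbound to the room, then outbound from it.
    printf '%05d pipe %d ip from not 10.1.0.0/16 to %s out via %s\n' $((base + 2)) "$base" "$net" "$vlan"
    printf '%05d pipe %d ip from %s to not 10.1.0.0/16 in via %s\n' $((base + 3)) $((base + 1)) "$net" "$vlan"

    # Transparent proxies: web ports to Squid on 3128, SMTP to the local forwarder.
    for spec in "4:80" "5:3128" "6:8080"; do
        off=${spec%%:*}
        port=${spec##*:}
        printf '%05d fwd 127.0.0.1,3128 tcp from %s to any dst-port %s\n' $((base + off)) "$net" "$port"
    done
    printf '%05d fwd 127.0.0.1,25 tcp from %s to any dst-port 25\n' $((base + 7)) "$net"
    if [ "${3:-}" = "pop3" ]; then
        printf '%05d fwd 127.0.0.1,110 tcp from %s to any dst-port 110\n' $((base + 8)) "$net"
    fi

    # Allow pair: return traffic into the room, then the room's outbound policy.
    printf '%05d allow ip from not 10.1.0.0/16 to %s\n' $((base + 9)) "$net"
    if [ "$custom" = "none" ]; then
        # standard: anywhere except the other 10.1.x.x rooms
        printf '%05d allow ip from %s to not 10.1.0.0/16\n' $((base + 10)) "$net"
    else
        # custom: only the listed destination ports, to any address
        printf '%05d allow ip from %s to any dst-port %s\n' $((base + 10)) "$net" "$custom"
    fi
}

# Usage: sh room_rules.sh 5 5001-5009,3389   or   sh room_rules.sh 6 none pop3
if [ $# -gt 0 ]; then
    room_rules "$@"
fi
```

Prefixing each emitted line with ipfw add turns it into a load command; the extra two columns in the guide's listings are the packet and byte counters printed by ipfw -a list. One point worth checking when a custom rule is in use: the custom outbound rule says to any dst-port ..., not to not 10.1.0.0/16, so on the listed ports a room is no longer prevented from reaching other rooms' subnets by this rule pair alone. Whether the pipes or earlier rules still provide that isolation is something to confirm on the appliance rather than assume from the custom rule.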




 UPS controlled shutdown with the Rhalt.exe program
               for Microsoft Windows.




Under the folder UPS on the CDROM is a Microsoft Windows executable
program, rhalt.exe.

This program can be used to shut the Billing Appliance down when
configured to do so from UPS control software. The connections are
only accepted from clients within the management subnet on the eth2
port, with network addresses in the range 10.1.0/24.




VLAN and Network Switch Configuration

Rapier-i series switch configuration

A configuration file is supplied for the 24 port Rapier-i series
switch that sets port 24 as the uplink port to the billing system;
ports 1 through 23 correspond to room indexes 1 through 23.

A partial configuration file is supplied for the 48-port version.
These configuration files can be customised as long as the billing
system receives VLAN tagged packets on Ethernet port eth1, with
billing based on the VLAN id: VLAN id 1 is the uplink port and VLAN
ids 2 through 51 correspond to room indexes 1 through 50. The
management room and its corresponding subnet are billed against room
index 0 and are available as untagged packets on the billing system
Ethernet interface eth2.

The switch configuration files are provided on the included CDROM.

For untwisted copper pairs set the speed to 10 Mb/s half duplex.
Otherwise set the speed & duplex to match the cabling.
---------------------------------
# SWITCH (pre-VLAN) configuration
#
#
set switch port=1 speed=10mhalf
set switch port=2 speed=10mhalf
.
.
set switch port=24

VLAN ids are created for each room/port. The billing system allocates
a virtual interface per VLAN, vlan1..vlan50, where vlan1 carries
vid 2.
---------------------------------
#
# VLAN general configuration
#
create vlan="room1" vid=2
create vlan="room2" vid=3
.
.
create vlan="room23" vid=24


Ports are added to the Vlan's. The switch port 24 is used in this
case to connect all traffic through to the eth1 interface on the
Billing Appliance so all vlan's include port 24 as a tagged member.
---------------------------------
#
# VLAN port configuration
#
# default vlan

set vlan="1" port=24 frame=tagged

# room1 to 22 vlans 2 to 23
# mgmt vlan port 23

add vlan="2" port=24 frame=tagged
add vlan="2" port=1
add vlan="3" port=24 frame=tagged

add vlan="3" port=2
.
.
add vlan="24" port=24 frame=tagged
add vlan="24" port=23
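The three configuration fragments above are shown with their middle lines elided. The script below is an added example, not the configuration file shipped on the CDROM: it generates the complete Rapier-i command set for any port count, so a customised file can be checked against the mapping the guide requires (room index r on switch port r, VLAN id r + 1, last port as the tagged uplink to eth1, vid 1 as the uplink VLAN). The helper that validates a VLAN id against the 2..51 room range follows the guide's statement of that range; the default speed setting and the choice of port count are parameters, not the guide's values.

```shell
#!/bin/sh
# Added example: generate the Rapier-i VLAN configuration the guide abbreviates.
# Assumptions: last port = tagged uplink to eth1; port p = access port for room p.

# Room index -> 802.1Q VLAN id seen on eth1 (rooms 1..50 use vids 2..51).
vid_for_room() {
    echo $(( $1 + 1 ))
}

# VLAN id -> room index; fails for vids outside the room range (1 is the uplink).
room_for_vid() {
    [ "$1" -ge 2 ] && [ "$1" -le 51 ] || return 1
    echo $(( $1 - 1 ))
}

# Emit the switch configuration.
#   $1 = number of ports (default 24); the last port is the uplink
#   $2 = port speed setting for room ports (default 10mhalf, per the guide)
rapier_vlan_config() {
    ports=${1:-24}
    speed=${2:-10mhalf}
    uplink=$ports
    last_room=$((ports - 1))

    echo "# SWITCH (pre-VLAN) configuration"
    p=1
    while [ "$p" -le "$last_room" ]; do
        echo "set switch port=$p speed=$speed"
        p=$((p + 1))
    done
    echo "set switch port=$uplink"

    echo "#"
    echo "# VLAN general configuration"
    r=1
    while [ "$r" -le "$last_room" ]; do
        echo "create vlan=\"room$r\" vid=$(vid_for_room "$r")"
        r=$((r + 1))
    done

    echo "#"
    echo "# VLAN port configuration"
    # default vlan (vid 1): the uplink carries it tagged
    echo "set vlan=\"1\" port=$uplink frame=tagged"
    # each room vlan: uplink tagged, the room's own port untagged
    r=1
    while [ "$r" -le "$last_room" ]; do
        vid=$(vid_for_room "$r")
        echo "add vlan=\"$vid\" port=$uplink frame=tagged"
        echo "add vlan=\"$vid\" port=$r"
        r=$((r + 1))
    done
}

# Usage: sh rapier_vlans.sh 24 > rapier24.cfg
if [ $# -gt 0 ]; then
    rapier_vlan_config "$@"
fi
```

Because billing is keyed on the VLAN id arriving at eth1, the property to verify on a customised file is that every room port is an untagged member of exactly one VLAN and that only the uplink port is a tagged member of any VLAN; a second tagged port would let a room inject frames with another room's vid.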




                EDIMAX 24 port Configuration
IP: 10.254.254.254

*VLAN Configure
 VLAN Mode: 802.1Q
            IngressFilter1    IngressFilter2
Port PVID NonMember Pkt       Untagged Pkt
PORT1 2     Forward           Forward
PORT2 3     ""                ""
PORTn n+1   ""                ""
...
PORT24 1    ""                ""

*VLAN Groups
 VLAN   Name[room1]     VLAN ID:[2   ] (1~4096)
 PORT   Member
 PORT1 Untagged
 PORT2 No
 ....23 No
 PORT24 Tagged

VLAN groups for rooms 2 through 23 are configured in a similar way to
VLAN group room1 with port 24 always the tagged member with the room
port untagged and other ports not included in the group.

 VLAN Name[DEFAULT]     VLAN ID:[1   ]
 PORT   Member
 PORT1 Untagged
 ....23 ""
 PORT24 Tagged




  Integration with Microsoft Small Business & ISA
                      Server.


       |     Broadband connection
       |     Fiber, ADSL, isdn, frame etc.
       |
       |                           Serial port
       |
                                       Billing
Broadband      (nat) eth0             Appliance
 router    rj45 Ethernet
                       eth2 |
                            |
                            |
   Billing     DHCP server |
  Management 10.1.0.x       |
 Web console Subnet 10.1.0/24
                            |
                            |Additional
                            |network card
                             Microsoft
                           Windows Small
                         Business and ISA
                              Server.
                                  |
                                Network
                                Switch
                Client1__||||.............
                Client2___|||
                Client3____||
                Client4_____|

Adding an additional network card to the existing small business
server leaves the existing network configuration as it was, with the
ISA server configuration set to use the additional network card and
the Billing Appliance for all non-local network and Internet traffic.




                       Troubleshooting.

Problem: Booting the system while connected with a serial
cable from a laptop with a USB to serial converter and even
some systems with an on board serial port can result in the
system stopping during boot at the following line.
atkbdc0: <Keyboard controller (i8042)> at port 0x64,0x60 on isa0

Solution: Boot the system without a serial cable connection
instead connecting to the eth2 Ethernet port with a DHCP
assigned client address and use the supplied Putty SSH
client to access Netconfig or the Billing Appliance Web
interface.

Problem: Removing the USB backup key while the system has
it mounted as a back up drive causes a system panic or
unexpected halt.

Solution: When first installing the Billing Appliance
insert the supplied USB key and do not remove without first
shutting down the appliance. System backups occur every 6
hours of each day for the room database and once a day for
the system log files. The backups are rolled over on a
monthly basis e.g. days 1-31 repeating. System settings can
be written to the USB drive from the NetConfig utility. If
no USB drive is present the system continues to do Backup
to the local file store.




             Appendix NetConfig Updates.
    Version 2.15 adds extended Backup Restore and
              Software Update Functions.




Backup Config writes the network settings and Web GUI to
the first USB drive present as well as the local file
system in the appliance. Separate Load functions are
available to restore network settings or Web GUI from a USB
drive providing the ability to clone configurations.




             Appendix NetConfig Updates.
          Software Update Download via HTTP




A fully qualified hostname and a path name are required to download a
software update file from a web server into the appliance. This
version of NetConfig requires the update file to be located at the
base of the web site folder tree, e.g. www.server.com/update-file.




            Appendix NetConfig Updates.
   Installing Software Update downloaded via HTTP




Installation of the software update is carried out by a
separate menu option shown here.

Note: To view history lines generated by the NetConfig
program simply scroll back the terminal window.



