
Router Lab: Set up firewall and router with a DMZ
1. NETWORK OVERVIEW
[Figure: network overview diagram. Server A (131.204.128.2) sits on the simulated Internet (use a switch to simulate the Internet); the router's outside address is 131.204.128.127. Behind the router: the DMZ subnet 192.168.127.0 with Server B (192.168.127.2) and Client B (192.168.127.3); subnet 10.10.10.0 with Client C (10.10.10.2); and subnet 172.25.25.0 with Client A (172.25.25.2). The diagram labels the router's Port 1 to Port 4; refer to the figure for which port serves which subnet.]

1. Submit one report for each group. On the first page, include your group number
(the same as the number on your router) and list your group members, along with
the IP address each used in the lab, in the following format:
Harry Porter - 131.204.128.2
2. Provide screenshots of the configuration and the ping results for each step, as required.

3. Read the Guideline of Router Configuration carefully; it contains important
information.


2. Lab Steps

2.1 Part 1
2.1.1 Step 1
Step 1: Establish routing between the 4 subnets 131.204.128.0/24, 192.168.127.0/24, 10.10.10.0/24 and
172.25.25.0/24. Show that each subnet can ping the other three. NAPT needs to translate
192.168.127.0/24, 10.10.10.0/24 and 172.25.25.0 to 131.204.128.127 for outside access. Show the routing
table and the config file. Show pings to demonstrate the effect of routing.
For a group with 2 members, server A, server B and client C must be completed, which means you may need
one more machine.
For a group with 3 members, server A, server B and client C must be completed.
For a group with 4 members, server A, server B, client A and client C must be completed.
If the group has more than 4 people, the 5th student should establish a client B in subnet
192.168.127.0/24.
Section 8.2.4 is a guideline on how to do the lab.
Screenshots are required for each step.

2.1.2 Step 2
Step 2: Establish a firewall so that the three inside subnets can reach 131.204.128.2 but the outside subnet
cannot reach the inside subnets. Show the firewall effect by using ping.

2.2 Part 2
2.2.1 Step 3
Step 3: Punch a hole in the firewall so that an outside computer can access the web server at 192.168.127.2
(you can use the firewall wizard in the Adtran 3120). The NAPT lets the DMZ web server have the outside IP
address 131.204.128.127. Show the firewall effect by using ping and Wireshark.

2.2.2 Step 4


Step 4: Establish the DMZ so that both the outside (131.204.128.2) and the inside (10.10.10.0, 172.25.25.0)
can access 192.168.127.2; however, 192.168.127.2 cannot access 10.10.10.0 and 172.25.25.0. Also,
10.10.10.0, 192.168.127.0 and 172.25.25.0 can access 131.204.128.2. Show the DMZ effect by using ping.

2.3 Bonus Steps


Make the two servers real servers: each runs a DNS server, one at 192.168.127.2 and the other at
131.204.128.2. You need to demonstrate that both servers work correctly.
A DNS server can be downloaded from the BIND9 or PowerDNS website. Help can be found at
http://www.wegotserved.co.uk/2008/03/04/installing-php-for-iis-on-windows-home-server/
http://www.iis.net/php
The latest BIND installation tutorial is posted in this file.
If the DNS server does not work, modify the hosts file at c:\winnt\system32\drivers\etc\hosts.
Show the DNS server and client functions using Wireshark. Submit the BIND conf files.
Some examples:
Figure 1-1: Client performed nslookup on servera and response

Figure 1-2: Wireshark of nslookup from client to servera and response

Figure 1-3: Client performed nslookup on server and response


Figure 1-4: Wireshark of nslookup from client to serverb and response

2.4 Guideline of Router Configuration


1. Connect the router to your PC. You had better disable the wireless network while doing
this lab, or at least do not connect to the AU Wifi.
2. Configure your Local connection as follows:


3. Now you can visit the router configuration page at 10.10.10.1. (You may have problems using the
Chrome browser while the router is in factory-default status, so use Firefox, IE or something
else.)
4. The login username is admin, and the password is password.


5. Now the user interface appears:


6. First we start with the routing table:

A default static route should be added (the figure is just an example, not the answer):

7. Since we have 3 subnets, we now do the VLAN configuration:


First, go to Ports and click the port you want to configure.


Then you will see its MAC address:

Now go to VLANs and click Add New VLAN:

For each VLAN, do the configuration like this:

Use the MAC address you just found, and assign this VLAN a name and IP (the figure is just a sample):



Eventually you will have a VLAN setting like this:

8. Now that the VLAN has been created, assign the ports to the VLAN.

Assign them according to the Network Overview section.
The following figure is just a sample (not the correct answer).

Change the VLAN membership, tick the checkboxes and click Apply.
Now go to Routing Tables and see what entries you have now.
9. Then click IP Interfaces to assign an IP address to each port.
Don't forget that eth/0 should have an IP address!




10. Finally we come to the Firewall section.

Each VLAN has a set of security policies, which make up its security zone.

For example, for Private:

There are 3 policies (the factory default will not have all of them).



Press the button to add your own policy:

There are many types of policies. The Advanced type can be used to do everything, but using
Filter/Allow/etc. to do the same thing is clearer.




If you use the Advanced type, you will find some blanks that need to be filled in for your new policy:

When the action is Allow, some traffic from a range of sources to a range of destinations is
allowed (each range can be one or more IP addresses and can be restricted by protocol and port
number).
When the action is Discard, some traffic from a range of sources to a range of destinations is
discarded (the same function as the Filter type).
When the action is NAT:




By moving your mouse to the question-mark symbol, you will see a description of each blank's
function.
What's more, the Advanced type needs one or more traffic selectors to do its work.
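The Allow/Discard/NAT policies above are what implement the reachability rules of Steps 2 to 4 (inside may reach outside and the DMZ, outside may reach only the DMZ server through NAPT, the DMZ may not reach inside). The following script is an added example, not part of the lab handout or of Adtran's software: it models the lab subnets as security zones, evaluates a first-match policy list the way the router does, applies the two NAPT rewrites (inside sources hidden behind 131.204.128.127, outside hits on 131.204.128.127 forwarded to 192.168.127.2), and checks every ping the lab asks you to demonstrate. The zone names and the static NAPT entry are assumptions; the addresses come from the Network Overview.

```python
import ipaddress

# Constructed model of the lab topology from the Network Overview (not Adtran's
# own policy format). Zone names "Public", "DMZ" and "Private" are assumptions.
OUTSIDE_IP = ipaddress.ip_address("131.204.128.127")  # router's outside address (Step 1)
DMZ_WEB = ipaddress.ip_address("192.168.127.2")       # web server in the DMZ (Server B)

ZONES = [
    ("Public",  ipaddress.ip_network("131.204.128.0/24")),
    ("DMZ",     ipaddress.ip_network("192.168.127.0/24")),
    ("Private", ipaddress.ip_network("10.10.10.0/24")),
    ("Private", ipaddress.ip_network("172.25.25.0/24")),
]

# First-match policy list, like the policy list under each security zone in the
# router GUI: (from_zone, to_zone, protocol, dest_port, action); None = any.
# This is the final Step 4 state; for Step 3 alone the Public->DMZ line would be
# narrowed to ("Public", "DMZ", "tcp", 80, "allow").
POLICIES = [
    ("Private", "Public", None, None, "allow"),    # Step 2: inside may reach 131.204.128.2
    ("Private", "DMZ",    None, None, "allow"),    # Step 4: inside may reach 192.168.127.2
    ("DMZ",     "Public", None, None, "allow"),    # Step 4: DMZ may reach 131.204.128.2
    ("Public",  "DMZ",    None, None, "allow"),    # Step 3/4: outside may reach the DMZ server
    (None,      None,     None, None, "discard"),  # everything else: Public->Private, DMZ->Private
]


def zone_of(ip):
    """Map an address to its security zone; raise for addresses outside the lab."""
    ip = ipaddress.ip_address(ip)
    for name, net in ZONES:
        if ip in net:
            return name
    raise ValueError(f"{ip} is not in any lab subnet")


def evaluate(src, dst, proto="icmp", dport=None):
    """Decide one packet entering the router.

    Returns (action, source_as_seen_by_receiver, real_destination), so the
    NAPT rewrites of Step 1 and Step 3 are visible alongside the verdict.
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Step 3: a packet from outside to the router's public address is forwarded
    # to the DMZ server (assumed static NAPT entry) before the policy lookup.
    if dst_ip == OUTSIDE_IP and zone_of(src_ip) == "Public":
        dst_ip = DMZ_WEB
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    action = "discard"
    for from_zone, to_zone, p, port, act in POLICIES:
        if (from_zone in (None, src_zone) and to_zone in (None, dst_zone)
                and p in (None, proto) and port in (None, dport)):
            action = act
            break
    # Step 1: inside and DMZ sources leaving towards Public are hidden behind OUTSIDE_IP.
    seen_src = src_ip
    if action == "allow" and dst_zone == "Public" and src_zone != "Public":
        seen_src = OUTSIDE_IP
    return action, str(seen_src), str(dst_ip)


# The ping matrix the lab asks you to demonstrate in Steps 2 to 4: (src, dst, expected action)
REQUIREMENTS = [
    ("10.10.10.2",    "131.204.128.2",   "allow"),    # Step 2: inside -> outside
    ("172.25.25.2",   "131.204.128.2",   "allow"),
    ("192.168.127.2", "131.204.128.2",   "allow"),    # Step 4: DMZ -> outside
    ("131.204.128.2", "10.10.10.2",      "discard"),  # Step 2: outside -> inside blocked
    ("131.204.128.2", "172.25.25.2",     "discard"),
    ("131.204.128.2", "131.204.128.127", "allow"),    # Step 3/4: outside -> DMZ server via NAPT
    ("10.10.10.2",    "192.168.127.2",   "allow"),    # Step 4: inside -> DMZ
    ("172.25.25.2",   "192.168.127.2",   "allow"),
    ("192.168.127.2", "10.10.10.2",      "discard"),  # Step 4: DMZ -> inside blocked
    ("192.168.127.2", "172.25.25.2",     "discard"),
]


def check_requirements():
    """Return the requirements the policy list fails to meet (empty list = all met)."""
    failures = []
    for src, dst, expected in REQUIREMENTS:
        action, _, _ = evaluate(src, dst)
        if action != expected:
            failures.append((src, dst, expected, action))
    return failures


if __name__ == "__main__":
    for src, dst, expected in REQUIREMENTS:
        print(f"{src:>15} -> {dst:<15}", evaluate(src, dst))
    print("policy list meets the lab requirements:", not check_requirements())
```

Because the list is first-match, the order matters exactly as it does in the router: moving the final discard line to the top would block everything, and dropping it would let Public reach Private, which is the Step 2 failure the ping test is meant to expose. Before each screenshot, edit POLICIES to match the policies you actually configured and check that check_requirements() is still empty.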

11. You must save your configuration before restarting the router, otherwise all your work will be gone!
Go to Utilities - Configuration and click Save!!!!
12. After all the steps, download your configuration file and print it out. This is the important
evidence to show you have finished the lab!!!



How to Install BIND DNS Server in Windows 7


http://drupalmotion.com/article/dev-environment-install-and-configure-bind-dns-serverwindows-7
1. Download BIND (the latest release is now 9.10.3).
2. Start the installation:

In the installer window, leave the default name "named" and enter your password.




3. In System Properties => Environment Variables, find the variable PATH and append the string
;%SYSTEMROOT%\SysWOW64\dns\bin; (for 64-bit Windows) or ;%SYSTEMROOT%\system32\dns\bin; (for
32-bit Windows).

4. Search for the DOS prompt cmd.exe and, importantly, right-click it and choose "Start as administrator". Now
browse to:
C:\Windows\SysWOW64\dns\etc
or, on 32-bit Windows:
C:\Windows\system32\dns\etc

5. By default the dns\etc folder is empty, but not for long. Execute the command:
rndc-confgen -a



This will create a file rndc.key.

In some tutorials you will see an extra step to create an rndc.conf file. That is not needed. If you do it,
you will probably end up with messages like this when trying to "rndc reload":
WARNING: key file (rndc.key) exists, but using default configuration file (rndc.conf) (See)
Also, you don't need to create a resolv.conf file, since BIND will look in the registry for the required
nameserver information.
6. BIND configuration files:
Let's configure BIND. It's better to run the notepad command directly from the already-opened "Admin"
shell, so you won't have Access denied problems later when saving the file.
notepad named.conf
Copy/paste this configuration:
options {
    directory "c:\windows\SysWOW64\dns\etc";
    allow-transfer { none; };
};
logging {
    channel my_log {
        file "named.log" versions 3 size 2m;
        severity info;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    category default {
        my_log;
    };
};
At the beginning, a verbose log with severity info is useful. Later, when you get the DNS server
working, change it to severity warning.
All the options for logging are explained here.
There is no controls statement, so the default configuration will be BIND running on 127.0.0.1 port 953.
If you are curious, here is the full list of statements that can be used (with default values in bold).
Use that IP in the DNS configuration of your Internet connection, and you will start using BIND to
resolve DNS lookups.

