The office has two ISP connections, one from AT&T and one from Comcast. Each has an ISP-provided router in the equipment cabinet in the office, and each service is rated for download and upload speeds between 500 Mb/s and 1 Gb/s. Two identical Netgate 2100 firewalls are attached to these two routers. Because the Netgate 2100 is not a high-throughput device, the effective upload and download speeds through the two ISPs are limited to about 500 Mb/s.
Each firewall has a single WAN interface with two physical ports: a gigabit Ethernet port and a 2.5 Gb/s SFP port. We use the gigabit Ethernet port; neither ISP delivers more than a gigabit, and given the needs of the office there is no reason to pay for faster service. Each firewall also has four gigabit ports labeled LAN1 through LAN4. These are not four independent LAN ports: they are connected to an internal managed switch, and each has been configured as the interface for a separate VLAN.
The AT&T router has four Ethernet ports numbered 1 through 4. AT&T provides us with five static IP addresses, currently 108.252.250.1 through 108.252.250.5, with a gateway address of 108.252.250.6, all from the 108.252.250.0/29 block. The two remaining addresses, 108.252.250.0 and 108.252.250.7, are the network and broadcast addresses of the block and cannot be assigned to a device.
The router is configured to hand one of these public addresses to each device connected (directly or indirectly) to one of its Ethernet ports. A static address can be pinned to a particular device by registering that device's MAC address in the router, so its address does not change if the cabling to the router is changed. If more than five devices are connected to the router, the extra devices receive addresses from the range 192.168.1.64 through 192.168.1.253. 192.168.0.0/16 is a private (RFC 1918) range that is not routable on the internet, so the router must provide connectivity for those devices using NAT, and the address they present to the internet is not their internal address but one of the public addresses provided by AT&T.
Port 1 on the router is connected to the WAN port of firewall 1, and port 4 on the router is connected to the WAN port of firewall 2. The WAN port of firewall 1 receives the address 108.252.250.2 and the WAN port of firewall 2 receives 108.252.250.5.
The management UI for the AT&T router is at 192.168.1.254.
The Comcast router has six Ethernet ports numbered 1 through 6. Comcast provides us with a single static IP address, 50.215.17.53, with a gateway address of 50.215.17.54. Strangely, the firewall is configured with a /29 subnet mask on this interface, but I don't remember why. This might indicate that we actually have more addresses, but probably not. Any other devices connected to the Comcast router are given internal addresses from the range 10.1.10.2 through 10.1.10.253 in the 10.1.10.0/24 subnet. Addresses in this range reach the internet through NAT and are not publicly visible.
Firewall 1 is connected to port 1 of the router and firewall 2 to port 2. Because the single static address is used by firewall 1, the address given to firewall 2 is a dynamically assigned internal one behind the router's NAT (10.1.10.202 at the time of writing), so it cannot reliably be used as a VPN endpoint. In practice the assignment is relatively stable, so it could be used (the router would also have to forward the VPN port to it), but the tunnel would need to be reconfigured whenever the dynamic address changes.
The management interface of the Comcast router is at 10.1.10.1.
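As an added worked example (not part of the original notes), the following Python uses the standard `ipaddress` module to spell out what the two /29 masks above imply: the block each WAN address sits in, its network and broadcast addresses, the usable host range, and which addresses remain assignable once the gateway is taken out. The addresses and gateways are the ones listed for the AT&T and Comcast routers; nothing else is assumed.

```python
import ipaddress

# WAN addresses as documented on this page: the AT&T /29 on fw1's WAN and
# the Comcast address with the /29 mask configured on the firewall, each
# with the gateway the ISP gave us.
ISP_WAN = {
    "AT&T fw1 WAN": ("108.252.250.2/29", "108.252.250.6"),
    "Comcast fw1 WAN": ("50.215.17.53/29", "50.215.17.54"),
}


def describe_block(cidr: str) -> dict:
    """Return what an IPv4 host/prefix pair implies about its block: the
    network, its broadcast address and the usable host range.
    Only IPv4 prefixes of /30 or shorter (at least two usable hosts) are handled."""
    iface = ipaddress.ip_interface(cidr)
    net = iface.network
    if net.version != 4 or net.prefixlen > 30:
        raise ValueError("IPv4 block with at least two usable hosts expected")
    first = net.network_address + 1          # first usable host
    last = net.broadcast_address - 1         # last usable host
    return {
        "address": str(iface.ip),
        "network": str(net),
        "broadcast": str(net.broadcast_address),
        "first_usable": str(first),
        "last_usable": str(last),
        "usable_count": net.num_addresses - 2,
    }


def gateway_is_valid(cidr: str, gateway: str) -> bool:
    """True when the documented gateway is a usable host address inside the block."""
    net = ipaddress.ip_interface(cidr).network
    gw = ipaddress.ip_address(gateway)
    return gw in net and gw not in (net.network_address, net.broadcast_address)


def assignable_hosts(cidr: str, gateway: str) -> list:
    """Addresses the ISP can hand to customer devices: the block's usable
    hosts minus the gateway."""
    net = ipaddress.ip_interface(cidr).network
    gw = ipaddress.ip_address(gateway)
    return [str(h) for h in net.hosts() if h != gw]


if __name__ == "__main__":
    for name, (cidr, gw) in ISP_WAN.items():
        d = describe_block(cidr)
        status = "ok" if gateway_is_valid(cidr, gw) else "INVALID"
        print(f"{name}: {d['network']} (usable {d['first_usable']}-{d['last_usable']}, "
              f"gateway {gw} {status})")
        print("  assignable:", ", ".join(assignable_hosts(cidr, gw)))
```

Running it shows that 50.215.17.53/29 places the firewall in the 50.215.17.48/29 block, whose usable addresses are .49 through .54 with .54 being the gateway: the same shape as the AT&T block (five assignable addresses plus a gateway at the top). That is why the /29 is worth confirming with Comcast rather than assuming; the arithmetic alone does not prove any extra addresses are allocated to us.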
The equipment cabinet contains three switches:
The managed switch has 24 interface ports and 2 additional uplink interfaces, each of which has a gigabit port and an SFP+ port (the SFP+ side is not used). By contrast, an unmanaged switch presents a single network: a frame received on any port is forwarded to whichever port the switch has learned the destination MAC address on, and broadcast frames (or frames to an unknown destination) are flooded to all other ports. In almost all cases this single broadcast domain carries a single subnet identified by one CIDR block.
A managed switch can carry several separate networks on the same hardware using VLANs: frames entering and leaving the switch are tagged with an integer VLAN ID (the 802.1Q tag), and each VLAN normally corresponds to one subnet identified by its own CIDR block. The switch adds the tag to frames arriving on an untagged (access) port, allows only the configured tags out of each port, and strips the tag from frames leaving on an untagged port.
In the case of our switch there are four VLANs, identified by the tags 11, 12, 13, and 14, each carrying one subnet. VLAN 1, the switch's default VLAN, is also present and is used for the trunk. The VLANs are:
| VLAN tag | Subnet | Firewall interface | Switch ports | Usage | Notes |
|---|---|---|---|---|---|
| 11 | 10.10.31.0/24 | COMPUTERS | 8-24 | Computers (wired and wireless) | 1 |
| 12 | 10.10.32.0/24 | PHONES | 6-7 | Office phones | 2 |
| 13 | 10.10.33.0/24 | SHARED | 3-5 | Printers, NAS (Synology) | 3 |
| 14 | 10.10.34.0/24 | WIRELESS | 1-2 | Guest computers, mobile phones, etc. | 4 |
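The tagging, screening and stripping described above, as an added example that is not part of the original notes or of the switch's firmware: a small Python model of the 802.1Q behaviour of this switch. It builds the port membership from the table (ports 1-2 in VLAN 14, 3-5 in VLAN 13, 6-7 in VLAN 12, 8-24 in VLAN 11) and models the uplink to the firewall as one trunk port named "trunk" carrying VLANs 11-14 tagged; that port name is an assumption, since the page does not say which physical port carries the trunk. The sample frames and MAC addresses are constructed for the example.

```python
import struct

ETHERTYPE_8021Q = 0x8100   # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800

# Port membership from the VLAN table: each access port carries one VLAN
# untagged. The uplink to the firewall is modelled as a single trunk port
# named "trunk" (an assumption; the page does not name the physical port)
# that carries VLANs 11-14 tagged.
ACCESS_PORTS = {}
ACCESS_PORTS.update({p: 14 for p in range(1, 3)})    # WIRELESS
ACCESS_PORTS.update({p: 13 for p in range(3, 6)})    # SHARED
ACCESS_PORTS.update({p: 12 for p in range(6, 8)})    # PHONES
ACCESS_PORTS.update({p: 11 for p in range(8, 25)})   # COMPUTERS
TRUNK_PORT = "trunk"
TRUNK_VLANS = {11, 12, 13, 14}


def make_frame(dst: bytes, src: bytes, payload: bytes, ethertype: int = ETHERTYPE_IPV4) -> bytes:
    """Build an untagged Ethernet II frame (no FCS)."""
    return dst + src + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes):
    """Return (dst, src, vlan_id_or_None, ethertype, payload), reading an
    802.1Q header if present (the VID is the low 12 bits of the TCI)."""
    dst, src = frame[0:6], frame[6:12]
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype == ETHERTYPE_8021Q:
        tci, inner = struct.unpack("!HH", frame[14:18])
        return dst, src, tci & 0x0FFF, inner, frame[18:]
    return dst, src, None, etype, frame[14:]


def tag_frame(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert an 802.1Q header (TPID 0x8100 + TCI) after the source MAC."""
    dst, src, existing, etype, payload = parse_frame(frame)
    if existing is not None:
        raise ValueError("frame is already tagged")
    tci = (pcp << 13) | (vid & 0x0FFF)
    return dst + src + struct.pack("!HHH", ETHERTYPE_8021Q, tci, etype) + payload


def untag_frame(frame: bytes) -> bytes:
    """Strip the 802.1Q header; untagged frames are returned unchanged."""
    dst, src, vid, etype, payload = parse_frame(frame)
    if vid is None:
        return frame
    return dst + src + struct.pack("!H", etype) + payload


def classify(ingress, frame: bytes):
    """Ingress filtering: which VLAN does this frame belong to? None means drop.
    Tagged frames arriving on an access port, trunk frames with a VLAN the
    trunk does not carry, and untagged trunk frames (VLAN 1 traffic, which
    this model does not carry) are all dropped."""
    vid = parse_frame(frame)[2]
    if ingress == TRUNK_PORT:
        return vid if vid in TRUNK_VLANS else None
    return ACCESS_PORTS[ingress] if vid is None else None


def forward(ingress, frame: bytes, mac_table: dict) -> dict:
    """Learn the source MAC, then deliver the frame to the learned port for
    its destination or flood it to the other members of the same VLAN.
    Returns {egress_port: frame as it leaves that port}; the trunk gets a
    tagged copy, access ports get it untagged. mac_table maps
    (vlan_id, mac) -> port and is updated in place."""
    vid = classify(ingress, frame)
    if vid is None:
        return {}
    dst, src, _, _, _ = parse_frame(frame)
    mac_table[(vid, src)] = ingress
    members = [p for p, v in ACCESS_PORTS.items() if v == vid] + [TRUNK_PORT]
    known = mac_table.get((vid, dst))
    targets = [known] if known is not None else members
    out = {}
    bare = untag_frame(frame)
    for port in targets:
        if port == ingress:
            continue
        out[port] = tag_frame(bare, vid) if port == TRUNK_PORT else bare
    return out


# Constructed sample: a broadcast from a host on switch port 10 (VLAN 11).
BROADCAST = b"\xff" * 6
HOST_A = b"\x02\x00\x00\x00\x00\x01"
HOST_B = b"\x02\x00\x00\x00\x00\x02"
SAMPLE = make_frame(BROADCAST, HOST_A, b"constructed payload")

if __name__ == "__main__":
    for port, f in sorted(forward(10, SAMPLE, {}).items(), key=str):
        print(port, "leaves with VLAN tag", parse_frame(f)[2])
```

Feeding the sample broadcast in on port 10 produces untagged copies on ports 8-24 (except 10) and a copy tagged with VID 11 on the trunk, and nothing on ports 1-7; a frame tagged 13 arriving on the trunk reaches only ports 3-5. A frame from a port in VLAN 14 never reaches a host learned in VLAN 11 even if the MAC is the same, which is the isolation the four subnets rely on.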
There are two Netgate 2100 firewalls in the office. They are configured to protect the office networks and to provide additional services needed by the office network. In summary, they are:
| # | Name | AT&T IP address | Comcast IP address | Login page color | Role | Sync IP |
|---|---|---|---|---|---|---|
| 1 | fw1.liminalcap.com | 108.252.250.2 | 50.215.17.53 | blue | primary | 10.10.10.2 |
| 2 | fw2.liminalcap.com | 108.252.250.5 | 10.1.10.202 (dynamic) | green | backup | 10.10.10.3 |
Check the firewall(s) at least weekly:
Other notes