This is bogus, this is the same as
deny 0.0.0.0/0 0.0.0.0/0 log - the /0 netmask says ignore every number.
>but my dial-in users could not authenticate. I got PM 1 deny UDP ... and it's
>local (assigned from the pool) ip.
If this filter is on the INPUT side of the WAN port it should not be your
dialin users - if done correctly. The filter as you have it above is
incorrect and would block ALL packets so anything they tried to do going to
the outside world would never get back to them.
>I'm subnetting my network with 255.255.255.224 .
>The assigned pool starts at the second block. The first block is reserved to my
>computers.
>Megazone told me to use:
>
> deny 200.255.96.0/27 0.0.0.0/0 log
That's because when you asked the question you sounded like you were doing
the filters on the dialin lines, not the WAN port. You want to use
deny 200.255.96.0/24 0.0.0.0/0 log
on the WAN port INPUT filter.
>It works, but just protect the first subnet from spoofing, right ?
Yes.
>is that they block what come from the wan port, so why if I use 200.255.96.0/32,
This is also bogus, I'm really not sure what will happen when you say to
block the network address of a C net.
>my dial in users can't authenticate? The PM consider the dial-in ports
And if it has an impact on authentication you have some problems. If
your RADIUS server is on your network with the PMs and both are on the
same side of the WAN port, nothing in the outside world should be needed.
You should be able to unplug that WAN port and still authenticate - IF
your network design is correct.
-MZ
--
Livingston Enterprises - Chair, Department of Interstitial Affairs
Phone: 800-458-9966 510-426-0770 FAX: 510-426-8951
megazone@livingston.com
For support requests: support@livingston.com
<http://www.livingston.com/>
Snail mail: 6920 Koll Center Parkway #220, Pleasanton, CA 94566
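The four filter forms argued over in this thread (the /0, /27, /24 and /32 variants of the WAN INPUT deny rule), as an added example that is not part of the original message or of any PortMaster code: a small Python evaluator with a simplified, assumed rule grammar (source/destination prefix match only, no protocol or port matching), run over two constructed packets arriving inbound on the WAN port.

```python
# Added example (not from the thread or from PortMaster): a minimal evaluator
# for "deny SRC/bits DST/bits [log]" rules, to show why the /0, /27, /24 and
# /32 forms behave differently. The grammar is a simplified assumption; only
# the source/destination prefix match is modelled.
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    log: bool


def parse_rule(text: str) -> Rule:
    """Parse e.g. 'deny 200.255.96.0/24 0.0.0.0/0 log' into a Rule."""
    parts = text.split()
    if len(parts) < 3 or parts[0] not in ("deny", "permit"):
        raise ValueError(f"unsupported rule: {text!r}")
    # strict=False accepts a host address with a shorter prefix (e.g. x.x.x.5/27)
    src = ipaddress.IPv4Network(parts[1], strict=False)
    dst = ipaddress.IPv4Network(parts[2], strict=False)
    return Rule(parts[0], src, dst, "log" in parts[3:])


def matches(rule: Rule, src_ip: str, dst_ip: str) -> bool:
    """A rule matches when both addresses fall inside its prefixes; /0 matches all."""
    return (ipaddress.IPv4Address(src_ip) in rule.src
            and ipaddress.IPv4Address(dst_ip) in rule.dst)


def denied(rules, src_ip: str, dst_ip: str) -> bool:
    """First-match evaluation; a packet matching no rule is permitted."""
    for rule in rules:
        if matches(rule, src_ip, dst_ip):
            return rule.action == "deny"
    return False


# Constructed sample packets seen INBOUND on the WAN port:
# SPOOFED claims a source inside the site's C net (in the second /27, the pool);
# LEGIT is a reply from an outside host (documentation address) to a pool user.
SPOOFED = ("200.255.96.40", "200.255.96.5")
LEGIT = ("198.51.100.7", "200.255.96.40")


def evaluate(rule_text: str):
    """Return (spoofed packet denied?, legitimate reply denied?) for one rule."""
    rules = [parse_rule(rule_text)]
    return (denied(rules, *SPOOFED), denied(rules, *LEGIT))
```

Only the /24 form both drops the spoofed packet and lets the legitimate reply through; /0 drops everything, and /27 and /32 miss a spoofed source in the pool block.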