Bridge between Wired and Wireless networks for a single device?

4


EDIT 18/05/2011: Thanks for your answers, bridge mode IS the solution in most cases for this problem, but I can't use it because it breaks my web server. I am now looking at setting up a specific route as a solution and that's taken care of in a new question here: https://superuser.com/questions/285293/setting-up-a-route-between-wlan-and-lan-on-a-checkpoint-500w Please help if you can. Save my sanity!


(Please note, this question has been heavily edited!)

This was originally a question about getting iTunes Home Sharing to work - using the iPhone (or an iPad) as a remote to control iTunes on a desktop computer. The remote device, in this case an iPhone, is on a wireless network and the desktop PC is on a wired network.

Both wired and wireless networks are handled by a single device which is an all in one business-class firewall and router, a checkpoint safe@office 501w.

The problem was trying to pair 'remote' with 'iTunes' resulted in, well - nothing. No log entries, the software either side saying nothing about anything, just a complete blank.

I found a solution - described in the edit below - the device was throwing up a firewall to protect the wired network from the wireless one, which makes sense if you think about it - to get on my wired network you have to be in my house, so it's a good chance I either know who you are or you're stealing my hardware anyway...

You can technically get on the wireless from outside, though you'd have to get around the MAC address filtering which I hear is not actually impossible, so it makes sense to firewall the main wired network from that access.

I found 'bridge' mode and enabled it and it all worked straight away, but I quickly turned it off again - I don't want a full, perma-bridge between the wireless and wired if at all possible, I just want a bridge or route from the iPhone or iPad to the computer.

So that's now the question - not how to get it working, that's been solved - but how to get it working without potentially leaving a gaping network security hole?

EDIT 03/04/2011:

OK - It works, except I think I may have enabled it to work at a cost of some other security. I was looking around the firewall settings, specifically wireless network and had the option to either configure it in "Firewall Mode" or "Bridge Mode" - the explanation being:

To protect your wired LAN from being accessed by wireless users, select Firewall Mode. If you
prefer to grant full access from the wireless LAN to the LAN, bypassing firewall protection,
select Bridge Mode. 

I probably should have spotted this about 6 months ago... switching to bridge mode works. HOWEVER, I really would prefer not to allow broad access between Wifi and Wired, I'd rather just allow access between the two as needed... I do use MAC address control and it's unlikely that anyone who lives within range is a hacker hellbent on accessing my files, but I'd rather stick with good practice.

So the question should now be - how can I emulate this bridge mode ONLY FOR device(s) I specify?

Codecraft

Posted 2011-03-29T11:26:39.883

Reputation: 91

A further thought - I have also tried this having completely disabled Windows 7 firewall - still nothing! – None – 2011-03-29T11:31:50.880

Has the iPhone connected to your WIFI or has it maybe picked up a public hotspot? That's a problem where I live as the hotspot signal is pretty strong in our flat. – None – 2011-03-29T11:53:26.487

It's definitely on my own WIFI. – None – 2011-03-29T11:59:59.180

Do you have Bonjour for Windows installed? (should come with iTunes) – None – 2011-03-29T13:10:27.330

Yes, version 2.0.4.0 - No idea what it is, but its there. – None – 2011-03-29T13:14:51.950

Pretty sure this is not programming related... – esqew – 2011-04-02T17:22:41.927

I have the same problem. And I think it's because my router is.. just a bad router. My suspicion is that the WiFi and the Ethernet connections aren't "shared" inside the router. For me, Home Sharing works if a wired device tries to talk with another wired device. And the same is for WiFi (WiFi to WiFi works). I really hope someone has a solution to this problem. – None – 2011-04-02T17:29:13.317

I'm reasonably sure you are describing the problem I am having - but just can't fix. It's not actually a bad router, at least in my case - it's a very good one. Since theoretically, someone outside my home COULD get onto my wifi network if they got through the security, keeping the wired protected from it is a good idea. However it is in this case, if this is the problem - then it is a little bit 'too' protected... I allow other things to work from wifi to wired by setting rules, but no rules I've tried are allowing this particular problem to be solved. – None – 2011-04-02T20:47:29.100

Are the wireless clients and the wired clients on the same network range? Is the wireless provided by a wireless access point or by a wireless router? – emgee – 2011-04-02T22:02:44.923

The magic checkpoint box is a firewall and router for both wired and wireless as well as VPN. It is probably important to note that it does give a 10.0.0.x IP to wired clients and a 192.168.x.x IP to wireless ones.... which I have thought could be the problem but have been unable to solve. – Codecraft – 2011-04-03T20:41:52.673

Alright, I was just having an explore around the firewall settings and have managed to get it working - however I think it may be at the cost of some security - please see my question edit (03/04/2011) – Codecraft – 2011-04-03T20:49:08.097

You could set up a DMZ (De-Militarized Zone) within your router's settings. – None – 2011-11-04T06:53:53.557

Answers

0

Adding my own answer because sadly none of the ones here so far are near the mark. The solution was found to be setting up a bridge between wireless and wired networks on the same device, which are firewalled by default (to prevent someone getting on your wireless and accessing your devices).

For anyone in the same situation (based on firmware 8.0.36x) - log in to your checkpoint admin panel and click:

  • NETWORK
  • MY NETWORK
  • and then EDIT (next to WLAN/Wireless LAN).
  • Select WIRELESS WIZARD and skip through to the 'Wireless Security' section of the resultant popup window, you will then be able to switch from FIREWALL MODE to BRIDGE MODE. Bridge mode allows wireless network devices to have full access rights to anything on your wired network.

So that works - but I really hope someone can come up with a better answer that doesn't involve a full network bridge. Surely better to be able to specifically punch a hole in your firewall for specific IPs or devices than to allow everything through - just in case someone gets on your wifi?

Codecraft

Posted 2011-03-29T11:26:39.883

Reputation: 91

1

Look here for Windows Firewall settings: http://support.apple.com/kb/HT2553

Also, not knowing your router config and/or capabilities, I would look to make sure that there is an "any/any" kind of policy for going from WLAN to LAN and vice versa.

I hope this helps.

Jason Bugs Adams

Posted 2011-03-29T11:26:39.883

Reputation:

iTunes already allowed through; I've tried this having turned Windows firewall off completely and it's no go. Thanks for trying, but no coconut for you! – None – 2011-04-02T20:44:21.940

0

This may or may not be the case, but the last update I installed for iTunes broke Bonjour for Windows, it just wouldn't install, automatically or manually.

The way I understand it is that Bonjour helps Apple devices or services find each other on the network, and without it, I haven't been able to use the Remote app either.

If this is the case, an update may rectify the situation (though it hasn't for me, it still won't successfully install)

Azz

Posted 2011-03-29T11:26:39.883

Reputation: 3 777

So as far as I could tell, Bonjour is running without issue - but I what else it does so I couldn't say for absolutely sure. I reinstalled it from the Apple website but still nothing. I've just been checking and opening a whole bunch of other ports on my firewall but no joy, and nothing in the log suggesting any blocked communication between the iPhone and the PC. – Codecraft – 2011-04-03T20:30:12.277

0

The User Manual for your router specifies that the firewall does allow well-configured wireless devices to access the network. They should then have the same rights on the network as any other computer, wired or wireless.

Quoting from the section "Troubleshooting Wireless Connectivity" on page 199:

I cannot connect to the WLAN from a wireless station. What should I do?

  • Check that the SSID configured on the station matches the Safe@Office appliance's SSID. The SSID is case-sensitive.
  • Check that the encryption settings configured on the station (encryption mode and keys) match the Safe@Office appliance's encryption settings.
  • If MAC filtering is enabled, verify that the MAC address of all stations is listed in the Network Objects page (see Viewing and Deleting Network Objects on page 138).

harrymc

Posted 2011-03-29T11:26:39.883

Reputation: 306 093

All of the wireless devices have access to the internet via the router, the problem is that in this case - without using bridge mode as I have now found out - they don't have access to the wired network, where the PC running iTunes is. – Codecraft – 2011-04-04T13:03:35.183

To clarify - I was hoping to find a solution now that doesn't involve creating a non-firewalled bridge between Wifi and Wired, on the off-chance that someone finds a way to connect. I don't want to expose the contents of my server or my NAS. – Codecraft – 2011-04-04T13:10:38.500

I don't know your router, but every router I have ever used gave wireless-connected computers the same rights on the network as any other computer. Once you are in, you are totally in. I believe that either some parameter on the router is bad, or you need to try another router, or the iPhone software you are using is not working correctly with Windows. – harrymc – 2011-04-04T13:29:06.180

It's not just a NAT router like you'd get from your local computer store to connect to your broadband, it's a firewall designed for small business use as well. Having security between wifi and wired is sensible, if you think about it! The problem is that I can only presently work out how to either remove that security entirely or have one network completely separated from the other, when I'm really looking to punch an iTunes sized hole in the security between the two networks. – Codecraft – 2011-04-04T13:42:03.027

Do you have the latest firmware? – harrymc – 2011-04-04T14:05:58.117

So far as I know - the device is supposed to auto update; though I did have to manually do it when I first bought it due to it shipping with an out of date, buggy version. – Codecraft – 2011-04-04T19:55:30.877

Better check it out. – harrymc – 2011-04-04T20:12:56.890

Bought subscription, updated firmware. No change. – Codecraft – 2011-05-18T15:38:49.760

0

Can you make rules that allow only the ports needed by Bonjour or the Remote app to access the LAN? Possibly limit access to this rule by MAC address? Not sure about the MAC address or not. Here is a list from Apple of used ports by their products.

http://support.apple.com/kb/ts1629

Tony

Posted 2011-03-29T11:26:39.883

Reputation: 1

You'd think so - I tried this with no luck, but maybe I didn't get all of the right ports open. It should work, for instance accessing the control panel for the firewall itself was disabled for wifi but it was easy enough to use a rule to open it. For now I'm just working in bridge mode and be damned! – Codecraft – 2011-04-27T09:07:38.943

Here is another KB article I found! Specifies the ports. http://support.apple.com/kb/TS1741 – Tony – 2011-04-27T14:07:06.350

I actually spoke to someone at the manufacturer of the firewall while I was resolving a subscription issue and trying to get the new firmware. They suggested setting up a security rule that allows WLAN to LAN, and LAN to WLAN. Makes sense, didn't work though. – Codecraft – 2011-05-18T15:39:55.297
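
The per-device, per-port rule idea raised in the last answer, compared with an any/any WLAN-to-LAN policy, as an added example that is not part of the original thread and is not Check Point configuration. The host addresses are constructed from the 10.0.0.x and 192.168.x.x ranges mentioned above, the first-match evaluator is a generic model, and TCP 3689 (DAAP) and UDP 5353 (mDNS) are the standard iTunes sharing and Bonjour ports, not a verified complete list for the Remote app.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addresses: the page only gives 10.0.0.x (wired) and 192.168.x.x (wireless).
IPHONE, OTHER_WIFI = "192.168.252.10", "192.168.252.77"
ITUNES_PC, NAS = "10.0.0.5", "10.0.0.20"
MDNS_GROUP = "224.0.0.251"   # Bonjour/mDNS multicast group, UDP 5353 (RFC 6762)

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source network in CIDR form
    dst: str               # destination network in CIDR form
    proto: str             # "tcp", "udp" or "any"
    port: Optional[int]    # None matches any destination port

    def matches(self, src, dst, proto, port):
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.port in (None, port))

def decide(rules, src, dst, proto, port):
    """First matching rule wins; unmatched WLAN-to-LAN traffic is dropped."""
    for rule in rules:
        if rule.matches(src, dst, proto, port):
            return rule.action
    return "deny"

# Equivalent of an any/any WLAN-to-LAN policy.
ANY_ANY = [Rule("allow", "192.168.0.0/16", "10.0.0.0/24", "any", None)]
# One device, one host, one service: TCP 3689 is DAAP (iTunes sharing).
SCOPED = [Rule("allow", IPHONE + "/32", ITUNES_PC + "/32", "tcp", 3689)]

FLOWS = {
    "iphone->pc daap": (IPHONE, ITUNES_PC, "tcp", 3689),
    "iphone->nas smb": (IPHONE, NAS, "tcp", 445),
    "other->pc daap":  (OTHER_WIFI, ITUNES_PC, "tcp", 3689),
    "iphone->mdns":    (IPHONE, MDNS_GROUP, "udp", 5353),
}

def audit(rules):
    """Return the decision for every sample flow under one rule set."""
    return {name: decide(rules, *flow) for name, flow in FLOWS.items()}

if __name__ == "__main__":
    for label, rules in (("any/any", ANY_ANY), ("scoped", SCOPED)):
        print(label, audit(rules))
```

The mDNS query is denied under both rule sets because its destination is the multicast group 224.0.0.251 rather than a LAN host, so a unicast port rule between two subnets does not carry Bonjour discovery even when the service port itself is open.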