How to set IP Network Restrictions for your Reach Portal 

Overview

This document serves to explain how to implement network restrictions that can influence student behaviour in Reach. It is designed to explain how it works and what you need in order to implement this within your school.

What can Network Restrictions achieve for you in Reach?

Network Restrictions can be used to influence student permissions or actions in Reach in the following way:

1. Where students are permitted to sign back into school from an off campus leave event using their mobile device Reach can use Network Restrictions to ensure that this occurs only when the student is using your identified network. This ensures that the student must be in the proximity of your network in order to sign back into school.
2. Student SISO to any on-campus location using their mobile device can be restricted in the same manner (ie. they must be on your WiFi network in order to sign into an on campus location)
   
3. Reach can monitor parent approvals to leave requests and generate a warning flag when a parent approval to a leave request is provided from an on campus IP address. This flag may indicate a student is attempting to impersonate a parent in order to approve their own leave request. ARTICLE: IP Alerts for Suspicious Leave Approvals in Reach
   

Network Basics

When connected to the internet your device receives an IP address from a DHCP server. This is typically controlled by the local access point for smaller networks, or by a central DHCP server managed by your IT administrators.When connected to external networks, this IP address is allocated by your service provider.  Reach can examine the IP address of the device that a Boarder is using at the time of any operation and, based on your requirements, allow or prevent an action from occurring.

Public versus Private Networks

A public network simply refers to a network which is controlled by someone other than you or your school.  A private network simply refers to a network which is controlled by you or your school.  Public networks tend to have globally accessible IP addresses. Private networks almost always have IP addresses that are NOT accessible directly via the internet. They have to use something called NAT to send and receive data.Private networks addresses tend to look like:

• 10.1.1.23 or
  
• 192.168.0.65 and so on
  

Each IP address consists of four parts (octets). In the example above they are, 10, 1, 1 and 23 or 192, 168, 0 and 65.

Implementing Restrictions

In order for Reach to know who to restrict you need to tell Reach how to calculate the Boarder’s IP address. Using the examples above, let’s restrict Boarder’s so they can ONLY access SISO events if they are on any one of the two above networks.  The first network is 10.1.1.0. This covers all IP address from 10.1.1.1 through to 10.1.1.255.  The second network is 192.168.0.0.  This covers all IP addresses from 192.168.0.1 through to 192.168.0.255.  Instead of you having to write:

• 192.168.0.1
  
• 192.168.0.2
  
• 192.168.0.3 and so on, then
  
• 10.1.1.1
  
• 10.1.1.2, etc.
  

We can allow you to write these ranges of IP address very simply. See the table below:

As you can see, the *’s mean ANY IP address that is valid at that part of the IP address.  A /24 for example means that we want 10.1.1.ANYTHING or 192.168.0.ANYTHING to be considered part of your restriction.  In order to implement the above restrictions to the two networks we would simply write:

• 10.1.1.0/24
  
• 192.168.0.0/24
  

This tells Reach that we should use the /24 matching pattern. In this case it will look at the Boarder’s IP address and see if it matches 10.1.1.ANYTHING or if it matches 192.168.0.ANYTHING.  Some schools have LARGE networks. These networks can span thousands of IP addresses but thankfully, Reach can use the pattern matching to very easily accommodate. For example, say they have 10.1.1.0 through 10.1.7.0.  That’s A LOT of IP addresses, but can be simply written as:

• 10.1.1.0/24
  
• 10.1.2.0/24
  
• 10.1.3.0/24
  
• 10.1.4.0/24
  
• 10.1.5.0/24
  
• 10.1.6.0/24
  
• 10.1.7.0/24
  

Or, even simpler:

• 10.1.0.0/16
  

This will cover ALL the IP address networks AND allow the school to grow (say they wanted to add 10.1.8.0/24 and so on) without having to update Reach at all.  Reach can accommodate infinite variations with infinite combinations such as:

• 10.0.0.0/8
  
• 192.168.0.0/16
  
• 172.169.56.0/24 and so on
  

How to set your School IP credentials

IP Address can also be set to create a Geo-Fence

In the network settings section you can also create a geo-fence using your campus IP address details so that students who are permitted to sign themselves back in from off campus leave events must be on the campus network in order to sign back in to campus.

Conclusion

Reach can calculate the IP address pattern of any Boarder’s device to ensure that they are physically present at your school. We can work with any number of networks and most importantly, we can save you time by allowing you to write simple IP address notations that save you having to define every single valid IP address on your network.

If you still are unsure about what your restrictions should be, please don’t hesitate to contact us at support.reach.cloud.