ARTICLE: How To Set IP Network Restrictions

ARTICLE: How To Set IP Network Restrictions

How to set IP Network Restrictions for your Reach Portal 

Overview

This document serves to explain how to implement network restrictions that can influence student behaviour in Reach. It is designed to explain how it works and what you need in order to implement this within your school.

What can Network Restrictions achieve for you in Reach?

Network Restrictions can be used to influence student permissions or actions in Reach in the following way:

  1. Where students are permitted to sign back into school from an off campus leave event using their mobile device Reach can use Network Restrictions to ensure that this occurs only when the student is using your identified network. This ensures that the student must be in the proximity of your network in order to sign back into school.
  2. Student SISO to any on-campus location using their mobile device can be restricted in the same manner (ie. they must be on your WiFi network in order to sign into an on campus location)
  3. Reach can monitor parent approvals to leave requests and generate a warning flag when a parent approval to a leave request is provided from an on campus IP address. This flag may indicate a student is attempting to impersonate a parent in order to approve their own leave request. ARTICLE: IP Alerts for Suspicious Leave Approvals in Reach

Network Basics

When connected to the internet your device receives an IP address from a DHCP server. This is typically controlled by the local access point for smaller networks, or by a central DHCP server managed by your IT administrators.When connected to external networks, this IP address is allocated by your service provider.  Reach can examine the IP address of the device that a Boarder is using at the time of any operation and, based on your requirements, allow or prevent an action from occurring.

Public versus Private Networks

A public network simply refers to a network which is controlled by someone other than you or your school.  A private network simply refers to a network which is controlled by you or your school.  Public networks tend to have globally accessible IP addresses. Private networks almost always have IP addresses that are NOT accessible directly via the internet. They have to use something called NAT to send and receive data.Private networks addresses tend to look like:

  • 10.1.1.23 or
  • 192.168.0.65 and so on

Each IP address consists of four parts (octets). In the example above they are, 10, 1, 1 and 23 or 192, 168, 0 and 65.

Implementing Restrictions

In order for Reach to know who to restrict you need to tell Reach how to calculate the Boarder’s IP address. Using the examples above, let’s restrict Boarder’s so they can ONLY access SISO events if they are on any one of the two above networks.  The first network is 10.1.1.0. This covers all IP address from 10.1.1.1 through to 10.1.1.255.  The second network is 192.168.0.0.  This covers all IP addresses from 192.168.0.1 through to 192.168.0.255.  Instead of you having to write:

  • 192.168.0.1
  • 192.168.0.2
  • 192.168.0.3 and so on, then
  • 10.1.1.1
  • 10.1.1.2, etc.


We can allow you to write these ranges of IP address very simply. See the table below:

/8
/16
/24
/32
10.*.*.*
10.1.*.*
10.1.1.*
10.1.1.1
192.*.*.*
192.168.*.*
192.168.0.*
192.168.0.1


As you can see, the *’s mean ANY IP address that is valid at that part of the IP address.  A /24 for example means that we want 10.1.1.ANYTHING or 192.168.0.ANYTHING to be considered part of your restriction.  In order to implement the above restrictions to the two networks we would simply write:

  • 10.1.1.0/24
  • 192.168.0.0/24


This tells Reach that we should use the /24 matching pattern. In this case it will look at the Boarder’s IP address and see if it matches 10.1.1.ANYTHING or if it matches 192.168.0.ANYTHING.  Some schools have LARGE networks. These networks can span thousands of IP addresses but thankfully, Reach can use the pattern matching to very easily accommodate. For example, say they have 10.1.1.0 through 10.1.7.0.  That’s A LOT of IP addresses, but can be simply written as:

  • 10.1.1.0/24
  • 10.1.2.0/24
  • 10.1.3.0/24
  • 10.1.4.0/24
  • 10.1.5.0/24
  • 10.1.6.0/24
  • 10.1.7.0/24

Or, even simpler:

  • 10.1.0.0/16

This will cover ALL the IP address networks AND allow the school to grow (say they wanted to add 10.1.8.0/24 and so on) without having to update Reach at all.  Reach can accommodate infinite variations with infinite combinations such as:

  • 10.0.0.0/8
  • 192.168.0.0/16
  • 172.169.56.0/24 and so on

How to set your School IP credentials

Setting your school's IP network credentials provides Reach with the network addresses that represent your campus locations.  Devices using this WIFI network will then be identified as using the school's network or being on campus.Setting these credentials requires access to the System Configuration menu in Reach. Go to System Configuration > Network


IP Address can also be set to create a Geo-Fence

In the network settings section you can also create a geo-fence using your campus IP address details so that students who are permitted to sign themselves back in from off campus leave events must be on the campus network in order to sign back in to campus.


Conclusion

Reach can calculate the IP address pattern of any Boarder’s device to ensure that they are physically present at your school. We can work with any number of networks and most importantly, we can save you time by allowing you to write simple IP address notations that save you having to define every single valid IP address on your network.


If you still are unsure about what your restrictions should be, please don’t hesitate to contact us at support.reach.cloud.


    • Related Articles

    • ARTICLE: IP address Alerts for Suspicious Leave Approvals in REACH

      During the approval procedure for leave requests one of the many things that REACH monitors and records in your audit log.  One of the important items that we monitor and record is the IP address of all participants. The IP address is the digital ...
    • ARTICLE: Leave Types Configuration

      Go To: System Configuration > Leave Types The Leave Type configuration is one of the most important structural settings in Reach. Here, Leave Types are created, cloned and all settings are managed. Also, you can control whether you wish to make ...
    • ARTICLE: General System Configuration

      Items in System Configuration >> General, are the base settings of primary elements within Reach that apply across all modules. There are many actionable 'General Setting' items that can be set and edited to suit your schools specific preferences ...
    • ARTICLE: Reach Student Primer

      Welcome to Reach Student Life Management The Reach platform is a student management system that is designed specifically for boarding schools. It helps your school to manage an extensive range of residential activities including leave, rollcalls, ...
    • ARTICLE: Manage Leave Icons Explained

      The Manage Leave screen is the epicentre of the leave module. All leave items will be displayed on this screen from the moment they are created until the moment that it is completed with a Sign In / Sign Out (SISO) or if unused when the return time ...