This document serves to explain how to implement network restrictions that can influence student behaviour in Reach. It is designed to explain how it works and what you need in order to implement this within your school.
Network Restrictions can be used to influence student permissions or actions in Reach in the following way:
When connected to the internet, your device receives an IP address from a DHCP server. This is typically controlled by the local access point for smaller networks, or by a central DHCP server managed by your IT administrators. When connected to external networks, this IP address is allocated by your service provider. Reach can examine the IP address of the device that a Boarder is using at the time of any operation and, based on your requirements, allow or prevent an action from occurring.
A public network simply refers to a network which is controlled by someone other than you or your school. A private network simply refers to a network which is controlled by you or your school. Public networks tend to have globally accessible IP addresses. Private networks almost always have IP addresses that are NOT accessible directly via the internet. They have to use something called NAT (Network Address Translation) to send and receive data. Private network addresses tend to look like:
Each IP address consists of four parts (octets). In the example above they are 10, 1, 1 and 23 or 192, 168, 0 and 65.
In order for Reach to know who to restrict, you need to tell Reach how to calculate the Boarder’s IP address. Using the examples above, let’s restrict Boarders so they can ONLY access SISO events if they are on one of the two networks above. The first network is 10.1.1.0. This covers all IP addresses from 10.1.1.1 through to 10.1.1.255. The second network is 192.168.0.0. This covers all IP addresses from 192.168.0.1 through to 192.168.0.255. Instead of you having to write:
We can allow you to write these ranges of IP addresses very simply. See the table below:
/8 | /16 | /24 | /32 |
10.*.*.* | 10.1.*.* | 10.1.1.* | 10.1.1.1 |
192.*.*.* | 192.168.*.* | 192.168.0.* | 192.168.0.1 |
As you can see, each * means ANY value that is valid in that part of the IP address. A /24, for example, means that we want 10.1.1.ANYTHING or 192.168.0.ANYTHING to be considered part of your restriction. In order to apply the above restrictions to the two networks we would simply write:
This tells Reach that we should use the /24 matching pattern. In this case it will look at the Boarder’s IP address and see if it matches 10.1.1.ANYTHING or if it matches 192.168.0.ANYTHING. Some schools have LARGE networks. These networks can span thousands of IP addresses but, thankfully, Reach can use pattern matching to accommodate them very easily. For example, say a school has 10.1.1.0 through 10.1.7.0. That’s A LOT of IP addresses, but it can be simply written as:
Or, even simpler:
This will cover ALL the IP address networks AND allow the school to grow (say they wanted to add 10.1.8.0/24 and so on) without having to update Reach at all. Reach can accommodate infinite variations with infinite combinations such as:
IP Addresses can also be used to create a Geo-Fence
In the network settings section you can also create a geo-fence using your campus IP address details, so that students who are permitted to sign themselves back in from off-campus leave events must be on the campus network in order to sign back in to campus.
Reach can calculate the IP address pattern of any Boarder’s device to ensure that they are physically present at your school. We can work with any number of networks and most importantly, we can save you time by allowing you to write simple IP address notations that save you having to define every single valid IP address on your network.
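The matching described above can be sketched in Python as an added illustration; this is not Reach's own code. The function names are hypothetical, the accepted notation is assumed to be the wildcard forms from the table or the equivalent CIDR form, and 203.0.113.7 is a constructed off-campus address.

```python
import ipaddress

def pattern_to_network(pattern):
    """Convert '10.1.1.*' (table notation) or '10.1.1.0/24' (CIDR) to a network."""
    if "/" in pattern:
        # strict=True rejects entries with host bits set, such as 10.1.1.23/24
        return ipaddress.ip_network(pattern, strict=True)
    octets = pattern.split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four octets: {pattern!r}")
    fixed = 0
    while fixed < 4 and octets[fixed] != "*":
        fixed += 1
    # Refuse '*.*.*.*' (matches everything) and wildcards in the middle
    if fixed == 0 or any(o != "*" for o in octets[fixed:]):
        raise ValueError(f"wildcards must be trailing: {pattern!r}")
    base = ".".join(octets[:fixed] + ["0"] * (4 - fixed))
    return ipaddress.ip_network(f"{base}/{8 * fixed}", strict=True)

def is_allowed(device_ip, patterns):
    """True only if device_ip parses and falls inside one of the patterns."""
    try:
        addr = ipaddress.ip_address(device_ip.strip())
    except ValueError:
        return False  # fail closed on anything that is not a valid address
    return any(addr in pattern_to_network(p) for p in patterns)

def address_count(patterns):
    """Number of distinct addresses a set of patterns admits."""
    nets = ipaddress.collapse_addresses(pattern_to_network(p) for p in patterns)
    return sum(n.num_addresses for n in nets)

# Constructed sample data built from the networks named in the text
SISO_NETWORKS = ["10.1.1.*", "192.168.0.*"]
SEVEN_NETWORKS = [f"10.1.{n}.*" for n in range(1, 8)]  # 10.1.1.* .. 10.1.7.*

if __name__ == "__main__":
    for ip in ["10.1.1.23", "192.168.0.65", "10.1.2.23", "203.0.113.7", "not-an-ip"]:
        print(ip, "allowed" if is_allowed(ip, SISO_NETWORKS) else "blocked")
    print(address_count(SEVEN_NETWORKS), "vs", address_count(["10.1.*.*"]))
```

The final line compares the two ways of writing the large-network case: the seven /24 networks admit 1,792 addresses, while 10.1.*.* admits 65,536, so the broader entry also matches addresses the school has not assigned yet.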
If you are still unsure about what your restrictions should be, please don’t hesitate to contact us at support.reach.cloud.