Remote office sending Internet traffic through my location - TCP-IP
Remote office sending Internet traffic through my location
Hello, I am wondering if anyone can suggest a solution. This is the
scenario:
Have a huge public IP block. Would like to assign subnets of that to
several remote offices. Obvious problem is that they are not behind
my router, but I would like their internet traffic to go through it
nonetheless. Is there even a way to do that?
-
Re: Remote office sending Internet traffic through my location
On Jan 22, 11:18 pm, f1f1 wrote:
> Hello, I am wondering if anyone can suggest a solution. This is the
> scenario:
>
> Have a huge public IP block. Would like to assign subnets of that to
> several remote offices. Obvious problem is that they are not behind
> my router, but I would like their internet traffic to go through it
> nonetheless. Is there even a way to do that?
Unless I'm misunderstanding your requirement, this is trivial. Just
put a firewall at each remote site, plus one at the central site, and
set up a VPN tunnel between each of the remote firewalls and the
central one. Then make sure the routing and firewall rules are such
that all traffic is forwarded to the central site.
The resulting network *is* all behind your main firewall/router. The
VPN happens to be physically using the Internet, but that's basically
invisible to anyone in your network (except for the people configuring
the VPN stuff, of course). You might as well have run a dedicated
piece of wire to each remote office.
You will need to deal with the usual reliability issues, as well as
explaining the extra bandwidth costs to management, and extra delay in
Internet access to the users, but presuming you have some reasonable
justification for this, those should be minor issues.
A number of basic VPN devices also exist, which may be less expensive
or easier to deploy in some scenarios. Cisco has a few whitepapers on
their Easy VPN series of gear, which you might find useful.
Alternatively, for just the VPN aspect of things, all you really need
is a basic PC running Linux; all the VPN and IPsec stuff you might
want is there for free. You'll have to determine if that meets your
service level goals, of course.
A somewhat different, but often better, approach is to install
firewalls at each site, and manage them centrally. You can still VPN
inter-site traffic between the firewalls, but you don't have to bounce
all internet traffic through the central site. With central
management, you can usually set up one policy that's applied to all
the firewalls.
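The routing requirement in the reply above ("all traffic is forwarded to the central site"), sketched as an added example that is not part of the original thread: it carves a public block into per-office subnets and audits a remote site's route table for paths that bypass the tunnel. It assumes a route-based tunnel interface; the interface names, office names and all addresses (documentation ranges) are constructed.

```python
import ipaddress

def allocate(block, offices, prefixlen):
    """Carve one subnet of the given prefix length per office out of the block."""
    subnets = ipaddress.ip_network(block).subnets(new_prefix=prefixlen)
    return {office: next(subnets) for office in offices}

def audit_site(routes, tunnel_if, wan_if, wan_link, hub_endpoint):
    """Return findings for a remote site's routes, given as (CIDR, interface).

    Full tunnelling means: the only default route uses the tunnel, and the
    only things reachable over the ISP uplink are the connected WAN link and
    a host route to the hub's VPN endpoint (without that host route the
    encrypted packets would themselves be routed into the tunnel).
    """
    findings = []
    hub = ipaddress.ip_network(hub_endpoint + "/32")
    link = ipaddress.ip_network(wan_link)
    parsed = [(ipaddress.ip_network(d), i) for d, i in routes]
    defaults = [i for n, i in parsed if n.prefixlen == 0]
    if defaults != [tunnel_if]:
        findings.append(f"default route must be via {tunnel_if} only, found {defaults}")
    if (hub, wan_if) not in parsed:
        findings.append(f"no host route for hub {hub_endpoint} via {wan_if}")
    for net, iface in parsed:
        if iface == wan_if and net.prefixlen != 0 and net not in (hub, link):
            findings.append(f"{net} bypasses the tunnel via {wan_if}")
    return findings

# Constructed sample data: tun0 = VPN tunnel, eth0 = ISP uplink, eth1 = office LAN.
OFFICES = allocate("198.51.100.0/24", ["office-a", "office-b", "office-c"], 26)
GOOD_ROUTES = [
    ("0.0.0.0/0", "tun0"),          # everything goes to the central site
    ("203.0.113.1/32", "eth0"),     # hub VPN endpoint pinned to the uplink
    ("192.0.2.0/30", "eth0"),       # connected WAN link
    ("198.51.100.64/26", "eth1"),   # office-b's allocated subnet
]
LEAKY_ROUTES = [
    ("0.0.0.0/0", "eth0"),          # default straight out the ISP
    ("192.0.2.0/30", "eth0"),
    ("198.51.100.64/26", "eth1"),
    ("203.0.113.128/25", "eth0"),   # static route that skips the tunnel
]

if __name__ == "__main__":
    for name, table in (("good", GOOD_ROUTES), ("leaky", LEAKY_ROUTES)):
        print(name, audit_site(table, "tun0", "eth0", "192.0.2.0/30", "203.0.113.1"))
```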
-
Re: Remote office sending Internet traffic through my location
"robertwessel2@yahoo.com" writes:
> Unless I'm misunderstanding your requirement, this is trivial.
Agreed. I used to use stunnel. Now I use OpenVPN with my "ISP" to get
a fixed IP address.
-
Re: Remote office sending Internet traffic through my location
On Jan 22, 10:25 pm, "robertwess...@yahoo.com" wrote:
> On Jan 22, 11:18 pm, f1f1 wrote:
>
> > Hello, I am wondering if anyone can suggest a solution. This is the
> > scenario:
>
> > Have a huge public IP block. Would like to assign subnets of that to
> > several remote offices. Obvious problem is that they are not behind
> > my router, but I would like their internet traffic to go through it
> > nonetheless. Is there even a way to do that?
>
> Unless I'm misunderstanding your requirement, this is trivial. Just
> put a firewall at each remote site, plus one at the central site, and
> set up a VPN tunnel between each of the remote firewalls and the
> central one. Then make sure the routing and firewall rules are such
> that all traffic is forwarded to the central site.
>
> The resulting network *is* all behind your main firewall/router. The
> VPN happens to be physically using the Internet, but that's basically
> invisible to anyone in your network (except for the people configuring
> the VPN stuff, of course). You might as well have run a dedicated
> piece of wire to each remote office.
>
> You will need to deal with the usual reliability issues, as well as
> explaining the extra bandwidth costs to management, and extra delay in
> Internet access to the users, but presuming you have some reasonable
> justification for this, those should be minor issues.
>
> A number of basic VPN devices also exist, which may be less expensive
> or easier to deploy in some scenarios. Cisco has a few whitepapers on
> their Easy VPN series of gear, which you might find useful.
>
> Alternatively, for just the VPN aspect of things, all you really need
> is a basic PC running Linux; all the VPN and IPsec stuff you might
> want is there for free. You'll have to determine if that meets your
> service level goals, of course.
>
> A somewhat different, but often better, approach is to install
> firewalls at each site, and manage them centrally. You can still VPN
> inter-site traffic between the firewalls, but you don't have to bounce
> all internet traffic through the central site. With central
> management, you can usually set up one policy that's applied to all
> the firewalls.
Yeah, thank you. I was hoping to be able to avoid the added level of
complexity of a tunnel solution. I did reach the conclusion that that
very likely is the only way. Thanks very much for your time!