Remote office sending Internet traffic through my location - TCP-IP


  1. Remote office sending Internet traffic through my location

    Hello, I am wondering if anyone can suggest a solution. This is the
    scenario:

    Have a huge public IP block. Would like to assign subnets of that to
    several remote offices. Obvious problem is that they are not behind
    my router, but I would like their internet traffic to go through it
    nonetheless. Is there even a way to do that?

  2. Re: Remote office sending Internet traffic through my location

    On Jan 22, 11:18 pm, f1f1 wrote:
    > Hello, I am wondering if anyone can suggest a solution. This is the
    > scenario:
    >
    > Have a huge public IP block. Would like to assign subnets of that to
    > several remote offices. Obvious problem is that they are not behind
    > my router, but I would like their internet traffic to go through it
    > nonetheless. Is there even a way to do that?



    Unless I'm misunderstanding your requirement, this is trivial. Just
    put a firewall at each remote site, plus one at the central site, and
    set up a VPN tunnel between each of the remote firewalls and the
    central one. Then make sure the routing and firewall rules are such
    that all traffic is forwarded to the central site.

    The resulting network *is* all behind your main firewall/router. The
    VPN happens to be physically using the Internet, but that's basically
    invisible to anyone in your network (except for the people configuring
    the VPN stuff, of course). You might as well have run a dedicated
    piece of wire to each remote office.

    You will need to deal with the usual reliability issues, as well as
    explaining the extra bandwidth costs to management, and extra delay in
    Internet access to the users, but presuming you have some reasonable
    justification for this, those should be minor issues.

    A number of basic VPN devices also exist, which may be less expensive
    or easier to deploy in some scenarios. Cisco has a few whitepapers on
    their Easy VPN series of gear, which you might find useful.

    Alternatively, for just the VPN aspect of things, all you really need
    is a basic PC running Linux, all the VPN and IPsec stuff you might
    want is there for free. You'll have to determine if that meets your
    service level goals, of course.

    A somewhat different, but often better, approach is to install
    firewalls at each site, and manage them centrally. You can still VPN
    inter-site traffic between the firewalls, but you don't have to bounce
    all internet traffic through the central site. With central
    management, you can usually set up one policy that's applied to all
    the firewalls.
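
The routing requirement in the reply above ("all traffic is forwarded to the central site"), modelled as an added example that is not code from any poster in this thread. The address ranges, site names and next-hop labels are constructed, and the host route for the VPN peer and the discard route for unallocated block space are additions the thread does not mention.

```python
import ipaddress as ip

# Constructed values (RFC 5737 documentation ranges), not taken from the thread.
BLOCK = ip.ip_network("198.51.100.0/24")       # the public block being split up
SITES = {"site-a": ip.ip_network("198.51.100.64/26"),
         "site-b": ip.ip_network("198.51.100.128/26")}
HUB_PEER = ip.ip_network("203.0.113.1/32")     # outer address of the central VPN endpoint
DEFAULT = ip.ip_network("0.0.0.0/0")


def check_allocation(block, sites):
    """Every site subnet must sit inside the block and overlap no other site."""
    items = list(sites.items())
    for i, (name, net) in enumerate(items):
        if not net.subnet_of(block):
            raise ValueError(f"{name}: {net} is outside {block}")
        for other, other_net in items[i + 1:]:
            if net.overlaps(other_net):
                raise ValueError(f"{name} overlaps {other}")
    return True


def lookup(table, dst):
    """Longest-prefix match over (network, next_hop) pairs."""
    addr = ip.ip_address(dst)
    hits = [(net, hop) for net, hop in table if addr in net]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


def spoke_routes(site_net, pin_peer=True):
    """Remote firewall: local LAN stays local, everything else enters the tunnel."""
    table = [(site_net, "lan"), (DEFAULT, "tunnel")]
    if pin_peer:
        # The encrypted outer packets still have to leave via the local ISP;
        # without this host route the tunnel tries to carry itself.
        table.append((HUB_PEER, "isp"))
    return table


def hub_routes(sites):
    """Central router: each site's public subnet is reached through its tunnel."""
    table = [(net, f"tunnel:{name}") for name, net in sites.items()]
    # Discard unallocated parts of the block rather than bouncing them upstream.
    table += [(BLOCK, "discard"), (DEFAULT, "upstream")]
    return table
```

Calling `spoke_routes(..., pin_peer=False)` and looking up the hub's outer address shows the failure mode: the tunnel's own packets resolve to the tunnel.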


  3. Re: Remote office sending Internet traffic through my location

    "robertwessel2@yahoo.com" writes:

    > Unless I'm misunderstanding your requirement, this is trivial.


    Agreed. I used to use stunnel. Now I use OpenVPN with my "ISP" to get
    a fixed IP address.



  4. Re: Remote office sending Internet traffic through my location

    On Jan 22, 10:25 pm, "robertwess...@yahoo.com" wrote:
    > On Jan 22, 11:18 pm, f1f1 wrote:
    >
    > > Hello, I am wondering if anyone can suggest a solution. This is the
    > > scenario:
    > >
    > > Have a huge public IP block. Would like to assign subnets of that to
    > > several remote offices. Obvious problem is that they are not behind
    > > my router, but I would like their internet traffic to go through it
    > > nonetheless. Is there even a way to do that?
    >
    > Unless I'm misunderstanding your requirement, this is trivial. Just
    > put a firewall at each remote site, plus one at the central site, and
    > set up a VPN tunnel between each of the remote firewalls and the
    > central one. Then make sure the routing and firewall rules are such
    > that all traffic is forwarded to the central site.
    >
    > The resulting network *is* all behind your main firewall/router. The
    > VPN happens to be physically using the Internet, but that's basically
    > invisible to anyone in your network (except for the people configuring
    > the VPN stuff, of course). You might as well have run a dedicated
    > piece of wire to each remote office.
    >
    > You will need to deal with the usual reliability issues, as well as
    > explaining the extra bandwidth costs to management, and extra delay in
    > Internet access to the users, but presuming you have some reasonable
    > justification for this, those should be minor issues.
    >
    > A number of basic VPN devices also exist, which may be less expensive
    > or easier to deploy in some scenarios. Cisco has a few whitepapers on
    > their Easy VPN series of gear, which you might find useful.
    >
    > Alternatively, for just the VPN aspect of things, all you really need
    > is a basic PC running Linux, all the VPN and IPsec stuff you might
    > want is there for free. You'll have to determine if that meets your
    > service level goals, of course.
    >
    > A somewhat different, but often better, approach is to install
    > firewalls at each site, and manage them centrally. You can still VPN
    > inter-site traffic between the firewalls, but you don't have to bounce
    > all internet traffic through the central site. With central
    > management, you can usually set up one policy that's applied to all
    > the firewalls.


    Yeah, thank you. I was hoping to be able to avoid the added level of
    complexity of a tunnel solution. I did reach the conclusion that that
    very likely is the only way. Thanks very much for your time!
