Re: Firewall for broadband connection

From: Leythos (void_at_nowhere.org)
Date: 11/17/04


Date: Wed, 17 Nov 2004 21:36:41 GMT

In article <419bb713$0$44076$5fc3050@dreader2.news.tiscali.nl>,
spamisnietleuk@hotmail.com says...
> <I cut the VPN and VNC explanation here>
>
> I now fully understand how it works. At least, I fully understand what You
> have explained (except for one detail, I'll ask that later on).
> I found two other devices that are available in a shop in the Netherlands
> which might be of interest. One cheaper than the Hotbrick, the other one a
> bit more expensive. They are from Linksys and can be seen on
> http://www.linksys.com/products/product.asp?grid=34&scid=29&prid=433 and
> http://www.linksys.com/products/product.asp?grid=34&scid=29&prid=607. Both
> have, if I have understood the things written there correctly, hardware
> support for VPN, i.e. a processor in the device that handles this. There are
> some tutorial-like things on their site, I am going to study them, same goes
> for the product manuals.

The BEFSX and BEFVP units support connections in IPSec mode between
their LAN side and another network's LAN side through the IPSec tunnel.
This means that once the WAN side has an internet connection you can
set up router to router IPSec tunnels inside the units that will let you
connect to the other network without the need for client type VPN
software / solutions.

These units can also connect their WAN ports to other types, but, if you
want a site-to-site VPN solution then you can use one at each location
with a tunnel connected between them - using each device to tunnel to
the other.

One thing to remember, these units don't like doing IPSec over a Dynamic
WAN IP Address. No matter how you configure it, unless there is constant
traffic between each side and the other, they will time-out and not
reconnect until traffic starts again. One other thing - when using them
with Dynamic WAN addresses, the renegotiating period (time it takes to
rebuild the tunnel) is very long (30+ seconds), with a fixed IP on each
WAN port it's almost not noticeable.

> One thing I still do not understand is the following (if You could throw
> just a little light on it, it would be very nice, even though I might find
> out about it when studying all those texts). Suppose my father's computer is
> turned on and online on the internet, having an IP address I do not know. I
> want to make some adjustments on his computer, so I go online as well. We
> both have routers with hardware VPN-capability (so not his computer has the
> important IP-address I do not know, but his router has)(You see, I have
> understood that)(his computer has an IP address given to him by the
> DHCP-server in the router). I go online and my router also gets an IP
> address. How do those two routers manage to find each other? Do they do
> portscans on a lot of computers to pick out their "brother/sister"? Or do we
> have to "help" them by telling them the addresses?

You've got two things here:

1 WAN Port on Router A - gets IP from ISP's DHCP Service - this will
change and you have no way to pre-determine what it will be

2 LAN Port on Router A - provides dynamic addresses to nodes behind the
router. Again, you have no way to pre-determine what address will be
assigned to a specific node. If you are going to provide external (From
the Internet) access to a node, you must give that node a fixed IP in the same
network as the other nodes. As an example, the normal DHCP from Linksys
is 192.168.0.100~199, you could set the fixed node as 192.168.0.10. This
would allow you to reach the internal node at .10 once you created a
FORWARDING RULE that does FORWARD TCP/UDP PORT XXXXX to 10.

The same is true on the other router.

One thing, make sure that you don't use the default IP network on either
router - security thing here.

Make sure that you use DIFFERENT IP Networks on each router - meaning
that you can make LAN on Router A - 192.168.10.0 with 255.255.255.0 and
LAN on Router B - 192.168.20.0 with 255.255.255.0. When you do the IPSec
tunnels between networks you'll be glad you did it that way.

If you want to do a Windows XP PPTP connection to your Dad's computer,
then you need a couple other things:

Set up an INBOUND PPTP VPN in the START/SETTINGS/Network Connections/New
Connection Wizard on his side. Then you have to FORWARD the PPTP ports
from his router to his computer: Linksys has a document on how to do
this
http://linksys.custhelp.com/cgi-bin/linksys.cfg/php/enduser/entry.php

Enter PPTP in the SEARCH box, and select ANSWER ID 737 Setting up a PPTP
server behind a Linksys Router.

On your end, you need to do a VPN setup in the Network Connections also,
but you are going to pick something like "Connect to my network at
work".

Now, the kicker here - you have to know his PUBLIC IP Address in order
to connect. You can use Dynamic DNS to register your IP with a name, but
I've not done that since I have multiple fixed IPs to use.

If you have any more questions, please let me know.

-- 
spamfree999@rrohio.com
(Remove 999 to reply to me)
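
An added example, not part of the original post: a pre-flight check of the addressing advice above (non-default LAN, different networks on each router, fixed node outside the DHCP pool) before building a router-to-router IPSec tunnel. The function names, the site dictionaries and the 192.168.1.0/24 default entry are assumptions made for the illustration.

```python
import ipaddress

# 192.168.0.0/24 is the default the post mentions; 192.168.1.0/24 is added
# here as an assumption about other factory defaults.
DEFAULT_LANS = [ipaddress.ip_network("192.168.0.0/24"),
                ipaddress.ip_network("192.168.1.0/24")]

def check_site(name, lan, dhcp_first, dhcp_last, fixed_hosts):
    """Return a list of problems with one router's LAN plan."""
    net = ipaddress.ip_network(lan)
    lo, hi = ipaddress.ip_address(dhcp_first), ipaddress.ip_address(dhcp_last)
    problems = []
    if any(net.overlaps(d) for d in DEFAULT_LANS):
        problems.append(f"{name}: {net} is a factory-default network")
    if lo not in net or hi not in net or lo > hi:
        problems.append(f"{name}: DHCP pool {lo}-{hi} does not fit in {net}")
    for host in map(ipaddress.ip_address, fixed_hosts):
        if host not in net or host in (net.network_address, net.broadcast_address):
            problems.append(f"{name}: fixed host {host} is not usable in {net}")
        elif lo <= host <= hi:
            # A forwarding rule must point at an address DHCP will never hand out.
            problems.append(f"{name}: fixed host {host} is inside the DHCP pool")
    return problems

def check_tunnel(site_a, site_b):
    """Check both sites, then that the two LANs are different networks."""
    problems = check_site(**site_a) + check_site(**site_b)
    a = ipaddress.ip_network(site_a["lan"])
    b = ipaddress.ip_network(site_b["lan"])
    if a.overlaps(b):
        problems.append(f"{a} and {b} overlap: the far LAN cannot be routed through the tunnel")
    return problems

# Constructed sample plans: the layout suggested in the post, and a bad one.
GOOD_A = dict(name="Router A", lan="192.168.10.0/24", dhcp_first="192.168.10.100",
              dhcp_last="192.168.10.199", fixed_hosts=["192.168.10.10"])
GOOD_B = dict(name="Router B", lan="192.168.20.0/24", dhcp_first="192.168.20.100",
              dhcp_last="192.168.20.199", fixed_hosts=["192.168.20.10"])
BAD_A = dict(name="Router A", lan="192.168.0.0/24", dhcp_first="192.168.0.100",
             dhcp_last="192.168.0.199", fixed_hosts=["192.168.0.150"])
BAD_B = dict(name="Router B", lan="192.168.0.0/24", dhcp_first="192.168.0.100",
             dhcp_last="192.168.0.199", fixed_hosts=["192.168.0.10"])

if __name__ == "__main__":
    for problem in check_tunnel(BAD_A, BAD_B):
        print(problem)
```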

