Re: LAN access while VPN is up
From: Triffid (triffid_at_nebula.net)
Date: 11/03/05
- Next message: Somebody.: "Re: LAN access while VPN is up"
- Previous message: Jon Dowland: "Re: Connection to SonicWall VPN through Linux IPTABLES Firewall/Proxy"
- Maybe in reply to: Moe Trin: "Re: LAN access while VPN is up"
- Next in thread: Triffid: "Re: LAN access while VPN is up"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 02 Nov 2005 19:04:54 -0500
Somebody. wrote:
> "Triffid" <triffid@nebula.net> wrote in message
> news:vcV9f.4903$LF3.485510@news20.bellglobal.com...
>
>>
>>Moe Trin wrote:
>>
>>
>>>I know a person whose home network is 192.168.64.0/18 (192.168.64.0 -
>>>192.168.127.255) that has hosts on 192.168.x.255 (where x is 64 to 126)
>>>only. Perfectly normal - but anyone who sees it has a head explosion.
>>
>>Cute - so they look like broadcast addresses until you check the mask.
>
>
> One of my favorite tricks for grabbing an unused address on somebody
> else's LAN if it's an emergency and I can't get anyone that knows what
> addresses are free. Hardly anyone uses those addresses.
>
>
>>>>No such luxury here. I could create separate networks that only touch at
>>>>the Netscreen. However, it's a low-end model, so that involves switching
>>>>it to 'home/work mode' - which wipes the config so I get to start over
>>>>:-(
>
>
> That's true, but it's not a very big deal -- export it to text before the
> conversion and then you can cut and paste the pieces back into the new config
> via the command line. All you really have to do is search and replace the
> zone names to reflect the new ones.
Yes, I imagine taking that approach would speed things up, even if I
needed a couple of iterations to get it right. I have a goodly
collection of shell scripts we used for building and manipulating NS
configs before the company agreed to invest in NSM. I still run the one
that TFTPs the config daily and emails me if it's changed.
[snip]
> I missed the start of the thread, but home/work should work fine if you're
> trying to segregate from the kid's network. NS says you can't communicate
> between home/work but I've proven that wrong in the field -- however unless
> you *try*, it will indeed keep the networks separated. But home can't get
> on the VPN, so that is useful.
NS says:
"The Work and Home zones allow you to segregate users and resources in
each zone. In this mode, default policies allow traffic flow and
connections from the Work zone to the Home zone, but do not allow
traffic from the Home zone to the Work zone".
I understood you have full control of work -> home policy, but cannot
create home -> work policy. That would meet my needs; are you saying
that's not the case?
> However I've found a far more flexible option is to put in a FG60 for folks
> working at home with kids. You have separate interfaces (internal, DMZ,
> WAN1, WAN2) that can be arbitrarily configured any way you like (add in
> VLANS if you want to get crazy with zones) with total control over all
> traffic between all zones with multiple site-to-site VPNs. You can even
> block porn and other nefarious sites for the kids, AV all your mail and
> browse traffic, block whatever IMs you want, and put IPS on the works, block
> some adware, and log and track all the kids' browse and email traffic. For
> around $1K for hardware and the first year of subscriptions.
At roughly 4x what I have invested in the Netscreen, I would certainly
expect far more flexibility :-) However, I have my eye on a pair of 208s
that are likely to be swapped out soon...
Triffid
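The quoted vendor text describes the home/work default policy in terms of connection direction, not packet direction: Home cannot initiate to Work, yet replies to a Work-initiated session still flow back. The model below is an added illustration of that distinction, not NetScreen code or anything from the thread; the Work/Home zone names come from the page, the addresses are constructed, and treating any unlisted zone pair as deny is an assumption.

```python
from dataclasses import dataclass

# Zone names as used in the NetScreen home/work mode discussed above.
WORK, HOME = "Work", "Home"

# Default inter-zone policy from the quoted vendor text. Only connection
# initiation is checked against policy; replies in an established session
# are matched by session state. Unlisted zone pairs deny (assumption).
DEFAULT_POLICY = {(WORK, HOME): "permit", (HOME, WORK): "deny"}


@dataclass(frozen=True)
class Packet:
    src_zone: str
    src: str      # "ip:port", constructed sample values in demo()
    dst_zone: str
    dst: str


class ZoneFirewall:
    def __init__(self, policy=DEFAULT_POLICY):
        self.policy = policy
        self.sessions = set()   # (initiator, responder) pairs already permitted

    def handle(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.dst)
        # Either direction of a session that was permitted at initiation passes
        # without a new policy lookup; this is what lets Home answer Work.
        if key in self.sessions or (pkt.dst, pkt.src) in self.sessions:
            return "permit (established)"
        if pkt.src_zone == pkt.dst_zone:
            return "permit (intrazone)"
        verdict = self.policy.get((pkt.src_zone, pkt.dst_zone), "deny")
        if verdict == "permit":
            self.sessions.add(key)
        return verdict


def demo():
    fw = ZoneFirewall()
    # Constructed traffic: a Work PC opens a connection to a Home printer, the
    # printer replies, then a Home PC tries to open its own connection to Work.
    return [
        fw.handle(Packet(WORK, "10.1.1.10:40000", HOME, "10.2.2.20:9100")),
        fw.handle(Packet(HOME, "10.2.2.20:9100", WORK, "10.1.1.10:40000")),
        fw.handle(Packet(HOME, "10.2.2.21:50000", WORK, "10.1.1.10:22")),
    ]
```

The third packet is denied even though the second was permitted: the reply belongs to a Work-initiated session, while the third is a fresh Home-initiated one.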