Jeff L. -- networking question -- slightly OT

 
 
Bob
02-18-2006, 08:57 AM
Jeff,

I want to connect 2 wired networks securely via the internet and am
considering VPN routers. I realize "wired" is sl. OT, but believe you
can help with this question. One network receives internet access via
ADSL, while the other uses wireless broadband. A dry line is not an
option in my location.

Both networks are wired, and at different locations. Both networks
have Win'ME, W2K, and Win'XP machines, as well as both print servers
and printer sharing via connected computers. I would like to connect
the 2 networks so that they will appear as one large network.

When connecting machines on the 2 networks, I would want the
internet connection to be secure, and I'd like to avoid additional
software, so I am thinking routers that have built-in VPN (VPN
end-points?). I need to completely restrict internet access on some of
the machines, but continue to allow full local LAN connectivity (those
machines would not necessarily need to connect to the other portion of
the network (via VPN or otherwise)).

I would need 8 or fewer LAN ports on each router, and would only need
2 or 3 simultaneous VPN connections between the 2 networks.

Your thoughts and opinions on proper hardware would be appreciated.
I've found a number of routers that appear to be appropriate, but I
have very limited personal knowledge of these particular routers and
would like some pointers in the right direction. Even though the
internet connections top out at around 1.5 Mbps down/ 768Kbps up, I
would like to find appropriate routers with the highest throughput.

Many thanks,

Bob Clark
 
Jeff Liebermann
02-18-2006, 06:48 PM
Bob <(E-Mail Removed)> hath wroth:

>Jeff,


Don't do that. If the question is interesting and I have time, I'll
answer. Sticking my name in the subject is like saying you don't want
input from anyone else.

Slightly off topic? More like way far off topic.

>I want to connect 2 wired networks securely via the internet and am
>considering VPN routers. I realize "wired" is sl. OT, but believe you
>can help with this question. One network receives internet access via
>ADSL, while the other uses wireless broadband.


What are the speeds in both directions? Apparently the ADSL is
1500/768Kbit/sec. What's the wireless speed? The reason I ask is
that your performance is limited by the slowest speed.

>I would like to connect
>the 2 networks so that they will appear as one large network.


That's exactly what a VPN does.

>When connecting machines on the 2 networks, I would want the
>internet connection to be secure,


Most VPNs use either PPTP or IPSec encryption. IPSec is more secure,
but also more complex to set up.

>and I'd like to avoid additional
>software,


Microsloth likes to terminate their VPNs in their servers. Not
recommended.

>so I am thinking routers that have built-in VPN, (VPN
>end-points?)


Yep. Router to router makes the system transparent without screwing
around with anything on the LAN. However, there's a not so small
requirement. Your two networks MUST be on different Class C IP
blocks. If one end is running 192.168.1.xxx, then the other should be
on 192.168.2.xxx. (with a netmask of 255.255.255.0). Some routers
will work with identical network blocks but you must be very careful
not to duplicate IP's and you'll find some oddities.

>I need to completely restrict internet access on some of
>the machines, but continue to allow full local LAN connectivity (those
>machines would not necessarily need to connect to the other portion of
>the network (via VPN or otherwise).


That's a different issue. Just make sure that the router has a MAC or
IP address filter and you block access. Where it gets sticky is
trying to block access to the other side of the VPN but allow internet
access for a given client computah. It's not possible because they
use the same gateway IP.

>I would need 8 or fewer LAN ports on each router, and would only need
>2 or 3 simultaneous VPN connections between the 2 networks.


With a router to router VPN connection, there is only one connection.
However, you may want to have mobile clients on the internet connect
to the VPN from outside. That will require additional connections.
Most boxes will do 5 or 10. Check the specs.

>Your thoughts and opinions on proper hardware would be appreciated.
>I've found a number of routers that appear to be appropriate, but I
>have very limited personal knowledge of these particular routers and
>would like some pointers in the right direction.


That's easy. SonicWall and NetScreen. Both are expensive as in $500
and up for each end. Worth the price, methinks. I've used much
cheaper Linksys BEFVP41 VPN routers and was not thrilled.

http://www.sonicwall.com/products/tz170.html
http://www.sonicwall.com/support/tz1...mentation.html

http://www.sonicwall.com/support/pdf...sonicwalls.pdf

http://www.juniper.net/products/inte...s_5series.html
http://www.juniper.net/products/inte...eet/110002.pdf

>Even though the
>internet connections top out at around 1.5 Mbps down/ 768Kbps up, I
>would like to find appropriate routers with the highest throughput.


Sorry. I don't have any benchmarks.

--
Jeff Liebermann (E-Mail Removed)
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
 
 
Bob
02-18-2006, 09:32 PM
>What are the speeds in both directions? Apparently the ADSL is
>1500/768Kbit/sec. What's the wireless speed? The reason I ask is
>that your performance is limited by the slowest speed.


Wireless is 1300/650 Kbit/sec.

>That's easy. SonicWall and NetScreen. Both are expensive as in $500
>and up for each end. Worth the price, methinks. I've used much
>cheaper Linksys BEFVP41 VPN routers and was not thrilled.


I had looked at SonicWall, hadn't seen the NetScreen. I wondered
about the Linksys, and I think you've answered that question. Do you
have any knowledge of the Netgear VPN routers? Are they in the same
category as the Linksys? However, the $500 price tag at each end for
the SonicWall would not be prohibitive in this particular application.

>That's a different issue. Just make sure that the router has a MAC or
>IP address filter and you block access. Where it gets sticky is
>trying to block access to the other side of the VPN but allow internet
>access for a given client computah. It's not possible because they
>use the same gateway IP.


If I understand you correctly, this won't be a problem. On the
machines that I need to block internet access, they need to be able to
see and be seen on the "local" LAN, but they would not need to access
or be accessed by the "remote" LAN. The unblocked machines would need
local LAN access, internet access, and access to the remote LAN.
Would MAC filtering allow this? Could a NAS device be configured to
allow it to be accessed both locally and remotely?

For that matter, if there is any appropriate software available, I
could dedicate one of the old hangar queen computahs to routing
duties, if a 600 MHz P3 would be fast enough to not restrict
throughput.

>Don't do that. If the question is interesting and I have time, I'll
>answer. Sticking my name in the subject is like saying you don't want
>input from anyone else.


I understand. However, after months of lurking, I've found your
answers in areas that you are familiar with to be both informative and
concise, and that isn't meant to demean any of the other knowledgeable
posters on this group.

Thanks for your time,

Bob Clark


 
 
Jeff Liebermann
02-19-2006, 01:25 AM
Bob <(E-Mail Removed)> hath wroth:

>Wireless is 1300/650 Kbit/sec.


It's going to run at the 650Kbit/sec speed. With layers of
encapsulation and encryption, even slower.

>Do you
>have any knowledge of the Netgear VPN routers?


Yes. They have a line of VPN routers. I haven't done much with them.
The customers that pay me to set up their VPN pretzel want it to work
out of the box, the first time, and without any subsequent surprises.
One hiccup and the cost is far more than the cost of the routers. They
are perfectly willing to pay for the best to avoid problems.
Therefore, I avoid the cheapo routers. If you like to try Netgear, I
suggest you look at some of the VPN problems in the Netgear forums at:
http://forum1.netgear.com/support/viewforum.php?f=4
I did, and did not like the large number of post installation
problems.

>Are they in the same category as the Linksys?


Well, Netgear does have a rather solid looking metal box. Linksys is
plastic. Other than that, methinks they're about the same.

>However, the $500 price tag at each end for
>the SonicWall would not be prohibitive in this particular application.


Do the math. Pretend you have a failure of some sort a few months
downstream. What would you charge to troubleshoot and fix it? What
will it cost the company in lost productivity? One of my former
customers carried computer downtime insurance because failures were so
costly.

>If I understand you correctly, this won't be a problem. On the
>machines that I need to block internet access, they need to be able to
>see and be seen on the "local" LAN, but they would not need to access
>or be accessed by the "remote" LAN. The unblocked machines would need
>local LAN access, internet access, and access to the remote LAN.
>Would MAC filtering allow this?


You missed the important issue. I can't block any machine from
getting to the remote LAN without also blocking its access to the
internet.

>Could a NAS device be configured to
>allow it to be accessed both locally and remotely?


The NAS boxes I've played with do not have an ACL (access control
list). They rely on the Windoze DC (domain controller) or AD (active
directory) to deal with access issues. They may have local passwords
for shares and directories but there's no means of filtering by IP
address. You could stuff a router (with NAT disabled) between the
NAS box and rest of the LAN, and control access using the router
configs.

Incidentally, I've been playing with Buffalo Linkstation NAS boxes.
Wonderful product. I've been furiously replacing SAMBA and Windoze
servers with NAS for customers that don't run applications on the
server.
http://www.buffalotech.com/products/...&categoryid=16

>For that matter, if there is any appropriate software available, I
>could dedicate one of the old hangar queen computahs to routing
>duties, if a 600 MHz P3 would be fast enough to not restrict
>throughput.


I use Freesco for a Linux-based router. WAN-LAN throughput of my PII/450
with a pair of Pro100 cards is about 35Mbit/sec with a mess of filter
rules.
http://www.freesco.org

--
Jeff Liebermann (E-Mail Removed)
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
 
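Jeff makes two addressing and filtering points in his 02-18-2006 reply and again in this one: the two LANs must not share an address block, and a per-host block at the router stops both tunnel and internet traffic because every packet leaving the LAN goes through the same gateway, while local traffic never reaches the router at all. The example below is added here and is not code from the thread or from any router vendor; it models that router behaviour with Python's ipaddress module, using the 192.168.1.0/24 and 192.168.2.0/24 blocks Jeff mentioned, with host IPs and the block list constructed for illustration.

```python
import ipaddress

# Site address blocks from Jeff's post; the host IPs used below are constructed.
LOCAL_LAN = "192.168.1.0/24"
REMOTE_LAN = "192.168.2.0/24"


def site_subnets_ok(local_cidr: str, remote_cidr: str) -> bool:
    """True if a router-to-router VPN can join the two LANs: the blocks must
    be distinct, otherwise neither router can tell which site a destination
    such as 192.168.1.x lives on."""
    local = ipaddress.ip_network(local_cidr, strict=False)
    remote = ipaddress.ip_network(remote_cidr, strict=False)
    return not local.overlaps(remote)


def forward_decision(src_ip: str, dst_ip: str, local_cidr: str,
                     remote_cidr: str, gateway_blocked) -> str:
    """Where a packet from a LAN host ends up.
    gateway_blocked is the set of host IPs the router's IP/MAC filter drops.
    Returns 'local-switch', 'dropped', 'vpn-tunnel' or 'internet'."""
    local = ipaddress.ip_network(local_cidr, strict=False)
    remote = ipaddress.ip_network(remote_cidr, strict=False)
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    blocked = {ipaddress.ip_address(b) for b in gateway_blocked}
    if dst in local:
        return "local-switch"  # same subnet: switched, never passes the router
    if src in blocked:
        return "dropped"       # one gateway carries both tunnel and internet traffic
    if dst in remote:
        return "vpn-tunnel"    # routed into the site-to-site tunnel
    return "internet"


def policy_outcomes(host_ip: str, gateway_blocked) -> dict:
    """Summarise what one host can reach under a given block list
    (the three sample destinations are constructed)."""
    args = (LOCAL_LAN, REMOTE_LAN, gateway_blocked)
    return {
        "local": forward_decision(host_ip, "192.168.1.20", *args),
        "remote": forward_decision(host_ip, "192.168.2.5", *args),
        "internet": forward_decision(host_ip, "198.51.100.7", *args),
    }
```

A host on the block list keeps local access but loses both the remote LAN and the internet, which is exactly the policy Bob needs and also why "remote blocked, internet allowed" cannot be expressed with this one filter.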
 
Bob
02-19-2006, 02:57 AM
>You missed the important issue. I can't block any machine from
>getting to the remote LAN without also blocking its access to the
>internet.


I think we are saying the same thing, I'm just not expressing myself
very clearly. The machines that I want to completely block from the
internet do not need access to the remote LAN, nor does the remote LAN
need access to these particular machines. The blocked machines only
need access to the local LAN.

>Do the math. Pretend you have a failure of some sort a few months
>downstream. What would you charge to troubleshoot and fix it? What
>will it cost the company in lost productivity? One of my former
>customers carried computer downtime insurance because failures were so
>costly.


As I strongly suspected, the old rule of getting what you pay for still
applies.

>Incidentally, I've been playing with Buffalo Linkstation NAS boxes.
>Wonderful product. I've been furiously replacing SAMBA and Windoze
>servers with NAS for customers that don't run applications on the
>server.


Great food for thought. The VPN connect is my first priority, but
this NAS may be useful as well. The so-called networked programs that
we are using all run on the local machines, with the "server" only
hosting the data files. The main point of this whole endeavor is to
be able to run one of these particular programs off-site, while
accessing the onsite data files. If the NAS can be mapped as a
network drive, it should work. It sounds as though a NAS might be an
option for eliminating those times when a worker shuts down the wrong
computer.

Thanks for your time and the useful info,

Bob


 