Multiple VPN connections

 
 
Jim Howes
Guest
Posts: n/a

 
      05-12-2009, 04:30 PM
I am looking for recommendations for an ADSL2+ capable router (line
speed currently 16Mbit) that will permit external access to two remote
users simultaneously. One on a continuous basis, and one on an ad-hoc
basis.

The continuous access is currently achieved by forwarding ports 500 and
4500 to an internal IP address, at which sits a Cisco 800-series router,
which connects a number of wireless hotspots, which are part of The
Cloud's wireless network. They provide wireless access to guests at a
hotel. (Despite all logic suggesting that this should be an outbound
connection, it doesn't work without the port forwarding, which is weird.
I do not manage, or have any control of the Cisco box)

The second, ad-hoc, connection is for remote access support for the
hotel front-of-house software, which is achieved by 'Microsoft VPN'. I
admit, I don't know what Microsoft VPN is, and am assuming that it is a
normal VPN made significantly less secure, but I suspect it may also
require the use of the two ports previously mentioned.

If this is the case, I need to forward incoming connections on those
ports based on the source address, so if the connection comes from
A.B.C.D, forward to internal address X.Y.Z.Q, otherwise forward to
X.Y.Z.P - Something easily achievable via IPtables from the command
line of any linux box, but not something previously done by me, because
I have never really got into virtual private networks, because SSH works
so well.

Any particular ideas for routers that can implement this cleanly,
without otherwise SNAFU'ing what is otherwise a normal NAT'd single-IP
broadband connection?

Another alternative I have got is to forward the ports to one of the
various linux boxes currently doing menial tasks like internal DNS,
Squid proxies, equipment monitoring, and file and SQL serving, and let
its IPtables take care of it, but there must be an easier way.

Jim
 
 
 
 
 
Gordon Henderson
Guest
Posts: n/a

 
      05-12-2009, 04:39 PM
In article <4a09a415$0$517$(E-Mail Removed)>,
Jim Howes <(E-Mail Removed)> wrote:
>I am looking for recommendations for an ADSL2+ capable router (line
>speed currently 16Mbit) that will permit external access to two remote
>users simultaneously. One on a continuous basis, and one on an ad-hoc
>basis.


Draytek 2820?

It has native PPTP server support to allow remote users access to the LAN.

They're not cheap though, but do generally work.. (Typically £130)

>The continuous access is currently achieved by forwarding ports 500 and
>4500 to an internal IP address, at which sits a Cisco 800-series router,
>which connects a number of wireless hotspots, which are part of The
>Cloud's wireless network. They provide wireless access to guests at a
>hotel. (Despite all logic suggesting that this should be an outbound
>connection, it doesn't work without the port forwarding, which is weird.
> I do not manage, or have any control of the Cisco box)


You may still have to do this though. (ie the port forwarding)

>The second, ad-hoc, connection is for remote access support for the
>hotel front-of-house software, which is achieved by 'Microsoft VPN'. I
>admit, I don't know what Microsoft VPN is, and am assuming that it is a
>normal VPN made significantly less secure, but I suspect it may also
>require the use of the two ports previously mentioned.


It's probably PPTP as that's fairly standard in the MS world.

>If this is the case, I need to forward incoming connections on those
>ports based on the source address, so if the connection comes from
>A.B.C.D, forward to internal address X.Y.Z.Q, otherwise forward to
>X.Y.Z.P - Something easily achievable via IPtables from the command
>line of any linux box, but not something previously done by me, because
>I have never really got into virtual private networks, because SSH works
>so well.


You may be confusing port forwarding with VPNs - you don't generally
need to port-forward with a VPN.

However a remote VPN user may have full access to all hosts on the LAN
without additional firewalling...

>Any particular ideas for routers that can implement this cleanly,
>without otherwise SNAFU'ing what is otherwise a normal NAT'd single-IP
>broadband connection?


Work out if you really need a VPN or just port forwarding. You may
find that the remote support people expect to VPN directly into the MS
server(s) in which case you may need to allow VPN pass-through, but you
can firewall remote VPN connections to an IP address.

>Another alternative I have got is to forward the ports to one of the
>various linux boxes currently doing menial tasks like internal DNS,
>Squid proxies, equipment monitoring, and file and SQL serving, and let
>its IPtables take care of it, but there must be an easier way.


Do it in the router..

Gordon
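
Added example, not part of either post above: the source-based forwarding from the first post and the "firewall remote VPN connections to an IP address" suggestion from the reply, written as a script that prints iptables rules without applying them. It goes beyond the thread by also covering the PPTP case (TCP 1723 plus GRE); the interface name and all addresses are constructed placeholders standing in for A.B.C.D, X.Y.Z.Q and X.Y.Z.P.

```shell
#!/bin/sh
# Prints (does not apply) iptables rules; review them, then run as root.
# All addresses are constructed placeholders, not values from the thread.
WAN_IF="ppp0"               # assumed WAN interface name
SUPPORT_SRC="203.0.113.10"  # stands in for A.B.C.D (remote support)
SUPPORT_DST="192.168.1.20"  # stands in for X.Y.Z.Q (front-of-house server)
DEFAULT_DST="192.168.1.2"   # stands in for X.Y.Z.P (the Cisco 800)

# IPsec case: IKE (UDP 500) and NAT-T (UDP 4500) split by source address.
# PREROUTING is evaluated top-down and the first matching DNAT wins, so the
# source-specific rule must precede the catch-all.
emit_ipsec_rules() {
    for port in 500 4500; do
        echo "iptables -t nat -A PREROUTING -i $WAN_IF -p udp --dport $port -s $SUPPORT_SRC -j DNAT --to-destination $SUPPORT_DST"
        echo "iptables -t nat -A PREROUTING -i $WAN_IF -p udp --dport $port -j DNAT --to-destination $DEFAULT_DST"
        # FORWARD sees the packet after DNAT, so match the rewritten destination.
        echo "iptables -A FORWARD -i $WAN_IF -p udp --dport $port -s $SUPPORT_SRC -d $SUPPORT_DST -j ACCEPT"
        echo "iptables -A FORWARD -i $WAN_IF -p udp --dport $port -d $DEFAULT_DST -j ACCEPT"
    done
}

# PPTP case: control channel on TCP 1723 plus GRE (IP protocol 47).
# These do not collide with UDP 500/4500, so no source split is needed;
# the -s match only limits who may reach the server.
emit_pptp_rules() {
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport 1723 -s $SUPPORT_SRC -j DNAT --to-destination $SUPPORT_DST"
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -p 47 -s $SUPPORT_SRC -j DNAT --to-destination $SUPPORT_DST"
    echo "iptables -A FORWARD -i $WAN_IF -p tcp --dport 1723 -s $SUPPORT_SRC -d $SUPPORT_DST -j ACCEPT"
    echo "iptables -A FORWARD -i $WAN_IF -p 47 -s $SUPPORT_SRC -d $SUPPORT_DST -j ACCEPT"
}

# Replies to forwarded connections.
emit_return_rule() {
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

emit_ipsec_rules
emit_pptp_rules
emit_return_rule
```

Only one of the two cases is needed for the support connection, depending on which protocol the "Microsoft VPN" turns out to use.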
 
 
Jim Howes
Guest
Posts: n/a

 
      05-12-2009, 04:48 PM
Gordon Henderson wrote:
> Draytek 2820?
>
> It has native PPTP server support to allow remote users access to the LAN.


Very nice, but no ADSL modem built in. Presumably there is another
model with ADSL2+ available, (wireless is not a requirement, nor is a
second WAN)

Jim

 
 
FlyerUK
Guest
Posts: n/a

 
      05-12-2009, 06:44 PM

"Jim Howes" <(E-Mail Removed)> wrote in message
news:4a09a869$0$517$(E-Mail Removed)...
> Gordon Henderson wrote:
>> Draytek 2820?
>>
>> It has native PPTP server support to allow remote users access to the
>> LAN.

>
> Very nice, but no ADSL modem built in. Presumably there is another
> model with ADSL2+ available, (wireless is not a requirement, nor is a
> second WAN)
>
> Jim
>


beg to differ Jim, my 2820n has ADSL2 built in...if it didn't, I wouldn't
be posting this ;-)

P.


 
 
Graham J
Guest
Posts: n/a

 
      05-12-2009, 07:03 PM

"Jim Howes" <(E-Mail Removed)> wrote in message
news:4a09a869$0$517$(E-Mail Removed)...
> Gordon Henderson wrote:
>> Draytek 2820?
>>
>> It has native PPTP server support to allow remote users access to the
>> LAN.

>
> Very nice, but no ADSL modem built in. Presumably there is another
> model with ADSL2+ available, (wireless is not a requirement, nor is a
> second WAN)


My V2820 has an ADSL modem built-in. This may be limited to 8Mbit/sec, and
you might be able to get more from your ISP. In which case a V2910 with an
external modem will do the job. Probably more cheaply than Cisco ...

--
Graham J










 
 
FlyerUK
Guest
Posts: n/a

 
      05-12-2009, 09:37 PM

"Graham J" <(E-Mail Removed)> wrote in message
news:4a09c7e0$0$2537$(E-Mail Removed)...
>
> "Jim Howes" <(E-Mail Removed)> wrote in message
> news:4a09a869$0$517$(E-Mail Removed)...
>> Gordon Henderson wrote:
>>> Draytek 2820?
>>>
>>> It has native PPTP server support to allow remote users access to the
>>> LAN.

>>
>> Very nice, but no ADSL modem built in. Presumably there is another
>> model with ADSL2+ available, (wireless is not a requirement, nor is a
>> second WAN)

>
> My V2820 has an ADSL modem built-in. This may be limited to 8Mbit/sec,
> and you might be able to get more from your ISP. In which case a V2910
> with an external modem will do the job. Probably more cheaply than Cisco
> ...


my 2820n is currently pulling 15megabits/sec from BeThere ;-)

P.


 
 
Jim Howes
Guest
Posts: n/a

 
      05-13-2009, 09:21 AM
Andy Burns wrote:
> Jim Howes wrote:
>
>> Gordon Henderson wrote:
>>> Draytek 2820?
>>>
>>> It has native PPTP server support to allow remote users access to the
>>> LAN.

>>
>> Very nice, but no ADSL modem built in. Presumably there is another
>> model with ADSL2+ available, (wireless is not a requirement, nor is a
>> second WAN)

>
> All the Vigor 2820 models have ADSL2+ built in, you can choose models
> with/without WiFi, with/without voice ports, if you don't need 2nd WAN
> (3G over USB or another ADSL via USB modem) then just don't use it.


Aha, dabs.com are lacking that information. Thank you.
 
 
 
 