#1
There are 2 LANs: LAN1 and LAN2.

Both LANs are connected to internet by ADSL.

Connection is protected by severe firewalls.

I want to connect PC1 in LAN1 to PC2 in LAN2 using HTTP and an external dedicated server (with static IP) mounting Linux.

The external dedicated server should store packets sent by PC1 to PC2 locally and send them to PC2 on request by PC2, and vice versa.

Slow connection speed is not a problem.

I'd like to know:

1. if this can be done (I am pretty confident about this point)

2. if it has already been done, using which software

Thank you

Peppe Polpo
peppepolpo
#2
On 10 Feb 2006 12:54:29 -0800, peppepolpo <(E-Mail Removed)> wrote:

> there are 2 LANs: LAN1 and LAN2.
>
> Both LANs are connected to internet by ADSL.
>
> Connection is protected by severe firewalls.
>
> I want to connect PC1 in LAN1 to PC2 in LAN2 using HTTP and an external
> dedicated server (with static IP) mounting Linux.
>
> The external dedicated server should store packets sent by PC1 to PC2
> locally and send them to PC2 on request by PC2, and vice versa.
>
> Slow connection speed is not a problem.
>
> I'd like to know:
>
> 1. if this can be done (I am pretty confident about this point)
>
> 2. if it has already been done, using which software

Probably using ssh port forwarding through whatever ports are allowed by the firewalls (80?).

Do you have any control over the firewalls?

If not, do you care that you might (lose your job|be expelled from your school) for circumventing those firewalls?

--
I wonder if I should put myself in ESCROW!!
#3
> Probably using ssh port forwarding through whatever ports are allowed by
> the firewalls (80?).

As far as I know all calls originated from outside the firewalls are blocked.

> Do you have any control over the firewalls?

No.

> If not, do you care that you might (lose your job|be expelled from your school) for circumventing those firewalls?

No such danger. I have full support of the "authorities in charge".

Peppe
#4
peppepolpo wrote:

> > Probably using ssh port forwarding through whatever ports are allowed by
> > the firewalls (80?).
>
> as far as I know all calls originated from outside the firewalls are
> blocked
>
> > Do you have any control over the firewalls?
>
> no

Well, that would seem to eliminate any tunnels or ssh using a port that is "shared" with any other protocols. You could try making a tunnel "around/through" the FWs, but those admins will not like it (even if they know about it) and you can never know when/how it might get broken.

I take it powers-that-be and you are comfortable allowing port 80 SYNs out and the response back in.

> > If not, do you care that you might (lose your job|be expelled from your school) for circumventing those firewalls?
>
> no such a danger. I have full support of the "authorities in charge".

This is how I understand your possible/allowed setup (fixed font ascii):

    +------------------------------------------------+
    |                                                |
    |                    INTERNET                    |
    |                                                |
    +------------------------------------------------+
         |                                     |
         |                                     |
         |                                     |
        FW1-----DMZ                           FW2
         |       |                             |
         |   DEDICATED LINUX                   |
         |   (HTTP SERVER?)                    |
        LAN1                                  LAN2
         |                                     |
         |                                     |
        PC1                                   PC2

Thus both FW1 and FW2 will allow connections out (SYN) on port 80 and will allow the response back in to the requesting host.

The Linux box with a static (public?) IP will act as an http "courier" by storing PUTs from either PC1 or PC2 and allowing GETs from PC1 and PC2 (only?). You probably don't want to rely on in-memory storage, so PUTs will write to disk. GETs will fetch from disk.

Sounds like you just need a lightweight http server on a minimal, hardened and access controlled (firewalled) Linux box. You could implement further acls within the http server and use SSL/TLS if the data needs to be encrypted.

Software is handy, well understood by everyone, and setup will only deviate from a standard one if you need to impose acls. Probably requires no change on FWs except a route/forwarding entry on FW1 to Linux box. A switch in front of FW1 would even eliminate that if Linux box has a public IP.

It's clunky and certainly not transparent from either PC1 or PC2 -- i.e., all "shared" communications will go through Linux server and will be quite obvious. Without control of the firewalls I don't see how you can readily get around this. May be useful to be explicit anyway (hopefully) as there is less chance that it holds surprises for anyone.

This can be a pretty bare bones http server or you could use something like Zope (just the basic setup without any add-ons) if you need something more sophisticated. Even Apache with all its bells and whistles is overkill for something like this. Zope is too, but is pretty easy to set up for such a basic purpose and adds fine grained acls, server side code, and db storage of data rather than numerous files lying about.

In any case, I would be inclined to use an http server on the dedicated Linux box. Will something like this suit your needs or were you hoping for something more "transparent"?

cheers,
prg
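The HTTP courier described in post #4, sketched as an added example (not part of the original thread or any poster's code): PUTs are authenticated against a per-host ACL and written to disk, and a GET returns only the caller's own queued messages. The host names, tokens, `X-Host`/`X-Token` headers, size limit and port are assumptions for illustration; TLS is left to a front end.

```python
import hmac, itertools, pathlib, tempfile
from http.server import BaseHTTPRequestHandler, HTTPServer

SPOOL = pathlib.Path(tempfile.mkdtemp(prefix="courier-"))  # 0700 dir; PUTs go to disk
TOKENS = {"pc1": "constructed-token-1", "pc2": "constructed-token-2"}  # constructed ACL
MAX_BODY = 64 * 1024                    # assumed per-message size limit
SEQ = itertools.count()                 # arrival order within this run

def caller_of(headers):                 # host name if its token matches the ACL, else None
    host, token = headers.get("X-Host"), headers.get("X-Token", "")
    expected = TOKENS.get(host)
    ok = expected is not None and hmac.compare_digest(expected.encode(), token.encode())
    return host if ok else None

def store(sender, recipient, body):     # queue body for recipient; False if rejected
    names_ok = sender in TOKENS and recipient in TOKENS and sender != recipient
    if not names_ok or not 0 < len(body) <= MAX_BODY:
        return False
    name = "%s-%012d-%s" % (recipient, next(SEQ), sender)  # ACL keys only, never raw URL text
    tmp = SPOOL / ("." + name)          # write hidden, then rename atomically
    tmp.write_bytes(body)
    tmp.rename(SPOOL / name)
    return True

def fetch(recipient):                   # return and delete the oldest queued message, or None
    queued = sorted(SPOOL.glob(recipient + "-*"))
    if not queued:
        return None
    data = queued[0].read_bytes()
    queued[0].unlink()
    return data

class Courier(BaseHTTPRequestHandler):
    def do_PUT(self):                   # PUT /<recipient>
        caller, cl = caller_of(self.headers), self.headers.get("Content-Length", "")
        n = int(cl) if cl.isdigit() else 0
        ok = bool(caller) and n <= MAX_BODY and store(caller, self.path.strip("/"), self.rfile.read(n))
        self.send_response(204 if ok else 403)
        self.end_headers()

    def do_GET(self):                   # GET / returns only the caller's own mail
        caller = caller_of(self.headers)
        data = fetch(caller) if caller else None
        self.send_response(403 if not caller else 200 if data else 204)
        self.end_headers()
        self.wfile.write(data or b"")

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), Courier).serve_forever()
```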
#5
The project you exposed seems exactly what I have in mind.

I found several applications in sourceforge that - if I understand well (I am no network expert) - do the tunnel/bridge/forwarding (many names are used).

Also, I found a company that - for a very reasonable fee - provides exactly the service I need, with the "transpond" server, the client software and all.

As I don't have much time to set up and test my own dedicated server, I guess I will choose the service they offer.

Thank you for your suggestions.

Peppe