Routing and VPN troubles...

From: Mitch (bitblock) (mitch_at_bitblock.com)
Date: 05/01/04

  • Next message: Artyom V. Viklenko: "Re: Routing and VPN troubles..."
    To: freebsd-net@freebsd.org, freebsd-isp@freebsd.org
    Date: Fri, 30 Apr 2004 15:30:42 -0700

    There are about 1000 different lists - hope this is the right two - if
    not, any suggestions welcome!

    The crux of my problem, is that I need to configure a VPN network in a
    star - one central node, many outside nodes... easy right?

    The problem is that I need the individual "rays" or "spokes" to be able to
    communicate with each other SELECTIVELY.

    I've tried to get this config working with BSD boxes - I have about 50
    spokes to deal with right now and that number will hopefully grow....

    I've been looking at the two problems separately, but I'll describe the
    whole mess, and then hope you are more inspired than I am.

    PC1 (192.168.1.10)<--\
    PC2 (192.168.1.11)<-->(192.168.1.1)FBSD 1(10.1.1.2)<-->ADSL<------\
                                                                      |
    PC3 (192.168.2.10)<--\                                            |
    PC4 (192.168.2.11)<-->(192.168.2.1)FBSD 2(10.1.1.3)<-->ADSL<----\ |
                                                                    | |
    PC5 (192.168.3.10)<--\                                          | |
    PC6 (192.168.3.11)<-->(192.168.3.1)FBSD 3(10.1.1.4)<-->ADSL<--\ | |
                                                                  | | |
                                                               <--/ / /
             INTERNET <---> (SOME PUBLIC IP) FBSD 4 (10.1.1.1) <---/ /
                                                               <----/

    In actual fact, the 10.1.1.X addresses are all public addresses on a subnet.
    PC1 and PC2 need full access to PC3 - 6.
    PC3 needs access to certain ports on PC 5.

    That is the essence of the firewalling / port filtering of the VPN - like
    can I treat the virtual VPN interfaces as normal interfaces for purposes of
    writing firewall rules?

    Second problem. To do this, 10.1.1.2 and 10.1.1.3 need to communicate with
    10.1.1.4 to set up these VPNs. The problem is that we have ADSL over ATM.
    ATM manages data flow by configured path. Consider FBSD 4 to be on dedicated
    vlans with each of FBSD 1 - 3.
    All remote nodes have a "path" to the router, not each other... so FBSD 4
    needs to be able to establish VPNs with FBSD 1 - 3 and route between the
    VPNs.

    If I can use FBSD 4 for this, and if I can treat the virtual interfaces as
    normal ones in ipfw, then I can do what I want - right?

    I can probably alter my layout and use of IP addresses and so on somewhat,
    but the key is that routing has to be performed on a single interface in
    order to redirect traffic from the hosts that can't see each other.

    Does that make the problem clear?

    For starters, there are really FBSD 1 - 50 (not just 1 - 3) ;-)

    At present, I've got a variety of hardware and software (Linksys SX41 /
    Netgear / etc.) deployed in place of FBSD 1 - 3 and FreeBSD in place of FBSD
    4... I have a couple of test machines to work with though and figure if I
    can get 3 working I can get the rest working too.

    I've heard something about /32 subnetting, not sure how that works, or what
    has to be done to enable it...

    I've been looking for any information on that I can find on that subject -
    might solve the problem another way if I can make my endpoint routers (1 -
    3) communicate through regular IP by forcing them to bounce through the
    router - but I've been told the router has to support this function as a
    router would normally ignore traffic bound for the same subnet as it comes
    from - right?

    If you know it's impossible, that's ok... I tried ;-) Any alternatives?
    PPPoE instead of VPN between the gateways?

    Thanks in advance.

    Hope I'm not asking too much, or that the challenge is worthy ;-)

    m/

    _______________________________________________
    freebsd-isp@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-isp
    To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
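The spoke-to-spoke policy the post describes, written as an ipfw ruleset for the hub (FBSD 4). This is an added example, not code from the original message or from FreeBSD; it assumes the tunnels terminate on the hub as `tun*` interfaces, that the "certain ports" PC3 may reach on PC5 are TCP 22 and 443 (a constructed placeholder), and that rule numbers 1000-1999 are free on the hub.

```shell
#!/bin/sh
# Added example (not from the original post): hub-side ipfw policy for the
# hub-and-spoke VPN above.  Packets arriving on one tunnel and bound for
# another are the only thing this block governs:
#   192.168.1.0/24 (PC1, PC2) -> full access to 192.168.2.0/24 and 192.168.3.0/24
#   192.168.2.10   (PC3)      -> selected TCP ports on 192.168.3.10 (PC5)
#   any other spoke-to-spoke traffic is dropped and logged.
# Assumptions: tunnel interfaces match "tun*", PC5_PORTS is a constructed
# placeholder for the post's "certain ports", rules 1000-1999 are unused.
# Set IPFW=echo to print the rules instead of loading them.

IPFW=${IPFW:-/sbin/ipfw}
SPOKE1=192.168.1.0/24
SPOKE2=192.168.2.0/24
SPOKE3=192.168.3.0/24
PC3=192.168.2.10
PC5=192.168.3.10
PC5_PORTS="22,443"      # constructed placeholder for "certain ports"
VPN_IF="tun*"           # assumed name pattern of the hub's tunnel interfaces

build_hub_rules() {
    # Remove only our own rule numbers so the rest of the hub's policy stays.
    $IPFW delete 1000 1010 1020 1030 1090 2>/dev/null || true

    # Replies and the outbound leg of forwarded packets are matched by the
    # dynamic rules that keep-state creates below.
    $IPFW add 1000 check-state

    # PC1/PC2 may reach everything behind spokes 2 and 3 (any protocol).
    $IPFW add 1010 allow ip from $SPOKE1 to $SPOKE2 in via "$VPN_IF" keep-state
    $IPFW add 1020 allow ip from $SPOKE1 to $SPOKE3 in via "$VPN_IF" keep-state

    # PC3 may only open TCP connections to the listed ports on PC5.
    $IPFW add 1030 allow tcp from $PC3 to $PC5 $PC5_PORTS in via "$VPN_IF" setup keep-state

    # Everything else that enters on a tunnel and targets a spoke LAN is denied.
    $IPFW add 1090 deny log ip from 192.168.0.0/16 to 192.168.0.0/16 in via "$VPN_IF"
}

if [ "${1:-}" = "apply" ]; then
    build_hub_rules
fi
```

Run as `sh hub-rules.sh apply` on the hub, or `IPFW=echo sh hub-rules.sh apply` to review the rules first; hub-to-spoke and Internet-facing rules are a separate policy and are left to the hub's existing ruleset.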

