[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Firewall and remote machine



Hello Anders,
What you describe is  a VPN... Your 'Server B' would establish a VPN (IPSec)
connection into 'Server A' network.  The twist is that you are trying to do
this through a uncooperative firewall, it is pretty common to use SSH
tunneling for such purpose.
The VPN:  Acting like a router.
If you had another block of IP Addresses available, you could just use
normal routing and make the VPN act like a "split router".  But you don't
mention that you have another block of IP's, and you do mention NAT...  I
assume your goal is to use "real" IP's (as that is what you are trying to
accomplish?).
The VPN:  Acting like a bridge.
Another solution that would not require any extra subnets is a bridge.
Basically have the two servers ('Server A' and 'Server B') bridge the two
remote networks.  In this case, the clients will act as if they are directly
at the same location as 'Server A'.  From a client routing perspective, the
distance is eliminated.  Assuming that your 193.2.2.x subnet has enough free
IP's for all the clients, you would just give clients IP addresses like you
would normally at your 'Server A' location and let the bridge hide the
10.0.0.x network.  You could even use your existing DHCP resources from the
'Server A' location.
The choice between router / bridge is pretty well documented out there.
Basically how much control you want over traffic.   Bridge is easier (less
subnets) but can be more wasteful (especially broadcast traffic).  Bridge
sounds ideal for your needs.
Now, to get through the uncooperative firewall, you could use SSH tunneling
for the VPN.  If the firewall is cooperative, you would just use IPSec
directly between the two OpenBSD machines... but if you can't get a "clear
path" then piggyback on SSH tunneling.
Summary
===========
To sum this up, what I would suggest as one solution:
"I want to create a IPSec VPN that is tunneled over SSH that bridges two
remote networks."  No NAT involved, other than the 10.0.0.x network you are
"borrowing" your physical link from.
"man brconfig" on OpenBSD has a section on "IPSEC BRIDGE".
>From my perspective, you are correct that PF has nothing or little to do
with your need :)  When I mention "bridge" I mean the simple version of it
(not a router), not a "transparent firewall".
  Stephen Gutknecht
  currently in Port Orchard, Washington USA
-----Original Message-----
From: Anders Rosvoldaunet [mailto:[email protected]] 
Sent: Tuesday, November 26, 2002 5:15 PM
To: [email protected]
Subject: Firewall and remote machine
I'm putting up a temporary network in a couple of weeks that will be
operative for just a few days. The problem is that the Internet connection
at the location where I'm putting it up is behind a firewall, more
specifically it's a WAN behind a Novell Bordermanager server that I don't
have access to. I do however, have access to a server A running OpenBSD
connected direcetly to the Internet at another location just a few hops away
from the firewall (and I've got lots of IP addresses for this server as
well). What I want to do, is basically to "tunnell" all the traffic through
this machine, so that the clients won't notice that they're behind a strict
NAT'ing firewall. I'm not sure if this is possible at all, but here's a
simple figure of how I imagine the situation;
The machine at the 'remote' location with unfirewalled Internet access has
IP addresses 193.2.2.1 to 193.2.2.255 The machines connecting to the
firewalled wide area network get IP adressess 10.0.0.1 to 10.0.0.255 The
firewall running Novell Bordermanager has the external IP address 212.2.2.1
I first hook up another server B with two NICs running OpenBSD to the
firewalled network, it's external interface gets IP 10.0.0.2 through DHCP,
it'll then 'appear' on the Internet as 212.2.2.1. I connect the internal
interface on server B to a switch, and connect the clients that form the
temporary network to this switch. So far so good, I can now simply run NAT
on server B, and it'll work fairly good, but what I want is unique IP
addresses for all the machines. To sum up what the situation might be like;
client (193.2.2.56) --Local Area Network--> (193.2.2.1 - internal interface)
server B running OpenBSD behind firewall (external interface -
10.0.0.2) --Wide Area Network--> (10.0.0.1 - internal interface) firewall
running Novell BorderManager (external interface - 212.2.2.1) --Internet-->
(193.2.2.2) server A with unfirewalled Internet access and many IP addresses
running OpenBSD (193.2.2.2) --Internet--> www.somesite.com (12.23.23.23)
sees the client accessing it as 193.2.2.56.
In an ideal situation, the client won't even notice the firewall, a
traceroute to www.somesite.com should be something like;
1    <1 ms    <1 ms    <1 ms  193.2.2.1
2    18 ms    19 ms    19 ms  193.2.2.2
--*snip*--
9    58 ms    56 ms    61 ms  www.somesite.com [12.23.23.23]
As mentioned earlier, I'm not sure how to do this, or even if it's possible
at all. If it is, I would be glad to get some advice how to accomplish it.
Final commentary; I apologize if this message should have been sent to
another mailing list than pf in the first place, but I recon this problem as
a mixture between tunnelling and use of pf.
Sincerely yours,
Anders Rosvoldaunet
[email protected]