Jeff L. -- networking question -- slightly OT

Jeff,

I want to connect 2 wired networks securely via the internet and am considering VPN routers. I realize "wired" is slightly OT, but believe you can help with this question. One network receives internet access via ADSL, while the other uses wireless broadband. A dry line is not an option in my location.

Both networks are wired, and at different locations. Both networks have Win'ME, W2K, and Win'XP machines, as well as both print servers and printer sharing via connected computers. I would like to connect the 2 networks so that they will appear as one large network.

When connecting machines on the 2 networks, I would want the internet connection to be secure, and I'd like to avoid additional software, so I am thinking routers that have built-in VPN (VPN end-points?). I need to completely restrict internet access on some of the machines, but continue to allow full local LAN connectivity (those machines would not necessarily need to connect to the other portion of the network, via VPN or otherwise).

I would need 8 or fewer LAN ports on each router, and would only need 2 or 3 simultaneous VPN connections between the 2 networks.

Your thoughts and opinions on proper hardware would be appreciated. I've found a number of routers that appear to be appropriate, but I have very limited personal knowledge of these particular routers and would like some pointers in the right direction. Even though the internet connections top out at around 1.5 Mbps down/ 768Kbps up, I would like to find appropriate routers with the highest throughput.

Many thanks,

Bob Clark

Reply to
Bob

Bob hath wroth:

Don't do that. If the question is interesting and I have time, I'll answer. Sticking my name in the subject is like saying you don't want input from anyone else.

Slightly off topic? More like way far off topic.

What are the speeds in both directions? Apparently the ADSL is 1500/768 Kbit/sec. What's the wireless speed? The reason I ask is that your performance is limited by the slowest speed.

That's exactly what a VPN does.

Most VPNs use either PPTP or IPSec encryption. IPSec is more secure, but also more complex to set up.

Microsloth likes to terminate their VPNs in their servers. Not recommended.

Yep. Router to router makes the system transparent without screwing around with anything on the LAN. However, there's a not so small requirement. Your two networks MUST be on different Class C IP blocks. If one end is running 192.168.1.xxx, then the other should be on 192.168.2.xxx (with a netmask of 255.255.255.0). Some routers will work with identical network blocks, but you must be very careful not to duplicate IPs and you'll find some oddities.

That's a different issue. Just make sure that the router has a MAC or IP address filter and you block access. Where it gets sticky is trying to block access to the other side of the VPN but allow internet access for a given client computah. It's not possible because they use the same gateway IP.

With a router to router VPN connection, there is only one connection. However, you may want to have mobile clients on the internet connect to the VPN from outside. That will require additional connections. Most boxes will do 5 or 10. Check the specs.

That's easy. Sonicwall and Netscreen. Both are expensive as in $500 and up for each end. Worth the price, methinks. I've used much cheaper Linksys BEFVP41 VPN routers and was not thrilled.


Sorry. I don't have any benchmarks.

Reply to
Jeff Liebermann
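Two of the points in the reply above lend themselves to a quick planning check before buying hardware: the two LANs must sit on non-overlapping private blocks, and the tunnel can never run faster than the slowest of the four link directions, less the per-packet cost of encapsulation. The script below is an added example, not code from the thread or from any of the vendors mentioned. It assumes IPsec ESP in tunnel mode with a 16-byte-block CBC cipher and a 96-bit integrity tag (the thread only says "PPTP or IPSec"); the link speeds are the ones quoted in the thread, and the function names are mine.

```python
"""Site-to-site VPN planning checks (added example, not from the thread).

Checks performed:
  1. the LAN prefixes at both ends are private and do not overlap;
  2. the best-case rate per direction is min(sender upload, receiver download);
  3. the bytes IPsec ESP tunnel mode adds per packet, the largest inner
     packet that still fits a 1500-byte WAN MTU, and the resulting goodput.
"""
import ipaddress

# Constructed sample values: the link speeds quoted in the thread, in kbit/s.
ADSL_DOWN, ADSL_UP = 1500, 768          # site A
WIRELESS_DOWN, WIRELESS_UP = 1300, 650  # site B

# ESP tunnel-mode framing (assumed: AES-CBC style 16-byte block/IV, 96-bit ICV)
OUTER_IP_HDR = 20    # new outer IPv4 header
ESP_HDR = 8          # SPI + sequence number
ESP_TRAILER = 2      # pad length + next header
CIPHER_BLOCK = 16
IV_LEN = 16
ICV_LEN = 12


def check_lan_blocks(lan_a: str, lan_b: str) -> list:
    """Return a list of problems with the two LAN prefixes (empty means OK)."""
    a = ipaddress.ip_network(lan_a, strict=False)
    b = ipaddress.ip_network(lan_b, strict=False)
    problems = []
    if a.overlaps(b):
        # A route for the remote LAN would collide with the local one.
        problems.append(f"{a} overlaps {b}: one side must be renumbered")
    for net in (a, b):
        if not net.is_private:
            problems.append(f"{net} is not a private (RFC 1918) block")
    return problems


def tunnel_ceiling_kbit(a_up: int, a_down: int, b_up: int, b_down: int):
    """Best-case rate (kbit/s) for A->B and B->A before encapsulation overhead.
    Traffic from A to B is bounded by A's upload and B's download."""
    return min(a_up, b_down), min(b_up, a_down)


def esp_tunnel_overhead(inner_len: int) -> int:
    """Bytes added to an inner IP packet of inner_len bytes by ESP tunnel mode.
    CBC padding brings (payload + pad + trailer) up to a cipher block multiple."""
    pad = (-(inner_len + ESP_TRAILER)) % CIPHER_BLOCK
    return OUTER_IP_HDR + ESP_HDR + IV_LEN + pad + ESP_TRAILER + ICV_LEN


def max_inner_packet(mtu: int = 1500) -> int:
    """Largest inner packet whose encapsulated size still fits the WAN MTU.
    Anything bigger gets fragmented on the wire, which hurts more than the
    raw overhead does; clamp TCP MSS to (this - 40) on the router if it can."""
    for size in range(mtu, 0, -1):
        if size + esp_tunnel_overhead(size) <= mtu:
            return size
    raise ValueError("MTU too small for any ESP payload")


def goodput_kbit(link_kbit: int, inner_len: int) -> float:
    """Share of the link carrying inner packets of inner_len bytes."""
    wire = inner_len + esp_tunnel_overhead(inner_len)
    return link_kbit * inner_len / wire


if __name__ == "__main__":
    for pair in (("192.168.1.0/24", "192.168.2.0/24"),
                 ("192.168.1.0/24", "192.168.1.0/24")):
        print(pair, check_lan_blocks(*pair) or "OK")

    a_to_b, b_to_a = tunnel_ceiling_kbit(ADSL_UP, ADSL_DOWN, WIRELESS_UP, WIRELESS_DOWN)
    print(f"ceiling A->B {a_to_b} kbit/s, B->A {b_to_a} kbit/s")

    big = max_inner_packet(1500)
    print(f"largest unfragmented inner packet: {big} bytes "
          f"(+{esp_tunnel_overhead(big)} bytes ESP)")
    # Small packets (NetBIOS/SMB chatter) pay proportionally far more overhead.
    for size in (64, 576, big):
        print(f"{size:5d}-byte packets over the slow direction: "
              f"{goodput_kbit(b_to_a, size):6.1f} kbit/s goodput")
```

The overlap check is the one that bites people who leave both routers at the factory default of 192.168.1.0/24; renumber one side before bringing the tunnel up rather than relying on a router's "same subnet" workaround. The goodput figures show why file sharing over a 650 kbit/s tunnel feels slower than the link speed suggests: the small packets that Windows browsing and SMB produce spend a large fraction of the wire on ESP framing.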

Wireless is 1300/650 Kbit/sec.

I had looked at Sonicwall, hadn't seen the Netscreen. I wondered about the Linksys, and I think you've answered that question. Do you have any knowledge of the Netgear VPN routers? Are they in the same category as the Linksys? However, the $500 price tag at each end for the Sonicwall would not be prohibitive in this particular application.

If I understand you correctly, this won't be a problem. On the machines that I need to block internet access, they need to be able to see and be seen on the "local" LAN, but they would not need to access or be accessed by the "remote" LAN. The unblocked machines would need local LAN access, internet access, and access to the remote LAN. Would MAC filtering allow this? Could a NAS device be configured to allow it to be accessed both locally and remotely?

For that matter, if there is any appropriate software available, I could dedicate one of the old hangar queen computahs to routing duties, if a ~600 MHz P3 would be fast enough to not restrict throughput.

I understand. However, after months of lurking, I've found your answers in areas with which you are familiar to be both informative and concise, and that isn't meant to demean any of the other knowledgeable posters on this group.

Thanks for your time,

Bob Clark

Reply to
Bob

Bob hath wroth:

It's going to run at the 650Kbit/sec speed. With layers of encapsulation and encryption, even slower.

Yes. They have a line of VPN routers. I haven't done much with them. The customers that pay me to set up their VPN pretzel want it to work out of the box, the first time, and without any subsequent surprises. One hiccup and the cost is far more than the cost of the routers. They are perfectly willing to pay for the best to avoid problems. Therefore, I avoid the cheapo routers. If you like to try Netgear, I suggest you look at some of the VPN problems in the Netgear forums at:

I did, and did not like the large number of post-installation problems.

Well, Netgear does have a rather solid looking metal box. Linksys is plastic. Other than that, methinks they're about the same.

Do the math. Pretend you have a failure of some sort a few months downstream. What would you charge to troubleshoot and fix it? What will it cost the company in lost productivity? One of my former customers carried computer downtime insurance because failures were so costly.

You missed the important issue. I can't block any machine from getting to the remote LAN without also blocking its access to the internet.

The NAS boxes I've played with do not have an ACL (access control list). They rely on the Windoze DC (domain controller) or AD (active directory) to deal with access issues. They may have local passwords for shares and directories but there's no means of filtering by IP address. You could stuff a router (with NAT disabled) between the NAS box and the rest of the LAN, and control access using the router configs.

Incidentally, I've been playing with Buffalo Linkstation NAS boxes. Wonderful product. I've been furiously replacing SAMBA and Windoze servers with NAS for customers that don't run applications on the server.


I use Freesco for a Linux based router. WAN-LAN throughput of my PII/450 with a pair of Pro100 cards is about 35 Mbit/sec with a mess of filter rules.


Reply to
Jeff Liebermann

I think we are saying the same thing, I'm just not expressing myself very clearly. The machines that I want to completely block from the internet do not need access to the remote LAN, nor does the remote LAN need access to these particular machines. The blocked machines only need access to the local LAN.

As I strongly suspected, the old rule of getting what you pay for still applies.

Great food for thought. The VPN connect is my first priority, but this NAS may be useful as well. The so-called networked programs that we are using all run on the local machines, with the "server" only hosting the data files. The main point of this whole endeavor is to be able to run one of these particular programs off-site, while accessing the onsite data files. If the NAS can be mapped as a network drive, it should work. It sounds as though a NAS might be an option for eliminating those times when a worker shuts down the wrong computer.

Thanks for your time and the useful info,

Bob

Reply to
Bob

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.