LAN access while VPN is up

I work from home through an IPSEC tunnel to a Nortel VPN switch.

Recently the switch configuration was altered such that the Nortel VPN client routes everything except RFC1918 Class C addresses up the tunnel. Unfortunately, I chose RFC1918 Class A addresses for my local LAN long ago, so I've lost access to local shares and printers while the tunnel is established.

It wouldn't be all that painful to renumber the local LAN to RFC1918 Class C, but I'm curious as to alternative solutions - perhaps involving adding a router (I have a couple spare). Any suggestions?

Triffid

Posted by Triffid

And the switch configuration relating to the LAN isn't under your control?

;-) I work at a "Class A" (actually, classes were abolished in 1993 with the advent of CIDR), so there was no incentive to use one at home. My home net predates both RFC1918 and RFC1597, and I originally used a block in the 223.250.6.x range (which still hasn't been allocated by IANA). Less numbers to remember? No, I use hostnames. Less numbers to type when configuring things? How often do you do that? Adequate number of IP addresses? Actually, I use a 255.255.252.0 mask at home, not that I'll ever have 1000 hosts there. And two of my ISPs use RFC1918 addresses for customer (rather than public) services - one has their DNS and mail servers in the 10.200.0.0/16 block for some bizarre reason.

Disadvantage of using a switch as the connection to the world.

Depends on how paranoid you are.

I certainly wouldn't be thrilled to know that packets from my net are leaving the house, even if the ISP is dropping them into the bit bucket.

A router, or a switch of your own - your owning the routers would reduce the hardware cost and might add versatility, but how much are you paying for power? My connection to the world goes through a firewall which is the remains of a 386SX laptop - no display, no keyboard, and not much else. Last time I measured it, it was drawing 30 VA. Do the math - that's about 260 KWH for the year, or about $35 at the "last kilowatt-hour rate" for me.

Old guy

Posted by Moe Trin

I've forgotten my reason - no doubt it was bizarre.

Indeed, but if that were the case my Netscreen would drop them first.

Apparently I failed to explain clearly.

The tunnel runs from my laptop to my employer's VPN switch. The intent of the client configuration enforced by the switch is to prevent my laptop having simultaneous access to the corporate intranet and public internet. The VPN client on my laptop routes everything except 192.168.0.0/16 up the tunnel, and disconnects the tunnel if I mess with the routing table. Since my local LAN isn't 192.168.x.x, it's unreachable while the tunnel is up.

Posted by Triffid

The two most common reasons for choosing the "Class A" range of RFC1918 are: 1) it's the first one listed in the tables of such addresses; and 2) people think it's impressive - forgetting that the address doesn't appear on the Internet, and no one else is going to know you are using it.

That's done with procedure/policy here. The system I have to connect to the company net has one network interface - to that net only. My home systems are on a different net, physically isolated from the company computer - the classic "air gap". I can also get in to the company net via SSH over the Internet, but the number of hoops to jump through makes using the company box preferable. Yes, that means two data links in the house.

Got it. I've got a minor advantage that I have 'root' (admin user) on all systems here, including the company box, which would allow me to do a lot of things. The company box has a non-routable address (they see no reason why I need a real address), and if I'm really desperate to reach the Internet without using my own systems, I can SSH into a system at work, and reach out from there.

Old guy

Posted by Moe Trin

More likely down to my habit of changing default settings - most home networking gear comes out of the box set to 192.168.x.x, like the NAT router I was using before deciding to invest in a firewall. Not that I have any faith in security by obscurity, but a lot of poorly coded malware falls over if the system isn't bog-standard (especially in the windoze world). This is not the first time I've been bitten - legitimate software has been known to fall over because I didn't install windoze where it is 'supposed' to be...

No such luxury here. I could create separate networks that only touch at the Netscreen. However, it's a low-end model, so that involves switching it to 'home/work mode' - which wipes the config so I get to start over :-(

On the odd occasion I need to reach the Internet while working, I can use the corporate gateway via the tunnel. What I can't do is get hardcopy on a local printer, or grab something off the local file server - at least not without dropping the tunnel.

Unless there's a trick that hasn't occurred to me (hence my original post), my choices are:

  1. Renumber the local network to 192.168.x.x
  2. Use the Netscreen to create a second local network
  3. Use one of the spare routers to create a second local network
  4. Status Quo

Only 2 and 4 make sense to me. 1 is almost as painful as 2, but doesn't segregate home/work. 3 uses more electricity but provides weaker segregation than 2. 4 is tolerable but not ideal.

Triffid

Posted by Triffid

RFC1918 isn't the only set of addresses you can use. For example, you could use 169.254.0.0/16 (link-local RFC3927) though it probably wants manual configuration, 192.0.2.0/24 (test net) or even 198.18.0.0/15 (benchmark net), if you know what you are doing.

I know a person whose home network is 192.168.64.0/18 (192.168.64.0 - 192.168.127.255) that has hosts on 192.168.x.255 (where x is 64 to 126) only. Perfectly normal - but anyone who sees it has a head explosion.

:-(

That's the disadvantage of having the VPN. Of course, I run into a similar thing with the company box, as it has no printer either (it does, but it's located down the hall from my office at work). On the rare occasion I need to print something locally, it gets saved to a floppy, and sneaker netted to one of the other systems.

How many systems? I'm assuming these are static (otherwise, DHCP would be a single file change), but for me it would be four files per system (/etc/sysconfig/network, /etc/hosts, /etc/rc.d/init.d/firewall and /etc/hosts.allow) and three of the four would be carbon copies on all systems. I could swap networks here in less time than it would take to think about it - maybe ten minutes total.

No experience

This wouldn't correct the problem about local file access or printing.

Why would 1 be so hard?

The segregation needed depends on the company requirements. I can't say one way or the other.

Old guy

Posted by Moe Trin
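As an added example (not code from any poster in this thread), here is the split-tunnel routing Triffid describes and Moe Trin's 192.168.64.0/18 point, worked with Python's standard ipaddress module. The routing table below is constructed from the thread's description: a default route up the tunnel and a single 192.168.0.0/16 exception for the LAN.

```python
import ipaddress

# Constructed from the thread: everything goes up the tunnel except
# 192.168.0.0/16, which the VPN client leaves on the local interface.
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "tunnel"),
    (ipaddress.ip_network("192.168.0.0/16"), "lan"),
]


def next_hop(dst, routes=ROUTES):
    """Longest-prefix match: the most specific route containing dst wins.

    Returns the interface name, or None if no route matches.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for net, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def lan_stays_local(lan_prefix, excluded="192.168.0.0/16"):
    """True if every address of the home LAN falls inside the tunnel's
    exception, i.e. the whole LAN remains reachable while the VPN is up."""
    return ipaddress.ip_network(lan_prefix).subnet_of(
        ipaddress.ip_network(excluded))


def is_broadcast(addr, prefix):
    """Whether addr is the directed broadcast of prefix; x.x.x.255 is only
    a broadcast when the mask says so, which is Moe Trin's /18 example."""
    net = ipaddress.ip_network(prefix)
    return ipaddress.ip_address(addr) == net.broadcast_address


if __name__ == "__main__":
    # Triffid's situation: a 10.x LAN is swallowed by the default route.
    print(next_hop("10.1.2.3"))             # tunnel
    print(next_hop("192.168.1.10"))         # lan
    print(lan_stays_local("10.0.0.0/8"))    # False
    print(lan_stays_local("192.168.64.0/18"))  # True
    # Under a /18, 192.168.70.255 is an ordinary host address.
    print(is_broadcast("192.168.70.255", "192.168.64.0/18"))   # False
    print(is_broadcast("192.168.127.255", "192.168.64.0/18"))  # True
```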

Cute - so they look like broadcast addresses until you check the mask.

Yeah. Low-end Netscreens run the same OS as their enterprise brethren, but tend to have some silly restrictions. There's at least one mid-size box at work that's running out of steam for the task, maybe I can scrounge it at some point...

Done that - bit of a pain as I normally have a DVD drive in the laptop bay so have to swap in the floppy, but workable. The bigger issue is screen real estate - the laptop has SFA, while my desktop has 2 x 19". I'd be more efficient using the desktop for documentation, and the laptop for remote system configuration.

OK, I'm procrastinating. It's ~14 systems using DHCP reservations on the Netscreen - maybe 30 minutes, plus a few more restarting Samba on the file server to avoid resetting its nice uptime counter.

Nor here - at least not on the model I have at home.

Unless I used NAT - which would also be required under option 2.

Status Quo satisfies current company requirements - but there are potential advantages to segregating all *my* systems against whatever the kid's windoze boxes might unleash. Teenagers are quite the challenge when it comes to user awareness training.

I'm not entirely acclimatised to this work from home gig - I miss my Lab. It's all in the basement, but if I fire it up, guess who pays the power bill :-(

Triffid

Posted by Triffid

One of my favorite tricks for grabbing an unused address on somebody else's LAN if it's an emergency and I can't get anyone that knows what addresses are free. Hardly anyone uses those addresses.

That's true, but it's not a very big deal -- export it to text before the conversion and then you can cut and paste the pieces back into the new config via the command line. All you really have to do is search and replace the zone names to reflect the new ones.

I missed the start of the thread, but home/work should work fine if you're trying to segregate from the kid's network. NS says you can't communicate between home/work but I've proven that wrong in the field -- however unless you *try*, it will indeed keep the networks separated. But home can't get on the VPN, so that is useful.

However I've found a far more flexible option is to put in a FG60 for folks working at home with kids. You have separate interfaces (internal, DMZ, WAN1, WAN2) that can be arbitrarily configured any way you like (add in VLANS if you want to get crazy with zones) with total control over all traffic between all zones with multiple site-to-site VPNS. You can even block p*rn and other nefarious sites for the kids, AV all your mail and browse traffic, block whatever IMs you want, and put IPS on the works, block some adware, and log and track all the kids browse and email traffic. For around $1K for hardware and the first year of subscriptions.

-Russ.

Posted by Somebody.

Most people swear that they _are_ broadcasts - and ignore the netmask as a typo, because everyone knows the only masks are /24, /16 or /8. ;-)

?SFA? Star Fleet Academy? ;-)

I don't have the desk space to put more monitors - I've got a 15 inch on the company box, and a 20 on the desktop. The wife's workstation has a similar layout. I'm running X on these systems, so I can be running a lot of tasks at the same time (there's 20 nxterms open on the big one, and 9 on the company box). That gives me enough effective space.

I don't use Samba - does it keep its own timer? If it's just the box itself, I'd expect it to just be restarting services - no need to reboot for that.

No kids here, but I know what you mean.

Most of my work from home is firefighting - it saves the 25 minute drive in to work if I can reach in from the house and kick what's necessary. Thus, my home electrical bill isn't that bad - probably an extra $250 a year - and that doesn't buy that much gas/etc. in comparison.

Old guy

Posted by Moe Trin

Yes, I imagine taking that approach would speed things up, even if I needed a couple of iterations to get it right. I have a goodly collection of shell scripts we used for building and manipulating NS configs before the company agreed to invest in NSM. I still run the one that TFTPs the config daily and emails me if it's changed.

[snip]

I understood you have full control of work -> home policy, but cannot create home -> work policy. That would meet my needs, are you saying it's not the case?

At roughly 4x what I have invested in the Netscreen, I would certainly expect far more flexibility :-) However, I have my eye on a pair of 208s that are likely to be swapped out soon...

Triffid

Posted by Triffid

My laptop has 1920 x 1200 on the panel in only 15.4" wide screen. The laptop doesn't *look* huge, but the workspace is *awesome* in practice. I love this screen. :-) And the best part is, wherever I go, it's right there with me. Plus I work only on the built-in keyboard, so I'm used to it, and I have an identical optical mouse and pad in my travel bag. So, onsite I'm immediately comfortable and don't feel constrained.

-Russ.

Posted by Somebody.

I'm saying we tricked a NS into breaking that principle, but in a normal configuration, you won't likely see that happen. So, forget I said anything. :-)

Well if you're comparing used hardware without support against new hardware with support and AV/IPS/SPAM/filtering subscriptions, that might account for the price difference. :-)

208s are very nice boxes, just don't expect to do any Deep Inspection with them. Stateful packet inspection only.

-Russ.

Posted by Somebody.

Sweet Fsck All ;-)

You might feel differently if you did all your work from home, as opposed to mostly firefighting ;-)

No, I'm referring to OS uptime. Restarting services _should_ be sufficient, but anomalous behavior has been a problem in the past. After all, Samba _is_ emulating M$ Networking, and generally does a fine job - so one can forgive a few foibles that may well be down to the windoze clients in any case.

I have the windoze boxes set to Ghost themselves to the file server every 4 hours, so if the kids contract something nasty I just roll back. Setting it up was a pain - Ghost had no problem saving to real windoze or Samba, but could only restore from windoze - claimed the file I just browsed to didn't exist when I tried to restore from Samba.

Symantec support promptly dropped the ball ("Samba is not supported"). It turns out Ghost sets irrational file permissions which windoze "fixes" automatically, but Samba has to be told to do so via a mask.

#1 son just left, wanted me to type the admin password on his box so he could install some P2P cruft. I told him I'd research the risks on the weekend and then we'd discuss it...

Triffid

Posted by Triffid

Not likely - I don't let things like that slide, as they are frequently indicative of a design issue that will bite you in other ways. Did you open a case?

I'm not - my 5GT was new when I bought it on eBay, and I was able to negotiate support and subscriptions for it at very reasonable rates in conjunction with a hardware order. Sure I had leverage not available to all, but the bottom line is just that...

No? Not supported, or not enough horsepower? (I don't 'own' any 208s at work, so don't have much experience with them)

Triffid

Posted by Triffid

Pretty easily with several desktops and in each desktop xterm & xterm & xterm & xterm & xterm & xterm & xterm & xterm & xterm & xterm & xterm & xterm &

Posted by Bit Twister

"How does one get by with 12 xterms?"

SCNR, VB.

Posted by Volker Birk

No, in fact we were trying to achieve that functionality, but in the end we didn't need it, but at the same time didn't care if it was there. Lots of other more important tickets to worry about.

So you've managed to make a great purchase there, kudos. :-) As long as the GT does what you need, you're all set.

The 5GT is basically a CPU based box more than a purely ASIC box like the 5XT, 5XP, or any of the bigger boxes. That's why it has AV as well as DI. There is no AV on the bigger boxes, because they don't have the CPU horsepower (or system memory) for it. DI is implemented on bigger boxes, but it seriously, seriously impacts the performance of the box because it's done in the general purpose CPU, which was never scaled for that in the first place since the GPCPU requirements for an ASIC box are laughably small and they were all (except for the new ISG line) designed before DI was ever thought of. So you take a box with 200Mbps of stateful inspection firewall throughput and very nearly that much 3DES throughput cranking through their excellent ASIC, and just strangle it down into low double or perhaps single digits -- nobody at NS will fess up exactly what the number is so far in my experience anyway, and I've never benchmarked it. They basically just say "don't do it" when pressed. And that's just single packet deep inspection, not data re-assembly required for AV or more advanced IPS.

That's the major difference between NetScreens and Fortigates, and the reason Ken Xie left NS to start Fortinet. He knew they had to inspect the entire packet in silicon to compete in the next generation, and NS didn't want to invest in it because of the upcoming IPO. So, he left and started his own company. Result: Fortigates do all their content inspection and content reassembly in ASIC and therefore can scale those services much more efficiently than a NS can, while still retaining all the advantages of an ASIC box vs a general purpose computer with an OS and software running on it -- those very advantages are the main reasons that NetScreens had such a solid, low-cost product and gained such market share in the first place.

-Russ.

Posted by Somebody.

I'm only running this at 1600 x 1200 on the big monitor, and 1024 x 768 on the small one - due to my eyes. I've run 2048 x 1536 on the 21 inch, but it doesn't feel as easy on the eyes after several hours. I've tried some TFT monitors for two weeks, and was not impressed. Sharp and clear, yes, but simply not as comfortable. I'm not sure why.

I use three types of keyboards - a Sun 4, and 5, and a Keytronics that resembles the original IBM 101 key. I don't use windoze, so I don't need the extra windoze specific keys any more than I use the L keys on the Sun keyboards.

Old guy

Posted by Moe Trin

fsck.ext3: No such file or directory while trying to open /dev/all

At work, there are three 21 inch monitors on the desk area. No, it's not much difference.

Basic system should be minimally affected - at most, restarting networking and any firewall should do the trick. The only time it gets complicated is when the hostname changes (all systems I work with other than the ISP side of my home firewall are using static addresses). Samba - from the _very_ limited stuff I know about it, I thought it used basic networking from the O/S, and the only tricks might be it remembering windoze neighborhood crap. I would from a first assumption think this would also be cured with a restart.

Hopefully not overwriting the previous N images - lest they discover something a day or two from now, and all you have is contaminated backups.

Minor surprise. A number of companies I have contacts with who are using windoze are using Samba (and have been for years) for reliability. One was even the source of a good chuckle, when an ex-employee turned them in to the Software Publishers Association for running unlicensed software. They had the needed workstation licenses, but none for the file servers. Of course not - the servers were running a GPL Linux distribution and Samba. So much fun was had by the admin - even though the SPA shouldn't have been allowed into the building without the required search warrant.

Sounds like another windoze standard that isn't.

;-)

Old guy

Posted by Moe Trin

Wonder if he's ever tested his ghost backups -- I've been fighting for hours trying to ghost a 2GB drive up to a larger partition on another drive because Windows 2000 Server keeps running out of space. Should be simple, but...

-Russ.

Posted by Somebody.
