Need advice on how multiple 1-1 VPN networks can be best set up

Requient
May 5, 2014
Hi everyone.

As per the title, what are good ways of achieving the following setup:
1) A central server (possibly with static public IP), such that
2) Multiple external systems (such as industrial equipment connected to routers OR computer systems themselves) can be configured to connect to (1)
3) And that the central server itself can see each of the external systems, but the external systems cannot see one another.

To put things into perspective, my company is looking to offer remote services to our customers. If computer systems are involved, we could likely use TeamViewer. But where industrial equipment is concerned, we will require a way to resolve the IP address, and also make a one-time configuration at our customers' ends. For this, we are thinking of pre-configuring a router which we can then install and connect to the other equipment. Of course, our customers should not be able to access and see each other even though connected to us - this is the part I do not have an answer to.
 
Sounds like your pretty standard firewall-based VPN setup. This is an extremely common setup for a company that provides a managed service to a customer. Because only very large companies have routable IP addresses inside their company, you are likely going to have to do lots of NAT, likely on both the source and destination addresses. This alone tends to make it so two customers' networks cannot see each other, but it is pretty trivial to put in firewall rules to prevent it on the central device.

Although you can likely do this with consumer routers, I would look at commercial firewalls; it will be much simpler since they are designed for this function. I know we send very small Juniper NetScreen firewalls to the remote location; the central firewall we are in the process of moving to Palo Alto. The brand of equipment does not make a huge difference; ours tends to be dictated by politics and changes from time to time.

I suspect your major issue is going to be dealing with the customers that will not let you place equipment on their premises or require you to place it behind their firewall. Smart customers will assume you are stupid and allow other customers to access their network, and they will have firewall rules to prevent it.
 

Requient
Thanks bill001g for your response.

You mentioned using firewall rules and a commercial firewall.
If I understand this right, does it mean that on my server, which I am expecting my clients to connect to, I get a commercial firewall and, using those rules, I ensure they do not see each other?
If so, what firewall software can I consider?

On the customer side, what routers can I consider to fulfill the purpose of connecting to my server?
I would appreciate some keywords that I can Google to get me started - I'm not really sure of the appropriate terms to describe my requirements.

Thanks.
 
I would not load the software on the server; it can be done, but it tends to not work as well as a dedicated box. It really depends on your OS; on Linux it is much easier to get firewall/VPN software. It is generally much easier to get configuration examples when you do it on dedicated firewalls.

I would put a hardware firewall in front of the server. To the server it would take the place of the internet router, but it greatly depends on how you have things designed. All the remote locations would connect to this firewall via VPN, and then the firewall would control which traffic could go where. By default most firewalls do not allow any traffic, so you just put rules in that say the remote sites can access the server; since you did not put a rule in saying they can access each other, it would not be allowed.

I forget the current firewall our company uses at the main office; they like to change the hardware for who knows what reason. It is a large Juniper device, but which model they have today I would have to check. I know it has more than 500 VPN tunnels running off it. They use Juniper SSG5 devices at the customer locations in most cases.

The first thing to learn is purely how to put in a multi-location VPN. This would be the same setup as if you had a company with a main office and a bunch of branch offices. You will find lots of examples of VPN config for that. The only thing that makes this different is you want the remote offices to only talk to the main one, not to each other. That is a pretty simple firewall rule.

...you are jumping into a very complex issue. It seems pretty simple until you run into a customer who does not fit your design. A nasty example would be how you are going to handle it if one of the customers just happens to use the same IP block as your server. The NAT gets extremely complex sometimes.
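The hub-side policy these replies describe (default deny on the central firewall, one allow rule per remote site toward the server, nothing between sites) together with the same-IP-block problem raised in the last post, as an added Python example that is not from the thread or from any poster. It renders an nftables ruleset for a Linux hub firewall and refuses to render one while a customer's tunnel block collides with the server's block or with another customer's, since that case needs NAT or renumbering before any allow rule makes sense. The addresses, site names and the `tun0` interface name are constructed assumptions.

```python
import ipaddress
from itertools import combinations
from typing import Dict, List

# Constructed sample data (not from the thread): the service server behind the
# hub firewall and the tunnel subnets assigned to three customer sites.
SERVER_IP = "10.200.0.10"
SERVER_NET = "10.200.0.0/24"
SPOKES: Dict[str, str] = {
    "customer-a": "10.201.1.0/24",
    "customer-b": "10.201.2.0/24",
    # Deliberately reuses the server's block so the overlap check fires.
    "customer-c": "10.200.0.0/24",
}


def find_overlaps(server_net: str, spokes: Dict[str, str]) -> List[str]:
    """Report spoke subnets that collide with the server block or with each other.

    Any hit means plain routing cannot work for that site; the hub needs NAT
    or a renumbered tunnel range before the rules below can be applied.
    """
    server = ipaddress.ip_network(server_net, strict=True)
    nets = {name: ipaddress.ip_network(cidr, strict=True) for name, cidr in spokes.items()}
    problems = []
    for name, net in nets.items():
        if net.overlaps(server):
            problems.append(f"{name} ({net}) overlaps server network {server}")
    for (a, na), (b, nb) in combinations(sorted(nets.items()), 2):
        if na.overlaps(nb):
            problems.append(f"{a} ({na}) overlaps {b} ({nb})")
    return problems


def build_hub_ruleset(server_ip: str, server_net: str, spokes: Dict[str, str],
                      vpn_iface: str = "tun0") -> str:
    """Render an nftables ruleset for the hub firewall's forward path.

    Policy: drop everything by default, let each spoke reach only the server,
    let replies flow back, and log what was refused (spoke-to-spoke included).
    vpn_iface is an assumed name for the tunnel-side interface of the hub.
    """
    conflicts = find_overlaps(server_net, spokes)
    if conflicts:
        raise ValueError("fix addressing before deploying rules: " + "; ".join(conflicts))
    lines = [
        "table inet hub {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for name, cidr in sorted(spokes.items()):
        lines.append(
            f'    iifname "{vpn_iface}" ip saddr {cidr} ip daddr {server_ip} '
            f'accept comment "{name} -> server"'
        )
    # Nothing permits traffic between two spoke subnets, so it falls through to
    # the chain policy; the log line makes those attempts visible for review.
    lines += [
        '    counter log prefix "hub-denied: "',
        "  }",
        "}",
    ]
    return "\n".join(lines) + "\n"


def flow_allowed(server_ip: str, spokes: Dict[str, str], src: str, dst: str) -> bool:
    """The intent the ruleset encodes, as a function you can unit-test when SPOKES changes."""
    src_ip = ipaddress.ip_address(src)
    from_spoke = any(src_ip in ipaddress.ip_network(cidr) for cidr in spokes.values())
    return from_spoke and ipaddress.ip_address(dst) == ipaddress.ip_address(server_ip)


if __name__ == "__main__":
    for problem in find_overlaps(SERVER_NET, SPOKES):
        print("ADDRESSING CONFLICT:", problem)
    # Drop the colliding site from the generated policy until it is renumbered.
    usable = {name: cidr for name, cidr in SPOKES.items() if name != "customer-c"}
    print(build_hub_ruleset(SERVER_IP, SERVER_NET, usable))
```

The generated text can be loaded with `nft -f` on a Linux hub; the `counter log` line before the policy drop is what lets you confirm, from the hub's logs, that a site trying to reach another site is being refused rather than silently routed.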