Archived from groups: comp.dcom.lans.ethernet
Hello folks!
My wife will be telecommuting in the next few weeks, and her employer
is furnishing a router and a computer for her to use at home. We have
cable internet access and they want her to use the existing connection
(won't install/pay for a separate connection).
Can their router/computer be installed into our existing connection
without our home computer having to be on their router? Since her
company logs all internet traffic, I do not wish for them to have any
access to any information about our home computer.
Any advice/ideas you can give will be greatly appreciated!
Archived from groups: comp.dcom.lans.ethernet
In article <9068100a.0406251040.7235dee@posting.google.com>,
sicorican <sicorican@yahoo.com> wrote:
:My wife will be telecommuting in the next few weeks, and her employer
:is furnishing a router and a computer for her to use at home. We have
:cable internet access and they want her to use the existing connection
:(won't install/pay for a separate connection).
:Can their router/computer be installed into our existing connection
:without our home computer having to be on their router? Since her
:company logs all internet traffic, I do not wish for them to have any
:access to any information about our home computer.
If they aren't paying for an extra connection, then their router must
be an "ethernet router" (i.e., two ethernet interfaces) rather than
a "cable modem" (one ethernet, one cable interface). So what you do
is put a cheap NAT'ing router attached to your cable modem's LAN, with
the company's box plugged into one port and your systems plugged into
other ports.
Their router likely has VPN capabilities. Depending on the NAT'ing router
you get, you might break that VPN. With a relatively modern NAT'ing router
you can -likely- make the appropriate adjustments, so that udp 500,
ESP (protocol 50), AH (protocol 51), GRE (protocol 47), udp 4500, udp 10000,
or whatever other ports required, are directed to their box instead of your
own. But that might require some co-operation on their end (e.g., to
enable 'nat-traversal'), which I would say they are -morally- obliged to
undertake [they shouldn't just take over your home connection like that!],
but whether they will or not...
In summary: it depends. It's not that it can't be done, but it requires
some co-operation if they are putting in a VPN.
--
Warning: potentially contains traces of nuts.
Archived from groups: comp.dcom.lans.ethernet
Walter Roberson wrote:
> In article <9068100a.0406251040.7235dee@posting.google.com>,
(snip)
> If they aren't paying for an extra connection, then their router must
> be an "ethernet router" (i.e., two ethernet interfaces) rather than
> a "cable modem" (one ethernet, one cable interface). So what you do
> is put a cheap NAT'ing router attached to your cable modem's LAN, with
> the company's box plugged into one port and your systems plugged into
> other ports.
> Their router likely has VPN capabilities. Depending on the NAT'ing router
> you get, you might break that VPN. With a relatively modern NAT'ing router
> you can -likely- make the appropriate adjustments, so that udp 500,
Well, they have to adjust the VPN to whatever IP address you
tell them you have. Most likely port forwarding from your own
NAT router into the VPN supporting router should do it. Yes, it
would be best not to run your home traffic through the VPN.
(snip)
> In summary: it depends. It's not that it can't be done, but it requires
> some co-operation if they are putting in a VPN.
Archived from groups: comp.dcom.lans.ethernet
In article <z92Dc.94964$2i5.79195@attbi_s52>,
glen herrmannsfeldt <gah@ugcs.caltech.edu> wrote:
:Walter Roberson wrote:
:> In article <9068100a.0406251040.7235dee@posting.google.com>,
:> Their router likely has VPN capabilities. Depending on the NAT'ing router
:> you get, you might break that VPN. With a relatively modern NAT'ing router
:> you can -likely- make the appropriate adjustments, so that udp 500,
:Well, they have to adjust the VPN to whatever IP address you
:tell them you have.
There is some detail we haven't been told -- such as whether the
company router is expecting to get the outside IP via DHCP or if it
is expecting a [more or less] static IP that is publicly routable
so that the remote end can initiate inward connections.
:Most likely port forwarding from your own
:NAT router into the VPN supporting router should do it.
On most of the NAT routers that I have seen, port forwarding
would not necessarily be sufficient -- in that for those routers,
when they say "port" forwarding, they mean only TCP or UDP with
no possibility of GRE, ESP, or AH forwarding. (For example, the Cisco PIX
series does finally support a weak GRE forwarding, if you turn off
outgoing VPNs, but it doesn't have ESP or AH forwarding from its outside
IP.)
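Added example (not part of the original thread): a simplified Python model of the inbound side of a NAT router, showing why TCP/UDP port-forward rules cover udp 500, 4500 and 10000 but can never match ESP, AH or GRE. The address 192.168.1.2 for the company router, the sample packets and the passthrough table are assumptions constructed for illustration, not the behaviour of any particular router.

```python
import struct

UDP, TCP, GRE, ESP, AH = 17, 6, 47, 50, 51   # IP protocol numbers
COMPANY_BOX = "192.168.1.2"   # hypothetical LAN address of the employer's router

def build_ipv4(proto, dport=None):
    """Constructed sample packet: IPv4 header plus, for TCP/UDP, the two port fields."""
    l4 = struct.pack("!HH", 40000, dport) if dport is not None else b""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                      bytes([198, 51, 100, 7]), bytes([203, 0, 113, 9]))
    return hdr + l4   # checksum left at 0; this model does not verify it

def nat_inbound(pkt, port_forwards, passthrough):
    """Return the LAN host an inbound WAN packet is delivered to, or None if dropped."""
    ihl = (pkt[0] & 0x0F) * 4          # header length in bytes
    proto = pkt[9]                     # protocol field of the IPv4 header
    if proto in (TCP, UDP):
        if len(pkt) < ihl + 4:
            return None                # truncated: no port to match on
        (dport,) = struct.unpack("!H", pkt[ihl + 2:ihl + 4])
        return port_forwards.get((proto, dport))
    # ESP, AH and GRE carry no port number, so a (protocol, port) rule can never
    # match them; only a per-protocol passthrough entry delivers the packet.
    return passthrough.get(proto)

def demo():
    # udp 4500 is NAT traversal: ESP wrapped in UDP, so a plain port forward works.
    forwards = {(UDP, p): COMPANY_BOX for p in (500, 4500, 10000)}
    flows = {"udp 500": build_ipv4(UDP, 500), "udp 4500": build_ipv4(UDP, 4500),
             "udp 10000": build_ipv4(UDP, 10000), "ESP": build_ipv4(ESP),
             "AH": build_ipv4(AH), "GRE": build_ipv4(GRE)}
    forward_only = {n: nat_inbound(p, forwards, {}) for n, p in flows.items()}
    with_passthrough = {n: nat_inbound(p, forwards, {ESP: COMPANY_BOX, GRE: COMPANY_BOX})
                        for n, p in flows.items()}
    return forward_only, with_passthrough

if __name__ == "__main__":
    for label, result in zip(("port forwarding only", "plus ESP/GRE passthrough"), demo()):
        print(label, result)
```
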
Archived from groups: comp.dcom.lans.ethernet
Thank you for all the help!
I'll post the info as I get it...
So far, it appears that it will be a VPN through a Linksys BEFSR41
router.
I'm still trying to get specific information.
I'm thinking about getting another Linksys BEFSR41 router and
connecting our home pc and her company's router to it. What do you
guys think about that?
Also, what's the difference between setting a VPN "passthrough" and
"port forwarding"? Could I use either of those settings to insure
that her company could not monitor our home pc's traffic?
Archived from groups: comp.dcom.lans.ethernet,comp.protocols.tcp-ip
(adding comp.protocols.tcp-ip, closer to where this really belongs)
sicorican wrote:
> Thank you for all the help!
> I'll post the info as I get it...
> So far, it appears that it will be a VPN through a
> Linksys BEFSR41 router.
I would expect BEFVP41, the VPN version.
> I'm still trying to get specific information.
> I'm thinking about getting another Linksys BEFSR41 router and
> connecting our home pc and her company's router to it. What do you
> guys think about that?
You want to make sure that your home machines aren't part
of the VLAN. Most obvious, as you say, would be to connect
the VPN router to a non-VPN router, so that only VPN hosts
are on the VPN side of the router.
It might be that the BEFVP41 can run both VPN and non-VPN nets
at the same time, which would save the cost of an additional
router. Hosts would be identified by subnet, or IP address,
as to VPN membership. Check the manual for that.
> Also, what's the difference between setting a VPN "passthrough" and
> "port forwarding"? Could I use either of those settings to insure
> that her company could not monitor our home pc's traffic?
The configuration I am used to would have a subnet on
the local network routed through the VPN router. Each home
would have its own VPN subnet. (Different than other VPN users
of the company, and also different than the home non-VPN net.)
It might be that there are other ways to do it when only one
host in the house wants to use the VPN. There are plenty of
private subnets to go around, if you use a small enough netmask.
Archived from groups: comp.dcom.lans.ethernet
sicorican wrote:
> My wife will be telecommuting in the next few weeks, and her employer
> is furnishing a router and a computer for her to use at home. We have
> cable internet access and they want her to use the existing connection
> (won't install/pay for a separate connection).
Sounds like a cheap company. I was recently doing some work for a company,
where I set up employees in their home office. The company supplied an
ADSL line & router, which the employees were permitted to use for personal
use. The work computers had VPN software installed. I set up the company
provided work computers, but the employees could also plug their own
computers into the router.
I have a problem with companies who expect employees to provide resources
without compensation. Many companies will also pay "rent" to the employee,
to offset the added use of utilities etc.