
Thread: vpn hardware solution

  1. #1
    Larry Erickson
    Guest

    vpn hardware solution

    Hello, first let me say that I am not a network expert at all, and
    also thanks to whoever takes the time to read this. I work for a
    company that makes industrial monorail systems for the laundry
    industry. We will go into large industrial buildings and install many
    different network devices including computers, PLCs, and remote IO
    devices. All of our devices need to have static IP addresses. We need
    to troubleshoot our devices remotely and most often we accomplish this
    by making the facility provide us with a dedicated phone line to our
    main PC, which although slow, is very reliable and simple to set up.
    Some customers are unwilling to give us phone lines and give us only a
    network connection and set up a VPN for us. This works but currently
    it seems that different IT departments set up VPNs differently, and
    sometimes we need special software to connect. We also don't know
    how to make these VPNs work without changing all of our network
    devices' IP addresses (sometimes over 100 devices) to match the IPs of
    the VPN we are given. We would love to always go with VPN
    connections over a phone line because of the speed and other features
    we could use of having our systems on the internet, but would like
    them to work the same all the time and not require us to change the IP
    addresses of our devices. We were wondering if there was perhaps a
    hardware solution for this. Perhaps we could provide our customer
    with some type of VPN router that we tell our customers to just give
    internet to? Should we have two network cards in our main PC? I
    really have no idea how this type of networking works, but I feel that
    a solution for a problem exists. Thanks.

    Larry

  2. #2
    jack masters
    Guest

    Re: vpn hardware solution

    Larry Erickson wrote:
    > Hello, first let me say that I am not a network expert at all, and
    > also thanks to whoever takes the time to read this. I work for a
    > company that makes industrial monorail systems for the laundry
    > industry. We will go into large industrial buildings and install many
    > different network devices including computers, PLCs, and remote IO
    > devices. All of our devices need to have static IP addresses. We need
    > to troubleshoot our devices remotely and most often we accomplish this
    > by making the facility provide us with a dedicated phone line to our
    > main PC, which although slow, is very reliable and simple to set up.
    > Some customers are unwilling to give us phone lines and give us only a
    > network connection and set up a VPN for us. This works but currently
    > it seems that different IT departments set up VPNs differently, and
    > sometimes we need special software to connect. We also don't know
    > how to make these VPNs work without changing all of our network
    > devices' IP addresses (sometimes over 100 devices) to match the IPs of
    > the VPN we are given. We would love to always go with VPN
    > connections over a phone line because of the speed and other features
    > we could use of having our systems on the internet, but would like
    > them to work the same all the time and not require us to change the IP
    > addresses of our devices. We were wondering if there was perhaps a
    > hardware solution for this. Perhaps we could provide our customer
    > with some type of VPN router that we tell our customers to just give
    > internet to? Should we have two network cards in our main PC? I
    > really have no idea how this type of networking works, but I feel that
    > a solution for a problem exists. Thanks.
    >


    Same problem here, different customers have different VPN
    implementations, IP ranges and restrictions. Most customers will not let
    you put anything on their network that connects directly to the internet
    and is outside their direct control. The current solution is to use a
    separate (minimal) virtual machine for each customer, and let the
    customers' IT support install whatever they deem necessary on that to
    get a VPN link working. VM goes back to the office, gets installed on a
    common server, and whoever needs to do support for that customer
    connects to the VM.

    If you like to keep your static IP address layout the same across
    multiple installations, you will need to separate your control network
    completely from the client's network, in case a client also uses that
    range on their network (a good idea anyway for other reasons) and run
    another tunnel (e.g. VPN or SSH with port forwarding) into that. Most
    major network vendors sell boxes that can be (ab)used for that,
    alternatively a small headless PC-like device (Soekris or similar) with
    two network adapters and Linux will do the job.

    J.

  3. #3
    Larry Erickson
    Guest

    Re: vpn hardware solution

    On Sep 11, 5:25 am, jack masters <jcfmast...@yahoo.com> wrote:
    > Larry Erickson wrote:
    > > Hello, first let me say that I am not a network expert at all, and
    > > also thanks to whoever takes the time to read this. I work for a
    > > company that makes industrial monorail systems for the laundry
    > > industry. We will go into large industrial buildings and install many
    > > different network devices including computers, PLCs, and remote IO
    > > devices. All of our devices need to have static IP addresses. We need
    > > to troubleshoot our devices remotely and most often we accomplish this
    > > by making the facility provide us with a dedicated phone line to our
    > > main PC, which although slow, is very reliable and simple to set up.
    > > Some customers are unwilling to give us phone lines and give us only a
    > > network connection and set up a VPN for us. This works but currently
    > > it seems that different IT departments set up VPNs differently, and
    > > sometimes we need special software to connect. We also don't know
    > > how to make these VPNs work without changing all of our network
    > > devices' IP addresses (sometimes over 100 devices) to match the IPs of
    > > the VPN we are given. We would love to always go with VPN
    > > connections over a phone line because of the speed and other features
    > > we could use of having our systems on the internet, but would like
    > > them to work the same all the time and not require us to change the IP
    > > addresses of our devices. We were wondering if there was perhaps a
    > > hardware solution for this. Perhaps we could provide our customer
    > > with some type of VPN router that we tell our customers to just give
    > > internet to? Should we have two network cards in our main PC? I
    > > really have no idea how this type of networking works, but I feel that
    > > a solution for a problem exists. Thanks.

    >
    > Same problem here, different customers have different VPN
    > implementations, IP ranges and restrictions. Most customers will not let
    > you put anything on their network that connects directly to the internet
    > and is outside their direct control. The current solution is to use a
    > separate (minimal) virtual machine for each customer, and let the
    > customers' IT support install whatever they deem necessary on that to
    > get a VPN link working. VM goes back to the office, gets installed on a
    > common server, and whoever needs to do support for that customer
    > connects to the VM.
    >
    > If you like to keep your static IP address layout the same across
    > multiple installations, you will need to separate your control network
    > completely from the client's network, in case a client also uses that
    > range on their network (a good idea anyway for other reasons) and run
    > another tunnel (e.g. VPN or SSH with port forwarding) into that. Most
    > major network vendors sell boxes that can be (ab)used for that,
    > alternatively a small headless PC-like device (Soekris or similar) with
    > two network adapters and Linux will do the job.
    >
    > J.


    Thanks a lot for your response. It is nice to know that other people
    have similar situations. I am pretty unfamiliar with virtual machines
    so I have a couple more questions.
    First, what is the reason most customers will not let you connect
    directly to the internet? Is it security, cost, or another reason?
    Is there anything that can be done to make this idea more appealing to
    customers? Also if you could connect directly to the internet, what
    would be the best way to remotely connect?

    We do like to keep all of our static IP address layouts the same
    across all our installations. As far as the virtual machine solution
    goes, what do you recommend using for a Windows platform? I think you
    were saying to set up our normal network settings on our main PC, and
    then install a virtual machine on that PC also, on which the customer's
    IT department installs their VPN link software. We then connect through
    the VPN to our PC's virtual machine, in which we can access our other
    network devices somehow. In your last paragraph, are you saying
    that we should always be using two network cards, or use a hardware
    solution that can provide the same thing? Sorry for all the
    questions, and again thanks for responding.

    Larry

  4. #4
    Larry Erickson
    Guest

    Re: vpn hardware solution

    On Sep 11, 5:25 am, jack masters <jcfmast...@yahoo.com> wrote:
    > Larry Erickson wrote:
    > > Hello, first let me say that I am not a network expert at all, and
    > > also thanks to whoever takes the time to read this. I work for a
    > > company that makes industrial monorail systems for the laundry
    > > industry. We will go into large industrial buildings and install many
    > > different network devices including computers, PLCs, and remote IO
    > > devices. All of our devices need to have static IP addresses. We need
    > > to troubleshoot our devices remotely and most often we accomplish this
    > > by making the facility provide us with a dedicated phone line to our
    > > main PC, which although slow, is very reliable and simple to set up.
    > > Some customers are unwilling to give us phone lines and give us only a
    > > network connection and set up a VPN for us. This works but currently
    > > it seems that different IT departments set up VPNs differently, and
    > > sometimes we need special software to connect. We also don't know
    > > how to make these VPNs work without changing all of our network
    > > devices' IP addresses (sometimes over 100 devices) to match the IPs of
    > > the VPN we are given. We would love to always go with VPN
    > > connections over a phone line because of the speed and other features
    > > we could use of having our systems on the internet, but would like
    > > them to work the same all the time and not require us to change the IP
    > > addresses of our devices. We were wondering if there was perhaps a
    > > hardware solution for this. Perhaps we could provide our customer
    > > with some type of VPN router that we tell our customers to just give
    > > internet to? Should we have two network cards in our main PC? I
    > > really have no idea how this type of networking works, but I feel that
    > > a solution for a problem exists. Thanks.

    >
    > Same problem here, different customers have different VPN
    > implementations, IP ranges and restrictions. Most customers will not let
    > you put anything on their network that connects directly to the internet
    > and is outside their direct control. The current solution is to use a
    > separate (minimal) virtual machine for each customer, and let the
    > customers' IT support install whatever they deem necessary on that to
    > get a VPN link working. VM goes back to the office, gets installed on a
    > common server, and whoever needs to do support for that customer
    > connects to the VM.
    >
    > If you like to keep your static IP address layout the same across
    > multiple installations, you will need to separate your control network
    > completely from the client's network, in case a client also uses that
    > range on their network (a good idea anyway for other reasons) and run
    > another tunnel (e.g. VPN or SSH with port forwarding) into that. Most
    > major network vendors sell boxes that can be (ab)used for that,
    > alternatively a small headless PC-like device (Soekris or similar) with
    > two network adapters and Linux will do the job.
    >
    > J.



    Thanks a lot for your response. It is nice to know that other people
    have similar situations. I am pretty unfamiliar with virtual machines
    so I have a couple more questions. First, what is the reason most
    customers will not let you connect directly to the internet? Is it
    security, cost, or another reason? Is there anything that can be done
    to make this idea more appealing to customers? Also if you could
    connect directly to the internet, what would be the best way to
    remotely connect?

    We do like to keep all of our static IP address layouts the same
    across all our installations. As far as the virtual machine solution
    goes, what do you recommend using for a Windows platform? I think you
    were saying to set up our normal network settings on our main PC, and
    then install a virtual machine on that PC also, on which the customer's
    IT department installs their VPN link software. We then connect through
    the VPN to our PC's virtual machine, in which we can access our other
    network devices somehow. In your last paragraph, are you saying that
    we should always be using two network cards, or use a hardware
    solution that can provide the same thing? Sorry for all the questions,
    and again thanks for responding.

    Larry


  5. #5
    jack masters
    Guest

    Re: vpn hardware solution

    Larry Erickson wrote:

    >
    > Thanks a lot for your response. It is nice to know that other people
    > have similar situations. I am pretty unfamiliar with virtual machines
    > so I have a couple more questions. First, what is the reason most
    > customers will not let you connect directly to the internet? Is it
    > security, cost, or another reason? Is there anything that can be done
    > to make this idea more appealing to customers? Also if you could
    > connect directly to the internet, what would be the best way to
    > remotely connect?


    Various security concerns; from the customers' point of view: "There is
    something on my network that is connected directly to the internet; I
    have no control over setup, security updates etc., so I am not happy."
    If you do not have to be connected to the customer's own network (e.g.
    for SCADA systems that the customer wants to see from his desktop) there
    is normally no problem besides the cost of a separate connection. If
    there *is* a need to be connected to the customers' network, the best
    solution is to have the customer put in a firewall between your network
    and theirs. That puts updates and firewall maintenance responsibility on
    them too ;)

    >
    > We do like to keep all of our static IP address layouts the same
    > across all our installations. As far as the virtual machine solution
    > goes, what do you recommend using for a Windows platform? I think you
    > were saying to set up our normal network settings on our main PC, and
    > then install a virtual machine on that PC also, on which the customer's
    > IT department installs their VPN link software. We then connect through
    > the VPN to our PC's virtual machine, in which we can access our other
    > network devices somehow.


    Correct. We use VMware; it is OS-independent for what we use (Windows VM
    running under Linux or Windows). Install VMware on a laptop, let the
    customer play around in a VM to set up VPN, and copy the VM off the
    laptop later. On the server in the office you end up with a collection
    of VMs; if customer X needs support, fire up the VM for customer X and
    connect. Caveat: most VPNs restrict any other network access as long as
    the VPN is connected, so if you have to copy files back and forth
    between office and site you have to copy them to the VM first, connect,
    then copy to site.

    > In your last paragraph,
    > are you saying that we should always be using two
    > network cards, or use a hardware solution that can provide the same
    > thing? Sorry for all the questions, and again thanks for
    > responding.
    >


    Matter of personal preference, and budget. I prefer a separate device
    (e.g. I can also use it as a DHCP server for connecting laptops on-site,
    and set it up as a proper firewall between control network and generic
    office network), but a solution with two network cards, one inside the
    customer's network and one on the control network can work too. Beware
    of routing pitfalls if the customer's IP ranges overlap yours.
    If you have the customer give you VPN access they might even be able to
    put a firewall/router in that gives you direct access; otherwise you
    will have to set things up so that you have access through their VPN to
    a single IP address on the second network card, run a VPN or SSH server
    on your machine, and route through there into the rest of the control
    network.
    Standard boxes exist that can do this (Cisco ASA series comes to mind,
    other brands have similar things, but there you are talking fairly
    serious money). If you have the expertise in-house (or can borrow it
    from somewhere) to set up a small Soekris board it might be more
    cost-effective.
    And nobody says you can't have a back-up modem line attached to the same
    box, as a back-up in case the VPN doesn't work. At one site we have a
    little GSM modem that has come in handy when somebody dug up both the
    primary *and* the back-up network lines near a customer's site.

    All in all, it depends on how much money you want to spend, and how much
    time in setting it up. A second-network-card solution might be a bit of
    a pain to get set up, but if it is well-documented you start seeing the
    savings with the next site.

    J.
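
Added example, not part of the thread or of any poster's setup: a Python check for the overlap pitfall raised in posts #2 and #5, which also builds the SSH port-forward command that reaches control-network devices through the gateway's single customer-side address. All addresses, ports, site names, device names and the `support` account are constructed for illustration.

```python
import ipaddress

# Constructed sample data: every address, port and name below is hypothetical.
CONTROL_NET = ipaddress.ip_network("192.168.1.0/24")  # identical at every site
DEVICES = {"plc-1": ("192.168.1.10", 502), "main-pc": ("192.168.1.20", 3389)}
SITES = {
    "site-a": {"customer_nets": ["10.20.0.0/16"], "gateway": "10.20.5.40"},
    "site-b": {"customer_nets": ["192.168.0.0/22", "172.16.8.0/24"],
               "gateway": "172.16.8.15"},
}


def conflicts(customer_nets, control_net=CONTROL_NET):
    """Customer ranges that overlap the control network's fixed range."""
    nets = [ipaddress.ip_network(n) for n in customer_nets]
    return [n for n in nets if n.overlaps(control_net)]


def forward_args(devices=DEVICES, first_port=15000):
    """One -L option per device, bound to loopback on the support machine so
    the forwarded device ports are not reachable from the office LAN."""
    args = []
    for offset, (name, (ip, port)) in enumerate(sorted(devices.items())):
        if ipaddress.ip_address(ip) not in CONTROL_NET:
            raise ValueError(f"{name} ({ip}) is outside the control network")
        args.append(f"-L 127.0.0.1:{first_port + offset}:{ip}:{port}")
    return args


def access_plan(site_name, user="support"):
    """Decide how a site can be reached and build the ssh command for it."""
    site = SITES[site_name]
    gateway = ipaddress.ip_address(site["gateway"])
    customer_nets = [ipaddress.ip_network(n) for n in site["customer_nets"]]
    # The gateway's customer-side address is the only one the VPN must reach.
    if not any(gateway in n for n in customer_nets):
        raise ValueError("gateway address is not on the customer's network")
    if gateway in CONTROL_NET:
        raise ValueError("gateway address collides with the control network")
    clash = conflicts(site["customer_nets"])
    return {
        # With a clash, a route to CONTROL_NET via the gateway would be
        # ambiguous on the customer side, so only port forwarding is usable.
        "mode": "forward-only" if clash else "route-or-forward",
        "clash": [str(n) for n in clash],
        "ssh": " ".join(["ssh", "-N", *forward_args(), f"{user}@{gateway}"]),
    }


if __name__ == "__main__":
    for name in SITES:
        print(name, access_plan(name))
```

Because the forwards terminate on the gateway, the support machine never needs a route to the control range itself, which is why the same device addresses can be reused at every site.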
