[vpn-help] Multiple VPN clients behind a Fios Actiontec router

Roper, Andrew aroper at bcsvoicedata.com
Thu Jan 19 11:42:00 CST 2012


Mark,

Juniper used to have a cool little firewall for home users called the Netscreen-HSC. However, these are no longer available new. In your case, it sounds like you need to do a hardware-based site-to-site VPN to overcome the limitations that will be imposed by the FiOS router. I would recommend a business-class device, possibly an SSG-5, or something similar that has advanced VPN capabilities. The new device would be set up like any other client with a NAT-ed address from the FiOS router and the VPN would be configured to use NAT-traversal. You would have a new network behind the firewall for the machines accessing the work network. If these same machines will also have a need to access services in the "FiOS" network then this may present a problem. But, the larger question is why is that the case? Prudent security practices would have it that you keep these networks separate. Work machines should remain as work machines and home machines as home machines. A workable solution would be to have two NICs with one talking to one network and the other talking to the other network. You would use client-based routing to get to the work network and leave the default gateway as the FiOS router for all the FiOS services. Personally, I would take this a step further and virtualize those workstations and bind those VMs to the second NIC that is talking to the new "work" VPN firewall; this method would completely contain the work environment while allowing the host PC to have access to all the other FiOS network services. It sounds complicated, because it is - a little, but it would need to be if you are unable to dedicate machines to work and to play. Mixing the two is a dangerous combination from a security perspective and is not allowed in our environment. As a security consultant I would advise against others doing the same. It's one thing if your home machine gets some nasty malware, it's something entirely worse if that bug gets into the corporate network.

That's my professional opinion and you are, obviously, free to do whatever. But, I don't think you really have much choice. It's either break the Verizon router and lose some services, or deal with one client connected at a time, or implement a solution that provides a way around that but that has its own limitations. However, if the work and play machines are one and the same then you are limited to the first two options unless you are willing to go through what I mentioned in the first paragraph.

Hope this helps.

-Andrew
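As an added illustration of the two-NIC, client-routed layout described above (example code, not from anyone in this thread): a small Python check that parses `ip route` output and confirms the work prefixes are reached through the VPN firewall on the second NIC while the default gateway stays the FiOS router. Interface names, addresses and prefixes below are assumed placeholders.

```python
"""Verify split routing on a dual-NIC host: work prefixes via the VPN
firewall on the second NIC, everything else via the FiOS router.
Added example; interface names and addresses are assumptions."""
import ipaddress

# Constructed sample of `ip route` output for a host with two NICs
# (eth0 on the FiOS LAN, eth1 on the "work" network behind the VPN firewall).
SAMPLE_ROUTES = """\
default via 192.168.1.1 dev eth0 proto static
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
192.168.50.0/24 dev eth1 proto kernel scope link src 192.168.50.10
10.20.0.0/16 via 192.168.50.1 dev eth1 proto static
"""

def parse_routes(text):
    """Parse `ip route` lines into (destination network, next hop, device)."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = ipaddress.ip_network("0.0.0.0/0" if fields[0] == "default" else fields[0])
        via = fields[fields.index("via") + 1] if "via" in fields else None
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        routes.append((dest, via, dev))
    return routes

def route_for(routes, address):
    """Longest-prefix match, the same selection the kernel makes."""
    addr = ipaddress.ip_address(address)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None

def check_split_routing(text, work_prefixes, work_dev, work_gw, home_gw):
    """Return a list of problems; an empty list means the layout matches the design."""
    routes = parse_routes(text)
    problems = []
    # 203.0.113.1 is a documentation address standing in for "the Internet".
    default = route_for(routes, "203.0.113.1")
    if default is None or default[1] != home_gw or default[2] == work_dev:
        problems.append("default route does not go via the FiOS router")
    for prefix in work_prefixes:
        net = ipaddress.ip_network(prefix)
        r = route_for(routes, str(net.network_address + 1))
        if r is None or r[2] != work_dev or r[1] != work_gw:
            problems.append(f"work prefix {prefix} is not routed via {work_gw} on {work_dev}")
    return problems

if __name__ == "__main__":
    print(check_split_routing(SAMPLE_ROUTES, ["10.20.0.0/16"], "eth1", "192.168.50.1", "192.168.1.1"))
```

Feed it the real output of `ip route` to confirm the host has not fallen back to sending work traffic through the FiOS router.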

-----Original Message-----
From: Mark A. DeMichele [mailto:demi at intellipro.com] 
Sent: Thursday, January 19, 2012 11:32 AM
To: Whit Blauvelt; Roper, Andrew
Cc: vpn-help at lists.shrew.net
Subject: RE: [vpn-help] Multiple VPN clients behind a Fios Actiontec router

Do you have any suggestions on what I would use for the "VPN Client/router"?

Would that config require my local machines to be on a different local network than the ISP-provided router?  If so, I think I may lose various Fios features.  Or does that "VPN client/router" just work as a tunneling device for the VPN and the ISP-provided router gives out the local addresses?

Sorry, I'm not a network guy, just a programmer that gets by doing some networking stuff.

-----Original Message-----
From: Whit Blauvelt [mailto:whit at transpect.com]
Sent: Thursday, January 19, 2012 11:25 AM
To: Roper, Andrew
Cc: Mark A. DeMichele; vpn-help at lists.shrew.net
Subject: Re: [vpn-help] Multiple VPN clients behind a Fios Actiontec router

> That worked fine with only one VPN client machine connected to my 
> office server. However, as soon as I added another machine, it would 
> disconnect the first machine.

Can you set up your side so that it's:

various local machines > switch > VPN client/router > ISP-provided router > Net > office VPN server? 

One tunnel should be enough. That's assuming one of your home machines is running some variant of *nix to be the router though.

Whit
