topic Re: Organization of Internet access via a remote gateway in Firewall and Security Management

Organization of Internet access via a remote gateway

Sergey_Anikeev — Fri, 17 Feb 2023 08:39:18 GMT

Hello colleagues!

Please help me understand how this scheme can be implemented?

There is an SMS Gaia R81.10 which manages three gateways:
GW1 - R77.30
GW2 - R77.30
GW3 - R81.10

User PC1, which is on the network behind GW3, has access to the Server, which is on the network behind GW1 via Site-to-Site VPN.

How can I make the second User PC2 machine (in same subnet) access the Internet via GW2 and not have access to the Server?

Re: Organization of Internet access via a remote gateway

G_W_Albrecht — Fri, 17 Feb 2023 09:43:09 GMT

By using firewall rules ! If you know the User PCs IPs this is rather simple; but you could also use IA for a large client number.

Re: Organization of Internet access via a remote gateway

Sergey_Anikeev — Fri, 17 Feb 2023 09:53:36 GMT

Yes, but how to make traffic for UserPC2 to the Internet go through GW2?
So far I've figured out what to do with two VPN Communities, for example:
1. Mesh Community - GW3+GW1
2. Star Community - GW2 (Center) + GW1 (Satellite)

and VPN Routing

But at the same time the connection between GW3 and GW1 disappears

Re: Organization of Internet access via a remote gateway

G_W_Albrecht — Fri, 17 Feb 2023 10:02:31 GMT

As you should know, R77.30 is out of support for a time now... It does make no sense to me to send traffic for UserPC2 thru VPN to Site 2 and thru TP to the internet as this will slow down traffic ! Why not go from GW3 using R81.10 TP to the internet ? Server access can be regulated using rules, so why use two VPN Domains at all ?

Re: Organization of Internet access via a remote gateway

Sergey_Anikeev — Fri, 17 Feb 2023 10:02:37 GMT

That is, need to:

It is necessary that PC1 traffic goes
PC1->GW3->GW1->Server

At the same time , PC2 traffic was going
PC2->GW3->GW2->Internet

Re: Organization of Internet access via a remote gateway

Sergey_Anikeev — Fri, 17 Feb 2023 10:07:50 GMT

The main reason is for the machine PC2 to have internet access under a certain white ip i.e. via GW2

Re: Organization of Internet access via a remote gateway

G_W_Albrecht — Fri, 17 Feb 2023 10:13:45 GMT

What is a white IP ? Usually, you are NATing clients behind the GW IP. Do you want to change the clients source country using VPN or a similar trick to achive what ?

Re: Organization of Internet access via a remote gateway

Sergey_Anikeev — Fri, 17 Feb 2023 10:17:32 GMT

By white ip, I mean the external ip address of the gateway GW2.
Yes, the goal is to change the country for the client.

Re: Organization of Internet access via a remote gateway

G_W_Albrecht — Fri, 17 Feb 2023 10:26:57 GMT

I strongly have to warn you that such an action is mostly taken for criminal reasons ! At least i did not yet encounter honest reasons for such a demand except for undercover police forces 😉

Re: Organization of Internet access via a remote gateway

Sergey_Anikeev — Fri, 17 Feb 2023 10:35:13 GMT

OK, I'll take that into consideration, but I think it's irrelevant. 🙂

Re: Organization of Internet access via a remote gateway

G_W_Albrecht — Fri, 17 Feb 2023 11:14:49 GMT

Sorry, i do not understand your answer ! Why is that irrelevant if we take performance from 2 GWs for RA VPN that is only needed to hide the clients source country ? And why hide it at all ? To cheat CP GeoLocation rules and be able to attack ?

Re: Organization of Internet access via a remote gateway

Sergey_Anikeev — Fri, 17 Feb 2023 11:25:45 GMT

I have no purpose to use this option for illegal purposes.
In addition, there are simpler ways to do this.

Re: Organization of Internet access via a remote gateway

G_W_Albrecht — Fri, 17 Feb 2023 12:21:14 GMT

Very good, but why use this option at all ? Simplest way is RA VPN wire mode to GW2. But i would suggest to upgrade the R77.30 GWs first !