Sergey_Anikeev
Contributor

Organization of Internet access via a remote gateway

Hello colleagues!

Please help me understand how this scheme can be implemented?

There is an SMS Gaia R81.10 which manages three gateways:
GW1 - R77.30
GW2 - R77.30
GW3 - R81.10

User PC1, which is on the network behind GW3, has access to the Server, which is on the network behind GW1 via Site-to-Site VPN.

How can I make the second User PC2 machine (in the same subnet) access the Internet via GW2 and not have access to the Server?

0 Kudos
12 Replies
G_W_Albrecht
Legend

By using firewall rules! If you know the user PCs' IPs, this is rather simple; but you could also use IA for a large number of clients.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Sergey_Anikeev
Contributor

Yes, but how to make traffic for UserPC2 to the Internet go through GW2?
So far I've figured out what to do with two VPN Communities, for example:
1. Mesh Community - GW3+GW1
2. Star Community - GW2 (Center) + GW1 (Satellite)

and VPN Routing

But at the same time the connection between GW3 and GW1 disappears

0 Kudos
G_W_Albrecht
Legend

As you should know, R77.30 has been out of support for some time now... It makes no sense to me to send traffic for UserPC2 through the VPN to Site 2 and through TP to the internet, as this will slow down traffic! Why not go from GW3 using R81.10 TP to the internet? Server access can be regulated using rules, so why use two VPN Domains at all?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Sergey_Anikeev
Contributor

The main reason is for the machine PC2 to have internet access under a certain white IP, i.e. via GW2.

0 Kudos
G_W_Albrecht
Legend

What is a white IP? Usually, you are NATing clients behind the GW IP. Do you want to change the client's source country using VPN or a similar trick, to achieve what?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Sergey_Anikeev
Contributor

By white IP, I mean the external IP address of the gateway GW2.
Yes, the goal is to change the country for the client.

0 Kudos
G_W_Albrecht
Legend

I have to strongly warn you that such an action is mostly taken for criminal reasons! At least I have not yet encountered honest reasons for such a demand, except for undercover police forces 😉

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Sergey_Anikeev
Contributor

OK, I'll take that into consideration, but I think it's irrelevant. 🙂

0 Kudos
G_W_Albrecht
Legend

Sorry, I do not understand your answer! Why is that irrelevant if we take performance from 2 GWs for RA VPN that is only needed to hide the client's source country? And why hide it at all? To cheat CP GeoLocation rules and be able to attack?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Sergey_Anikeev
Contributor

I have no intention of using this option for illegal purposes.
In addition, there are simpler ways to do this.

0 Kudos
G_W_Albrecht
Legend

Very good, but why use this option at all? The simplest way is RA VPN wire mode to GW2. But I would suggest upgrading the R77.30 GWs first!

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Sergey_Anikeev
Contributor

That is, what is needed:

It is necessary that PC1 traffic goes
PC1->GW3->GW1->Server

At the same time, PC2 traffic should go
PC2->GW3->GW2->Internet

0 Kudos
