You are best off doing this at the firewall, not on one or another PC. If your firewall is CLI based, like say a Cisco ASA, then yes, it can be done at a command line through either telnet or SSH. That is the way I would recommend setting it up when you need Site A access to Site B.

No, I don't think it's possible with a firewall... that, or I would have to set up a rule for each and every PC FROM Site A and TO Site B, including services such as FTP, etc.

Another thought I just had: if 192.168.1.4 from 80.39.34.23 (Site A) connects to 90.34.23.12 (Site B), which has 192.168.100.100 (the router), on that side I would get a new IP, 192.168.100.78 (the 70s range is reserved for VPN connections). I couldn't get a PC on Site B (let's say 192.168.100.23) to ping 192.168.1.4 because it still would not see it! This would be a PC-to-PC VPN connection.

What is the difference when I have a VPN connection between routers?

I have many VPNs set up through my firewalls, whether it be Cisco, Juniper, SonicWall, etc. So yes, it can be done through the firewall; it depends what you have. Most true firewalls have this feature built in; even many "routers" have this feature built in. I quote routers because they really are firewalls... current firewalls are nothing more than routers with a bunch more features.

No, you don't set up a rule for each PC... there is something called a default route that gets created during the VPN process... this tells everyone trying to communicate across to use the VPN to get to the other side; everything else either communicates locally or uses the internet.

Leave subnetting and masks out of this. Let's not complicate it any more than it needs to be.

I agree... for now. There is another detail that does (ultimately) involve subnetting, but I think I should understand these simple concepts first and THEN move on to the complication of subnetting (instead of subnetting I may be able to do it with VLANs...).

BTW, I don't mind explaining the situation if it helps at all! :) I am just looking for other proposals other than VPNs.

OK, VPN is going to be the most cost-effective solution in your scenario.

MPLS will be the next, but it will cost some, as this involves the telephone company installing a line connecting to their network from each location, and they maintain the line to their network as well as other equipment to handle the hand-off from the MPLS into your network. There are more costly solutions than this that also involve your phone company installing solutions.

Most small businesses will take the VPN route as being the most cost-effective, where they don't incur any additional costs of maintaining a line just for office traffic. The only cost out of pocket is the cost of the hardware to maintain the connection and an internet connection at each location; you can add more cost by putting maintenance on the hardware in case of failure. But as was said, you probably already have the equipment to handle this... all you would have to give is the model number for the equipment and we can check it out; this tells us nothing about who you are or what you do.

Hell, you could even take two old PCs and make 2 pfSense firewalls with this capability. Wouldn't cost you anything, as I am sure you have some old P3s or P4s lying around.

[attached network diagram]

I deserve Neowin artist of the year :p

No seriously, this is basically what I need to do.

Tick 1 in NO WAY, SHAPE OR FORM can access that Red Circle end client. I need Tick 1 and Tick 2 to communicate. What I want to avoid (well, I can't do directly) is having anything to do with the router(s) on the side of Tick 2 and Red Circle.

We are actually looking at the options of doing this. Currently we are looking at NetModule NB2500 routers to be on our side (Tick 1) and NetModule NB1600 (Tick 2) to be on the other side(s). They are both indeed VPN routers, as you can see, and "self configured" :) I was just wondering if there are other ways or options, but as you and many others have commented, it seems that this is the only way.

Emulating this ability on our side would be very interesting, to see how it works, but I was thinking of making 2 OpenWRT VMs (which I think have VPN capabilities) and making a VPN tunnel.

I don't know if there is a better way of stating that VPN is the best solution.

If you did get VPN hardware, I would suggest proven reliable equipment: Cisco SMB routers or your own hardware with pfSense or Untangle. I don't know what that NetModule stuff is or why you would want that over anything already mentioned.

Did you see what the hardware was actually?

Those routers, besides the exterior, on the software interior side run OpenWRT.

Yes, Hamachi would have to be installed on the 2 computers.

There are many different VPN solutions: OpenVPN, SmoothWall, m0n0wall, all have their different flavors of establishing a VPN connection. If your NetModules have VPN capability, I would use them. It is better to stay with the same product or brand, being that it makes configuration and troubleshooting the same on both devices.

From a cost perspective VPN is the way to go.

But I have to install Hamachi on Tick 1 AND Tick 2, right?

It just doesn't magically work (I remember using Hamachi on the Xbox; good times).

Yes, you install it on both computers. Are you saying you are in fact looking for something that magically works?

Yes, they are both preconfigured to work with each other (from what I gather) on a VPN standpoint.

Well, I wouldn't say that, but VPN routers are the closest thing to "magically works" (à la Apple).

That's not possible, as the end clients aren't PCs; they have embedded OSs (probably ARM, would have to confirm that), so software-wise it would have to be on the network device (like these routers I've pointed out :) )

I'm off home, so not sure I'll be able to reply later or during the weekend. Thanks for all your help! :)

I was granted a wish the other day and magically my backups started working; I didn't do squat other than pray to the llama gods.

Networking and anything that "magically works" should not be used together IMHO. You should want to be the one who configures it.

If you want to do as little as possible, then I suppose those devices you linked are fine, but not what I would use.

I mentioned some brands before...

How about a Cisco ASA 5505 or a 5510, or a SonicWall TZ170 or TZ180 or even a TZ210, maybe a Juniper SA VPN appliance. I have had the liberty to play with a VPN solution by NetMotion; it is pretty slick, client based vs site based, but very expensive. It is designed for mobile clients using cellular service to connect into the network... what is slick about it is that if you lose signal the VPN client holds the connection until the signal comes back; this is very important to those with Citrix or RDP connections. Those specific connections do not end, causing end users to lose work or having to re-sign on; it pauses the connection like it is frozen while there is no signal, and when your signal comes back it is as if you never dropped out of the session. Biggest complaint with NetMotion is that their screen freezes, and I have to constantly explain that it is supposed to do that because you lost signal (users drive around with laptops always on and connected in their cars).

Those look like great products (I think one is even cheaper than the models we were looking at, but again) I don't see anything of this size:

http://www.netmodule.com/Products/NB1600-Wireline.aspx

The end device is NOT a PC: this has 2 digital outputs and an RS-232, which I've been told are needed. Also the USB port is a plus, because otherwise network transfers are required, and as you see that is impossible (red line) for the client at hand to transfer from inside his own network.

I apologize if I missed the answer to this question :)

How exactly are you setting up your PC-to-PC VPN? You may not be allowing IP traffic across the VPN (as simple as that may sound, it isn't that simple). What are you using? As you can imagine there are a million and one different VPN solutions, and some are much more configurable than others.

For instance, if it were Cisco, it would probably be a NAT issue: the VPN traffic needs to be taken out of NAT or be put into a no-NAT rule. Also, another issue would be if the PC had an interface that has the same IP range as the VPN'd network. Though it could be one of the 15 other rules needed to have a successful tunnel up... that is just one that gets missed.
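As an added illustration that is not from anyone in this thread, here is a small Python model of the routing decision behind the PC-to-PC versus router-to-router question and the overlapping-subnet gotcha mentioned just above. It assumes Site A's LAN is 192.168.1.0/24 and Site B's LAN is 192.168.100.0/24 (the thread only gives single hosts), and uses "internet" to stand for each router's default gateway.

```python
import ipaddress

# Constructed topology built from the thread's example hosts. Assumption:
# Site A LAN = 192.168.1.0/24, Site B LAN = 192.168.100.0/24.
SITE_A_LAN = ipaddress.ip_network("192.168.1.0/24")
SITE_B_LAN = ipaddress.ip_network("192.168.100.0/24")
DEFAULT = ipaddress.ip_network("0.0.0.0/0")


def build_routes(local_lan, remote_lans):
    """Route table as (prefix, next hop): the local LAN is directly connected,
    each remote LAN is reached through the tunnel (the route a VPN setup adds
    on each gateway), and everything else goes to the default gateway."""
    routes = [(local_lan, "connected")]
    routes += [(remote, "vpn-tunnel") for remote in remote_lans]
    routes.append((DEFAULT, "internet"))
    return routes


def lookup(routes, destination):
    """Forwarding decision: longest-prefix match among matching routes.
    The default route matches everything, so a result is always found."""
    addr = ipaddress.ip_address(destination)
    matches = [route for route in routes if addr in route[0]]
    return max(matches, key=lambda route: route[0].prefixlen)[1]


def client_vpn_scenario():
    """PC-to-PC (client) VPN: only the Site A PC learns a route to Site B.
    Site B's router has no route back to 192.168.1.0/24, so a Site B host
    replying to 192.168.1.4 hands the packet to the default gateway, where a
    private address is unreachable. That is the 'it cannot see it' symptom."""
    site_b_router = build_routes(SITE_B_LAN, [])
    return lookup(site_b_router, "192.168.1.4")


def site_to_site_scenario():
    """Router-to-router VPN: each gateway carries a route to the other LAN,
    so hosts on both sides reach each other without per-PC rules."""
    site_a_router = build_routes(SITE_A_LAN, [SITE_B_LAN])
    site_b_router = build_routes(SITE_B_LAN, [SITE_A_LAN])
    return {
        "a_to_b": lookup(site_a_router, "192.168.100.23"),
        "b_to_a": lookup(site_b_router, "192.168.1.4"),
        "a_local": lookup(site_a_router, "192.168.1.4"),
        "a_public": lookup(site_a_router, "90.34.23.12"),
    }


def overlap_scenario():
    """The 'same IP range on both sides' gotcha: a PC whose own interface sits
    in 192.168.100.0/24 also receives the Site B LAN via the tunnel. Both are
    /24, so longest-prefix match cannot prefer the tunnel; here (as on most
    hosts) the connected route wins and the packet never enters the VPN."""
    pc_routes = build_routes(ipaddress.ip_network("192.168.100.0/24"), [SITE_B_LAN])
    return lookup(pc_routes, "192.168.100.23")
```

Renumbering either LAN so the prefixes no longer overlap is the usual fix for the last case; the first case is fixed by terminating the tunnel on the routers rather than on one PC.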
