Solved

VPN Firewall to route between 2 VLANS?

Posted on 2008-11-02
6
2,979 Views
Last Modified: 2012-06-27
Hello, can anyone tell me if this is possible. As per the attached diagram I am after this kind of network where my routing provider (left side of cloud) connects to a VPN/Firewall device (it currently connects directly to the public vlan of the switch). The VPN/Firewall would be physically connected to each VLAN, so the different nodes on the VPN/Firewall device would have to have separate IPs (I think?)

Normally, I think, the uplink connects to a switch and a VPN device sits on the switch and would connect to a different switch for VPN traffic. I would like the firewall/vpn device to be first in that chain. The 2 staff VPN devices will create a VPN with the vpn/firewall device and route vpn traffic to the vpn/internal VLAN. All public traffic (non-vpn) gets routed to the public vlan on the same switch.

I'm really just trying to release the packet filtering burden from the switch and individual machines.

The public and VPN VLANS are on the same switch. VPN vlan nodes have internal non-routable IPs, the public nodes have public routable IPs. I only want to spend ~ £100-£150 on the VPN/Firewall device. Second-hand/ebay items are fine.

Just confirmation that there are devices which are capable of what I am asking for (in that price range), maybe even hinting at example devices, would be a great help.
flow-vpn-EE.png
0
Comment
Question by:Alcedema
  • 3
  • 3
6 Comments
 
LVL 18

Accepted Solution

by:
deimark earned 500 total points
ID: 22865343
IN short, from what I understand, its possible for you to do what you are looking for here.

Any small VPN device should do for this, but ones i have experience with are:

Check Point UTM-1 Edge
Juniper SSG5/SSG20/NS5GT

I also hear that draytek routers are also good for VPNs, but I am not too sure if you can get a decent bit of kit for the money you are looking at, however, ebay is probably the best option for the light in cash. :D

Each of which will offer full IPSEC functionality and also cater for the VLANs/multiple internal ports.

You are right as well, each inside connection on the firewall, will need to have its own IP for the public and VPN nets.  You can still do all your vlanning on the switches if you want, but the firewall will be doing the security.
0
 

Author Comment

by:Alcedema
ID: 22866465
Thanks, my main concern is the device knowing which port to send either VPN or normal (public) data.. that must be selectable.

I'll have a look at the Junipers and Drayteks to familiarise myself.
0
 
LVL 18

Expert Comment

by:deimark
ID: 22866603
I assume that your different VLAns have different subnets assigned?  If yes, then that will be how the firewall will decide where to send the traffic.

If its for the VPN net, it will route it through the VPN port, else it will use the public VLAN.

0
What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

 

Author Comment

by:Alcedema
ID: 22884197
Thanks, that's great. I'm looking at drayteks at the moment and just one thing concerns me. Even though you can vlan the lan ports, you still assign one "lan ip" to the vpn router (doesn't appear to be one per port, just one overall). Does this affect it in anyway, especially where that IP address may only be in one of the subnets and not the others.

Thanks.
0
 
LVL 18

Expert Comment

by:deimark
ID: 22887384
Not had a lot of experience on the drayteks, so someone else may be able to assist, however the Check Point Edge or smaller SSGs all do what you need with no fuss.

You should be able to pick up older NS5GTs on ebay quite cheaply, which although older, have the functionality you are looking for
0
 

Author Closing Comment

by:Alcedema
ID: 31512563
Great, thanks!
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

There are times where you would like to have access to information that is only available from a different network. This network could be down the hall, or across country. If each of the network sites have access to the internet, you can create a ne…
Security is one of the biggest concerns when moving and migrating your data from your on-premise location to the Public Cloud.  Where is your data? Who can access it? Will it be safe from accidental deletion?  All of these questions and more are imp…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now