hypercube asked:
Simple Router Management, Subnets and VLANs e.g. RV0xx
Usually, I'm using simple commodity routers for connecting networks: ISP, MPLS, etc. and as firewalls for hosted "3rd party" services like a Guest Wireless, 3rd party VPN terminators, etc.
In some cases there are only public addresses so management has to be done with those addresses. Modems or a router acting as a modem are an example of this.
But, in other cases, there are separate private subnets (a standalone firewall would be an example).
I would prefer to close off the public side and only access the private/LAN side of these devices.
I'm wondering what other people do in this situation.
Using the firewall example, here's what I've done:
Set up the 3rd party application on a new public address and a new private subnet.
Since I prefer to not provide management access on the public side, set up a pair of VLANs so I can access the firewall from the local office subnet.
Also, using RV0xx routers I find that the VLANs don't separate the 2 private IP addresses assigned to the router.
Either address is accessible from any LAN port.
????
Missed that you had asked about the VPN comment I made. With a VPN and access controls, you don't need the jump server. However, the management of certain types of devices is something you don't want to do over a VPN (i.e. what if the connection drops while saving configuration changes).
With accessing the jump box from the outside, you have a lot of options: RDP (which giltjr mentioned), GoToAssist (which you mentioned), or an RMM tool (such as LabTech, through which you can use VNC, ScreenConnect, etc.). None of these options are wrong. I personally would not go with GoToAssist unless that was the organization's standard tool. RDP of course requires that you open ports on the firewall. GoToAssist (and similar tools) are probably the only ones that won't require opening firewall ports (assuming you're not doing super restrictions for internal machines going outside).
ASKER
What I generally do is to have a workstation on site. So this is a little like a "jump box" except it's on the main LAN (and whatever other LANs I might choose). Then I can use GoToAssist to reach it (and others). Then, there are a couple of options:
1) add a NIC to the workstation if it's nearby the firewall and set up a link that's on a separate subnet and firewall VLAN.
2) use the main LAN to connect to the VLAN on the firewall.
ASKER
Thanks all!
ASKER
ISP <> Internet Switch <> Multiple public addressed devices
public address 1<> Main Firewall <> Main LAN
public address 2<> dedicated firewall <> 3rd party VPN <> Main Lan
The question is: "How to manage the dedicated firewall?" The interface between the dedicated firewall and the 3rd party VPN is in some unique subnet range. So, one way is this:
public address 2<> dedicated firewall <> VLAN2 <> 3rd party VPN <> Main LAN
<> dedicated firewall <> VLAN1 <> Main LAN
Another way is this:
public address 2 <> dedicated firewall <> 3rd party VPN <> Main LAN
<> Jump box <> RDP???
So how does one RDP to the jump box? What's the access path and method generally?
I haven't thought about this.
I guess I could run GoToAssist or something on the jump box and run through the dedicated firewall?
Is that better than accessing the dedicated firewall from the public side? (perhaps it is).
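As an added example (not from this thread, and not Cisco RV0xx configuration), here is a small Python model of the two situations the thread describes: the asker's observation that either private address of the router is reachable from any LAN port when the private segments are not separated, and the jump-box design where only one on-site workstation is meant to reach the dedicated firewall's LAN-side address. The zones, addresses, port list and both rule sets are constructed for illustration; the ACL is a generic first-match allow/deny list with an implicit deny, not the RV0xx's real rule semantics.

```python
"""Model which network zones can reach a firewall's management addresses
under a first-match ACL. Added example; addresses and rules are constructed
and do not reflect the RV0xx's real configuration syntax or semantics."""
import ipaddress
from dataclasses import dataclass

# Management services we care about (assumption: SSH and the web UI).
MGMT_PORTS = (22, 80, 443)


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: frozenset                # destination ports; empty means any port


def rule(action, src, dst, ports=()):
    """Build a Rule from CIDR strings and an optional port list."""
    return Rule(action, ipaddress.ip_network(src), ipaddress.ip_network(dst),
                frozenset(ports))


def decide(rules, src, dst, port):
    """First matching rule wins; anything unmatched is implicitly denied."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if src_ip in r.src and dst_ip in r.dst and (not r.ports or port in r.ports):
            return r.action
    return "deny"


def management_reachability(rules, zones, mgmt_addrs):
    """Return sorted (zone, address_name) pairs for which at least one
    management port is allowed from the zone's sample source host."""
    reachable = set()
    for zone, src in zones.items():
        for name, dst in mgmt_addrs.items():
            if any(decide(rules, src, dst, p) == "allow" for p in MGMT_PORTS):
                reachable.add((zone, name))
    return sorted(reachable)


# Constructed topology following the thread's diagram (one sample host per zone).
ZONES = {
    "internet": "203.0.113.7",    # an outside host (TEST-NET-3 documentation range)
    "main_lan": "192.168.1.50",   # ordinary workstation on the main LAN (VLAN1)
    "jump_box": "192.168.1.10",   # the on-site workstation used as a jump box
    "vlan2_vpn": "10.20.0.5",     # 3rd-party VPN terminator segment (VLAN2)
}
DEDICATED_FW = {
    "public": "198.51.100.2",     # "public address 2" on the dedicated firewall
    "vlan1_ip": "192.168.1.254",  # its address on the main LAN VLAN
    "vlan2_ip": "10.20.0.1",      # its address on the VPN VLAN
}

# Situation 1: private segments are not separated, so either private address
# of the firewall is reachable from any LAN port (what the asker observed).
PRIVATE = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
PERMISSIVE = [rule("allow", s, d) for s in PRIVATE for d in PRIVATE]

# Situation 2: management only from the jump box, only to the LAN-side address;
# VPN traffic still passes into the main LAN, but not to any management address.
HARDENED = [
    rule("allow", "192.168.1.10/32", "192.168.1.254/32", MGMT_PORTS),
    rule("deny", "0.0.0.0/0", "192.168.1.254/32"),
    rule("deny", "0.0.0.0/0", "10.20.0.1/32"),
    rule("deny", "0.0.0.0/0", "198.51.100.2/32"),
    rule("allow", "10.20.0.0/24", "192.168.1.0/24"),   # VPN users into the main LAN
]


def audit(rules):
    """Which zones can reach which management address under the given rules."""
    return management_reachability(rules, ZONES, DEDICATED_FW)


if __name__ == "__main__":
    for label, rules in (("permissive", PERMISSIVE), ("hardened", HARDENED)):
        print(label, audit(rules))
```

Running it shows the permissive set exposing both private addresses to every private zone (including the VPN segment) while leaving the public side closed, and the hardened set leaving only the jump box to the VLAN1 address. The same audit function can be pointed at any exported rule list once it has been translated into the `rule()` form.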