Re: LAN access while VPN is up
comp.security.firewalls archive

From: Triffid <triffid@nebula.net>
Date: Mon Oct 31 2005 - 03:16:34 CET

Moe Trin wrote:

> In the Usenet newsgroup comp.security.firewalls, in article
> <umi8f.7715$ki7.572410@news20.bellglobal.com>, Triffid wrote:
>
>
>>Recently the switch configuration was altered such that the Nortel VPN
>>client routes everything except RFC1918 Class C addresses up the tunnel.
>
>
> And the switch configuration relating to the LAN isn't under your control?
>
>
>>Unfortunately, I chose RFC1918 Class A addresses for my local LAN long
>>ago,
>
>
> ;-) I work at a "Class A" (actually, classes were abolished in 1993
> with the advent of CIDR), so there was no incentive to use one at home.
> My home net predates both RFC1918 and RFC1597, and I originally used a
> block in the 223.250.6.x range (which still hasn't been allocated by IANA).
> Fewer numbers to remember? No, I use hostnames. Fewer numbers to type when
> configuring things? How often do you do that? Adequate number of IP
> addresses? Actually, I use a 255.255.252.0 mask at home, not that I'll
> ever have 1000 hosts there. And two of my ISPs use RFC1918 addresses
> for customer (rather than public) services - one has their DNS and
> mail servers in the 10.200.0.0/16 block for some bizarre reason.

I've forgotten my reason - no doubt it was bizarre.

>>so I've lost access to local shares and printers while the tunnel
>>is established.
>
>
> Disadvantage of using a switch as the connection to the world.
>
>
>>It wouldn't be all that painful to renumber the local LAN to RFC1918
>>Class C,
>
>
> Depends on how paranoid you are.
>
>
>>but I'm curious as to alternative solutions - perhaps involving adding
>>a router (I have a couple spare). Any suggestions?
>
>
> I certainly wouldn't be thrilled to know that packets from my net are
> leaving the house, even if the ISP is dropping them into the bit bucket.

Indeed, but if that were the case my Netscreen would drop them first.

Apparently I failed to explain clearly.

The tunnel runs from my laptop to my employer's VPN switch. The intent
of the client configuration enforced by the switch is to prevent my
laptop having simultaneous access to the corporate intranet and public
internet. The VPN client on my laptop routes everything except
192.168.0.0/16 up the tunnel, and disconnects the tunnel if I mess with
the routing table. Since my local LAN isn't 192.168.x.x, it's
unreachable while the tunnel is up.

> A router, or a switch of your own - your owning the routers would reduce
> the hardware cost and might add versatility, but how much are you paying
> for power? My connection to the world goes through a firewall which is
> the remains of a 386SX laptop - no display, no keyboard, and not much
> else. Last time I measured it, it was drawing 30 VA. Do the math - that's
> about 260 kWh for the year, or about $35 at the "last kilowatt-hour rate"
> for me.
>
> Old guy
Received on Mon Nov 21 02:36:24 2005
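As an added illustration, not part of the thread: a small Python model of the split-tunnel policy described above (default route up the tunnel, only 192.168.0.0/16 kept local) that shows why a 10.x LAN becomes unreachable and checks whether a candidate LAN prefix is fully covered by the exclusion. The interface names and sample LAN prefixes are assumptions for the example.

```python
import ipaddress

# Exclusion the VPN switch pushes to the client, per the post:
# everything except 192.168.0.0/16 goes up the tunnel.
TUNNEL_EXCLUSIONS = [ipaddress.ip_network("192.168.0.0/16")]

# Route table the client ends up with (constructed to match the description;
# "tun0" and "eth0" are assumed names). Longest prefix wins, as in the kernel.
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "tun0"),       # default: tunnel
    (ipaddress.ip_network("192.168.0.0/16"), "eth0"),  # excluded: stays local
]


def next_hop_interface(dst, routes=ROUTES):
    """Longest-prefix match of dst against the route table."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def lan_reachable(lan_cidr, exclusions=TUNNEL_EXCLUSIONS):
    """True only if the whole LAN prefix lies inside a tunnel exclusion."""
    lan = ipaddress.ip_network(lan_cidr)
    return any(lan.subnet_of(exc) for exc in exclusions
               if exc.version == lan.version)


def leaked_hosts(lan_cidr, hosts, routes=ROUTES):
    """LAN hosts whose packets would be sent up the tunnel instead of eth0."""
    lan = ipaddress.ip_network(lan_cidr)
    return [h for h in hosts
            if ipaddress.ip_address(h) in lan
            and next_hop_interface(h, routes) != "eth0"]


if __name__ == "__main__":
    # Constructed sample: the poster's 10.x LAN versus a renumbered 192.168.x LAN.
    for lan, hosts in [("10.0.0.0/24", ["10.0.0.5", "10.0.0.9"]),
                       ("192.168.1.0/24", ["192.168.1.5"])]:
        print(lan, "reachable:", lan_reachable(lan),
              "leaked:", leaked_hosts(lan, hosts))
```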