Internet access for external client
Guys,
Need some assistance on providing internet access at a branch site for clients. Any thoughts and suggestions welcome and appreciated.
We have a number of branch offices connected over an ISP-managed MPLS network, any-2-any. I am looking at implementing some kind of internet access at the branch offices, either wired or wireless. We manage all the L1 and L2 connectivity at the sites, and the L3 side at our hub offices, of which we have 2, mainly for internet traffic etc., which isn't provided by our MPLS ISP.
Currently all internet traffic for all sites goes to our data centre and is routed out through our firewall. Routing isn't an issue here; it's more the best way to set this up securely.
My initial thoughts were to set aside a whole bunch of ports on a separate PVLAN that would connect the clients to the network (I am not concerned about the clients talking to each other, as long as they can't reach the local VLANs). But the problem may lie at the firewall end, as I will need to specify specific hosts for port 80, 443 traffic only. Would a separate DHCP scope, of say a /28, allowing 16 hosts only be an idea? Then I wouldn't have to mess around with firewall changes for different hosts all the time.
Thanks
Comments
burbankmarc (Member, Posts: 460):
Where is the MPLS connection terminated on your local network?
Couldn't you just add a proxy server and have all their traffic go through that?
networker050184 (Mod, Posts: 11,962):
Why not just get MPLS and internet access at each site? That is what I would do. I don't see the point of routing everything to the hub just to hit the internet.
An expert is a man who has made all the mistakes which can be made.
burbankmarc (Member, Posts: 460):
Well, if he has major budget constraints then it might not be feasible to get an internet drop at each facility.
If it's not, then that is the ideal way to go. Cable/DSL is pretty cheap, like $50/month. I'd still suggest a proxy for granular control of web browsing.
networker050184 (Mod, Posts: 11,962):
I'd just use the same circuit for internet and site-to-site traffic. As long as you put some good QoS policies in place you won't have to worry about internet traffic stealing your bandwidth.
colink24 (Member, Posts: 43):
Our MPLS provider does not provide us with internet services, hence the reason for routing the traffic via our data centre and an internet provider.
We already have a proxy server for internet access. My problem is securing the traffic once I leave the LAN.
I could just set up DSL as mentioned, but I was hoping to use a better service. This is definitely an option though. I just wanted to see how I would go about the setup and what my options would be.
networker050184 (Mod, Posts: 11,962):
colink24 wrote: »Our MPLS provider does not provide us with internet services, hence the reason for routing the traffic via our data centre and an internet provider.
We already have a proxy server for internet access. My problem is securing the traffic once I leave the LAN.
I could just set up DSL as mentioned, but I was hoping to use a better service. This is definitely an option though. I just wanted to see how I would go about the setup and what my options would be.
Have you asked them if they can provide internet over the same circuit? It seems kind of odd to me that they wouldn't. I wouldn't buy one that didn't, personally.
burbankmarc (Member, Posts: 460):
I'm still a little confused about your topology and why security is such a concern. Do you have a diagram you could share?
colink24 (Member, Posts: 43):
networker050184 wrote: »Have you asked them if they can provide internet over the same circuit? It seems kind of odd to me that they wouldn't. I wouldn't buy one that didn't, personally.
This was the setup when I joined. Perhaps the cost was too high, or they didn't want to put extra proxies/firewalls at branch offices.
I will post up a topology tomorrow when back in the office. I think I may have explained it a little weird. My issue with security is that I could have external clients walking into my branch office and being able to reach pretty much any network service outside of the LAN, when all I want to provide is web access. This may be more of a service provider/MPLS thing, tbh.