Internet access for external client

Guys

Need some assistance on providing internet access at a branch site for clients. Any thoughts and suggestions welcome and appreciated

We have a number of branch offices connected over ISP managed MPLS network, any-2-any. I am looking at implementing some kind of internet access at the branch offices, either wired or wireless. We manage all the L1 and L2 connectivity at the sites, and the L3 side at our hub offices, of which we have 2, mainly for internet traffic etc, which isnt provided by our MPLS ISP

Currently all internet traffic for all sites goes to our data centre and is routed out through our firewall. Routing isnt an issue here, its more the best way to set this up securely.

My initial thoughts were to set aside a whole bunch of ports on a seperate PVLAN that would connect the clients to the network (I am not conerned about the clients talking to each other, as long as they cant reach the local vlans). But the problem may lie at the firewall end, as I will need to specify specific hosts for port 80, 443 traffic only. Would a seperate DHCP scope, of say a /28, allowing 16 hosts only be an idea? Then I wouldnt have to mess around with firewall changes for different hosts all the time

Thanks

Find more posts tagged with

Comments

burbankmarc

Where is the MPLS connection terminated on your local network?

Couldn't you just add a proxy server and have all their traffic go through that?

networker050184

Why not just get MPLS and internet access at each site? That is what I would do. I don't see the pointing of routing everything to the hub just to hit the internet.

burbankmarc

Well if he has major budget constraints then it might not be feasible to get an internet drop at each facility.

If it's not then that is the ideal way to go. Cable/DSL is pretty cheap..like $50/month. I'd still suggest a proxy for granular control of web browsing.

networker050184

I'd just use the same circuit for internet and site to site traffic. As long as you put some good QoS polices in place you won't have to worry about internet traffic stealing your bandwidth.

colink24

Our MPLS provider does not provide us with internet services, hence the reason for routing the traffic via our data centre and an internet provider.

We already have a proxy server for internet access. My problem is securing the traffic once I leave the LAN.

I could just setup DSL as mentioned, but I was hoping to use a better service. This is definitely an option though. I just wanted to see how I would go about the setup and what my options would be

networker050184

colink24 wrote: »

Our MPLS provider does not provide us with internet services, hence the reason for routing the traffic via our data centre and an internet provider.

We already have a proxy server for internet access. My problem is securing the traffic once I leave the LAN.

I could just setup DSL as mentioned, but I was hoping to use a better service. This is definitely an option though. I just wanted to see how I would go about the setup and what my options would be

Have you asked them if they can provide internet over the same circuit? It seems kind of odd to me that they wouldn't. I wouldn't buy one that didn't personally.

burbankmarc

I'm still a little confused about your topology and why security is such a concern. Do you have a diagram you could share?

colink24

networker050184 wrote: »

Have you asked them if they can provide internet over the same circuit? It seems kind of odd to me that they wouldn't. I wouldn't buy one that didn't personally.

This was the setup when I joined. Perhaps the cost was too high, or they didnt want to put extra proxy's/firewalls at branch offices.

I will post up a topolgy tomorrow when back in the office. I think I may have explained it a little weird. My issues with security is that I could have external clients walking into my branch office and being able to reach pretty much any network service outside of the LAN, when all I want to provide is web access - this may be more of a service provider/MPLS thing tbh