[ANSS-netops] cell modems and first of the month

Richard Godbee rwg at vt.edu
Fri Dec 2 20:35:59 UTC 2011


On Dec 2, 2011, at 1:51 PM, David Slater wrote:

> **On the Mikrotik we don't use NAT for cellular sites at all.**
> 
> With multiple PPTP tunnels and OSPF routing it makes the small
> mobile subnet look like it's just another site on our private network.


This, this, a thousand times this!

I use OpenVPN instead of PPTP and don't use multiple tunnels for failover, but the concept is the same.

Having all of your equipment look like they're connected to each other with no NAT or firewalls in-between makes life so much easier.  As an added bonus, the VPN gives you "free" encryption and authentication, which prevents data from being corrupted in transit.

If you've got a station on someone else's Internet connection and that someone believes in blocking everything by default at the firewall, all you have to do is get them to allow the IP/port pair used by the VPN tunnel, and then traffic to/from your station will ride inside of that VPN tunnel, invisible to the firewall.

As an example, this is one of our stations (~180 miles away) that's on a wireless ethernet connection behind two layers of NAT (not ours), which would otherwise block all attempts to connect to that station:

> [root at cannonball ~]# traceroute -N 1 -I jsrw.vpn
> traceroute to jsrw.vpn (172.17.2.70), 30 hops max, 40 byte packets
>  1  jsrw.VPN (172.17.2.70)  28.967 ms  23.558 ms  24.155 ms
> 
> [root at cannonball ~]# telnet jsrw.vpn 33333
> Trying 172.17.2.70...
> Connected to jsrw.VPN (172.17.2.70).
> Escape character is '^]'.

Through the VPN tunnel, it all Just Works(tm).

Richard

-- 
Richard Godbee, Unix Systems Administrator
Department of Geosciences, Virginia Tech
4044 Derring Hall (0420), Blacksburg, VA 24061
rwg at vt.edu / +1.540.231.7002 / +1.540.231.3386 (FAX)
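To make the "allow one IP/port pair at their firewall" point concrete, here is an added example of a minimal OpenVPN hub/station setup in the spirit of the message above. It is not Richard's or David's actual configuration: the hub hostname hub.example.org, the 192.168.70.0/24 station LAN, the certificate names and all file paths are assumptions. The station only ever originates one outbound UDP flow to the hub, so that is the only rule the remote site's firewall needs; management traffic back to the station, like the traceroute and telnet shown above, rides inside the tunnel. The tls-auth HMAC key is what makes the hub's listening port drop unauthenticated packets before any TLS handshake is attempted.

```conf
# Added example, not from the original message. One hub at the data
# center (hub.example.org, assumed) and one remote station sitting behind
# somebody else's NAT/firewall. The only thing the remote site must allow
# is outbound UDP 1194 from the station to the hub; nothing inbound.

# ---------------- hub: /etc/openvpn/hub.conf ----------------
port 1194
proto udp
dev tun
topology subnet
server 172.17.2.0 255.255.255.0          # tunnel addresses for all stations (assumed range)
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/hub.crt
key  /etc/openvpn/hub.key
dh   /etc/openvpn/dh.pem
tls-auth /etc/openvpn/ta.key 0           # HMAC on every control packet; unkeyed probes are dropped
remote-cert-tls client                   # accept only certificates issued for clients
cipher AES-256-CBC
auth SHA256                              # packet integrity, the "authentication" the message mentions
client-config-dir /etc/openvpn/ccd       # per-station settings, see below
client-to-client                         # stations may reach each other through the hub
route 192.168.70.0 255.255.255.0         # kernel route for the station's LAN via the tun device
keepalive 10 60
persist-key
persist-tun
user nobody
group nobody                             # group name varies by distribution
verb 3

# ---- hub: /etc/openvpn/ccd/jsrw (named after the station cert's CN) ----
# Pin the station to a fixed tunnel address so DNS names such as jsrw.vpn,
# monitoring and ACLs stay stable, and tell OpenVPN which LAN is behind it.
ifconfig-push 172.17.2.70 255.255.255.0
iroute 192.168.70.0 255.255.255.0

# -------------- station: /etc/openvpn/station.conf --------------
client
dev tun
proto udp
remote hub.example.org 1194              # the single outbound flow the remote firewall must permit
nobind                                   # no fixed local port, so NAT on the far side is irrelevant
resolv-retry infinite                    # keep retrying across cellular/wireless outages
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/jsrw.crt
key  /etc/openvpn/jsrw.key
tls-auth /etc/openvpn/ta.key 1
remote-cert-tls server                   # refuse a "hub" that presents a client certificate
cipher AES-256-CBC
auth SHA256
keepalive 10 60
persist-key
persist-tun
verb 3
```

With this in place the hub can reach 172.17.2.70 and 192.168.70.0/24 regardless of how many NAT layers sit in front of the station, because every packet is initiated from the station side and carried inside the one UDP association. If you run OSPF across the tunnels as David describes, the static `route`/`iroute` lines are replaced by the routing protocol; if you want redundant tunnels for failover, the station config gets a second `remote` line and the hub's routes are learned dynamically rather than pinned.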


