retranslator 2

Status
Not open for further replies.

piti

Technical User
Apr 12, 2001
627
SK
hi
my boss has purchased a cheap internet connection that allows him to browse only our national domain, but he wants to browse the complete net, so i need to make our office gateway computer into some kind of retranslator, so he can use it like proxy, but not just http

inet -- [cable] ---- [lin box] ---- [adsl] ---- [boss ;-)]
                         |
                         |
                         |
                         |
                       [LAN]

he also wants access to the office mail and db server, that are on the lan, this is already running, now i need the browsing stuff set up without interfering with the lan access
is that possible? how?
thanks
 
OK, just tell us everything about your entire network and firewall and proxy setup and we can help.

"Surfinbox Shares" - A fundraising program that builds revenue from dialup Internet users.
 
well what do you mean with everything? i'm currently running mdk 9.1 (debian is in the testing phase) on the linbox, using 3 internet connections - L1 cable 512/128(default), L2 microwave 128/128 (email traffic) and L3 adsl 1024/128 (internal use only)
proxy: squid bound to the local ip range only
firewall: iptables script
isn't this irrelevant? i do not want exact commands, i only need a push in the right direction as "googling" with any keywords combination was not helpful
 
piti, your network is unusual, which is why I asked for the details. You haven't told us how your squid is setup, which network segments are the "local" segments, is your boss sitting on the LAN segment or at the other end of the DSL, and which routes and IPTables rules are enforcing your Boss' use of only the "local domain".

Your diagram implies that you are one end of the DSL and your Boss is at the other end. I'm almost certain this isn't what you meant, but we are not mind readers. Is your Boss sitting on the LAN segment???

Hardly irrelevant material, IMHO.

Please take just a little more time to explain what you know and what you don't know. It's a pain in the arse, but it's necessary to get you an answer.

Still happy to help....
 
well sorry, i thought the diagram and the description was clear ;-)

the setup of squid is default, allowing only http(s) requests from office lans (192.168.1.XXX, 10.0.0.XXX) without authorization

local segments - i assume you want to know what's our office part - it's the linux machine and my 2 lans (i put there only one to simplify things)
cable, adsl and mw lines are our connection to the internet - not as part of our office network connecting local segments

no boss is not on the lan, he wants access from home connecting via adsl we have in office - therefore i put him at the other end of adsl line

i don't know how his isp manages that he can access only the national domain, he neither

maybe i should add that he wants not just browsing capabilities also ftp and ssh access to some servers outside national domain

hope that's all [ponder] and again sorry for not giving all the info you needed[peace]
 
I'm sorry, I'm not understanding the ADSL to your boss. Normally ADSL is between you and an ISP. If you ARE THE ISP then that's another situation.

So if I understand the install, you have ADSL from your office to an ISP (and the Internet) and your Boss has ADSL from home to the ISP (but not the Internet?!). Is the Boss' other end of his ADSL terminated into a company network instead of an ISP?

I'm struggling to understand the topology. I cannot anticipate a scenario in which an ISP would build an ADSL that only allowed an ADSL user to browse only one "company". Do you mean domain??? Still looking for more....

 
well yes, i have adsl between me and my isp (isp1), boss has his line, i don't think it's adsl, and his own isp (isp2)

with "connecting via adsl" i mean he uses the ip of our adsl line to send requests to and receive answers on

no the boss' line has nothing to do with the company network

the purchased package from the isp2 has unlimited data amount, but it's limited only to the national tld (in this case it's .sk for slovakia)
 
AHA! OK, so he may be subject to a country's content/proxy filter.... Can he SSH to your box?

If yes, then you can have him set up a VPN tunnels between your box and his.

I have had some outstanding experiences using OpenVPN and I would recommend it.

he'll need to do some work on his end to get OpenVPN, including a possible compile of the OpenVPN and maybe, ack, a kernel for linux - but he'll be able to reach everything by routing his requests through your router.

Essentially, on linux, you both will need TUN/TAP support built into your kernel (as a module or static). Then compile OpenVPN. SKIP the Compression Lib for now. Windows compiles are supposed to work, or you can take their OpenVPN Windows binary.

To get setup, he'll need to route ALL of his non-local traffic (by IP) through you. He'll suffer some performance issues with any .sk local domains, but he'll get access to everything on any port. You could make it route traffic locally by allowing certain IPs or networks to use his local IP service as the routed gateway for the local IPs - but that can turn into a maintenance nightmare if your boss is a dolt. Your decision on that one.

Hope this helps.
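The pieces the advice above calls for, written out as an added example (this is not thedaver's code and not anything from the OpenVPN project): a routed OpenVPN server config for the office "lin box", a client config for the boss that sends everything except national prefixes through the tunnel (the "allow certain networks to use his local service" variant, so .sk traffic is not round-tripped through the office), and iptables rules that let tunnel traffic out over the ADSL line while exposing only the mail and db ports on the LAN. OpenVPN 2.x syntax is used (the w2k beta builds mentioned in the thread predate the `server`/`client` directives and used a static `secret` key with `ifconfig`). Every address, interface name and port here is a hypothetical placeholder: ADSL interface ppp0, tunnel subnet 10.8.0.0/24, LAN on eth0, mail host 192.168.1.10, db host 192.168.1.20, office ADSL address 203.0.113.5, and one constructed ".sk" prefix 192.0.2.0/24 standing in for a real list.

```shell
#!/bin/sh
# Added example: generate the OpenVPN server/client configs and the gateway
# firewall rules for the "retranslator" setup discussed in the thread.
# All values below are hypothetical placeholders, not real addresses.
ADSL_IF="${ADSL_IF:-ppp0}"      # office line the boss's traffic leaves on
TUN_IF="${TUN_IF:-tun0}"        # OpenVPN tunnel interface on the gateway
LAN_IF="${LAN_IF:-eth0}"        # office LAN side of the gateway
TUN_NET="10.8.0.0/24"           # tunnel subnet handed out to VPN clients
OFFICE_ADDR="203.0.113.5"       # public address of the office ADSL line
MAIL_HOST="192.168.1.10"        # LAN mail server (TCP 25/143)
DB_HOST="192.168.1.20"          # LAN database server (TCP 3306)
# Constructed list of national (.sk) prefixes that should bypass the tunnel;
# one "network netmask" pair per line.
SK_ROUTES="192.0.2.0 255.255.255.0"

# Server side: TLS-authenticated, drops to an unprivileged user after start.
server_conf() {
  cat <<EOF
dev ${TUN_IF}
proto udp
port 1194
server 10.8.0.0 255.255.255.0
ca ca.crt
cert office.crt
key office.key
dh dh2048.pem
keepalive 10 60
persist-key
persist-tun
user nobody
verb 3
EOF
}

# Client side: default route goes through the office, national prefixes
# keep using the boss's own ISP ('net_gateway' is OpenVPN's name for the
# gateway that was in place before the tunnel came up).
client_conf() {
  cat <<EOF
client
dev tun
proto udp
remote ${OFFICE_ADDR} 1194
ca ca.crt
cert boss.crt
key boss.key
remote-cert-tls server
redirect-gateway def1
EOF
  printf '%s\n' "$SK_ROUTES" | while read -r net mask; do
    [ -n "$net" ] && echo "route ${net} ${mask} net_gateway"
  done
}

# Firewall rules are printed for review by default; APPLY=1 executes them.
ipt() {
  if [ "${APPLY:-0}" = 1 ]; then iptables "$@"; else echo "iptables $*"; fi
}
firewall_rules() {
  # Let the boss reach the VPN port on the ADSL line, nothing else new.
  ipt -A INPUT -i "$ADSL_IF" -p udp --dport 1194 -j ACCEPT
  # Tunnel clients may go out the ADSL line; only replies come back in.
  ipt -A FORWARD -i "$TUN_IF" -o "$ADSL_IF" -s "$TUN_NET" -j ACCEPT
  ipt -A FORWARD -i "$ADSL_IF" -o "$TUN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Toward the LAN, tunnel clients see only the mail and db services.
  ipt -A FORWARD -i "$TUN_IF" -o "$LAN_IF" -d "$MAIL_HOST" -p tcp -m multiport --dports 25,143 -j ACCEPT
  ipt -A FORWARD -i "$TUN_IF" -o "$LAN_IF" -d "$DB_HOST" -p tcp --dport 3306 -j ACCEPT
  ipt -A FORWARD -i "$LAN_IF" -o "$TUN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
  ipt -A FORWARD -i "$TUN_IF" -j DROP
  # Hide the tunnel subnet behind the office ADSL address.
  ipt -t nat -A POSTROUTING -s "$TUN_NET" -o "$ADSL_IF" -j MASQUERADE
}

# Write the three artefacts into a directory; run as "sh this.sh write".
main() {
  out="${OUT_DIR:-./retranslator-example}"
  mkdir -p "$out"
  server_conf > "$out/office.conf"
  client_conf > "$out/boss.ovpn"
  firewall_rules > "$out/firewall.sh"
  echo "wrote $out/office.conf, $out/boss.ovpn, $out/firewall.sh"
}
if [ "${1:-}" = write ]; then main; fi
```

The gateway also needs `net.ipv4.ip_forward=1`, and the FORWARD chain's final DROP for the tunnel interface is what keeps the boss's access to the LAN limited to the two services the thread mentions rather than the whole office network; extend the mail/db lines if more hosts are needed instead of loosening that rule.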
 
By the way, I'm not a lawyer or otherwise informed of the local and international regulations against or in favor of doing what I said in the prior message. I have presented this discussion with the express intent of sharing concepts in networking.

I do not endorse or support any tasks you might undertake that are in any way illegal or contrary to the proper use of your respective network and Internet access services.

I expressly disavow any responsibility or liability, in whole or in part, for your use or misuse of my discussion.

Anything you attempt will be done without my prior agreement, endorsement or support.

I will comply with law enforcement officials who would care to inquire about the nature of such a connection should it be deemed to be illegal.

That's my disclaimer.
 
i do not have ssh port open on any of my external interfaces, but i can open it and try what you are suggesting
as there is not a linux on his side i hope those beta winbuilds for w2k will work ;-)

i don't think this is in any way illegal, maybe i should consult our lawyer first

thanx for your help and patience
 
well i open what's needed to be open ;-)
i'm just looking for more info on the vpn tunnels, so i understand it before applying
 
Thanks thedaver for recommending OpenVPN. I was in a desperate need of a VPN solution and OpenVPN only took me an hour to configure for it to work.

//Daniel
 