[AG-TECH] NAT and bridge traffic

Nagykaldi, Zsolt F. (HSC) Zsolt-Nagykaldi at ouhsc.edu
Wed Sep 12 13:37:56 CDT 2007


 
Definitely begs for a VPN solution. Joe will set up a demo for you soon.
 
Zsolt
 
 
---
 
Zsolt Nagykaldi, PhD
Assistant Professor of Research
Clinical IT Specialist
 
University of Oklahoma Health Sciences Center
Department of Family & Preventive Medicine
900 N.E. 10th Street
Oklahoma City, OK 73104
 
Phone: (405) 271-8000 ext.1-32208
Fax:     (405) 271-2784

________________________________

From: owner-ag-tech at mcs.anl.gov on behalf of George Estes
Sent: Wed 9/12/2007 8:56 AM
To: Joseph Stone
Cc: ag-tech at mcs.anl.gov
Subject: Re: [AG-TECH] NAT and bridge traffic


Thanks Joe,

  We are helping a large number of K-12 schools set up Access Grid nodes in their schools. Many of these schools are using NAT. We've found some of the network administrators at the schools don't have the ability, or willingness, to re-configure the NAT router. So we are looking for an alternative. Any help you could give would be appreciated.

Thanks,
George

At 06:21 PM 9/11/2007 -0500, Joseph Stone wrote:


	Yes. I've kicked around the idea with Zsolt about doing a session over the AG, perhaps in my venue server. Caveat: It currently has been tested and is set up for 2.4.
	I think I now know how to make it work with a 3.0 environment but would need time to get it there.  I can discuss this more.
	My current boss needs to know I plan to share the experience before I can solidly commit.
	
	Joe
	
	On Sep 11, 2007, at 3:35 PM, George Estes wrote:
	
	

		Joe,
		
		  Would you be willing to share your experience in setting up the OpenVPN/Bridge?
		
		Thanks,
		George
		

			 
			OpenVPN allows you to put your remote client computer "physically" and very securely on an ad-hoc local network. Therefore, as the most simple setup, you can run an OpenVPN server on the same machine that you use for the bridge server and handle remote clients as local network clients, allowing access to the bridge for a range of local IPs only (e.g. 10.10.x.x), in addition to your regular bridge access over the Internet. For intricate technical details of fine-tuning the bridge server, I would encourage you to contact Joe at stone004 at umn.edu.
			 
			 
			Zsolt
			 
			 
________________________________

			From: George Estes [mailto:gestes at ncsa.uiuc.edu]
			Sent: Tue 9/11/2007 12:08 PM
			To: Nagykaldi, Zsolt F. (HSC)
			Cc: ag-tech at mcs.anl.gov
			Subject: RE: [AG-TECH] NAT and bridge traffic
			
			Zsolt,
			
			  What's the basic setup for using OpenVPN with a bridge?
			
			Thanks,
			George
			
			At 10:46 AM 9/11/2007 -0500, Nagykaldi, Zsolt F. \(HSC\) wrote:
			


				 
				It is generally a pain in the back to establish connections to bridge servers in a NAT-ed environment. Port forwarding is one of your options; however, there are a number of issues: 1) A large number of ports may need to be forwarded depending on the bridge setup and how many bridges you want to access (security implications); 2) Some older Cisco firewalls without a decent GUI may give you a hard time to create the appropriate rules to do what you need.
				 
				My suggestion is to forget about ports and use OpenVPN on the bridge and the client machine to go through the NAT-ed network and everything in between your computer and the bridge. We have significant experience with this and pretty good results. Your absolute expert (who came up with the combined bridge/OpenVPN server solution) is Joe Stone (stone004 at umn.edu). I can also help, if needed.
				 
				Zsolt
				 
				 
________________________________

				From: owner-ag-tech at mcs.anl.gov on behalf of George Estes
				Sent: Tue 9/11/2007 9:00 AM
				To: ag-tech at mcs.anl.gov
				Subject: [AG-TECH] NAT and bridge traffic
				
				Hello,
				
				  Could someone with experience in this area tell me the issues/problems with receiving traffic from a bridge server if I'm behind a NAT? I've looked through the ag-tech mailing list and there's talk of problems but I can't find specifics.
				
				Thanks,
				George
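
The setup described in the thread (OpenVPN server on the bridge host, remote nodes addressed from a 10.10.x.x range) could look like the following pair of OpenVPN configuration files. This is an added example, not part of the original thread and not Joe Stone's configuration; the host name, file names, port and the choice of a routed `tun` device are assumptions, and the bridge software's own allow-list for 10.10.0.0/16 is not shown.

```conf
##### server.conf, on the machine that also runs the bridge server #####
# One UDP port is the only thing exposed to the Internet for VPN clients,
# instead of a forwarded port range per bridge.
port 1194                      # assumed; any single reachable port works
proto udp
dev tun                        # assumption: routed tunnel, not Ethernet bridging

# Certificate-based authentication (placeholder file names).
ca   ca.crt
cert bridge-host.crt
key  bridge-host.key
dh   dh.pem

# Hand out client addresses from 10.10.0.0/16, the range the thread suggests
# allowing on the bridge. The server itself takes 10.10.0.1.
server 10.10.0.0 255.255.0.0

# Periodic pings keep the client-side NAT mapping from expiring.
keepalive 10 120

persist-key
persist-tun
verb 3

##### client.conf, on the Access Grid node behind the school's NAT #####
client
dev tun
proto udp
# The node opens the connection outbound, so the school's NAT router
# needs no port forwarding or reconfiguration.
remote bridge.example.org 1194 # placeholder host name
nobind
resolv-retry infinite

ca   ca.crt
cert ag-node.crt
key  ag-node.key
# Refuse a peer whose certificate is not marked as a server certificate.
remote-cert-tls server

persist-key
persist-tun
verb 3
```

With the tunnel up, the node reaches the bridge at the server's VPN address (10.10.0.1 in this sketch), and the bridge sees the node as a 10.10.x.x client.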
