
TBH I'm kinda jealous (COVID-19 and IPv4 related)

Exterous

Super Moderator
I was talking to a University today and I was surprised and jealous of how easy it was for them to massively scale their VPN capacity. Took them about 1 day to re-allocate two basically unused /20 CIDR ranges of public IPs and attach them to two pairs of two new VMs using their VPN license - which is licensed by site due to their number of remote locations. And they have two /21s as backup they could make work with a little more effort. Need to grow from 4,000 VPN connections to 16,000 VPN connections using public IPs? NBD. I asked if that would be enough and he chuckled "We'll be able to get more if we need to." I guess internet is easy when you own several /16s and /17s
 
That seems strange though, they're using public IPs as VPN addresses? Why not just 10-space it?
 

I would assume consistency and scoping. They deploy public IPs to computers in their buildings and so those ranges are already part of any access rule sets for their myriad of services. Any service deployed to the private IP space usually has significant routing restrictions so trying to track down the owner\rule for every service would be much more difficult
 
Funny you say that, we use public IP space for our computers (all statically defined btw, don't ask), and VPNs are all privately scoped. It's shockingly difficult to manage/maintain.
 
I know you said 'don't ask' but....why??
I work IT for a college on a university campus, uni IT runs the networking, DNS, and DHCP systems. DNS and DHCP are these weirdie in-house BIND and unix-ey back-end I think? Definitely not simple windows DNS/DHCP. They have a goofy front-end webpage where you register/fiddle with systems to get them on the network. Gotta statically define all of them.

It's a huge headache, and a source of like half of my work-hours, either setting shit up, tearing shit down, or un-fucking someone's screwups.
 
Nothing wrong with BIND -- it is falling a bit out of fashion these days but it essentially ran the internet for most of the earlier 2000's. It's definitely not "weird." Seems like there is just a communications breakdown or an unwillingness to learn to use the tools that have been provided to you.
 
Let's be clear about something, I have no issue with BIND. I also have no issue using the tools provided to me. The tool works well enough, for what it is, it just takes an inordinate amount of time rather than DHCP, especially when you're running a college that runs a fair amount of reimaging every day.

Believe me when I say, the way networking is done on this campus is indeed 'weird', not because they're using BIND though.
 
Fair enough -- although BIND is a DNS server and has little to do with DHCP.
 
That seems odd, why would they need so many external IPs for VPN? Can't you just have everyone connect to the same IP, and wouldn't the client IPs be internal IPs? Why would you use external IPs for work computers? That seems like a nightmare to manage security-wise, as each PC would need its own firewall, as they are basically connecting straight to the internet instead of through a NAT.
 

Because it's a big University? And they have the IP space to spare. And the IP space is still behind the campus network security layer. Traffic flows, encrypted, from the client device to campus and then through the campus firewall\ips\whatever to the internet and then back. You can also bifurcate traffic if the local VPN client knows what IP space campus uses, so anything that goes to that IP space goes to campus and anything not in that space isn't forced to route through the campus connection (so 8,000 users streaming Netflix won't clog the campus connection for those trying to pull research data from their instruments)
 
Yup, natting is for the poors. Campuses have so many /16's they give the printers and IOT devices public addresses 😀
 
Just trying to wrap my head around how that works security wise, as normally you have a router, the router has 1 internet facing IP, then everything on the other side of the router is the internal network, and would use 10.x.x.x IPs and connect to the router. When you go online you are connecting from the router's external IP. You can connect out but nobody can connect to you unless you do a port forward. But if everything is external IPs then it's like having each computer plugged into a switch and straight to the modem. (or whatever box a bigger network would use to connect to the ISP)

Or do you still do like a 1:1 NAT where each machine has an internal IP which maps to an external IP and you still go through a router? At least that way the machines aren't exactly straight on the internet and you don't have to worry about users disabling the firewall or running VNC or whatever.
 
Nah, everything's live routable, and the network is being advertised out to the globe (usually with a globally accessible DNS as well). You DO put everything behind the FW, which is where everything routes to.

So for instance, I can do an nslookup from my home computer and find my workstation's IP address, but I still can't hit it unless I'm VPN'd in (or if I poked a hole through the FW).

It's identical to a NAT'd net, you just skip the NAT part.
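A small model of the two mechanisms the thread describes, split-tunnel routing by campus prefix and publicly routable hosts that are resolvable from anywhere but only reachable through the border firewall or VPN, plus the address-pool arithmetic from the opening post. This is an added illustration, not code from any campus or poster; all prefixes are constructed from documentation ranges.

```python
import ipaddress
from typing import Iterable, Set, Tuple

# Constructed campus address space (RFC 5737 documentation ranges, not real).
CAMPUS_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]
# VPN clients are handed public addresses carved out of campus space.
VPN_POOL = ipaddress.ip_network("203.0.113.0/26")
# Deliberate holes in the border firewall: (destination, port) pairs that
# were explicitly published (hypothetical service).
FIREWALL_HOLES: Set[Tuple[str, int]] = {("198.51.100.10", 443)}


def in_campus(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CAMPUS_PREFIXES)


def via_vpn(dst: str) -> bool:
    """Split tunnel: only traffic destined for campus space enters the tunnel;
    everything else (e.g. streaming) uses the client's own uplink."""
    return in_campus(dst)


def inbound_allowed(src: str, dst: str, port: int) -> bool:
    """Border firewall policy for a new inbound connection to a campus host.
    The host is globally routable and resolvable, but the default is deny
    unless the source is already inside campus space (which includes VPN
    clients) or the destination/port is an explicit hole."""
    if not in_campus(dst):
        return True          # not our address space, not our policy
    if in_campus(src):
        return True          # on-campus or VPN-connected source
    return (dst, port) in FIREWALL_HOLES


def pool_capacity(cidrs: Iterable[str]) -> int:
    """Client addresses available from a set of CIDR blocks, reserving the
    network and broadcast address of each block."""
    return sum(ipaddress.ip_network(c).num_addresses - 2 for c in cidrs)
```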
 
Yup, natting is for the poors. Campuses have so many /16's they give the printers and IOT devices public addresses 😀

Heh - yep. I think it was about a year ago that one I was working with moved all their printers to private IP space because a bunch of printers got exploited and started printing out spam

And there were the Crestron room scheduling touch screen devices that shipped with SIP enabled (WHY???? There is no speaker or microphone!!) that got moved because they kept getting calls from Africa
 
We did that test today, some people were having issues with distorted audio and eventual dropout. Wonder if it is their home internet issue since it worked fine for me.
 