Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
A
A
Alexey Povarov2016-10-27 12:52:17
Computer networks
Alexey Povarov, 2016-10-27 12:52:17

How to split WAN by IP addresses?

Hello, friends!
There is an office network organized as follows:
96b3a6f6d79d49beb06842f232dce0b7.jpg
We want to have separate access to video surveillance from the outside. Separate, that is, not connected to the office network, so that if an intruder gains access to video surveillance, he could not get inside the office network at the same time.
What we have come up with so far is as follows:0d6322c5677e4ca08994347722c78305.jpg
We have two ISPs in case there is an outage with one of them. We do not touch provider 1, order a second IP address from provider 2, collect what is shown in the second figure (after replacing the "Something" block with something working) and disconnect the office network switch from the video surveillance switch. The logic is as follows: we will access video surveillance at the second IP address of provider 2, nothing will change for the rest of the network (its protection is provided further - by a router and a proxy server). Well, and accordingly, in order not to clog the Internet channel, access to video surveillance from the internal network should also be carried out not "via the Internet", but inside the "Something" block.
Therefore, the "something" block must:
1.
2. Be able to forward ports. Apparently, this will already be a router, on the WAN of which a cord with an ip address for video surveillance will come. It is also desirable that it forwards ports only for a set of ip-addresses from which it is accessed, and "denies" the rest of the ip-addresses.
3. Conduct data exchange between networks within themselves, and not "via the Internet."
Our router can also be replaced with the "Something" block, if it is more correct.
Please tell me what equipment or set of equipment we need to buy, and where to look for the necessary settings?
Thank you!

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

6 answer(s)
Report
A
Artem @Jump, 2016-10-27
Tag

How to split WAN by IP addresses?
Routes and firewall.
Please tell me what equipment or set of equipment we need to buy
None.

Report
V
VitGun, 2016-10-27
@VitGun

And why VPN with certificate authorization did not please?

Report
A
Andrey Korytov, 2016-10-27
@AKorytov

It seems to me that everything can be done much easier, especially since you have Mikrotik. Look in the direction of DMZ, it seems to me that this is exactly what you need, in Mikrotik it is configured for once, there is a lot of information in Google.

Report
A
Alexey Povarov, 2016-10-27
@BostonGeorge

Alex Suvoroff : Thank you so much for your reply! There is one more thing: everything that enters the router is redirected to a proxy, where almost everything is prohibited, including our access to video surveillance, so from what was available, we assembled this scheme Do ac68c100c36843768ed16494b3d11fe8.jpg
you think it will work correctly ? Naturally, taking into account your comment about the additional route rule, i.e. we will access video surveillance from the internal network only through the router port corresponding to IP1

Report
R
Raul Duke, 2016-10-28
@dushako

I would look towards setting up VLANs. Video surveillance - in one VLAN'e, office network - in another. In addition, your VLAN equipment (including 802.1q) supports.
PS And in order to have access to viewing video surveillance from the office network, we access the video server via external IP using the "loopback".
d1d2b2b068244427b4108fc3b7485fe1.jpg

Report
N
nApoBo3, 2016-11-15
@nApoBo3

Switch the second switch to the router. Set up firewall and routing on the router.
There are two attack options, the first is a perimeter attack, i.e. an attempt to take control of the router from the outside, a second attack on services outside the "border" of the router. If you want to secure the network and believe that the services in the video surveillance network may be vulnerable, then you should treat it as an untrusted network and configure the firewall accordingly (i.e. consider that this is the second Internet of the same kind).
But we should not forget that having gained access to the video surveillance network, an attacker can use a very sophisticated attack based on video surveillance data, ranging from password spying to cunning social engineering.

Similar questions
G
g0r42021-10-25 11:07:42
How does the provider see DoH/DoT traffic? 1Reply
V
Vlad Golubev2013-12-13 21:30:50
How to bypass the Internet access restriction on a work computer? 4Reply
D
Danil2018-08-06 12:13:35
How to check the number of collisions in a network? 2Reply
J
Jafo2016-03-16 19:49:05
The virtual machine (win) must tell the host (win) that it is functioning normally. How? 3Reply
V
Vladimir Kivva2016-03-17 09:46:55
Why does the channel in pppt fade over time, the udpxy picture starts to pour? 1Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question