Wednesday, March 11, 2020

Best practices for accessing multiple clients on different ports behind the LAN side of a router which is securely connected to a VPN on its WAN side

Hello you all! I have a question regarding some best practice tips and tricks on how to access clients on a LAN behind a router.

Here’s a quick overview over what I want to accomplish:

We at my company are currently in the process of developing an “IoT” device. One or multiple of these devices will be connected to a router by NetModule (for now). The router is an LTE router and it routes all traffic into a VPN provided by our ISP, which again is connected to our onsite firewall (for now – I am aware that this is by far not the best solution to this).

The reason for this is that we want to be able to access these routers and devices while they are deployed in the field in case we need to configure something more. I set up the firewall to block any traffic except for the bare minimum of SSH, HTTP(S) and ICMP so we can test a little bit.

I can access the router no problem via the “public” IP it has inside the VPN tunnel (10.x.x.x – so a private range IP on the WAN side of the router).

Next to the normal iptables firewall the router also supports stuff like NAPT for port translation and all different kinds of routing possibilities like static, extended or multipath routes, multicast via IGMP proxy or static routes, etc.

Next to all of that it also supports different VPN protocols as either server or a client. So, my question would be what would be the best way to approach making the devices in the LAN of the router reachable?

I’ll limit the access to the LAN of the router to a specific part of our company network and we’ll have made sure to isolate and segment all that stuff so no worries on that side. I just want to have some input on how to make x clients with x ports accessible without compromising much security and without exposing everything to the WAN.

Thanks so much in advance! And I hope you all will have a great rest of the week!
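As an added illustration (not part of the original post), the NAPT approach mentioned above expressed as a rule generator for a Linux-based router: each LAN client/port pair gets its own port on the router's VPN-side address, translation is only performed for one trusted source network, and a map that assigns the same WAN port twice is rejected. Interface name, subnets and the port map are constructed assumptions; the script prints the iptables commands rather than applying them.

```shell
#!/bin/sh
# Added example, not from the original post or from NetModule: generate
# NAPT/DNAT rules so that several LAN clients on several ports are reachable
# through the router's VPN-side ("WAN") address, but only from one trusted
# source network. All names and addresses below are constructed assumptions.

WAN_IF="wwan0"               # assumption: the router's VPN/WAN-facing interface
ALLOWED_SRC="10.50.0.0/24"   # assumption: the company subnet allowed to reach the LAN

# One line per published service: <wan_port> <lan_ip> <lan_port> <proto>
PORT_MAP="
2201 192.168.1.10 22  tcp
2202 192.168.1.11 22  tcp
8443 192.168.1.10 443 tcp
"

# Reject a map in which two services claim the same WAN port/protocol: the
# second DNAT rule would never match and that service would silently be unreachable.
check_port_map() {
  dup=$(printf '%s\n' "$PORT_MAP" | awk 'NF && $1 !~ /^#/ { print $4 "/" $1 }' | sort | uniq -d)
  [ -z "$dup" ]
}

gen_napt_rules() {
  check_port_map || { echo "duplicate WAN port/protocol in PORT_MAP" >&2; return 1; }
  printf '%s\n' "$PORT_MAP" | while read -r wan_port lan_ip lan_port proto; do
    case "$wan_port" in ""|\#*) continue ;; esac
    # Translate only for the trusted source; nobody else is ever forwarded to the LAN host.
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -s $ALLOWED_SRC -p $proto --dport $wan_port -j DNAT --to-destination $lan_ip:$lan_port"
    echo "iptables -A FORWARD -i $WAN_IF -s $ALLOWED_SRC -d $lan_ip -p $proto --dport $lan_port -m conntrack --ctstate NEW -j ACCEPT"
  done
  # Replies to already-established flows pass; anything else arriving from the WAN is dropped.
  echo "iptables -A FORWARD -i $WAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -A FORWARD -i $WAN_IF -j DROP"
}

# Number of DNAT rules produced, for a quick sanity check against the map.
count_dnat_rules() {
  gen_napt_rules | grep -c -- '-j DNAT'
}
```

Review the printed rules, then apply them on the router in front of its existing FORWARD policy so the final DROP is reached only by traffic no earlier rule accepted.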
