I have this exact problem. I use several machines in my home network to
do my job (primarily down the vpn) but my family also have computers and
do "their" thing. It would be silly to use name servers thousands of
miles away for them, and those dns servers wouldn't even resolve
important names like our local ISP's POP server. So here's what I do:
- set up a linux box to be my firewall.
- run the vpn client on the firewall such that all machines in my home
network can route through it.
- set up a forwarding dns server on the firewall such that requests for
my work domain are satisfied by servers down the vpn tunnel; queries for
the WWW use my ISP's servers, and my local addresses are served by the
dns server on the firewall.
- set up a dhcp server on the linux firewall such that local machines are
dynamically registered in dns.
This works great and if people are really interested I can share my
config files.
Things I haven't done (because I'm lazy):
- set up two pools of dhcp addresses such that only my "work" machines
get addresses from a designated subnet.
- set up routing tables so that only machines from my "work" subnet are
routable down the tunnel.
That would protect my employer's network from all the trojans and
viruses that my kids bring home on their windoze boxes.
There are several great firewall dists for linux but I just use fc9 with
shorewall for now. My logs show that for 18 hrs of most days someone is
trying to get in and no one ever has...
wcn
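As an added example (these are not wcn's config files, which he offers above but which are not in this thread, nor Shawn's script), here is what that split forwarder plus DHCP registration looks like as a dnsmasq configuration on the firewall. dnsmasq is assumed only because it does both jobs in one daemon; every interface name, address, domain and MAC below is made up for illustration. It also includes the first of the two "not done" items, a separate work pool selected by tag, since that part is pure config:

```ini
# /etc/dnsmasq.conf on the Linux firewall (constructed example, not from the thread)
# Assumed, illustrative values:
#   eth1            LAN side; carries both 192.168.1.1/24 (family) and 192.168.2.1/24 (work)
#   tun0            VPN tunnel to the employer
#   10.8.0.53       employer's resolver, reachable only through tun0
#   203.0.113.53/54 the ISP's resolvers
#   corp.example    the work domain;  home.lan  the local domain

# Serve DNS and DHCP on the LAN interface only, never toward the ISP or the tunnel.
interface=eth1
bind-interfaces

# Ignore /etc/resolv.conf on the firewall; upstreams are listed here explicitly.
no-resolv
# Never forward bare single-label names (e.g. "printer") upstream.
domain-needed

# 1. Work domain: forward only to the resolver on the far side of the tunnel.
server=/corp.example/10.8.0.53
# Reverse lookups for the employer's address space go the same way.
server=/8.0.10.in-addr.arpa/10.8.0.53

# 2. Local domain: answered here from DHCP leases and /etc/hosts, never forwarded.
local=/home.lan/
domain=home.lan
expand-hosts

# 3. Everything else: the ISP's resolvers (which still know the ISP's own POP server).
server=203.0.113.53
server=203.0.113.54

# DHCP. Each lease registers the client's hostname under home.lan automatically.
dhcp-authoritative

# Work machines are identified by MAC and tagged "work" (made-up addresses).
dhcp-host=00:11:22:33:44:55,set:work,workstation1
dhcp-host=00:11:22:33:44:66,set:work,laptop1

# Family pool: only clients WITHOUT the work tag.
dhcp-range=tag:!work,192.168.1.100,192.168.1.200,12h
dhcp-option=tag:!work,option:router,192.168.1.1
dhcp-option=tag:!work,option:dns-server,192.168.1.1

# Work pool: only clients WITH the work tag, on their own subnet.
dhcp-range=tag:work,192.168.2.100,192.168.2.120,12h
dhcp-option=tag:work,option:router,192.168.2.1
dhcp-option=tag:work,option:dns-server,192.168.2.1
```

With this in place the LAN hosts keep a permanent nameserver entry pointing at the firewall, which is also the answer to Shawn's question below: nothing in resolv.conf has to be swapped when the tunnel comes up, because the forwarder decides per query name where to send it, and only corp.example lookups ever cross the tunnel. Two caveats a practitioner will want: matching on MAC in dhcp-host is inventory, not authentication, so the second "not done" item still has to be enforced on the firewall itself (in shorewall terms, a loc to vpn policy of REJECT with an ACCEPT rule only for 192.168.2.0/24), and eth1 must actually carry an address in both subnets or dnsmasq will not hand out leases from the second range.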
Shawn wrote:
Royce's question regarding name resolution triggered a neuron for me...
When I establish a VPN connection to a remote network, I need name
resolution to work for servers there. At the moment the only way to
do this seems to be to change my /etc/resolv.conf file to use their
nameserver. But that means that all name requests are now going
through their network - even for things that have nothing to do with
their network.
I have set up a script to establish the VPN connection, backup my
resolv.conf file and replace it with one that has the remote name
server. But there's probably a better way.
Any tips?
Shawn
_______________________________________________
clug-talk mailing list
[email protected]
http://clug.ca/mailman/listinfo/clug-talk_clug.ca
Mailing List Guidelines (http://clug.ca/ml_guidelines.php)
**Please remove these lines when replying