I rent an office in a building where the owner controls the ISP, modem, and router. I want to sequester the machines in my office from the rest of the users in the building. I’d also love to access my office machines from home.
Is Remote Access VPN mode on Firewalla a good candidate for this (with the office serving as the server). And will this require any port-forwarding or special settings on the building’s router?
I know I’ll need two Firewalla devices for this. And Remote Access only works one way.
I’m just hoping to not need anything special from the building’s router to do this.
You can use site-to-site or remote access, given one site has a reachable public IP. This means it is highly unlikely your office side will have one, since it is fully controlled under their management. If on the other side you can have a public IP and control port forwarding, you can use that as a hub. Then both site-to-site and remote access will work.
If you want many computers at home to use the same VPN, yes, it’s easier with 2 Firewallas: one at the office where you enable the Firewalla VPN server (site-to-site) and the other one at home where you enable the client and set which devices you need to access that VPN. Unfortunately, yes, you need to forward the VPN port to the VPN server at your office. You can try disguising it using a common port (i.e. 443) when you ask the owner, but if you’re not allowed to create any port forwarding at all, then I’m afraid you’re out of luck.
I’m not sure if what you’re asking is entirely possible.
I believe you would need to connect the Firewalla between the modem and the router. The Firewalla will act as the new router (distributing DHCP) and your current router should be configured as an access point. This will encrypt the whole network.
There may be a way to separate/partition a subnet off the current router through the firewalla, but that’s a bit outside my scope.
The firewalla would certainly allow you to login to the office network remotely, however.
Difficult to say if I could talk the owner into opening a port for me. But if I did have a 2nd device at home and set up a public IP there, would that work for site-to-site? Or do both sides need a public IP?
Ok. Interesting. I have minimal networking knowledge, so I could be misunderstanding how this works. I was hoping to use the Purple in Bridge mode with connections in this order:
Building Modem
Building Router
In-wall Cat-6 receptacle in my room
Firewalla Purple in Bridge Mode
TP-Link Switch
Multiple computers within my office subnet.
I’d love to know whether I have the wrong methodology here.
I would treat the Cat cable coming into your office as the “ISP”. Pretend that is coming from the internet provider directly. Then, use the FWP in router mode, and everything behind it on the LAN side as your internal network. So:
Building Cat6 → FWP → TP-Link Switch → this would be your office subnet.
This would segment all of your devices away from the rest of the building.
I’m not sure if double NAT may be an issue; hopefully someone has some knowledge in that space.
I previously had a router connected to the Building Cat6 and used that to create my subnet. Other people in the building were using routers this way too.
The building router had some weird issues that went away when I replaced my individual router with a switch.
My understanding was that my router was interfering with the primary router, with both trying to assign IPs on the network. Do I have a wrong understanding of how that works?
This makes the most sense to me. But wouldn’t the main router recognize the machines behind the Firewalla and try to assign them DHCP also? Would this cause a conflict between the Firewalla DHCP and the primary router?
Sounds like a podunk setup from the building side. However, I’ve seen an enterprise IT shop come to a halt before when there is a ‘rogue’ router/DHCP server. When a DHCP request comes across, the quickest response wins. If the rogue is serving a different CIDR then there will be issues. If a rogue is serving the same CIDR, then you get overlapping IPs. Either way, it will definitely cause some chaos.
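A small defender-side check in the spirit of the rogue-DHCP point above, added here as an example and not taken from the original thread or from Firewalla: it groups DHCPOFFER records by the server that sent them and classifies any server other than the one you expect as serving the same CIDR (overlapping leases) or a different CIDR. The record format, server addresses and offered leases are all constructed for this example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: one DHCPOFFER per line, "server_ip offered_ip/prefix".
# This format and these addresses are made up for the example; a real
# capture would come from a DHCP sniffer or the server's own logs.
SAMPLE_OFFERS = """\
192.168.1.1 192.168.1.57/24
192.168.1.1 192.168.1.58/24
192.168.10.1 192.168.10.20/24
192.168.1.1 192.168.1.59/24
192.168.1.254 192.168.1.60/24
"""


def parse_offers(text):
    """Turn the constructed records into (server_ip, offered_interface) pairs."""
    offers = []
    for line in text.splitlines():
        if not line.strip():
            continue
        server, lease = line.split()
        offers.append((ipaddress.ip_address(server), ipaddress.ip_interface(lease)))
    return offers


def audit_dhcp_servers(offers, expected_server):
    """Report every DHCP server other than expected_server and how it clashes.

    same-cidr-overlap: the rogue hands out leases in the expected subnet,
                       so two servers are carving up the same address pool.
    different-cidr:    the rogue puts clients on an entirely different subnet,
                       so whoever answers first decides which network a client joins.
    """
    expected = ipaddress.ip_address(expected_server)
    nets_by_server = defaultdict(set)
    for server, lease in offers:
        nets_by_server[server].add(lease.network)
    expected_nets = nets_by_server.get(expected, set())

    findings = []
    for server, nets in nets_by_server.items():
        if server == expected:
            continue
        for net in nets:
            if net in expected_nets:
                kind = "same-cidr-overlap"
            elif any(net.overlaps(e) for e in expected_nets):
                kind = "partial-overlap"
            else:
                kind = "different-cidr"
            findings.append((str(server), str(net), kind))
    return sorted(findings)
```

Run against the sample with `audit_dhcp_servers(parse_offers(SAMPLE_OFFERS), "192.168.1.1")` to see one server flagged for each of the two failure modes the post describes.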
You will not need two devices actually! All you need is the one in the office. This machine will create a VPN server which you will log in to remotely using VPN client software on your home PC.