If you and the other end have full IPv6 access, then you can get a nice IPv6 block and the firewall can accept that block. As long as the block is yours only, and your not worried about someone being able to spoof at or close to your dest. point, this would solve it with out addition of extra layer of openVpn, or ipsec issues with openSwan and "maybe" compatible routers (10-18 years ago this drove me nuts, but maybe its better now). You could also buy a movable ipv4 class, but if you were coming from a few POP's best to get a few ipv6 classes, give them to peer point FW, and have them config it once and be done with it. But if you set up at an additional pop, then your waiting for another admin FW request to occur on their time frame. In this later case, openSwan is probably only easy solution, provided peering FW is dead on reliable with openSwan road warrior configs, say with 509 certs, etc. -tl On Sat, Sep 3, 2016 at 11:05 AM, Giles Orr via talk <talk@gtalug.org> wrote:
I think I'm having trouble finding an answer to my questions largely because I don't fully know how to express them, so I'm going to try to do so here and see if another member of this list can take my English language fuzzy logic and turn it into question(s) that can more easily be answered ...
I'm running application servers that have to make queries to servers behind a firewall. The firewall (not in my control) has to be configured to admit IP addresses. Getting addresses added to the firewall can be slow. So it seems to me the best way to do this would be to set up a couple of proxy servers with fixed/known IPs so that the application servers (fluctuating headcount and IPs) could make their requests through the proxy servers - which are known to the firewall.
This makes sense in my head so far. But here's the problem: I'd like to send all network traffic from the application servers through the proxy servers, regardless of content, port, destination, anything. But in saying that, it begins to sound more like "routing" than "proxying", and enforcing this seems like it might be tricky on the open internet. And authentication of some sort would seem to be needed to prevent bad actors using the proxy to access stuff behind the firewall.
A VPN is a possibility, but not one I'm enthusiastic about: I tackled OpenVPN a few months back, and after a day and a half and very little progress my brains started to slide out my ears. But if that's what I need to do, I'll get back on it.
Thanks!
-- Giles http://www.gilesorr.com/ gilesorr@gmail.com --- Talk Mailing List talk@gtalug.org https://gtalug.org/mailman/listinfo/talk