If you and the other end have full IPv6 access, then you can get a nice IPv6 block and the firewall can accept that block. As long as the block is yours only,

and your not worried about someone being able to spoof at or close to your dest. point, this would solve it with out addition of extra layer of openVpn,

or ipsec issues with openSwan and "maybe" compatible routers (10-18 years ago this drove me nuts, but maybe its better now). You could also buy a movable ipv4 class,

but if you were coming from a few POP's best to get a few ipv6 classes, give them to peer point FW, and have them config it once and be done with it. But if you 

set up at an additional pop, then your waiting for another admin FW request to occur on their time frame. In this later case, openSwan is probably only easy solution,

provided peering FW is dead on reliable  with openSwan road warrior configs, say with 509 certs, etc.

-tl

On Sat, Sep 3, 2016 at 11:05 AM, Giles Orr via talk <talk@gtalug.org> wrote:

I think I'm having trouble finding an answer to my questions largely
because I don't fully know how to express them, so I'm going to try to
do so here and see if another member of this list can take my English
language fuzzy logic and turn it into question(s) that can more easily
be answered ...

I'm running application servers that have to make queries to servers
behind a firewall. The firewall (not in my control) has to be
configured to admit IP addresses. Getting addresses added to the
firewall can be slow. So it seems to me the best way to do this would
be to set up a couple of proxy servers with fixed/known IPs so that
the application servers (fluctuating headcount and IPs) could make
their requests through the proxy servers - which are known to the
firewall.

This makes sense in my head so far. But here's the problem: I'd like
to send all network traffic from the application servers through the
proxy servers, regardless of content, port, destination, anything.
But in saying that, it begins to sound more like "routing" than
"proxying", and enforcing this seems like it might be tricky on the
open internet. And authentication of some sort would seem to be
needed to prevent bad actors using the proxy to access stuff behind
the firewall.

A VPN is a possibility, but not one I'm enthusiastic about: I tackled
OpenVPN a few months back, and after a day and a half and very little
progress my brains started to slide out my ears. But if that's what I
need to do, I'll get back on it.

Thanks!

--
Giles
http://www.gilesorr.com/
gilesorr@gmail.com
---
Talk Mailing List
talk@gtalug.org
https://gtalug.org/mailman/listinfo/talk