If that's the case you should write ~/.ssh/config files for each user.

There are other options -- check man ssh_config for the rest.

Now your user can just type 'ssh work' to start the connection.

Thats a good idea... tho I think for real bone heads I would write a little applescript.. then all they have to do it click...

--Zed :cool:

My router is a NetGear WGR614 v3... it allows me to do port forwarding to any internal IP address: For example, it will forward 1501 --> 192.168.0.5. But, it won't do 1501 --> 192.168.0.5:8080.

Do I need a router that can do more than forward 1501 --> 192.168.0.5 ?


Good idea... I'll turn them off for the time being.


So, it looks like this is how I'll edit the private>etc>sshd_config file on each internal work Mac so that it will listen for SSH on Port 1501 (or whatever port number I assign):

Port 1501
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::

And, I'll write a custom config file for each home user's machine that reads per the instructions given. Where exactly should I locate this file, should it be invisible, and exactly how should I name it?

I appreciate the hand-holding here.

GS

I have the same WiFi router at home.

What you can do is change the ssh port for the machine that it's being forwarded to. Edit the port in /etc/ssh_config to match the port coming from the router. This should make the machine answer ssh requests without having to get a new router that forwards port to port. This will, however "break" ssh behind the WiFi router. If you want to ssh from one machine inside the router to another, you have to know and remember which port sshd is listening on the remote machine. I don't know if you can specify 2 different ports for ssh to listen on in /etc/ssh_config.

Another way would be to set up port forwarding on the destination machine. Set up a forward that any request coming to port 1501 automatically gets redirected to port 22. I think that would work too. Again, you should be able to do this in /etc/ssh_config. Read the man pages for ssh_config for more info about the settings.

That firewall/router will be just fine..

It will forward connections from the internet on specific ports to Internal systems on the same port..

--Zed :cool:

Right... understood... and the above edits I wrote about should do this.


I don't know how to do this (yet), but this seems like it would solve both problems at the same time... I'll look into this... thanks!

GS

Ooops! Yep, you sure did! :)

OK... so I need more hand holding than I thought... could someone direct me to a good place to learn how to forward external listening ports on a system to another internal port?

I'm beginning to think I need to enroll in some kind of a OSX Unix class somewhere to learn this stuff... any suggestions?

this is what i do and i like it from a security stand point, but then again i am the only one that logs on from the outside world.

Believe it or not, I was actually getting to that point... :-)

Thanks everyone for the great advice and response to this thread.

We've finally decided that we are:

1) NOT going to SSH to each machine from outside

2) NOT going to utilize VPN pass-through to a VPN server inside

3) ARE going to buy a VPN-endpoint router than can support multiple VPN IPSec tunnel connections directly to the router, from which the home user can access his work machine and all other network resources.

We're looking at buying the NetGear ProSafe FVS318 VPN Firewall. I'd love some comments or feedback from anyone familiar with this device. I've heard great things on this side, but always will consider more info.

We're also considering using our existing NetGear WGR614 as a second router on the network for the sole purpose of providing fast wireless access to the network (rather than purchasing a much more expensive wireless VPN firewall and getting rid of the existing wireless router).

In setting up the wireless router (which will no longer be the primary router on the network), would I assign it a unique IP address on the new VPN router, and then use the wireless router's DCHP server to dynamically assign wireless IP addresses? Just looking for some suggestions here so that I can minimize potential problems.

Thanks again!!!!

Well I have to say that you've made the right choice... I know it means spending money but in the end the extra security and functionality will be worth it...

I'm also glad that with all the discussion we did not put you off completely! :D

I've not tried that router that you suggest, but I'm sure others here have....

As for using the existing wireless router.. well you can still use it and just turn off the DSL routing side and instead point it at the new firewall/router.. it does not matter which one does the DHCP/DNS... as long as one of them does and not BOTH :)

Try drawing a network diagram so that you are clear how things will connect up, and maybe post it here for comments..I use omnigraffle for my diagrams.

Cheers,
--Zed :cool:

OK... I did the deed... I just purchased a NetGear FVS318 VPN Firewall router for my company office, and I have a NetGear WGR614 router at my home.

I've successfully made an IPSec VPN connection from my home to the office (using VPN Tracker client software). And, I can successfully reach any of the internal systems at the office (all running OSX Panther) by typing their local private/NAT IP address in the finder's "Connect to Server" window after the VPN connection with the router is made.

However, I am unable to "browse" the office network, or have any of the office systems show up in Rendezvous (i.e. iChat), or see any of the network/shared printers.

The office VPN Firewall router has local address 192.168.0.1, and the home router has local address 192.168.2.1. Both home and office use subnet 255.255.255.0.

Can anyone suggest a way to browse the office network (i.e. using in the connect to server window OR the network icon in a finder window)? Do I need to reset the home router address to one compatible with the office network (e.g. 192.168.0.99)? And if I do that, do I need to turn off the DHCP server on the home network to prevent conflicts? (FYI, both routers have RIP capability for multiple router communication, but I've got no clue how to use that yet).

Or is this functionality not possible on OSX using VPN? I have enabled NetBIOS on the VPN Firewall, but that didn't make a difference (and we're not using Winblows systems anyways). I was hoping that the home user would have the same experience as if he were sitting in the office at work... including printing to printers around the office and iChatting with co-workers at their desks (I know we can do Internet iChat via AIM, but I'm trying to avoid that).

Thanks!!
GS

It just dawned on me that I was so happy to make the VPN connection yesterday, that I didn't check to see if there was a firewall problem preventing me from browsing the office network...

I know that I need 5297-98 open for iChat, but are there other ports I need to open to browse the network and see printers? Or does that all come in through port 500 (IPSec VPN connection)?

Thanks again!
GS