  #1  
Old 05-09-2011, 05:13 PM
:::
 
Join Date: Jul 2003
Location: Alberta
Posts: 268
Computer question - setting up a VPN

I have a question for you computer networking experts out there...

I have 3 pieces of industrial equipment that are networked together. They need to be monitored remotely over the internet. The location in which they are installed does not have a dedicated wired internet connection but has access to a building-wide public wireless network.

I don't want these 3 industrial devices to be able to access the internet, get viruses, etc. What I want is to be able to remotely connect my PC as another node on their private network (over the internet), monitor them, and then disconnect. I'm not in the same building - I'm miles away.

My initial thought was to use:
1) a VPN router, either with some sort of client software on my PC, or a matching router at my end, whatever is necessary, AND
2) a wireless bridge (to connect the VPN router to the public wireless network)

Here is a drawing of what I was picturing:
Code:
REMOTE LOCATION:
              .----------.
[Device 1]----+          |     .----------.                        .-----.
              |  VPN     |     | Wireless |        public          |     |
[Device 2]----+  Router  +-----+ Bridge   +-) ) ) -wireless- ( ( (-+  ?  +---< INTERNET
              |          |     | Linksys  |        network         |     |
[Device 3]----+          |     | WET610N  |                        '-----' 
              '----------'     '----------'

AT MY OFFICE:
              .------------.     .----------.
              | Cable      |     | Firewall |
INTERNET >----+ Modem      +-----+ Router   +-----[ My Computer ]
              | Dynamic IP |     |          |
              '------------'     '----------'
But, I am a bit uncertain as to whether this would work. Specifically, I don't know how to be certain that the VPN traffic will pass through the miscellaneous (unknown) devices in the public wireless network. I also don't know how I would connect to the VPN router remotely (since it's behind the wireless router (marked with ? in the drawing) and bridge, I don't think it would have an IP address that I could access from the internet). And, I want to make sure that the 3 pieces of industrial equipment can't see the internet.

I've been reading manuals for VPN routers all day but I'm not really seeing how to configure them to implement something like this.

I could probably convince the appropriate people to make some minor changes to the configuration of the building wireless network if necessary, but I'd need to be certain of what had to be done before I ask.

If anyone has any pointers/suggestions on this, I would be very appreciative!

__________________

1989 250TD Wagon 5-speed, 160,000mi ::: Dark gray metallic / black cloth
1984 190D-2.2 5-speed, 287,000mi ::: Silver-blue metallic / black MB-tex ::: SOLD
  #2  
Old 05-09-2011, 05:27 PM
powerpig's Avatar
In Memory of the Sam Man
 
Join Date: Feb 2006
Location: Guntersville, AL
Posts: 649
What OS are they on? If Windows, you can use LogMeIn which works well. Just set the firewall to accept your workstation IP and no others. In order for any VPN to work, the servers are going to have to have some sort of internet access.
__________________
99 ML320
94 SL600
92 SL500
95 E320 Cabriolet
87 560SEC
86 300SDL Grease Car
80 380SLC Euro

13 Fiat Abarth
02 Maserati Spyder Cambiocorsa
00 BMW Z3
90 Rolls Royce Silver Spur
80 Ferrari 308 GTSI
88 Jaguar XJS12 H&E Edition
99 Land Rover Discovery
  #3  
Old 05-09-2011, 05:41 PM
:::
 
Join Date: Jul 2003
Location: Alberta
Posts: 268
Thanks for the reply. Unfortunately, I can't install anything on the 3 pieces of equipment (or otherwise modify them), which makes it harder. They run an old version of Windows Embedded (not a full implementation of Windows).

So, the new piece of networking gear I introduce (a VPN router or whatever) needs to take care of the details somehow...

I don't need to get onto those pieces of equipment (so a remote login or remote desktop kind of approach is not what I'm looking for) - I just need to be on their network. They are monitored through proprietary software over TCP/IP so I just have to be able to see them on the network. I will run the software on my PC and it will talk to these devices and do whatever it is that it needs to do.
  #4  
Old 05-09-2011, 07:04 PM
Medmech's Avatar
Gone Waterboarding
 
Join Date: Feb 2007
Posts: 117
Just a wild stab and I know when PP has the time he will know what to do but I think you can use SSH Sentinel to connect to the VPN on the older Winders boxes.
  #5  
Old 05-09-2011, 07:20 PM
powerpig's Avatar
In Memory of the Sam Man
 
Join Date: Feb 2006
Location: Guntersville, AL
Posts: 649
Quote:
Originally Posted by Medmech View Post
Just a wild stab and I know when PP has the time he will know what to do but I think you can use SSH Sentinel to connect to the VPN on the older Winders boxes.
Good call. I was going to mention SSH, but he still has to have it installed on the host boxes. Give me a day and I'll figure something out.
  #6  
Old 05-09-2011, 09:09 PM
1990 500SL
 
Join Date: Oct 2003
Location: Hawthorn Woods, IL. USA
Posts: 329
Any further info on the older Windoz version ??
Most had some limited remote desktop capabilities.

The VPN router only provides the connection, you would need to put some form of PC at the remote site. Got an old laptop/PC laying around ?? You'd need a pretty basic setup.

Then you'd connect into it and use it to monitor the remote site.
LogMeIN, RDP or any other remote connection products, do a Google search

Does the remote site see the internet with a fixed IP ??
A lot of points have IPs that change, mine does but rarely, then look at DynDNS or some other product to monitor it.
__________________
KLK, MCSE

1990 500SL

I was always taught to respect my elders.
I don't have to respect too many people anymore.
  #7  
Old 05-09-2011, 10:49 PM
:::
 
Join Date: Jul 2003
Location: Alberta
Posts: 268
Quote:
Originally Posted by kknudson View Post
Any further info on the older Windoz version ??
Most had some limited remote desktop capabilities.

The VPN router only provides the connection, you would need to put some form of PC at the remote site. Got an old laptop/PC laying around ?? You'd need a pretty basic setup.

Then you'd connect into it and use it to monitor the remote site.
LogMeIN, RDP or any other remote connection products, do a Google search

Does the remote site see the internet with a fixed IP ??
A lot of points have IPs that change, mine does but rarely, then look at DynDNS or some other product to monitor it.
I'm glad that you asked these questions; they help to clarify what I need to achieve.

While it would technically work to buy another computer, put it on the remote network, and then RDP into it, for a variety of reasons I can't put another computer at the remote site (mainly, there is no place to put one, either from a space standpoint or from a security standpoint, and some political resistance to this idea as well). The industrial equipment can't be RDP-ed into either.

So, for this particular scenario, assume for now that it's not possible to RDP into a computer that is at the remote location. Instead, I want my own computer in my office to act as if it is located at the remote site (not all the time, just when I need to check on things).

I think the VPN router will do this for me; in the manual for the Cisco RV082 VPN router, they say (I'm paraphrasing a bit):
The VPN capability creates encrypted “tunnels” through the Internet, allowing traveling users to securely connect into your office network from offsite. Users connecting through a VPN tunnel are attached to your company’s network just as if they were in the building.

My wife VPNs into her office from our house, and it does exactly this. Start the connection, and all of our local home network devices (printers, NAS, PCs) disappear, and her work network is there instead (office printers, other computers, network shares, etc.). It's like being at her office, but less boring. Disconnect and things are back to normal.

This is exactly what I want - for my computer in my office to appear as if it's in the same building, on the same network as these three pieces of industrial equipment. The monitoring software I need to use can then run on my office PC. So I think I'm on the right track with a device like this. But, I'm not sure how to hook it up with the wireless network in the middle (vs. having the VPN router on a static IP directly exposed to the internet, which I think I could bumble my way through from the examples in the router manuals).

My best guess at the moment is to:
  1. Buy one of these VPN routers and a wireless bridge
  2. Put them on the wireless network with a static IP for the router (by this I mean static relative to the local side of the wireless network, not the internet)
  3. Get the administrator of the wireless network router to configure it to forward the ports associated with VPN tunnels to this static IP (I think these are ports 50, 51 and 500, but this is all new to me).
  4. If the building's public wireless network doesn't have a static IP on the internet, then use the DynDNS service on the VPN router to give me a name I can use to connect to it. (good tip - thanks!)
  5. Configure the firewall in the VPN router to block the industrial equipment from accessing the internet.
  6. Connect the industrial equipment to the VPN router's LAN ports, and the wireless network to the WAN port via the wireless bridge.
  7. Run VPN client software on my PC to create the VPN tunnel, putting my PC on the remote network.

I have no idea if this will actually work though... I've never had to do any networking this elaborate before.

I really appreciate all of the responses; I know this is a weird / complicated situation with a lot of restrictions - that's why I feel fortunate to have your help!
  #8  
Old 05-09-2011, 11:14 PM
1990 500SL
 
Join Date: Oct 2003
Location: Hawthorn Woods, IL. USA
Posts: 329
re DynDNS there are other alternatives too, one of the router companies provides it built in, never used it.
I've had good luck with DynDNS so I don't bother.

I still think you don't quite understand something, the VPN device/router whatever creates the doorway for YOUR PC to connect to a DEVICE on the other side. It does not transfer network traffic from the other side through the tunnel to your PC.
You need to connect to something there, a device, a PC something to see the local traffic. (There may be specialized VPN / routers that do this, I've never seen one, but it will not be your normal VPN/Router.)

I set up a lot of VPNs, I usually call them remote users. Many of my clients have one or several people that work predominately remote.
I also support most of those clients through the same connection.

For me to manage that VPN router remotely (I turn off remote administration), I have to remote into a server on the inside, and use it to administrate the router itself.

Now here's a fun thing, somewhat unrelated, but think it through.
When I set these up I need to test them, but you can't properly test them from within the network.
So I VPN into my home/office network logging into a desktop there, then I fire up VPN on it back into the client and Remote desktop into another machine at the client.
  #9  
Old 05-10-2011, 05:30 AM
sjh sjh is offline
Banned
 
Join Date: Oct 2009
Posts: 580
I somewhat understand the situation and I'm sorry it's outside of my skill set.

I think you're saying your small LAN of old quasi-MS machines are on their own TCP/IP network.

I believe a competent IT guy (or gal) could take care of it & it sounds like there is at least one person, probably more who know what they are doing and are helping you already on this thread.
  #10  
Old 05-10-2011, 05:56 AM
Registered User
 
Join Date: Dec 1999
Location: Utrecht, the Netherlands
Posts: 416
I don’t think this is going to work.

For a VPN you need a public IP address on your VPN, which means that the ports you use (probably TCP/UDP 500 and 4500) are forwarded from the public network gateway to your VPN router. Administrators of public networks are not likely to do that.

A workaround can be to set up a computer in the remote location with a remote access program (like Teamviewer).

Rob
Reply With Quote
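An added example (not from any poster in this thread), assuming an IPsec VPN router behind the building's NAT gateway: it checks a planned set of port forwards and firewall rules against what IPsec needs (IKE on UDP 500, NAT-T on UDP 4500, ESP and AH as IP protocols 50 and 51 rather than ports) and against the goal of keeping the equipment off the internet. The class names, zone names and sample rules are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

# IPsec facts: IKE is UDP 500, NAT traversal (NAT-T) is UDP 4500.
# ESP and AH are IP protocols 50 and 51; they have no port numbers.
REQUIRED_UDP = {500: "IKE", 4500: "NAT-T (ESP inside UDP)"}
IP_PROTOCOLS = {50: "ESP", 51: "AH"}

@dataclass(frozen=True)
class Forward:
    """A port forward on the upstream gateway (the '?' box in the drawing)."""
    proto: str
    port: int

@dataclass(frozen=True)
class ZoneRule:
    """A forwarding rule on the VPN router; first match wins."""
    src: str      # "lan" = equipment, "vpn" = tunnel clients, "wan" = building network
    dst: str
    action: str   # "allow" or "deny"

def lint_forwards(forwards):
    """Return findings for the port forwards requested from the gateway admin."""
    have = {(f.proto.lower(), f.port) for f in forwards}
    findings = []
    for proto, port in sorted(have):
        if proto in ("tcp", "udp") and port in IP_PROTOCOLS:
            findings.append(f"{proto}/{port} is not {IP_PROTOCOLS[port]}: "
                            f"{IP_PROTOCOLS[port]} is IP protocol {port}, not a port")
    for port, name in REQUIRED_UDP.items():
        if ("udp", port) not in have:
            findings.append(f"udp/{port} ({name}) is not forwarded")
    return findings

def verdict(rules, src, dst, default):
    """First matching rule decides; otherwise the router's default applies."""
    return next((r.action for r in rules if (r.src, r.dst) == (src, dst)), default)

def lint_isolation(rules, default="allow"):
    """Check that equipment is cut off from the WAN but reachable over the tunnel."""
    expected = {("lan", "wan"): "deny", ("wan", "lan"): "deny", ("vpn", "lan"): "allow"}
    return [f"{s}->{d} is {verdict(rules, s, d, default)}, expected {want}"
            for (s, d), want in expected.items()
            if verdict(rules, s, d, default) != want]

# Constructed sample input: one reading of "ports 50, 51 and 500", then a corrected set.
PLANNED = [Forward("tcp", 50), Forward("tcp", 51), Forward("udp", 500)]
CORRECTED = [Forward("udp", 500), Forward("udp", 4500)]
HARDENED = [ZoneRule("lan", "wan", "deny"), ZoneRule("wan", "lan", "deny"),
            ZoneRule("vpn", "lan", "allow")]

if __name__ == "__main__":
    for title, result in (("planned forwards", lint_forwards(PLANNED)),
                          ("corrected forwards", lint_forwards(CORRECTED)),
                          ("no firewall rules", lint_isolation([])),
                          ("hardened rules", lint_isolation(HARDENED))):
        print(title, "->", result or "ok")
```

The `default="allow"` argument models a router that permits traffic when no rule matches, which is an assumption; pass `default="deny"` for a default-deny device.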
  #11  
Old 05-10-2011, 10:33 AM
:::
 
Join Date: Jul 2003
Location: Alberta
Posts: 268
Quote:
Originally Posted by kknudson View Post
I still think you don't quite understand something, the VPN device/router whatever creates the doorway for YOUR PC to connect to a DEVICE on the other side. It does not transfer network traffic from the other side through the tunnel to your PC.
You need to connect to something there, a device, a PC something to see the local traffic. (There may be specialized VPN / routers that do this, I've never seen one, but it will not be your normal VPN/Router.)
Yes, this could very well be a source of confusion for me. From what I had read, I had assumed that the VPN router would effectively put my computer on the remote network.

The thing that made me think I could do this was that my wife's work VPN operates in this way. When she connects to her office from home, we're still working on our home PC, but have access to all of her office's network resources. It doesn't appear as if we connect to a specific device in her office - we're just somehow on her office's network from home. But I don't know what equipment exists in her office to make this all happen.

Thanks for having the patience to explain things to me!
  #12  
Old 05-10-2011, 10:59 AM
1990 500SL
 
Join Date: Oct 2003
Location: Hawthorn Woods, IL. USA
Posts: 329
Quote:
Originally Posted by cornblatt View Post
Yes, this could very well be a source of confusion for me. From what I had read, I had assumed that the VPN router would effectively put my computer on the remote network.

The thing that made me think I could do this was that my wife's work VPN operates in this way. When she connects to her office from home, we're still working on our home PC, but have access to all of her office's network resources. It doesn't appear as if we connect to a specific device in her office - we're just somehow on her office's network from home. But I don't know what equipment exists in her office to make this all happen.

Thanks for having the patience to explain things to me!
Actually Her network operates as I explained it.
She is connecting to devices on the corporate network, shares, printers, E-mail server ...

But she cannot see general network traffic occurring behind their router, it does not allow that traffic out.
Only the traffic specific to Her VPN connection.
  #13  
Old 05-10-2011, 11:15 AM
:::
 
Join Date: Jul 2003
Location: Alberta
Posts: 268
Quote:
Originally Posted by kknudson View Post
Actually Her network operates as I explained it.
She is connecting to devices on the corporate network, shares, printers, E-mail server ...

But she cannot see general network traffic occurring behind their router, it does not allow that traffic out.
Only the traffic specific to Her VPN connection.
Oh - now I see what you are saying. And it makes me think I haven't explained things very well.

So there's this software I need to run on my PC to monitor these pieces of equipment. It doesn't need to 'spy' on the general network traffic or anything like that - instead, it makes TCP connections with each piece of equipment, queries them, and they send a response, and then the connection closes.

I need to put my PC on the same network as the industrial devices so that it can see the devices in order to query them (e.g. so that they show up if I do a "net view" from a command prompt on my PC). I also need to be able to create network shares to access files on them (e.g. with a "net use" command from a command prompt on my PC).

I apologize for being unclear earlier; as you've probably guessed, this is outside the realm of my networking knowledge. Thank you again for your helpfulness!
  #14  
Old 05-10-2011, 11:34 AM
1990 500SL
 
Join Date: Oct 2003
Location: Hawthorn Woods, IL. USA
Posts: 329
First, My Pleasure.

I think you're getting it now.

You will need to Share those directories on the PCs too.
You can only 'Net Use' to a share.

But if that gets you the info you need it might do it.
  #15  
Old 05-10-2011, 08:46 PM
powerpig's Avatar
In Memory of the Sam Man
 
Join Date: Feb 2006
Location: Guntersville, AL
Posts: 649
Sounds like your wife is using Citrix or similar. You're going to have to set up a client server (telnet) or other way to VPN in.

All times are GMT -4.