Hello.
Below is a simplified version of our WAN connections, with a default route pointing at the private network; this private network then connects to the internet. We also have our own direct internet connection that is not currently used for outbound web traffic.
The private network uses the 10.0.0.0/8 and the 172.16.0.0/12 ranges, but there are also some destinations on public addresses that need to go through the private network to be accessed; not all of these are known to us and we are unlikely to be able to identify them all. It is managed by a third-party company.
Every solution we have come up with is messy or unworkable in some way, so I have come here asking what others would do. Maybe a fresh set of eyes would be able to come up with a better solution?
Our ideas were:
1) Create a static route to the 10 and 172.16 networks and to anything listed in the firewall pointing towards the private network that is on a public address. Change the default route directly to the internet.
Problems: Addresses will be missed, and we would have to identify these as they are reported. This is bad for business continuity, but it is probably the tidiest solution in the long run?
2) Create a request form for faster internet connectivity to individual sites that are work related. We can then direct requests to these sites straight out the internet.
Problems: If someone wanted to quickly look something up on the internet during their lunch break, they would be stuck using the slow connection. Users such as purchasing, who have a legitimate business need to access a very wide range of sites, are unlikely to put a request in for every site (I wonder if they would bother at all?). Messy, constant admin overhead. IMO it makes us look bad too.
Option 2 can be done in two ways: static routes to each IP address (which will result in a huge list of routes) or through the proxy server. If anything is not proxy compliant we would then still have to add static routes, and I don't like things in two locations. We could always insist that anything that is not proxy compliant must go out through the private network, but then that makes us look bad?
Can anyone else think of an alternative solution? Both of ours have rather large flaws, and in a perfect world we would like neither of them. Out of the two suggested above, which would you go for?
Thanks.
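As an added example, not taken from the original post, a small Python simulation of the option 1 routing table: explicit routes to the 10/8 and 172.16/12 ranges plus the known public destinations, with the default route moved to the direct internet link. The public prefixes, the next-hop names and the firewall log lines are constructed placeholders; the `find_missed` check flags destinations that currently leave via the private link but that the new table would send straight to the internet, which is the "addresses will be missed" gap the post describes, so it can be run against real firewall logs before the default route is changed.

```python
import ipaddress

# Constructed option-1 table: everything listed here goes via the private
# network; anything else falls through to the default route (internet).
# The two public prefixes are placeholders (RFC 5737 TEST-NET ranges), not
# real destinations learned from anyone's firewall.
PRIVATE_NET_ROUTES = [
    "10.0.0.0/8",
    "172.16.0.0/12",
    "198.51.100.0/24",   # placeholder: public prefix found in firewall rules
    "203.0.113.10/32",   # placeholder: single public host found in firewall rules
]

# Constructed firewall log lines showing traffic currently leaving via the
# private link ("wan_private" is an assumed interface name).
SAMPLE_LOG = """\
dst=10.20.30.40 out=wan_private
dst=198.51.100.7 out=wan_private
dst=192.0.2.44 out=wan_private
dst=203.0.113.10 out=wan_private
dst=172.31.0.9 out=wan_private
dst=203.0.113.99 out=wan_internet
"""


def build_table(private_routes):
    """Return (network, next_hop) pairs, most specific prefix first,
    ending with the 0.0.0.0/0 default toward the direct internet link."""
    table = [(ipaddress.ip_network(p), "private") for p in private_routes]
    table.append((ipaddress.ip_network("0.0.0.0/0"), "internet"))
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def lookup(table, dst):
    """Longest-prefix match: first entry containing dst wins."""
    addr = ipaddress.ip_address(dst)
    for net, hop in table:
        if addr in net:
            return hop
    raise ValueError("no route for %s" % dst)  # unreachable with a default


def private_destinations(log_text, private_if="wan_private"):
    """Collect destination addresses that currently exit via the private link."""
    dsts = []
    for line in log_text.splitlines():
        fields = dict(f.split("=", 1) for f in line.split())
        if fields.get("out") == private_if:
            dsts.append(fields["dst"])
    return dsts


def find_missed(table, log_text):
    """Destinations that leave via the private link today but would be sent
    to the internet by the new table: the routes option 1 would miss."""
    return [d for d in private_destinations(log_text) if lookup(table, d) != "private"]
```

Running `find_missed(build_table(PRIVATE_NET_ROUTES), SAMPLE_LOG)` on the constructed log reports 192.0.2.44 as the one destination the new table would misroute.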