Satellite VPN using a hardware solution
by John Watson
VPN is an abbreviation for Virtual Private Network. The problem begins like this:
There is a local area network somewhere, like a sales office or plant headquarters, that has anywhere from a few computers to several hundred computers connected together in a private LAN. All these “Local Area Network” computers can see each other, and can access the Internet using a gateway router, but cannot be seen from outside the company. Network Address Translation, NAT, makes this possible. This could be a small home office with a DSL or Cable router, or a large enterprise with a T1 or ACM line and a Cisco or SonicWall router. The problem is that I, in my motor home, with my satellite connection, need access to all those computers and printers as if I were still present in that office. One more problem: this cannot be at the expense of exposing the corporation’s computers to the Internet, or of sending un-encrypted data over a satellite. Besides that, getting public routable IP addresses for all those machines is not desirable.
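The NAT behaviour the paragraph relies on, shown as a small model. This is an added illustration, not the SonicWall or Windows 2000 configuration from the article: a gateway rewrites outbound packets to its one public address, matches replies against a translation table, and drops anything unsolicited, so the private hosts are invisible from outside. It also includes a static port translation of the kind the article says was used to reach printer controllers before the VPN. All addresses and ports are constructed sample values from the RFC 5737 documentation ranges.

```python
"""Toy address-restricted NAT gateway (added example, constructed addresses)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatGateway:
    """A mapping is created by outbound traffic; only the remote host that
    traffic was sent to may use the mapping for inbound packets."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self._next_port = first_port
        # (public_port, proto) -> (private_ip, private_port, remote_ip)
        self.table: Dict[Tuple[int, str], Tuple[str, int, str]] = {}
        # (private_ip, private_port, remote_ip, proto) -> public_port, so a flow reuses its mapping
        self._reverse: Dict[Tuple[str, int, str, str], int] = {}
        # static port translations, e.g. for a printer controller on the LAN
        self.forwards: Dict[Tuple[int, str], Tuple[str, int]] = {}

    def add_forward(self, public_port: int, private_ip: str, private_port: int,
                    proto: str = "tcp") -> None:
        self.forwards[(public_port, proto)] = (private_ip, private_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite a LAN packet so it leaves with the gateway's public address."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.proto)
        public_port = self._reverse.get(key)
        if public_port is None:
            public_port = self._next_port
            self._next_port += 1
            self._reverse[key] = public_port
            self.table[(public_port, pkt.proto)] = (pkt.src_ip, pkt.src_port, pkt.dst_ip)
        return Packet(self.public_ip, public_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Return the packet rewritten for the LAN, or None if it is dropped."""
        if pkt.dst_ip != self.public_ip:
            return None
        key = (pkt.dst_port, pkt.proto)
        entry = self.table.get(key)
        if entry is not None:
            private_ip, private_port, remote_ip = entry
            if pkt.src_ip != remote_ip:
                return None  # the port is mapped, but not for this remote host
            return Packet(pkt.src_ip, pkt.src_port, private_ip, private_port, pkt.proto)
        forward = self.forwards.get(key)
        if forward is not None:
            private_ip, private_port = forward
            return Packet(pkt.src_ip, pkt.src_port, private_ip, private_port, pkt.proto)
        return None  # unsolicited: the private host cannot be seen from outside


def demo() -> dict:
    """Walk through the cases with constructed RFC 5737 addresses."""
    gw = NatGateway("203.0.113.10")
    out = gw.outbound(Packet("192.168.4.20", 51000, "198.51.100.5", 80))
    reply = gw.inbound(Packet("198.51.100.5", 80, "203.0.113.10", out.src_port))
    stranger = gw.inbound(Packet("198.51.100.99", 80, "203.0.113.10", out.src_port))
    unsolicited = gw.inbound(Packet("198.51.100.5", 80, "203.0.113.10", 40999))
    gw.add_forward(9100, "192.168.4.50", 9100)  # hypothetical printer controller
    forwarded = gw.inbound(Packet("198.51.100.5", 1234, "203.0.113.10", 9100))
    return {"out": out, "reply": reply, "stranger": stranger,
            "unsolicited": unsolicited, "forwarded": forwarded}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:12} {pkt}")
```

The static forward is the one hole deliberately punched in the "invisible from outside" property: whatever listens on that private port is reachable by anyone on the Internet, which is why the article moved the plant onto the VPN instead.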
Here’s my solution. At the main office, where a Windows 2000 Server computer did the Routing and Network Address Translation, insert a SonicWall Pro-200 firewall appliance between the T1 Internet connection and the main network switch. Then change the DHCP tables so that all the computers use the new SonicWall as their gateway, instead of the Windows Server.
In the motor home, I upgraded to a DW4020 router. This makes the connection to the Internet look more like a telephone jack, and less like a USB connection. Then I placed a SonicWall TELE3 between the Hughes DW4020 and my network hub. Next came the software configuration.
Note, the DW4020 has since been upgraded to a DW7000 and the SonicWall is now a TZ170. Functionality remains the same.
By configuring the two SonicWall boxes to share the same ‘secret key’, they make a secure connection to each other. Then all my IP addresses of the form 192.168.16.x could be seen at the main office, and my computer in the motor home could see all their addresses of the form 192.168.4.x. I had arrived. But it was still slower than it was before VPN, and it wasn’t great then. The support department at SonicWall explained that a Static IP for the motor home was not necessary, as my box contacted the home office, and they had a static IP. But there is a performance issue there. In that configuration, the SonicWall must discover that there is a NAT box between the SonicWall boxes. And if this NAT is compatible, which the 4020 is, then the data proceeds, wrapped in TCP packets. Briefly, the TCP protocol sends data in groups of up to 1500 characters, and if the data fails to arrive, TCP will resend the packet. All this helpful processing adds delay. The SonicWalls would prefer to use the UDP protocol, directing packets of data between the machines and taking the responsibility of replacing lost data itself, as this happens infrequently. But for the home office to direct UDP packets to me, I would need a static IP, and the DW4020 would have to be re-programmed in some way to remove the NAT function. One more web setup, and with the service selection of 1 static IP, that was done.
One little techie note here on the number of IPs provided. Feel free to skip this paragraph unless you are curious. When you sign up for a single IP address, the 4020 is programmed to use a 4 IP subnet. The first and last address are not useable, for reasons that date back to the beginnings of the Internet. The 2nd address is used by the 4020, and that becomes your gateway address. The 3rd address is your ‘single’ IP address. I assigned that to the SonicWall. Then the SonicWall uses DHCP to assign local addresses of the form 192.168.16.x to each computer. There is a limit of 5 computers, due to licensing on the smaller TELE3 box. If I had selected the 5 IP service then I would have been assigned an 8 IP subnet.
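The subnet arithmetic behind that note, worked through in code. This is an added example, not the Hughes or SonicWall provisioning logic; it generalises the two cases in the text (1 IP gives a 4-address block, 5 IPs give an 8-address block) to any requested count. The address blocks are constructed sample values from the RFC 5737 documentation range.

```python
"""Provider subnet sizing: why a "single IP" arrives as a 4-address block (added example)."""
import ipaddress
import math
from typing import Dict, List


def provisioning_plan(cidr: str) -> Dict[str, object]:
    """Split an assigned block the way the article describes.

    The first and last addresses are the network and broadcast addresses and
    cannot be given to a host, the next one belongs to the provider's router
    (the customer's gateway), and the remainder are the customer's usable IPs.
    """
    net = ipaddress.IPv4Network(cidr, strict=True)
    if net.prefixlen > 30:
        raise ValueError("a block this small has no room for a gateway and a host")
    usable: List[ipaddress.IPv4Address] = list(net.hosts())  # drops network and broadcast
    gateway, customer = usable[0], usable[1:]
    return {
        "block": str(net),
        "unusable": [str(net.network_address), str(net.broadcast_address)],
        "gateway": str(gateway),
        "customer": [str(a) for a in customer],
    }


def prefix_for(customer_ips: int) -> int:
    """Smallest prefix length whose block holds network + broadcast + gateway
    plus the requested number of customer addresses (blocks come in powers of two)."""
    if customer_ips < 1:
        raise ValueError("need at least one customer address")
    needed = customer_ips + 3
    size = 1 << math.ceil(math.log2(needed))
    return 32 - int(math.log2(size))


if __name__ == "__main__":
    for n in (1, 5):
        prefix = prefix_for(n)
        plan = provisioning_plan(f"192.0.2.0/{prefix}")
        print(f"{n} IP service -> /{prefix} ({1 << (32 - prefix)} addresses): {plan}")
```

Running it reproduces the article's numbers: one customer address needs a /30 (4 addresses, one of them usable by the customer), five need a /29 (8 addresses), and a sixth would already push the provider to a /28.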
Now things worked better than before, and the company decided to place order-entry computers in two remote sales offices. Following the same plan as the motor home, but substituting a DSL line for the satellite, that went well. They used a non-static IP model, but since there was no satellite delay they were satisfied. With everything working so well, another Pro-200 box was purchased for the Camden NJ plant to simplify printing. We had been using translated port numbers to communicate with network printer controllers. Now all the Camden computers were part of our network, just as if we had a dedicated T1 line directly to the plant, which would have cost a fortune. We even allowed access to the Internet during break times, and turned it off automatically.
The only problem was that my connection at the motor home was so much more capable and robust than the home connections of the MIS director, the Engineering VP, and the Controller. More SonicWall TELE3s were purchased. My crystal ball sees more VoIP boxes in their future as well, but that is another story. Now I’m testing software that filters email packets at the network level to remove viruses and verifies that computers have the latest virus protection updates before allowing access to the public Internet.
About the author: John is a programmer/consultant who fulltimes in his motorhome.