#295104 - 12/03/2007 11:40
Some help on a little project of mine please...
carpal tunnel
Registered: 20/05/2001
Posts: 2616
Loc: Bruges, Belgium
Hi Guys, It's been a while since I've tinkered with PCs, and now the opportunity has come up for a nice little project, and I've decided to go ahead with it.

This is the situation: My father-in-law has a doctor's practice. In his practice he currently has two secretaries, who each have their own PC. Both of these PCs are hardwired to a Linksys router. This router is also fed with internet via an external Thomson 510 ADSL modem. My father-in-law himself uses a laptop which is also wirelessly connected to the Linksys router. He also has another practice in a different city, in which he works two days a week. In that practice he works alone; his secretaries remain at the 'main' office. He also sometimes works from home.

This is the current setup: All my father-in-law really needs is his one Access .mdb file. This file is used for everything: filing patients, making invoices, insurance companies, etc. Currently, this file is located physically on one of the secretaries' PCs (I'll call it SEC1 PC from here on). The other secretary works on the same file, via the LAN (SEC2 PC). She uses nothing that is locally installed. My father-in-law then also connects his laptop to the network, and daily uses some synchronisation software to create his daily backup onto his laptop. This also enables him to use this database when he works in the other city. One other thing he syncs is his Outlook appointments onto his PC (to put on his iPAQ). Not really a very complicated setup.

However, I would like to improve this setup. For one, I would like to use a central server, where this .mdb and Outlook stuff should be located. The way I see it, I've got two ways of doing this (not really knowing anything about Linux, or else - I agree - there would be a third option): I could run a small server with two disks in RAID 1 (for data integrity purposes), running Windows 2003 Server. I'd also like to use an extra backup of some sort (weekly or even daily, on an external HD which would be disconnected when not in use). I guess Windows 2003 has some backup software on board which could do this, no? OR I could use a NAS, like the Infrant ReadyNAS. But of course, that would mean I would have to use a different, VPN server capable router (see below). This would add to the complication, and would not necessarily be any cheaper, OR faster I think... What do you guys think? Windows 2003 (my preferred setup), or go the NAS route?

The second thing I would like to implement is a VPN tunnel to his second practice and his home address, so he could always securely and in real-time access that .mdb file and his appointments both at his second practice and at home. I've got several questions regarding this VPN, because that's something I've never done before. I would like to use D-Link DGL-4300 routers on all three addresses. Why? Because I use this router myself, I know what it can do and I've experienced this router as very flexible and stable. It's also got gigabit Ethernet ports, which is nice (and would actually be used in this setup). This router cannot be used as a VPN server (only VPN pass-through), but I don't think this would be necessary, because the Windows 2003 would take on that part, correct? In case I would use a NAS, I would need to use another router I suppose, one that does support VPN. I see VPN basically consists of two protocols, PPTP and IPsec. PPTP seems easier to implement, seems more flexible, but is also said to hold greater risks. Is this true? Which protocol would you use?

I would also need a very simple ADSL modem, to connect to the D-Link router. That Thomson modem is no good. It works for Internet, but yesterday I tried to install UltraVNC onto his office computers, but somehow this modem doesn't allow this. Using UltraVNC viewer from those PCs to another PC did work, but not the other way around. The router's ports were configured correctly. I even tried directly connecting the modem to the PC (removing the Linksys altogether), and though I did have internet access, VNC still didn't work. This Thomson modem is a very simple and basic model, in which little or nothing, apart from the account login and password, can be configured. So my guess is this modem will have to go. Any thoughts on which modem I should replace it with?

So this is my project basically. Probably a walk in the park for most of you, but challenging enough for me to be fun. I also more or less got carte blanche with regards to cost, so that's not really an issue. What do you guys think?
_________________________
Riocar 80gig S/N : 010101580 red Riocar 80gig (010102106) - backup
#295105 - 12/03/2007 12:03
Re: Some help on a little project of mine please...
[Re: BartDG]
carpal tunnel
Registered: 19/01/2002
Posts: 3584
Loc: Columbus, OH
Question about this MDB file... Is it separated into a front-end and back-end database? If so, is it self-created or from a vendor?
I've had good success with using mysql as the backend database for MS Access apps. MySQL server will run on both windows and linux and is significantly more stable for a network environment than an Access mdb file. You then simply link the tables through odbc and you'll never know it's there.
If you were to run MySQL or some other database of your choice, you could remotely connect to it through an SSH tunnel as opposed to a full VPN.
I had a similar situation for our reps when on the road. We have a customer database with an access front-end and mysql back-end. I wrote a little script that detects whether they are on the local network or not and if not, opens a ssh tunnel with putty and starts the database and automatically relinks the tables. Works great for our needs.
_________________________
~ John
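John's script is not posted in the thread; the following is an added example (not his code) of the same idea: decide from the machine's own address whether it is on the office LAN, and if not, point the ODBC link at a local port forwarded through an SSH tunnel opened with PuTTY's plink. The LAN range, database host, gateway name, driver name and key file are placeholders assumed for the example.

```python
"""Reach a MySQL back-end directly on the office LAN, or through an SSH
tunnel (plink, PuTTY's command-line client) when away from it.

Added example, not the poster's script. Placeholder assumptions:
office LAN 192.168.1.0/24, MySQL on 192.168.1.10:3306, SSH gateway
office.example.invalid, key-based login with a PuTTY .ppk key.
"""
import ipaddress
import socket
import subprocess
from typing import Optional, Tuple

OFFICE_LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed
DB_HOST = "192.168.1.10"                              # assumed MySQL server
DB_PORT = 3306
SSH_GATEWAY = "office.example.invalid"                # assumed SSH host
LOCAL_TUNNEL_PORT = 3307                              # local end of the forward


def local_ip_for(target: str) -> Optional[str]:
    """Address the OS would source from to reach target.
    A UDP connect() sends nothing, so this is safe to call anywhere."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.connect((target, 9))
        return s.getsockname()[0]
    except OSError:            # no route at all: treat as "not on the LAN"
        return None
    finally:
        s.close()


def on_office_lan(local_ip: Optional[str],
                  lan: ipaddress.IPv4Network = OFFICE_LAN) -> bool:
    """True only when our own address lies inside the office subnet."""
    if local_ip is None:
        return False
    return ipaddress.ip_address(local_ip) in lan


def choose_endpoint(local_ip: Optional[str],
                    lan: ipaddress.IPv4Network = OFFICE_LAN) -> Tuple[str, int, bool]:
    """(host, port, needs_tunnel) that the linked tables should point at.
    Off the LAN the database is never exposed directly: traffic goes to the
    loopback port that plink forwards over SSH."""
    if on_office_lan(local_ip, lan):
        return (DB_HOST, DB_PORT, False)
    return ("127.0.0.1", LOCAL_TUNNEL_PORT, True)


def tunnel_command(user: str, key_file: str) -> list:
    """plink arguments: -N (no remote shell), -batch (never prompt),
    -i (private key), -L local:remotehost:remoteport port forward."""
    return ["plink", "-N", "-batch", "-i", key_file,
            "-L", f"{LOCAL_TUNNEL_PORT}:{DB_HOST}:{DB_PORT}",
            f"{user}@{SSH_GATEWAY}"]


def open_tunnel(user: str, key_file: str) -> subprocess.Popen:
    """Start the forwarder in the background; keep the handle alive while
    Access is open and terminate() it afterwards."""
    return subprocess.Popen(tunnel_command(user, key_file))


def odbc_connection_string(host: str, port: int, database: str, user: str) -> str:
    """DSN-less string for relinking the Access tables (driver name assumed;
    the password is left to the driver's own prompt rather than embedded)."""
    return (f"DRIVER={{MySQL ODBC 5.1 Driver}};SERVER={host};PORT={port};"
            f"DATABASE={database};UID={user};")


if __name__ == "__main__":
    host, port, tunnel = choose_endpoint(local_ip_for(DB_HOST))
    proc = open_tunnel("rep", "rep.ppk") if tunnel else None
    print(odbc_connection_string(host, port, "customers", "rep"))
    if proc:
        proc.terminate()
```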
#295106 - 12/03/2007 12:11
Re: Some help on a little project of mine please...
[Re: BartDG]
carpal tunnel
Registered: 19/01/2002
Posts: 3584
Loc: Columbus, OH
A quick addendum: You could use the D-Link DI-824VUP router for the home office as opposed to the one you reference and the software should be very similar. Then you could use the VPN capabilities built-in to the router.
_________________________
~ John
#295107 - 12/03/2007 12:23
Re: Some help on a little project of mine please...
[Re: JBjorgen]
carpal tunnel
Registered: 20/05/2001
Posts: 2616
Loc: Bruges, Belgium
Quote: Question about this MDB file... Is it separated into a front-end and back-end database? If so, is it self-created or from a vendor?
Whoa... I have to be honest: I have no idea. My girlfriend created this database herself in access. I have to admit that I don't know what the difference is between a front-end or back-end database. I'll ask her to be sure.
Quote:
I've had good success with using mysql as the backend database for MS Access apps. MySQL server will run on both windows and linux and is significantly more stable for a network environment than an Access mdb file. You then simply link the tables through odbc and you'll never know it's there.
This sounds very nice! So you're saying I should run MySQL (have heard about this, but don't really know what it is... again: ), and link the tables to that? Could you explain this a bit more please? The way I was thinking to do it, was by simply putting this .MDB file onto the server, and giving access to it from the three different PCs. Since five people can work in one .MDB file at the same time, I didn't think this would be a problem. What would then actually be the benefit of using MySQL?
Quote:
If you were to run MySQL or some other database of your choice, you could remotely connect to it through an SSH tunnel as opposed to a full VPN.
Again: Seems I'm in for quite some fun. On the other hand, I also expect to learn a lot from it. So, here's one thing I can learn already...: what is the difference between those two?
Quote:
I had a similar situation for our reps when on the road. We have a customer database with an access front-end and mysql back-end. I wrote a little script that detects whether they are on the local network or not and if not, opens a ssh tunnel with putty and starts the database and automatically relinks the tables. Works great for our needs.
Sounds very nice, but a bit too much for our needs. Besides, I know my way around hardware a bit, but couldn't code myself out of a wet paper bag. So writing scripts myself will not be possible.
_________________________
Riocar 80gig S/N : 010101580 red Riocar 80gig (010102106) - backup
#295108 - 12/03/2007 12:24
Re: Some help on a little project of mine please...
[Re: JBjorgen]
carpal tunnel
Registered: 20/05/2001
Posts: 2616
Loc: Bruges, Belgium
Quote: A quick addendum: You could use the D-Link DI-824VUP router for the home office as opposed to the one you reference and the software should be very similar. Then you could use the VPN capabilites built-in to the router.
Well, this was one of the things I was wondering about: would it be better to use a Windows 2003 for a VPN setup, or a router which can do VPN? My guess is the first, because for what I would like to do, I would need Windows 2003 server anyway, or not? (Another reason is that a software solution is usually a lot more flexible than a hardware solution, or doesn't this apply in this case?)
_________________________
Riocar 80gig S/N : 010101580 red Riocar 80gig (010102106) - backup
#295109 - 12/03/2007 15:47
Re: Some help on a little project of mine please...
[Re: BartDG]
carpal tunnel
Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
I once tried to use the built-in Windows Server 2003 VPN features, using PPTP to tunnel in through the internet router. This worked, but it had one important drawback: Only one person can dial into the VPN at a time. If you have two users who need to VPN into the local office, you'll need to use a different method. Reason: PPTP VPN, when traversing NAT, encrypts the packets that tell it what the internal (nat-ed) addresses are. So you can get the router passing through the VPN packets just fine, but it can't tell the difference between one person's VPN connection and the next person's VPN connection. So what happens is, you get this all working, one guy connects to the VPN and is working fine. Then the second guy tries dialing into the VPN and the first guy's connection mysteriously drops, but the second guy works fine for a while. Until the first guy tries re-dialing... I gave up, said fuck it, replaced the cheapo router with a SonicWall TZ-170 with the client licenses for multiple VPN connections, and gave all the VPN users a disc to install the SonicWall VPN client software. Everything Just Worked after that. I could VPN as many simultaneous users as I'd paid client licenses for. I think that I was asking for similar help on this BBS during that time. It would have been almost exactly two years ago. Perhaps some of the information in that thread would help. Anyone got a link to it?
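The symptom described above (the first client drops the moment a second one connects through the same NAT router) comes down to the router having only one table entry for both tunnels. The toy connection tracker below is an added example, not from the thread: it keys TCP flows on port numbers, but PPTP's data channel (GRE, IP protocol 47) carries no ports, so two inside hosts tunnelling to the same VPN server collide on one entry. Addresses are constructed for the example.

```python
"""Toy NAT connection tracker reproducing the one-PPTP-client-at-a-time symptom.

Added example, not from the thread. Constructed addresses: office LAN
192.168.0.0/24 behind public 203.0.113.5, remote PPTP server 198.51.100.20.
The control channel is TCP/1723 (port-keyed, fine). The data channel is GRE
(IP protocol 47) with no port numbers, so a simple NAT can only key on
(protocol, remote address): a second inside host evicts the first.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PROTO_TCP, PROTO_GRE = 6, 47
PPTP_CONTROL_PORT = 1723


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None   # None for port-less protocols such as GRE
    dport: Optional[int] = None


class Nat:
    """Outbound key: (proto, remote_ip, public_port); value: inside (ip, port)."""

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.table: Dict[Tuple[int, str, Optional[int]], Tuple[str, Optional[int]]] = {}
        self.next_port = 40000
        self.log: List[str] = []

    def outbound(self, pkt: Packet):
        if pkt.proto == PROTO_TCP:
            # Port-keyed NAT: reuse the mapping for a known inside socket,
            # otherwise allocate a fresh public port for it.
            for key, inside in self.table.items():
                if key[0] == pkt.proto and key[1] == pkt.dst \
                        and inside == (pkt.src, pkt.sport):
                    return key
            key = (pkt.proto, pkt.dst, self.next_port)
            self.next_port += 1
        else:
            # Port-less protocol: only (proto, remote) is available as a key,
            # so a second inside host to the same server overwrites the first.
            key = (pkt.proto, pkt.dst, None)
            old = self.table.get(key)
            if old is not None and old[0] != pkt.src:
                self.log.append(f"evicted {old[0]} for {pkt.src}")
        self.table[key] = (pkt.src, pkt.sport)
        return key

    def inbound(self, pkt: Packet) -> Optional[str]:
        """Inside host a reply is delivered to, or None if there is no mapping."""
        inside = self.table.get((pkt.proto, pkt.src, pkt.dport))
        return inside[0] if inside else None


def simulate() -> dict:
    """Two inside hosts A and B both dial the same PPTP server through one NAT."""
    nat = Nat("203.0.113.5")
    server, a, b = "198.51.100.20", "192.168.0.10", "192.168.0.11"

    # Control channels: distinct public ports, both replies routed correctly.
    ka = nat.outbound(Packet(PROTO_TCP, a, server, 50001, PPTP_CONTROL_PORT))
    kb = nat.outbound(Packet(PROTO_TCP, b, server, 50002, PPTP_CONTROL_PORT))
    ctrl_ok = (
        nat.inbound(Packet(PROTO_TCP, server, nat.public_ip, PPTP_CONTROL_PORT, ka[2])) == a
        and nat.inbound(Packet(PROTO_TCP, server, nat.public_ip, PPTP_CONTROL_PORT, kb[2])) == b
    )

    # Data channels: A tunnels first and works; once B tunnels, the server's
    # GRE replies are handed to B and A's tunnel silently dies.
    nat.outbound(Packet(PROTO_GRE, a, server))
    gre_before = nat.inbound(Packet(PROTO_GRE, server, nat.public_ip))
    nat.outbound(Packet(PROTO_GRE, b, server))
    gre_after = nat.inbound(Packet(PROTO_GRE, server, nat.public_ip))

    return {"control_distinct": ctrl_ok, "gre_before": gre_before,
            "gre_after": gre_after, "log": nat.log}


if __name__ == "__main__":
    print(simulate())
```

The thread's remedy, terminating the VPN on the router itself, removes the NAT from the path of the GRE packets entirely, which is why it sidesteps this collision.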
#295110 - 12/03/2007 15:53
Re: Some help on a little project of mine please...
[Re: tfabris]
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
A lot of home routers these days are VPN endpoints. You shouldn't need to go to the expense of buying a SonicWall.
In fact, the DD-WRT replacement firmware for Broadcom routers includes VPN capabilities. Others might, too. That means you can get a VPN-enabled router for $50 or less.
Edited by wfaulk (12/03/2007 16:01)
_________________________
Bitt Faulk
#295111 - 12/03/2007 17:24
Re: Some help on a little project of mine please...
[Re: tfabris]
carpal tunnel
Registered: 20/05/2001
Posts: 2616
Loc: Bruges, Belgium
Quote: Only one person can dial into the VPN at a time. If you have two users who need to VPN into the local office, you'll need to use a different method.
Reason: PPTP VPN, when traversing NAT, encrypts the packets that tell it what the internal (nat-ed) addresses are. So you can get the router passing through the VPN packets just fine, but it can't tell the difference between one person's VPN connection and the next person's VPN connection.
This is indeed an important drawback. Even though I would never need more than two (theoretically three, but usually only one) simultaneous users, it's probably better to do it right first time without cutting corners. I take it this was a limitation of the PPTP protocol, and not Windows 2003's fault?
Quote:
I think that I was asking for similar help on this BBS during that time. It would have been almost exactly two years ago. Perhaps some of the information in that thread would help. Anyone got a link to it?
Yes, that would probably be very helpful! Cheers!
_________________________
Riocar 80gig S/N : 010101580 red Riocar 80gig (010102106) - backup
#295112 - 12/03/2007 17:25
Re: Some help on a little project of mine please...
[Re: wfaulk]
carpal tunnel
Registered: 20/05/2001
Posts: 2616
Loc: Bruges, Belgium
So I get it you guys suggest using a router which can act as a VPN IPsec server instead of just VPN pass-through? If so, that rules out that D-Link 4300 I referred to earlier. But no worries, I'm open to suggestions: which router would be a good one at a fair price? Things I would need on this router: wireless capability, a gigabit switch, and now also VPN IPsec server stuff. All the rest I would need (like port forwarding and stuff) is so common with even the cheapest routers these days I won't even bother to post it. I don't really stick with one brand: I just want a solution that works.
_________________________
Riocar 80gig S/N : 010101580 red Riocar 80gig (010102106) - backup
#295113 - 12/03/2007 17:35
Re: Some help on a little project of mine please...
[Re: BartDG]
carpal tunnel
Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
Quote: I take it this was a limitation of the PPTP protocol, and not Windows 2003's fault?
Correct.
Basically, it means: Trying to tunnel through a NAT router to a VPN server is really limited. You're better off getting a router that can work as a VPN endpoint itself. As was mentioned above, there are some cheap routers that work this way, or can be firmware-flashed to work this way.
#295114 - 12/03/2007 19:02
Re: Some help on a little project of mine please...
[Re: tfabris]
carpal tunnel
Registered: 20/05/2001
Posts: 2616
Loc: Bruges, Belgium
Quote:
Quote: I take it this was a limitation of the PPTP protocol, and not Windows 2003's fault?
Correct.
Basically, it means: Trying to tunnel through a NAT router to a VPN server is really limited. You're better off getting a router that can work as a VPN endpoint itself. As was mentioned above, there are some cheap routers that work this way, or can be firmware-flashed to work this way.
Thanks, that's crystal clear.
One more question though (this probably sounds very dumb to somebody who already knows this): My guess is I only need one of those VPN server capable routers? On the 'client' side, all I probably need to do is setup a VPN connection through windows? I mean, I don't need such a VPN router on both ends? (so on those ends, I could use a D-link 4300?)
_________________________
Riocar 80gig S/N : 010101580 red Riocar 80gig (010102106) - backup
#295115 - 12/03/2007 19:22
Re: Some help on a little project of mine please...
[Re: BartDG]
carpal tunnel
Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
In theory, yes, all you need at the client end is to set up a VPN connection through Windows, as long as the router at the head-end is configured properly (and it's of a type that really can accept a standard VPN connection instead of something proprietary).
Note that I tried to do that very thing two years ago with a cheap Linksys router that was, in theory, supposed to be able to work as a VPN endpoint. I couldn't get it to work. I gave up and went with SonicWall, which was more expensive, but which Just Worked.
My recommendation is to look online at the user manuals for the router you're thinking of getting (or the user manuals for the replacement flash software, if you're going that route), and make sure the instructions explicitly show how to set up such a situation, indicating that it's a supported feature. If you can find that info, then you're probably OK to buy that router.
#295116 - 12/03/2007 19:40
Re: Some help on a little project of mine please...
[Re: BartDG]
carpal tunnel
Registered: 29/08/2000
Posts: 14496
Loc: Canada
Quote: Things I would need on this router: wireless capability, a gigabit switch, and now also VPN IP sec server stuff. All the rest I would need (like port forwarding and stuff) is so common with even the cheapest routers these days I won't even bother to post it.
Heh.. Even my CAD$22.50 cheapie wireless-G routers have VPN endpoint functionality. I haven't used it (yet), but it probably works like everything else on it.
Cheers
Attachment: 295742-vpn.jpg
#295117 - 12/03/2007 19:49
Re: Some help on a little project of mine please...
[Re: tfabris]
carpal tunnel
Registered: 20/05/2001
Posts: 2616
Loc: Bruges, Belgium
Thanks for the info! Quote:
Note that I tried to do that very thing two years ago with a cheap Linksys router that was, in theory, supposed to be able to work as a VPN endpoint. I couldn't get it to work. I gave up and went with SonicWall, which was more expensive, but which Just Worked.
I've never heard of SonicWall over here, so I guess that brand is not all that common over here. (Though I do see they've got a UK and German site.) I wasn't going to use Linksys either. I've had bad experiences with it in the past. I was thinking more of Draytek, in particular the 2600g model, which can do about anything I want it to. The only thing it lacks is an internal gigabit switch it seems. Which I think is a shame, because all the PCs I'm going to connect it to have built-in gigabit ethernet connections. It seems gigabit routers are still pretty rare for consumer or semi-professional use. Shame.
Quote:
My recommendation is to look online at the user manuals for the router you're thinking of getting (or the user manuals for the replacement flash software, if you're going that route), and make sure the instructions explicitly show how to set up such a situation, indicating that it's a supported feature. If you can find that info, then you're probably OK to buy that router.
That's good advice, thanks!
_________________________
Riocar 80gig S/N : 010101580 red Riocar 80gig (010102106) - backup
#295118 - 12/03/2007 20:05
Re: Some help on a little project of mine please...
[Re: BartDG]
pooh-bah
Registered: 12/02/2002
Posts: 2298
Loc: Berkeley, California
I've seen this complaint here and elsewhere about the lack of gigabit home routers. Not a single home router is capable of routing at anything close to 100bT speeds. Assuming you own some duct tape and a patch cable, the only valid complaint is that you don't want to deal with two wall warts.
Matthew
#295119 - 12/03/2007 20:11
Re: Some help on a little project of mine please...
[Re: matthew_k]
carpal tunnel
Registered: 29/08/2000
Posts: 14496
Loc: Canada
Quote: I've seen this complaint here and elsewhere about the lack of gigabit home routers. Not a single home router is capable of routing at anything close to 100bT speeds.
Sure: client-to-client.
Quote:
Assuming you own some duct tape and a patch cable, the only valid complaint is that you don't want to deal with two wall warts.
Space. Power consumption. Survival of mankind, and all of that.
Edited by mlord (12/03/2007 20:30)
#295121 - 12/03/2007 20:55
Re: Some help on a little project of mine please...
[Re: BartDG]
pooh-bah
Registered: 12/02/2002
Posts: 2298
Loc: Berkeley, California
Quote: Sure: client-to-client.
I know Cisco likes to make claims about layer 3 switches, but I always tend to work with the classic vocabulary of layer 2 being switching and layer 3 being routing.
Quote: ...(small one)...(even smaller one)... and the fact that it doesn't look so...neat.
Well, I guess we differ, as I'm of the opinion that nothing looks neater than a full rack o' hardware with lots o' blinken' lights.
But in all seriousness. Routers come and go, switching hardware comes and goes, but rarely do your VPN or routing needs change at the same time as your number of computers or speed of ethernet changes. The simplicity of one device will cost you each time you want to upgrade one of the underlying components.
Matthew
#295122 - 12/03/2007 21:10
Re: Some help on a little project of mine please...
[Re: matthew_k]
carpal tunnel
Registered: 20/05/2001
Posts: 2616
Loc: Bruges, Belgium
Fair enough. But I figured, since I'm re-doing this whole setup anyway, I might as well immediately do it the right way, so my father-in-law will be set until his retirement. Guess it's not going to happen, and I'll end up with 100bT. Oh well, I can think of worse things.
_________________________
Riocar 80gig S/N : 010101580 red Riocar 80gig (010102106) - backup
#295123 - 12/03/2007 21:27
Re: Some help on a little project of mine please...
[Re: tfabris]
old hand
Registered: 16/02/2002
Posts: 867
Loc: Oxford, UK
Quote: I gave up, said fuck it, replaced the cheapo router with a SonicWall TZ-170
Seconded. The VPN "just works" on these and you can distribute the VPN client to as many users as you want. They've recently stopped bundling the single VPN client licence with the low-end 10 user models but the licence is £20+tax in the trade so not a biggie I guess.
I recently snagged an unlimited user TZ170 with 6-months sonicwall warranty remaining off eBay for about £65 - while I don't need the unlimited user licence, the Enhanced OS has very granular configuration options. Not that that's doing down the Standard OS - that's actually better in terms of user friendliness, truth be told.
#295124 - 12/03/2007 21:42
Re: Some help on a little project of mine please...
[Re: BartDG]
old hand
Registered: 16/02/2002
Posts: 867
Loc: Oxford, UK
The Draytek Vigor is a good router. On the surface they look overpriced (eBay is your friend) but they use the Windows VPN client and are a doddle to set up. I still prefer the Sonicwall TZ170 personally.
Rather than shifting .mdb data across the wire, personally I would simply use Server 2003's remote desktop connection and merely use the travelling PC as a terminal. AFAIK, you get a bundled 1-user administrator licence for remote desktop. The benefits are that you're reducing the risk of corrupting the .mdb file if your remote connection drops, you are not carrying possibly sensitive data around on a laptop that is easily lost/stolen, everything is taking place on the local server so your remote connection speed just limits your screen updating speed, your remote PC requirements are minimal.
As far as remote desktop goes router-wise, VPN is the more secure option. Not recommended but if you know the IP range(s) you will appear on remotely, you could take the risk and use port forwarding I suppose (choose a strong password and keep the server patched!).
#295125 - 13/03/2007 02:55
Re: Some help on a little project of mine please...
[Re: AndrewT]
carpal tunnel
Registered: 06/10/1999
Posts: 2591
Loc: Seattle, WA, U.S.A.
Quote: ... Rather than shifting .mdb data across the wire, personally I would simply use Server 2003's remote desktop connection and merely use the travelling PC as a terminal. AFAIK, you get a bundled 1-user administrator licence for remote desktop. The benefits are that you're reducing the risk of corrupting the .mdb file if your remote connection drops, you are not carrying possibly sensitive data around on a laptop that is easily lost/stolen, everything is taking place on the local server so your remote connection speed just limits your screen updating speed, your remote PC requirements are minimal.....
I read down through the discussion waiting to see someone make the point you make here re: "rather than shifting .mdb data across the wire." And I would say that this is doubly important if, as seems the case, this is a monolithic MS-Access application -- no separation of data and interface. I've never seen folks less happy than some cases of people trying to run monolithic MS-Access apps natively off of a disk far, far away. Separating out data into something like MySQL could improve this, but, for many folks that adds too much complexity relative to scale of what is being done. Remote control (RDP, Terminal services, Citrix) lets you be fairly content with an unmodified LAN-oriented app.
Once your network/VPN bits are sorted out, you might try an A-B comparison. From your remote PC, open the MDB from whatever directory you have shared on box "X". Then run box X from the same client via RDP -- opening your MDB in that RDP session -- and see if you aren't happier. And no data sloshing around.
_________________________
Jim
'Tis the exceptional fellow who lies awake at night thinking of his successes.
#295126 - 13/03/2007 06:33
Re: Some help on a little project of mine please...
[Re: AndrewT]
carpal tunnel
Registered: 18/01/2000
Posts: 5683
Loc: London, UK
Quote: The Draytek Vigor is a good router. ... I still prefer the Sonicwall TZ170 personally.
At work, we have a Sonicwall as the VPN "server", and the company recommends Drayteks as VPN clients to it.
_________________________
-- roger
#295127 - 13/03/2007 10:48
Re: Some help on a little project of mine please...
[Re: Roger]
carpal tunnel
Registered: 19/01/2002
Posts: 3584
Loc: Columbus, OH
We use a SonicWall Pro 2040 with Enhanced OS here at the office and TZ-710's at each VPN endpoint. Works fantastic, but is a little overkill for what you're doing. Here's the link to Tony's thread. I believe I originally recommended the SonicWall there. Glad it's still working out ok. From that same thread, the inexpensive store where I purchase mine.
#295128 - 13/03/2007 12:56
Re: Some help on a little project of mine please...
[Re: JBjorgen]
carpal tunnel
Registered: 20/05/2001
Posts: 2616
Loc: Bruges, Belgium
Cheers for the info John! I'll have a good look. I've also been looking at the SonicWALL website, and albeit more expensive than an ordinary router, I still think these devices are priced reasonably. I believe the best choice would be either the SonicWALL TZ 150 Wireless or the SonicWALL TZ 170 Wireless. (European pages with detailed spec PDFs here (150) and here (170).) Which one would be the best choice for what I want to use it for? Remember, I would normally never need any more VPN connections than three (usually only one, possibly two). What is the difference between those two?

I see the 150 only supports site-to-site VPN tunnels (which is what I need I think), and optionally also Global VPN account licences (what is this?). The 170 wireless seems to support both? There is also talk about 10 node support (2), 25 node (10) and unlimited node support of the 170. I don't see this in the 150's spec sheet. What exactly is this, and do I need it?

I also see both these routers have anti-virus, anti-spyware and intrusion prevention features built-in. Very cool! Of those first two, I never knew this was possible in hardware. Is this reliable? (anti-vir and anti-spyware I mean) Does this mean I do not need to install an anti-virus package on the PCs anymore?? Any other important differences between those routers? As always, a big thanks for any info you guys can provide!
_________________________
Riocar 80gig S/N : 010101580 red Riocar 80gig (010102106) - backup
#295129 - 13/03/2007 13:24
Re: Some help on a little project of mine please...
[Re: BartDG]
carpal tunnel
Registered: 30/10/2000
Posts: 4931
Loc: New Jersey, USA
Just FYI, I have a used SonicWall TZ 170 (non wireless) available for sale if interested. It's a US model. I don't know what would be different other than the power adapter.
It's a 25-user model and has 2 VPN licenses. I don't know how to transfer ownership, but if worst comes to worst, I can just provide the login details for the update/software package service.
I would let it go for $200. I have attached a screen shot of the main status page.
Attachment: 295801-170tz.gif
_________________________
-Rob Riccardelli 80GB 16MB MK2 090000736
#295130 - 13/03/2007 13:36
Re: Some help on a little project of mine please...
[Re: robricc]
carpal tunnel
Registered: 20/05/2001
Posts: 2616
Loc: Bruges, Belgium
Quote: Just FYI, I have a used SonicWall TZ 170 (non wireless) available for sale if interested. It's a US model. I don't know what would be different other than the power adapter.
Thanks for the offer Rob. (good price too!), but sorry, I really need a wireless model.
Quote:
It's a 25-user model and has 2 VPN licenses.
What does this mean? 25 users can connect to this router, but only two of them can be outside clients via VPN? (the 23 others are on the local LAN I mean?)
Quote:
I have attached a screen shot of the main status page.
Thanks for the pic. That gives me some idea of the interface.
Cheers!
_________________________
Riocar 80gig S/N : 010101580 red Riocar 80gig (010102106) - backup
#295131 - 13/03/2007 13:39
Re: Some help on a little project of mine please...
[Re: BartDG]
carpal tunnel
Registered: 30/10/2000
Posts: 4931
Loc: New Jersey, USA
Quote:
Quote:
It's a 25-user model and has 2 VPN licenses.
What does this mean? 25 users can connect to this router, but only two of them can be outside clients via VPN? (the 23 others are on the local LAN I mean?)
I'm pretty sure it means there can be 25 local users and 2 VPN users simultaneously. We only have about 16 local nodes, so the limits were never tested.
_________________________
-Rob Riccardelli 80GB 16MB MK2 090000736
#295132 - 13/03/2007 13:53
Re: Some help on a little project of mine please...
[Re: robricc]
carpal tunnel
Registered: 20/05/2001
Posts: 2616
Loc: Bruges, Belgium
Quote: I'm pretty sure it means there can be 25 local users and 2 VPN users simultaneously. We only have about 16 local nodes, so the limits were never tested.
That would be more than sufficient for me as well. I would rather have seen three VPN users, but two would do. 25 users is overkill. I need no more than 5.
Thx for the info!
_________________________
Riocar 80gig S/N : 010101580 red Riocar 80gig (010102106) - backup
#295133 - 13/03/2007 14:01
Re: Some help on a little project of mine please...
[Re: BartDG]
carpal tunnel
Registered: 30/10/2000
Posts: 4931
Loc: New Jersey, USA
Just to be clear, the router originally came with 1 VPN license. A second license was purchased at a later date. No matter what SonicWall model/package you purchase, there is always the option to upgrade things through mysonicwall.com as your needs grow. It's a pretty neat system.
_________________________
-Rob Riccardelli 80GB 16MB MK2 090000736
#295134 - 13/03/2007 14:11
Re: Some help on a little project of mine please...
[Re: robricc]
carpal tunnel
Registered: 20/05/2001
Posts: 2616
Loc: Bruges, Belgium
Great! Thanks for the clarification!
_________________________
Riocar 80gig S/N : 010101580 red Riocar 80gig (010102106) - backup
#295135 - 13/03/2007 14:12
Re: Some help on a little project of mine please...
[Re: BartDG]
old hand
Registered: 16/02/2002
Posts: 867
Loc: Oxford, UK
Quote: Remember, I would normally never need any more VPN connections than three. (usually only one, possibly two)
Bear in mind that these are *simultaneous* connection licences; you can have as many client PCs configured ready for VPN as you like.
Quote: I see the 150 only supports site-to-site VPN tunnels (which is what I need I think), and optionally also Global VPN account licences (what is this?).
Site-to-site VPN is for a semi-permanent "nailed-up" VPN connection between 2 remote sites - you don't want that. Group VPN is what you will be using from your remote PC. If you're contemplating buying new then give www.tekdata.co.uk a call - their support people are very clued up on Sonicwall products and they may even save you buying more than you need.
#295136 - 13/03/2007 15:29
Re: Some help on a little project of mine please...
[Re: BartDG]
|
carpal tunnel
Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
|
Quote: That would be more than sufficient for me as well. I would rather have seen three VPN users, but two would do. 25 users is overkill. I need no more than 5.
I just read back over my old thread about Sonicwall. I'd forgotten how much trouble I went to in order to set it up!
Clarification on the way Sonicwall handles VPN: You can purchase VPN-user-license "packs" that you add on to the router as you need them. At least that's the way it worked on the TZ170 I had.
Looking back on my old thread, I see a few things that tripped me up, so learning from my experience might help. If you do decide to go the sonicwall route, here were the two big things that I wasted most of my time on:
- Trying to put the VPN server in a DMZ was more hassle than it was worth and I couldn't get it to work. Instead, I had to put my DSL Modem into "bridge" mode so that the sonicwall box was the internet-facing appliance.
- Trying to configure the Windows VPN client to connect to the sonicwall VPN was more hassle than it was worth and I couldn't get it to work. Instead, I simply had to purchase a few licences for the proprietary sonicwall VPN client, then give the users burned CDs of the sonicwall client software.
Something else looking back that I'm realizing... Back then, I didn't understand how simple it was to set up a RADIUS server. So I actually had to punch in user names and passwords for each VPN client into both the 2003 server and the sonicwall box individually. If you set up the 2003 server properly, then tell the sonicwall box that it's got a RADIUS server to talk to, then you don't need to manage the usernames and passwords in two places. You just set up users on the 2003 server and set the proper permissions. I should have done it that way.
#295137 - 13/03/2007 15:46
Re: Some help on a little project of mine please...
[Re: tfabris]
|
carpal tunnel
Registered: 30/10/2000
Posts: 4931
Loc: New Jersey, USA
|
Quote: - Trying to configure the Windows VPN client to connect to the sonicwall VPN was more hassle than it was worth and I couldn't get it to work. Instead, I simply had to purchase a few licences for the proprietary sonicwall VPN client, then give the users burned CDs of the sonicwall client software.
SonicWall Global VPN client is freely downloadable here. I don't know if that was always the case, but it has been for at least the past year or two.
_________________________
-Rob Riccardelli 80GB 16MB MK2 090000736
#295138 - 13/03/2007 16:46
Re: Some help on a little project of mine please...
[Re: tfabris]
|
carpal tunnel
Registered: 20/05/2001
Posts: 2616
Loc: Bruges, Belgium
|
Quote:
Clarification on the way Sonicwall handles VPN: You can purchase VPN-user-license "packs" that you add on to the router as you need them. At least that's the way it worked on the TZ170 I had.
This is one of the reasons (the other is cost) I'm still in doubt whether to buy one of the SonicWALL routers or a Draytek one. I'll read some more reviews on the web on both and then make up my mind.
Quote:
- Trying to put the VPN server in a DMZ was more hassle than it was worth and I couldn't get it to work. Instead, I had to put my DSL Modem into "bridge" mode so that the sonicwall box was the internet-facing appliance.
This is the way I've been planning to do the whole setup all along. So that's not a problem for me.
Quote:
- Trying to configure the Windows VPN client to connect to the sonicwall VPN was more hassle than it was worth and I couldn't get it to work. Instead, I simply had to purchase a few licences for the proprietary sonicwall VPN client, then give the users burned CDs of the sonicwall client software.
I don't like this all that much, but this point has been rendered unimportant by Rob's response below. On the other hand, I would prefer things not to use proprietary stuff.
Quote:
Something else looking back that I'm realizing... Back then, I didn't understand how simple it was to set up a RADIUS server.
Valid point, but this setup will be for four users maximum, and will never change anymore. So this won't be necessary for what I'm planning to do.
I have been reading up on the thread of your experiences. Very informative! And I understand about 80% of what is said in that thread, so I guess it's not all that bad.
_________________________
Riocar 80gig S/N : 010101580 red Riocar 80gig (010102106) - backup
#295139 - 13/03/2007 16:47
Re: Some help on a little project of mine please...
[Re: robricc]
|
carpal tunnel
Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
|
Quote: SonicWall Global VPN client is freely downloadable here. I don't know if that was always the case, but it has been for at least the past year or two.
Yes, the client software is freely downloadable. That's not where the restriction lies. It's the Sonicwall appliance that needs the licenses added to it. Doesn't matter if you have a billion people trying to connect, it'll only let in X number of people, where X is the number of licenses you purchased for that appliance.
#295140 - 13/03/2007 17:00
Re: Some help on a little project of mine please...
[Re: BartDG]
|
carpal tunnel
Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
|
Quote: this setup will be for four users maximum, and will never change anymore.
ROFLMAO
Oh, I'm sorry, you were serious?
Yeah, um... Change and expansion is inevitable in all networking systems. No matter how much you expect it to stay static.
In my experience, networked systems have only two directions to go: Expansion and upgrade, or complete dismantling if the company goes out of business. They never just get smaller and they never stay the same.
Quote: I have been reading up on the thread of your experiences. Very informative! And I understand about 80% of what is said in that thread, so I guess it's not all that bad.
Hey, that's a better comprehension level than my 2%.
#295141 - 13/03/2007 17:17
Re: Some help on a little project of mine please...
[Re: tfabris]
|
carpal tunnel
Registered: 20/05/2001
Posts: 2616
Loc: Bruges, Belgium
|
Quote:
Quote: this setup will be for four users maximum, and will never change anymore.
ROFLMAO
Oh, I'm sorry, you were serious?
Yeah, um... Change and expansion is inevitable in all networking systems. No matter how much you expect it to stay static.
Normally, I would agree with you. But not in this case, because this is not a 'company' network. My father-in-law works for himself, with only one secretary to help. One of his daughters (not my GF) is also working for him now on a temporary basis because she is out of work ATM and he wanted to help out. So the normal situation is 2 persons, that's it. He's worked like this for 15 years now, and I'm pretty sure it'll stay like that for the next 10 years or so he still has to go before his retirement.
Quote:
In my experience, networked systems have only two directions to go: Expansion and upgrade, or complete dismantling if the company goes out of business. They never just get smaller and they never stay the same.
Well, this will probably be the exception which confirms the rule then.
Quote:
Quote: I have been reading up on the thread of your experiences. Very informative! And I understand about 80% of what is said in that thread, so I guess it's not all that bad.
Hey, that's a better comprehension level than my 2%.
Cheers!
_________________________
Riocar 80gig S/N : 010101580 red Riocar 80gig (010102106) - backup
#295142 - 13/08/2007 15:13
Re: Some help on a little project of mine please...
[Re: BartDG]
|
carpal tunnel
Registered: 20/05/2001
Posts: 2616
Loc: Bruges, Belgium
|
Hi Guys! Dragging up this old thread again, because 'implementation day' is quickly approaching, and I'm trying to cover as much theoretical ground as I can... I finally decided to do the VPN tunnelling via Draytek 2800G DSL routers, which should be very much up to this task. Now, this is probably a stupid question to you expert users out there, but here goes anyway... Trying to do the following: set up a VPN between two Draytek 2800G routers, obviously in different geographical locations. I've read the VPN LAN to LAN FAQ here, and I understand what it says. There's just one thing that puzzles me. The FAQ says: it is essential different subnets are used for each connecting network. I understand this, and also understand how and why this would be necessary. However, do I need to set up this subnet somewhere in the router's web interface? And, if so, where? (see this DrayTek router's web interface HERE) Or does the subnet simply follow the IP subnet the router is set to?? E.g. it should be something like this:
Location 1:
192.168.1.0 (= subnet)
Router IP: 192.168.1.1
Subnet mask: 255.255.255.0
NAT IP range behind router: 192.168.1.50 to 192.168.1.100 (which means 50 devices can be connected to the router, which should be MORE than enough)
Location 2:
192.168.2.0 (= subnet)
Router IP: 192.168.2.1
Subnet mask: 255.255.255.0
NAT IP range behind router: 192.168.2.50 to 192.168.2.100
Now, back to my question: I can set up the router IP, I can set up the subnet mask.... but where do I set up the subnet itself?? Or again, will it simply follow the subnet I choose with the router's IP? Thanks in advance!
_________________________
Riocar 80gig S/N : 010101580 red Riocar 80gig (010102106) - backup
#295143 - 13/08/2007 15:31
Re: Some help on a little project of mine please...
[Re: BartDG]
|
carpal tunnel
Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
|
You set up the subnets in the DHCP server. That's the thing responsible for assigning addresses to its clients.
When I set up my VPN, I discovered very quickly that I couldn't give my main company network the address range of 192.168.0 or 192.168.1 because those ranges were so common among the people who were dialing in. So there would be address conflicts and confusion after they connected. So my main network became 192.168.2, and its DHCP server assigned their VPN connections unique addresses in that .2 range when they connected.
Out at the remote end, their local LANs should be set up as 192.168.1 or .0 or 10.something. If the VPN appliance on their side of the WAN connection *is* the DHCP server, then set it to dole out addresses in those ranges.
#295144 - 13/08/2007 16:20
Re: Some help on a little project of mine please...
[Re: BartDG]
|
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
|
Quote: I can setup the router IP, I can setup the subnetmask.... but where do I setup the subnet itself?? Or again, will it simply follow the subnet I choose with the router's IP?
When you set the router's LAN-side IP address and netmask, you define the subnet. There is no need to specify the network manually; it's trivially inferable. For verification, go to "Diagnostics->Routing Table" and you'll see your subnet.
On the other hand, it looks like the router requires that you manually configure the subnet or subnets of the remote LAN into the VPN rules. It's under "VPN and Remote Access->LAN to LAN->4. TCP/IP Network Settings->Remote Network IP and Remote Network Mask".
_________________________
Bitt Faulk
#295145 - 13/08/2007 16:24
Re: Some help on a little project of mine please...
[Re: tfabris]
|
carpal tunnel
Registered: 20/05/2001
Posts: 2616
Loc: Bruges, Belgium
|
Ah, ok! Thanks Tony!
So, just to see if I get this correctly, when transposing all this to my D-Link router at home (to have another example): this one is set at:
Router IP address: 192.168.0.1
DHCP IP Address Range: 192.168.0.100 to 192.168.0.199
In this case, the subnet is the DHCP address range (100 to 199), and not the entire 254 addresses available through the 192.168.0.x IP number?
Only: in this case, the router's IP is not part of the subnet then... does that matter in any way? Or not at all? Thanks!
_________________________
Riocar 80gig S/N : 010101580 red Riocar 80gig (010102106) - backup
#295146 - 13/08/2007 16:24
Re: Some help on a little project of mine please...
[Re: tfabris]
|
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
|
Quote: You set up the subnets in the DHCP server.
No. A DHCP server does not define your network any more than a computer with a static IP address defines your network. You have to make sure that the DHCP server is handing out IP addresses within the range defined by your existing IP network configuration, but it does not define the network itself. The network is defined logically; it's not really defined by any configuration file. You just have to make sure that all IP addressing configuration, whether via DHCP, static IP address assignment, routers, other routing, etc., all conforms to the plan you've made.
_________________________
Bitt Faulk
#295147 - 13/08/2007 16:25
Re: Some help on a little project of mine please...
[Re: BartDG]
|
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
|
Tony has pushed you in the wrong direction. Forget what you think you learned.
_________________________
Bitt Faulk
#295148 - 13/08/2007 16:30
Re: Some help on a little project of mine please...
[Re: wfaulk]
|
carpal tunnel
Registered: 20/05/2001
Posts: 2616
Loc: Bruges, Belgium
|
Quote: On the other hand, it looks like the router requires that you manually configure the subnet or subnets of the remote LAN into the VPN rules. It's under "VPN and Remote Access->LAN to LAN->4. TCP/IP Network Settings->Remote Network IP and Remote Network Mask".
Ah... so I do need to enter it manually? No worries. But erm... I know what my WAN IP is. I also know what the 'Remote Gateway IP' is (the IP of the remote router). But what is the 'Remote Network IP' and the 'Remote Network mask' ? Is that the 'begin' and 'end' value of the remote subnet? Thanks!
_________________________
Riocar 80gig S/N : 010101580 red Riocar 80gig (010102106) - backup
#295149 - 13/08/2007 16:42
Re: Some help on a little project of mine please...
[Re: BartDG]
|
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
|
Okay, you have a router whose internal IP address is 192.168.1.1 and another whose internal IP address is 192.168.2.1. This implies that your two networks are 192.168.1.0/255.255.255.0 and 192.168.2.0/255.255.255.0, respectively. (Actually, it doesn't imply the netmask, but you already told us those.) On the 192.168.1.1 router, the remote network and netmask are 192.168.2.0 and 255.255.255.0. On the 192.168.2.1 router, the remote network and netmask are 192.168.1.0 and 255.255.255.0. Each router wants to know what network it's supposed to be expecting on the remote side.
_________________________
Bitt Faulk
#295150 - 13/08/2007 16:54
Re: Some help on a little project of mine please...
[Re: wfaulk]
|
carpal tunnel
Registered: 20/05/2001
Posts: 2616
Loc: Bruges, Belgium
|
Quote: Okay, you have a router whose internal IP address is 192.168.1.1 and another whose internal IP address is 192.168.2.1. This implies that your two networks are 192.168.1.0/255.255.255.0 and 192.168.2.0/255.255.255.0, respectively. (Actually, it doesn't imply the netmask, but you already told us those.) On the 192.168.1.1 router, the remote network and netmask are 192.168.2.0 and 255.255.255.0. On the 192.168.2.1 router, the remote network and netmask are 192.168.1.0 and 255.255.255.0. Each router wants to know what network it's supposed to be expecting on the remote side.
Ok, now it's clear to me Bitt! Thanks! The Remote Network mask is obviously the subnet mask (duh! Stupid of me!).
Thanks for the info, this should allow me to setup the VPN now!
_________________________
Riocar 80gig S/N : 010101580 red Riocar 80gig (010102106) - backup
#295151 - 13/08/2007 17:11
Re: Some help on a little project of mine please...
[Re: BartDG]
|
carpal tunnel
Registered: 20/05/2001
Posts: 2616
Loc: Bruges, Belgium
|
Just to add to that: I wasn't wrong then when I stated the subnet is determined by the IP number the router is given? (as you say, when the router's IP address is 192.168.1.1, the subnet is 192.168.1.x, when the router's IP address is 192.168.2.1, the subnet is 192.168.2.x, when the router's IP address is 192.168.3.1, the subnet is 192.168.3.x, etc...) Correct?
_________________________
Riocar 80gig S/N : 010101580 red Riocar 80gig (010102106) - backup
#295152 - 13/08/2007 17:26
Re: Some help on a little project of mine please...
[Re: BartDG]
|
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
|
Well, like I said, the network definition is really abstract; it exists only in what you think it is, not in any one configuration file. However, if there was to be a single point of definition, it would have to be the router's configuration, as all traffic except local traffic has to go through the router. Of course, it's just as possible for the router's configuration to be incorrect as it is for any other computer's configuration to be incorrect, but the router being incorrect would affect all the other computers on the network, while any other computer being wrong would affect only the individual computer.
But, yes, you can infer the network from a (correct) IP address along with its netmask. However, something that isn't immediately obvious to practical beginners is that a network can contain more or fewer IP addresses than just the 256 defined by changing the final number. If the netmask is bigger, the network will be smaller, and vice versa. A 255.255.255.0 netmask, which is the most common netmask that novices will encounter, implies that the network is the first three numbers static, with the last number running from 0 to 255, so it's easy to infer that a computer with that netmask has a network that is the first three numbers of its IP address followed by a zero. (The network is traditionally referred to by the lowest number in the sequence, which is unusable by a computer on the network.) If the netmask were, for example, 255.255.255.240, that would imply a network with only 16 IP addresses, and if a computer in that network had an IP address of 192.168.5.67, the network's range would be 192.168.5.64-79, with the network being named 192.168.5.64. On the other hand, if the netmask were 255.255.240.0, that would be a network of 4096 IP addresses, and the same IP address would imply a range of 192.168.0.0 through 192.168.15.255.
Confused yet?
_________________________
Bitt Faulk
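Bitt's subnet inference above, Bart's two-location layout in #295142, and the "Remote Network IP / Remote Network Mask" fields from #295149, worked through as an added example (my own code, not from the thread or from DrayTek). It uses Python's standard ipaddress module; the sample addresses are the ones the thread itself uses, and the site tuples and function names are mine.

```python
import ipaddress

# Sample values are the thread's own: the two practice locations
# (192.168.1.1 and 192.168.2.1, both 255.255.255.0), the home D-Link
# (192.168.0.1 with DHCP pool .100-.199) and Bitt's 192.168.5.67 examples.


def network_of(ip: str, netmask: str) -> ipaddress.IPv4Network:
    """Infer the subnet from a host address (e.g. the router's LAN IP) and
    its netmask. strict=False masks off the host bits, so
    192.168.5.67/255.255.255.240 becomes 192.168.5.64/28."""
    return ipaddress.IPv4Network(f"{ip}/{netmask}", strict=False)


def describe(ip: str, netmask: str) -> dict:
    """Network address, prefix length, size and address range implied by
    ip/netmask; this is what Diagnostics->Routing Table would show."""
    net = network_of(ip, netmask)
    return {
        "network": str(net.network_address),
        "prefix": net.prefixlen,
        "size": net.num_addresses,
        "last": str(net.broadcast_address),
    }


def dhcp_pool_inside(pool_start: str, pool_end: str, ip: str, mask: str) -> bool:
    """Bitt's point: the DHCP range does not define the subnet; it must only
    lie inside the subnet the router's IP and mask already define."""
    net = network_of(ip, mask)
    return (ipaddress.IPv4Address(pool_start) in net
            and ipaddress.IPv4Address(pool_end) in net)


def sites_overlap(site_a: tuple, site_b: tuple) -> bool:
    """True if the two LANs share addresses (what the Draytek FAQ forbids)."""
    return network_of(*site_a).overlaps(network_of(*site_b))


def lan_to_lan_settings(site_a: tuple, site_b: tuple) -> dict:
    """Derive each router's 'Remote Network IP' / 'Remote Network Mask' for
    a LAN-to-LAN tunnel. A site is (router_lan_ip, netmask). Overlapping
    subnets are refused: the tunnel could not route between them."""
    if sites_overlap(site_a, site_b):
        raise ValueError("the two sites overlap; renumber one of them")
    net_a, net_b = network_of(*site_a), network_of(*site_b)
    return {
        "router_a": {"remote_network_ip": str(net_b.network_address),
                     "remote_network_mask": str(net_b.netmask)},
        "router_b": {"remote_network_ip": str(net_a.network_address),
                     "remote_network_mask": str(net_a.netmask)},
    }


if __name__ == "__main__":
    for ip, mask in [("192.168.1.1", "255.255.255.0"),
                     ("192.168.5.67", "255.255.255.240"),
                     ("192.168.5.67", "255.255.240.0")]:
        print(ip, mask, "->", describe(ip, mask))
    print(lan_to_lan_settings(("192.168.1.1", "255.255.255.0"),
                              ("192.168.2.1", "255.255.255.0")))
    # Home D-Link: the DHCP pool is a subset of the subnet, not the subnet
    print(dhcp_pool_inside("192.168.0.100", "192.168.0.199",
                           "192.168.0.1", "255.255.255.0"))
    print(sites_overlap(("192.168.1.1", "255.255.255.0"),
                        ("192.168.1.1", "255.255.255.0")))
```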
#295153 - 13/08/2007 17:39
Re: Some help on a little project of mine please...
[Re: wfaulk]
|
carpal tunnel
Registered: 20/05/2001
Posts: 2616
Loc: Bruges, Belgium
|
Yes and no. I understand what subnet masking is. I tried to grasp the theory behind it a few months ago just because I think it's interesting to know about. But indeed, it's not very simple. I did understand however that a lot of network admins don't understand it 100% either, and because of this use some sort of online subnet calculator to find the correct subnet and mask they need for their project. (for the record: I don't think you're one of those!) Thanks again for the info, it should work out now!
_________________________
Riocar 80gig S/N : 010101580 red Riocar 80gig (010102106) - backup
#295154 - 13/08/2007 17:47
Re: Some help on a little project of mine please...
[Re: BartDG]
|
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
|
Quote: I did understand however that a lot of network admins don't understand it 100% either, and because of this use some sort of online subnet calculator to find the correct subnet and mask they need for their project. (for the reference: I don't think you're one of those!)
I understand it, but I still use a calculator because the math is sort of irritating. It's actually fairly easy to memorize the majority of it, but I don't use it often enough for it to stick in my memory.
_________________________
Bitt Faulk
#295155 - 13/08/2007 21:29
Re: Some help on a little project of mine please...
[Re: wfaulk]
|
carpal tunnel
Registered: 20/05/2001
Posts: 2616
Loc: Bruges, Belgium
|
Bitt, I just re-read your first response to my question again, and only now realised you already gave the answer then. You said: Quote:
When you set the router's LAN-side IP address and netmask, you define the subnet. There is no need to specify the network manually; it's trivially inferable.
It's only now I remembered again that subnets are defined by the subnet mask. As I said, I spent some time grasping the theory of subnetting a while ago. It was quite embarrassing having to conclude I seemed to have forgotten the essence of it so quickly. I just wanted to thank you again for reminding me.
Cheers!
_________________________
Riocar 80gig S/N : 010101580 red Riocar 80gig (010102106) - backup