#295134 - 13/03/2007 14:11
Re: Some help on a little project of mine please...
[Re: robricc]
carpal tunnel
Registered: 20/05/2001
Posts: 2616
Loc: Bruges, Belgium
Great! Thanks for the clarification!
_________________________
Riocar 80gig S/N : 010101580 red Riocar 80gig (010102106) - backup
#295135 - 13/03/2007 14:12
Re: Some help on a little project of mine please...
[Re: BartDG]
old hand
Registered: 16/02/2002
Posts: 867
Loc: Oxford, UK
Quote: Remember, I would normally never need any more VPN connections than three. (usually only one, possibly two)
Bear in mind that these are *simultaneous* connection licences; you can have as many client PCs configured ready for VPN as you like.
Quote: I see the 150 only supports site-to-site VPN tunnels (which is what I need I think), and optionally also Global VPN account licences (what is this?).
Site-to-site VPN is for a semi-permanent "nailed-up" VPN connection between 2 remote sites - you don't want that. Group VPN is what you will be using from your remote PC. If you're contemplating buying new then give www.tekdata.co.uk a call - their support people are very clued up on Sonicwall products and they may even save you buying more than you need.
#295136 - 13/03/2007 15:29
Re: Some help on a little project of mine please...
[Re: BartDG]
carpal tunnel
Registered: 20/12/1999
Posts: 31597
Loc: Seattle, WA
Quote: That would be more than sufficient for me as well. I would rather have seen three VPN users, but two would do. 25 users is overkill. I need no more than 5.
I just read back over my old thread about Sonicwall. I'd forgotten how much trouble I went to in order to set it up!
Clarification on the way Sonicwall handles VPN: You can purchase VPN-user-license "packs" that you add on to the router as you need them. At least that's the way it worked on the TZ170 I had.
Looking back on my old thread, I see a few things that tripped me up, so learning from my experience might help. If you do decide to go the sonicwall route, here were the two big things that I wasted most of my time on:
- Trying to put the VPN server in a DMZ was more hassle than it was worth and I couldn't get it to work. Instead, I had to put my DSL Modem into "bridge" mode so that the sonicwall box was the internet-facing appliance.
- Trying to configure the Windows VPN client to connect to the sonicwall VPN was more hassle than it was worth and I couldn't get it to work. Instead, I simply had to purchase a few licences for the proprietary sonicwall VPN client, then give the users burned CDs of the sonicwall client software.
Something else looking back that I'm realizing... Back then, I didn't understand how simple it was to set up a RADIUS server. So I actually had to punch in user names and passwords for each VPN client into both the 2003 server and the sonicwall box individually. If you set up the 2003 server properly, then tell the sonicwall box that it's got a RADIUS server to talk to, then you don't need to manage the usernames and passwords in two places. You just set up users on the 2003 server and set the proper permissions. I should have done it that way.
#295137 - 13/03/2007 15:46
Re: Some help on a little project of mine please...
[Re: tfabris]
carpal tunnel
Registered: 30/10/2000
Posts: 4931
Loc: New Jersey, USA
Quote: - Trying to configure the Windows VPN client to connect to the sonicwall VPN was more hassle than it was worth and I couldn't get it to work. Instead, I simply had to purchase a few licences for the proprietary sonicwall VPN client, then give the users burned CDs of the sonicwall client software.
SonicWall Global VPN client is freely downloadable here. I don't know if that was always the case, but it has been for at least the past year or two.
_________________________
-Rob Riccardelli 80GB 16MB MK2 090000736
#295138 - 13/03/2007 16:46
Re: Some help on a little project of mine please...
[Re: tfabris]
carpal tunnel
Registered: 20/05/2001
Posts: 2616
Loc: Bruges, Belgium
Quote:
Clarification on the way Sonicwall handles VPN: You can purchase VPN-user-license "packs" that you add on to the router as you need them. At least that's the way it worked on the TZ170 I had.
This is one of the reasons (the other is cost) I'm still in doubt whether to buy one of the SonicWALL routers or a Draytek one. I'll read some more reviews on the web on both and then make up my mind.
Quote:
- Trying to put the VPN server in a DMZ was more hassle than it was worth and I couldn't get it to work. Instead, I had to put my DSL Modem into "bridge" mode so that the sonicwall box was the internet-facing appliance.
This is the way I've been planning to do the whole setup all along. So that's not a problem for me.
Quote:
- Trying to configure the Windows VPN client to connect to the sonicwall VPN was more hassle than it was worth and I couldn't get it to work. Instead, I simply had to purchase a few licences for the proprietary sonicwall VPN client, then give the users burned CDs of the sonicwall client software.
I don't like this all that much, but this point has been rendered unimportant by Rob's response below. On the other hand, I would prefer things not to use proprietary stuff.
Quote:
Something else looking back that I'm realizing... Back then, I didn't understand how simple it was to set up a RADIUS server.
Valid point, but this setup will be for four users maximum, and will never change anymore. So this won't be necessary for what I'm planning to do.
I have been reading up on the thread of your experiences. Very informative! And I understand about 80% of what is said in that thread, so I guess it's not all that bad.
_________________________
Riocar 80gig S/N : 010101580 red Riocar 80gig (010102106) - backup
#295139 - 13/03/2007 16:47
Re: Some help on a little project of mine please...
[Re: robricc]
carpal tunnel
Registered: 20/12/1999
Posts: 31597
Loc: Seattle, WA
Quote: SonicWall Global VPN client is freely downloadable here. I don't know if that was always the case, but it has been for at least the past year or two.
Yes, the client software is freely downloadable. That's not where the restriction lies. It's the Sonicwall appliance that needs the licenses added to it. Doesn't matter if you have a billion people trying to connect, it'll only let in X number of people, where X is the number of licenses you purchased for that appliance.
#295140 - 13/03/2007 17:00
Re: Some help on a little project of mine please...
[Re: BartDG]
carpal tunnel
Registered: 20/12/1999
Posts: 31597
Loc: Seattle, WA
Quote: this setup will be for four users maximum, and will never change anymore.
ROFLMAO
Oh, I'm sorry, you were serious?
Yeah, um... Change and expansion is inevitable in all networking systems. No matter how much you expect it to stay static.
In my experience, networked systems have only two directions to go: Expansion and upgrade, or complete dismantling if the company goes out of business. They never just get smaller and they never stay the same.
Quote: I have been reading up on the thread of your experiences. Very informative! And I understand about 80% of what is said in that thread, so I guess it's not all that bad.
Hey, that's a better comprehension level than my 2%.
#295141 - 13/03/2007 17:17
Re: Some help on a little project of mine please...
[Re: tfabris]
carpal tunnel
Registered: 20/05/2001
Posts: 2616
Loc: Bruges, Belgium
Quote:
Quote: this setup will be for four users maximum, and will never change anymore.
ROFLMAO
Oh, I'm sorry, you were serious?
Yeah, um... Change and expansion is inevitable in all networking systems. No matter how much you expect it to stay static.
Normally, I would agree with you. But not in this case, because this is not a 'company' network. My father-in-law works for himself, with only one secretary to help. One of his daughters (not my GF) is also working for him now on a temporary basis because she is out of work ATM and he wanted to help out. So the normal situation is 2 persons, that's it. He's worked like this for 15 years now, and I'm pretty sure it'll stay like that for the next 10 years or so he still has to go before his retirement.
Quote:
In my experience, networked systems have only two directions to go: Expansion and upgrade, or complete dismantling if the company goes out of business. They never just get smaller and they never stay the same.
Well, this will probably be the exception which confirms the rule then.
Quote:
Quote: I have been reading up on the thread of your experiences. Very informative! And I understand about 80% of what is said in that thread, so I guess it's not all that bad.
Hey, that's a better comprehension level than my 2%.
Cheers!
_________________________
Riocar 80gig S/N : 010101580 red Riocar 80gig (010102106) - backup
#295142 - 13/08/2007 15:13
Re: Some help on a little project of mine please...
[Re: BartDG]
carpal tunnel
Registered: 20/05/2001
Posts: 2616
Loc: Bruges, Belgium
Hi Guys! Dragging up this old thread again, because 'implementation day' is quickly approaching, and I'm trying to cover as much theoretical ground as I can... I finally decided to do the VPN tunnelling via Draytek 2800G DSL routers, which should be very much up to this task. Now, this is probably a stupid question to you expert users out there, but here goes anyway...
Trying to do the following: set up a VPN between two Draytek 2800G routers, obviously in a different geographical location. I've read the VPN LAN to LAN FAQ here, and I understand what it says. There's just one thing that puzzles me. The FAQ says: it is essential different subnets are used for each connecting network. I understand this, and also understand how and why this would be necessary. However, do I need to set up this subnet somewhere in the router's web interface? And, if so, where? (see this DrayTEK router's web interface HERE) Or does the subnet simply follow the IP subnet the router is set to?? E.g. it should be something like this:
Location 1:
192.168.1.0 (= subnet)
Router IP: 192.168.1.1
subnet mask: 255.255.255.0
NAT IP range behind router: 192.168.1.50 to 192.168.1.100 (which means 50 devices can be connected to the router, which should be MORE than enough)
Location 2:
192.168.2.0 (= subnet)
Router IP: 192.168.2.1
subnet mask: 255.255.255.0
NAT IP range behind router: 192.168.2.50 to 192.168.2.100
Now, back to my question: I can set up the router IP, I can set up the subnet mask.... but where do I set up the subnet itself?? Or again, will it simply follow the subnet I choose with the router's IP? Thanks in advance!
_________________________
Riocar 80gig S/N : 010101580 red Riocar 80gig (010102106) - backup
#295143 - 13/08/2007 15:31
Re: Some help on a little project of mine please...
[Re: BartDG]
carpal tunnel
Registered: 20/12/1999
Posts: 31597
Loc: Seattle, WA
You set up the subnets in the DHCP server. That's the thing responsible for assigning addresses to its clients.
When I set up my VPN, I discovered very quickly that I couldn't give my main company network the address range of 192.168.0 or 192.168.1 because those ranges were so common among the people who were dialing in. So there would be address conflicts and confusion after they connected. So my main network became 192.168.2, its DHCP server assigned their VPN connections unique addresses in that .2 range when they connected.
Out at the remote end, their local LANs should be set up as 192.168.1 or .0 or 10.something. If the VPN appliance on their side of the WAN connection *is* the DHCP server, then set it to dole out addresses in those ranges.
#295144 - 13/08/2007 16:20
Re: Some help on a little project of mine please...
[Re: BartDG]
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
Quote: I can setup the router IP, I can setup the subnetmask.... but where do I setup the subnet itself?? Or again, will it simply follow the subnet I choose with the router's IP?
When you set the router's LAN-side IP address and netmask, you define the subnet. There is no need to specify the network manually; it's trivially inferable. For verification, go to "Diagnostics->Routing Table" and you'll see your subnet.
On the other hand, it looks like the router requires that you manually configure the subnet or subnets of the remote LAN into the VPN rules. It's under "VPN and Remote Access->LAN to LAN->4. TCP/IP Network Settings->Remote Network IP and Remote Network Mask".
_________________________
Bitt Faulk
#295145 - 13/08/2007 16:24
Re: Some help on a little project of mine please...
[Re: tfabris]
carpal tunnel
Registered: 20/05/2001
Posts: 2616
Loc: Bruges, Belgium
Ah, ok! Thanks Tony!
So, just to see if I get this correctly, when transposing all this to my D-Link router at home (to have another example): this one is set at:
Router IP address: 192.168.0.1
DHCP IP Address Range: 192.168.0.100 to 192.168.0.199
In this case, the subnet is the DHCP address range (100 to 199), and not the entire 254 addresses available through the 192.168.0.x IP number?
Only: in this case, the router's IP is not part of the subnet then... does that matter in any way? Or not at all? Thanks!
_________________________
Riocar 80gig S/N : 010101580 red Riocar 80gig (010102106) - backup
#295146 - 13/08/2007 16:24
Re: Some help on a little project of mine please...
[Re: tfabris]
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
Quote: You set up the subnets in the DHCP server.
No. A DHCP server does not define your network any more than a computer with a static IP address defines your network. You have to make sure that the DHCP server is handing out IP addresses within the range defined by your existing IP network configuration, but it does not define the network itself. The network is defined logically; it's not really defined by any configuration file. You just have to make sure that all IP addressing configuration, whether via DHCP, static IP address assignment, routers, other routing, etc. all conform to the plan you've made.
_________________________
Bitt Faulk
#295147 - 13/08/2007 16:25
Re: Some help on a little project of mine please...
[Re: BartDG]
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
Tony has pushed you in the wrong direction. Forget what you think you learned.
_________________________
Bitt Faulk
#295148 - 13/08/2007 16:30
Re: Some help on a little project of mine please...
[Re: wfaulk]
carpal tunnel
Registered: 20/05/2001
Posts: 2616
Loc: Bruges, Belgium
Quote: On the other hand, it looks like the router requires that you manually configure the subnet or subnets of the remote LAN into the VPN rules. It's under "VPN and Remote Access->LAN to LAN->4. TCP/IP Network Settings->Remote Network IP and Remote Network Mask".
Ah... so I do need to enter it manually? No worries. But erm... I know what my WAN IP is. I also know what the 'Remote Gateway IP' is (the IP of the remote router). But what is the 'Remote Network IP' and the 'Remote Network mask' ? Is that the 'begin' and 'end' value of the remote subnet? Thanks!
_________________________
Riocar 80gig S/N : 010101580 red Riocar 80gig (010102106) - backup
#295149 - 13/08/2007 16:42
Re: Some help on a little project of mine please...
[Re: BartDG]
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
Okay, you have a router whose internal IP address is 192.168.1.1 and another whose internal IP address is 192.168.2.1. This implies that your two networks are 192.168.1.0/255.255.255.0 and 192.168.2.0/255.255.255.0, respectively. (Actually, it doesn't imply the netmask, but you already told us those.) On the 192.168.1.1 router, the remote network and netmask are 192.168.2.0 and 255.255.255.0. On the 192.168.2.1 router, the remote network and netmask are 192.168.1.0 and 255.255.255.0. Each router wants to know what network it's supposed to be expecting on the remote side.
_________________________
Bitt Faulk
#295150 - 13/08/2007 16:54
Re: Some help on a little project of mine please...
[Re: wfaulk]
carpal tunnel
Registered: 20/05/2001
Posts: 2616
Loc: Bruges, Belgium
Quote: Okay, you have a router whose internal IP address is 192.168.1.1 and another whose internal IP address is 192.168.2.1. This implies that your two networks are 192.168.1.0/255.255.255.0 and 192.168.2.0/255.255.255.0, respectively. (Actually, it doesn't imply the netmask, but you already told us those.) On the 192.168.1.1 router, the remote network and netmask are 192.168.2.0 and 255.255.255.0. On the 192.168.2.1 router, the remote network and netmask are 192.168.1.0 and 255.255.255.0. Each router wants to know what network it's supposed to be expecting on the remote side.
Ok, now it's clear to me Bitt! Thanks! The Remote Network mask is obviously the subnet mask (duh! Stupid of me!).
Thanks for the info, this should allow me to setup the VPN now!
_________________________
Riocar 80gig S/N : 010101580 red Riocar 80gig (010102106) - backup
#295151 - 13/08/2007 17:11
Re: Some help on a little project of mine please...
[Re: BartDG]
carpal tunnel
Registered: 20/05/2001
Posts: 2616
Loc: Bruges, Belgium
Just to add to that: I wasn't wrong then when I stated the subnet is determined by the IP number the router is given? (as you say, when the router's IP address is 192.168.1.1, the subnet is 192.168.1.x, when the router's IP address is 192.168.2.1, the subnet is 192.168.2.x, when the router's IP address is 192.168.3.1, the subnet is 192.168.3.x, etc...) Correct?
_________________________
Riocar 80gig S/N : 010101580 red Riocar 80gig (010102106) - backup
#295152 - 13/08/2007 17:26
Re: Some help on a little project of mine please...
[Re: BartDG]
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
Well, like I said, the network definition is really abstract; it exists only in what you think it is, not in any one configuration file. However, if there was to be a single point of definition, it would have to be the router's configuration, as all traffic except local traffic has to go through the router. Of course, it's just as possible for the router's configuration to be incorrect as it is for any other computer's configuration to be incorrect, but the router being incorrect would affect all the other computers on the network, while any other computer being wrong would affect only the individual computer.
But, yes, you can infer the network from a (correct) IP address along with its netmask. However, something that isn't immediately obvious to practical beginners is that a network can contain more or fewer IP addresses than just the 256 defined by changing the final number. If the netmask is bigger, the network will be smaller, and vice versa. A 255.255.255.0 netmask, which is the most common netmask that novices will encounter, implies that the network is the first three numbers static, with the last number running from 0 to 255, so it's easy to infer that a computer with that netmask has a network that is the first three numbers of its IP address followed by a zero. (The network is traditionally referred to by the lowest number in the sequence, which is unusable by a computer on the network.) If the netmask were, for example, 255.255.255.240, that would imply a network with only 16 IP addresses, and if a computer in that network had an IP address of 192.168.5.67, the network's range would be 192.168.5.64-79, with the network being named 192.168.5.64. On the other hand, if the netmask were 255.255.240.0, that would be a network of 4096 IP addresses, and the same IP address would imply a range of 192.168.0.0 through 192.168.15.255.
Confused yet?
_________________________
Bitt Faulk
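The three questions worked through in this thread (what network an address and netmask imply, what goes in the Draytek "Remote Network IP / Remote Network Mask" fields on each end of a LAN-to-LAN tunnel, and whether a DHCP pool actually fits inside the network the router's LAN address defines) can all be checked mechanically. The script below is an added example written for this page, not code from any poster or from DrayTek; it uses only Python's standard ipaddress module, and the function names, the two-site addressing plan from BartDG's post and the D-Link home-router pool are all taken as illustrative inputs.

```python
import ipaddress


def network_of(ip, mask):
    """Derive the network that a host address plus its netmask implies.

    Returns (network address, broadcast address, number of addresses).
    The network address is the lowest number in the block and is not
    usable by a host; neither is the broadcast address at the top.
    """
    net = ipaddress.IPv4Interface(f"{ip}/{mask}").network
    return str(net.network_address), str(net.broadcast_address), net.num_addresses


def networks_overlap(ip1, mask1, ip2, mask2):
    """True if the two LANs share any address (the FAQ forbids this for a tunnel)."""
    net1 = ipaddress.IPv4Interface(f"{ip1}/{mask1}").network
    net2 = ipaddress.IPv4Interface(f"{ip2}/{mask2}").network
    return net1.overlaps(net2)


def lan_to_lan_settings(site1_ip, site1_mask, site2_ip, site2_mask):
    """Work out the 'Remote Network IP' / 'Remote Network Mask' each router needs.

    Each router is told the *other* side's network. Overlapping LANs are
    rejected up front, since the tunnel cannot route between identical subnets.
    """
    if networks_overlap(site1_ip, site1_mask, site2_ip, site2_mask):
        raise ValueError("the two LANs overlap; pick distinct subnets for each site")
    net1 = ipaddress.IPv4Interface(f"{site1_ip}/{site1_mask}").network
    net2 = ipaddress.IPv4Interface(f"{site2_ip}/{site2_mask}").network
    return {
        "site1": {"remote_network_ip": str(net2.network_address),
                  "remote_network_mask": str(net2.netmask)},
        "site2": {"remote_network_ip": str(net1.network_address),
                  "remote_network_mask": str(net1.netmask)},
    }


def dhcp_range_ok(router_ip, mask, first, last):
    """Check that a DHCP pool fits inside the network the router's LAN address defines.

    The pool does not define the network; it must merely lie within it,
    avoid the network and broadcast addresses, and not include the router's
    own address (which would hand a client a conflicting lease).
    """
    router = ipaddress.IPv4Address(router_ip)
    net = ipaddress.IPv4Interface(f"{router_ip}/{mask}").network
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if lo > hi:
        return False
    usable_lo = net.network_address + 1
    usable_hi = net.broadcast_address - 1
    inside = usable_lo <= lo and hi <= usable_hi
    router_clear = not (lo <= router <= hi)
    return inside and router_clear


if __name__ == "__main__":
    # Bitt's two worked examples: a /28 and a /20 around 192.168.5.67.
    print(network_of("192.168.5.67", "255.255.255.240"))  # ('192.168.5.64', '192.168.5.79', 16)
    print(network_of("192.168.5.67", "255.255.240.0"))    # ('192.168.0.0', '192.168.15.255', 4096)
    # The two Draytek sites from the addressing plan (constructed from the thread).
    print(lan_to_lan_settings("192.168.1.1", "255.255.255.0", "192.168.2.1", "255.255.255.0"))
    # The D-Link home router: pool .100-.199 inside 192.168.0.0/24, router at .1.
    print(dhcp_range_ok("192.168.0.1", "255.255.255.0", "192.168.0.100", "192.168.0.199"))
```

Run it as-is to see the thread's own numbers reproduced; to try the rule Bitt gives for the common case, feed `network_of` any address with mask 255.255.255.0 and observe that the returned network is simply the first three octets followed by a zero. Passing two sites that share 192.168.1.0/24 to `lan_to_lan_settings` raises, which is the addressing mistake the Draytek FAQ warns about.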
#295153 - 13/08/2007 17:39
Re: Some help on a little project of mine please...
[Re: wfaulk]
carpal tunnel
Registered: 20/05/2001
Posts: 2616
Loc: Bruges, Belgium
Yes and no. I understand what subnetmasking is. I tried to grasp the theory behind it a few months ago just because I think it's interesting to know about. But indeed, it's not very simple. I did understand however that a lot of network admins don't understand it 100% either, and because of this use some sort of online subnet calculator to find the correct subnet and mask they need for their project. (for the record: I don't think you're one of those! ) Thanks again for the info, it should work out now!
_________________________
Riocar 80gig S/N : 010101580 red Riocar 80gig (010102106) - backup
#295154 - 13/08/2007 17:47
Re: Some help on a little project of mine please...
[Re: BartDG]
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
Quote: I did understand however that a lot of network admins don't understand it 100% either, and because of this use some sort of online subnet calculator to find the correct subnet and mask they need for their project. (for the record: I don't think you're one of those!)
I understand it, but I still use a calculator because the math is sort of irritating. It's actually fairly easy to memorize the majority of it, but I don't use it often enough for it to stick in my memory.
_________________________
Bitt Faulk
#295155 - 13/08/2007 21:29
Re: Some help on a little project of mine please...
[Re: wfaulk]
carpal tunnel
Registered: 20/05/2001
Posts: 2616
Loc: Bruges, Belgium
Bitt, I just re-read your first response to my question again, and only now realised you already gave the answer then. You said: Quote:
When you set the router's LAN-side IP address and netmask, you define the subnet. There is no need to specify the network manually; it's trivially inferable.
It's only now I remembered again that subnets are defined by the subnet mask. As I said, I spent some time grasping the theory of subnetting a while ago. It was quite embarrassing having to conclude I seemed to have forgotten the essence of it so quickly. I just wanted to thank you again for reminding me.
Cheers!
_________________________
Riocar 80gig S/N : 010101580 red Riocar 80gig (010102106) - backup