2000 server, vpn, static IP

Discussion in 'Server Networking' started by em, Mar 28, 2005.

  1. em

    em Guest

    Hi guys, I'm not a full time IT guy, so bear with me.

    We have a Windows 2000 server machine which serves as a basic fileserver.
    It, along with our 10 Win2k client machines, all get their IP
    addresses from our DSL router's DHCP. Everything is hooked through a
    switch and works fine.

    We just upgraded to 3mbps DSL and they gave us 5 static IPs (had dynamic
    IP before).

    We want to set up a VPN and I've done one before with the old setup
    (though temporary), but I want to know if I should still use DHCP from
    the router or set up DHCP on the server and any other hints to keeping a
    simple but effective LAN and VPN.

    In a small business (<10 employees), what are other uses for 5 static IPs?

    ~~Eric
     
    em, Mar 28, 2005
    #1
  2. Jeff Cochran

    Jeff Cochran Guest

    Servers should never be on a dynamic IP address.
    Run DHCP off the server, disable it on the router.
    Five web sites with SSL. :)

    There are quite a few uses for static public IP addresses, but if you
    don't need them, don't use them.

    Jeff
     
    Jeff Cochran, Mar 28, 2005
    #2
  3. em

    em Guest

    Yea, I'll get right on that..

    ~~Eric
     
    em, Mar 28, 2005
    #3
  4. No uses at all. There is no benefit of having 5 Public IP#s from the ISP as
    far as the Private LAN is concerned. Those 5 addresses go *outside* your
    network. Since this is DSL,..they would all get bound to the DSL NAT Device
    and you could then use Static NAT to make certain internal machines
    available to the outside,....which is an *extremely bad* idea for someone
    who isn't a full time IT guy who may not know all the security risks
    involved in that, and who may not know for what reasons that might be done
    and when it would be appropriate.
     
    Phillip Windell, Mar 28, 2005
    #4
  5. em

    em Guest

    OK, so what I want is a VPN with an IP address that doesn't change on a
    whim. If I set up DHCP on the server, then set the modem/router to no
    longer handle DHCP and to use the static IP, then that would work right
    (the router would have to go through the server right..with its second NIC)?

    I just want to know how people do simple VPNs with small setups like ours.

    Thanks for any help

    ~~Eric
     
    em, Mar 28, 2005
    #5
  6. Jeff Cochran

    Jeff Cochran Guest

    The description is confusing. You have a DSL router that connects to
    a server, then the server is routing to the internal network? You
    could do this easier with the router plugged into a switch (or a
    router with an internal switch), and all internal devices, including
    the server, also plugged into the switch.
    Install the VPN server-side, install the VPN client, configure the VPN
    user and policy, open and redirect the appropriate ports in your
    firewall and get to work. :)

    I'm not sure what part of this you're having troubles with. Have you
    tried configuring a VPN and run into problems? If so, what were the
    problems?

    Jeff
     
    Jeff Cochran, Mar 28, 2005
    #6
  7. No. You will not go "through" the Windows Server for anything Internet
    related and it will only have one NIC. The DSL NAT Device will be the VPN
    Server. In fact the DSL NAT Device is "everything" all in one box as far as
    the Internet is concerned.

    The DSL NAT Device:
    1. Has all the Public IP#s
    2. Performs NAT for the LAN
    3. Is effectively your "Firewall"
    4. Is the VPN Server (assuming it has those features,... some don't)
    5. Is the DHCP Server although I recommend you use the Windows Server for
    that, as did Jeff.

    Your Windows Server would just have one nic and act no different than any
    other machine on the network. You will not go "through" the Windows Server
    for anything Internet related. It is only concerned with the LAN and
    nothing "Internet-wise".

    The Windows Server does:
    1. Provides Domain logins for the LAN
    2. Provides DNS for the LAN, forwards other DNS Queries to the ISP's DNS
    3. Provides WINS for the LAN (if you use it)
    4. Provides DHCP for the LAN
    5. Provides "File Serving" for the LAN
    6. Can do other things too, but I don't want to get too carried away with
    it....
     
    Phillip Windell, Mar 28, 2005
    #7
  8. em

    em Guest

    Thank you both. The main issue I was having is not having a static
    address to be able to access the DSL router from the internet. We have
    had a VPN in the past, but it was a pain because our router's IP was
    dynamic.

    I had to call our ISP to get the static IP address range today and he
    helped me set the DSL router to use them...well, we turned off NAT and
    DHCP on the router and since the 2000 server wasn't running DHCP, it got
    kind of screwy. I changed it all back to how it was.

    Tomorrow morning I'll try setting up the dhcp/dns on the win 2000
    server, disabling DHCP on the router, and setting up the static IP again.

    Jeff, I do have everything running through a switch.

    thanks guys, I'm not new to networking, but sadly I don't get to spend
    enough time learning everything..sorry about my semantics.

    ~~Eric
     
    em, Mar 29, 2005
    #8
  9. You can't turn NAT off on the DSL Device,...you *need* that,..but you don't
    need DHCP on the DSL Device. I never said to turn off NAT.

    I know that Jeff and I have given slightly different suggestions, but that is
    because there is more than one way to do things. You eventually have to
    decide for yourself how you are going to do things.
     
    Phillip Windell, Mar 29, 2005
    #9
  10. em

    em Guest

    No, no, I meant I had called the ISP *before* I wrote to the newsgroup
    and that's when we had turned off NAT..we turned it right back on as
    soon as we had access back in yesterday.

    Anyways, now DHCP on DSL router is off and NAT is on. I set up DHCP on
    the server using a 192.168.5.*** scope...server is ...5.1 and the leases
    go from ...5.2 to ...5.30

    I set the internal DSL router's address to 192.168.5.30 and also made a
    'reservation' for it on the DHCP settings, though I wasn't sure if that
    was necessary. The DSL router doesn't show up on the DHCP lease list,
    but it works fine..I assume because it's not using DHCP to get its
    address. Same with a big printer/copier we have that won't
    automatically get an address.

    OK, so I also went to DHCP server option #6 to add a DNS, which I added
    the routers address 192.168.5.30, so I don't have to manually set DNS
    for every client.

    The clients have all default TCPIP settings except I have to add the
    default gateway address in. Is it possible to have the client
    automatically figure out the gateway by some setting on the server?

    Thanks again for the help. Things are working good. Just trying to
    figure the best way to set a few last settings.

    ~~Eric

    oh, we have no WINS, domain, or AD set up right now
     
    em, Mar 29, 2005
    #10
  11. em

    em Guest

    Oh wait, I just set up the server option 3 to add the DSL as a
    router...duh..works fine.

    ~~Eric
     
    em, Mar 29, 2005
    #11
  12. If you have a Domain, then the DNS for *all* machines must be the AD/DNS
    (typically the Domain Controller). On the AD/DNS you then add the ISP's DNS
    IP# to the Forwarder's List.
    The DSL Device does not need to be Reserved. You should be using the entire
    IP# Range in the DHCP Scope, then use Exclusions to limit which
    addresses are given out to other machines. The DSL Device should use an
    address that is within one of the Exclusions. In DHCP the Reservations and
    Exclusions are not the same thing.

    To use the addresses as you described it would be....
    Example:
    Full Range: 192.168.5.1 -- 192.168.5.254
    Exclusion #1: 192.168.5.1 -- 192.168.5.1
    Exclusion #2: 192.168.5.30 -- 192.168.5.254
    Reservations: <none>

    This allows 192.168.5.2 thru 192.168.5.29 to be given out to other machines.
    I probably would have arranged them a little differently myself,..but that
    would work.
     
    Phillip Windell, Mar 29, 2005
    #12
  13. em

    em Guest


    I gotcha, I changed it to 192.168.5.1-192.168.5.50, and excluded 5.1-5.3
    for the server, router and static IP printer.

    Thanks for all of your help

    ~~Eric
     
    em, Mar 29, 2005
    #13
  14. Sounds good. Yea, you can adjust those Exclusions as needed along the way
    as long as you remember to release/renew (or just reboot) the workstation
    that you might "step on" after you adjust or create a new Exclusion.

    Good luck with it!
     
    Phillip Windell, Mar 29, 2005
    #14
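The scope arithmetic Phillip lays out in #12, Eric's final layout in #13, and the "step on" problem in #14 are easy to get wrong because a Windows DHCP reservation and an exclusion look alike in the console but do different jobs. The following is an added example, not code from the thread or from Microsoft: a small Python model of a scope that computes the addresses the server may actually hand out and flags any static device (router, printer) whose address is still inside that pool. The address ranges and host names are constructed from the numbers in the thread.

```python
# Added example (not from the thread): a model of a DHCP scope showing how
# exclusions and reservations shape the pool of leasable addresses.
# An exclusion removes addresses from the pool outright; a reservation pins an
# address to one client's MAC and only matters for a device that asks DHCP at all.
import ipaddress
from dataclasses import dataclass, field


def _span(first, last):
    """Inclusive range of integer addresses from first to last."""
    a, b = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    if a > b:
        raise ValueError(f"range {first}-{last} is reversed")
    return range(a, b + 1)


@dataclass
class Scope:
    first: str
    last: str
    exclusions: list = field(default_factory=list)    # [(first, last), ...]
    reservations: dict = field(default_factory=dict)  # {mac: ip} for DHCP clients only

    def pool(self):
        """Addresses the server may lease to an ordinary (unreserved) client."""
        excluded = set()
        for lo, hi in self.exclusions:
            excluded.update(_span(lo, hi))
        reserved = {int(ipaddress.IPv4Address(ip)) for ip in self.reservations.values()}
        return [str(ipaddress.IPv4Address(i))
                for i in _span(self.first, self.last)
                if i not in excluded and i not in reserved]

    def conflicts(self, static_hosts):
        """Names of statically addressed hosts that DHCP could still 'step on'."""
        pool = set(self.pool())
        return sorted(name for name, ip in static_hosts.items() if ip in pool)


# Phillip's example in #12: whole range, two exclusions, no reservations.
phillips = Scope("192.168.5.1", "192.168.5.254",
                 exclusions=[("192.168.5.1", "192.168.5.1"),
                             ("192.168.5.30", "192.168.5.254")])

# Eric's final layout in #13: .1-.50 with .1-.3 excluded for server, router, printer.
STATIC_HOSTS = {"server": "192.168.5.1", "router": "192.168.5.2", "printer": "192.168.5.3"}
erics = Scope("192.168.5.1", "192.168.5.50",
              exclusions=[("192.168.5.1", "192.168.5.3")])

# The mistake #14 warns about: the same range with the printer's exclusion forgotten.
forgotten = Scope("192.168.5.1", "192.168.5.50",
                  exclusions=[("192.168.5.1", "192.168.5.2")])

if __name__ == "__main__":
    p = phillips.pool()
    print(f"Phillip's pool: {p[0]} .. {p[-1]} ({len(p)} addresses)")
    print(f"Eric's final layout conflicts: {erics.conflicts(STATIC_HOSTS) or 'none'}")
    print(f"Forgotten exclusion conflicts: {forgotten.conflicts(STATIC_HOSTS)}")
```

Running it shows Phillip's layout leaving .2 through .29 (28 addresses) for clients, Eric's final layout with no conflicts, and the third scope reporting that the printer's .3 is still leasable, which is exactly the address a workstation would "step on" until a release/renew.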
  15. em

    em Guest



    Thanks again Phillip,

    One more question. The server has 2 NICs, one onboard and one gigabit I
    recently put in. I had disabled the onboard after I got the pro1000,
    but thought I could put it to use when setting the VPN up today. The
    pro1000 is 192.168.5.1 and runs to the switch. I plugged the onboard
    NIC (192.168.5.2) straight into the DSL router (planning on using a NAT
    pinholes to forward to 192.168.5.2). Both have same subnet and default
    gateway addresses.

    Also, this way I could set up the PPTP filters correctly on the RAS
    settings for this interface.

    But now when I browse the LAN from the server, it slows down. I set the
    onboard NIC to a higher metric and when accessing the internet, only the
    pro1000 sends and receives. But browsing slows down and the onboard NIC
    blinks away (on the card not the icon), though it doesn't seem to
    send/receive packets.

    I just want to use the 10/100 for VPN, setting only the required filters
    for PPTP VPN access. What else do I need to do to not have this card
    interfere with my other and only function as VPN?

    Am I right to assume I can't just use the one NIC for VPN and LAN, because I
    couldn't set the filters without blocking LAN access?

    Thanks

    ~~Eric
     
    em, Mar 31, 2005
    #15
  16. Don't run 2 Nics. Never run two Nics when they are on the same subnet
    (192.168.2.1 & 192.168.5.2).

    Even running two Nics with different subnets requires proper planning and the
    proper physical topology to accommodate it. It is not something that you just
    do "off the cuff" some morning <g>.

    Also the Gigabit Nic will do you no good at all if the Switch Port it
    connects to is not also Gigabit and the Cat5 cable between them is not at least
    Cat5E or better. In addition, an improperly functioning Gigabit Nic is
    often *slower* than a 10/100 Nic that is correctly functioning.

    Here are some things to consider with running multiple Nics in different
    situations.

    175767 - Expected Behavior of Multiple Adapters on Same Network
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;175767

    157025 - Default Gateway Configuration for Multihomed Computers
    http://support.microsoft.com/default.aspx?scid=kb;en-us;157025&Product=win2000

    272294 - Active Directory Communication Fails on Multihomed Domain
    Controllers
    http://support.microsoft.com/default.aspx?scid=kb;en-us;272294

    191611 - Symptoms of Multihomed Browsers
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;191611

    Microsoft Windows XP - Multihoming Considerations
    http://www.microsoft.com/resources/documentation/windows/xp/all/reskit/en-us/prcc_tcp_qpzj.asp?
     
    Phillip Windell, Mar 31, 2005
    #16
  17. em

    em Guest

    OK, so I'll just set it up with the one Gigabit card (onboard NIC is
    totally disabled) and make the router NAT pinholes for ports 1723 and 47
    to point to it. I'll set no filters on the interface. In this
    situation you are relying on NAT and strength of username/passwords,
    account lockouts, etc...right?

    We just got an SMC gigabit switch and I had run all cat5e when we
    renovated the office. Our newer workstations came with gigabit and
    they really fly with the server now.

    thanks

    ~~Eric
     
    em, Mar 31, 2005
    #17
  18. I don't know what "pinholes" are.
    "47" is not a port, it is a Protocol (aka GRE Protocol)
    I suggested that the NAT Device be the VPN Device,...not the Windows Server.
     
    Phillip Windell, Mar 31, 2005
    #18
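Phillip's correction in #18 is the detail that most often breaks a PPTP pass-through: 1723 is a TCP port, but 47 is the value of the IP header's Protocol field, and GRE carries no port numbers at all, so a router rule for "TCP or UDP port 47" matches nothing PPTP sends. The following is an added example, not code from the thread or from any vendor: it builds two constructed packets (a TCP SYN to port 1723 and a PPTP-style GRE packet), parses the IPv4 header, and reports which kind of pass-through rule each one needs. Addresses and the packet contents are constructed; the GRE header layout follows RFC 2637.

```python
# Added example (not from the thread): parse constructed IPv4 packets to show
# where "port 1723" and "protocol 47" actually live in the headers.
import struct

IP_PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE"}
PPTP_CONTROL_PORT = 1723


def _ip2bytes(addr):
    return bytes(int(octet) for octet in addr.split("."))


def build_ipv4(proto, payload, src="203.0.113.10", dst="192.168.5.1"):
    """Minimal 20-byte IPv4 header (checksum left zero; constructed test data)."""
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         _ip2bytes(src), _ip2bytes(dst))
    return header + payload


def build_tcp(sport, dport):
    """Minimal TCP header: ports, seq, ack, data offset 5, SYN flag, window, csum, urg."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)


def build_gre_pptp():
    """PPTP's enhanced GRE header (RFC 2637): K and S set, version 1, type 0x880B,
    key = payload length (16 bits) + call ID (16 bits), then a sequence number."""
    return struct.pack("!HHHHI", 0x3001, 0x880B, 0, 1, 0)


def describe(packet):
    """Return (protocol number, protocol name, src port, dst port).
    Ports are None for anything that is not TCP or UDP, because only those
    transport headers carry port numbers."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, proto = packet[0], packet[9]
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    payload = packet[ihl:]
    name = IP_PROTO_NAMES.get(proto, "other")
    if proto in (6, 17) and len(payload) >= 4:
        sport, dport = struct.unpack("!HH", payload[:4])
        return proto, name, sport, dport
    return proto, name, None, None


def pptp_rule_needed(packet):
    """Which NAT pass-through rule this packet requires, or None if it is not PPTP."""
    proto, _, _, dport = describe(packet)
    if proto == 6 and dport == PPTP_CONTROL_PORT:
        return "forward TCP port 1723 (PPTP control channel)"
    if proto == 47:
        return "pass IP protocol 47 (GRE) - no port number applies"
    return None


if __name__ == "__main__":
    control = build_ipv4(6, build_tcp(40000, PPTP_CONTROL_PORT))
    tunnel = build_ipv4(47, build_gre_pptp())
    wrong_idea = build_ipv4(6, build_tcp(40001, 47))   # "TCP port 47" is not GRE
    for label, pkt in (("control", control), ("tunnel", tunnel), ("tcp/47", wrong_idea)):
        print(label, describe(pkt), "->", pptp_rule_needed(pkt))
```

The third packet is the instructive one: a rule written as "port 47" would match this TCP packet and still let the real GRE tunnel traffic be dropped, which is why a PPTP-capable NAT device needs a separate GRE pass-through setting rather than another port forward.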