2000 server, vpn, static IP

Hi guys, I'm not a full time IT guy, so bear with me.

We have a Windows 2000 server machine which serves as basic fileserver.
It, along with our 10 Win2k client machines, all get their IP
addresses from our DSL routers DHCP. Everything is hooked through a
switch and works fine.

We just upgraded to 3mbps DSL and they gave us 5 static IPs (had dynamic
IP before).

We want to set up a VPN and I've done one before with the old setup
(though temporary), but I want to know if I should still use DHCP from
the router or set up DHCP on the server and any other hints to keeping a
simple but effective LAN and VPN.

In a small business (<10 employees), what are other uses for 5 static IPs?

~~Eric

 

Servers should never be on a dynamic IP address.

Run DHCP off the server, disable it on the router.

Five web sites with SSL.

There are quite a few uses for static public IP addresses, but if you
don't need them, don't use them.

Jeff

 

Yea, I'll get right on that..

~~Eric

 

No uses at all. There is no benefit of having 5 Public IP#s from the ISP as
far as the Private LAN is concerned. Those 5 addresses go *outside* your
network. Since this is DSL,..they would all get bound to the DSL NAT Device
and you could then use Static NAT to make certain internal machines
available to the outside,....which is an *extremely bad* idea for someone
who isn't a full time IT guy who may not know all the security risks
involved in that, and who may not know for what reasons that might be done
and when it would be appropriate.

 

OK, so what I want is a VPN with an IP address that doesn't change on a
whim. If I set up DHCP on the server, then set the modem/router to no
longer handle DHCP and to use the static IP, then that would work right
(the router would have to go through the server right..with its second NIC)?

I just want to know how people do simple VPNs with small setups like ours.

Thanks for any help

~~Eric

 

The description is confusing. You have an DSL router that connects to
a server, then the server is routing to the internal network? You
could do this easier with the router plugged into a switch (or a
router with an internal switch), and all internal devices, including
the server, also plugged into the switch.

Install the VPN server-side, install the VPN client, configure the VPN
user and policy, open and redirect the appropriate ports in your
firewall and get to work.

I'm not sure what part of this you're having troubles with. Have you
tried configuring a VPN and run into problems? If so, what were the
problems?

Jeff

 

NIC)?


No. You will not go "through" the Windows Server for anything Internet
related and it will only have one NIC. The DSL NAT Device will be the VPN
Server. In fact the DSL NAT Device is "everything" all in one box as far as
the Internet is concerned.

The DSL NAT Device:
1. Has all the Public IP#s
2. Performs NAT for the LAN
3. Is effectively your "Firewall"
4. Is the VPN Server (assuming it has those features,... some dont')
5. Is the DHCP Server although I recommend you use the Windows Server for
that, as did Jeff.

Your Windows Server would just have one nic and act no different than any
other machine on the network. You will not go "through" the Windows Server
for anything Internet related. It is only concerned with the LAN and
nothing "Internet-wise".

The Windows Server does:
1. Proovides Domain logins for the LAN
2. Provide DNS for the LAN, forwards other DNS Queries to the ISP's DNS
3. Provides WINS for the LAN (if you use it)
4. Provides DHCP for tha LAN
5. Provides "File Serving" for the LAN
6. Can do other things too, but I don't want to get too carried away with
it....

 

Thank you both. The main issue I was having is not having a static
address to be able to access the DSL router from the internet. We have
had a VPN in the past, but it was a pain because our router's IP was
dynamic.

I had to call our ISP to get the static IP address range today and he
helped me set the DSL router to use them...well, we turned off NAT and
DHCP on the router and since the 2000 server wasn't running DHCP, it got
kindof screwy. I changed it all back to how it was.

Tomorrow morning I'll try setting up the dhcp/dns on the win 2000
server, disabling DHCP on the router, and setting up the static IP again.

Jeff, I do have everything running through a switch.

thanks guys, I;m not new to networking, but sadly I don't get to spend
enough learning everything..sorry about my semantics.

~~Eric

 

You can't turn NAT off on the DSL Device,...you *need* that,..but you don't
need DHCP on the DSL Device. I never said to turn off NAT.

I know that Jeff and I have gave slightly different suggestions, but that is
because there is more than one way to do things. You eventually have to
decide for yourself how you are going to do things.

 

No, no, I meant I had called the ISP *before* I wrote to the newsgroup
and that's when we had turned off NAT..we turned it right back on as
soon as we had access back in yesterday.

Anyways, now DHCP on DSL router is off and NAT is on. I set up DHCP on
the server using a 192.168.5.*** scope...server is ...5.1 and the leases
go from ...5.2 to ...5.30

I set the internal DSL router's address to 192.168.5.30 and also made a
'reservation' for it on the DHCP settings, though I wasn't sure if that
was necessary. The DSL router doesn't show up on the DHCP lease list,
but it works fine..I assume because it's not using DHCP to get its
address. Same with a big printer/copier we have that won't
automatically get an address.

OK, so I also went to DHCP server option #6 to add a DNS, which I added
the routers address 192.168.5.30, so I don't have to manually set DNS
for every client.

The clients have all default TCPIP settings except I have to add the
default gateway address in. Is it possible to have the client
automatically figure out the gateway by some setting on the server?

Thanks again for the help. Things are working good. Just trying to
figure the best way to set a few last settings.

~~Eric

oh, we have no WINS, domain, or AD set up right now

 

Oh wait, I just set up the server option 3 to add the DSL as a
router...duh..works fine.

~~Eric

 

If you have a Domain, then the DNS for *all* machines must be the AD/DNS
(typically the Domain Controller). On the AD/DNS you then add the ISP's DNS
IP# to the Forwarder's List.

The DSL Device does not need to be Reserved. You should be using the entire
IP# Range in the DHCP Scope, then the use Exclusions to limit which
addresses are given out to other machines. The DSL Device should use an
address that is within one of the Exclusions. In DHCP the Reservations and
Exclusions are not the same thing.

To use the addresses as you described it would be....
Example:
Full Range: 192.168.5.1 -- 192.168.5.254
Exclusion #1: 192.168.5.1 -- 192.168.5.1
Exclusion #2: 192.168.5.30 -- 192.168.5.254
Reservations: <none>

This allows 192.168.5.2 thru 192.168.5.29 to be given out to other machines.
I probably would have arranged them a little differently myself,..but that
would work.

 

I gotcha, I changed it to 192.168.5.1-192.168.5.50, and excluded 5.1-5.3
for the server, router and static IP printer.

Thanks for all of your help

~~Eric

 

Sounds good. Yea, you can adjust those Exclusions as needed along the way
as long as you remeber to release/renew (or just reboot) the workstation
that you might "step on" after you adjust of create a new Exclusion.

Good luck with it!

 

Thanks again Phillip,

One more question. The server has 2 NICs, one onboard and one gigabit I
recently put in. I had disabled the onboard after I got the pro1000,
but thought I could put it to use when setting the VPN up today. The
pro1000 is 192.168.5.1 and runs to the switch. I plugged the onboard
NIC (192.168.5.2) straight into the DSL router (planning on using a NAT
pinholes to forward to 192.168.5.2). Both have same subnet and default
gateway addresses.

Also, this way I could set up the PPTP filters correctly on the RAS
settings for this interface.

But now when I browse the LAN from the server, it slows down. I set the
onboard NIC to a higher metric and when accessing the internet, only the
pro1000 sends and receives. But browsing slows down and the onboard NIC
blinks away (on the card not the icon), though it doesn't seem to
send/receive packets.

I just want to use the 10/100 for VPN, setting only the required filters
for PPTP VPN access. What else do I need to do to not have this card
interfere with my other and only function as VPN?

Am I right to assume I can't just the one NIC for VPN and LAN, because I
couldn't set the filters without blocking LAN access?

Thanks

~~Eric

 

Don't run 2 Nics. Never run two Nic when they are on the same subnet
(192.168.2.1 & 192.168.5.2).

Even running two Nic with different subnets requires proper planning and the
proper physical topology to accomidate it. It is not something that you just
do "off the cuff" some morning <g>.

Also the Gigabit Nic will do you no good at all of the Switch Port it
connects to is not also Gigabit and the Cat5 cable between them is at least
Cat5E or better. In addition, an improperly functioning Gigabit Nic is
often *slower* than a 10/100 Nic that is correctly functioning.

Here are some things to consider with running multiple Nics in different
situations.

175767 - Expected Behavior of Multiple Adapters on Same Network
http://support.microsoft.com/default.aspx?scid=kb;EN-US;175767

157025 - Default Gateway Configuration for Multihomed Computers
http://support.microsoft.com/default.aspx?scid=kb;en-us;157025&Product=win2000

272294 - Active Directory Communication Fails on Multihomed Domain
Controllers
http://support.microsoft.com/default.aspx?scid=kb;en-us;272294

191611 - Symptoms of Multihomed Browsers
http://support.microsoft.com/default.aspx?scid=kb;EN-US;191611

Microsoft Windows XP - Multihoming Considerations
http://www.microsoft.com/resources/documentation/windows/xp/all/reskit/en-us/prcc_tcp_qpzj.asp?

 

OK< so I'll just set it up with the one Gigabit card (onboard NIC is
totally disabled) and make the router NAT pinholes for ports 1723 and 47
to point to it. I'll set no filters on the interface. In this
situation you are relying on NAT and strength of username/passwords,
account lockouts, etc...right?

We just got an SMC gigabit switch and I had run all cat5e when we
renovated the office. Our newer workstations came with gigabit and
they really fly with the server now.

thanks

~~Eric

 

I don't know what "pinholes" are.
"47" is not a port, it is a Protocol (aka GRE Protocol)
I suggested that the NAT Device be the VPN Device,...not the Wndows Server.