Blinkr (United States) asked:
IP address for VPN router

I was reading the manual for a Linksys RV042 router & it stated that the router should have a different IP address than other PC's or devices on the network. I sort of thought "DUH". But then it said if the network is the default "192.168.1.0" then the router's IP should be, according to their example, something like "192.168.2.1", to avoid any conflict between the VPN IP address and the local IP address.

If the router uses "192.168.1.1" as its local IP address & the static IP that the ISP gives you for the public IP & the router is the DHCP server also, where would there be a conflict? It wouldn't give out "192.168.1.1" to a PC or device again.

I am having problems getting 2 RV042 to connect thru a gateway-to-gateway VPN tunnel. So far I haven't been successful so this is one of the things I am exploring.

Thanks!!!
Full_Spectrum:

I think what they are saying is if you have 2 routers make sure they don't have the same IP address. By default a lot of them come with a set IP address of 192.168.1.1.

Go to one of your routers interface and change the routers address to 192.168.2.1.

Now you are able to view both of the routers interfaces by the addresses 192.168.2.1 and 192.168.1.1.
Rob Williams:
Not sure how familiar you are with VPN's so ....

>192.168.1.0 refers to the network ID, that is all addresses will be 192.168.1.1 to 192.168.1.254 on this network segment.

>The LAN IP of the router needs to be in the same subnet/segment as your PC's, so if you are currently using 192.168.1.0 you may want to continue by assigning the router a 192.168.1.1 (or I prefer 192.168.1.254) address.

>One potential problem is a remote user connecting to your network must be on a different network segment. Thus if you choose 192.168.1.0 no other connecting user from another 192.168.1.0 network will be able to connect via VPN. Thus, to avoid conflicts down the road, as at some point you may not be able to re-configure the remote network, choose something less common for your local network. Perhaps a LAN IP of 192.168.111.254. This becomes especially important if you use the QuickVPN client and you have no control over what networks the mobile users will be connecting from.

>You also cannot have the same subnet on either side of your router (LAN and WAN). I looked at your previous posts and this might be the case if you are using a DSL modem that does NAT. Regardless, the DSL will have to be put in Bridged mode so the WAN side of the modem can have a proper public/WAN IP. Otherwise the VPN connection will not work.

>Finally make sure your LAN DHCP range does not include any manually assigned IP's such as your router, servers, or print servers.

Hope this helps to explain. Please advise if you need clarification.
--Rob
Blinkr (asker):
The main site that has the server that the other sites will be accessing has a static IP from our ISP. One of the other sites that will be connecting also has a static IP from the same ISP. One of the other sites has DSL. I haven't installed the router there, so I don't know what I will need to change on that one.

>>"One potential problem is a remote user connecting to your network must be on a different network segment. Thus if you choose 192.168.1.0 no other connecting user from another 192.168.1.0 network will be able to connect via VPN. Thus, to avoid conflicts down the road, as at some point you may not be able to re-configure the remote network, choose something less common for your local network. Perhaps a LAN IP of 192.168.111.254 This becomes especially important if you use the QuickVPN client and you have no control over what networks the mobile users will be connecting from."

I have used QuickVPN to try to connect & haven't had any success. But the routers at my local sites also use the 192.168.1.0 IP's as well, so that probably has something to do with it. I tried connecting the tunnel from one of the sites that is using 192.168.20.1 yesterday, but couldn't get it connected. There are a couple of things I need to check at both sites when I get back to them that may correct things. I was thinking about changing the local IP's at home & try to connect using QVPN, because only having a couple of PC's on my network it would be easier to play with the IP's there. I'm not sure if some other setting (other than the VPN settings) may be blocking my connection.

So if my local site is using the 192.168.20.0 subnet, my router should have its IP set to something like 192.168.20.1 or 192.168.20.254, correct?? And be a totally different IP, like 192.168.5.1??

Thanks for the links!!! I will check thru them tonight. If you have any other suggestions, I would be very grateful.

Rob Williams:
>>"I have used QuickVPN to try to connect & haven't had any success. But the routers at my local sites also use the 192.168.1.0 IP's as well, so that probably has something to do with it. "
Yup! <G> Both ends of a VPN must be on a different subnet.

>>"There are a couple of things I need to check at both sites when I get back to them that may correct things."
I suggest enabling the remote management feature while setting this up. Firstly it ensures you have the router's WAN configuration set up properly, and secondly saves a lot of running around. When the VPN is working it will show "disconnect" (allows you to break the connection) on the VPN summary page.

>>"I was thinking about changing the local IP's at home & try to connect using QVPN, because only having a couple of PC's on my network it would be easier to play with the IP's there. I'm not sure if some other setting (other than the VPN settings) may be blocking my connection."
Your local router, at home, should also have "IPSEC pass-through" enabled.

>>"So if my local site is using 192.168.20.0 subnet, my router should have it's IP set to something like 192.168.20.1 or 192.168.20.254, correct??"
Yes, LAN IP, right!

>>"And be a totally different IP, like 192.168.5.1??"
I assume you are referring to the remote site? If so yes.

Since you have 1 static and 1 dynamic link the first link above is the one that applies to you.
Blinkr (asker):
A couple of questions:

Under "Remote Security Group Type", you can designate "IP address of a single computer, an entire subnet, or an IP range of computers". I really don't want the other sites to have access to anything but the server running the app that they will be using. Would it be better to use the "IP address of a single computer" for this Remote Security Group Type on each of the connecting sites?? Then enter the IP of the server at the main site?? I have already designated "an entire subnet", but that can be easily changed since I have only visited 1 of the sites so far & I have to go back there anyway.

Also, this server has 2 NICs, so would there be any advantage in assigning different IP's to each card, or do you have to??

The manual also mentioned that even though the ISP didn't require it, but I should enter some sort of domain name in the box at the top of the setup screen. At the top of the screen, there are 2 boxes: first is for the "Host Name" & the 2nd is for the "Domain Name". It stated that it did not need to be a registered domain name but for some reason one part stated that this was needed, AND under the instructions for the "Setup" page that "leaving these fields blank will work." So needless to say, I'm a little confused. What would be your suggestion for this??

I hope I'm not being too much of a pest with all of these questions, but I find that info from someone that actually does what you are trying to learn is much better than just reading books & articles.

Thanks so much for your help!!! Everything certainly has been VERY useful!!!

Rob Williams:
>>"Would it be better to use the "IP address of a single computer" for this Remote Security Group Type on each of the connecting sites?? "
That is better if you want to restrict access.

>>"Also, this server has 2 NICs, so would it be any advantage to assigning different IP's to each card, or do you have to??"
Are both cards enabled? If so they must have different IP's. Usually one would be in the same subnet as the local computers and the other would be a different subnet and connect to the router/Internet. Very important the router points to the latter. Make sure your server can connect to the Internet before getting the VPN configured.

>>""Host Name" & the 2nd is for the "Domain Name""
Leave these blank as they are not needed. I often under host put a name of some sort to identify the unit. This is something like a city name, just to help keep me organized, but will not affect your connection.

>>"I hope I'm not being too much of a pest with all of these questions"
Not at all. Once you have one working you will wonder what all the fuss was about, but hindsight is 20/20. The configuration is a little bit flexible so long as you make all VPN settings the same on both routers except for the obvious ones that have to be opposites. When possible for your initial set up choose defaults.
Blinkr (asker):
>>"Also, this server has 2 NICs, so would it be any advantage to assigning different IP's to each card, or do you have to??"
>>"Are both cards enabled? If so they must have different IP's. Usually one would be in the same subnet as the local computers and the other would be a different subnet and connect to the router/Internet. Very important the router points to the latter. Make sure your server can connect to the Internet before getting the VPN configured."

I thought this was so, but needed to ask anyway.

By saying this "Very important the router points to the latter", did you mean that the router points to the internet or the 2nd NIC??

>>Usually one would be in the same subnet as the local computers and the other would be a different subnet and connect to the router/Internet.

I had one NIC plugged into a wire going to the router & the other was going to a switch on the local network. But I didn't set the IP's for them. That may be one of the reasons VPN isn't working now. The users on the local network are getting to the server without any trouble. But I just need to get the remotes connected.

Yea, after I get one working I probably WILL wonder why I was making so much out of this stuff!!!!

Thanks again!!
Rob Williams (accepted solution):
Thanks Chris. Good luck.
--Rob
Blinkr (asker):
If anything comes up that is related to this topic, is it fine for me to post it here for you to answer??

Rob Williams:
Best bet is to post a new question so more people see it, as this will go more or less dormant after awhile. If you want to bring it to my attention, send an e-mail, including a link to the question, to the address in my profile (click on RobWill)
Blinkr (asker):
I would sort of like to have the outside sites just have access to the server that is running the app they need. So I guess it would be best to have one of the server's NICs going to the router & the other NIC connected to the local network for the users that need to connect to the server for their use of the app. All users within the local network have internet thru the switch I have everyone connected to. That switch also connects to the router to get out onto the net.

But I should give each NIC a different IP. Should these be from different subnets? Such as VPN NIC: 192.168.3.1 & local NIC: 192.168.2.1? Or can I use something like: 192.168.1.1 & 192.168.1.2 for each? Maybe you have a better suggestion for these.

You also stated that "...make sure your LAN DHCP range does not include any manually assigned IP's such as your router, servers, or print servers". I have a printer on the local network (networkable printer) that everyone on the local network uses. It has an IP of 192.168.1.125. The LAN DHCP server (the router) has a range of 192.168.1.100-150 for all of the users. The server is 192.168.1.1. Should I change this printer to something like 192.168.1.50, which is out of the DHCP range but still in the LAN subnet? Or do you think it will be fine where it is? We haven't had any problems with this setup.

Thanks!! I apologize for posting more questions after I've given the points!! ;))

Rob Williams:
You can have issues with 2 network cards configured for the same subnet, and it offers no additional security (except different firewall configurations). There really is no need in this case for 2 cards. Any resources on your network can be controlled with permissions for users or groups and the VPN can be set up with access to just the one IP rather than the subnet. Two network cards can work fine in different configurations, but I believe in keeping things as simple as possible. If you don't need it, don't add it. The simpler the configuration the easier it is to troubleshoot a year from now when you have a problem.

Yes I would move the Printer IP outside of the DHCP range or change the DHCP range. Often good to decide on a grouping for your IP's such as:
Servers x.x.x.1-10
Printers x.x.x.20-50
Static User IP's x.x.x.100-150
DHCP Users IP's x.x.x.151-200
Routers x.x.x.240-254

You say your DHCP server is the router. If possible I would highly recommend changing so that the server is the DHCP server, assuming it is a proper server operating system, like Server 2000/2003. Using the server's DHCP service allows you far more control, stability, and allows for central management.
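Two checks in this thread are easy to get wrong by hand and cheap to automate: Rob's point that the two ends of a tunnel (and a router's LAN and WAN side) must not share a subnet, and his point that manually assigned hosts such as the printer at 192.168.1.125 must not sit inside the router's DHCP pool. The script below is an added example, not code from the thread or from Linksys; the site names, addresses and the 203.0.113.0/24 "public" address are constructed to mirror the situation described above, and the address plan simply maps Rob's grouping onto a /24 of your choosing.

```python
"""Pre-flight checks for a site-to-site VPN address plan.

Added example (not from the thread or from the RV042 firmware); the sites,
hosts and addresses in __main__ are constructed to mirror the discussion.
"""
import ipaddress

# Rob's suggested grouping, expressed as host-number offsets within a /24.
PLAN_GROUPS = {
    "servers": (1, 10),
    "printers": (20, 50),
    "static users": (100, 150),
    "dhcp users": (151, 200),
    "routers": (240, 254),
}


def overlapping_subnets(subnets):
    """Return sorted pairs of names whose networks overlap.

    Any overlap between the two ends of a tunnel, or between a router's LAN
    and WAN side, means the router cannot tell local from remote traffic.
    """
    nets = {name: ipaddress.ip_network(cidr, strict=False)
            for name, cidr in subnets.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def statics_inside_dhcp(dhcp_start, dhcp_end, static_hosts):
    """Names of manually addressed hosts that sit inside the DHCP pool."""
    lo, hi = ipaddress.ip_address(dhcp_start), ipaddress.ip_address(dhcp_end)
    return sorted(name for name, ip in static_hosts.items()
                  if lo <= ipaddress.ip_address(ip) <= hi)


def address_plan(lan_cidr):
    """Map PLAN_GROUPS onto a concrete /24, as role -> (first, last)."""
    net = ipaddress.ip_network(lan_cidr, strict=False)
    if net.prefixlen != 24:
        raise ValueError("the grouping above is defined for a /24 only")
    base = int(net.network_address)
    return {role: (str(ipaddress.ip_address(base + lo)),
                   str(ipaddress.ip_address(base + hi)))
            for role, (lo, hi) in PLAN_GROUPS.items()}


def audit(subnets, dhcp_range, static_hosts):
    """Collect human-readable findings for the whole setup."""
    findings = []
    for a, b in overlapping_subnets(subnets):
        findings.append(f"subnet overlap: {a} ({subnets[a]}) and {b} ({subnets[b]})")
    for name in statics_inside_dhcp(*dhcp_range, static_hosts):
        findings.append(f"static host '{name}' ({static_hosts[name]}) lies inside "
                        f"DHCP pool {dhcp_range[0]}-{dhcp_range[1]}")
    return findings


if __name__ == "__main__":
    # Constructed sample data mirroring the thread's situation.
    SITES = {
        "main LAN": "192.168.1.0/24",
        "home LAN": "192.168.1.0/24",     # same as main: QuickVPN cannot route it
        "site B LAN": "192.168.20.0/24",
        "main WAN": "203.0.113.10/30",   # documentation range standing in for the ISP static
    }
    DHCP = ("192.168.1.100", "192.168.1.150")
    STATICS = {"server": "192.168.1.1", "printer": "192.168.1.125"}
    for line in audit(SITES, DHCP, STATICS):
        print("FINDING:", line)
    for role, (first, last) in address_plan("192.168.20.0/24").items():
        print(f"{role:>13}: {first} - {last}")
```

Run it before touching either router: an empty findings list means the two overlap rules are satisfied and the pool is clean, and the printed plan gives you the ranges to type into the DHCP and static settings at each site.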
Blinkr (asker):
>>You say your DHCP server is the router. If possible I would highly recommend changing so that the server is the DHCP server, assuming it is a proper server operating system, like Server 2000/20003.  Using the servers DHCP service allows you far more control, stability, and allows for central management.
I've configured the server (Windows 2k3) as a stand-alone server because all it is needed for is this one app. I would sort of like to keep it that way until they decide to do their own email & website. So if I make the server the DHCP server then everyone has to log into the server when they startup & I will have to make sure we have enough user licenses, also. The only reason that they have put in a server to begin with was because we couldn't get more than one Remote Desktop access to this program with Windows XP. So you can see where this isn't a normal Windows 2k3 Server network environment. So I would like to keep the router doing the DHCP stuff. But what you say makes a lot of sense & would be the correct thing to do in another environment. I will keep this note for the future when they decide to do a full blown network with all of the internet goodies.

The groups you listed are a very good idea. I believe I will take you up on that. After all, you are the expert here!!!

As far as the 2 network cards, I will disable one & setup the VPN's to just access the server only. This makes sense also. AND I can switch over the additional NIC if something goes wrong with the one I'm using. I don't know if this is a problem or not but when I installed the Terminal Server, it noted that I had 2 NICs & told me to make the other one active & on the net. Will this create a problem if I disable one, AND will there be problem with Terminal Server & the 5 device CAL's I installed with only 1 NIC?? Something else: do you know how to change Terminal Services Device CAL's into User CAL's??? I think I made a mistake in ordering Device instead of User CAL's.

Thanks for sticking with me on this!!!

Rob Williams:
In your situation I can see leaving the router as the DHCP server, though users do not have to log on to the server or even be a domain member to make DHCP requests. The IP's are handed out before logon takes place.

You could leave your 2 NIC's enabled. If one points to the Internet and one the LAN (common) they are likely on different subnets. Usually this is done if you want to insert the server between the Internet and the users to control access.

I don't know how you convert the CAL's; it seems to me you have the option during installation, as you do with basic server configuration, but after the fact I don't know. You may have to call MS. Are you sure they are not in Per User mode? Terminal server automatically is set up with 120 day temporary licenses which can only be per device. When you add your purchased CAL's they are usually installed in per user mode. When you are looking at your TS licensing manager console are you looking at your temporary licenses or purchased licenses?

For the record, from MS:
Q. Will I be allowed to switch between Windows Device CAL's and Windows User CAL's? What about TS CAL's?

If your Windows CAL's are covered under Software Assurance (SA), you have a one-time right to convert Device CAL's to User CAL's mid-contract. You can also convert those Windows CAL's from Device CAL's to User CAL's, or vice versa, when you renew your SA contract. If your Windows CAL's are not covered under SA, you may not switch; your choice is permanent. This also applies to TS CAL's.

Blinkr (asker):
Oh, I wasn't aware that users didn't have to login to get their IP from the Win 2k3 server.

I don't have any reason to limit the users to internet access. If I wanted to keep someone off, I would just do it from the router. I had to do that for another client. So putting the VPN connection on one of the NIC's & making the Security Group Type (Local or Remote) use "single IP address" wouldn't keep them from seeing the LAN at the location with the server, correct?? That was the reason for ordering the server with 2 NICs.

I have seen posts on this list that have referred to changing the CAL's from device to user by doing some sort of registry edit. I haven't been able to find it in the last couple of searches I have done. I was referring to TS CAL's. Windows 2k3 Server came with 5 users, so I think we have enough of those. But I may have to get more TS CAL's in the near future. I will get User CAL's then. But I will only need them for those accessing the server from the VPN connections anyway, correct???

I'm not sure about the SA's. I bought them retail over the net. I'm looking at the "MS Open License Order Confirmation" now. It doesn't say anything about SA in it. How can I tell, or should I just contact MS about this?? I probably should just call them about it. I probably will just keep it the way it is & if I need any more TS licenses, just get User CAL's from now on. I had read about the 120 day "trial" users when I was getting info on the TS.

Thanks again!!

Rob Williams:
>>"Oh, I wasn't aware that users didn't have to login to get their IP from the Win 2k3 server."
They can't logon until they have already received their IP address. One of the concerns with DHCP can be that an unauthorized user can plug into an unattended network outlet and be on your network in minutes. Still has to deal with authentication.

>>"wouldn't keep them from seeing the LAN at the location with the server, correct?? "
I am not aware of a way of restricting users by NIC. If both NIC's are of the same subnet users can at least ping all devices, however your Group permissions and Active Directory control what they have access to.

Guessing you don't have SA (Software Assurance). It is not too popular these days. If you purchase SA on something like Windows XP it guarantees you a free upgrade to the new version within 3 years, however you pay something like 50% more and if no new software is released you are out of luck. I'll probably be shot down by someone for that definition, but MS licensing and SA is a field of its own. I know several small computer support/sales firms that have 1 person that does nothing but licensing. You can also mix per user and per server/device CALs.