Disaster Recovery as a Service is one go-to solution that revolutionizes DR planning. Implementing DRaaS could be an efficient process, easily accessible to non-DR experts. Learn about monitoring, testing, executing failovers and failbacks to ensure a "healthy" DR environment.
Solved
DI-808HV VPN Router and VPN Server Setup
Posted on 2006-06-18
Greetings;
The topography of my network is at http://test.bachandbach.com/Visio-Network%20Topography.pdf
My forte is programming and not networking. Any assistance on getting VPN to work and clueing me in on what I need to obtain to make it work would be most helpful.
I want to allow one or more users to connect to my LAN using VPN through a DI-808HV VPN Broadband Router. I have attempting several tries using the manual which came with the router, the D-Link site and looking at a few posts in this forum. I'm not have good luck.
In the mean time I am going to attempt to tell ther VPN router to forward incoming packets for port 1723 to the specific box accepting incoming connections.
A specific question I have in this scenario, what is meant by a VPN Server? Does this refer to software on the box accepting connections or the VPN router or something else entirely? If its software on the box accepting connections is in built-in to Windows XP Pro SP2 or do I need to obtain a license for separate software?
Much thanks ... David
The topography of my network is at http://test.bachandbach.com/Visio-Network%20Topography.pdf
My forte is programming and not networking. Any assistance on getting VPN to work and clueing me in on what I need to obtain to make it work would be most helpful.
I want to allow one or more users to connect to my LAN using VPN through a DI-808HV VPN Broadband Router. I have attempting several tries using the manual which came with the router, the D-Link site and looking at a few posts in this forum. I'm not have good luck.
In the mean time I am going to attempt to tell ther VPN router to forward incoming packets for port 1723 to the specific box accepting incoming connections.
A specific question I have in this scenario, what is meant by a VPN Server? Does this refer to software on the box accepting connections or the VPN router or something else entirely? If its software on the box accepting connections is in built-in to Windows XP Pro SP2 or do I need to obtain a license for separate software?
Much thanks ... David
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
-
6
5
2
13 Comments
Check this out
1. http://www.windowsnetworking.com/j_helmig/xpvpnsrv.htm
2.
http://www.windowsnetworking.com/j_helmig/vpn.htm
3.
http://www.onecomputerguy.com/networking/xp_vpn_server.htm
4.
http://en.wikipedia.org/wiki/Virtual_private_network
All queries answered .
If you liked it.
Reps
points
1. http://www.windowsnetworking.com/j_helmig/xpvpnsrv.htm
2.
http://www.windowsnetworking.com/j_helmig/vpn.htm
3.
http://www.onecomputerguy.com/networking/xp_vpn_server.htm
4.
http://en.wikipedia.org/wiki/Virtual_private_network
All queries answered .
If you liked it.
Reps
points
Active 3 days ago
The simplest way to set up the VPN, would be to configure the D-Link to accept incoming PPTP VPN connections. The following link is quite specific as to how to set up th DI-808HV and the Windows client:
http://support.dlink.com/faq/view.asp?prod_id=1439&question=DI-804HV%20/%20DI-808HV
As for the rest of the configuration, leave DHCP enabled on the 808HV as you have now. On the other routers make sure it is disabled.
I fail to see the advantage of adding the BEFSR41. There is no need for it at all. If you need additional ports for multiple computers just add a basic switch, or you could use the 4 LAN ports only of the BEFSR41.
As for the wireless router, the WRT54G, it could be configured as an access point. To do so:
-do not configure the WAN section
-assign it's LAN configuration an IP in the same subnet as the existing 808HV LAN, such as 192.168.1.2
-again, make sure DHCP is disabled
-connect a cable between one of the LAN ports of the 808HV and one of the LAN ports of the WRT54G. Do not connect to the WAN port of the WRT54G
-now configure the wireless as you would normally. All users can connect and receive a DHCP IP from the 808HV and will be able to share local resources
-I believe both of these devices are auto-detect but check that a connection light come on on each when you plug in the cable. If not you will need a cross-over cable
As for Windows XP firewall settings. The connecting client will be using an outgoing connection. If any changes are required the firewall will ask if you want to allow the service. Click un-block and it will make any necessary configuration changes.
On the XP machines on the 192.168.1.x network. They will only need firewall adjustments if you wish to allow sharing of services. I assume you will want file and print sharing. When you enable file and print sharing it should automatically be configured, but if not open the firewall and make the necessary changes:
control panel | Windows Firewall |Exceptions |check File and Printer sharing. You shouldn't have any problem with the VPN user accessing the shares but if you do , go back to the exception page, highlight File and Print Sharing and click edit, then change Scope. Check the box "any computer (including those on the Internet)". The 808HV will actually not allow any Internet users access to the computer except the VPN users.
http://support.dlink.com/faq/view.asp?prod_id=1439&question=DI-804HV%20/%20DI-808HV
As for the rest of the configuration, leave DHCP enabled on the 808HV as you have now. On the other routers make sure it is disabled.
I fail to see the advantage of adding the BEFSR41. There is no need for it at all. If you need additional ports for multiple computers just add a basic switch, or you could use the 4 LAN ports only of the BEFSR41.
As for the wireless router, the WRT54G, it could be configured as an access point. To do so:
-do not configure the WAN section
-assign it's LAN configuration an IP in the same subnet as the existing 808HV LAN, such as 192.168.1.2
-again, make sure DHCP is disabled
-connect a cable between one of the LAN ports of the 808HV and one of the LAN ports of the WRT54G. Do not connect to the WAN port of the WRT54G
-now configure the wireless as you would normally. All users can connect and receive a DHCP IP from the 808HV and will be able to share local resources
-I believe both of these devices are auto-detect but check that a connection light come on on each when you plug in the cable. If not you will need a cross-over cable
As for Windows XP firewall settings. The connecting client will be using an outgoing connection. If any changes are required the firewall will ask if you want to allow the service. Click un-block and it will make any necessary configuration changes.
On the XP machines on the 192.168.1.x network. They will only need firewall adjustments if you wish to allow sharing of services. I assume you will want file and print sharing. When you enable file and print sharing it should automatically be configured, but if not open the firewall and make the necessary changes:
control panel | Windows Firewall |Exceptions |check File and Printer sharing. You shouldn't have any problem with the VPN user accessing the shares but if you do , go back to the exception page, highlight File and Print Sharing and click edit, then change Scope. Check the box "any computer (including those on the Internet)". The 808HV will actually not allow any Internet users access to the computer except the VPN users.
Active 3 days ago
Hi ded9;
In looking at the first link you mention (http://www.windowsnetworking.com/j_helmig/xpvpnsrv.htm) I read the following text:
============ START OF TEXT
When you connect directly via a modem, using a phone-line, or via broadband ( cable modem or DSL/ADSL modem), your systems is getting an Internet IP-address assigned.
when you connect via a router (often the functions of Modem and Router are integrated into a single box, called ADSL-router ) then the router will have an Internet IP-address assigned, while all connected systems will use a local network IP-address, the router handles the communication from the PC's to the internet via IP-address translation (NAT), but that makes it impossible to connect from the internet through the router to a system on the LAN, no connection can be established from the Internet to a VPN-server on the local network.
============ END OF TEXT
This would indicate it is impossible to establish a VPN connection when the VPN Server is a local resource behind a router.
Hi RobWill;
One aspect I do not understand in the DI-808HV instructions is the assignment of the Virtual IP of PPTP Server. This instructions state:
============ START OF TEXT
Insert the Virtual IP of the PPTP Server (IE 192.168.2.1). This must be different from the LAN IP Address.
============ ENDOF TEXT
My LAN addresses are from 192.168.1.100 to 192.168.1 199 and are assigned by the VPN router'S DHCP. If I assign the box accepting incoming connections to, for example, 192.168.2.1 this might satisfy the requirements of the VPN server via the VPN router, however, I would then not have access from other computers on my LAN to the computer accepting incoming connections and visa versa. (Very confused).
The User Name and Password I enter in the configuration for PPTP Server, does this need to match the user id and password in one of the user accounts on the box accepting incoming connections?
Much thanks ... David
In looking at the first link you mention (http://www.windowsnetworking.com/j_helmig/xpvpnsrv.htm) I read the following text:
============ START OF TEXT
When you connect directly via a modem, using a phone-line, or via broadband ( cable modem or DSL/ADSL modem), your systems is getting an Internet IP-address assigned.
when you connect via a router (often the functions of Modem and Router are integrated into a single box, called ADSL-router ) then the router will have an Internet IP-address assigned, while all connected systems will use a local network IP-address, the router handles the communication from the PC's to the internet via IP-address translation (NAT), but that makes it impossible to connect from the internet through the router to a system on the LAN, no connection can be established from the Internet to a VPN-server on the local network.
============ END OF TEXT
This would indicate it is impossible to establish a VPN connection when the VPN Server is a local resource behind a router.
Hi RobWill;
One aspect I do not understand in the DI-808HV instructions is the assignment of the Virtual IP of PPTP Server. This instructions state:
============ START OF TEXT
Insert the Virtual IP of the PPTP Server (IE 192.168.2.1). This must be different from the LAN IP Address.
============ ENDOF TEXT
My LAN addresses are from 192.168.1.100 to 192.168.1 199 and are assigned by the VPN router'S DHCP. If I assign the box accepting incoming connections to, for example, 192.168.2.1 this might satisfy the requirements of the VPN server via the VPN router, however, I would then not have access from other computers on my LAN to the computer accepting incoming connections and visa versa. (Very confused).
The User Name and Password I enter in the configuration for PPTP Server, does this need to match the user id and password in one of the user accounts on the box accepting incoming connections?
Much thanks ... David
Active 3 days ago
David I haven't set up the D-Link but VPN's require different subnets on the 2 ends of the tunnel. This is so that any routing devices know where to send the packets. If they were the same it wouldn't know where to send a packet to the local or remote network. In the case of the D-Link I would say the office (192.168.1.0), the D-Link virtual network (192.168.2.0) and the remote site (192.168.x.0) all have to be different. However, that doesn't mean the devices cannot connect. Unlike a local network where they all have to be on the same subnet, the purpose of a router is to allow communications between 2 subnets. Therefore you shouldn't have any problem.
As for the user name and password, they do not need to match anything. Assign whatever you like on the router and that is what the user will need to connect to the VPN router. However, once connected when they try to access a resource such as a file share they will be asked to provide an acceptable network/windows user name and password for the first connection. Depending on how the D-Link works if the user is already logged on to their computer with acceptable credentials they may be passed on. The other extreme is they have to provide a domain name with user name and password such as MyDomain.abc\MyName or MyName@MyDomain.abc
Also:
>>"This would indicate it is impossible to establish a VPN connection when the VPN Server is a local resource behind a router."
Is your modem a combined modem and router ? If not just ignore, if it is you will need to log on to the modem and change it from NAT mode to Bridge mode, effectively making it a basic modem.
As for the user name and password, they do not need to match anything. Assign whatever you like on the router and that is what the user will need to connect to the VPN router. However, once connected when they try to access a resource such as a file share they will be asked to provide an acceptable network/windows user name and password for the first connection. Depending on how the D-Link works if the user is already logged on to their computer with acceptable credentials they may be passed on. The other extreme is they have to provide a domain name with user name and password such as MyDomain.abc\MyName or MyName@MyDomain.abc
Also:
>>"This would indicate it is impossible to establish a VPN connection when the VPN Server is a local resource behind a router."
Is your modem a combined modem and router ? If not just ignore, if it is you will need to log on to the modem and change it from NAT mode to Bridge mode, effectively making it a basic modem.
Active 3 days ago
Hi RobWill;
The Comcast Cable modem I have is a SUREboard sb5100 modem. It has 1 cable input, 1 Ethernet port and 1 USB port. The USB port isn't in use. This does not sound like a router.
So ... if the office LAN has a subnet of 192.168.1.0, BUT the specific box designated as the PPTP server within the LAN has a subnet of 192.168.2.0 this doesn't preclude the sharing of resources between the PPTP server box and other boxes on the LAN?
The computer with the VPN client uses a Verizon broadband wireless connection. I will check what the IP is next time but I suspect it is a public IP.
Much thanks ... David
The Comcast Cable modem I have is a SUREboard sb5100 modem. It has 1 cable input, 1 Ethernet port and 1 USB port. The USB port isn't in use. This does not sound like a router.
So ... if the office LAN has a subnet of 192.168.1.0, BUT the specific box designated as the PPTP server within the LAN has a subnet of 192.168.2.0 this doesn't preclude the sharing of resources between the PPTP server box and other boxes on the LAN?
The computer with the VPN client uses a Verizon broadband wireless connection. I will check what the IP is next time but I suspect it is a public IP.
Much thanks ... David
Active 3 days ago
I deactivated the entry in the Virtual Server administration of the D-Link router to handle PPTP traffic.
Active 3 days ago
The current IP of the Verizon broadband wireless is 70.199.59.10 which is a public IP.
Much thanks ... David
Much thanks ... David
Active 3 days ago
>>"SUREboard sb5100 modem"
Maybe Surfboard 5100 ? If so it's a basic modem and you will have no problem.
>>" if the office LAN has a subnet of 192.168.1.0, BUT the specific box designated as the PPTP server within the LAN has a subnet of 192.168.2.0 this doesn't preclude the sharing of resources between the PPTP server box and other boxes on the LAN?"
The virtual IP can be outside of the local subnet , but the configured LAN IP of the router must stay within the LAN subnet, i.e. 192.168.1.0 The D-ling will handle the routing between the 192.168.1.0 and 192.168.2.0 subnets. I suspect this is so that it can properly assign an IP to the VPN client.
>>"The computer with the VPN client uses a Verizon broadband wireless connection. I will check what the IP is next time but I suspect it is a public IP."
The WAN IP would be public but the LAN needs to be other than 192.168.1.0 or 192.168.2.0
If they have any problem connecting, try using a wireless connection, if possible, just as a test.
>>" deactivated the entry in the Virtual Server administration of the D-Link router to handle PPTP traffic."
Why?
Maybe Surfboard 5100 ? If so it's a basic modem and you will have no problem.
>>" if the office LAN has a subnet of 192.168.1.0, BUT the specific box designated as the PPTP server within the LAN has a subnet of 192.168.2.0 this doesn't preclude the sharing of resources between the PPTP server box and other boxes on the LAN?"
The virtual IP can be outside of the local subnet , but the configured LAN IP of the router must stay within the LAN subnet, i.e. 192.168.1.0 The D-ling will handle the routing between the 192.168.1.0 and 192.168.2.0 subnets. I suspect this is so that it can properly assign an IP to the VPN client.
>>"The computer with the VPN client uses a Verizon broadband wireless connection. I will check what the IP is next time but I suspect it is a public IP."
The WAN IP would be public but the LAN needs to be other than 192.168.1.0 or 192.168.2.0
If they have any problem connecting, try using a wireless connection, if possible, just as a test.
>>" deactivated the entry in the Virtual Server administration of the D-Link router to handle PPTP traffic."
Why?
Hi Pal
You have not read the full article it further says
possible solution: if you can get from your ISP ( Internet Service Provider ) 2 IP-addresses,
one for the router and one for a second system and if you can configure the router to allow
to connect onto the local network to the VPN-server, to which the 2nd Internet IP-address
is assigned to.
please read the full article
Reps
You have not read the full article it further says
possible solution: if you can get from your ISP ( Internet Service Provider ) 2 IP-addresses,
one for the router and one for a second system and if you can configure the router to allow
to connect onto the local network to the VPN-server, to which the 2nd Internet IP-address
is assigned to.
please read the full article
Reps
Active 3 days ago
Hi RobWill;
Oops! ... I stand corrected ... it is SURFboard ... Thank you!
I deactivated the PPTP routing because it was something I tried not knowing what effect it might have. Since it does not appear to have an effect (at least at the moment) I reversed the change I made earlier which was to activate it. I like to keep administration as clean, neat and straight forward as possible.
To answer your ealier question as to why I have a LinkSys router, it was an extra router and I'm using it to expand the number of available Ehternet ports I have ... there is no other reason than this.
Ok. I did successfully connect to ... something ... from my VPN client. I say "something" because during the time I was connected I checked the status of the D-Link VPN router but it showed no VPN connections. I also checked the status of the box enabled to receive connections and it showed none. But I did successfully become authenticated on the client machine and when I executed the ipconfig command I saw 192.168.2.2 as the second IP associated with my laptop. (The first IP was public corresponding to the Verizon broadband wireless card.) So, progress has been made, I think. This is the first time I've connected to ... something.
On the VPN server box in the TCP properties of the VPN network object I indicated an address range from 192.168.2.1 through 192.168.2.250 which corresponds to the Vitural VPN Server subnet of 192.168.2.0. The LAN IP for this same box I left at 192.168.1.xxx where xxx is dynamically assigned via DHCP from the VPN router.
Does networking usually seem this complex?
I will continue this tomorrow evening.
Hi ded9;
Yes! ... I did read the entire article. I will investigate a second public IP from Comcast as a later resort if other solutions fail.
Much thanks ... David
Oops! ... I stand corrected ... it is SURFboard ... Thank you!
I deactivated the PPTP routing because it was something I tried not knowing what effect it might have. Since it does not appear to have an effect (at least at the moment) I reversed the change I made earlier which was to activate it. I like to keep administration as clean, neat and straight forward as possible.
To answer your ealier question as to why I have a LinkSys router, it was an extra router and I'm using it to expand the number of available Ehternet ports I have ... there is no other reason than this.
Ok. I did successfully connect to ... something ... from my VPN client. I say "something" because during the time I was connected I checked the status of the D-Link VPN router but it showed no VPN connections. I also checked the status of the box enabled to receive connections and it showed none. But I did successfully become authenticated on the client machine and when I executed the ipconfig command I saw 192.168.2.2 as the second IP associated with my laptop. (The first IP was public corresponding to the Verizon broadband wireless card.) So, progress has been made, I think. This is the first time I've connected to ... something.
On the VPN server box in the TCP properties of the VPN network object I indicated an address range from 192.168.2.1 through 192.168.2.250 which corresponds to the Vitural VPN Server subnet of 192.168.2.0. The LAN IP for this same box I left at 192.168.1.xxx where xxx is dynamically assigned via DHCP from the VPN router.
Does networking usually seem this complex?
I will continue this tomorrow evening.
Hi ded9;
Yes! ... I did read the entire article. I will investigate a second public IP from Comcast as a later resort if other solutions fail.
Much thanks ... David
Active 3 days ago
It sounds like everything is configured correctly. Once you connect to the VPN server (the D-Link) you may not be able to "see" anything. One test is to connect to the D-Link using it's normal LAN IP 192.168.1.x If you can do that the VPN is working. Next if you have any software firewalls on the PC/servers you wish to connect to, they must be configured to accept the connections. For now as a test just disable them. Then NetBIOS names are not often available over a VPN (there are ways around this) so try connecting to a share using the IP address such as \\192.168.1.123\ShareName Remember the 192.168.2.0 network is virtual, pretend it doesn't exist.
>>"Does networking usually seem this complex?"
Mmmmmmm.....and you are just at the tip of the iceberg. When you get into serious networking there is as much to know about it, as there is server operating systems. On a scale of 1 to 10 I am a 2 but there are 9's and 10's here.
>>"Does networking usually seem this complex?"
Mmmmmmm.....and you are just at the tip of the iceberg. When you get into serious networking there is as much to know about it, as there is server operating systems. On a scale of 1 to 10 I am a 2 but there are 9's and 10's here.
Active 3 days ago
Hi RobWill;
Thank you for you patience and perseverance in helping me. The client who was asking me for a solution decided not to implement VPN, however, I learned quite a bit from you.
Much thanks ... David
Thank you for you patience and perseverance in helping me. The client who was asking me for a solution decided not to implement VPN, however, I learned quite a bit from you.
Much thanks ... David
Featured Post
Before moving to the cloud, it is important to carefully define your db needs, plan for the migration & understand prod. environment. This wp explains how to define what you need from a cloud provider, plan for the migration & what putting a cloud solution into practice entails.
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
Most of the applications these days are on Cloud. Cloud is ubiquitous with many service providers in the market. Since it has many benefits such as cost reduction, software updates, remote access, disaster recovery and much more.
This article will show how Aten was able to supply easy management and control for Artear's video walls and wide range display configurations of their newsroom.
- Networking Hardware-Other
- MultiMedia Applications
- Switches / Hubs
- Displays / Monitors
- ATEN Technology
- Hardware, Network Architecture, *Kernel-based Virtual Machine (KVM)
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…
Suggested Courses
Course of the Month11 days, 19 hours left to enroll
730 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.