somewhereinafrica
asked on
how does the VPN thingie work in reality?
So I have received two identical firewalls from HQ (netgear prosafe)
I have set them up and am about to configure a VPN between our two local offices, here are my questions:
1 - When I enable the VPN, does that equal as if i was connecting the two offices to each other with network cable? As in will that office now be getting their DHCP addresses from the other office, have access to network resources, printers etc?
2 - is there anything I need to do in the other office to make the two networks see eachother except for setting up the VPN tunnel?
I have set them up and am about to configure a VPN between our two local offices, here are my questions:
1 - When I enable the VPN, does that equal as if i was connecting the two offices to each other with network cable? As in will that office now be getting their DHCP addresses from the other office, have access to network resources, printers etc?
2 - is there anything I need to do in the other office to make the two networks see eachother except for setting up the VPN tunnel?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Think of it this way:
Office X
192.168.1.x/24
DHCP using Netgear
Office Y
192.168.10.x/24
DHCP using PDC
You'll need to creating some routing on the firewall in order to let office x resources know that they can reach office y resources through the P2P connection. I've typically done this using my core switch act as the default gateway for the specific location. This routing will also let each specific office go out it's own Internet breakout (using a quad-zero ip route), if that's what you want to do.
To answer your questions:
1. They will know about each other once you tell each respective resource how to reach the other.
2. It's my opinion that this is the best method for DHCP.
3. The FW should, based on your routing for each location.
Office X
192.168.1.x/24
DHCP using Netgear
Office Y
192.168.10.x/24
DHCP using PDC
You'll need to creating some routing on the firewall in order to let office x resources know that they can reach office y resources through the P2P connection. I've typically done this using my core switch act as the default gateway for the specific location. This routing will also let each specific office go out it's own Internet breakout (using a quad-zero ip route), if that's what you want to do.
To answer your questions:
1. They will know about each other once you tell each respective resource how to reach the other.
2. It's my opinion that this is the best method for DHCP.
3. The FW should, based on your routing for each location.
ASKER
Ok, so I got the link up and running.
It is basically working as far as that I can ping the server in the other office, and i successfully connected to one of the network printers from one office to the other (by typing in the local IP and the internal web server showed the status page and what not).
However - I could not connect to the server via "\\server_name\share_name
or at least it timed out.... It did ask me for access password - which was strange since the user that was logged on to the computer i was trying from should have full access rights to the network and the shared folder - so some sort of connection was definitely made.
It might have timed out or something....
however, surely there must be something that I can do to make the routing easier - i thought to myself.
so, look at the included image and tell me, should i not put some routes in there?
For example, my AD-DC is on 192.168.0.2 and is named "server.domain_name.local" , should I not put one of those routes in there?
routing.jpg
It is basically working as far as that I can ping the server in the other office, and i successfully connected to one of the network printers from one office to the other (by typing in the local IP and the internal web server showed the status page and what not).
However - I could not connect to the server via "\\server_name\share_name
or at least it timed out.... It did ask me for access password - which was strange since the user that was logged on to the computer i was trying from should have full access rights to the network and the shared folder - so some sort of connection was definitely made.
It might have timed out or something....
however, surely there must be something that I can do to make the routing easier - i thought to myself.
so, look at the included image and tell me, should i not put some routes in there?
For example, my AD-DC is on 192.168.0.2 and is named "server.domain_name.local"
routing.jpg
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
For computers at location X be able to obtain their IP from DHCP server located in Y, then you should configure your router in location X to be DHCP relay (RFC 1542). Basically, when the DHCP relay intercept a DHCP request, it transfer this request to DHCP server. The DHCP server should be configured using two scopes, as X and Y network setup.
For SMB access accross VPN, I think you should review firewall rules.
You probably did not configured your router/firewall to accept SMB to go from X to Y, and reverse. Look on each firewall.
For troubleshooting purpose, you could set up rules to allow all :
- from X to Y on router X
- from X to Y on router Y
- from Y to X on router X
- from Y to X on router Y
For SMB access accross VPN, I think you should review firewall rules.
You probably did not configured your router/firewall to accept SMB to go from X to Y, and reverse. Look on each firewall.
For troubleshooting purpose, you could set up rules to allow all :
- from X to Y on router X
- from X to Y on router Y
- from Y to X on router X
- from Y to X on router Y
ASKER
@Tasmat
Where would i set up this SMB access?
I mean ON THE FIREWALL obviously, but what 'setting' am i looking for to enable/disable SMB features across the VPN?
Where would i set up this SMB access?
I mean ON THE FIREWALL obviously, but what 'setting' am i looking for to enable/disable SMB features across the VPN?
You need to review the firewall rules.
SMB use TCP port 445.
But in order to enable access to share, more ports should be open between the source network and the destination network.
We haven't the firewall model, difficult to help you more
SMB use TCP port 445.
But in order to enable access to share, more ports should be open between the source network and the destination network.
We haven't the firewall model, difficult to help you more
ASKER
oh, sorry, it's a NETGEAR ProSafe VPN Firewall FVS336GV2
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
The VPN pass through is enabled by default...
I am running spiceworks on a server here in the other office, and it goes out and uses WMI to read infor from the machines. I have successfully run a scan on the network on 'the other side', so clearly IP is passing through well enough...
Look, maybe I am dumb. Is there anything I can do to test if some feature is blocked or not between the offices?
In the settings for the firewall it kind of feels like there shouldn't really be any more settings, since the mode that I am using is especially created for site-to-site...
I am running spiceworks on a server here in the other office, and it goes out and uses WMI to read infor from the machines. I have successfully run a scan on the network on 'the other side', so clearly IP is passing through well enough...
Look, maybe I am dumb. Is there anything I can do to test if some feature is blocked or not between the offices?
In the settings for the firewall it kind of feels like there shouldn't really be any more settings, since the mode that I am using is especially created for site-to-site...
ASKER
1 - As soon as i successfully create the VPN connection, magically the server in office-X will start thinking that it is on the local LAN here in the office-Y, and will start acting accordingly
2 - I will use the firewall to run DHCP at office-X and I will use the domain controller here at office-Y and this is the best way forward?
3 - Does the firewall differentiate between local internet connection and going through the "mother server" back at the office-Y? (as in it will use the local connection at office-x for internet requests instead of trying to go over the VPN, and use our gateway here at office-Y)