Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 437
  • Last Modified:

how does the VPN thingie work in reality?

So I have received two identical firewalls from HQ (netgear prosafe)

I have set them up and am about to configure a VPN between our two local offices, here are my questions:

1 - When I enable the VPN, does that equal as if i was connecting the two offices to each other with network cable? As in will that office now be getting their DHCP addresses from the other office, have access to network resources, printers etc?

2 - is there anything I need to do in the other office to make the two networks see eachother except for setting up the VPN tunnel?
0
somewhereinafrica
Asked:
somewhereinafrica
  • 5
  • 4
  • 2
  • +1
3 Solutions
 
paul_mountcastleCommented:
1. If you set-up a point-to-point VPN, it will be as if both offices are connected via a network cable; however, I would suggest creating 2 different subnets (one at each office) and using either their respective Netgear devices or Windows DHCP servers answer DHCP requests.

2. There should be nothing more to do than create the P2P VPN tunnel between the two firewalls. This may entail creating objects on each firewall with their respective rules.
0
 
somewhereinafricaAuthor Commented:
SO as I understand it:

1 - As soon as i successfully create the VPN connection, magically the server in office-X will start thinking that it is on the local LAN here in the office-Y, and will start acting accordingly

2 - I will use the firewall to run DHCP at office-X and I will use the domain controller here at office-Y and this is the best way forward?

3 - Does the firewall differentiate between local internet connection and going through the "mother server" back at the office-Y? (as in it will use the local connection at office-x for internet requests instead of trying to go over the VPN, and use our gateway here at office-Y)

0
 
paul_mountcastleCommented:
Think of it this way:

Office X
192.168.1.x/24
DHCP using Netgear

Office Y
192.168.10.x/24
DHCP using PDC

You'll need to creating some routing on the firewall in order to let office x resources know that they can reach office y resources through the P2P connection. I've typically done this using my core switch act as the default gateway for the specific location. This routing will also let each specific office go out it's own Internet breakout (using a quad-zero ip route), if that's what you want to do.

To answer your questions:

1. They will know about each other once you tell each respective resource how to reach the other.

2. It's my opinion that this is the best method for DHCP.

3. The FW should, based on your routing for each location.
0
Lessons on Wi-Fi & Recommendations on KRACK

Simplicity and security can be a difficult  balance for any business to tackle. Join us on December 6th for a look at your company's biggest security gap. We will also address the most recent attack, "KRACK" and provide recommendations on how to secure your Wi-Fi network today!

 
somewhereinafricaAuthor Commented:
Ok, so I got the link up and running.

It is basically working as far as that I can ping the server in the other office, and i successfully connected to one of the network printers from one office to the other (by typing in the local IP and the internal web server showed the status page and what not).

However - I could not connect to the server via "\\server_name\share_name

or at least it timed out.... It did ask me for access password - which was strange since the user that was logged on to the computer i was trying from should have full access rights to the network and the shared folder - so some sort of connection was definitely made.

It might have timed out or something....

however, surely there must be something that I can do to make the routing easier - i thought to myself.

so, look at the included image and tell me, should i not put some routes in there?
For example, my AD-DC is on 192.168.0.2 and is named "server.domain_name.local", should I not put one of those routes  in there?
routing.jpg
0
 
BokisCommented:
Follow paul_mountc…'s advice to get your site-to-stie vpn connection up.
What I would do from office X to access resources in office Y via dns names is, make sure that device at office x is configured with DNS IP located on ofice Y.
 In fact, when I am doing a server upgrade for a client, I have it ship directly to my shop and then I bring it up and join it to their domain etc etc before taking it onsite to plug in.  The reason I am able to do this is because I have site-to-site for most of my clients and during the configurations, I would be using the their dns on the new box that is being setup.
Getting DHCP and netbios to pass over vpn is another thing.....and can be done as well.
0
 
TasmantCommented:
For computers at location X be able to obtain their IP from DHCP server located in Y, then you should configure your router in location X to be DHCP relay (RFC 1542). Basically, when the DHCP relay intercept a DHCP request, it transfer this request to DHCP server. The DHCP server should be configured using two scopes, as X and Y network setup.

For SMB access accross VPN, I think you should review firewall rules.
You probably did not configured your router/firewall to accept SMB to go from X to Y, and reverse. Look on each firewall.
For troubleshooting purpose, you could set up rules to allow all :
- from X to Y on router X
- from X to Y on router Y

- from Y to X on router X
- from Y to X on router Y
0
 
somewhereinafricaAuthor Commented:
@Tasmat
Where would i set up this SMB access?
I mean ON THE FIREWALL obviously, but what 'setting' am i looking for to enable/disable SMB features across the VPN?
0
 
TasmantCommented:
You need to review the firewall rules.
SMB use TCP port 445.
But in order to enable access to share, more ports should be open between the source network and the destination network.
We haven't the firewall model, difficult to help you more
0
 
somewhereinafricaAuthor Commented:
oh, sorry, it's a NETGEAR ProSafe VPN Firewall FVS336GV2
0
 
TasmantCommented:
For DHCP relay :
ftp://downloads.netgear.com/files/FVS336Gv2_RM_14_April10v.pdf
Section : Choosing the VPN Firewall DHCP Options

For Firewall rules
Section : Using Rules to Block or Allow Specific Kinds of Traffic

Section : Attack Checks
Maybe use VPN Pass through in the Attack Checks. Seems to not filter VPN trafic.
0
 
somewhereinafricaAuthor Commented:
The VPN pass through is enabled by default...

I am running spiceworks on a server here in the other office, and it goes out and uses WMI to read infor from the machines. I have successfully run a scan on the network on 'the other side', so clearly IP is passing through well enough...

Look, maybe I am dumb. Is there anything I can do to test if some feature is blocked or not between the offices?

In the settings for the firewall it kind of feels like there shouldn't really be any more settings, since the mode that I am using is especially created for site-to-site...
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 5
  • 4
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now