Connecting a server to two networks simultaneously

Is it possible to have multiple IP/gateway combinations on a computer? I have a scenario where a customer resides in a "shared" office space. They would like to install their own server. The addition of the server is not a real issue, I can install it on the same subnet as the existing network that is available to the shared office space, both wired and wireless. However, they would also like VPN access to the server remotely. That is where I am not sure how to proceed. Even if I acquire a separate internet connection and firewall and connect it to the server, how do I make the server able to be connected to both networks simultaneously so they can access it remotely via the separate internet connection/firewall combination and also be connected to the shared office subnet (when onsite) so they can have wifi or wired access to the server as well as being able to access the shared printers that are available on the shared office space network.

Any insight would be appreciated.
David Barman Asked:

Jose Gabriel Ortega Castro (EE Rookie/Solution Guide/Topic Advisor and CEO Faru Bonon IT) Commented:
Well, you just need 2 NICs on the server:
one connected to the regular network and the other to the other one.

The only difference would be that you have one IP set manually with a default gateway and another one with no default gateway,
since they will be connecting using the internal IP and the VPN will manage it with the firewall using the internal address, because the external address (the public one) will be on the firewall.
David Barman (Author) Commented:
Ok, the NIC connected to the shared office network would be the one without a default gateway (just a static IP with a subnet mask)? Or can it be either card that is set that way?
Cliff Galiher Commented:
"Is it possible to have multiple ip/gateway combinations on a computer?"

You cannot have multiple IPs and default gateways.  While you didn't call out a DEFAULT gateway in that question, it did seem implied.

You can have two NICs, or even assign multiple IP addresses to one NIC.  And you'd be able to access both local networks directly.  For VPN, as long as ONE of the two NICs can access the internet and that gateway device is configured to handle/forward the VPN traffic, you'd be good.  That gateway would also be responsible for any outbound IP traffic though (updates, etc)

I'm gonna go out on a limb and guess that you are stuck because the above is not the behavior you want though.  As, in itself, that doesn't seem too complicated.   What behavior you do want, however, was not fully described.  If you have a more complex topology than you've described then the solution may also be more complex.


With that said, I've done a lot of "shared office" where two companies are leasing the same space.  For a variety of reasons, that does not mean they should share the same wired or wireless network though.  Too many things can go wrong with rogue DHCP servers, each wanting their own domain controllers, etc.  Even in  a shared space, keeping networks separate is relatively trivial and is a low-cost low-effort investment to keep any security, legal, and ethical issues at bay that can arise on a shared infrastructure.  Making this change now could completely alleviate the problem.
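
An added illustration, not part of the thread: a small Python model of the routing table that results from the two-NIC setup described in the answers above (one NIC with a default gateway, one without). The NIC names, all addresses and the VPN client pool address are constructed assumptions; the model shows which NIC carries traffic to on-subnet hosts, VPN clients and internet hosts, and lists every NIC that holds a default route.

```python
import ipaddress

# Constructed addressing, not from the thread:
#   "office" NIC: shared office subnet, no default gateway
#   "vpn" NIC: separate firewall/ISP subnet, holds the only default gateway
INTERFACES = {
    "office": {"address": "192.168.1.50/24", "gateway": None},
    "vpn":    {"address": "10.20.0.10/24",   "gateway": "10.20.0.1"},
}

def build_routes(interfaces):
    """Return (network, next_hop, nic) routes: one on-link route per NIC
    plus a default route for each NIC that has a gateway configured."""
    routes = []
    for nic, cfg in interfaces.items():
        iface = ipaddress.ip_interface(cfg["address"])
        routes.append((iface.network, None, nic))  # directly connected
        if cfg["gateway"]:
            gw = ipaddress.ip_address(cfg["gateway"])
            if gw not in iface.network:
                raise ValueError(f"{nic}: gateway {gw} is not on {iface.network}")
            routes.append((ipaddress.ip_network("0.0.0.0/0"), gw, nic))
    return routes

def default_gateway_nics(routes):
    """NICs that carry a default route; more than one is a misconfiguration."""
    return [nic for net, hop, nic in routes if net.prefixlen == 0]

def egress(routes, destination):
    """Longest-prefix match: the (nic, next_hop) used to reach destination."""
    dest = ipaddress.ip_address(destination)
    matches = [r for r in routes if dest in r[0]]
    if not matches:
        return None  # no route: the packet is dropped
    net, hop, nic = max(matches, key=lambda r: r[0].prefixlen)
    return nic, (str(hop) if hop else "on-link")

if __name__ == "__main__":
    routes = build_routes(INTERFACES)
    print("default gateways on:", default_gateway_nics(routes))
    for label, ip in [("shared printer", "192.168.1.20"),
                      ("VPN client (pool address)", "10.99.0.5"),
                      ("update server", "203.0.113.10")]:
        print(f"{label:26} {ip:14} -> {egress(routes, ip)}")
```

In this model, moving the gateway from the "vpn" NIC to the "office" NIC makes replies to the VPN client pool leave through the shared office router instead of the firewall that terminated the VPN.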

David Barman (Author) Commented:
I agree that total separate networks would make my job easier.  However, by doing so, I would remove their access to the office wifi as well as access to the office copier for large print jobs, etc.

So that is why I am forced to have both networks on the same subnet.  I will have to rely on the shared network for DHCP and treat our server as a workgroup server.  I don't see another option.  So with this in mind, I believe my only issue will be remote access to the server.  From what I can see, I would either need a dedicated internet connection or if the shared office internet has a free static ip,  I may be able to connect a firewall to that for public access.

Cliff Galiher Commented:
Having designed a fair number of these, separating networks, even with shared resources, is fairly straightforward. CompanyA has a switch that they manage. CompanyB has a switch that they manage. And there is a third (usually small), managed switch that is managed by a neutral third party. That switch has a port for the CompanyA VLAN going to their switch. A different port for CompanyB. And trunk ports for shared resources (such as a copier and access points).

Any business device in the last 10 years supports VLANs so the copier would be accessible from both. And each company could have their own SSID on the access points, but the actual networks remain separate (nothing sent in CompanyA wifi goes to CompanyB's network and vice versa, as even the WAP will honor rebroadcasting.)

Maintaining good network posture in shared spaces is still very easy to do and is the better solution. And yes, would fully work with two ISPs (which I'd also recommend.)
David Barman (Author) Commented:
I agree with you Cliff. However, at this point I have no knowledge of how the shared space is set up and gaining access to that information at this point in time is not possible. Therefore, I am trying to implement a scenario that I know will work without relying on any specifics of the shared office network. Given that, if I simply add the second network card and tie a firewall to a separate internet connection, that should give me local as well as remote access to the server? Or am I missing something?
Jose Gabriel Ortega Castro (EE Rookie/Solution Guide/Topic Advisor and CEO Faru Bonon IT) Commented:

Yeah, the whole idea is as follows:

My main idea was to set up on a fixed but the truth is that you can't have them on the same network but you can use the shared office if you have the 2nd NIC.

You can reduce costs if you get a Fortigate 60D; this has the ability to get 2 WANs (ISP1 and ISP2) and route the traffic from the internals (2 separate internal networks) because each port is configurable, so you can set 2 DHCP, one for lan1 and the other for lan2.


Cliff Galiher Commented:
"Therefore, I am trying to implement a scenario that I know will work without relying on any specifics of the shared office network."

Without specifics of the network, logical or physical, I can't guarantee ANY topology. Or even say with mild confidence. There are other things at play that could totally break any design you try to do. That "without any specifics" is basically a black box and turns any attempt to design... or recommend... into "garbage in, garbage out." There are just too many factors that could make a good design go bad.

I have a similar scenario with 2 ISPs and 2 servers. There are 2 subnets and all computers of the network have two NICs where only one is configured for internet and the other for internal LAN services only.

atlas_shuddered (Sr. Network Engineer) Commented:
If I am understanding the question correctly, the separate network would only come into play in the event you had to drop in a second Inet connection?  In other words, you want to put a server on an internal network that is shared.  The fact that everyone on the internal network can see it isn't a problem for your customer.  They want to be able to connect to it remotely.  This is the actual problem?

If that understanding is correct then why not just place a firewall at the edge that is SSL-VPN capable, authenticate any VPN connection attempts against your internal authentication server(s) and then call it good? Maybe you have to introduce a RADIUS auth device if you want to get really crazy with the auth/permissions?
David Barman (Author) Commented:
atlas_shuddered: "place a firewall at the edge"?? Not sure what you mean.
atlas_shuddered (Sr. Network Engineer) Commented:
I am assuming that you already have a firewall between your network and the outside world, "at the edge" of your network?

Just make sure that either it has SSL VPN capability or purchase a firewall that does.

The dual LAN'ing thing can be done but I can give you a definite promise that the headaches you will buy yourself unnecessarily will haunt you for far longer than you will desire.
David Barman (Author) Commented:
Thank you all.