David Barman asked:

Connecting a server to two networks simultaneously

Is it possible to have multiple ip/gateway combinations on a computer? I have a scenario where a customer resides in a "shared" office space. They would like to install their own server. The addition of the server is not a real issue, I can install it on the same subnet as the existing network that is available to the shared office space, both wired and wireless. However, they would also like VPN access to the server remotely. That is where I am not sure how to proceed. Even if I acquire a separate internet connection and firewall and connect it to the server, how do I make the server able to be connected to both networks simultaneously so they can access it remotely via the separate internet connection/firewall combination and also be connected to the shared office subnet (when onsite) so they can have wifi or wired access to the server as well as being able to access the shared printers that are available on the shared office space network?

Any insight would be appreciated.
J0rtIT

Well, you just need 2 NICs on the server.
One connected to the regular network and the other to the other one.

The only difference would be that you have one IP set manually with a default gateway and another one with no default gateway,
since they will be connecting using the internal IP and the VPN will manage it with the firewall using the internal address, because the external address will be on the firewall (the public one).
David Barman (ASKER)

OK, the NIC connected to the shared office network would be the one without a default gateway (just a static IP with a subnet mask)? Or can it be either card that is set that way?

"Is it possible to have multiple ip/gateway combinations on a computer?"

You cannot have multiple IPs and default gateways.  While you didn't call out a DEFAULT gateway in that question, it did seem implied.

You can have two NICs, or even assign multiple IP addresses to one NIC.  And you'd be able to access both local networks directly.  For VPN, as long as ONE of the two NICs can access the internet and that gateway device is configured to handle/forward the VPN traffic, you'd be good.  That gateway would also be responsible for any outbound IP traffic though (updates, etc.)

I'm gonna go out on a limb and guess that you are stuck because the above is not the behavior you want though.  As, in itself, that doesn't seem too complicated.   What behavior you do want, however, was not fully described.  If you have a more complex topology than you've described then the solution may also be more complex.

---

With that said, I've done a lot of "shared office" where two companies are leasing the same space.  For a variety of reasons, that does not mean they should share the same wired or wireless network though.  Too many things can go wrong with rogue DHCP servers, each wanting their own domain controllers, etc.  Even in  a shared space, keeping networks separate is relatively trivial and is a low-cost low-effort investment to keep any security, legal, and ethical issues at bay that can arise on a shared infrastructure.  Making this change now could completely alleviate the problem.
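
The addressing the answers above describe (two NICs, only one of them carrying a default gateway) can be checked before it is applied. The following is an added example, not part of the thread: the NIC names and addresses are constructed, and the overlapping-subnet check is an extra that the thread does not discuss. It also shows which NIC the server would use for a given destination.

```python
import ipaddress

# Constructed sample addressing (not from the thread): NIC "office" sits on the
# shared office LAN with no gateway; NIC "vpn" faces the separate firewall.
NICS = [
    {"name": "office", "address": "192.168.1.50/24", "gateway": None},
    {"name": "vpn", "address": "10.20.0.10/24", "gateway": "10.20.0.1"},
]


def check_dual_homed(nics):
    """Return a list of problems with a two-NIC addressing plan (empty = OK)."""
    problems = []
    ifaces = [(n, ipaddress.ip_interface(n["address"])) for n in nics]
    with_gw = [(n, i) for n, i in ifaces if n["gateway"]]
    if len(with_gw) != 1:
        problems.append(f"expected exactly 1 default gateway, found {len(with_gw)}")
    for n, i in with_gw:
        # The gateway must be reachable on-link from the NIC that carries it.
        if ipaddress.ip_address(n["gateway"]) not in i.network:
            problems.append(f"{n['name']}: gateway {n['gateway']} is outside {i.network}")
    # Extra check added here: two NICs in overlapping subnets make it ambiguous
    # which interface local traffic uses.
    for idx, (n1, i1) in enumerate(ifaces):
        for n2, i2 in ifaces[idx + 1:]:
            if i1.network.overlaps(i2.network):
                problems.append(f"{n1['name']} and {n2['name']} overlap ({i1.network}, {i2.network})")
    return problems


def egress_nic(nics, dest):
    """Name of the NIC the host uses to reach dest: on-link subnet first
    (longest prefix wins), otherwise the NIC that holds the default gateway."""
    dest = ipaddress.ip_address(dest)
    on_link = [(ipaddress.ip_interface(n["address"]).network, n) for n in nics]
    on_link = [(net, n) for net, n in on_link if dest in net]
    if on_link:
        return max(on_link, key=lambda p: p[0].prefixlen)[1]["name"]
    for n in nics:
        if n["gateway"]:
            return n["name"]
    return None  # no route: off-link traffic (updates, VPN replies) is dropped


if __name__ == "__main__":
    print(check_dual_homed(NICS))
    for dest in ("192.168.1.200", "10.20.0.77", "203.0.113.9"):
        print(dest, "->", egress_nic(NICS, dest))
```
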
I agree that total separate networks would make my job easier.  However, by doing so, I would remove their access to the office wifi as well as access to the office copier for large print jobs, etc.

So that is why I am forced to have both networks on the same subnet.  I will have to rely on the shared network for DHCP and treat our server as a workgroup server.  I don't see another option.  So with this in mind, I believe my only issue will be remote access to the server.  From what I can see, I would either need a dedicated internet connection or if the shared office internet has a free static ip,  I may be able to connect a firewall to that for public access.

Thoughts?
Having designed a fair number of these, separating networks, even with shared resources, is fairly straightforward. CompanyA has a switch that they manage. CompanyB has a switch that they manage.  And there is a third (usually small), managed switch that is managed by a neutral third party.  That switch has a port for the CompanyA VLAN going to their switch. A different port for CompanyB. And trunk ports for shared resources (such as a copier and access points).

Any business device in the last 10 years supports VLANs so the copier would be accessible from both. And each company could have their own SSID on the access points, but the actual networks remain separate (nothing sent in CompanyA's wifi goes to CompanyB's network and vice versa, as even the WAP will honor rebroadcasting.)

Maintaining good network posture in shared spaces is still very easy to do and is the better solution. And yes, would fully work with two ISP's (which I'd also recommend.)

I agree with you Cliff.  However, at this point I have no knowledge of how the shared space is set up and gaining access to that information at this point in time is not possible.  Therefore, I am trying to implement a scenario that I know will work without relying on any specifics of the shared office network.  Given that, if I simply add the second network card and tie a firewall to a separate internet connection, that should give me local as well as remote access to the server? Or am I missing something?

ASKER CERTIFIED SOLUTION
J0rtIT

This solution is only available to members.

"Therefore, I am trying to implement a scenario that I know will work without relying on any specifics of the shared office network."

Without specifics of the network, logical or physical, I can't guarantee ANY topology. Or even say with mild confidence. There are other things at play that could totally break any design you try to do.  That "without any specifics" is basically a black box and turns any attempt to design... or recommend... into "garbage in, garbage out." There are just too many factors that could make a good design go bad.

I have a similar scenario with 2 ISPs and 2 servers. There are 2 subnets and all computers of the network have two NICs where only one is configured for internet and the other for internal LAN services only.

Sara
If I am understanding the question correctly, the separate network would only come into play in the event you had to drop in a second Inet connection?  In other words, you want to put a server on an internal network that is shared.  The fact that everyone on the internal network can see it isn't a problem for your customer.  They want to be able to connect to it remotely.  This is the actual problem?

If that understanding is correct then why not just place a firewall at the edge that is SSL-VPN capable, authenticate any VPN connection attempts against your internal authentication server(s) and then call it good?  Maybe you have to introduce a RADIUS auth device if you want to get really crazy with the auth/permissions?

atlas_shuddered: "place a firewall at the edge"?? Not sure what you mean.

I am assuming that you already have a firewall between your network and the outside world, "at the edge" of your network?

Just make sure that either it has SSL VPN capability or purchase a firewall that does.

The dual LAN'ing thing can be done but I can give you a definite promise that the headaches you will buy yourself unnecessarily will haunt you for far longer than you will desire.
Thank you all.