Re: VPN routing from NAT to NAT
From: Jeffrey Randow (MVP) (jeffreyr-support_at_remotenetworktechnology.com)
Date: 05/02/04
- Next message: Jeffrey Randow (MVP): "Re: more than one users remote desktop"
- Previous message: pro50mustang: "Re: routing and remote access errors"
- In reply to: Bob: "Re: VPN routing from NAT to NAT"
- Next in thread: Bob: "Re: VPN routing from NAT to NAT"
- Reply: Bob: "Re: VPN routing from NAT to NAT"
Date: Sat, 01 May 2004 23:28:14 -0500
See below...
In summary, if you are willing to lose all LAN connectivity while on
the VPN, you can perhaps coexist on the same subnet.. However, all
internet accesses, etc., will go over the VPN link, not directly out
of your computer...
Jeffrey Randow (Windows Net. & Smart Display MVP)
jeffreyr-support@remotenetworktechnology.com
Please post all responses to the newsgroups for the benefit
of all USENET users. Messages sent via email may or may not
be answered depending on time availability....
Remote Networking Technology Support Site -
http://www.remotenetworktechnology.com
Windows XP Expert Zone - http://www.microsoft.com/windowsxp/expertzone
On Sat, 01 May 2004 06:14:02 GMT, spam@spam.com (Bob) wrote:
>On Fri, 30 Apr 2004 21:15:19 -0500, "Jeffrey Randow (MVP)"
><jeffreyr-support@remotenetworktechnology.com> wrote:
>
>>Also, on the Linksys - if you change the IP Address of the router to
>>192.168.2.1 (or 192.16.3.1, etc), it will then change your allowable
>>DHCP range to that subnet... But you must change the LAN IP address
>>of the router first...
>
>I am not willing to experiment so I will have to take your word for
>it, but what you are saying is that the Linksys BEFSR41 has a dynamic
>web server embedded in it - that is, the content of the DHCP page (in
>particular the text relating the allowed range of IP addresses) is
>dependent on the value chosen for the LAN subnet. Incredible.
>
Browse to the Router's admin interface... On the main config page,
you can change the LAN IP Address of the router.. If you want, you
can change it to 192.168.2.x, or whatever... Let the router reboot,
and then release and renew the IP address for your computer (ipconfig
/release and ipconfig /renew). The router will then assign you an
address on the new LAN network (i.e., 192.168.2.x)... Every router I
have seen offers this ability, so I don't understand why this is an
issue.
>>Your machine is 192.168.1.10 and another computer in your local
>>network is 192.168.1.20 with a router at address 192.168.1.1...
>
>>Now let's say you connect to a VPN that has a server at 192.168.1.150
>
>Which LAN is that referenced to? I assume it is referenced to the LAN
>that the VPN server machine is on.
The private address of the VPN server is at 192.168.1.150...
Hypothetically you would connect to it through its public address....
However, once connected, you would use its private address, thus the
premise.
>
>>and that the VPN gateway address (visible when running IPCONFIG) is
>>192.168.1.200 and that you are assigned IP address 192.168.1.201
>
>>How will your computer know how to send a packet to 192.168.1.150?
>
>Why would you want to send a packet to that address? Why not send it
>to the VPN address of that machine, namely, 192.168.1.200? In fact, if
>NetBIOS is behaving properly (which is only sometimes), then you can
>address the VPN server machine by its NetBIOS name.
>
>My son has his machine set up as 192.168.1.10 on his LAN and I have
>mine set up the same way on my LAN. When I connect to his VPN server,
>which he configured for address range 192.168.1.100-200, his machine
>is 192.168.1.100. I don't know anything about his machine's address on
>his LAN because that involves his Ethernet adapter which is hidden
>from me.
>
>What you seem to be leaving out of your analysis is the bindings of
>the various IP addresses to different adapters. Both his machine and
>mine have two adapters - a "Local Area Connection" (LAN) adapter and a
>VPN adapter. When we send packets to one another, we are doing it over
>the VPN adapters, not the LAN adapters. My machine knows nothing about
>the network associated with his LAN adapter, and therefore there is no
>subnet conflict.
>
I'm not missing that... The metrics determine which route to take..
If you are both using the same private network for your LANs, how will
your machine know whether to send the packet over the local network or
over the VPN (name resolution notwithstanding)? The only legitimate
way to do this is to set up a routing path for the appropriate
computers.
>>Packets sent to the 192.168.1.0 network are sent without routing
>>(using local interface)...
>
>That is not true. Packets sent to 192.168.1.100 will be sent to the
>VPN adapter, because that address is now bound to the VPN adapter and
>not the LAN adapter.
It is true if you have "Use the Default Gateway on the Remote Network"
unchecked like most users do... However, if you redefine the default
gateway to the remote network, you lose LAN connectivity.. This may
be what you are seeing...
>
>> Now if you add a VPN with a similar
>>network, you will add an alternate route for the 192.168.1.0 network,
>>this time with the remote VPN server as the gateway..
>
>and with the VPN adapter connected to that gateway, not the LAN
>adapter.
Again, depends on your settings... Most users won't have this since
they will have disabled the Use the Default Gateway on the Remote
Network option.
>
>> At this point,
>>only the metric will control which one controls...
>
>The control is in the bindings. How that is accomplished is something
>only Microsoft knows.
No, the control you are talking about is in the selection of a new
default gateway.
>
>>This is not an ideal way to function...
>
>Tell that to Microsoft. And while you are at it, tell them to fix
>NetBIOS, which apparently is being confused with all this.
NetBIOS is not a problem... However, they are trying to move away
from NetBIOS to a pure TCP/IP network... However, I am not sure how
they are going to accomplish this without scrapping SMB.
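
The route-selection argument in this message, worked through as an added example that is not part of the original post. It is a simplified model (longest prefix first, then lowest metric), not a dump of how Windows builds its table; the interface names, metric values and the 198.51.100.7 internet address are constructed for illustration.

```python
import ipaddress

def pick_route(table, dest):
    """Return the interface chosen for dest: longest prefix, then lowest metric."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in table if addr in ipaddress.ip_network(r[0])]
    if not matches:
        return None
    best = min(matches,
               key=lambda r: (-ipaddress.ip_network(r[0]).prefixlen, r[2]))
    return best[1]

# Constructed route tables: (prefix, interface, metric).
# Both LANs use 192.168.1.0/24 and the VPN route has the better metric:
OVERLAP_VPN_WINS = [
    ("0.0.0.0/0", "LAN", 20),
    ("192.168.1.0/24", "LAN", 20),
    ("192.168.1.0/24", "VPN", 1),
]
# Same overlap, but the LAN route has the better metric:
OVERLAP_LAN_WINS = [
    ("0.0.0.0/0", "LAN", 20),
    ("192.168.1.0/24", "LAN", 20),
    ("192.168.1.0/24", "VPN", 50),
]
# "Set up a routing path for the appropriate computers": a /32 host route.
HOST_ROUTE = OVERLAP_LAN_WINS + [("192.168.1.150/32", "VPN", 1)]
# Local router renumbered to 192.168.2.1, so the subnets no longer overlap.
RENUMBERED = [
    ("0.0.0.0/0", "LAN", 20),
    ("192.168.2.0/24", "LAN", 20),
    ("192.168.1.0/24", "VPN", 1),
]

def summarize(table, dests):
    """Map each destination to the interface the table selects for it."""
    return {d: pick_route(table, d) for d in dests}

if __name__ == "__main__":
    for name, table, dests in [
        ("overlap, VPN metric wins", OVERLAP_VPN_WINS, ["192.168.1.150", "192.168.1.20"]),
        ("overlap, LAN metric wins", OVERLAP_LAN_WINS, ["192.168.1.150", "192.168.1.20"]),
        ("overlap + host route", HOST_ROUTE, ["192.168.1.150", "192.168.1.20"]),
        ("renumbered LAN", RENUMBERED,
         ["192.168.1.150", "192.168.2.20", "198.51.100.7"]),
    ]:
        print(name, summarize(table, dests))
```

With overlapping /24 routes the metric sends the whole subnet one way, so either the local peer or the remote server is cut off; the host route or the renumbered LAN removes the tie.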