Re: VPN Clients and subnet, NOT the usual "255.255.255.255 subnet mask" question!
- From: "Bill Grant" <not.available@online>
- Date: Sat, 9 Sep 2006 11:35:05 +1000
To get back to a question in the original post, it was asked why you get
a 24-bit
subnet mask for your subnet route. The reason is that this mask is generated
by the client machine itself. The mask depends solely on the address it
receives. It does not get the subnet mask address from the server.
Since the subnet mask depends only on the received IP it uses the old
class rules. So if it gets a 192.168.x.y address it uses a 24-bit mask. If
it gets a 10.x.y.z address it uses an 8-bit mask. As Phillip said this is
old stuff. It was a bit different in NT/W98. There is a description of the
differences in KB 254231.
Phillip Windell wrote:
"snowdog_2112" <dkiernan@xxxxxxxxxxxxxxxxxxx> wrote in message
news:1157733394.261766.159970@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I was thinking the "use default gateway" option was not as good
because it forces *all* of the traffic from the VPN client out my
Internet connection.
No. It forces all traffic not destined to your personal machine's
own local subnet through the VPN. That's not quite the same thing
although it may seem subtile.
I have 3rd party people in, and I don't want to be
providing Internet access for them -- what if they are VPN'd in and
download porn over my connection?
That is up to you to not allow that to happen. See below.
Isn't it safer to just have them access my network over the VPN
connection and use the internet out their own connection (split
tunnel, so to speak)?
The design is meant to protect the network being "VPN'ed" into. It is
not to protect the local personal machine. You fool around on the Net
independently,..get infected with something,...spead it to the LAN you
VPN'ed into. By forcing the non-local traffic over the VPN, the
remote LAN you connect to is able to filter your evil browsing habits
using whatever product or means they have in place to do that. For
example,...if you VPN into our system I can completely prevent you
from browsing the Internet totally if I wish,...problem solved.
Remember that even if you have a proxy server configured in your
Browser's "LAN/Connection" settings,...these will be ignored while
the VPN is active. VPN is a "dialup" technology,...if you look in the
browser settings you will see the VPN and other Dialup Connections if
they exist. If you look at the "Settings" of each one you will find
that they each have their own independent proxy settings,...so if you
VPN into my system you have to assign proxy setting to that
particular VPN Connectiod and would have to use my proxy and fall
under the restrictions that I set on that proxy. The "use remote
gateway" prevents you from "sidestepping" my proxy and going to the
Internet intependently and possibly speading some infection to me.
However unchecking that box causes you to not get anywhere on my LAN
beyond the particular subnet the you "dialed into". Hence some
Admins have specific small subnets that accept the VPN dialins but
leave the user "trapped" there if the "use remote gateway" is not
enabled.
BTW - This is all "old stuff". Back in the days when dialup was
popular this all worked the same way. VPN is just a new form of
Dialup and falls under the same principles.
.
- References:
- Prev by Date: Re: Cannot Access server Via \\name on by IP
- Next by Date: Re: DHCP Scope Change and Remote Access
- Previous by thread: Re: VPN Clients and subnet, NOT the usual "255.255.255.255 subnet mask" question!
- Next by thread: Odd IE Problem
- Index(es):
Relevant Pages
|
|
