Keep router while testing
Hello,
In order to preserve users from testing I'd like to know if I can build a VPN connection without removing my current routers. The goal is to remove them once everything is OK.
I think it is possible if I use a different IP address map than the actual one ( 192.168.0.xyz/255.255.255.0 ) because B3 uses 192.168.10.xyz
(I only have to take care of static IPs for servers)
This way it seems to be possible to switch the entire LAN only by changing DHCP server settings
Could you please confirm ?
Regards
Re: Keep router while testing
Are you planning to set up a VPN to or from the B3?
Re: Keep router while testing
Of course, I will test OpenVPN
Re: Keep router while testing
Well, I have connected my first B3 this way:
ISP router <- WAN B3 LAN -> lan switch
x.x.x.254 <- x.x.x.253 / x.x.x.252 ->
(mask 255.255.255.0)
and configured it as Router+Firewall+server
So now a Debian PC (static address) is fully functional with this B3 as gateway (x.x.x.252)!
We have a professional ISP and we cannot remove their box(!). So we have to set the B3 as a second gateway on our LAN.
OpenVPN server is set on this B3 and I am currently setting a second B3 as client and testing it from another site. Ports TCP 22 & UDP 1194 have been redirected by the ISP on their box (LAN x.x.x.254) to point to the B3 WAN address x.x.x.253
Is it possible to set DHCP reservation on a B3? (for servers and printers)
The goal is to set a new network addressing on our whole LAN without service interruption as soon as the VPN connection is OK.
Then we will connect B3s to Active Directory, share printers and servers ...
We cannot have any server on our 2 sites, only at headquarters so B3 will be set as DC
(Yes, I like challenges !)
Laurent.
Re: Keep router while testing
That is not an answer to the question...
Re: Keep router while testing
I'm not sure if I understand this correctly, but if you put multiple routers on the same wire they will compete amongst each other. This can lead to very unexpected results with DHCP clients, especially if you use different network ranges and masks. Either use a fully independent network (wired or wifi) or at least disable the DHCP server in the B3. For testing purposes there should be no need to place the B3 in a different network range - just change the router setting on the client that you want to test with.
Re: Keep router while testing
If I understand the setup then the routers are not competing, but the B3 is placed in between the ISP router and the LAN (i.e. the ISP is connected to WAN on the B3, and the switch is connected to the LAN port on the B3).
Re: Keep router while testing
You're right !
Both ISP router & B3 LAN ports are connected to a LAN switch. B3 WAN is on another ISP router LAN eth plug (it has 4). So the B3 acts as an intermediate GW just to receive VPN connections, switched on port 1194 by the ISP router.
In the agencies, I don't know if I can connect the B3 directly between ISP router and LAN to manage both VPN and standard internet connection or if I have to do the same as above and define a different route to access the headquarters public IP (ISP WAN) ...
Re: Keep router while testing
So what you're saying is that I'm wrong (and Gordon is right!)! You do have both the B3 and the ISP router in parallel directly to the switch. On top of that you have the WAN port of the B3 connected to another port of the ISP router. That sounds a bit like a recipe for disaster, but apparently it does not crash. I'd first follow Gordon's advice before starting the VPN adventure.
Am I correct in understanding that the thing you are actually trying to do is connect the remote B3s together so that it looks like they are on the same subnet?
Re: Keep router while testing
Actually I'm not. As it appears he has the WAN and the LAN side of the B3 both connected to the same physical network. While possible, by *logically* separating the two networks (I think that was the original question), this is highly inadvisable. Like I said, the main issue in this case will be the DHCP offerings. In terms of operability it is also a lot less easy to manually change a full IP configuration (consisting of at least IP, netmask, DNS, router) than changing what router you want to use either as default or for specific targets.
My advice is that if you want to lose the ISP router, you should start with that. Adding the VPN later should normally not disturb regular routing (or if it does can be as easily reversed) and as a rule will also be simpler to configure (specifically if attempting to use ipsec). If for some reason you can't get rid of the ISP router (e.g. I can't - and because the ISP fubar-ed their router I even have the B3 piggybacking my home network on top of my work VPN router which is in turn connected to the ISP router) just cascade them and put everybody on the LAN side of the B3.
Re: Keep router while testing
That would probably work, except for netmasks.
The smallest netmask you can choose here is /30 (i.e. 255.255.255.252) to include 254 and 253 in the WAN network. This means that you cannot use 252 on the LAN side, because this is the netnumber (i.e. 0) for the WAN network. Theoretically you might be able to choose 250 as the highest available number on the range below (251 will be the broadcast address on that range), but then this range can also not hold more than two addresses because any larger range would overlap with the 252 net range.
In either case this will require you to set a fixed address and netmask on the B3 WAN side. I'd suggest you choose a netmask of /25 (i.e. 255.255.255.128) and set the LAN address at x.y.z.126 (again, 127 is the broadcast address in this case). This will define routing inside the B3 and allow workstations in the range x.y.z.1-125 and netmask /24 to choose either the B3 or the main router for outbound packages. Do note though that in this case the B3 on the LAN side cannot participate in protocols that require using the broadcast address.
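The subnet arithmetic in the post above can be checked with Python's `ipaddress` module. This is an added example, not part of the original thread: `192.168.0.` is an assumed stand-in for the x.y.z prefix, and the helper names are hypothetical.

```python
import ipaddress as ip

BASE = "192.168.0."  # assumed stand-in for the thread's x.y.z prefix

def iface(last_octet, plen):
    """Interface address x.y.z.<last_octet>/<plen>."""
    return ip.ip_interface(f"{BASE}{last_octet}/{plen}")

def smallest_shared_net(a, b):
    """Longest-prefix network in which both a and b are usable host addresses."""
    hosts = (ip.ip_address(f"{BASE}{a}"), ip.ip_address(f"{BASE}{b}"))
    for plen in range(30, 0, -1):
        net = iface(a, plen).network
        reserved = (net.network_address, net.broadcast_address)
        if all(h in net and h not in reserved for h in hosts):
            return net
    return None

def check_split(wan, lan):
    """Return the reasons a WAN/LAN interface pair cannot be routed between."""
    problems = []
    if wan.network.overlaps(lan.network):
        problems.append("WAN and LAN networks overlap")
    for net in (wan.network, lan.network):
        if lan.ip == net.network_address:
            problems.append(f"LAN address is the network number of {net}")
        elif lan.ip == net.broadcast_address:
            problems.append(f"LAN address is the broadcast address of {net}")
    return problems

def broadcast_mismatch(host, router):
    """True when the host's broadcast address differs from the router interface's."""
    return host.network.broadcast_address != router.network.broadcast_address

if __name__ == "__main__":
    # ISP router .254 and B3 WAN .253 need at least a /30.
    print("WAN net:", smallest_shared_net(253, 254))
    # Setup from the thread: B3 LAN on .252 with mask 255.255.255.0.
    print("252 on LAN:", check_split(iface(253, 30), iface(252, 24)))
    # Fallback range below the WAN net: .250/30 works but holds two hosts only.
    lan = iface(250, 30)
    print("250/30:", check_split(iface(253, 30), lan),
          "usable hosts:", lan.network.num_addresses - 2)
    print("250/29 overlaps WAN:", iface(250, 29).network.overlaps(iface(253, 30).network))
    # Suggested plan: B3 LAN at .126/25, WAN side in the upper /25.
    print("126/25:", check_split(iface(253, 25), iface(126, 25)))
    # Workstations keep /24, so their broadcast (.255) is not the B3 LAN's (.127).
    print("broadcast mismatch:", broadcast_mismatch(iface(10, 24), iface(126, 25)))
```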