
paolini

join:2003-07-26
Boca Raton, FL

Optimal IP/SubNet/VPN Settings for Home Office PPTP VPN

Hello and thanks in advance for reviewing my post.

I travel extensively and need to connect to my home network from time to time ("Dooh! Forgot critical Powerpoint!"). I am partway through the installation of my PPTP VPN and wonder if I can be choosing my settings in a more optimal way.

I am using a Motorola cable modem connected to a 2011 Apple Airport Extreme Time Machine Router. Downstream from this router are two others - a 2nd Airport Express (other side of the house, purely for coverage) and a Linksys WRT610N using DD-WRT.

I have the main AEX using DHCP in the range 10.0.1.0-199 and no DHCP on the second AEX. I have some fixed IPs (printer, server, etc.) in the range 10.0.1.200-209. I have all incoming ports forwarded by default to the DD-WRT, currently located at 10.0.1.201. Subnet mask on the AEX is 255.255.255.0.

The 2nd AEX has most features, especially DHCP, turned off, and is basically just a 2nd radio.

My DD-WRT is running DynDNS and is properly resolving my defined URL to the dynamic IP provided by my cable operator. I currently have DHCP enabled on DD-WRT in the range 192.168.1.100-149 (mainly for testing within the DD-WRT mini-LAN) and PPTP Server enabled with 10 IPs assignable in the range 192.168.1.90-99. Subnet mask is 255.255.255.0.

I can connect to the PPTP Server using the URL in DynDNS from both computers outside the LAN (e.g. at coffeeshop) and also via Guest SSID and IP Range (172.x) on AEX units. I am properly assigned a PPTP VPN IP (192.168.1.90) and I can access the internal web server in DD-WRT (192.168.1.1).

However, after this things get a bit inconsistent. Sometimes I can connect to my fixed-IP servers (e.g. 10.0.1.200) and other times not. Sometimes I can connect to web pages on those servers but not file sharing services. I wonder if some of the inconsistency has to do with the fact that I am moving from one SSID to another and back and forth, leaving a trail of connections in my PC and also in the multi-AP LAN.

I suspect that I would be better off if the DD-WRT router was located somewhere in the AEX range of 10.0.1.x and used a subnet mask to manage the direction of traffic within the DD-WRT and up toward the AEX and rest of the network. But I'm not very experienced in sub-netting, so I'm not sure if this will help or hurt.

Or maybe I just turn off DHCP on the DD-WRT and put the PPTP range within the 10.0.1.x range of the AEX (but reduce the AEX DHCP range to avoid conflicts) and leave the subnets alone.

Any guidance?

So close (I think) I can taste it....

Thanks in advance!

eibgrad

join:2010-03-15

4 edits

My gut reaction (without delving too deeply quite yet) is to avoid multiple networks at all costs. There are VERY VERY VERY VERY few home users who need multiple networks. It just causes more problems than it's worth. The ONLY people who should be using multiple networks are those who really need the separation, say for security reasons. For example, maybe you're a landlord and want you and your tenants isolated from each other. But no one should be doing this casually. Heck, I'm a software developer by trade, have dozens of machines here, desktops/laptops/servers, use multiple VPNs, bridges, APs, and have all kinds of complex setups to manage my workday, and even *I* don't have multiple networks!

So unless you can make a good case for multiple networks, get rid of them. Stick to the one off the primary router and only use bridged networking if you want to add more routers, APs, switches, etc.

That said, I suspect the reason you're using a second network is because the DD-WRT PPTP VPN is only accessible over its WAN port, correct? FWIW, I've found dd-wrt's implementation of PPTP is not very reliable. You can find many threads on their forums about these PPTP problems. I personally have had similar problems and became so frustrated, I just decided to use a Microsoft PPTP VPN established on one of my servers. Works much better and doesn't require employing another network either (albeit, I have to have a computer running, but I'm almost always using the VPN to access a desktop/server anyway).


paolini

join:2003-07-26
Boca Raton, FL

Thanks for the great response!

You are 100% correct - I am using the DD-WRT behind the AEX router purely because I can only use the WAN port for the PPTP VPN. And I use the AEX as the main router because my family can call Apple Support or go to the local store if they have any problems with the network while I am out of town, often for weeks.

My experience with DD-WRT PPTP VPN so far has been good, but ultimately I may move to OpenVPN. Small steps, and also I rarely need more than a stray file or two. It would be different if I needed to be online for long stretches.

And alas, I don't have any spare machines (Win or Mac) that I can leave online full-time and with a static IP.

So given all of that, I think I'm generally headed in the correct direction....

My thought about using sub-netting was related to the way *I think* this stuff works: that even if my DD-WRT is in the same range as the AEX, packets will not be sent out the WAN port to the AEX unless they pass the subnet mask math. Thus I need to arrange for a 4, 8, or 16 IP address range that corresponds both to the VPN IP range and also to the proper mask. Again, *I think* this will force all traffic outside that very short range of addresses to then go out the WAN port (example: 10.0.1.1 VPN client IP tries to contact 10.0.1.200).

Not sure if I'm articulating this properly, I hope so.

Thanks in advance to the community for advice!


eibgrad

join:2010-03-15

1 edit

reply to paolini
You're correct: you MUST, in this particular case, use a different network (subnet) behind the dd-wrt router in order for routing to work properly. The fact that your current setup works at all suggests that it is configured properly. The inconsistency in accessing devices/services is harder to explain. As my first response suggests, I don't fully trust the dd-wrt pptp implementation; too finicky in my experience. Perhaps some tweaking is necessary, but I find the dd-wrt documentation somewhat "thin" in this regard.


paolini

join:2003-07-26
Boca Raton, FL

OK, great. And again thanks for the quick response.

So here's where I get confused. I think the proper approach is:

AEX Time Machine (main router)
10.0.1.1 router address
DHCP with reservations limited to .50 and below
Fixed IPs in range .51-62
Subnet mask 255.255.255.0

DD-WRT (WAN port connected to AEX above)
10.0.1.193 router address
DHCP with reservations limited to range .194-249
PPTP VPN IP assignments in range 10.0.1.250-254
Subnet mask 255.255.255.192 (creates 4 networks, .1-62, .65-126, .129-190, and .193-254)

So everything in the 10.0.1.x range stays within the AEX LAN, all other traffic goes out the AEX WAN. And everything in the range 10.0.1.193-254 stays in the DD-WRT LAN, all other traffic (like static servers ending in .51-62) goes out the DD-WRT WAN port to the AEX.

Am I correct?

Is it also true that I can expand the AEX addressable range to 10.0.1.1-190 with the exception of .63, .64, .127, and .128? For example put DHCP in 10.0.1.1-.63 and fixed servers in 10.0.1.65-126?

It seems so easy until it doesn't.....

Again, thanks in advance!
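The subnet-mask math paolini describes (a packet goes out the WAN port only when the destination fails the mask test) and the 255.255.255.192 plan above, worked through as an added example that is not part of the original thread. It uses only Python's standard ipaddress module, with the addresses and masks taken from the proposed plan; the gateway addresses .1 and .193 are the router addresses given in that plan.

```python
import ipaddress

# Addresses and masks are the ones from the plan proposed in the thread above.
AEX_MASK = "255.255.255.0"       # mask on the AEX (main router) LAN
DDWRT_MASK = "255.255.255.192"   # mask proposed for the DD-WRT LAN
AEX_GW = "10.0.1.1"
DDWRT_GW = "10.0.1.193"


def mask_to_prefix(mask: str) -> int:
    """Dotted mask (255.255.255.192) to prefix length (26)."""
    return ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen


def subnet_blocks(network_cidr: str, mask: str):
    """Split a network by a longer mask into
    (network, first_host, last_host, broadcast) tuples, one per block."""
    net = ipaddress.ip_network(network_cidr, strict=False)
    blocks = []
    for sub in net.subnets(new_prefix=mask_to_prefix(mask)):
        hosts = list(sub.hosts())
        blocks.append((str(sub.network_address), str(hosts[0]),
                       str(hosts[-1]), str(sub.broadcast_address)))
    return blocks


def reserved_addresses(network_cidr: str, mask: str):
    """Network and broadcast address of each block; not assignable to hosts."""
    return [a for n, _, _, b in subnet_blocks(network_cidr, mask) for a in (n, b)]


def next_hop(src_ip: str, src_mask: str, dst_ip: str, gateway: str) -> str:
    """Forwarding decision a host makes with its own mask: a destination inside
    the host's subnet is delivered directly on the LAN, anything else goes to
    the default gateway (on the DD-WRT, that means out its WAN port)."""
    iface = ipaddress.ip_interface(f"{src_ip}/{src_mask}")
    return "direct" if ipaddress.ip_address(dst_ip) in iface.network else gateway


if __name__ == "__main__":
    for block in subnet_blocks("10.0.1.0/24", DDWRT_MASK):
        print("network %s  hosts %s-%s  broadcast %s" % block)
    # VPN client .250 reaching fixed server .55: outside 10.0.1.192/26, so via DD-WRT
    print(next_hop("10.0.1.250", DDWRT_MASK, "10.0.1.55", DDWRT_GW))
    # The server's reply: with a /24 mask every 10.0.1.x looks on-link, so the
    # reply is not handed to any gateway.
    print(next_hop("10.0.1.55", AEX_MASK, "10.0.1.250", AEX_GW))
```

Running next_hop from both ends of a conversation is the check worth doing before committing to mixed mask lengths on one address range: each side decides with its own mask, and the two decisions need not agree.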


© 1999-2012 dslreports.com.