Topic: @Home, Routers, and VPN... OH MY!
Post Number: 1
jim
Asshole
Group: Members
Posts: 1208
Joined: May 2000
Posted on: Mar. 06 2001,13:09

Ok, me and several friends all use the @Home network. We all have personal networks inside our homes.

The Challenge: Create a full Windows 2000 Domain connected via VPN.

Here, http://www.microsoft.com/TechNet/win2000/vpnscen.asp
Microsoft has laid out a scenario almost equal to ours. We are creating a Persistent VPN similar to the Corporate Office with 2 branch offices connecting.

The only difference? We are all using Netgear's RT314 Cable/DSL Router/Switch as our backbone and connection to the internet, instead of using a Windows 2000 server as our gateway.

Has anyone else done this via a Router to Router VPN connection?

We have successfully created computer to server VPN connections. This works well for just playing games and stuff through a tunnel, but the goal is to have all 3 of our houses connected via VPN and function as though we are on the same LAN 24/7. I know it can be done, but it's been fucking with me! I think the RT314 may have something to do with it. Not sure though.

On a side note. Has anyone had any problems with the RT314 renewing its WAN address from @Home via DHCP????

Every 7 days I have to disjoin my computer from my domain, rename it to the stupid @Home Computer name, plug my computer directly in to the cable modem, renew the DHCP address, and then plug it back into the router, and re-join my computer to my Win2k Domain!

Major pain in the ass!!!

------------------
jim
Beauty is in the eye of the Beer Holder
Brews and Cues

Post Number: 2
askheaves
Ack!!!
Group: Members
Posts: 1955
Joined: Sep. 2000
Posted on: Mar. 06 2001,14:38

I'm horrible with networking. I'm just in a situation where I'm dealing with it blindly right now. I'll just throw some crap on the table to spur more thought.

Can you do a DHCP server from a Win2K server box? It's hella easy to configure. Or, do you need to get a specific address from the cable folks? If you can run your own subnet DNS (I'm making up words now), and your cable folks allow you to zone transfer up, then you can do your own addresses, and just tell your cable company which ones you plan to use. Does DHCP interact with DNS? Will it do exclusions based on currently taken DNS entries from elsewhere? Will their DHCP recognize that you have taken one of their addresses (by checking their DNS which you have zone transferred to) and not assign it to anyone else? Can you get by having just a subnet with a bunch of '10.' IPs?

That's all I got. I'm not going to edit because that's pretty much a print of my thought process. Hope something there catches your eye. Remember, I don't do networking. In fact, I hate it.

Post Number: 3
jim
Asshole
Group: Members
Posts: 1208
Joined: May 2000
Posted on: Mar. 06 2001,14:49

Tee hee hee... Very amusing...

Ok here's a little more detailed scenario.

We each have ONE VALID internet address from @Home. 24.?.?.? That is the WAN address for the router, which it gets through @Home's DHCP. Internally we all use private subnets.
Me: 192.168.0.?
Friend 1: 192.168.1.?
Friend 2: 192.168.2.?

We all have a Win2k Server which is a DHCP/DNS/VPN box which are all members of the same forest.

What we do is use the NAT/SUA capabilities of the router to point Port 1723 (VPN) to our internal VPN Servers.

So what I do is set up a router to router connection from my server to the WAN address of each friend's router. What this does is forward all traffic on 1723 to their router which in turn forwards those packets to their server. BAM, we have connection and I can actually ping all boxes on their network from MY SERVER!!!! NOW... If I go to my workstation and try to ping their address, my computer recognizes the fact that the address is not on my subnet, forwards the packet to my ROUTER/GATEWAY which normally would forward out to the internet. (Which is bad, since I'm pinging an invalid address)

What I've done is setup a static route to pick up all traffic from 192.168.1.? and 192.168.2.? and forward THOSE packets to my internal server.

Now here is the breakdown. My server then is functioning as a router as well. I have a static route setup to send all info directed to 192.168.1.? through the VPN interface to Friend 1's house. Similarly, I have another route setup to send 192.168.2.? through the VPN interface to friend 2's house.

What happens is I get a destination host unknown.

BUT!!! If I take every one of my boxes and connect individually to either friend's VPN server, I can then ping all his boxes and he can ping all my boxes. This is cool, but we have 5 VPN connections going. It would be better to just have ONE VPN connection through my server which is persistent, and then have it route packets the way it's fucking supposed to!!!


It's not working...

------------------
jim
Beauty is in the eye of the Beer Holder
Brews and Cues

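One textbook cause of exactly this asymmetry (the VPN server can ping the far LAN, but a workstation behind it cannot) is that nothing on the far side has a route back to 192.168.0.0/24, so the echo request arrives and the echo reply goes out the friend's default route instead. The following is an added example, not code from the thread: a small longest-prefix-match routing model of jim's layout that walks the request and the reply hop by hop. The node names, the .1/.2/.10 addresses, and the 192.168.1.50 tunnel address are assumptions.

```python
import ipaddress

# Added example, not from the thread: a constructed model of two of jim's sites.
# Each house has a router (.1, default route to @Home), a Win2k VPN server (.2)
# and a workstation (.10); the VPN is a point-to-point link between the servers.
HOSTS = {
    "192.168.0.1": "jim-rt", "192.168.0.2": "jim-srv", "192.168.0.10": "jim-ws",
    "192.168.1.1": "f1-rt", "192.168.1.2": "f1-srv", "192.168.1.10": "f1-ws",
    "192.168.1.50": "jim-srv",  # tunnel address f1-srv hands jim-srv (assumed)
}

def table(*routes):
    # (prefix, next hop): a node name, "LAN" (local segment) or "INTERNET" (upstream)
    return [(ipaddress.ip_network(p), nh) for p, nh in routes]

def lookup(tbl, dst):
    matches = [r for r in tbl if dst in r[0]]  # longest-prefix match
    return max(matches, key=lambda r: r[0].prefixlen, default=None)

def forward(tables, node, dst):
    """Walk one packet hop by hop; returns (delivered?, path)."""
    dst, path = ipaddress.ip_address(dst), [node]
    for _ in range(8):
        if HOSTS.get(str(dst)) == node:
            return True, path
        route = lookup(tables[node], dst)
        hop = None if route is None else route[1]
        if hop == "LAN":
            hop = HOSTS.get(str(dst))  # nobody answers ARP -> unreachable
        if hop in (None, "INTERNET"):  # a private address sent upstream is lost
            return False, path + [hop or "unreachable"]
        node = hop
        path.append(node)
    return False, path + ["loop"]

def ping(tables, src_ip, dst_ip):
    """A ping succeeds only if the request AND the reply can be routed."""
    ok_there, p1 = forward(tables, HOSTS[src_ip], dst_ip)
    ok_back, p2 = forward(tables, HOSTS[dst_ip], src_ip)
    return ok_there and ok_back, p1, p2

# jim's configuration as posted: his router and server know 192.168.1.0/24,
# but nothing on Friend 1's side knows the way back to 192.168.0.0/24
JIM_ONLY = {
    "jim-ws":  table(("192.168.0.0/24", "LAN"), ("0.0.0.0/0", "jim-rt")),
    "jim-rt":  table(("192.168.0.0/24", "LAN"), ("192.168.1.0/24", "jim-srv"), ("0.0.0.0/0", "INTERNET")),
    "jim-srv": table(("192.168.0.0/24", "LAN"), ("192.168.1.0/24", "f1-srv"), ("0.0.0.0/0", "jim-rt")),
    "f1-srv":  table(("192.168.1.0/24", "LAN"), ("0.0.0.0/0", "f1-rt")),
    "f1-rt":   table(("192.168.1.0/24", "LAN"), ("0.0.0.0/0", "INTERNET")),
    "f1-ws":   table(("192.168.1.0/24", "LAN"), ("0.0.0.0/0", "f1-rt")),
}
# the fix: mirror the static routes on Friend 1's router and VPN server
WITH_RETURN = dict(JIM_ONLY)
WITH_RETURN["f1-rt"] = table(("192.168.1.0/24", "LAN"), ("192.168.0.0/24", "f1-srv"), ("0.0.0.0/0", "INTERNET"))
WITH_RETURN["f1-srv"] = table(("192.168.1.0/24", "LAN"), ("192.168.0.0/24", "jim-srv"), ("0.0.0.0/0", "f1-rt"))
```

With JIM_ONLY, a ping sourced from the server's tunnel address stays inside 192.168.1.0/24 both ways and works, while a ping from the workstation is delivered but its reply is sent up the friend's default route and lost; WITH_RETURN makes both directions route.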
Post Number: 4
cr0bar
FNG
Group: Members
Posts: 733
Joined: May 2000
Posted on: Mar. 06 2001,16:18

IMHO, this is accomplished more easily and more elegantly using vpnd and Linux.
It's too bad you purchased the Netgear Cable/DSL router. It really sucks, no two ways about it. The Linksys would've been a better choice. However, try manually specifying your hostname and domain name, as these are sometimes required by the @home DHCP servers in order to grant you an IP address (which is why you might be having to do that trick every 7 days). For instance, every @home IP has a prefix like C456239-a and then the rest of the domain, such as chicago1.il.home.com (I don't know if that's a real @home domain, but that's the format).
Of course, if you switch to using Linux boxes for your VPN, then you can ditch the shitty Netgear device and use IP Masq, which accomplishes pretty much the same thing. If you're joining 3 networks, you'll want to run two instances of vpnd at each site, since by nature it's a point-to-point encrypted tunnel.

p.s. I don't know if you knew this but @home assigns you an IP based on the hostname info mentioned above. Every @home account has at least 1 IP that never changes. You don't need to use their crappy DHCP servers. Just make sure you write down the other important info that they give you thru DHCP, such as your gateway and DNS servers, and then specify all that crap manually.

Post Number: 5
jim
Asshole
Group: Members
Posts: 1208
Joined: May 2000
Posted on: Mar. 06 2001,16:55

Hmmmmmmmm, not sure why you prefer the Linksys over the netgear, unless you just like the HTTP interface. Me. I'm used to programming routers for a living. Sorta, I don't do that presently.

But the Netgear allows me to do a pure command line interface with the router to setup complex filters and advanced features well outside of the scope of the Linksys.

Just for the record my 2 friends actually use the Linksys, it just wasn't worth mentioning at the time.

I guess everyone has their own opinion though. and I'm just a command line junkie. I still add users accounts in NT through the command line.

Anyway. Yes, I'm aware of the host name and domain name, and everything is set correctly. But as I also understand, their DHCP looks at the Windows workgroup for @Home, something that can not be programmed into the router.

Also, interestingly enough, in the command line interface of the router if I do a 'sys date' the router reports that it is Sat 1/1/2000

I had this problem in the old days of computer imaging, of taking a new computer that had never been booted, applying an image, and then it failing to connect to the network upon booting. Stumped me forever, but then I called Microsoft Premier and they had me reset the date/time on the PC. Then all of a sudden it worked!!! I just can't remember if the date was in the future or the past. I suspect this may be the problem, and I've opened a case with Netgear to fix this shit!!!

As far as the VPN stuff goes, I'm pretty determined to be in a full Windows 2000 domain, using only Microsoft Products. It's good experience, and I'm not Linux savvy nor do I ever plan to be.

Oh, I also tried spoofing the MAC with my router with no luck, and I did try manual setting. I was able to ping the WAN address, the GATEWAY, but NOT the DNS SERVERS or any other static address I could think of to try and ping... Not sure why the manual stuff is not working. Oh, and I should mention that it does work with the manual addresses so long as the DHCP lease is not expired. Once I release the address through 'ipconfig /release' it'll stop working!

------------------
jim
Beauty is in the eye of the Beer Holder
Brews and Cues

Post Number: 6
cr0bar
FNG
Group: Members
Posts: 733
Joined: May 2000
Posted on: Mar. 06 2001,19:06

The Linksys does have advanced routing and filtering capabilities. It can also redirect to internal IPs by port, and supports having a DMZ host.

I also love how you claim to be a command-line junkie but swear by Microsoft products :-)

I guess it's your choice, but as a UNIX advocate I do contend that if you want true power in a command line, you won't find it with MS.

Post Number: 7
jim
Asshole
Group: Members
Posts: 1208
Joined: May 2000
Posted on: Mar. 06 2001,19:30

So you use no Microsoft products I guess?

People can bitch all they want about how bad Microsoft is. But that's all it is.... Bitching!

As of right now, I could ditch the router and use Win2k to act as my gateway, (in much the same way you are talking about using vpnd)

You need to read the reviews comparing the 2 routers, the performance on the Netgear is way above the Linksys. People's biggest complaint about the Netgear is the lack of a fully HTTP interface. Which is something I can certainly live without.

The linksys does have NAT/SUA and SOME filtering options. But none of these options are standard to normal router formats of layering access lists. The Netgear allows filters to be applied in layers executed in order.

It goes down the list and if it meets an access granted condition the traffic goes through, whereas the second it meets an access denied it is punched. This method is much more efficient for filtering packets as it allows the router not to have to perform so many actions on all traffic.

Let me just put it this way.

The netgear does everything that the linksys does, and then some.

------------------
jim
Beauty is in the eye of the Beer Holder
Brews and Cues

Post Number: 8
cr0bar
FNG
Group: Members
Posts: 733
Joined: May 2000
Posted on: Mar. 06 2001,19:40

I use Win2K as my desktop OS. Nothing else is as mature for x86 hardware. For servers, I think it ridiculous to use Microsoft software. It may be bitching, but I think stability and security are valid things to bitch about.

Take the old detnet server, for instance. Damn thing ran for 200+ days and served hundreds of gigabytes without so much as a hiccup. In fact, the only reason I had to reboot it was when a route failed and I figured the box had crashed, so I called them up and told them to reboot it. They did so, but then I realized that if I had just waited a bit, things would've been back to normal. I know some NT boxes can last that long, but they're the exception, not the rule.

UNIX philosophy is also centered around the command line, whereas MS's design philosophy seems to be to wrap a GUI around a less-than-functional CLI. Granted MS products are far easier to get started on, but I truly believe one reaches a point where they 'graduate' to UNIX.

I'm going to leave it at that rather than start a flame war. If there's anything I hate more than Windows, it's OS zealots. I try to advocate UNIX without being a zealot.

Post Number: 9
jim
Asshole
Group: Members
Posts: 1208
Joined: May 2000
Posted on: Mar. 06 2001,20:14

It's a shame if that's going to be your last post, because I'm not a zealot by any means. I can see a place for both UNIX and LINUX. Just not in a business environment.

I don't see the purpose of running Win2k as a desktop without taking full advantage of what a FULL Win2k domain coupled with active directory has to offer. I don't see how you COULDN'T see that.

I happen to run Web Servers for a living, and all are on the NT platform. I've never done a UNIX/LINUX one, so I have little to compare with. People seem to think that getting IIS up and running is a breeze, but because of the security/stability issues you mentioned it's so much more than that. It's actually fun! I can see a place for the GUI. I love the command line since it's so much easier (for me at least) to do a CTRL-ALT-C (My shortcut to a command prompt) and type in a command than it is to go Start -> Settings -> Control Panel, search for the Icon or whatever... You get the picture.

BUT, as far as configuring goes. Nothing beats a GUI. I tried setting up Apache for Win32. Going through countless lines of linear text to setup options was a bitch! It down right SUCKED! The Windows Registry is a marvel! You get complete control, yet everything is laid out in a logical format via folders. Not scrolling through linear text.

A properly configured Windows Domain with all its options for Group Policies, User Policies, its newly reformatted DNS method of Name Resolution. It's also great that you can set up a User, the User's Email Address, and apply them to a role. From that role ALL the user's access rights to File Shares, SQL Servers, Internet Access, Remote VPN access, even down to the desktop icons, wallpapers, and even links in their Internet Explorer favorites can be set for them. Simply by Entering their Name.

Now what is to complain about that?

To me LINUX takes away the Workgroup portion of a business. It tears away at all the wonderful things that come with integration. And let's not forget support. Because there isn't any. None that is standard at least.

Plus, although I think Open Source is a cool idea, it can lead to a nightmare in a business environment.

I can't stress enough how well Microsoft Products (Implemented Correctly) work in an Enterprise level corporation...

(ps, you'd think that someone that 'claims' to be all about UNIX would jump at the telnet features of the RT314 )

Please sell me on LINUX. I really don't know all that much about it. I do know ALL Microsoft Products inside and out. I've currently completed about.... Oh shit... I don't know, tons of their tests, from Server to Workstation, from NT 4 to 2000, IIS to SQL... I love it. It works! I can't find a reason not to like them. So help me out here.

------------------
jim
Beauty is in the eye of the Beer Holder
Brews and Cues

Post Number: 10
jim
Asshole
Group: Members
Posts: 1208
Joined: May 2000
Posted on: Mar. 06 2001,20:18

quote:
Originally posted by cr0bar:
Take the old detnet server, for instance. Damn thing ran for 200+ days and served hundreds of gigabytes without so much as a hiccup

This was a dedicated box correct?

In the year I've been working with Sabre, none of our 25+ dedicated boxes have ever gone down without someone purposely rebooting as a result of a patch/sp/or something similar.

Our shared servers are a different story. 600+ webs per box running hundreds of poorly written ASP applications, plus poorly written COM objects. We also have damn people who think it's acceptable to run a 10+ Gig Website managed by FrontPage 97! GRRRRRRRRRRRRRRRRRRR!!!!

------------------
jim
Beauty is in the eye of the Beer Holder
Brews and Cues

25 replies since Mar. 06 2001,13:09 (Page 1 of 3)