VPN routing from NAT to NAT

Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

I am in a local network which connects via a router (192.168.1.1) to the internet.
I have set up a VPN connection to another local network via VPN on my PC and the connection is working.
On my local network I have PCs from 192.168.1.100 to 192.168.1.255, and the other network to which I connect has the same PCs and also a router on 192.168.1.1.
When I connect to services and PCs, my computer connects to the local resources.
How can I tell my XP to connect to certain PCs and resources via the VPN connection and not use the LAN?
Do I have to use "route"? How?
  1. Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

    Typically you would want to setup a different subnet for clients when connecting via a VPN. That is
    configured on the VPN server end. Then you could use a 'hosts' file to map the remote PCs to their
    local LAN IP addresses. See how I setup a PPTP VPN server on one of my XP Pro boxes. Note the use of
    a different subnet for clients in the configuration. In your case ignore references to the
    PocketPC...

    http://members.cox.net/ajarvi/WM2003/WM2003PPTPVPN.html

    For a sample hosts file look at this page...

    http://members.cox.net/ajarvi/LAN/The_Illustrated_Network.html

    --
    Al Jarvi (MS-MVP Windows Networking)

    Please post *ALL* questions and replies to the news group for the mutual benefit of all of us...
    The MS-MVP Program - http://mvp.support.microsoft.com
    This posting is provided "AS IS" with no warranties, and confers no rights...

    "Mikel" <anonymous@discussions.microsoft.com> wrote in message
    news:3ADD42FF-4843-4368-9B34-03E7C09EEA48@microsoft.com...
    >i am in a local network which connects via router (192.168.1.1) to internet.
    > i have set up a vpn connection to another local network via vpn on my pc and the connection is
    > working.
    > on my local network i have pc´s from 192.168.1.100 to 192.168.1.255 and on the other network to
    > which i connect does have the same pc´s and also a router on 192.168.1.1.
    > when i connect to services and pc´s my computer connects to the local resources.
    > how can i tell my xp to connect to certain pc´s and resources via the vpn connection and to not
    > use the lan ?
    > do i have to use "route" ? how ?
  2. Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

    I forgot to mention that since both networks are using the same addressing range, then it's possible
    aliases mapped to network names may still result in incorrect routing, even with a hosts file. If you
    control both networks can you change one to something other than the 192.168.1.X subnet?

    --
    Al Jarvi (MS-MVP Windows Networking)

    Please post *ALL* questions and replies to the news group for the mutual benefit of all of us...
    The MS-MVP Program - http://mvp.support.microsoft.com
    This posting is provided "AS IS" with no warranties, and confers no rights...

    "Sooner Al" <SoonerAl@somewhere.net.invalid> wrote in message
    news:eehbIH8KEHA.3292@TK2MSFTNGP11.phx.gbl...
    > Typically you would want to setup a different subnet for clients when connecting via a VPN. That
    > is configured on the VPN server end. Then you could use a 'hosts' file to map the remote PCs to
    > their local LAN IP addresses. See how I setup a PPTP VPN server on one of my XP Pro boxes. Note
    > the use of a different subnet for clients in the configuration. In your case ignore references to
    > the PocketPC...
    >
    > http://members.cox.net/ajarvi/WM2003/WM2003PPTPVPN.html
    >
    > For a sample hosts file look at this page...
    >
    > http://members.cox.net/ajarvi/LAN/The_Illustrated_Network.html
    >
    > --
    > Al Jarvi (MS-MVP Windows Networking)
    >
    > Please post *ALL* questions and replies to the news group for the mutual benefit of all of us...
    > The MS-MVP Program - http://mvp.support.microsoft.com
    > This posting is provided "AS IS" with no warranties, and confers no rights...
    >
    > "Mikel" <anonymous@discussions.microsoft.com> wrote in message
    > news:3ADD42FF-4843-4368-9B34-03E7C09EEA48@microsoft.com...
    >>i am in a local network which connects via router (192.168.1.1) to internet.
    >> i have set up a vpn connection to another local network via vpn on my pc and the connection is
    >> working.
    >> on my local network i have pc´s from 192.168.1.100 to 192.168.1.255 and on the other network to
    >> which i connect does have the same pc´s and also a router on 192.168.1.1.
    >> when i connect to services and pc´s my computer connects to the local resources.
    >> how can i tell my xp to connect to certain pc´s and resources via the vpn connection and to not
    >> use the lan ?
    >> do i have to use "route" ? how ?
    >
  3. Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

    You would definitely want to re-subnet your networks... The easiest
    way to do this is to make one 192.168.x.0, where x is any number from
    0-254 other than 1. Or you can get a new subnet mask and split apart
    the 192.168.1.x network into multiple subnets (much harder).

    The alternative is to hardcode routes to the specific IP addresses of
    the computers you want to connect to with the "route" command...

    Jeffrey Randow (Windows Net. & Smart Display MVP)
    jeffreyr-support@remotenetworktechnology.com

    Please post all responses to the newsgroups for the benefit
    of all USENET users. Messages sent via email may or may not
    be answered depending on time availability....

    Remote Networking Technology Support Site -
    http://www.remotenetworktechnology.com
    Windows XP Expert Zone - http://www.microsoft.com/windowsxp/expertzone

    On Mon, 26 Apr 2004 11:11:08 -0700, "Mikel"
    <anonymous@discussions.microsoft.com> wrote:

    >i am in a local network which connects via router (192.168.1.1) to internet.
    >i have set up a vpn connection to another local network via vpn on my pc and the connection is working.
    >on my local network i have pc´s from 192.168.1.100 to 192.168.1.255 and on the other network to which i connect does have the same pc´s and also a router on 192.168.1.1.
    >when i connect to services and pc´s my computer connects to the local resources.
    >how can i tell my xp to connect to certain pc´s and resources via the vpn connection and to not use the lan ?
    >do i have to use "route" ? how ?
  4. Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

    On Tue, 27 Apr 2004 00:09:07 -0500, "Jeffrey Randow (MVP)"
    <jeffreyr-support@remotenetworktechnology.com> wrote:

    >You would definitely want to re-subnet your networks... The easiest
    >way to do this is to make one 192.168.x.0, where x is any number from
    >0-254 other than 1. Or you can get a new subnet mask and split apart
    >the 192.168.1.x network into multiple subnets (much harder).
    >
    >The alternative is to hardcode routes to the specific IP addresses of
    >the computers you want to connect to with the "route" command...

    You do not have to do any of that. You are overly complicating what
    amounts to a simple fix, at least in the case of PPTP. In fact, with
    the very popular Linksys BEFSR41 router, you can't have two different
    subnets. The subnet is hardcoded to 192.168.1.X

    All you have to do is separate the subnet into two address regions,
    one for the LAN Adapter and one for the VPN Adapter.

    For example, I set LAN IP addresses below 192.168.1.100 and VPN IP
    addresses from 192.168.1.100 - 192.168.1.200. All addresses on my
    networks are static, so I never have a conflict. But if you want to
    use DHCP for assigning LAN IP addresses, just limit the range in the
    router to the address region for the LAN. I also set up the VPN Client
    to ask for a specific address in the range above 192.168.1.100. PPTP
    assigns 192.168.1.100 to the VPN Server since it is the first of the
    VPN Adapter range.

    Now I can use the HOSTS table, or set up windows that map to raw IP
    addresses, because those addresses never change. For those who might
    not be aware of how to set up access windows, go to Start|Run and type
    in the NetBIOS name in the form of a raw IP address. For example, if
    the VPN Server is 192.168.1.100,

    Start
    Run \\192.168.1.100



    will spawn a window showing all the shares on the VPN Server. You can
    shortcut that window and keep it on your Desktop for later use. It
    will always be valid since the VPN Server address will always be the
    same from one session to the next.


    --

    Map Of The Vast Right Wing Conspiracy:
    http://www.freewebs.com/vrwc/

    "You can all go to hell, and I will go to Texas."
    --David Crockett
  5. Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

    Only problem is that how you would need to configure the routing
    script so it will determine that posts sent to your local network go
    to its gateway and posts to the remote network goes to the VPN
    server... That's why it is easier to set up on different IP address
    schemes... Most routers (including the Linksys) will allow you
    specify a different network address (i.e., when I had a Linksys, I
    configured it to use 192.168.3.x since my office network is
    192.168.2.x and I accessed another network on 192.168.1.x)...


    Jeffrey Randow (Windows Net. & Smart Display MVP)
    jeffreyr-support@remotenetworktechnology.com

    Please post all responses to the newsgroups for the benefit
    of all USENET users. Messages sent via email may or may not
    be answered depending on time availability....

    Remote Networking Technology Support Site -
    http://www.remotenetworktechnology.com
    Windows XP Expert Zone - http://www.microsoft.com/windowsxp/expertzone

    On Tue, 27 Apr 2004 13:06:25 GMT, spam@spam.com (Bob) wrote:

    >On Tue, 27 Apr 2004 00:09:07 -0500, "Jeffrey Randow (MVP)"
    ><jeffreyr-support@remotenetworktechnology.com> wrote:
    >
    >>You would definitely want to re-subnet your networks... The easiest
    >>way to do this is to make one 192.168.x.0, where x is any number from
    >>0-254 other than 1. Or you can get a new subnet mask and split apart
    >>the 192.168.1.x network into multiple subnets (much harder).
    >>
    >>The alternative is to hardcode routes to the specific IP addresses of
    >>the computers you want to connect to with the "route" command...
    >
    >You do not have to do any of that. You are overly complicating what
    >amounts to a simple fix, at least in the case of PPTP. In fact, with
    >the very popular Linksys BEFSR41 router, you can't have two different
    >subnets. The subnet is hardcoded to 192.168.1.X
    >
    >All you have to do is separate the subnet into two address regions,
    >one for the LAN Adapter and one for the VPN Adapter.
    >
    >For example, I set LAN IP addresses below 192.168.1.100 and VPN IP
    >addresses from 192.168.1.100 - 192.168.1.200. All addresses on my
    >networks are static, so I never have a conflict. But if you want to
    >use DHCP for assigning LAN IP addresses, just limit the range in the
    >router to the address region for the LAN. I also set up the VPN Client
    >to ask for a specific address in the range above 192.168.1.100. PPTP
    >assigns 192.168.1.100 to the VPN Server since it is the first of the
    >VPN Adapter range.
    >
    >Now I can use the HOSTS table, or set up windows that map to raw IP
    >addresses, because those addresses never change. For those who might
    >not be aware of how to set up access windows, go to Start|Run and type
    >in the NetBIOS name in the form of a raw IP address. For example, if
    >the VPN Server is 192.168.1.100,
    >
    >Start
    >Run \\192.168.1.100
    >
    >
    >
    >will spawn a window showing all the shares on the VPN Server. You can
    >shortcut that window and keep it on your Desktop for later use. It
    >will always be valid since the VPN Server address will always be the
    >same from one session to the next.
  6. Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

    On Thu, 29 Apr 2004 19:55:29 -0500, "Jeffrey Randow (MVP)"
    <jeffreyr-support@remotenetworktechnology.com> wrote:

    >Only problem is that how you would need to configure the routing
    >script

    What "routing script"? Windows takes care of all that for the user.
    This isn't UNIX.

    >so it will determine that posts sent to your local network go
    >to its gateway and posts to the remote network goes to the VPN
    >server... That's why it is easier to set up on different IP address
    >schemes...

    Posts sent by whom? What posts are you talking about?

    >Most routers (including the Linksys) will allow you
    >specify a different network address (i.e., when I had a Linksys, I
    >configured it to use 192.168.3.x since my office network is
    >192.168.2.x and I accessed another network on 192.168.1.x)...

    I have the Linksys BEFSR41. I am looking in the DHCP page in the
    router's administration interface. The "Starting IP Address" is
    hardcoded for the first 3 bytes: 192.168.1 You get to specify only the
    last byte.

    How you managed to talk the Linksys into a different address range is
    beyond me.


    --

    Map Of The Vast Right Wing Conspiracy:
    http://www.freewebs.com/vrwc/

    "You can all go to hell, and I will go to Texas."
    --David Crockett
  7. Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

    Not when you are on the same subnet.. Take a look at what "route
    print" gives you...

    Also, on the Linksys - if you change the IP Address of the router to
    192.168.2.1 (or 192.16.3.1, etc), it will then change your allowable
    DHCP range to that subnet... But you must change the LAN IP address
    of the router first...

    by posts, I am meaning packets...

    Hypothetical example:

    Your machine is 192.168.1.10 and another computer in your local
    network is 192.168.1.20 with a router at address 192.168.1.1...

    Now lets say you connect to a VPN that has a server at 192.168.1.150
    and that the VPN gateway address (visible when running IPCONFIG) is
    192.168.1.200 and that you are assigned IP address 192.168.1.201

    How will your computer know how to send a packet to 192.168.1.150?

    For example, a route print on my laptop is:
    Active Routes:
    Network Destination  Netmask          Gateway        Interface      Metric
    0.0.0.0              0.0.0.0          192.168.1.1    192.168.1.150  20
    127.0.0.0            255.0.0.0        127.0.0.1      127.0.0.1      1
    192.168.1.0          255.255.255.0    192.168.1.150  192.168.1.150  20
    192.168.1.150        255.255.255.255  127.0.0.1      127.0.0.1      20
    192.168.1.255        255.255.255.255  192.168.1.150  192.168.1.150  20
    224.0.0.0            240.0.0.0        192.168.1.150  192.168.1.150  20
    255.255.255.255      255.255.255.255  192.168.1.150  3              1
    255.255.255.255      255.255.255.255  192.168.1.150  2              1
    255.255.255.255      255.255.255.255  192.168.1.150  192.168.1.150  1
    Default Gateway:     192.168.1.1

    Packets sent to the 192.168.1.0 network are sent without routing
    (using local interface)... Now if you add a VPN with a similar
    network, you will add an alternate route for the 192.168.1.0 network,
    this time with the remote VPN server as the gateway.. At this point,
    only the metric will control which one controls... This is not an
    ideal way to function...

    Jeffrey Randow (Windows Net. & Smart Display MVP)
    jeffreyr-support@remotenetworktechnology.com

    Please post all responses to the newsgroups for the benefit
    of all USENET users. Messages sent via email may or may not
    be answered depending on time availability....

    Remote Networking Technology Support Site -
    http://www.remotenetworktechnology.com
    Windows XP Expert Zone - http://www.microsoft.com/windowsxp/expertzone

    On Fri, 30 Apr 2004 13:30:27 GMT, spam@spam.com (Bob) wrote:

    >On Thu, 29 Apr 2004 19:55:29 -0500, "Jeffrey Randow (MVP)"
    ><jeffreyr-support@remotenetworktechnology.com> wrote:
    >
    >>Only problem is that how you would need to configure the routing
    >>script
    >
    >What "routing script"? Windows takes care of all that for the user.
    >This isn't UNIX.
    >
    >>so it will determine that posts sent to your local network go
    >>to its gateway and posts to the remote network goes to the VPN
    >>server... That's why it is easier to set up on different IP address
    >>schemes...
    >
    >Posts sent by whom? What posts are you talking about?
    >
    >>Most routers (including the Linksys) will allow you
    >>specify a different network address (i.e., when I had a Linksys, I
    >>configured it to use 192.168.3.x since my office network is
    >>192.168.2.x and I accessed another network on 192.168.1.x)...
    >
    >I have the Linksys BEFSR41. I am looking in the DHCP page in the
    >router's administration interface. The "Starting IP Address" is
    >hardcoded for the first 3 bytes: 192.168.1 You get to specify only the
    >last byte.
    >
    >How you managed to talk the Linksys into a different address range is
    >beyond me.
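
Added example, not part of any post in this thread: a simplified Python model of route selection (longest prefix first, then lowest metric) using the addresses from the hypothetical in post 7. It shows why two 192.168.1.0/24 routes leave only the metric to decide, and how a host route of the kind suggested in post 3 separates the two paths. The interface labels, the VPN metrics and the 203.0.113.5 test address are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: str
    interface: str  # label only: "LAN" or "VPN" (assumed names)
    metric: int


def make_route(cidr, gateway, interface, metric):
    return Route(ipaddress.IPv4Network(cidr), gateway, interface, metric)


def select_route(table, destination):
    """Pick the most specific matching route; break ties with the lowest metric."""
    addr = ipaddress.IPv4Address(destination)
    candidates = [r for r in table if addr in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))


def egress(table, destination):
    """Return the interface label a packet to `destination` would leave on."""
    chosen = select_route(table, destination)
    return chosen.interface if chosen else None


def overlapping_table(vpn_metric):
    """Client 192.168.1.10 behind router 192.168.1.1, connected to a VPN whose
    gateway is 192.168.1.200 (addresses from the hypothetical in post 7).
    LAN metric 20 matches the printed table; vpn_metric is an assumption."""
    return [
        make_route("0.0.0.0/0", "192.168.1.1", "LAN", 20),
        make_route("192.168.1.0/24", "192.168.1.10", "LAN", 20),
        make_route("192.168.1.0/24", "192.168.1.200", "VPN", vpn_metric),
    ]


def add_host_routes(table, hosts, vpn_gateway="192.168.1.200"):
    """Model of: route add <host> mask 255.255.255.255 <vpn_gateway>
    A /32 is more specific than either /24, so it wins regardless of metric."""
    return table + [make_route(f"{h}/32", vpn_gateway, "VPN", 1) for h in hosts]


def range_to_prefixes(first, last):
    """Express an address range (such as a 100-200 VPN pool) as CIDR prefixes,
    which is what explicit routes for that range would have to cover."""
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))


if __name__ == "__main__":
    lan_peer, vpn_server, outside = "192.168.1.20", "192.168.1.150", "203.0.113.5"

    for label, table in [
        ("VPN /24 metric 30 (LAN preferred)", overlapping_table(30)),
        ("VPN /24 metric 1 (VPN preferred)", overlapping_table(1)),
        ("VPN /24 metric 30 + host route", add_host_routes(
            overlapping_table(30), [vpn_server])),
    ]:
        print(label)
        for dest in (lan_peer, vpn_server, outside):
            print(f"  {dest:15} -> {egress(table, dest)}")

    print("192.168.1.100-200 as prefixes:")
    for net in range_to_prefixes("192.168.1.100", "192.168.1.200"):
        print(f"  {net}")
```

The model covers only prefix length and metric; it does not reproduce any other behaviour of the Windows XP or Windows 2000 network stack.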
  8. Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

    On Fri, 30 Apr 2004 21:15:19 -0500, "Jeffrey Randow (MVP)"
    <jeffreyr-support@remotenetworktechnology.com> wrote:

    >Also, on the Linksys - if you change the IP Address of the router to
    >192.168.2.1 (or 192.16.3.1, etc), it will then change your allowable
    >DHCP range to that subnet... But you must change the LAN IP address
    >of the router first...

    I am not willing to experiment so I will have to take your word for
    it, but what you are saying is that the Linksys BEFSR41 has a dynamic
    web server embedded in it - that is, the content of the DHCP page (in
    particular the text relating the allowed range of IP addresses) is
    dependent on the value chosen for the LAN subnet. Incredible.

    >Your machine is 192.168.1.10 and another computer in your local
    >network is 192.168.1.20 with a router at address 192.168.1.1...

    >Now lets say you connect to a VPN that has a server at 192.168.1.150

    Which LAN is that referenced to? I assume it is referenced to the LAN
    that the VPN server machine is on.

    >and that the VPN gateway address (visible when running IPCONFIG) is
    >192.168.1.200 and that you are assigned IP address 192.168.1.201

    >How will your computer know how to send a packet to 192.168.1.150?

    Why would you want to send a packet to that address? Why not send it
    to the VPN address of that machine, namely, 192.168.1.200? In fact, if
    NetBIOS is behaving properly (which is only sometimes), then you can
    address the VPN server machine by its NetBIOS name.

    My son has his machine set up as 192.168.1.10 on his LAN and I have
    mine set up the same way on my LAN. When I connect to his VPN server,
    which he configured for address range 1920168.1.100-200, his machine
    is 192.168.1.100. I don't know anything about his machine's address on
    his LAN because that involves his Ethernet adapter which is hidden
    from me.

    What you seem to be leaving out of your analysis is the bindings of
    the various IP addresses to different adapters. Both his machine and
    mine have two adapters - a "Local Area Connection" (LAN) adapter and a
    VPN adapter. When we send packets to one another, we are doing it over
    the VPN adapters, not the LAN adapters. My machine knows nothing about
    the network associated with his LAN adapter, and therefore there is no
    subnet conflict.

    >Packets sent to the 192.168.1.0 network are sent without routing
    >(using local interface)...

    That is not true. Packets sent to 192.168.1.100 will be sent to the
    VPN adapter, because that address is now bound to the VPN adapter and
    not the LAN adapter.

    > Now if you add a VPN with a similar
    >network, you will add an alternate route for the 192.168.1.0 network,
    >this time with the remote VPN server as the gateway..

    and with the VPN adapter connected to that gateway, not the LAN
    adapter.

    > At this point,
    >only the metric will control which one controls...

    The control is in the bindings. How that is accomplished is something
    only Microsoft knows.

    >This is not an ideal way to function...

    Tell that to Microsoft. And while you are at it, tell them to fix
    NetBIOS, which apparently is being confused with all this.


    --

    Map Of The Vast Right Wing Conspiracy:
    http://www.freewebs.com/vrwc/

    "You can all go to hell, and I will go to Texas."
    --David Crockett
  9. Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

    See below...

    In summary, if you are willing to lose all LAN connectivity while on
    the VPN, you can perhaps coexist on the same subnet.. However, all
    internet accesses, etc., will go over the VPN link, not directly out
    of your computer...

    Jeffrey Randow (Windows Net. & Smart Display MVP)
    jeffreyr-support@remotenetworktechnology.com

    Please post all responses to the newsgroups for the benefit
    of all USENET users. Messages sent via email may or may not
    be answered depending on time availability....

    Remote Networking Technology Support Site -
    http://www.remotenetworktechnology.com
    Windows XP Expert Zone - http://www.microsoft.com/windowsxp/expertzone

    On Sat, 01 May 2004 06:14:02 GMT, spam@spam.com (Bob) wrote:

    >On Fri, 30 Apr 2004 21:15:19 -0500, "Jeffrey Randow (MVP)"
    ><jeffreyr-support@remotenetworktechnology.com> wrote:
    >
    >>Also, on the Linksys - if you change the IP Address of the router to
    >>192.168.2.1 (or 192.16.3.1, etc), it will then change your allowable
    >>DHCP range to that subnet... But you must change the LAN IP address
    >>of the router first...
    >
    >I am not willing to experiment so I will have to take your word for
    >it, but what you are saying is that the Linksys BEFSR41 has a dynamic
    >web server embedded in it - that is, the content of the DHCP page (in
    >particular the text relating the allowed range of IP addresses) is
    >dependent on the value chosen for the LAN subnet. Incredible.
    >

    Browse to the Router's admin interface... On the main config page,
    you can change the LAN IP Address of the router.. If you want, you
    can change it to 192.168.2.x, or whatever... Let the router reboot,
    and then release and renew the IP address for your computer (ipconfig
    /release and ipconfig /renew). The router will then assign you an
    address on the new LAN network (i.e., 192.168.2.x)... Every router I
    have seen offers this ability, so I don't understand why this is an
    issue.

    >>Your machine is 192.168.1.10 and another computer in your local
    >>network is 192.168.1.20 with a router at address 192.168.1.1...
    >
    >>Now lets say you connect to a VPN that has a server at 192.168.1.150
    >
    >Which LAN is that referenced to? I assume it is referenced to the LAN
    >that the VPN server machine is on.

    The private address of the VPN server is at 192.168.1.150...
    Hypothetically you would connect to it through its public address....
    However, once connected, you would use its private address, thus the
    premise.

    >
    >>and that the VPN gateway address (visible when running IPCONFIG) is
    >>192.168.1.200 and that you are assigned IP address 192.168.1.201
    >
    >>How will your computer know how to send a packet to 192.168.1.150?
    >
    >Why would you want to send a packet to that address? Why not send it
    >to the VPN address of that machine, namely, 192.168.1.200? In fact, if
    >NetBIOS is behaving properly (which is only sometimes), then you can
    >address the VPN server machine by its NetBIOS name.
    >
    >My son has his machine set up as 192.168.1.10 on his LAN and I have
    >mine set up the same way on my LAN. When I connect to his VPN server,
    >which he configured for address range 1920168.1.100-200, his machine
    >is 192.168.1.100. I don't know anything about his machine's address on
    >his LAN because that involves his Ethernet adapter which is hidden
    >from me.
    >
    >What you seem to be leaving out of your analysis is the bindings of
    >the various IP addresses to different adapters. Both his machine and
    >mine have two adapters - a "Local Area Connection" (LAN) adapter and a
    >VPN adapter. When we send packets to one another, we are doing it over
    >the VPN adapters, not the LAN adapters. My machine knows nothing about
    >the network associated with his LAN adapter, and therefore there is no
    >subnet conflict.
    >
    I'm not missing that... The metrics determine which route to take..
    If you are both using the same private network for your LANs, how will
    your machine know whether to send the packet over the local network or
    over the VPN (name resolution notwithstanding). The only legitimate
    way to do this is to set up a routing path for the appropriate
    computers.

    >>Packets sent to the 192.168.1.0 network are sent without routing
    >>(using local interface)...
    >
    >That is not true. Packets sent to 192.168.1.100 will be sent to the
    >VPN adapter, because that address is now bound to the VPN adapter and
    >not the LAN adapter.

    It is true if you have "Use the Default Gateway on the Remote Network"
    unchecked like most users do... However, if you redefine the default
    gateway to the remote network, you lose LAN connectivity.. This may
    be what you are seeing...

    >
    >> Now if you add a VPN with a similar
    >>network, you will add an alternate route for the 192.168.1.0 network,
    >>this time with the remote VPN server as the gateway..
    >
    >and with the VPN adapter connected to that gateway, not the LAN
    >adapter.

    Again, depends on your settings... Most users won't have this since
    they will have disabled the Use the Default Gateway on the Remote
    Network option.

    >
    >> At this point,
    >>only the metric will control which one controls...
    >
    >The control is in the bindings. How that is accomplished is something
    >only Microsoft knows.

    No, the control you are talking about is in the selection of a new
    default gateway.

    >
    >>This is not an ideal way to function...
    >
    >Tell that to Microsoft. And while you are at it, tell them to fix
    >NetBIOS, which apparently is being confused with all this.

    NetBIOS is not a problem... However, they are trying to move away
    from NetBIOS to a pure TCP/IP network... However, I am not sure how
    they are going to accomplish this without scrapping SMB.
  10. Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

    On Sat, 01 May 2004 23:28:14 -0500, "Jeffrey Randow (MVP)"
    <jeffreyr-support@remotenetworktechnology.com> wrote:

    >In summary, if you are willing to lose all LAN connectivity while on
    >the VPN, you can perhaps coexist on the same subnet.. However, all
    >internet accesses, etc., will go over the VPN link, not directly out
    >of your computer...

    Wrong, at least on my setup.

    There are two Win2K machines, one named "vpnserver" at a remote
    location behind a Linksys BEFSR41 router with LAN address 192.168.1.10
    and the other named "vpnclient" at home behind a Linksys BEFSR41
    router with LAN address 192.168.1.10. I am on the home machine.

    The VPN server software is set up to allow a range of addresses
    192.168.1.100 - 192.168.1.200 and to permit the VPN client to specify
    its VPN IP address. The VPN client software is set up to ask for
    192.168.1.125. All IP addresses, both LAN and VPN are static.

    There is a third machine which is on the home LAN with static IP
    address 192.168.1.20. Its name is irrelevant.

    The home machine \\vpnclient connects to the remote machine
    \\vpnserver successfully. I look in the STATUS|Details page of the VPN
    client icon sitting in the tray. It says that the VPN server is
    192.168.1.100 and the VPN client is 192.168.1.125 - both as expected.

    I access the remote server at \\192.168.1.100 (I would use the NetBIOS
    name \\vpnserver but that is not always reliable because although I do
    have a HOSTS table entry for reasons I do not understand it does not
    always work.) I can access the machine by using:

    Start|Run|\\192.168.1.100

    RightClickDesktop|New|Shortcut|\\192.168.1.100

    The shortcut method is preferred because it leaves you with a
    permanent window to access the remote machine again later.

    OK, so far so good. I am connected to the remote machine over the VPN
    and I can access the shares on the remote machine. There is a
    directory built specifically for me to use called c:\vpnclient and I
    have full permission to use it. I create a text file and put it in
    that directory. There are also some other directories I have read-only
    permission which I can download files from. Everything works as
    expected.

    Now I try to access the local area machine on my LAN, the one with IP
    address 192.168.1.20. I use the same method of accessing shares
    described above and sure enough I have access in a window just like I
    would have when I am not connected to the VPN. Clearly I have not lost
    all LAN connectivity as you claim.

    That's because the address space in the subnet has been split into two
    regions and each region is bound to the appropriate adapter. The
    system knows where to send packets based on those bindings.

    If the IP address is below 192.168.1.100 or above 192.168.1.200, then
    the system knows to send the packets to the LAN adapter, as if there
    is no VPN.

    If the IP address is in the range 100 - 200, then the system knows to
    send the packets to the VPN adapter, in which case the system knows
    how to send them thru the VPN tunnel.

    >Browse to the Router's admin interface... On the main config page,
    >you can change the LAN IP Address of the router.. If you want, you
    >can change it to 192.168.2.x, or whatever... Let the router reboot,
    >and then release and renew the IP address for your computer (ipconfig
    >/release and ipconfig /renew). The router will then assign you an
    >address on the new LAN network (i.e., 192.168.2.x)... Every router I
    >have seen offers this ability, so I don't understand why this is an
    >issue.

    It's not an issue. It's something I was never aware of because I never
    played with it. But thanks for the heads up - it is useful to know.

    >I'm not missing that... The metrics determine which route to take..

    OK, let's ask this question.

    What if I set up the VPN server and the VPN client so that the allowed
    range of addresses is 192.168.2.100 - 192.168.2.200 and the particular
    client address is 192.168.2.125, but I do not change anything else. I
    do not change the router, I do not change the LAN parameters - I just
    change the VPN parameters.

    What would happen then?

    Presumably I would get a conflict because when I connect the
    \\vpnclient machine to the \\vpnserver's LAN thru the VPN tunnel, it
    becomes a member of the \\vpnserver's LAN. Therefore it would seem
    that it needs the same subnet. Nevertheless I will experiment with
    that when I get time.

    In the meantime, I can access the machine on my LAN and the machine on
    the VPN at the same time without any problems other than the usual
    trouble with using NetBIOS names, which is a Win2K problem because
    there is no place in the VPN software to enable NetBIOS like there is
    in the VPN for XP.


    --

    Map Of The Vast Right Wing Conspiracy:
    http://www.freewebs.com/vrwc/

    "You can all go to hell, and I will go to Texas."
    --David Crockett
  11.

    Post your routing table... If you are accessing machines using the
    VPN gateway, which is what you are saying is happening, you will not
    be able to access local machines (on the same subnet) without at least
    a timeout...

    The point is that this is a convoluted solution and the best option is
    to not operate on the same subnet if at all possible.

    Trying your scenario on a Virtual PC setup does not work in my case
    when I have the Use the default gateway option set - I have
    connectivity to the VPN environment, but not to my local LAN... With
    the default gateway disabled, I have access to the LAN, but no VPN
    access.


    Jeffrey Randow (Windows Net. & Smart Display MVP)
    jeffreyr-support@remotenetworktechnology.com

    Please post all responses to the newsgroups for the benefit
    of all USENET users. Messages sent via email may or may not
    be answered depending on time availability....

    Remote Networking Technology Support Site -
    http://www.remotenetworktechnology.com
    Windows XP Expert Zone - http://www.microsoft.com/windowsxp/expertzone

    On Sun, 02 May 2004 21:00:55 GMT, spam@spam.com (Bob) wrote:

    >On Sat, 01 May 2004 23:28:14 -0500, "Jeffrey Randow (MVP)"
    ><jeffreyr-support@remotenetworktechnology.com> wrote:
    >
    >>In summary, if you are willing to lose all LAN connectivity while on
    >>the VPN, you can perhaps coexist on the same subnet.. However, all
    >>internet accesses, etc., will go over the VPN link, not directly out
    >>of your computer...
    >
    >Wrong, at least on my setup.
    >
    >There are two Win2K machines, one named "vpnserver" at a remote
    >location behind a Linksys BEFSR41 router with LAN address 192.168.1.10
    >and the other named "vpnclient" at home behind a Linksys BEFSR41
    >router with LAN address 192.168.1.10. I am on the home machine.
    >
    >The VPN server software is set up to allow a range of addresses
    >192.168.1.100 - 192.168.1.200 and to permit the VPN client to specify
    >its VPN IP address. The VPN client software is set up to ask for
    >192.168.1.125. All IP addresses, both LAN and VPN are static.
    >
    >There is a third machine which is on the home LAN with static IP
    >address 192.168.1.20. Its name is irrelevant.
    >
    >The home machine \\vpnclient connects to the remote machine
    >\\vpnserver successfully. I look in the STATUS|Details page of the VPN
    >client icon sitting in the tray. It says that the VPN server is
    >192.168.1.100 and the VPN client is 192.168.1.125 - both as expected.
    >
    >I access the remote server at \\192.168.1.100 (I would use the NetBIOS
    >name \\vpnserver but that is not always reliable because although I do
    >have a HOSTS table entry for reasons I do not understand it does not
    >always work.) I can access the machine by using:
    >
    >Start|Run|\\192.168.1.100
    >
    >RightClickDesktop|New|Shortcut|\\192.168.1.100
    >
    >The shortcut method is preferred because it leaves you with a
    >permanent window to access the remote machine again later.
    >
    >OK, so far so good. I am connected to the remote machine over the VPN
    >and I can access the shares on the remote machine. There is a
    >directory built specifically for me to use called c:\vpnclient and I
    >have full permission to use it. I create a text file and put it in
    >that directory. There are also some other directories I have read-only
    >permission which I can download files from. Everything works as
    >expected.
    >
    >Now I try to access the local area machine on my LAN, the one with IP
    >address 192.168.1.20. I use the same method of accessing shares
    >described above and sure enough I have access in a window just like I
    >would have when I am not connected to the VPN. Clearly I have not lost
    >all LAN connectivity as you claim.
    >
    >That's because the address space in the subnet has been split into two
    >regions and each region is bound to the appropriate adapter. The
    >system knows where to send packets based on those bindings.
    >
    >If the IP address is below 192.168.1.100 or above 192.168.1.200, then
    >the system knows to send the packets to the LAN adapter, as if there
    >is no VPN.
    >
    >If the IP address is in the range 100 - 200, then the system knows to
    >send the packets to the VPN adapter, in which case the system knows
    >how to send them thru the VPN tunnel.
    >
    >>Browse to the Router's admin interface... On the main config page,
    >>you can change the LAN IP Address of the router.. If you want, you
    >>can change it to 192.168.2.x, or whatever... Let the router reboot,
    >>and then release and renew the IP address for your computer (ipconfig
    >>/release and ipconfig /renew). The router will then assign you an
    >>address on the new LAN network (i.e., 192.168.2.x)... Every router I
    >>have seen offers this ability, so I don't understand why this is an
    >>issue.
    >
    >It's not an issue. It's something I was never aware of because I never
    >played with it. But thanks for the heads up - it is useful to know.
    >
    >>I'm not missing that... The metrics determine which route to take..
    >
    >OK, let's ask this question.
    >
    >What if I set up the VPN server and the VPN client so that the allowed
    >range of addresses is 192.168.2.100 - 192.168.2.200 and the particular
    >client address is 192.168.2.125, but I do not change anything else. I
    >do not change the router, I do not change the LAN parameters - I just
    >change the VPN parameters.
    >
    >What would happen then?
    >
    >Presumably I would get a conflict because when I connect the
    >\\vpnclient machine to the \\vpnserver's LAN thru the VPN tunnel, it
    >becomes a member of the \\vpnserver's LAN. Therefore it would seem
    >that it needs the same subnet. Nevertheless I will experiment with
    >that when I get time.
    >
    >In the meantime, I can access the machine on my LAN and the machine on
    >the VPN at the same time without any problems other than the usual
    >trouble with using NetBIOS names, which is a Win2K problem because
    >there is no place in the VPN software to enable NetBIOS like there is
    >in the VPN for XP.
  12.

    On Sun, 02 May 2004 21:23:02 -0500, "Jeffrey Randow (MVP)"
    <jeffreyr-support@remotenetworktechnology.com> wrote:

    >Post your routing table...

    +++++
    Interface List
    0x1... MS TCP Loopback interface
    0x2...00 50 04 d9 4f 6a...3Com EtherLink PCI
    0x4000004...00 53 45 00 00 00...WAN (PPP/SLIP) Interface
    Active Routes:
    0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.10 1
    x.x.x.x 255.255.255.255 192.168.1.1 192.168.1.10 1
    127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
    192.168.1.0 255.255.255.0 192.168.1.10 192.168.1.10 1
    192.168.1.0 255.255.255.0 192.168.1.125 192.168.1.125 1
    192.168.1.10 255.255.255.255 127.0.0.1 127.0.0.1 1
    192.168.1.125 255.255.255.255 127.0.0.1 127.0.0.1 1
    192.168.1.255 255.255.255.255 192.168.1.10 192.168.1.10 1
    192.168.1.255 255.255.255.255 192.168.1.125 192.168.1.125 1
    224.0.0.0 224.0.0.0 192.168.1.10 192.168.1.10 1
    224.0.0.0 224.0.0.0 192.168.1.125 192.168.1.125 1
    255.255.255.255 255.255.255.255 192.168.1.10 192.168.1.10 1
    Default Gateway: 192.168.1.1
    Persistent Routes: None
    +++++

    I had to remove the spaces so it would not wrap.

    >If you are accessing machines using the
    >VPN gateway, which is what you are saying is happening, you will not
    >be able to access local machines (on the same subnet) without at least
    >a timeout...

    There is no timeout. I can access the VPN machine and the LAN machine
    right away. I go to Start Run, which already has the two addresses
    from previous use. I click on one and a window opens immediately. I
    click on the other and a window opens immediately. No timeout, at
    least none apparent to me. Admittedly, there is a small hesitation
    when I access the VPN machine, but I attribute that to the fact that
    it is a remote machine and not on my 100BaseTX LAN.

    >The point is that this is a convoluted solution and the best option is
    >to not operate on the same subnet if at all possible.

    I am really trying to discover why you are saying that, but I am
    unable because every time you make a claim, it isn't that way - at
    least not as I see it. You claim I can't access the LAN machine, yet I
    am able to. You claim there will be a timeout, yet there isn't any.

    >Trying your scenario on a Virtual PC setup does not work in my case
    >when I have the Use the default gateway option set - I have
    >connectivity to the VPN environment, but not to my local LAN... With
    >the default gateway disabled, I have access to the LAN, but no VPN
    >access.

    I have no earthly idea what you just said.

    You did not answer my earlier question:

    What if I set up the VPN server and the VPN client so that the allowed
    range of addresses is 192.168.2.100 - 192.168.2.200 and the particular
    client address is 192.168.2.125, but I do not change anything else. I
    do not change the router, I do not change the LAN parameters - I just
    change the VPN parameters.

    What would happen then?

    Presumably I would get a conflict because when I connect the
    \\vpnclient machine to the \\vpnserver's LAN thru the VPN tunnel, it
    becomes a member of the \\vpnserver's LAN. Therefore it would seem
    that it needs the same subnet. Nevertheless I will experiment with
    that when I get time.


    --

    Map Of The Vast Right Wing Conspiracy:
    http://www.freewebs.com/vrwc/

    "You can all go to hell, and I will go to Texas."
    --David Crockett
  13.

    On Sun, 02 May 2004 21:23:02 -0500, "Jeffrey Randow (MVP)"
    <jeffreyr-support@remotenetworktechnology.com> wrote:

    >Post your routing table... If you are accessing machines using the
    >VPN gateway, which is what you are saying is happening, you will not
    >be able to access local machines (on the same subnet) without at least
    >a timeout...
    >
    >The point is that this is a convoluted solution and the best option is
    >to not operate on the same subnet if at all possible.
    >
    >Trying your scenario on a Virtual PC setup does not work in my case
    >when I have the Use the default gateway option set - I have
    >connectivity to the VPN environment, but not to my local LAN... With
    >the default gateway disabled, I have access to the LAN, but no VPN
    >access.

    >Jeffrey Randow (Windows Net. & Smart Display MVP)
    >jeffreyr-support@remotenetworktechnology.com
    >
    >Please post all responses to the newsgroups for the benefit
    >of all USENET users. Messages sent via email may or may not
    >be answered depending on time availability....

    I posted responses to this post, but I have not seen your reply.


    --

    Map Of The Vast Right Wing Conspiracy:
    http://www.freewebs.com/vrwc/

    "You can all go to hell, and I will go to Texas."
    --David Crockett
  14.

    You have two routes to the 192.168.1.0 network using different
    gateways... This is not standard internet design... The only reason I
    think you are connecting to the 192.168.1.125 gateway is that it is
    listed last (but this is just a thought).

    If it works for you, then leave it the way it is.. However, if one
    wants to properly set up a TCPIP network, then it should be segmented
    and subnetted properly...

    For more reference, see:
    http://www.draytek.co.uk/support/vpn_check.html
    http://www.chicagotech.net/routing.htm
    http://www.unixathome.org/adsl/archives/2001_11/0061.html
    http://groups.google.com/groups?q=vpn+subnet+same+as+local+LAN&hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=CQpS7.4513%24ED6.745080%40typhoon.neo.rr.com&rnum=4
    http://groups.google.com/groups?q=vpn+subnet+same+as+local+LAN&start=10&hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=useEwEp1BHA.2800%40tkmsftngp07&rnum=14

    All I am saying is that this is not best practice for other users to
    follow unless they are willing to deal with the ramifications and the
    potential problems that could pop up.. Many have posted here for the
    last three years (or since the end of the XP beta when these
    newsgroups went live) who have had problems that were fixed the moment
    they changed their local IP network to something different than the
    office network.

    In an ideal world, we would not have this discussion - this is a
    limitation that NAT firewall devices and routers have foisted upon us.
    NAT causes many of the issues that we have to strive to work around in
    these discussions.

    VPN connections are finicky depending on your exact network
    configurations (i.e., NetBIOS over TCP enabled, presence of WINS
    Servers, presence of DNS servers, whether you use PPTP or L2TP,
    default gateways on remote networks, etc.). One solution doesn't fit
    all cases. I have office users I support running different patch
    levels of Windows XP who each get different VPN experiences when
    connecting to my office network.


    Jeffrey Randow (Windows Net. & Smart Display MVP)
    jeffreyr-support@remotenetworktechnology.com

    Please post all responses to the newsgroups for the benefit
    of all USENET users. Messages sent via email may or may not
    be answered depending on time availability....

    Remote Networking Technology Support Site -
    http://www.remotenetworktechnology.com
    Windows XP Expert Zone - http://www.microsoft.com/windowsxp/expertzone

    On Mon, 03 May 2004 06:20:13 GMT, spam@spam.com (Bob) wrote:

    >On Sun, 02 May 2004 21:23:02 -0500, "Jeffrey Randow (MVP)"
    ><jeffreyr-support@remotenetworktechnology.com> wrote:
    >
    >>Post your routing table...
    >
    >+++++
    >Interface List
    >0x1... MS TCP Loopback interface
    >0x2...00 50 04 d9 4f 6a...3Com EtherLink PCI
    >0x4000004...00 53 45 00 00 00...WAN (PPP/SLIP) Interface
    >Active Routes:
    >0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.10 1
    >x.x.x.x 255.255.255.255 192.168.1.1 192.168.1.10 1
    >127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
    >192.168.1.0 255.255.255.0 192.168.1.10 192.168.1.10 1
    >192.168.1.0 255.255.255.0 192.168.1.125 192.168.1.125 1
    >192.168.1.10 255.255.255.255 127.0.0.1 127.0.0.1 1
    >192.168.1.125 255.255.255.255 127.0.0.1 127.0.0.1 1
    >192.168.1.255 255.255.255.255 192.168.1.10 192.168.1.10 1
    >192.168.1.255 255.255.255.255 192.168.1.125 192.168.1.125 1
    >224.0.0.0 224.0.0.0 192.168.1.10 192.168.1.10 1
    >224.0.0.0 224.0.0.0 192.168.1.125 192.168.1.125 1
    >255.255.255.255 255.255.255.255 192.168.1.10 192.168.1.10 1
    >Default Gateway: 192.168.1.1
    >Persistent Routes: None
    >+++++
    >
    >I had to remove the spaces so it would not wrap.
    >
    >>If you are accessing machines using the
    >>VPN gateway, which is what you are saying is happening, you will not
    >>be able to access local machines (on the same subnet) without at least
    >>a timeout...
    >
    >There is no timeout. I can access the VPN machine and the LAN machine
    >right away. I go to Start Run, which already has the two addresses
    >from previous use. I click on one and a window opens immediately. I
    >click on the other and a window opens immediately. No timeout, at
    >least none apparent to me. Admittedly, there is a small hesitation
    >when I access the VPN machine, but I attribute that to the fact that
    >it is a remote machine and not on my 100BaseTX LAN.
    >
    >>The point is that this is a convoluted solution and the best option is
    >>to not operate on the same subnet if at all possible.
    >
    >I am really trying to discover why you are saying that, but I am
    >unable because every time you make a claim, it isn't that way - at
    >least not as I see it. You claim I can't access the LAN machine, yet I
    >am able to. You claim there will be a timeout, yet there isn't any.
    >
    >>Trying your scenario on a Virtual PC setup does not work in my case
    >>when I have the Use the default gateway option set - I have
    >>connectivity to the VPN environment, but not to my local LAN... With
    >>the default gateway disabled, I have access to the LAN, but no VPN
    >>access.
    >
    >I have no earthly idea what you just said.
    >
    >You did not answer my earlier question:
    >
    >What if I set up the VPN server and the VPN client so that the allowed
    >range of addresses is 192.168.2.100 - 192.168.2.200 and the particular
    >client address is 192.168.2.125, but I do not change anything else. I
    >do not change the router, I do not change the LAN parameters - I just
    >change the VPN parameters.
    >
    >What would happen then?
    >
    >Presumably I would get a conflict because when I connect the
    >\\vpnclient machine to the \\vpnserver's LAN thru the VPN tunnel, it
    >becomes a member of the \\vpnserver's LAN. Therefore it would seem
    >that it needs the same subnet. Nevertheless I will experiment with
    >that when I get time.
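
The routing table posted in this thread, run through a longest-prefix, lowest-metric lookup (an added example, not written by any poster in the thread). It shows that the two 192.168.1.0/24 routes tie for both 192.168.1.20 and 192.168.1.100, so the table alone does not say which adapter is used, and that a /32 host route settles it; the host routes and helper names are constructed for illustration, and the model makes no claim about how Windows itself breaks the tie.

```python
import ipaddress

# Active routes as posted in the thread: destination, netmask, gateway,
# interface, metric. The "x.x.x.x" row is the poster's own redaction.
POSTED_TABLE = """\
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.10 1
x.x.x.x 255.255.255.255 192.168.1.1 192.168.1.10 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.10 192.168.1.10 1
192.168.1.0 255.255.255.0 192.168.1.125 192.168.1.125 1
192.168.1.10 255.255.255.255 127.0.0.1 127.0.0.1 1
192.168.1.125 255.255.255.255 127.0.0.1 127.0.0.1 1
192.168.1.255 255.255.255.255 192.168.1.10 192.168.1.10 1
192.168.1.255 255.255.255.255 192.168.1.125 192.168.1.125 1
224.0.0.0 224.0.0.0 192.168.1.10 192.168.1.10 1
224.0.0.0 224.0.0.0 192.168.1.125 192.168.1.125 1
255.255.255.255 255.255.255.255 192.168.1.10 192.168.1.10 1
"""

LAN_IF = "192.168.1.10"   # Ethernet adapter address in the posted table
VPN_IF = "192.168.1.125"  # PPP (VPN) adapter address in the posted table


def parse_routes(text):
    """Parse 'route print' rows into (network, gateway, interface, metric)."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        dest, mask, gateway, iface, metric = fields
        try:
            net = ipaddress.ip_network(f"{dest}/{mask}")
        except ValueError:
            continue  # redacted or malformed destination
        routes.append((net, gateway, iface, int(metric)))
    return routes


def best_routes(routes, destination):
    """All routes tied for best: longest prefix first, then lowest metric."""
    addr = ipaddress.ip_address(destination)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return []
    longest = max(r[0].prefixlen for r in matches)
    matches = [r for r in matches if r[0].prefixlen == longest]
    lowest = min(r[3] for r in matches)
    return [r for r in matches if r[3] == lowest]


def egress_interfaces(routes, destination):
    """Interfaces the best routes point at; more than one means a tie."""
    return sorted({r[2] for r in best_routes(routes, destination)})


def with_host_route(routes, host, iface, metric=1):
    """Copy of the table plus a constructed /32 route for one host."""
    return routes + [(ipaddress.ip_network(f"{host}/32"), iface, iface, metric)]


if __name__ == "__main__":
    table = parse_routes(POSTED_TABLE)
    for dst in ("192.168.1.20", "192.168.1.100"):
        print(dst, "->", egress_interfaces(table, dst))
    pinned = with_host_route(table, "192.168.1.100", VPN_IF)
    pinned = with_host_route(pinned, "192.168.1.20", LAN_IF)
    for dst in ("192.168.1.20", "192.168.1.100"):
        print(dst, "->", egress_interfaces(pinned, dst))
```

A host route of this kind is what `route add <host> mask 255.255.255.255 <gateway>` creates on Windows; with separate subnets on each side, as recommended in the thread, no per-host entries are needed.
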
  15.

    See my final response in your last posting...

    Jeffrey Randow (Windows Net. & Smart Display MVP)
    jeffreyr-support@remotenetworktechnology.com

    Please post all responses to the newsgroups for the benefit
    of all USENET users. Messages sent via email may or may not
    be answered depending on time availability....

    Remote Networking Technology Support Site -
    http://www.remotenetworktechnology.com
    Windows XP Expert Zone - http://www.microsoft.com/windowsxp/expertzone

    On Thu, 06 May 2004 13:46:05 GMT, spam@spam.com (Bob) wrote:

    >On Sun, 02 May 2004 21:23:02 -0500, "Jeffrey Randow (MVP)"
    ><jeffreyr-support@remotenetworktechnology.com> wrote:
    >
    >>Post your routing table... If you are accessing machines using the
    >>VPN gateway, which is what you are saying is happening, you will not
    >>be able to access local machines (on the same subnet) without at least
    >>a timeout...
    >>
    >>The point is that this is a convoluted solution and the best option is
    >>to not operate on the same subnet if at all possible.
    >>
    >>Trying your scenario on a Virtual PC setup does not work in my case
    >>when I have the Use the default gateway option set - I have
    >>connectivity to the VPN environment, but not to my local LAN... With
    >>the default gateway disabled, I have access to the LAN, but no VPN
    >>access.
    >
    >>Jeffrey Randow (Windows Net. & Smart Display MVP)
    >>jeffreyr-support@remotenetworktechnology.com
    >>
    >>Please post all responses to the newsgroups for the benefit
    >>of all USENET users. Messages sent via email may or may not
    >>be answered depending on time availability....
    >
    >I posted responses to this post, but I have not seen your reply.
  16.

    On Thu, 06 May 2004 20:44:45 -0500, "Jeffrey Randow (MVP)"
    <jeffreyr-support@remotenetworktechnology.com> wrote:

    >You have two routes to the 192.168.1.0 network using different
    >gateways... This is not standard internet design...

    That's because it's Microsoft. My response is: "If it works, don't fix
    it."

    Isn't it a bit strange that with the MS PPTP VPN, there are no
    apparent problems caused by this aberrant practice? Isn't it strange
    that nowhere in the documentation for the PPTP VPN does MS mention the
    necessity for different subnets?

    Could it be that MS has circumvented this issue? Naw.

    Your comments have been helpful. I will keep them in mind if I run
    into any problems related to subnet clashes.

    --

    Map Of The Vast Right Wing Conspiracy:
    http://www.freewebs.com/vrwc/

    "You can all go to hell, and I will go to Texas."
    --David Crockett