Sign in with
Sign up | Sign in
Your question

VPN routing from NAT to NAT

Last response: in Windows XP
Share
April 26, 2004 3:11:08 PM

Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

i am in a local network wich connects via router (192.168.1.1) to internet.
i have set up a vpn connection to another local network via vpn on my pc and the connection is working.
on my local network i have pc´s from 192.168.1.100 to 192.168.1.255 and on the other network to which i connect does have the same pc´s and also a router on 192.168.1.1.
when i connect to services and pc´s my computer connects to the local recources.
how can i tell my xp to connect to certain pc´s and ressources via the vpn connection and to not use the lan ?
do i have to use "route" ? how ?

More about : vpn routing nat nat

Anonymous
April 26, 2004 6:07:54 PM

Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

Typically you would want to setup a different subnet for clients when connecting via a VPN. That is
configured on the VPN server end. Then you could use a 'hosts' file to map the remote PCs to their
local LAN IP addresses. See how I setup a PPTP VPN server on one of my XP Pro boxes. Note the use of
a different subnet for clients in the configuration. In your case ignore references to the
PocketPC...

http://members.cox.net/ajarvi/WM2003/WM2003PPTPVPN.html

For a sample hosts file look at this page...

http://members.cox.net/ajarvi/LAN/The_Illustrated_Netwo...

--
Al Jarvi (MS-MVP Windows Networking)

Please post *ALL* questions and replies to the news group for the mutual benefit of all of us...
The MS-MVP Program - http://mvp.support.microsoft.com
This posting is provided "AS IS" with no warranties, and confers no rights...

"Mikel" <anonymous@discussions.microsoft.com> wrote in message
news:3ADD42FF-4843-4368-9B34-03E7C09EEA48@microsoft.com...
>i am in a local network wich connects via router (192.168.1.1) to internet.
> i have set up a vpn connection to another local network via vpn on my pc and the connection is
> working.
> on my local network i have pc´s from 192.168.1.100 to 192.168.1.255 and on the other network to
> which i connect does have the same pc´s and also a router on 192.168.1.1.
> when i connect to services and pc´s my computer connects to the local recources.
> how can i tell my xp to connect to certain pc´s and ressources via the vpn connection and to not
> use the lan ?
> do i have to use "route" ? how ?
Anonymous
April 26, 2004 7:39:14 PM

Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

I forgot to mention that since both networks are using the same addressing range, then its possible
alias mapped to network names may still result in incorrect routing, even with a hosts file. If you
control both networks can you change one to something other than the 192.168.1.X subnet?

--
Al Jarvi (MS-MVP Windows Networking)

Please post *ALL* questions and replies to the news group for the mutual benefit of all of us...
The MS-MVP Program - http://mvp.support.microsoft.com
This posting is provided "AS IS" with no warranties, and confers no rights...

"Sooner Al" <SoonerAl@somewhere.net.invalid> wrote in message
news:eehbIH8KEHA.3292@TK2MSFTNGP11.phx.gbl...
> Typically you would want to setup a different subnet for clients when connecting via a VPN. That
> is configured on the VPN server end. Then you could use a 'hosts' file to map the remote PCs to
> their local LAN IP addresses. See how I setup a PPTP VPN server on one of my XP Pro boxes. Note
> the use of a different subnet for clients in the configuration. In your case ignore references to
> the PocketPC...
>
> http://members.cox.net/ajarvi/WM2003/WM2003PPTPVPN.html
>
> For a sample hosts file look at this page...
>
> http://members.cox.net/ajarvi/LAN/The_Illustrated_Netwo...
>
> --
> Al Jarvi (MS-MVP Windows Networking)
>
> Please post *ALL* questions and replies to the news group for the mutual benefit of all of us...
> The MS-MVP Program - http://mvp.support.microsoft.com
> This posting is provided "AS IS" with no warranties, and confers no rights...
>
> "Mikel" <anonymous@discussions.microsoft.com> wrote in message
> news:3ADD42FF-4843-4368-9B34-03E7C09EEA48@microsoft.com...
>>i am in a local network wich connects via router (192.168.1.1) to internet.
>> i have set up a vpn connection to another local network via vpn on my pc and the connection is
>> working.
>> on my local network i have pc´s from 192.168.1.100 to 192.168.1.255 and on the other network to
>> which i connect does have the same pc´s and also a router on 192.168.1.1.
>> when i connect to services and pc´s my computer connects to the local recources.
>> how can i tell my xp to connect to certain pc´s and ressources via the vpn connection and to not
>> use the lan ?
>> do i have to use "route" ? how ?
>
Related resources
Anonymous
April 27, 2004 4:09:07 AM

Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

You would definately want to re-subnet your networks... The easiest
way to do this is to make one 192.168.x.0, where x is any number from
0-254 other than 1. Or you can get a new subnet mask and split apart
the 192.168.1.x network into multiple subnets (much harder).

The alternative is to hardcode routes to the specific IP addresses of
the computers you want to connect to with the "route" command...

Jeffrey Randow (Windows Net. & Smart Display MVP)
jeffreyr-support@remotenetworktechnology.com

Please post all responses to the newsgroups for the benefit
of all USENET users. Messages sent via email may or may not
be answered depending on time availability....

Remote Networking Technology Support Site -
http://www.remotenetworktechnology.com
Windows XP Expert Zone - http://www.microsoft.com/windowsxp/expertzone

On Mon, 26 Apr 2004 11:11:08 -0700, "Mikel"
<anonymous@discussions.microsoft.com> wrote:

>i am in a local network wich connects via router (192.168.1.1) to internet.
>i have set up a vpn connection to another local network via vpn on my pc and the connection is working.
>on my local network i have pc´s from 192.168.1.100 to 192.168.1.255 and on the other network to which i connect does have the same pc´s and also a router on 192.168.1.1.
>when i connect to services and pc´s my computer connects to the local recources.
>how can i tell my xp to connect to certain pc´s and ressources via the vpn connection and to not use the lan ?
>do i have to use "route" ? how ?
April 27, 2004 5:06:25 PM

Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

On Tue, 27 Apr 2004 00:09:07 -0500, "Jeffrey Randow (MVP)"
<jeffreyr-support@remotenetworktechnology.com> wrote:

>You would definately want to re-subnet your networks... The easiest
>way to do this is to make one 192.168.x.0, where x is any number from
>0-254 other than 1. Or you can get a new subnet mask and split apart
>the 192.168.1.x network into multiple subnets (much harder).
>
>The alternative is to hardcode routes to the specific IP addresses of
>the computers you want to connect to with the "route" command...

You do not have to do any of that. You are overly complicating what
amounts to a simple fix, at least in the case of PPTP. In fact, with
the very popular Linksys BEFSR41 router, you can't have two different
subnets. The subnet is hardcoded to 192.168.1.X

All you have to do is separate the subnet into two address regions,
one for the LAN Adapter and one for the VPN Adapter.

For example, I set LAN IP addresses below 192.168.1.100 and VPN IP
addresses from 192.168.1.100 - 192.168.1.200. All addresses on my
networks are static, so I never have a conflict. But if you want to
use DHCP for assigning LAN IP addresses, just limit the range in the
router to the address region for the LAN. I also set up the VPN Client
to ask for a specific address in the range above 192.168.1.100. PPTP
assigns 192.168.1.100 to the VPN Server since it is the first of the
VPN Adapter range.

Now I can use the HOSTS table, or set up windows that map to raw IP
addresses, because those addresses never change. For those who might
not be aware of how to set up access windows, go to Start|Run and type
in the NetBIOS name in the form of a raw IP address. For example, if
the VPN Server is 192.168.1.100,

Start
Run \\192.168.1.100

[Note the double backslash, which is NetBIOS specific]

will spawn a window showing all the shares on the VPN Server. You can
shortcut that window and keep it on your Desktop for later use. It
will always be valid since the VPN Server address will always be the
same from one session to the next.


--

Map Of The Vast Right Wing Conspiracy:
http://www.freewebs.com/vrwc/

"You can all go to hell, and I will go to Texas."
--David Crockett
Anonymous
April 29, 2004 11:55:29 PM

Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

Only problem is that how you would need to configure the routing
script so it will determine that posts sent to your local network go
to its gateway and posts to the remote network goes to the VPN
server... That's why it is easier to set up on different IP address
schemes... Most routers (including the Linksys) will allow you
specify a different network address (i.e., when I had a Linksys, I
configured it to use 192.168.3.x since my office network is
192.168.2.x and I accessed another network on 192.168.1.x)...


Jeffrey Randow (Windows Net. & Smart Display MVP)
jeffreyr-support@remotenetworktechnology.com

Please post all responses to the newsgroups for the benefit
of all USENET users. Messages sent via email may or may not
be answered depending on time availability....

Remote Networking Technology Support Site -
http://www.remotenetworktechnology.com
Windows XP Expert Zone - http://www.microsoft.com/windowsxp/expertzone

On Tue, 27 Apr 2004 13:06:25 GMT, spam@spam.com (Bob) wrote:

>On Tue, 27 Apr 2004 00:09:07 -0500, "Jeffrey Randow (MVP)"
><jeffreyr-support@remotenetworktechnology.com> wrote:
>
>>You would definately want to re-subnet your networks... The easiest
>>way to do this is to make one 192.168.x.0, where x is any number from
>>0-254 other than 1. Or you can get a new subnet mask and split apart
>>the 192.168.1.x network into multiple subnets (much harder).
>>
>>The alternative is to hardcode routes to the specific IP addresses of
>>the computers you want to connect to with the "route" command...
>
>You do not have to do any of that. You are overly complicating what
>amounts to a simple fix, at least in the case of PPTP. In fact, with
>the very popular Linksys BEFSR41 router, you can't have two different
>subnets. The subnet is hardcoded to 192.168.1.X
>
>All you have to do is separate the subnet into two address regions,
>one for the LAN Adapter and one for the VPN Adapter.
>
>For example, I set LAN IP addresses below 192.168.1.100 and VPN IP
>addresses from 192.168.1.100 - 192.168.1.200. All addresses on my
>networks are static, so I never have a conflict. But if you want to
>use DHCP for assigning LAN IP addresses, just limit the range in the
>router to the address region for the LAN. I also set up the VPN Client
>to ask for a specific address in the range above 192.168.1.100. PPTP
>assigns 192.168.1.100 to the VPN Server since it is the first of the
>VPN Adapter range.
>
>Now I can use the HOSTS table, or set up windows that map to raw IP
>addresses, because those addresses never change. For those who might
>not be aware of how to set up access windows, go to Start|Run and type
>in the NetBIOS name in the form of a raw IP address. For example, if
>the VPN Server is 192.168.1.100,
>
>Start
>Run \\192.168.1.100
>
>[Note the double backslash, which is NetBIOS specific]
>
>will spawn a window showing all the shares on the VPN Server. You can
>shortcut that window and keep it on your Desktop for later use. It
>will always be valid since the VPN Server address will always be the
>same from one session to the next.
April 30, 2004 5:30:27 PM

Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

On Thu, 29 Apr 2004 19:55:29 -0500, "Jeffrey Randow (MVP)"
<jeffreyr-support@remotenetworktechnology.com> wrote:

>Only problem is that how you would need to configure the routing
>script

What "routing script"? Windows takes care of all that for the user.
This isn't UNIX.

>so it will determine that posts sent to your local network go
>to its gateway and posts to the remote network goes to the VPN
>server... That's why it is easier to set up on different IP address
>schemes...

Posts sent by whom? What posts are you talking about?

>Most routers (including the Linksys) will allow you
>specify a different network address (i.e., when I had a Linksys, I
>configured it to use 192.168.3.x since my office network is
>192.168.2.x and I accessed another network on 192.168.1.x)...

I have the Linksys BEFSR41. I am looking in the DHCP page in the
router's administration interface. The "Starting IP Address" is
hardcoded for the first 3 bytes: 192.168.1 You get to specify only the
last byte.

How you managed to talk the Linksys into a different address range is
beyond me.


--

Map Of The Vast Right Wing Conspiracy:
http://www.freewebs.com/vrwc/

"You can all go to hell, and I will go to Texas."
--David Crockett
Anonymous
May 1, 2004 1:15:19 AM

Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

Not when you are on the same subnet.. Take a look at what "route
print" gives you...

Also, on the Linksys - if you change the IP Address of the router to
192.168.2.1 (or 192.16.3.1, etc), it will then change your allowable
DHCP range to that subnet... But you must change the LAN IP address
of the router first...

by posts, I am meaning packets...

Hypothetical example:

Your machine is 192.168.1.10 and another computer in your local
network is 192.168.1.20 with a router at address 192.168.1.1...

Now lets say you connect to a VPN that has a server at 192.168.1.150
and that the VPN gateway address (visible when running IPCONFIG) is
192.168.1.200 and that you are assigned IP address 192.168.1.201

How will your computer know how to send a packet to 192.168.1.150?

For example, a route print on my laptop is:
Active Routes:
Network Destination Netmask Gateway Interface
Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.150 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.150 192.168.1.150 20
192.168.1.150 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.150 192.168.1.150 20
224.0.0.0 240.0.0.0 192.168.1.150 192.168.1.150 20
255.255.255.255 255.255.255.255 192.168.1.150 3 1
255.255.255.255 255.255.255.255 192.168.1.150 2 1
255.255.255.255 255.255.255.255 192.168.1.150 192.168.1.150 1
Default Gateway: 192.168.1.1

Packets sent to the 192.168.1.0 network are sent without routing
(using local interface)... Now if you add a VPN with a similar
network, you will add an alternate route for the 192.168.1.0 network,
this time with the remote VPN server as the gateway.. At this point,
only the metric will control which one controls... This is not an
ideal way to function...

Jeffrey Randow (Windows Net. & Smart Display MVP)
jeffreyr-support@remotenetworktechnology.com

Please post all responses to the newsgroups for the benefit
of all USENET users. Messages sent via email may or may not
be answered depending on time availability....

Remote Networking Technology Support Site -
http://www.remotenetworktechnology.com
Windows XP Expert Zone - http://www.microsoft.com/windowsxp/expertzone

On Fri, 30 Apr 2004 13:30:27 GMT, spam@spam.com (Bob) wrote:

>On Thu, 29 Apr 2004 19:55:29 -0500, "Jeffrey Randow (MVP)"
><jeffreyr-support@remotenetworktechnology.com> wrote:
>
>>Only problem is that how you would need to configure the routing
>>script
>
>What "routing script"? Windows takes care of all that for the user.
>This isn't UNIX.
>
>>so it will determine that posts sent to your local network go
>>to its gateway and posts to the remote network goes to the VPN
>>server... That's why it is easier to set up on different IP address
>>schemes...
>
>Posts sent by whom? What posts are you talking about?
>
>>Most routers (including the Linksys) will allow you
>>specify a different network address (i.e., when I had a Linksys, I
>>configured it to use 192.168.3.x since my office network is
>>192.168.2.x and I accessed another network on 192.168.1.x)...
>
>I have the Linksys BEFSR41. I am looking in the DHCP page in the
>router's administration interface. The "Starting IP Address" is
>hardcoded for the first 3 bytes: 192.168.1 You get to specify only the
>last byte.
>
>How you managed to talk the Linksys into a different address range is
>beyond me.
May 1, 2004 10:14:02 AM

Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

On Fri, 30 Apr 2004 21:15:19 -0500, "Jeffrey Randow (MVP)"
<jeffreyr-support@remotenetworktechnology.com> wrote:

>Also, on the Linksys - if you change the IP Address of the router to
>192.168.2.1 (or 192.16.3.1, etc), it will then change your allowable
>DHCP range to that subnet... But you must change the LAN IP address
>of the router first...

I am not willing to experiment so I will have to take your word for
it, but what you are saying is that the Linksys BEFSR41 has a dynamic
web server embedded in it - that is, the content of the DHCP page (in
particular the text relating the allowed range of IP addresses) is
dependent on the value chosen for the LAN subnet. Incredible.

>Your machine is 192.168.1.10 and another computer in your local
>network is 192.168.1.20 with a router at address 192.168.1.1...

>Now lets say you connect to a VPN that has a server at 192.168.1.150

Which LAN is that referenced to? I assume it is referenced to the LAN
that the VPN server machine is on.

>and that the VPN gateway address (visible when running IPCONFIG) is
>192.168.1.200 and that you are assigned IP address 192.168.1.201

>How will your computer know how to send a packet to 192.168.1.150?

Why would you want to send a packet to that address? Why not send it
to the VPN address of that machine, namely, 192.168.1.200? In fact, if
NetBIOS is behaving properly (which is only sometimes), then you can
address the VPN server machube by its NetBIOS name.

My son has his machine set up as 192.168.1.10 on his LAN and I have
mine set up the same awy on my LAN. When I connect to his VPN server,
which he configured for address range 1920168.1.100-200, his machine
is 192.168.1.100. I don't know anything about his machine's address on
his LAN because that involves his Ethernet adapter which is hidden
from me.

What you seem to be leaving out of your analysis is the bindings of
the various IP addresses to different adapters. Both his machine and
mine have two adapters - a "Local Area Connection" (LAN) adapter and a
VPN adapter. When we send packets to one another, we are doing it over
the VPN adapters, not the LAN adapters. My machine knows nothing about
the network associated with his LAN adapter, and therefore there is no
subnet conflict.

>Packets sent to the 192.168.1.0 network are sent without routing
>(using local interface)...

That is not true. Packets sent to 192.168.1.100 will be sent to the
VPN adapter, because that address is now bound to the VPN adapter and
not the LAN adapter.

> Now if you add a VPN with a similar
>network, you will add an alternate route for the 192.168.1.0 network,
>this time with the remote VPN server as the gateway..

and with the VPN adapter connected to that gateway, not the LAN
adapter.

> At this point,
>only the metric will control which one controls...

The control is in the bindings. How that is accomplished is something
only Microsoft knows.

>This is not an ideal way to function...

Tell that to Microsoft. And while you are at it, tell them to fix
NetBIOS, which apparently is being confused with all this.


--

Map Of The Vast Right Wing Conspiracy:
http://www.freewebs.com/vrwc/

"You can all go to hell, and I will go to Texas."
--David Crockett
Anonymous
May 2, 2004 3:28:14 AM

Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

See below...

In summary, if you are willing to lose all LAN connectivity while on
the VPN, you can perhaps coexist on the same subnet.. However, all
internet accesses, etc., will go over the VPN link, not directly out
of your computer...

Jeffrey Randow (Windows Net. & Smart Display MVP)
jeffreyr-support@remotenetworktechnology.com

Please post all responses to the newsgroups for the benefit
of all USENET users. Messages sent via email may or may not
be answered depending on time availability....

Remote Networking Technology Support Site -
http://www.remotenetworktechnology.com
Windows XP Expert Zone - http://www.microsoft.com/windowsxp/expertzone

On Sat, 01 May 2004 06:14:02 GMT, spam@spam.com (Bob) wrote:

>On Fri, 30 Apr 2004 21:15:19 -0500, "Jeffrey Randow (MVP)"
><jeffreyr-support@remotenetworktechnology.com> wrote:
>
>>Also, on the Linksys - if you change the IP Address of the router to
>>192.168.2.1 (or 192.16.3.1, etc), it will then change your allowable
>>DHCP range to that subnet... But you must change the LAN IP address
>>of the router first...
>
>I am not willing to experiment so I will have to take your word for
>it, but what you are saying is that the Linksys BEFSR41 has a dynamic
>web server embedded in it - that is, the content of the DHCP page (in
>particular the text relating the allowed range of IP addresses) is
>dependent on the value chosen for the LAN subnet. Incredible.
>

Browse to the Router's admin interface... On the main config page,
you can change the LAN IP Address of the router.. If you want, you
can change it to 192.168.2.x, or whatever... Let the router reboot,
and then release and renew the IP address for your computer (ipconfig
/release and ipconfig /renew). The router will then assign you an
address on the new LAN network (i.e., 192.168.2.x)... Every router I
have seen offers this ability, so I don't understand why this is an
issue.

>>Your machine is 192.168.1.10 and another computer in your local
>>network is 192.168.1.20 with a router at address 192.168.1.1...
>
>>Now lets say you connect to a VPN that has a server at 192.168.1.150
>
>Which LAN is that referenced to? I assume it is referenced to the LAN
>that the VPN server machine is on.

The private address of the VPN server is at 192.168.1.150...
Hypothetically you would connect to it through its public address....
However, once connected, you would use its private address, thus the
premise.

>
>>and that the VPN gateway address (visible when running IPCONFIG) is
>>192.168.1.200 and that you are assigned IP address 192.168.1.201
>
>>How will your computer know how to send a packet to 192.168.1.150?
>
>Why would you want to send a packet to that address? Why not send it
>to the VPN address of that machine, namely, 192.168.1.200? In fact, if
>NetBIOS is behaving properly (which is only sometimes), then you can
>address the VPN server machube by its NetBIOS name.
>
>My son has his machine set up as 192.168.1.10 on his LAN and I have
>mine set up the same awy on my LAN. When I connect to his VPN server,
>which he configured for address range 1920168.1.100-200, his machine
>is 192.168.1.100. I don't know anything about his machine's address on
>his LAN because that involves his Ethernet adapter which is hidden
>from me.
>
>What you seem to be leaving out of your analysis is the bindings of
>the various IP addresses to different adapters. Both his machine and
>mine have two adapters - a "Local Area Connection" (LAN) adapter and a
>VPN adapter. When we send packets to one another, we are doing it over
>the VPN adapters, not the LAN adapters. My machine knows nothing about
>the network associated with his LAN adapter, and therefore there is no
>subnet conflict.
>
I'm not missing that... The metrics determine which route to take..
If you are both using the same private network for your LANs, how will
your machine know whether to send the packet over the local network or
over the VPN (name resolution not withstanding). The only legitimate
way to do this is to set up a routing path for the appropriate
computers.

>>Packets sent to the 192.168.1.0 network are sent without routing
>>(using local interface)...
>
>That is not true. Packets sent to 192.168.1.100 will be sent to the
>VPN adapter, because that address is now bound to the VPN adapter and
>not the LAN adapter.

It is true if you have "Use the Default Gateway on the Remote Network"
unchecked like most users do... However, if you redefine the default
gateway to the remote network, you lose LAN connectivity.. This may
be what you are seeing...

>
>> Now if you add a VPN with a similar
>>network, you will add an alternate route for the 192.168.1.0 network,
>>this time with the remote VPN server as the gateway..
>
>and with the VPN adapter connected to that gateway, not the LAN
>adapter.

Again, depends on your settings... Most users won't have this since
they will have disabled the Use the Default Gateway on the Remote
Network option.

>
>> At this point,
>>only the metric will control which one controls...
>
>The control is in the bindings. How that is accomplished is something
>only Microsoft knows.

No, the control you are talking about is in the selection of a new
default gateway.

>
>>This is not an ideal way to function...
>
>Tell that to Microsoft. And while you are at it, tell them to fix
>NetBIOS, which apparently is being confused with all this.

NetBIOS is not a problem... However, they are trying to move away
from NetBIOS to a pure TCP/IP network... However, I am not sure how
they are going to accomplish this without scrapping SMB.
May 3, 2004 1:00:55 AM

Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

On Sat, 01 May 2004 23:28:14 -0500, "Jeffrey Randow (MVP)"
<jeffreyr-support@remotenetworktechnology.com> wrote:

>In summary, if you are willing to lose all LAN connectivity while on
>the VPN, you can perhaps coexist on the same subnet.. However, all
>internet accesses, etc., will go over the VPN link, not directly out
>of your computer...

Wrong, at least on my setup.

There are two Win2K machines, one named "vpnserver" at a remote
location behind a Linksys BEFSR41 router with LAN address 192.168.1.10
and the other named "vpnclient" at home behind a Linksys BEFSR41
router with LAN address 192.168.1.10. I am on the home machine.

The VPN server software is set up to allow a range of addresses
192.168.1.100 - 192.168.1.200 and to permit the VPN client to specify
its VPN IP address. The VPN client software is set up to ask for
192.168.1.125. All IP addresses, both LAN and VPN are static.

There is a third machine which is on the home LAN with static IP
address 192.168.1.20. It's name is irrelevant.

The home machine \\vpnclient connects to the remote machine
\\vpnserver successfully. I look in the STATUS|Details page of the VPN
client icon sitting in the tray. It says that the VPN server is
192.168.1.100 and the VPN client is 192.168.1.125 - both as expected.

I access the remote server at \\192.168.1.100 (I would use the NetBIOS
name \\vpnserver but that is not always reliable because although I do
have a HOSTS table entry for reasons I do not understand it does not
always work.) I can access the machine by using:

Start|Run|\\192.168.1.100

RightClickDesktop|New|Shortcut|\\192.168.1.100

The shortcut method is preferred because it leaves you with a
permanent window to access the remote machine again later.

OK, so far so good. I am connected to the remote machine over the VPN
amd I can access the shares on the remote machine. There is a
directory built specifically for me to use called c:\vpnclient and I
have full permission to use it. I create a text file and put it in
that directory. There are also some other directories I have read-only
permission which I can download files from. Everything works as
expected.

Now I try to access the local area machine on my LAN, the one with IP
address 192.168.1.20. I use the same method of accessing shares
described above and sure enough I have access in a window just like I
would have when I am not connected to the VPN. Clearly I have not lost
all LAN connectivity as you claim.

That's because the address space in the subnet has been split into two
regions and each region is bound to the appropriate adapter. The
system knows where to send packets based on those bindings.

If the IP address is below 192.168.1.100 or above 192.168.1.200, then
the system knows to send the packets to the LAN adapter, as if there
is no VPN.

If the IP address is in the range 100 - 200, then the system knows to
send the packets to the VPN adapter, in which case the system knows
how to send them thru the VPN tunnel.

>Browse to the Router's admin interface... On the main config page,
>you can change the LAN IP Address of the router.. If you want, you
>can change it to 192.168.2.x, or whatever... Let the router reboot,
>and then release and renew the IP address for your computer (ipconfig
>/release and ipconfig /renew). The router will then assign you an
>address on the new LAN network (i.e., 192.168.2.x)... Every router I
>have seen offers this ability, so I don't understand why this is an
>issue.

It's not an issue. It's something I was never aware of because I never
played with it. But thanks for the heads up - it is useful to know.

>I'm not missing that... The metrics determine which route to take..

OK, let's ask this question.

What if I set up the VPN server and the VPN client so that the allowed
range of addresses is 192.168.2.100 - 192.168.2.200 and the particular
client address is 192.168.2.125, but I do not change anything else. I
do not change the router, I do not change the LAN parameters - I just
change the VPN parameters.

What would happen then?

Presumably I would get a conflict because when I connect the
\\vpnclient machine to the \\vpnserver's LAN thru the VPN tunnel, it
becomes a member of the \\vpnserver's LAN. Therefore it would seem
that it needs the same subnet. Nevertheless I will experiment with
that when I get time.

In the meantime, I can access the machine on my LAN and the machine on
the VPN at the same time without any problems other than the usual
trouble with using NetBIOS names, which is a Win2K problem because
there is no place in the VPN software to enable NetBIOS like there is
in the VPN for XP.


--

Map Of The Vast Right Wing Conspiracy:
http://www.freewebs.com/vrwc/

"You can all go to hell, and I will go to Texas."
--David Crockett
Anonymous
May 3, 2004 1:23:02 AM

Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

Post your routing table... If you are accessing machines using the
VPN gateway, which is what you are saying is happening, you will not
be able to access local machines (on the same subnet) without at least
a timeout...

The point is that this is a convoluted solution and the best option is
to not operate on the same subnet if at all possible.

Trying your scenario on a Virtual PC setup does not work in my case
when I have the Use the default gateway option set - I have
connectivity to the VPN environment, but not to my local LAN... With
the default gateway disabled, I have access to the LAN, but no VPN
access.


Jeffrey Randow (Windows Net. & Smart Display MVP)
jeffreyr-support@remotenetworktechnology.com

Please post all responses to the newsgroups for the benefit
of all USENET users. Messages sent via email may or may not
be answered depending on time availability....

Remote Networking Technology Support Site -
http://www.remotenetworktechnology.com
Windows XP Expert Zone - http://www.microsoft.com/windowsxp/expertzone

On Sun, 02 May 2004 21:00:55 GMT, spam@spam.com (Bob) wrote:

>On Sat, 01 May 2004 23:28:14 -0500, "Jeffrey Randow (MVP)"
><jeffreyr-support@remotenetworktechnology.com> wrote:
>
>>In summary, if you are willing to lose all LAN connectivity while on
>>the VPN, you can perhaps coexist on the same subnet.. However, all
>>internet accesses, etc., will go over the VPN link, not directly out
>>of your computer...
>
>Wrong, at least on my setup.
>
>There are two Win2K machines, one named "vpnserver" at a remote
>location behind a Linksys BEFSR41 router with LAN address 192.168.1.10
>and the other named "vpnclient" at home behind a Linksys BEFSR41
>router with LAN address 192.168.1.10. I am on the home machine.
>
>The VPN server software is set up to allow a range of addresses
>192.168.1.100 - 192.168.1.200 and to permit the VPN client to specify
>its VPN IP address. The VPN client software is set up to ask for
>192.168.1.125. All IP addresses, both LAN and VPN are static.
>
>There is a third machine which is on the home LAN with static IP
>address 192.168.1.20. It's name is irrelevant.
>
>The home machine \\vpnclient connects to the remote machine
>\\vpnserver successfully. I look in the STATUS|Details page of the VPN
>client icon sitting in the tray. It says that the VPN server is
>192.168.1.100 and the VPN client is 192.168.1.125 - both as expected.
>
>I access the remote server at \\192.168.1.100 (I would use the NetBIOS
>name \\vpnserver but that is not always reliable because although I do
>have a HOSTS table entry for reasons I do not understand it does not
>always work.) I can access the machine by using:
>
>Start|Run|\\192.168.1.100
>
>RightClickDesktop|New|Shortcut|\\192.168.1.100
>
>The shortcut method is preferred because it leaves you with a
>permanent window to access the remote machine again later.
>
>OK, so far so good. I am connected to the remote machine over the VPN
>amd I can access the shares on the remote machine. There is a
>directory built specifically for me to use called c:\vpnclient and I
>have full permission to use it. I create a text file and put it in
>that directory. There are also some other directories I have read-only
>permission which I can download files from. Everything works as
>expected.
>
>Now I try to access the local area machine on my LAN, the one with IP
>address 192.168.1.20. I use the same method of accessing shares
>described above and sure enough I have access in a window just like I
>would have when I am not connected to the VPN. Clearly I have not lost
>all LAN connectivity as you claim.
>
>That's because the address space in the subnet has been split into two
>regions and each region is bound to the appropriate adapter. The
>system knows where to send packets based on those bindings.
>
>If the IP address is below 192.168.1.100 or above 192.168.1.200, then
>the system knows to send the packets to the LAN adapter, as if there
>is no VPN.
>
>If the IP address is in the range 100 - 200, then the system knows to
>send the packets to the VPN adapter, in which case the system knows
>how to send them thru the VPN tunnel.
>
>>Browse to the Router's admin interface... On the main config page,
>>you can change the LAN IP Address of the router.. If you want, you
>>can change it to 192.168.2.x, or whatever... Let the router reboot,
>>and then release and renew the IP address for your computer (ipconfig
>>/release and ipconfig /renew). The router will then assign you an
>>address on the new LAN network (i.e., 192.168.2.x)... Every router I
>>have seen offers this ability, so I don't understand why this is an
>>issue.
>
>It's not an issue. It's something I was never aware of because I never
>played with it. But thanks for the heads up - it is useful to know.
>
>>I'm not missing that... The metrics determine which route to take..
>
>OK, let's ask this question.
>
>What if I set up the VPN server and the VPN client so that the allowed
>range of addresses is 192.168.2.100 - 192.168.2.200 and the particular
>client address is 192.168.2.125, but I do not change anything else. I
>do not change the router, I do not change the LAN parameters - I just
>change the VPN parameters.
>
>What would happen then?
>
>Presumably I would get a conflict because when I connect the
>\\vpnclient machine to the \\vpnserver's LAN thru the VPN tunnel, it
>becomes a member of the \\vpnserver's LAN. Therefore it would seem
>that it needs the same subnet. Nevertheless I will experiment with
>that when I get time.
>
>In the meantime, I can access the machine on my LAN and the machine on
>the VPN at the same time without any problems other than the usual
>trouble with using NetBIOS names, which is a Win2K problem because
>there is no place in the VPN software to enable NetBIOS like there is
>in the VPN for XP.
May 3, 2004 10:20:13 AM

Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

On Sun, 02 May 2004 21:23:02 -0500, "Jeffrey Randow (MVP)"
<jeffreyr-support@remotenetworktechnology.com> wrote:

>Post your routing table...

+++++
Interface List
0x1... MS TCP Loopback interface
0x2...00 50 04 d9 4f 6a...3Com EtherLink PCI
0x4000004...00 53 45 00 00 00...WAN (PPP/SLIP) Interface
Active Routes:
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.10 1
x.x.x.x 255.255.255.255 192.168.1.1 192.168.1.10 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.10 192.168.1.10 1
192.168.1.0 255.255.255.0 192.168.1.125 192.168.1.125 1
192.168.1.10 255.255.255.255 127.0.0.1 127.0.0.1 1
192.168.1.125 255.255.255.255 127.0.0.1 127.0.0.1 1
192.168.1.255 255.255.255.255 192.168.1.10 192.168.1.10 1
192.168.1.255 255.255.255.255 192.168.1.125 192.168.1.125 1
224.0.0.0 224.0.0.0 192.168.1.10 192.168.1.10 1
224.0.0.0 224.0.0.0 192.168.1.125 192.168.1.125 1
255.255.255.255 255.255.255.255 192.168.1.10 192.168.1.10 1
Default Gateway: 192.168.1.1
Persistent Routes: None
+++++

I had to remove the spaces so it would not wrap.

>If you are accessing machines using the
>VPN gateway, which is what you are saying is happening, you will not
>be able to access local machines (on the same subnet) without at least
>a timeout...

There is no timeout. I can access the VPN machine and the LAN machine
right away. I go to Start Run, which already has the two addresses
from previous use. I click on one and a window opens immediately. I
click on the other and a window opens immediately. No timeout, at
least none apparent to me. Admittedly, there is a small hesitation
when I access the VPN machine, but I attribute that to the fact that
it is a remote machine and not on my 100BaseTX LAN.

>The point is that this is a convoluted solution and the best option is
>to not operate on the same subnet if at all possible.

I am really trying to discover why you are saying that, but I am
unable because every time you make a claim, it isn't that way - at
least not as I see it. You claim I can't access the LAM machine, yet I
am able to, You claim there will be a timeout, yet there isn't any.

>Trying your scenario on a Virtual PC setup does not work in my case
>when I have the Use the default gateway option set - I have
>connectivity to the VPN environment, but not to my local LAN... With
>the default gateway disabled, I have access to the LAN, but no VPN
>access.

I have no earthly idea what you just said.

You did not answer my earlier question:

What if I set up the VPN server and the VPN client so that the allowed
range of addresses is 192.168.2.100 - 192.168.2.200 and the particular
client address is 192.168.2.125, but I do not change anything else. I
do not change the router, I do not change the LAN parameters - I just
change the VPN parameters.

What would happen then?

Presumably I would get a conflict because when I connect the
\\vpnclient machine to the \\vpnserver's LAN thru the VPN tunnel, it
becomes a member of the \\vpnserver's LAN. Therefore it would seem
that it needs the same subnet. Nevertheless I will experiment with
that when I get time.


--

Map Of The Vast Right Wing Conspiracy:
http://www.freewebs.com/vrwc/

"You can all go to hell, and I will go to Texas."
--David Crockett
May 6, 2004 5:46:05 PM

Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

On Sun, 02 May 2004 21:23:02 -0500, "Jeffrey Randow (MVP)"
<jeffreyr-support@remotenetworktechnology.com> wrote:

>Post your routing table... If you are accessing machines using the
>VPN gateway, which is what you are saying is happening, you will not
>be able to access local machines (on the same subnet) without at least
>a timeout...
>
>The point is that this is a convoluted solution and the best option is
>to not operate on the same subnet if at all possible.
>
>Trying your scenario on a Virtual PC setup does not work in my case
>when I have the Use the default gateway option set - I have
>connectivity to the VPN environment, but not to my local LAN... With
>the default gateway disabled, I have access to the LAN, but no VPN
>access.

>Jeffrey Randow (Windows Net. & Smart Display MVP)
>jeffreyr-support@remotenetworktechnology.com
>
>Please post all responses to the newsgroups for the benefit
>of all USENET users. Messages sent via email may or may not
>be answered depending on time availability....

I posted responses to this post, but I have not seen your reply.


--

Map Of The Vast Right Wing Conspiracy:
http://www.freewebs.com/vrwc/

"You can all go to hell, and I will go to Texas."
--David Crockett
Anonymous
May 7, 2004 12:44:45 AM

Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

You have two routes to the 192.168.1.0 network using different
gateway... This is not standard internet design... The only reason I
think you are connecting to the 192.168.1.125 gateway is that it is
listed last (but this is just a thought).

If it works for you, then leave it the way it is.. However, if one
wants to properly set up a TCPIP network, then it should be segmented
and subnetted properly...

For more reference, see:
http://www.draytek.co.uk/support/vpn_check.html
http://www.chicagotech.net/routing.htm
http://www.unixathome.org/adsl/archives/2001_11/0061.ht...
http://groups.google.com/groups?q=vpn+subnet+same+as+lo...
http://groups.google.com/groups?q=vpn+subnet+same+as+lo...

All I am saying is that this is not best practice for other users to
follow unless they are willing to deal with the ramifications and the
potential problems that could pop up.. Many have posted here for the
last three years (or since the end of the XP beta when these
newsgroups went live) who have had problems that were fixed the moment
they changed their local IP network to something different than the
office network.

In an ideal world, we would not have this discussion - this is a
limitation that NAT firewall devices and routers have foisted upon us.
NAT causes many of the issues that we have to strive to work around in
these discussions.

VPN connections are finicky depending on your exact network
configurations (i.e., NetBIOS over TCP enabled, presence of WINS
Servers, presence of DNS servers, whether you use PPTP or L2TP,
default gateways on remote networks, etc.). One solution doesn't fit
all cases. I have office users I support running different patch
levels of Windows XP who each get different VPN experiences when
connecting to my office network.


Jeffrey Randow (Windows Net. & Smart Display MVP)
jeffreyr-support@remotenetworktechnology.com

Please post all responses to the newsgroups for the benefit
of all USENET users. Messages sent via email may or may not
be answered depending on time availability....

Remote Networking Technology Support Site -
http://www.remotenetworktechnology.com
Windows XP Expert Zone - http://www.microsoft.com/windowsxp/expertzone

On Mon, 03 May 2004 06:20:13 GMT, spam@spam.com (Bob) wrote:

>On Sun, 02 May 2004 21:23:02 -0500, "Jeffrey Randow (MVP)"
><jeffreyr-support@remotenetworktechnology.com> wrote:
>
>>Post your routing table...
>
>+++++
>Interface List
>0x1... MS TCP Loopback interface
>0x2...00 50 04 d9 4f 6a...3Com EtherLink PCI
>0x4000004...00 53 45 00 00 00...WAN (PPP/SLIP) Interface
>Active Routes:
>0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.10 1
>x.x.x.x 255.255.255.255 192.168.1.1 192.168.1.10 1
>127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
>192.168.1.0 255.255.255.0 192.168.1.10 192.168.1.10 1
>192.168.1.0 255.255.255.0 192.168.1.125 192.168.1.125 1
>192.168.1.10 255.255.255.255 127.0.0.1 127.0.0.1 1
>192.168.1.125 255.255.255.255 127.0.0.1 127.0.0.1 1
>192.168.1.255 255.255.255.255 192.168.1.10 192.168.1.10 1
>192.168.1.255 255.255.255.255 192.168.1.125 192.168.1.125 1
>224.0.0.0 224.0.0.0 192.168.1.10 192.168.1.10 1
>224.0.0.0 224.0.0.0 192.168.1.125 192.168.1.125 1
>255.255.255.255 255.255.255.255 192.168.1.10 192.168.1.10 1
>Default Gateway: 192.168.1.1
>Persistent Routes: None
>+++++
>
>I had to remove the spaces so it would not wrap.
>
>>If you are accessing machines using the
>>VPN gateway, which is what you are saying is happening, you will not
>>be able to access local machines (on the same subnet) without at least
>>a timeout...
>
>There is no timeout. I can access the VPN machine and the LAN machine
>right away. I go to Start Run, which already has the two addresses
>from previous use. I click on one and a window opens immediately. I
>click on the other and a window opens immediately. No timeout, at
>least none apparent to me. Admittedly, there is a small hesitation
>when I access the VPN machine, but I attribute that to the fact that
>it is a remote machine and not on my 100BaseTX LAN.
>
>>The point is that this is a convoluted solution and the best option is
>>to not operate on the same subnet if at all possible.
>
>I am really trying to discover why you are saying that, but I am
>unable because every time you make a claim, it isn't that way - at
>least not as I see it. You claim I can't access the LAM machine, yet I
>am able to, You claim there will be a timeout, yet there isn't any.
>
>>Trying your scenario on a Virtual PC setup does not work in my case
>>when I have the Use the default gateway option set - I have
>>connectivity to the VPN environment, but not to my local LAN... With
>>the default gateway disabled, I have access to the LAN, but no VPN
>>access.
>
>I have no earthly idea what you just said.
>
>You did not answer my earlier question:
>
>What if I set up the VPN server and the VPN client so that the allowed
>range of addresses is 192.168.2.100 - 192.168.2.200 and the particular
>client address is 192.168.2.125, but I do not change anything else. I
>do not change the router, I do not change the LAN parameters - I just
>change the VPN parameters.
>
>What would happen then?
>
>Presumably I would get a conflict because when I connect the
>\\vpnclient machine to the \\vpnserver's LAN thru the VPN tunnel, it
>becomes a member of the \\vpnserver's LAN. Therefore it would seem
>that it needs the same subnet. Nevertheless I will experiment with
>that when I get time.
Anonymous
May 7, 2004 12:44:59 AM

Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

See my final response in your last posting...

Jeffrey Randow (Windows Net. & Smart Display MVP)
jeffreyr-support@remotenetworktechnology.com

Please post all responses to the newsgroups for the benefit
of all USENET users. Messages sent via email may or may not
be answered depending on time availability....

Remote Networking Technology Support Site -
http://www.remotenetworktechnology.com
Windows XP Expert Zone - http://www.microsoft.com/windowsxp/expertzone

On Thu, 06 May 2004 13:46:05 GMT, spam@spam.com (Bob) wrote:

>On Sun, 02 May 2004 21:23:02 -0500, "Jeffrey Randow (MVP)"
><jeffreyr-support@remotenetworktechnology.com> wrote:
>
>>Post your routing table... If you are accessing machines using the
>>VPN gateway, which is what you are saying is happening, you will not
>>be able to access local machines (on the same subnet) without at least
>>a timeout...
>>
>>The point is that this is a convoluted solution and the best option is
>>to not operate on the same subnet if at all possible.
>>
>>Trying your scenario on a Virtual PC setup does not work in my case
>>when I have the Use the default gateway option set - I have
>>connectivity to the VPN environment, but not to my local LAN... With
>>the default gateway disabled, I have access to the LAN, but no VPN
>>access.
>
>>Jeffrey Randow (Windows Net. & Smart Display MVP)
>>jeffreyr-support@remotenetworktechnology.com
>>
>>Please post all responses to the newsgroups for the benefit
>>of all USENET users. Messages sent via email may or may not
>>be answered depending on time availability....
>
>I posted responses to this post, but I have not seen your reply.
May 7, 2004 3:17:39 PM

Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

On Thu, 06 May 2004 20:44:45 -0500, "Jeffrey Randow (MVP)"
<jeffreyr-support@remotenetworktechnology.com> wrote:

>You have two routes to the 192.168.1.0 network using different
>gateway... This is not standard internet design...

That's because it's Microsoft. My response is: "If it works, don't fix
it."

Isn't it a bit strange that with the MS PPTP VPN, there are no
apparent problems caused by this abberant practivce? Isn't it strange
that nowhere in the documentation for the PPTP VPN does MS mention the
necessity for different subnets?

Could it be that MS has circumvented this issue? Naw.

Your comments have been helpful. I will keep them in mind if I run
into any problems related to subnet clashes.

--

Map Of The Vast Right Wing Conspiracy:
http://www.freewebs.com/vrwc/

"You can all go to hell, and I will go to Texas."
--David Crockett
!