
Multihome causes log on pause.


ptj (Programmer, GB) - Oct 5, 2001
Hello all.

I have a slightly bizarre network set-up at home to allow me to be permanently connected to a vpn router at work, while having a domain at home.

My internet IP address is dynamic and traffic comes in via a firewall router on the subnet 192.168.123.x (router .254)

The 192.168.123 subnet is the main one for my domain, but I have a firewall endpoint router (192.168.123.253 on the WAN side) which is on the subnet 192.168.1.x on its LAN side.


So I have 2 subnets at home 192.168.123 and 192.168.1.

Initially I just put an extra nic in my server (sbs 2000) so it could contact my work over the vpn - works no problem.

I then put a second nic in another machine (XP Pro) so it is also multihomed. Vpn is painfully slow on this machine & when you log in to my local domain it takes ages to bring up the desktop (which before the second nic was instant).

I think I have confused something somewhere by having 2 multihomed machines on the same 2 networks - anyone got any ideas? (I've tried messing with DNS settings a bit, disabled the client for networking on the second NIC, and increased its metric to 2, all to no avail!)


Thanks in anticipation

Phil

 
Sheeesh.

Some thoughts:

1. You should only have to multi-home 1 machine. A router would be a much easier solution for you. But, multi-home only the original machine.

2. Remove the settings, or much better, remove the second adapter on the other new machine.

3. I have not tried this, but I think you could convince Windows to ICS the VPN connection so that others on the local LAN could use this connection.

4. You will always have the problem on your primary machine, (without a router) of being able to access your local LAN and the VPN at the same time.

5. It may be possible to convince Windows to bridge the VPN connection to your now multi-homed machine. If you create a bridge between the segments, then you are essentially routing the external traffic through that principal machine.

If you gave the other clients on the local LAN static addresses in your LAN subnet, and pointed their gateway at the ICS connection, I think it might work.

But a ~#90 hardware router with IPSEC passthrough and other VPN features such as a persistent endpoint service would really make this thing a lot easier, and you a lot happier. Linksys makes a product that would be perfect for you as a constant endpoint VPN client, and the routing side would handle a thousand problems you might face with your local LAN.



 
1. You don't need an extra NIC to set up a VPN connection
2. VPN is effectively a remote network logon - you don't need to ICS this.
3. As long as your firewall allows VPN pass-through, you shouldn't need any further setup, and you should still be able to stay permanently connected.

Could you post your network schematic? I'm afraid I'm thoroughly lost as to what's plugged into what...

<marc> i wonder what will happen if i press this... (please give feedback on what works / what doesn't; need some help? how to get a better answer: faq581-3339)
 
manarth,

If he does it your way, only one machine gets a VPN connection, and he cannot do anything on the local LAN.

He wants to share the VPN, and he wants local LAN access.

I guess I am missing something here. I am used to handling this with a router.
 
There's definitely something unusual about this -

So far I can see these connections:
- the internet
- local domain
- the VPN


1. VPN does not require a second NIC.
"Initially I just put an extra nic in my server (sbs 2000) so it could contact my work over the vpn"

2. Why is the WAN using a private IP?.
"I have a firewall endpoint router (192.168.123.253 on the wan side)"
My guess is there's another device in the chain which ptj hasn't mentioned.



So how's about this?
Code:
  ISP --- modem --- | FIREWALL | --- LANswitch
        <public IP>              <LAN IPs>

You can set a domain controller on the LAN, set whatever IP addressing policies you like.....
Because every PC in the LAN can access the internet via the gateway, every PC should be able to VPN to the office.

bcastner - I think I'm missing something here as well - there isn't really enough information yet to be more specific... hopefully a network schematic will shed a bit more light on this!

<marc> i wonder what will happen if i press this... (please give feedback on what works / what doesn't; need some help? how to get a better answer: faq581-3339)
 
My guess is he has one too many routers.

Toss the second router, or the first, or whatever router allows in firmware for it to act as a VPN end-point.

Set up a persistent VPN connection through the router.

I would then Bridge that connection with a dual-NIC host machine.

Forget about ICS, manarth is right it is not needed here.

The second adapter would also go to the switch.

I keep thinking that your router will not do the bridging to the local Lan, that it should be done in software and hardware on a host machine. But I could be full of crap on this issue. I have done it exactly this way, however. And it works. The question is whether you need to provide a multi-homed host for this service to make it work. I think you do for most SOHO class routers.
 
Thanks for all your suggestions. I can understand the logic of only having one router, but there are a couple of reasons why I have installed two!

I already had the first router in place for my local network at home, and I didn't particularly want the VPN to be able to access that subnet. The VPN is mainly for offsite backups of important files from work, so I thought I would multihome my server as a temporary measure, and then work would soon buy some storage facility, like a Snap Server, which would go there instead. My home network would then be completely divorced from work, as the VPN endpoint was on a different subnet. However, I occasionally need access from my main machine, so I thought a second NIC, which I could disable as required, would be a simple solution!

The other problem with just one router is that the Linksys VPN endpoint router absolutely refuses to work properly with my cable modem if it is directly attached to it. It either allows internet access but refuses to allow access to its configuration pages, or it refuses to acknowledge the cable modem exists - no lights on when plugged in. It is not a MAC address issue; I have tried cloning the existing router's MAC - doesn't help.


So, because of both of the above this is the situation:


Internet - (Wan Dyn IP via cable modem)
:
SMC Barricade Router (lan 192.168.123.254) (DMZ to - .253)
:
SBS 2000 (.2) Main Machine XP Pro (DHCP) + 2 others (DHCP)
:
Linksys VPN Endpoint Router (wan 192.168.123.253, lan 192.168.1.1)
:
SBS 2000 (.200) Main Machine (.100)


The multihomed SBS 2000 machine is fine, but the multihomed Main Machine takes forever to login to the domain now and the vpn performance is about half the speed it is on the server!

Any bright ideas?

Thanks in advance

Phil
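The symptom Phil describes (a dual-homed domain member that suddenly logs on slowly and tunnels slowly) is the classic result of two default gateways on one host: the machine picks an egress interface by longest prefix match and then metric, and with two equal-metric 0.0.0.0 routes the choice is not the one you intended. The following is an added example, not code from the thread or from any poster: it parses Windows `route print` style output, reproduces the host's route selection, and flags the dual-default-gateway mistake, then shows the corrected table where the second NIC carries no default gateway and only a specific route to the work side. The route tables are constructed for illustration; the XP machine's DHCP address (192.168.123.10) and the work-side subnet (10.0.0.0/8) are assumptions, as the thread never states them.

```python
import ipaddress
from collections import namedtuple

Route = namedtuple("Route", "network gateway interface metric")

# Constructed routing table for the dual-homed XP machine as described in the
# thread: DHCP on the 192.168.123.x side (gateway .254) and a static
# 192.168.1.100 on the Linksys side (gateway 192.168.1.1). Both adapters were
# given a default gateway, so the host has two 0.0.0.0 routes with equal metric.
BROKEN_TABLE = """
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0  192.168.123.254  192.168.123.10      20
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.100      20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0    192.168.1.100   192.168.1.100      20
    192.168.123.0    255.255.255.0   192.168.123.10  192.168.123.10      20
"""

# Corrected table: only the internet-facing NIC keeps a default gateway; the
# Linksys side gets a single specific route for the (assumed) work network.
FIXED_TABLE = """
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0  192.168.123.254  192.168.123.10      20
         10.0.0.0        255.0.0.0      192.168.1.1   192.168.1.100      20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0    192.168.1.100   192.168.1.100      20
    192.168.123.0    255.255.255.0   192.168.123.10  192.168.123.10      20
"""


def parse_route_table(text):
    """Parse the 'Active Routes' section of `route print` output.

    Only lines with the five columns (destination, netmask, gateway,
    interface, metric) that start with a digit are routes; headers and
    blank lines are skipped.
    """
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[0][0].isdigit():
            continue
        dest, mask, gw, iface, metric = parts
        network = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append(Route(network, ipaddress.ip_address(gw),
                            ipaddress.ip_address(iface), int(metric)))
    return routes


def select_route(routes, destination):
    """Pick the route a host would use: longest prefix first, then lowest
    metric. On a full tie the first table entry wins, which is exactly the
    unpredictability a second default gateway introduces."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in routes if dst in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.metric))


def audit_multihome(routes):
    """Return human-readable findings for the mistakes that bite a
    dual-homed host. Empty list means the table looks sane."""
    findings = []
    defaults = [r for r in routes if r.network.prefixlen == 0]
    if len(defaults) > 1:
        gateways = ", ".join(str(r.gateway) for r in defaults)
        findings.append(f"{len(defaults)} default gateways ({gateways}); "
                        "only one adapter should carry a default gateway")
        if len({r.metric for r in defaults}) < len(defaults):
            findings.append("default routes tie on metric; "
                            "egress interface is not predictable")
    return findings


if __name__ == "__main__":
    for name, table in (("broken", BROKEN_TABLE), ("fixed", FIXED_TABLE)):
        routes = parse_route_table(table)
        print(f"[{name}] internet  -> via {select_route(routes, '8.8.8.8').gateway}")
        print(f"[{name}] work host -> via {select_route(routes, '10.1.2.3').gateway}")
        for finding in audit_multihome(routes) or ["no findings"]:
            print(f"[{name}] {finding}")
```

In the broken table the work host address is routed out through the internet gateway purely because that default route appears first, while the fixed table sends 10.x traffic to the Linksys and everything else to the SMC. The same audit is worth running on the SBS box as well: a multihomed domain controller with a default gateway on its VPN-side NIC is the other half of the slow-logon story.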
 