This is my first post so apologies if this isn't in the correct place.
Long story short, I'm trying to set up a VPN at my work.
We have a Windows SBS2003 Server, and a BT Broadband line with a BT
Business Hub. I bought a Linksys WRV200 VPN router as I was told this
would work.
I've been told I need to bridge the connection on the BT Business
Router then authenticate it over PPPoE on the Linksys VPN router...
Thing is, whenever I try and bridge the connection on the BT Business
Hub and pass it through to the VPN router I can never get it to
connect.
Can anyone give me any help?
--
Sjwdavies
"Sjwdavies" <Sjwdavie...@broadbandbanter.com> wrote in message
news:Sjwdavie...@broadbandbanter.com...
Hi SJW
not sure about bridging but unless you need to use the wireless/lan ports on
the business hub why not just put the linksys in the DMZ of the BT hub (the
BT router will give the linksys its (or one of its) public ip address when
you do this and forward all internet traffic to the linksys) and use the
linksys as your lan router as well as vpn box (I believe it has lan ports
and wireless).
Please note that there is an issue with some vpn ports and BT openzone so
you may need to disable openzone on your BT router if it is enabled. If you
haven't looked there yet take a look at the BT business forums on
btb.lithium.com where there are several posts about getting vpn working on
bt business setups. It took me a while to get our linksys rv082 and pptp
vpn (MS server) set up on our routers but it has been working stably now for
about 6 months.
Roger.
In principle you configure the router to allow incoming VPN traffic through
to the server, and run the VPN service on the server. That way a remote
client connects to the server, and gets the facilities that the server is
configured to allow him.
You need some way for the remote client to find out the public IP address of
the router. There are Dynamic DNS services which will allow this, but the
router itself must have the capability to work with such a service. For
extra money BT will give you a static IP. By contrast, professional ISPs
such as Andrews & Arnold, or Zen, always give you a static IP address.
In my experience the best way to achieve a VPN is to use Vigor routers at
each end of the link. Provided both ends have static IP addresses the
routers can be set up for a LAN-to-LAN VPN. The client network connects to
the server's network and there is no need to configure the SBS2003 machine
in any way.
Explicit details are available on the Vigor website.
--
Graham J
With persistence yesterday, I was able to effectively put the BT router
to sleep (aka Disable Routing), so it passes the unauthenticated
broadband connection on via Ethernet to the VPN Router.
Using PPPoE authentication, the VPN router then establishes the
broadband connection, I open up Internet Explorer and hey presto I can
see google!
My next question is, what software do I need to set up my server to
accept incoming VPN connections?
--
Sjwdavies
I'm not quite sure what you're trying to do.
The BT router is at the office, with the SBS box inside, and the LinkSys
at your house or a secondary site?
Are you trying to establish a VPN between the SBS box or the BT box at
that end, and the Linksys or a client at the other end?
I'm assuming you're trying to link from inside the Linksys to the SBS
behind the BT box.
A quick look at the BT box's specs suggests that it doesn't support VPN
directly, so you'd need to open the right port(s) on that, and allow the
traffic through to the SBS server.
http://www.microsoft.com/smallbusiness/support/articles/sec_sbs2003_network.mspx
gives you a good overview. TCP/1723 is the only port you actually need to
open for VPN.
SBS2003 gives you a "VPN client" installer. You don't need it. You just
need to configure a bog-standard PPTP client - it may be one of the
config options on the Linksys, or something installed on a client machine
at that end - to point to the SBS box.
If it were me, though, and you actually need a VPN, then I'd bin the BT
box completely, replace it with something like that Linksys, and make the
VPN connection from wherever to the Linksys.
Or, even better, figure out what you actually want to connect to the SBS
server for, and find a way to connect those services, rather than open
your work network to whatever nasties might be lurking on your domestic
network. At a guess, OWA & RDP will suffice. Far more secure, far more
reliable.
I think it's all built into SBS2003. M$ should have some guidance on their
website.
Much better would be to do as I suggest and use Vigor routers to set up the
VPN - then you don't need to do anything with SBS2003.
-- Graham J
--
Clint Sharp
You should have no need to configure the server for VPN use as that's
the Linksys VPN router's job.
Your network should be;
Internet
|
| Public IP
|
BT Router
|
| Private subnet
|
Linksys Router
|
| 2nd Private subnet
|
Server and internal network (if your server has only one network card)
|
| 3rd Private subnet
|
Internal network if your server has two network cards (preferable).
TBH, you would be better off buying a Draytek ADSL modem/router or the
ADSL Modem/Router version of the Linksys and dumping the BT router (as
Graham suggested) or finding out how to forward the relevant VPN ports
on the BT router and using the server to provide the VPN.
The Linksys is unnecessary and it's a bit of a dog's breakfast the way
you have it at the moment. My worry is that you have exposed your
internal network to the Internet by bridging the BT router.
--
Clint Sharp
I have recommended a Lacie NAS storage device simple and Fault tolerant
and inexpensive for centralised storage.
Looking at this last solution if he has a bt router at one side this is
managed by BT the only option you have is to record the ip settings from
the BT router ditch the bt router then set up the vigor router site 1
first test lan and wan and internet then configure same at site 2 then
setup VPN.
Are these devices easy to configure?
I am a windows engineer predominantly have done the CCNA course but a
bit rusty on networking.
Is this the layout for the VPN setup using the Vigor 2820 Series ADSL
Router Firewall?
Private subnet office 1
|
Vigor 2820 Series ADSL Router
|
| Public IP office 1
|
Internet
|
| Public IP office 2
|
Vigor 2820 Series ADSL Router
|
Private subnet office 2
thanks all seems a no nonsense forum this - which is good.
John
--
jaller79
"jaller79" <jaller79...@broadbandbanter.com> wrote in message
news:jaller79...@broadbandbanter.com...
>
> I too have a client who wants to connect two sites on a seamless network
> so they can share data across sites there is no server involvement
> currently due to cost.
>
> I have recommended a Lacie NAS storage device simple and Fault tolerant
> and inexpensive for centralised storage.
Not related to the issue of VPN but LaCie have a reputation for
unreliability ..!
> Looking at this last solution if he has a bt router at one side this is
> managed by BT the only option you have is to record the ip settings from
> the BT router ditch the bt router then set up the vigor router site 1
> first test lan and wan and internet then configure same at site 2 then
> setup VPN.
This is much easier if the public IP is static. BT will charge you extra
for this, but professional ISPs such as A&A or Zen include a static IP
address in their price. Probably your first step is to change ISP.
> Are these devices easy to configure?
There is good guidance on the Draytek website. It is good policy to set up
the routers so that you can manage them both from your own (static) IP
address. If your own internet connection does not have a static IP address
you probably should not be in this game.
One end of the VPN should have a static public IP address, the other can use
a Dynamic DNS service - but everything is much easier and more reliable if
both ends have a static IP address.
> I am a windows engineer predominantly have done the CCNA course but a
> bit rusty on networking.
>
> Is this the layout for the VPN setup using the Vigor 2820 Series ADSL
> Router Firewall?
>
> Private subnet office 1
> |
> Vigor 2820 Series ADSL Router
> |
> | Public IP office 1
> |
> Internet
> |
> | Public IP office 2
> |
> Vigor 2820 Series ADSL Router
> |
> Private subnet office 2
Note that it is essential that the subnet in office 1 has a different IP
address from the subnet in office 2. The routers then route between the two
subnets over the VPN.
Assuming ordinary ADSL connections, the limiting speed factor is the upload
speed - probably 448kbits/sec at each site.
Be aware that performance of typical M$ applications between the two sites
will be painfully poor - 448kbits/sec is 200 (or 2000) times slower than the
LAN in each of the offices. Other than for maintenance work where Remote
Desktop Connection or VNC are used the only applications that will give
acceptable performance are web services you operate with a browser. Opening
documents for editing within Word is theoretically possible but not
something you would want users to do - they will only complain! Similarly
opening multi-user accounts programs such as Quickbooks or Sage will give
unacceptably poor performance.
A leased line between the sites, or an ethernet connection to the internet
at both sites which then carries the VPN, either of these operating at 10
Mbits/sec or better would probably be acceptable for inter-office
performance. Rather than £25 per month for each site these are likely to
cost from £250 to £1000 per month perhaps also with significant setup
charges. (Unless the sites are only a few hundred metres apart.)
I haven't found a good solution for a typical small business where there are
two offices each with about 5 computers, and all users require everyday
access to edit all the files. I would be interested to hear of any success
with either:
1) a document management system with local cacheing, or;
2) a "cloud" system where all the files are held on a hosted service and
edited from a browser or similar client.
Cheers,
--
Graham J
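The requirement in the post above, that the office 1 and office 2 LANs sit on different subnets, can be checked before either router is configured. The following Python sketch is an added example and not part of any post in this thread; the site names and address ranges are constructed.

```python
import ipaddress
from itertools import combinations

# Constructed sample plan (assumption): names and ranges are illustrative only.
SITES = {
    "office1": "192.168.1.0/24",
    "office2": "192.168.1.0/24",  # same factory-default range as office1
    "home":    "192.168.0.0/23",  # wider range that also covers 192.168.1.0/24
    "office3": "10.20.30.0/24",
}

def parse_plan(sites):
    """Convert {site: CIDR string} to {site: IPv4Network}.

    ip_network() is strict by default, so a range with host bits set
    (e.g. 192.168.1.5/24) raises ValueError instead of being accepted.
    """
    return {name: ipaddress.ip_network(cidr) for name, cidr in sites.items()}

def find_conflicts(sites):
    """Return sorted (site_a, site_b) pairs whose LAN ranges overlap.

    Overlapping ranges cannot be routed between over a LAN-to-LAN VPN:
    each router treats the shared addresses as local and never sends
    them into the tunnel.
    """
    nets = parse_plan(sites)
    return sorted(
        tuple(sorted((a, b)))
        for (a, net_a), (b, net_b) in combinations(nets.items(), 2)
        if net_a.overlaps(net_b)
    )

def suggest_subnet(sites, pool="10.0.0.0/8", prefix=24):
    """Return the first /prefix in pool that overlaps no existing site."""
    nets = list(parse_plan(sites).values())
    for candidate in ipaddress.ip_network(pool).subnets(new_prefix=prefix):
        if not any(candidate.overlaps(n) for n in nets):
            return candidate
    raise ValueError("no free subnet left in pool")

if __name__ == "__main__":
    for a, b in find_conflicts(SITES):
        print(f"conflict: {a} and {b} overlap")
    print("free subnet for renumbering:", suggest_subnet(SITES))
```
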
> Note that it is essential that the subnet in office 1 has a different IP
> address from the subnet in office 2. The routers then route between the
> two subnets over the VPN.
It is actually possible to have a bridged rather than routed VPN, but
probably not desirable.
> Assuming ordinary ADSL connections, the limiting speed factor is the
> upload speed - probably 448kbits/sec at each site.
Given the low cost of ADSL2+, there's no reason not to switch if it's
available.
> Be aware that performance of typical M$ applications between the two
> sites will be painfully poor - 448kbits/sec is 200 (or 2000) times
> slower than the LAN in each of the offices.
If the problem is the SMB protocol, Windows has native support for WebDAV
file shares. If you used HTTPS you wouldn't need the VPN either, although
you may want a VPN for other applications.
--
<http://ale.cx/> (AIM:troffasky) (UnSoEs...@ale.cx)
16:51:26 up 11 days, 21:42, 5 users, load average: 0.00, 0.01, 0.00
DIMENSION-CONTROLLING FORT DOH HAS NOW BEEN DEMOLISHED,
AND TIME STARTED FLOWING REVERSELY
This may be because windows tries to be clever, and build icons, and so
on from file info. FTP just transfers the file.
Whilst SMB (Netbios over TCP etc etc) works, it's very very slow.
The issue for users is what they want to do. The most obvious requirement
is to open Word files for editing, so SMB is the underlying protocol. What
they don't want is to learn a new way of working simply because their files
are on a non-local computer.
--
Graham J
Exactly - a different way of working, probably beyond the capability of most
users!
Further - drag & drop uses SMB and will take a long time to refresh the
window to show the files have been moved.
--
Graham J
If you just want multiple access to files and to keep them in sync have
you looked at a 'cloud' service such as dropbox?
Great advice on here - to connect two small offices it's a question of
cost and bandwidth.
If on a budget and a slow link there is only one solution I can think
of.
A mixture of thin and fat client applications, identify what can run in
isolation then all other apps must be installed under citrix or terminal
services, or as you say RDP. Other than that we have created VM's in
the host site with applications on. These were run in India by a
development team using .net anything is possible with correct tools and
of course budget.
I need to brush up my networking skills I have CCNA but is dated any
advice on books or router sims that are good. Need to understand what's
current with VPN's and WAN solutions leased lines.
I looked at the website for Vigor products great site good info -
Perhaps I'll try to become a reseller and get on one of their courses.
John
--
jaller79
Perhaps you should go on the courses before trying to become a reseller -
that way you would know what you are selling and perhaps be able to satisfy
your customers ...
--
Graham J
John
--
jaller79