3 Replies Latest reply: Nov 11, 2012 12:58 PM by khkewsupport
khkewsupport Level 1 (10 points)

Hi,

I have a Mac Mini Server running 10.6.8. It is our VPN server.

We also have another Mac Mini Server running 10.6.8 which is our DNS and DHCP server.

On the Mac Mini running the VPN, it is configured as a PPTP VPN server with the address range of 10.0.0.100 -> 10.0.0.200. When we are connected to the VPN, we can't access, via screen sharing or SSH, network devices with addresses in the range of 10.0.1.0 -> 10.0.3.255. Our DHCP server is running with a subnet of 10.0.1.0 -> 10.0.3.255 and a subnet mask of 255.255.252.0.

Our servers are on the address range of 10.0.0.0 -> 10.0.0.20

How do we configure the VPN so that users can SSH or screen share with users on the 10.0.1.0 -> 10.0.3.255 range?

Thanks in advance and I hope it makes sense.

Alex


Mac mini, Mac OS X (10.6.8)
  • 1. Re: VPN with 255.255.252.0 subnet mask
    Camelot Level 8 (45,790 points)

    Our DHCP server is running with a subnet of 10.0.1.0 -> 10.0.3.255 and a subnet mask of 255.255.252.0

    The bigger question is what's the network setting for the server that's running VPN.

    Just because your main DHCP server is running on a /22 network (255.255.252.0), that doesn't mean your VPN server is doing the same. Check the settings on the VPN server to make sure they match.

    The other thing to check is whether the clients are being told to send the right traffic over the VPN connection. You have the ability to define which IP subnets should be tunneled, and if that doesn't include the full /22 then you may experience this kind of problem.

    The easiest way to check is to connect a client to the VPN system and use Terminal.app to check the output of ifconfig -a (list all active interfaces) and netstat -nr (list all network routes) which, combined, will tell you the connection state.
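
The route check described above, as an added example that is not part of this thread and not Apple's code: it parses a `netstat -nr` table captured on a VPN client, finds the longest-prefix-match route for each host you want to reach, and reports which of the networks you expect to tunnel are not fully covered by a route on the PPP interface. The routing tables below are constructed to match the thread (VPN pool and the 10.0.1.0 -> 10.0.3.255 range in the same /22, with only a /24 tunneled at first), and the parser assumes the BSD/Mac OS X habit of abbreviating destinations by dropping trailing zero octets (`10.0.0/24`, `192.168.1`, `default`); column names and flag values are approximations of that format, not an exact copy of any version. One thing the example makes explicit: the /22 that contains 10.0.1.0 is 10.0.0.0/22 (10.0.0.0 -> 10.0.3.255), so the route pushed to clients has to be that network, not 10.0.1.0/22, or a router will reject or silently realign it.

```python
import ipaddress
import re
from collections import namedtuple

Route = namedtuple("Route", "network gateway flags netif")

# Constructed sample of `netstat -nr` output (IPv4 section only) as seen on a
# PPTP client of the VPN server in the thread. BSD/Mac OS X netstat abbreviates
# network destinations by dropping trailing zero octets ("10.0.0/24" means
# 10.0.0.0/24) and prints host routes as plain addresses. The client received
# 10.0.0.150 from the VPN pool, but only 10.0.0.0/24 is routed into the tunnel,
# so the DHCP range 10.0.1.0-10.0.3.255 falls through to the default route.
ROUTES_BEFORE = """\
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            192.168.1.1        UGSc           12        0     en0
10.0.0/24          10.0.0.1           UGSc            0        0    ppp0
10.0.0.150         10.0.0.150         UH              1        0    ppp0
127                127.0.0.1          UCS             0        0     lo0
127.0.0.1          127.0.0.1          UH              4     1234     lo0
192.168.1          link#4             UCS             2        0     en0
192.168.1.1        0:11:22:33:44:55   UHLWIi         13      567     en0
"""

# The same client once the VPN server pushes a route for the whole /22
# (constructed; this is the effect of adding a routing definition for it).
ROUTES_AFTER = ROUTES_BEFORE + """\
10.0/22            10.0.0.1           UGSc            0        0    ppp0
"""


def normalize_destination(dest):
    """Turn a netstat destination into an ip_network.

    "default" -> 0.0.0.0/0; "10.0/22" -> 10.0.0.0/22; a full dotted quad with
    no prefix is a host route (/32); an abbreviated one with no prefix is
    assumed to carry its classful mask (e.g. "127" -> 127.0.0.0/8).
    """
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, prefix = dest.partition("/")
    octets = addr.split(".")
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    if prefix:
        plen = int(prefix)
    elif len(octets) == 4:
        plen = 32
    else:
        first = int(octets[0])
        plen = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.ip_network(f"{padded}/{plen}", strict=False)


def parse_routes(text):
    """Parse the IPv4 rows of `netstat -nr`; header and non-IPv4 rows are skipped."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or not (tok[0] == "default" or tok[0][0].isdigit()):
            continue
        # The interface is the first token after the flags that looks like en0/ppp0/lo0.
        netif = next((t for t in tok[3:] if re.fullmatch(r"[a-z]+\d+", t)), None)
        routes.append(Route(normalize_destination(tok[0]), tok[1], tok[2], netif))
    return routes


def best_route(routes, target):
    """Longest-prefix match, which is how the kernel picks the route."""
    ip = ipaddress.ip_address(target)
    matches = [r for r in routes if ip in r.network]
    return max(matches, key=lambda r: r.network.prefixlen, default=None)


def tunneled_hosts(routes, targets):
    """Map each target host to the interface its packets leave on, or None."""
    result = {}
    for target in targets:
        route = best_route(routes, target)
        result[target] = route.netif if route else None
    return result


def missing_tunnel_routes(routes, networks, tunnel_if="ppp0"):
    """Return the expected-over-VPN networks that no route on tunnel_if fully
    contains. Accepts "10.0.1.0/22"-style strings and normalizes them to the
    network address (10.0.1.0/22 -> 10.0.0.0/22)."""
    tunnel_nets = [r.network for r in routes if r.netif == tunnel_if]
    missing = []
    for spec in networks:
        net = ipaddress.ip_network(spec, strict=False)
        if not any(net.subnet_of(t) for t in tunnel_nets):
            missing.append(net)
    return missing


if __name__ == "__main__":
    hosts = ["10.0.0.5", "10.0.2.15", "10.0.3.254"]
    for label, table in (("before", ROUTES_BEFORE), ("after", ROUTES_AFTER)):
        routes = parse_routes(table)
        print(label, "egress per host:", tunneled_hosts(routes, hosts))
        print(label, "not tunneled:", missing_tunnel_routes(routes, ["10.0.1.0/22"]))
```

Run it against a real capture by pasting the IPv4 section of `netstat -nr` into `ROUTES_BEFORE`; a host that resolves to `en0` (or whatever the default route uses) instead of `ppp0` is exactly the screen sharing or SSH target that will not answer through the VPN, and the `missing_tunnel_routes` list is what still has to be added on the server side (as a pushed routing definition) or, as MrHoffman's reply suggests, on a router in front of it.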

  • 2. Re: VPN with 255.255.252.0 subnet mask
    MrHoffman Level 6 (12,470 points)

    This does appear to be an IP subnet routing question.  And you may (or do?) understand some of the following.

    The usual approach involves rationalizing the network and particularly subnets and DHCP server assignments across the organization, and using IP routers and (potentially) static routes between the "hunks" of the network; the subnets.

    If you don't have a whole lot of network traffic, then stuffing everything into the same /22 is simple and will work fine.

    However, a /22 can be a whole lot of hosts for one segment, and can easily saturate any existing GbE-class backbone(s) as those hosts get chatty.  You've also got the usual Bonjour and other multicast traffic rattling around within that whole subnet (Bonjour doesn't pass beyond an IP router by default), and propagating multicast announcements and related traffic through the whole network might not be entirely appropriate, or might be confusing to users.  Using smaller subnet hunks and routers, the network traffic can be more effectively partitioned, with less traffic on the backbone(s).

    If you decide to partition the network, it's common to partition based either on network topology or on organizational function, and variously on both.  You might have a four-wing building with north, south, east and west networks because of the wiring - or New York, London, Singapore and Sydney based on location - or you might have overlaid Student and Faculty or Operations and Finance networks - and set the routing up accordingly.  The former design partitions the network traffic on (or off of) the physical links, while the latter partitions the information.  And it's quite feasible to combine the two schemes.

    I'd also likely migrate the VPN servers off of the OS X systems and over to the network perimeter (usually at or via a gateway), as implementing a VPN server at the network edge is usually easier to manage in my experience, and particularly when NAT passthrough is involved.   (And OS X makes for a comparatively expensive and under-performing IP router, too.)

  • 3. Re: VPN with 255.255.252.0 subnet mask
    khkewsupport Level 1 (10 points)

    Thank you for your responses, I have fixed the issue. I have added network routing definitions and everything seems to be working.