VPN External Access not working - can I "borrow" your eyes?

MrHoffman

Thanks, very helpful (and sorry for the delayed response). I'm a bit overloaded with the amount of info I'm having to digest so for now I just want to be clear on the "don't do that stuff." I'll definitely keep those articles you linked to and delve into them a bit more though.

I'm confused about how to define a separate subnet for VPN. Right now, in Server Admin, we have 192.168.252.x defined as a subnet (and this is the only range of IP addresses I'm supposed to use for my purposes), but DCHP is only using 101-199 (lower addresses are being used for machines with static IPs, higher addresses are supposed to be for VPN).

To make this work, would I simply need to change the subnet mask so that the higher IP range is not included in the subnet or is this going to be a bit more complicated?

Berdoll - Thanks for the references. I've got the 10.5 Server book from Peachpress, but I'm a little reluctant to buy 10.6 since the book I have doesn't really touch DHCP or VPN.

Message was edited by: Typo180

I'm confused about how to define a separate subnet for VPN. Right now, in Server Admin, we have 192.168.252.x defined as a subnet (and this is the only range of IP addresses I'm supposed to use for my purposes), but DCHP is only using 101-199 (lower addresses are being used for machines with static IPs, higher addresses are supposed to be for VPN).

Conceptually, if the VPN device has an IP pool, make sure it doesn't overlap with a DHCP pool, or with any existing static IP assignments.

If the VPN device is cooperating with the DHCP device (as is the case with various external firewall devices) and if it uses the same pool as the DHCP server address pool, just make sure the DHCP pool does not overlap the static IP assignments.

Exact details here on how to do this vary by the particular VPN device and the particular DHCP device and the particular local static IP address assignments. It's specific to your local hardware and your network. Without knowing which VPN device and which DHCP device and details of how those devices work, and with which static IP address assignments are in use, it is not feasible to provide you a more specific recommendation.

And these (non-overlapping!) pools and static IP address assignments are all generally within the same subnet.

To make this work, would I simply need to change the subnet mask so that the higher IP range is not included in the subnet or is this going to be a bit more complicated?

You need non-overlapping assignments. Not specifically higher addresses. Not specifically lower. Just non-overlapping. Preferably and typically within the same subnet block.

I usually configure the DHCP and VPN blocks toward the higher IP address ranges within the subnet block, just because I like to use the smaller numbers for the static IP assignments. Stuff like servers and routers are easier to remember when they're .1 or .2 than when they're .129 or .243 or such. This general configuration scheme is entirely personal preference, and certainly not a specific requirement.

Bergdoll, regarding the Airport, if you select Internet and then go to the NAT tab do you see a checkbox abled "Enable NAT Port Mapping Protocol"? I believe that once that is checked, Port Mapping will show up in Advanced.