

First server, I'm cautious, it may be complicated [illustrated]

I'm a visual kind of guy so maybe a picture will save some words:

[image: network diagram uploaded by the poster]

Everything I'm reading says "Get it right the first time, 'cuz you don't want to be redoing this later", which is why I thought I'd better ask close to the source.


The good news so far, is that everything is talking.

With the network configured as shown, the MBPs and iMac are getting to the web, the phones are wired, but not hot, and printing worked from one client, but hasn't been tested on all yet.


The MacMini server will be the last part of this equation, and has yet to go live.

On to the questions:

  • Given that VPN access to the server is wanted, I cabled the Mini to the ISP gateway/router. Am I correct in doing so?
  • Is there anything I should be doing on the Moto to make sure VPN connections will touch the Mini?
  • Is the subnet on the Moto box far enough out of the ordinary to be OK for VPN?
  • Do I hard set an IP from that range on the Mini and call it good, or do I need to set up the Mini as a DNS and feed it the ISP's DNS?


I want to get this right and would appreciate any pointers anyone could give.


Regards,

SKH

Mac mini, Mac OS X (10.6), It's the server Mini

Posted on Apr 30, 2011 8:26 PM

Question marked as Best reply

Posted on Apr 30, 2011 11:23 PM

Let's see...


Given that VPN access to the server is wanted, I cabled the Mini to the ISP gateway/router. Am I correct in doing so?


Yes. I would generally wire servers, rather than run them wireless (but I think you have bigger questions/issues at hand).


Is there anything I should be doing on the Moto to make sure VPN connections will touch the Mini?


umm.. what 'Moto'?


Is the subnet on the Moto box far enough out of the ordinary to be OK for VPN?


Ditto


Do I hard set an IP from that range on the Mini and call it good, or do I need to set up the Mini as a DNS and feed it the ISP's DNS?


I don't even know where to start on that one. 🙂


Let's step back a bit...


Since you're running a private LAN with your own server you WILL need a DNS server inside your network. Your ISP's DNS doesn't even come into play here.


Beyond that, though, I hate your network setup. Let me explain...

First, if I'm reading your topology correctly, it appears that you're double-NATting your network...? ick, ick, ick.


Traffic comes in from your ISP and is NATted into 192.168.2.x by your Netopia. It then relays the traffic to your Netgear box, which then re-NATs it to the 192.168.4.x network.

So any traffic from your internal (192.168.4.x) systems that needs to go out will be NATted twice - once into 192.168.2.x, then again into your public IP space. This will break many protocols and will be a nightmare to troubleshoot.


I'm wondering why you have this set. Do you have a particular need? or is it lack of understanding?


In addition, given the current topology, what's the purpose of the VPN? Do you expect remote clients to connect to the server only? Or do you expect them to get to other network resources (e.g. other client systems, printers, etc.) in the 192.168.4.x network. As a hint, from what I can see the latter is not going to happen - and that may be OK, I don't know what your goal is here.


Generally I would look to flatten your network as much as possible. Certainly get rid of that double-NAT if you can at all avoid it, and re-examine the purpose of the VPN to determine what its best location is.
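The double-NAT problem described in this reply is visible from any client on the inner LAN: a traceroute shows two private-address gateways before the first public hop. Here is an added example (mine, not the poster's or Apple's) that parses constructed traceroute output for the topology above and counts the NAT layers the client sits behind. The sample hops, the 203.0.113.x "provider" addresses (documentation space) and the helper names are all assumptions for illustration.

```python
import ipaddress
from typing import List, Optional

# Address ranges that sit behind some form of NAT. ipaddress.is_private is not used
# because it also flags documentation space (e.g. 203.0.113.0/24), which this
# example uses to stand in for the ISP's public hops.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space (carrier NAT)

# Constructed sample: what a traceroute from a 192.168.4.x client could look like in
# the topology described in the thread (Netgear LAN -> Netopia LAN -> ISP). The
# 203.0.113.x hops are placeholders, not a real provider.
SAMPLE_DOUBLE_NAT = """\
 1  192.168.4.1    1.2 ms
 2  192.168.2.1    2.0 ms
 3  203.0.113.1    9.8 ms
 4  203.0.113.254  14.1 ms
"""

# Constructed sample after flattening: one gateway, then the provider (with one silent hop).
SAMPLE_SINGLE_NAT = """\
 1  192.168.33.1   1.1 ms
 2  203.0.113.1    9.6 ms
 3  *              *
 4  203.0.113.254  14.0 ms
"""


def classify(addr: ipaddress.IPv4Address) -> str:
    """Label a hop address as 'rfc1918', 'cgnat' or 'public'."""
    if any(addr in net for net in RFC1918):
        return "rfc1918"
    if addr in CGNAT:
        return "cgnat"
    return "public"


def parse_hops(text: str) -> List[Optional[ipaddress.IPv4Address]]:
    """Extract the responding address of each traceroute hop; None for '*' timeouts."""
    hops: List[Optional[ipaddress.IPv4Address]] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            hops.append(ipaddress.IPv4Address(parts[1]))
        except ipaddress.AddressValueError:
            hops.append(None)
    return hops


def nat_layers(hops: List[Optional[ipaddress.IPv4Address]]) -> int:
    """Count the gateways in NAT'd address space before the first public hop.

    Each private or shared-space hop at the head of the path is a router that
    must translate before traffic reaches the public Internet, so the count
    approximates the number of NAT layers the client sits behind.
    """
    layers = 0
    for hop in hops:
        if hop is None:
            continue  # a silent hop tells us nothing; keep scanning
        if classify(hop) == "public":
            break
        layers += 1
    return layers


def is_double_nat(text: str) -> bool:
    """True when the path shows two or more NAT boundaries before public space."""
    return nat_layers(parse_hops(text)) >= 2


if __name__ == "__main__":
    for name, sample in (("before flattening", SAMPLE_DOUBLE_NAT), ("after flattening", SAMPLE_SINGLE_NAT)):
        print(f"{name}: {nat_layers(parse_hops(sample))} NAT layer(s)")
```

The count is a heuristic: an ISP that numbers its own core with private addresses will inflate it, and a "cgnat" hop means the provider, not the office, owns one of the layers. It is still the quickest way to confirm the diagnosis in this reply, and to verify that the second layer is gone once the Netgear has been bridged.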

6 replies

May 1, 2011 7:24 AM in response to Camelot

I suspect "Moto" is the vendor for the VoIP gear.


It does not appear that the Netgear n600 WNDR3400 series can be configured into an Access Point (AP), which greatly limits its usefulness as anything other than a gateway here, and even then with double-NAT due to the Netopia box. It looks to be a client-OS-oriented WiFi gateway all-in-one box.


It looks like the Netopia 2000 series can disable NAT, but that doesn't do all that much for you here if that box is going to be configured at the edge of your network and given that you probably don't have much control over that.


The degree of NAsTy increases by the square of the number of NAT layers present. One NAT is bad. Two NATs are far worse than very bad.

May 1, 2011 11:23 AM in response to Camelot

Camelot wrote:


umm.. what 'Moto'?

Motorola manufactures the Netopia. Was just in a hurry so shortformed it. 😁

<snip>

I don't even know where to start on that one. 🙂


Let's step back a bit...


Since you're running a private LAN with your own server you WILL need a DNS server inside your network. You ISP's DNS doesn't even come into play here.

OK. Some of the posts I'd read before coming here referenced using the ISP's DNS servers as forwarders (?), which I've never done and was confused by.
I'd also read that when the install runs if there's no DNS found the server will set up a limited one. Is that the way to go?

Beyond that, though, I hate your network setup. Let me explain..

First, if I'm reading your topology correctly, it appears that you're double-NATting your network...? ick, ick, ick.

<snip>

I'm wondering why you have this set. Do you have a particular need? or is it lack of understanding?

Seriously? It's what I walked into way late in the game.
As to the other two questions, probably a bit of both.

Short form: The equipment was already bought, as the ISP situation has been nothing short of nightmarish for this group, and they were relying on information from sales people. This isn't the first time that I've seen double NAT and didn't know there were any issues with it.
Though I am not formally trained, I am known for generally getting things to work. 😉

In addition, given the current topology, what's the purpose of the VPN?

It's a small office, looking to use Daylight as their CRM.
Outside of that I gather that that's what the Daylight people told them they needed in order to be able to have a central location to write to, while using the MBPs at outside locations.

They aren't looking to VPN to anything outside of the server, as far as I can determine.

Certainly get rid of that double-NAT if you can at all avoid it, and re-examine the purpose of the VPN to determine what its best location is.

I'll review the lit on the n600 to see if there's a bridge mode (if that's the correct term) and go from there.


Thanks for reading in and responding ~ SKH_DFW

May 1, 2011 12:20 PM in response to MrHoffman

You assessed the situation correctly MrHoffman, the Netopia is the edge device.


The n600 was sold to the group based on it being "The baddest thing we have in the store that'll do everything you want at gigabit speeds".


Essentially that boiled down to providing enough wired ports for the VOIP and handling the USB printing connection.


Between you and Camelot I see I'm going to have to read more at a later date about the evils of NAT, as I've seen double NAT used (in one case for years) to no apparent ill effect.


That said, I ran across another post in a Netgear forum saying there was a way to get it into bridge mode, which I'll try when I go out tomorrow.


But if you, Camelot, or anyone else could confirm that this is the best scenario I'd appreciate it:


  • Get the Netgear into bridge mode
  • Set the Netopia to a slightly more exotic subnet (e.g. 192.168.33.1)
  • Server wired to Netopia
  • Simply run the stock SL server setup routine, allowing it to self-configure DNS
  • Bask in the glow of a job well done 😁


I stumbled across a very thorough article just now at http://labs.hoffmanlabs.com/node/1436, that I'm going to review in a bit. Interesting coincidence on the Domain name, isn't it?


Thanks for reading in and responding ~ SKH_DFW

May 3, 2011 5:52 AM in response to SKHofDFW

I think that you are on the right track but I would add one thing. Your server should not be 192.168.2.x; that implies a DHCP address. I would make sure to set this up during install.

Netopia should be 192.168.33.1

Mac - 192.168.33.2

Netgear - 192.168.33.3 (in bridge mode)

Printer - 192.168.33.4

etc.

If you have only a few VOIP phones, set them with static addresses; otherwise use DHCP. You can also set up FTP or TFTP on the server to provision your VOIP.


To back up the other posts, double NAT is not the way to go.
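The static plan in this reply is easy to get subtly wrong when it is typed into four devices by hand, so here is an added example (mine, not the poster's) that encodes the plan as data and checks it for the mistakes the reply warns about: a host left on the old 192.168.2.x range, a static address that collides with the DHCP pool the phones and laptops will draw from, a duplicate, or a gateway that is not pinned. The subnet and the four addresses are the reply's; the host labels and the DHCP pool bounds are my assumptions.

```python
import ipaddress
from typing import Dict, List, Tuple

# The flat 192.168.33.0/24 plan from the thread, encoded as data. Host labels and
# the DHCP pool bounds are assumptions; the subnet and static addresses are the reply's.
LAN = ipaddress.ip_network("192.168.33.0/24")
STATIC: Dict[str, str] = {
    "netopia-gateway": "192.168.33.1",
    "mac-mini-server": "192.168.33.2",
    "netgear-bridge": "192.168.33.3",
    "printer": "192.168.33.4",
}
DHCP_POOL: Tuple[str, str] = ("192.168.33.100", "192.168.33.199")  # assumed pool for phones/laptops


def check_plan(lan: ipaddress.IPv4Network,
               static: Dict[str, str],
               dhcp_pool: Tuple[str, str],
               gateway: str = "netopia-gateway") -> List[str]:
    """Return a list of problems with the address plan; an empty list means it is consistent."""
    problems: List[str] = []
    lo, hi = (ipaddress.ip_address(a) for a in dhcp_pool)

    # The DHCP pool must be a forward range of usable addresses inside the LAN.
    if lo > hi:
        problems.append(f"dhcp pool {lo}-{hi} is reversed")
    for edge in (lo, hi):
        if edge not in lan or edge in (lan.network_address, lan.broadcast_address):
            problems.append(f"dhcp pool bound {edge} is not a usable address in {lan}")

    # Every static host must be a unique, usable address in the LAN and outside the pool,
    # otherwise the DHCP server will eventually hand the same address to a phone.
    seen: Dict[ipaddress.IPv4Address, str] = {}
    for host, text in static.items():
        addr = ipaddress.ip_address(text)
        if addr not in lan:
            problems.append(f"{host}: {addr} is outside {lan}")
            continue
        if addr in (lan.network_address, lan.broadcast_address):
            problems.append(f"{host}: {addr} is the network or broadcast address")
        if lo <= addr <= hi:
            problems.append(f"{host}: {addr} lies inside the DHCP pool {lo}-{hi}")
        if addr in seen:
            problems.append(f"{host}: {addr} duplicates {seen[addr]}")
        seen[addr] = host

    # The gateway every client will be told about has to be one of the pinned hosts.
    if gateway not in static:
        problems.append(f"no static entry for gateway '{gateway}'")
    return problems


if __name__ == "__main__":
    for problem in check_plan(LAN, STATIC, DHCP_POOL) or ["plan is consistent"]:
        print(problem)
```

Run the check once more after any later change (a new printer, a bigger pool) before touching the devices; the reply's rule that the server must not sit in the dynamic range is exactly the "lies inside the DHCP pool" case.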

May 3, 2011 7:36 AM in response to SKHofDFW

Getting this to work with this combination of gear is going to be interesting; you'll need to keep that VoIP gear happy, but you will want (need) to work toward getting rid of the double NAT. That stuff is going to nail you.


Guessing: you might be able to get this to work with either a second static IP and port-forwarding for the VoIP gear, but that'll likely need a server-grade gateway-router box at the edge of the network to cope with that set-up. Or see if the VoIP gear can co-exist inside the existing gateway; give it static address(es) on your LAN, and see if its VoIP gateway can punch through your network gateway correctly. Either of these can get rid of one layer of NAT and the ensuing IP routing problems, if the VoIP gear (still) works after the reconfiguration.


And that is rather less of a domain-name coincidence than you might have realized.
