Re: Help Setting Up A VPN On BT Broadband

 
 
Graham J

 
      01-05-2010, 09:40 PM

"Roger" <(E-Mail Removed)> wrote in message
news:XdN0n.9080$(E-Mail Removed)2...
>
>
> "Sjwdavies" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>>
>> Hi,
>>
>> This is my first post so apologies if this isn't in the correct place.
>>
>> Long story short, I'm trying to set up a VPN at my work.
>>
>> We have a Windows SBS2003 Server, and a BT Broadband line with a BT
>> Business Hub. I bought a Linksys WRV200 VPN router as I was told this
>> would work.
>>
>> I've been told I need to bridge the connection on the BT Business
>> Router then authenticate it over PPPoE on the Linksys VPN router...
>>
>> Thing is, whenever I try and bridge the connection on the BT Business
>> Hub and pass it through to the VPN router I can never get it to
>> connect.
>>
>> Can anyone give me any help?
>>
>>
>>
>>
>> --
>> Sjwdavies

>
> Hi SJW
> not sure about bridging but unless you need to use the wireless/lan ports
> on the business hub why not just put the linksys in the DMZ of the BT hub
> (the BT router will give the linksys its (or one of its) public ip
> address when you do this and forward all internet traffic to the linksys)
> and use the linksys as your lan router as well as vpn box (I believe it
> has lan ports and wireless).
>
> Please note that there is an issue with some vpn ports and BT openzone so
> you may need to disable openzone on your BT router if it is enabled. If you
> haven't looked there yet take a look at the BT business forums on
> btb.lithium.com where there are several posts about getting vpn working on
> bt business setups. It took me a while to get our linksys rv082 and pptp
> vpn (MS server) set up on our routers but it has been working stably now
> for about 6 months.


In principle you configure the router to allow incoming VPN traffic through
to the server, and run the VPN service on the server. That way a remote
client connects to the server, and gets the facilities that the server is
configured to allow him.

You need some way for the remote client to find out the public IP address of
the router. There are Dynamic DNS services which will allow this, but the
router itself must have the capability to work with such a service. For
extra money BT will give you a static IP. By contrast, professional ISPs
such as Andrews & Arnold, or Zen, always give you a static IP address.

In my experience the best way to achieve a VPN is to use Vigor routers at
each end of the link. Provided both ends have static IP addresses the
routers can be set up for a LAN-to-LAN VPN. The client network connects to
the server's network and there is no need to configure the SBS2003 machine
in any way.

Explicit details are available on the Vigor website.

--
Graham J




 
Graham J

 
      01-06-2010, 02:37 PM

"Sjwdavies" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>
> Thanks for the reply Graham!
>
> With persistence yesterday, I was able to effectively put the BT router
> to sleep (aka Disable Routing), so it passes the unauthenticated
> broadband connection on via Ethernet to the VPN Router.
>
> Using PPPoE authentication, the VPN router then establishes the
> broadband connection, I open up Internet Explorer and hey presto I can
> see google!
>
> My next question is, what software do I need to setup my server to
> accept incoming VPN connections?


I think it's all built into SBS2003. M$ should have some guidance on their
website.

Much better would be to do as I suggest and use Vigor routers to set up the
VPN - then you don't need to do anything with SBS2003.

-- Graham J


 
Clint Sharp

 
      01-06-2010, 08:51 PM
In message <4b43b1e0$0$2491$(E-Mail Removed)>, Graham J
<graham@invalid.?.invalid> writes
>In my experience the best way to achieve a VPN is to use Vigor routers at
>each end of the link.

I've had issues with them re-instantiating the link after a line problem
but, (checks stats) the current ones have been up for almost six weeks
now. They work fairly well as VPN endpoints for remote users too.
> Provided both ends have static IP addresses the
>routers can be set up for a LAN-to-LAN VPN. The client network connects to
>the server's network and there is no need to configure the SBS2003 machine
>in any way.

But if the OP is stuck with the BT router then forwarding the relevant
ports to the SBS box and setting up RAS on it will be fairly easy. Just
read the notes on the MS knowledge base and with a little planning it
will be simple.
>
>Explicit details are available on the Vigor website.
>


--
Clint Sharp
 
Clint Sharp

 
      01-06-2010, 09:07 PM
In message <(E-Mail Removed)>, Sjwdavies
<(E-Mail Removed)> writes
>
>Thanks for the reply Graham!
>
>With persistence yesterday, I was able to effectively put the BT router
>to sleep (aka Disable Routing), so it passes the unauthenticated
>broadband connection on via Ethernet to the VPN Router.
>
>Using PPPoE authentication, the VPN router then establishes the
>broadband connection, I open up Internet Explorer and hey presto I can
>see google!
>
>My next question is, what software do I need to setup my server to
>accept incoming VPN connections?


You should have no need to configure the server for VPN use as that's
the Linksys VPN router's job.

Your network should be;

Internet
|
| Public IP
|
BT Router
|
| Private subnet
|
Linksys Router
|
| 2nd Private subnet
|
Server and internal network (if your server has only one network card)
|
| 3rd Private subnet
|
Internal network if your server has two network cards (preferable).


TBH, you would be better off buying a Draytek ADSL modem/router or the
ADSL Modem/Router version of the Linksys and dumping the BT router (as
Graham suggested) or finding out how to forward the relevant VPN ports
on the BT router and using the server to provide the VPN.

The Linksys is unnecessary and it's a bit of a dog's breakfast the way
you have it at the moment. My worry is that you have exposed your
internal network to the Internet by bridging the BT router.
--
Clint Sharp
 
Graham J

 
      02-27-2010, 12:32 PM
Comments in line:

"jaller79" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>
> I too have a client who wants to connect two sites on a seamless network
> so they can share data across sites there is no server involvement
> currently due to cost.
>
> I have recommended a Lacie NAS storage device simple and Fault tolerant
> and inexpensive for centralised storage.


Not related to the issue of VPN but LaCie have a reputation for
unreliability ..!

> Looking at this last solution if he has a bt router at one side this is
> managed by BT the only option you have is to record the ip settings from
> the BT router ditch the bt router then set up the vigor router site 1
> first test lan and wan and internet then configure same at site 2 then
> setup VPN.


This is much easier if the public IP is static. BT will charge you extra
for this, but professional ISPs such as A&A or Zen include a static IP
address in their price. Probably your first step is to change ISP.

> Are these devices easy to configure?


There is good guidance on the Draytek website. It is good policy to set up
the routers so that you can manage them both from your own (static) IP
address. If your own internet connection does not have a static IP address
you probably should not be in this game.

One end of the VPN should have a static public IP address, the other can use
a Dynamic DNS service - but everything is much easier and more reliable if
both ends have a static IP address.

> I am a windows engineer predominantly have done the CCNA course but a
> bit rusty on networking.
>
> Is this the layout for the VPN setup using the Vigor 2820 Series ADSL
> Router Firewall?
>
> Private subnet office 1
> |
> Vigor 2820 Series ADSL Router
> |
> | Public IP office 1
> |
> Internet
> |
> | Public IP office 2
> |
> Vigor 2820 Series ADSL Router
> |
> Private subnet office 2


Note that it is essential that the subnet in office 1 has a different IP
address from the subnet in office 2. The routers then route between the two
subnets over the VPN.

Assuming ordinary ADSL connections, the limiting speed factor is the upload
speed - probably 448kbits/sec at each site.

Be aware that performance of typical M$ applications between the two sites
will be painfully poor - 448kbits/sec is 200 (or 2000) times slower than the
LAN in each of the offices. Other than for maintenance work where Remote
Desktop Connection or VNC are used the only applications that will give
acceptable performance are web services you operate with a browser. Opening
documents for editing within Word is theoretically possible but not
something you would want users to do - they will only complain! Similarly
opening multi-user accounts programs such as Quickbooks or Sage will give
unacceptably poor performance.

A leased line between the sites, or an ethernet connection to the internet
at both sites which then carries the VPN, either of these operating at 10
Mbits/sec or better would probably be acceptable for inter-office
performance. Rather than £25 per month for each site these are likely to
cost from £250 to £1000 per month perhaps also with significant setup
charges. (Unless the sites are only a few hundred metres apart.)

I haven't found a good solution for a typical small business where there are
two offices each with about 5 computers, and all users require everyday
access to edit all the files. I would be interested to hear of any success
with either:

1) a document management system with local caching, or;

2) a "cloud" system where all the files are held on a hosted service and
edited from a browser or similar client.

Cheers,

--
Graham J
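
Added example, not part of Graham J's post: a Python check of the requirement stated above that each office LAN must use a different subnet before a routed LAN-to-LAN VPN is set up. The site names and addresses are constructed sample values, and the helper names `check_vpn_plan` and `suggest_free_subnet` are hypothetical.

```python
import ipaddress
from itertools import combinations

# RFC 1918 private ranges; office LANs behind the routers should sit in these.
PRIVATE_BLOCKS = [ipaddress.IPv4Network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_vpn_plan(sites):
    """Return a list of problems for a {site name: LAN CIDR} plan (hypothetical helper)."""
    problems, nets = [], {}
    for name, cidr in sites.items():
        try:
            # strict=True rejects a host address given as a network (192.168.1.1/24)
            net = ipaddress.IPv4Network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{name}: invalid subnet {cidr!r} ({exc})")
            continue
        if not any(net.subnet_of(block) for block in PRIVATE_BLOCKS):
            problems.append(f"{name}: {net} is not private (RFC 1918) address space")
        nets[name] = net
    # Identical ranges and containment (a /16 swallowing a /24) both break routing
    for (a, net_a), (b, net_b) in combinations(nets.items(), 2):
        if net_a.overlaps(net_b):
            problems.append(f"{a} {net_a} overlaps {b} {net_b}")
    return problems


def suggest_free_subnet(in_use, pool="192.168.0.0/16", prefix=24):
    """Return the first subnet in pool that overlaps none of in_use, or None."""
    used = [ipaddress.IPv4Network(c) for c in in_use]
    for candidate in ipaddress.IPv4Network(pool).subnets(new_prefix=prefix):
        if not any(candidate.overlaps(u) for u in used):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed plans: both routers left on the same default, then a fixed plan
    plans = {
        "same default": {"office1": "192.168.1.0/24", "office2": "192.168.1.0/24"},
        "containment": {"office1": "192.168.0.0/16", "office2": "192.168.5.0/24"},
        "renumbered": {"office1": "192.168.10.0/24", "office2": "192.168.20.0/24"},
    }
    for label, plan in plans.items():
        issues = check_vpn_plan(plan)
        print(label, "->", issues or "OK")
    print("next free:", suggest_free_subnet(["192.168.0.0/24", "192.168.1.0/24"]))
```
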




 
Ivor Jones

 
      02-27-2010, 01:25 PM
On 27/02/10 12:32, Graham J wrote:

[snip]

>> I have recommended a Lacie NAS storage device simple and Fault tolerant
>> and inexpensive for centralised storage.

>
> Not related to the issue of VPN but LaCie have a reputation for
> unreliability ..!


FWIW I have three Buffalo TeraStation Pro II NAS devices configured as
Raid 5 which have been rock solid for over two years and only rebooted
when necessary to physically move them once or twice.

Ivor

 
alexd

 
      02-27-2010, 05:21 PM
On Sat, 27 Feb 2010 12:32:55 +0000, Graham J wrote:

> Note that it is essential that the subnet in office 1 has a different IP
> address from the subnet in office 2. The routers then route between the
> two subnets over the VPN.


It is actually possible to have a bridged rather than routed VPN, but
probably not desirable.

> Assuming ordinary ADSL connections, the limiting speed factor is the
> upload speed - probably 448kbits/sec at each site.


Given the low cost of ADSL2+, there's no reason not to switch if it's
available.

> Be aware that performance of typical M$ applications between the two
> sites will be painfully poor - 448kbits/sec is 200 (or 2000) times
> slower than the LAN in each of the offices.


If the problem is the SMB protocol, Windows has native support for WebDAV
file shares. If you used HTTPS you wouldn't need the VPN either, although
you may want a VPN for other applications.

--
<http://ale.cx/> (AIM:troffasky) ((E-Mail Removed))
16:51:26 up 11 days, 21:42, 5 users, load average: 0.00, 0.01, 0.00
DIMENSION-CONTROLLING FORT DOH HAS NOW BEEN DEMOLISHED,
AND TIME STARTED FLOWING REVERSELY
 
The Natural Philosopher

 
      02-27-2010, 06:16 PM
alexd wrote:
> On Sat, 27 Feb 2010 12:32:55 +0000, Graham J wrote:
>
>> Note that it is essential that the subnet in office 1 has a different IP
>> address from the subnet in office 2. The routers then route between the
>> two subnets over the VPN.

>
> It is actually possible to have a bridged rather than routed VPN, but
> probably not desirable.
>
>> Assuming ordinary ADSL connections, the limiting speed factor is the
>> upload speed - probably 448kbits/sec at each site.

>
> Given the low cost of ADSL2+, there's no reason not to switch if it's
> available.
>
>> Be aware that performance of typical M$ applications between the two
>> sites will be painfully poor - 448kbits/sec is 200 (or 2000) times
>> slower than the LAN in each of the offices.

>
> If the problem is the SMB protocol, Windows has native support for WebDAV
> file shares. If you used HTTPS you wouldn't need the VPN either, although
> you may want a VPN for other applications.
>

It's also been my experience that SMB is far far worse than e.g. ftp
over a WAN.

This may be because Windows tries to be clever, and build icons, and so
on from file info. FTP just transfers the file.

Whilst SMB (Netbios over TCP etc etc) works, it's very very slow.



 
Graham J

 
      02-27-2010, 06:25 PM

"The Natural Philosopher" <(E-Mail Removed)> wrote in message
news:hmbnhn$6eq$(E-Mail Removed)...
> alexd wrote:
>> On Sat, 27 Feb 2010 12:32:55 +0000, Graham J wrote:
>>
>>> Note that it is essential that the subnet in office 1 has a different IP
>>> address from the subnet in office 2. The routers then route between the
>>> two subnets over the VPN.

>>
>> It is actually possible to have a bridged rather than routed VPN, but
>> probably not desirable.
>>
>>> Assuming ordinary ADSL connections, the limiting speed factor is the
>>> upload speed - probably 448kbits/sec at each site.

>>
>> Given the low cost of ADSL2+, there's no reason not to switch if it's
>> available.
>>
>>> Be aware that performance of typical M$ applications between the two
>>> sites will be painfully poor - 448kbits/sec is 200 (or 2000) times
>>> slower than the LAN in each of the offices.

>>
>> If the problem is the SMB protocol, Windows has native support for WebDAV
>> file shares. If you used HTTPS you wouldn't need the VPN either, although
>> you may want a VPN for other applications.
>>

> It's also been my experience that SMB is far far worse than e.g. ftp over
> a WAN.
>
> This may be because Windows tries to be clever, and build icons, and so
> on from file info. FTP just transfers the file.
>
> Whilst SMB (Netbios over TCP etc etc) works, it's very very slow.


The issue for users is what they want to do. The most obvious requirement
is to open Word files for editing, so SMB is the underlying protocol. What
they don't want is to learn a new way of working simply because their files
are on a non-local computer.

--
Graham J


 
Phil W Lee

 
      02-27-2010, 07:12 PM
"Graham J" <graham@invalid> considered Sat, 27 Feb 2010 12:32:55 -0000
the perfect time to write:

>Comments in line:
>
>"jaller79" <(E-Mail Removed)> wrote in message
>news:(E-Mail Removed)...
>>
>> I too have a client who wants to connect two sites on a seamless network
>> so they can share data across sites there is no server involvement
>> currently due to cost.
>>
>> I have recommended a Lacie NAS storage device simple and Fault tolerant
>> and inexpensive for centralised storage.

>
>Not related to the issue of VPN but LaCie have a reputation for
>unreliability ..!
>
>> Looking at this last solution if he has a bt router at one side this is
>> managed by BT the only option you have is to record the ip settings from
>> the BT router ditch the bt router then set up the vigor router site 1
>> first test lan and wan and internet then configure same at site 2 then
>> setup VPN.

>
>This is much easier if the public IP is static. BT will charge you extra
>for this, but professional ISPs such as A&A or Zen include a static IP
>address in their price. Probably your first step is to change ISP.
>
>> Are these devices easy to configure?

>
>There is good guidance on the Draytek website. It is good policy to set up
>the routers so that you can manage them both from your own (static) IP
>address. If your own internet connection does not have a static IP address
>you probably should not be in this game.
>
>One end of the VPN should have a static public IP address, the other can use
>a Dynamic DNS service - but everything is much easier and more reliable if
>both ends have a static IP address.
>
>> I am a windows engineer predominantly have done the CCNA course but a
>> bit rusty on networking.
>>
>> Is this the layout for the VPN setup using the Vigor 2820 Series ADSL
>> Router Firewall?
>>
>> Private subnet office 1
>> |
>> Vigor 2820 Series ADSL Router
>> |
>> | Public IP office 1
>> |
>> Internet
>> |
>> | Public IP office 2
>> |
>> Vigor 2820 Series ADSL Router
>> |
>> Private subnet office 2

>
>Note that it is essential that the subnet in office 1 has a different IP
>address from the subnet in office 2. The routers then route between the two
>subnets over the VPN.
>
>Assuming ordinary ADSL connections, the limiting speed factor is the upload
>speed - probably 448kbits/sec at each site.
>
>Be aware that performance of typical M$ applications between the two sites
>will be painfully poor - 448kbits/sec is 200 (or 2000) times slower than the
>LAN in each of the offices. Other than for maintenance work where Remote
>Desktop Connection or VNC are used the only applications that will give
>acceptable performance are web services you operate with a browser. Opening
>documents for editing within Word is theoretically possible but not
>something you would want users to do - they will only complain! Similarly
>opening multi-user accounts programs such as Quickbooks or Sage will give
>unacceptably poor performance.
>
>A leased line between the sites, or an ethernet connection to the internet
>at both sites which then carries the VPN, either of these operating at 10
>Mbits/sec or better would probably be acceptable for inter-office
>performance. Rather than £25 per month for each site these are likely to
>cost from £250 to £1000 per month perhaps also with significant setup
>charges. (Unless the sites are only a few hundred metres apart.)
>
>I haven't found a good solution for a typical small business where there are
>two offices each with about 5 computers, and all users require everyday
>access to edit all the files. I would be interested to hear of any success
>with either:
>
>1) a document management system with local caching, or;
>
>2) a "cloud" system where all the files are held on a hosted service and
>edited from a browser or similar client.
>
>Cheers,


I've done it between the UK and US, with a small win2k server at each
of 2 UK and 1 US office end and DFS, with a filesystem replica on each
server.

Don't try to store big files in the replicated filesystem though, or
you'll break it (no Outlook .pst files, for instance).

That had about 15 users at one UK office, 4 at the other, and 2 in the
US (although as every file goes everywhere, the distribution makes no
difference, just the total of 21 users).

To increase the working set, you'd have to move up to leased lines,
and you should also be aware that this will run at the speed of the
slowest link in the system, wherever that is.

This was
 