VPN Subnetting

How can i get the client VPN connection to have a different subnet mask. The current subnett mask that is being assigned is 255.255.255.255.

Hi,

What would you like it to be? Why do you want/need it to be something else?

You should change routing in your LAN not on VPN clients. You can weaken
security of your clients with this...

Mike

"Foward" <(E-Mail Removed)> wrote in message
news:FDF2BA49-BD34-4FC5-A2B5-(E-Mail Removed)...
> How can i get the client VPN connection to have a different subnet mask.
The current subnett mask that is being assigned is 255.255.255.255.

I agree with Mike, why would you want/need to have a different subnet for your vpn clients? If you need access other networks you can add some static routes to your client machine.

Bradley Fox
Sr. Network Administrator
MCSE - W2K

>>> Foward<(E-Mail Removed)> 07/28/04 04:17PM >>>
I would like the subnet to be 255.0.0.0. I have already tried using dhcp to assign the address but the client automatically assignes 255.255.255.255, no matter what the ip address is.

"Miha Pihler" wrote:

> Hi,
>
> What would you like it to be? Why do you want/need it to be something else?
>
> You should change routing in your LAN not on VPN clients. You can weaken
> security of your clients with this...
>
> Mike
>
> "Foward" <(E-Mail Removed)> wrote in message
> news:FDF2BA49-BD34-4FC5-A2B5-(E-Mail Removed)...
> > How can i get the client VPN connection to have a different subnet mask.
> The current subnett mask that is being assigned is 255.255.255.255.
>
>
>

I don't think it's possible (AFAIK), and I still can't see why you would
want to do this...

If you leave it at 255.255.255.255 your client will send _every_ network
request to default gateway that will route it further to destination. The
only reason for having e.g. 255.0.0.0 would be if your clients would be in
"same LAN" but this is not the case on VPN. Changing subnet mask could also
compromise your LAN (split network)...

Mike

"Foward" <(E-Mail Removed)> wrote in message
news:7CAEA866-A7D6-4C5B-A752-(E-Mail Removed)...
> I would like the subnet to be 255.0.0.0. I have already tried using dhcp
to assign the address but the client automatically assignes 255.255.255.255,
no matter what the ip address is.
>
> "Miha Pihler" wrote:
>
> > Hi,
> >
> > What would you like it to be? Why do you want/need it to be something
else?
> >
> > You should change routing in your LAN not on VPN clients. You can weaken
> > security of your clients with this...
> >
> > Mike
> >
> > "Foward" <(E-Mail Removed)> wrote in message
> > news:FDF2BA49-BD34-4FC5-A2B5-(E-Mail Removed)...
> > > How can i get the client VPN connection to have a different subnet
mask.
> > The current subnett mask that is being assigned is 255.255.255.255.
> >
> >
> >

Perhaps he should read KB 254231 which explains what changes in the routes
when a remote access client connects to a RRAS server.

"Miha Pihler" <mihap-(E-Mail Removed)> wrote in message
news:#(E-Mail Removed)...
> I don't think it's possible (AFAIK), and I still can't see why you would
> want to do this...
>
> If you leave it at 255.255.255.255 your client will send _every_ network
> request to default gateway that will route it further to destination. The
> only reason for having e.g. 255.0.0.0 would be if your clients would be in
> "same LAN" but this is not the case on VPN. Changing subnet mask could
also
> compromise your LAN (split network)...
>
> Mike
>
> "Foward" <(E-Mail Removed)> wrote in message
> news:7CAEA866-A7D6-4C5B-A752-(E-Mail Removed)...
> > I would like the subnet to be 255.0.0.0. I have already tried using
dhcp
> to assign the address but the client automatically assignes
255.255.255.255,
> no matter what the ip address is.
> >
> > "Miha Pihler" wrote:
> >
> > > Hi,
> > >
> > > What would you like it to be? Why do you want/need it to be something
> else?
> > >
> > > You should change routing in your LAN not on VPN clients. You can
weaken
> > > security of your clients with this...
> > >
> > > Mike
> > >
> > > "Foward" <(E-Mail Removed)> wrote in message
> > > news:FDF2BA49-BD34-4FC5-A2B5-(E-Mail Removed)...
> > > > How can i get the client VPN connection to have a different subnet
> mask.
> > > The current subnett mask that is being assigned is 255.255.255.255.
> > >
> > >
> > >
>
>

Good article, I'll have to add that one to my list.

It sounds like it comes down to the idea if just never trying to control
routing at the client, but control routing at a specific "routing device" on
the LAN,...then using the "Use gateway on remote network" to control which
LAN the client looks to for that. At least that is how I always expected to
do it anyway,...I've never liked "client centric routing".

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


"Bill Grant" <not.available@online> wrote in message
news:(E-Mail Removed)...
> Perhaps he should read KB 254231 which explains what changes in the
routes
> when a remote access client connects to a RRAS server.
>
> "Miha Pihler" <mihap-(E-Mail Removed)> wrote in message
> news:#(E-Mail Removed)...
> > I don't think it's possible (AFAIK), and I still can't see why you would
> > want to do this...
> >
> > If you leave it at 255.255.255.255 your client will send _every_ network
> > request to default gateway that will route it further to destination.
The
> > only reason for having e.g. 255.0.0.0 would be if your clients would be
in
> > "same LAN" but this is not the case on VPN. Changing subnet mask could
> also
> > compromise your LAN (split network)...
> >
> > Mike
> >
> > "Foward" <(E-Mail Removed)> wrote in message
> > news:7CAEA866-A7D6-4C5B-A752-(E-Mail Removed)...
> > > I would like the subnet to be 255.0.0.0. I have already tried using
> dhcp
> > to assign the address but the client automatically assignes
> 255.255.255.255,
> > no matter what the ip address is.
> > >
> > > "Miha Pihler" wrote:
> > >
> > > > Hi,
> > > >
> > > > What would you like it to be? Why do you want/need it to be
something
> > else?
> > > >
> > > > You should change routing in your LAN not on VPN clients. You can
> weaken
> > > > security of your clients with this...
> > > >
> > > > Mike
> > > >
> > > > "Foward" <(E-Mail Removed)> wrote in message
> > > > news:FDF2BA49-BD34-4FC5-A2B5-(E-Mail Removed)...
> > > > > How can i get the client VPN connection to have a different subnet
> > mask.
> > > > The current subnett mask that is being assigned is 255.255.255.255.
> > > >
> > > >
> > > >
> >
> >
>
>

Yep. Let the routers do the routing!

The only exception is if you clear the "use default gateway" to keep
your default route to the Internet (split tunelling). When you do this, you
only get a subnet route through the tunnel. If you want to access other
subnets through the tunnel, you have to modify the client routing. Otherwise
the traffic goes out to the Internet and gets lost. (I note that you already
said that in a reply to a different post yesterday!)

"Phillip Windell" <@.> wrote in message
news:(E-Mail Removed)...
> Good article, I'll have to add that one to my list.
>
> It sounds like it comes down to the idea if just never trying to control
> routing at the client, but control routing at a specific "routing device"
on
> the LAN,...then using the "Use gateway on remote network" to control which
> LAN the client looks to for that. At least that is how I always expected
to
> do it anyway,...I've never liked "client centric routing".
>
> --
>
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
>
>
> "Bill Grant" <not.available@online> wrote in message
> news:(E-Mail Removed)...
> > Perhaps he should read KB 254231 which explains what changes in the
> routes
> > when a remote access client connects to a RRAS server.
> >
> > "Miha Pihler" <mihap-(E-Mail Removed)> wrote in message
> > news:#(E-Mail Removed)...
> > > I don't think it's possible (AFAIK), and I still can't see why you
would
> > > want to do this...
> > >
> > > If you leave it at 255.255.255.255 your client will send _every_
network
> > > request to default gateway that will route it further to destination.
> The
> > > only reason for having e.g. 255.0.0.0 would be if your clients would
be
> in
> > > "same LAN" but this is not the case on VPN. Changing subnet mask could
> > also
> > > compromise your LAN (split network)...
> > >
> > > Mike
> > >
> > > "Foward" <(E-Mail Removed)> wrote in message
> > > news:7CAEA866-A7D6-4C5B-A752-(E-Mail Removed)...
> > > > I would like the subnet to be 255.0.0.0. I have already tried using
> > dhcp
> > > to assign the address but the client automatically assignes
> > 255.255.255.255,
> > > no matter what the ip address is.
> > > >
> > > > "Miha Pihler" wrote:
> > > >
> > > > > Hi,
> > > > >
> > > > > What would you like it to be? Why do you want/need it to be
> something
> > > else?
> > > > >
> > > > > You should change routing in your LAN not on VPN clients. You can
> > weaken
> > > > > security of your clients with this...
> > > > >
> > > > > Mike
> > > > >
> > > > > "Foward" <(E-Mail Removed)> wrote in message
> > > > > news:FDF2BA49-BD34-4FC5-A2B5-(E-Mail Removed)...
> > > > > > How can i get the client VPN connection to have a different
subnet
> > > mask.
> > > > > The current subnett mask that is being assigned is
255.255.255.255.
> > > > >
> > > > >
> > > > >
> > >
> > >
> >
> >
>
>