January 12th, 2007, 04:59 PM
IP Addressing Scheme, multiple subnets
I inherited a network that was incorrectly set up as far as addressing goes. The scheme that was chosen has posed a couple of problems to the point that I have decided to redo it correctly - problem is I'm not sure how to proceed!
Here is the current scheme:
Corporate Office - 30 DHCP clients, 15 Static clients
30 Satellite Offices - 2 DHCP clients per office
etc etc etc
First off, I'm not sure why the previous admin used a Class B Subnet mask at the corporate office and Class C masks elsewhere. Since our needs are pretty low at the corporate office I'd like to use a Class C mask here too.
The satellite offices all maintain hardware-to-hardware VPN tunnels back to corporate - their routers have a static internal address (Office One's router is 10.0.1.1) but they hand out DHCP leases themselves to the clients on their individual subnets rather than using the DHCP server back at corporate. The machines at the satellites are all members of our Windows domain and file/printer sharing among sites works great.
The problem arises from remote workers or people in hotel rooms who use our software VPN client to log in to the corporate office. If they are coming from a network that uses the same 192.168.1.x address scheme (which as you know 90% of the networks out there seem to do) they cannot successfully connect.
In the past the workaround has been to change the scheme of people's home networks to using 172.16.0.x/255.255.255.0 and the problem is solved. I'm getting tired of having to make house calls and realized I need to just bite the bullet and make the change up here.
What would you folks suggest as a correct Subnet and Mask to use for the corporate office? Can I use 10.0.0.x with a 255.255.255.0 mask? That would certainly be easy to implement; I just wanted to make sure that this would be OK. I've never been involved with network design - just maintenance.
Thanks in advance for all assistance, please let me know if I need to clarify anything else.
January 13th, 2007, 12:36 PM
10.0.0.0 255.255.255.0 is a valid network address and should work just fine. As you have noted, 192.168.1.0 255.255.0.0 is not valid (192.168.1.0 is a class C network) and could be causing you some problems. I would get that taken care of ASAP.
January 13th, 2007, 05:00 PM
This hints that the VPN isn't doing DHCP properly such that the VPN client is using their existing IP for the VPN connection rather than the appropriate IP for the tunnel.
"I've never been able to appreciate the sublime arrogance of folks who feel they were put on earth just to save other folks from themselves .." - Donald Hamilton
January 13th, 2007, 10:00 PM
The VPN client hands out a DHCP lease fine, it's just that I guess having a similar addressing scheme but a different mask confuses the client and communication is impossible - I can't even ping anything on the other side of the tunnel. Software vendor says that all we need to do is change the scheme at corporate office but they won't give me any suggestions.
Originally Posted by Doug G
Anyways, I'm going to roll with the 10.0.0.x/255.255.255.0 scheme, woodlander - thanks for the confirmation. Need to get all prepped and probably will pull the trigger next week, will let you folks know how it goes. Thanks again!
January 16th, 2007, 07:31 AM
A VPN client doesn't hand out a lease; it receives one. Why don't you change the IP range that your VPN server is handing out, if the only problem you have with your scheme is VPN trouble?
Originally Posted by -Glyn-
Last edited by sporky12; January 16th, 2007 at 07:35 AM.
January 20th, 2007, 10:23 PM
Checked back in to say thanks for the assistance, made the change to the addressing scheme a few days back and all went well.
Didn't see your message, Sporky, until after the fact, and I see the distinction you were making - although we use a network appliance that manages our VPN tunnels and it simply passes along leases from the corporate office DHCP server where it resides. I could have tried to delve into seeing if there was a setting I was overlooking in the appliance to pass out a separate scheme of addresses specifically for the VPN clients, but decided that since the subnet mask we were using was already a problem, why not just kill two birds with one stone.
Anyways, thanks all for the help.
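An added example, not part of the thread: a check of a candidate corporate range against the satellite subnets and against LANs a remote VPN user may already be sitting on, run before renumbering. The satellite numbering (office N on 10.0.N.0/24), the list of home-router defaults and the "constructed alternative" range are assumptions made for illustration.

```python
import ipaddress

# Assumed (not from the thread): LAN ranges often shipped as consumer-router defaults.
HOME_DEFAULTS = ["192.168.0.0/24", "192.168.1.0/24", "10.0.0.0/24"]


def satellite_subnets(count=30):
    """Assumed numbering: office N uses 10.0.N.0/24 (the thread gives only 10.0.1.1)."""
    return [ipaddress.ip_network(f"10.0.{n}.0/24") for n in range(1, count + 1)]


def parse(address, mask):
    """Build a network from address + dotted mask, masking off any host bits."""
    return ipaddress.ip_network(f"{address}/{mask}", strict=False)


def conflicts(candidate, satellites=None, home=HOME_DEFAULTS):
    """Return (label, network) pairs that overlap the candidate corporate LAN."""
    satellites = satellite_subnets() if satellites is None else satellites
    hits = []
    for net in satellites:
        if candidate.overlaps(net):
            hits.append(("satellite", net))
    for text in home:
        net = ipaddress.ip_network(text)
        if candidate.overlaps(net):
            # A client on this LAN routes the overlapping addresses locally,
            # so traffic for corporate hosts never enters the tunnel.
            hits.append(("remote-LAN", net))
    return hits


if __name__ == "__main__":
    plans = {
        "old corporate": parse("192.168.1.0", "255.255.0.0"),
        "proposed": parse("10.0.0.0", "255.255.255.0"),
        "constructed alternative": parse("10.87.20.0", "255.255.255.0"),
    }
    for name, net in plans.items():
        found = conflicts(net)
        print(f"{name}: {net} -> {len(found)} overlap(s)")
        for label, other in found:
            print(f"   {label}: {other}")
```
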