#1

    IP Addressing Scheme, multiple subnets


    I inherited a network that was incorrectly set up as far as addressing goes. The scheme that was chosen has posed a couple of problems, to the point that I have decided to redo it correctly - problem is I'm not sure how to proceed!

    Here is the current scheme:
    Corporate Office - 30 DHCP clients, 15 Static clients
    192.168.1.x/255.255.0.0

    30 Satellite Offices - 2 DHCP clients per office
    Office One:10.0.1.x/255.255.255.0
    Office Two:10.0.2.x/255.255.255.0
    Office Three:10.0.3.x/255.255.255.0
    etc etc etc

    First off, I'm not sure why the previous admin used a Class B Subnet mask at the corporate office and Class C masks elsewhere. Since our needs are pretty low at the corporate office I'd like to use a Class C mask here too.

    The satellite offices all maintain hardware-to-hardware VPN tunnels back to corporate - their routers have a static internal address (Office One's router is 10.0.1.1) but they hand out DHCP leases themselves to the clients on their individual subnets rather than using the DHCP server back at corporate. The machines at the satellites are all members of our Windows domain and file/printer sharing among sites works great.

    The problem arises from remote workers or people in hotel rooms who use our software VPN client to login to the corporate office. If they are coming from a network that uses the same 192.168.1.x address scheme (which as you know 90% of the networks out there seem to do) they cannot successfully connect.

    In the past the workaround has been to change the scheme of people's home networks to using 172.16.0.x/255.255.255.0 and the problem is solved. I'm getting tired of having to make house calls and realized I need to just bite the bullet and make the change up here.

    SO........................

    What would you folks suggest as a correct subnet and mask to use for the corporate office? Can I use 10.0.0.x with a 255.255.255.0 mask? That would certainly be easy to implement, just wanted to make sure that this would be OK. I've never been involved with network design - just maintenance.

    Thanks in advance for all assistance, please let me know if I need to clarify anything else.
  2. #2
    10.0.0.0 255.255.255.0 is a valid network address and should work just fine. As you have noted, 192.168.1.0 255.255.0.0 is not valid (192.168.1.0 is a class C network) and could be causing you some problems. I would get that taken care of ASAP.
  4. #3
    Originally Posted by -Glyn-
    The problem arises from remote workers or people in hotel rooms who use our software VPN client to login to the corporate office. If they are coming from a network that uses the same 192.168.1.x address scheme (which as you know 90% of the networks out there seem to do) they cannot successfully connect.
    This hints that the VPN isn't doing DHCP properly such that the VPN client is using their existing IP for the VPN connection rather than the appropriate IP for the tunnel.
    ======
    Doug G
    ======
    Bartender to Rene Descartes "have another beer?" Descartes: "I think not" and he vanished.
    --Alfred Bester
  6. #4
    Originally Posted by Doug G
    This hints that the VPN isn't doing DHCP properly such that the VPN client is using their existing IP for the VPN connection rather than the appropriate IP for the tunnel.
    The VPN client hands out a DHCP lease fine, it's just that I guess having a similar addressing scheme but a different mask confuses the client and communication is impossible - I can't even ping anything on the other side of the tunnel. Software vendor says that all we need to do is change the scheme at corporate office but they won't give me any suggestions.

    Anyways, I'm going to roll with the 10.0.0.x/255.255.255.0 scheme woodlander - thanks for the confirmation. Need to get all prepped and probably will pull the trigger next week, will let you folks know how it goes. Thanks again!
  8. #5
    Originally Posted by -Glyn-
    The VPN client hands out a DHCP lease fine, it's just that I guess having a similar addressing scheme but a different mask confuses the client and communication is impossible - I can't even ping anything on the other side of the tunnel. Software vendor says that all we need to do is change the scheme at corporate office but they won't give me any suggestions.

    Anyways, I'm going to roll with the 10.0.0.x/255.255.255.0 scheme woodlander - thanks for the confirmation. Need to get all prepped and probably will pull the trigger next week, will let you folks know how it goes. Thanks again!
    A VPN client doesn't hand out a lease; it receives one. Why don't you change the IP range that your VPN server is handing out, if the only problem you have with your scheme is VPN trouble?
    Last edited by sporky12; January 16th, 2007 at 08:35 AM.
  10. #6
    Checked back in to say thanks for the assistance, made the change to the addressing scheme a few days back and all went well.

    Didn't see your message, Sporky, until after the fact and see the distinction you were making - although we use a network appliance that manages our VPN tunnels and it simply passes along leases from the corporate office DHCP server where it resides. I could have tried to delve into seeing if there was a setting I was overlooking in the appliance to pass out a separate scheme of addresses specifically for the VPN clients but decided that since the subnet mask we were using was already a problem, why not just kill two birds with one stone.

    Anyways, thanks all for the help.
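
An added example, not part of the thread: a pre-change check of a candidate corporate subnet against the satellite subnets and the LANs remote VPN users connect from, using Python's standard `ipaddress` module. The satellite pattern continuing through office 30 and the `REMOTE_LANS` sample are assumptions; the function names are illustrative.

```python
import ipaddress


def net(addr_mask):
    """Parse 'address/mask'; strict=False clears host bits, as a router would."""
    return ipaddress.ip_network(addr_mask, strict=False)


# Satellite offices as listed in the thread: 10.0.N.x/255.255.255.0.
# Assumption: the pattern continues through all 30 offices.
SATELLITES = {f"office-{n}": net(f"10.0.{n}.0/255.255.255.0") for n in range(1, 31)}

# Constructed sample of LANs a remote VPN user may be sitting on. The thread
# names 192.168.1.x and the 172.16.0.x workaround; extend this with whatever
# ranges your own users' networks actually use.
REMOTE_LANS = {
    "home-192.168.0": net("192.168.0.0/24"),
    "home-192.168.1": net("192.168.1.0/24"),
    "home-172.16.0": net("172.16.0.0/24"),
}


def conflicts(candidate, others):
    """Names of the networks in `others` whose address space overlaps `candidate`."""
    cand = net(candidate)
    return sorted(name for name, other in others.items() if cand.overlaps(other))


def review(candidate):
    """Summarise one candidate corporate subnet before it is rolled out."""
    cand = net(candidate)
    return {
        "network": str(cand),               # what the mask really covers
        "hosts": cand.num_addresses - 2,    # minus network and broadcast
        "satellite_conflicts": conflicts(candidate, SATELLITES),
        "remote_conflicts": conflicts(candidate, REMOTE_LANS),
    }


if __name__ == "__main__":
    for plan in ("192.168.1.0/255.255.0.0",   # scheme inherited in the thread
                 "10.0.0.0/255.255.255.0",    # scheme the poster moved to
                 "10.0.0.0/255.255.0.0"):     # same prefix with a /16 mask
        print(plan, "->", review(plan))
```

The old mask makes the corporate network cover all of 192.168.0.0/16, so it overlaps every 192.168.x.x LAN in the sample, while 10.0.0.0 with a 255.255.0.0 mask would swallow every satellite subnet.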
