Topic: Recommendations for PPTP Server Address  (Read 3687 times)
« on: August 11, 2010, 02:08:16 »
kai *
Posts: 4

I seem to remember reading that the recommendation for the PPTP VPN Server address is to have it on a different subnet to the LAN IP address, but can't find the mention of where I saw this.

Putting the question out there - what is the best practice for the VPN PPTP Server IP? Is it best to have it on the same subnet as the LAN interface, or is it best to keep PPTP VPN users in their own subnet?

m0n0 seems to have no problem routing traffic automatically between the two subnets if I have it configured that way; however, on the client end I then need to specify that the PPTP VPN connection is the default route, meaning that all their other network traffic (email, internet browsing) also travels through the VPN.

Even though I've specified a /28 for the VPN subnet, I seem to be getting a /24 which means that if I put the VPN PPTP Server IP on the LAN subnet, they should still get a /24 there so that routing to the remote LAN would still work.

Are there any downsides or other issues I need to be aware of when putting the VPN Server IP on the same subnet as the LAN IP? Obviously I need to make sure that the VPN IP range doesn't overlap with the DHCP assigned address range...
« Reply #1 on: August 15, 2010, 03:40:08 »
kai *
Posts: 4

Bump - can anyone recommend using a different subnet for the VPN to the LAN, or is it best to put them on the same subnet?
« Reply #2 on: August 15, 2010, 08:18:20 »
rpsmith ***
Posts: 113

I always use the same subnet as my LAN.  I put the server at .63 and start the clients at .64 (my LAN DHCP range is always .100 to .199)

Roy...
« Reply #3 on: August 15, 2010, 08:22:28 »
kai *
Posts: 4

Thanks for that, Roy.
My initial thoughts would be to use the same subnet as the LAN too, however I'm sure I've seen somewhere recommended to use a different subnet...

I too always use .100 to .199 for network clients; it keeps it nice and simple.

By the way, does m0n0 assign IPs backwards from .199 for you or is it just me?
« Reply #4 on: August 16, 2010, 03:09:37 »
rpsmith ***
Posts: 113

Yes - it starts from .199 and works its way down.   Also, I think the main reason to use a different subnet for your VPN clients would be to free up the LAN IPs.  Most of the time that is not an issue, but if you have 100+ users you might need the extra IP space for LAN users and servers.

Also just found this:  http://doc.m0n0.ch/handbook/pptp-subnetting.html

Roy...
« Last Edit: August 16, 2010, 08:16:37 by rpsmith »
« Reply #5 on: September 09, 2010, 03:50:51 »
teichhei *
Posts: 3

I have my LAN set to 192.168.102.0/24 and use 192.168.103.0/24 for the PPTP.
The benefit is that you can control exactly what PPTP users can and cannot do through firewall rules, and you don't have to worry about conflicts with your DHCP configuration. To start, put in Source PPTP * * * to get everything across the firewall; you can limit it down after you know that it is working. By default no traffic is allowed, so if you don't create any rules it won't work.
If you need them to connect to the internet after having a PPTP connection, you need to create an Outbound NAT rule as well (in my case WAN interface, source 192.168.103.0 any any).
If it was an address space issue you could simply go class B net.
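
An added example, not written by any poster in this thread and not m0n0wall code: a Python check of a PPTP addressing plan against the points raised above (client block versus DHCP pool, server address placement, same subnet versus separate subnet). The function name, the 192.168.1.0/24 LAN, the DHCP pool on 192.168.102.0/24, and the 192.168.103.1 server with a 192.168.103.16/28 client block are constructed for illustration.

```python
import ipaddress as ip

def check_pptp_plan(lan, dhcp_start, dhcp_end, pptp_server, pptp_clients):
    """Return finding codes for a PPTP addressing plan (hypothetical helper)."""
    lan_net = ip.ip_network(lan)
    clients = ip.ip_network(pptp_clients)   # block handed out to VPN clients
    server = ip.ip_address(pptp_server)     # server-side PPTP address
    lo, hi = ip.ip_address(dhcp_start), ip.ip_address(dhcp_end)
    findings = []

    if not (lo in lan_net and hi in lan_net and lo <= hi):
        findings.append("dhcp-pool-not-inside-lan")
    # Two closed ranges overlap when each one starts before the other ends.
    if clients[0] <= hi and lo <= clients[-1]:
        findings.append("clients-overlap-dhcp-pool")
    if lo <= server <= hi:
        findings.append("server-inside-dhcp-pool")
    if server in clients:
        findings.append("server-inside-client-block")

    if clients.subnet_of(lan_net):
        # VPN clients take addresses out of the LAN's own range.
        findings.append("same-subnet")
    elif clients.overlaps(lan_net):
        findings.append("client-block-overlaps-lan")
    else:
        # Routed design: traffic passes only where PPTP firewall rules allow
        # it, and internet access needs an outbound NAT rule for this block.
        findings.append("separate-subnet")
    return findings

# Constructed plans: (LAN, DHCP start, DHCP end, PPTP server, client block).
PLANS = {
    "same subnet": ("192.168.1.0/24", "192.168.1.100", "192.168.1.199",
                    "192.168.1.63", "192.168.1.64/28"),
    "separate subnet": ("192.168.102.0/24", "192.168.102.100",
                        "192.168.102.199", "192.168.103.1",
                        "192.168.103.16/28"),
    "colliding": ("192.168.1.0/24", "192.168.1.100", "192.168.1.199",
                  "192.168.1.150", "192.168.1.96/28"),
}

if __name__ == "__main__":
    for name, plan in PLANS.items():
        print(f"{name:16} {check_pptp_plan(*plan)}")
```

A plan that returns only `same-subnet` or only `separate-subnet` has no address collisions; the remaining choice is whether VPN clients should be filtered as their own network.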
 