What would you do? VPN?

  1. #1
    Registered User arch0nmyc0n's Avatar
    Join Date
    Oct 2002
    Location
    It's all relative.
    Posts
    1,820

    What would you do? VPN?

    I have an interesting situation developing at a customer's business. They've built a huge (the biggest I've ever seen) greenhouse that they're gonna grow peppers in year round using combination of hydroponics techniques. They called me in to do the networking. I've mainly dealt with personal networks before, nothing exceeding sharing printers and files and connections. To give you an idea of the layout we have:

    The actual networking (wires through walls and jacks) was completed by the construction company in conjunction with another company that specifically deals with wiring houses and such. From the looks of it they were smart enough to leave room for expansion later (thank god).

    I've installed a 4 port DLink 704-P router to bring the network together.

    There is one desktop that will be used for general office stuff. (WinXP)
    There is one laptop that will be used for the same general office stuff but also be transported to the customer's house for reading emails comfortably at home. (WinXP)
    These are plugged directly into the 704-P. With a workgroup called EPEPPER

    There is a control computer that monitors the temperatures all over the compound. (WinXP) A separate company out of Toronto installed the system. It's a Dell something or other (go figure). It is connected to a 5 port dumb hub that then has a connection going into the system that the company in Toronto installed (a big locked box that I couldn't figure out how to open, locks out the wazoo). This machine apparently requires internet access so people can login through PCAnywhere so they can check the status anywhere anytime. This is on a workgroup "WORKGROUP", and looks as though this cannot be changed, without the other guys reconfiguring the system.

    There are two machines I haven't seen yet that are also in the building that are responsible for monitoring the boilers. I was speaking briefly with the guy that "installed" them and he tells me they're using IP addresses X.X.X.231 and X.X.X.232. These are not connected to the router yet, as there hasn't been a cable run from the boiler room.

    I have setup the 704-p with the IP address X.X.X.1 and setup the IP pool for the DHCP to be X.X.X.100-199.

    The two office machines are networked fine and they see each other and the printers are shared.

    The control machine was added by simply putting in a cable from the 5 port dumb hub to the router; and it can now obtain an IP.

    We discussed how the boiler guy likes to do it and he usually puts in a dumb switch near the machines and then runs a line to the router in the office. This has yet to be done.

    The 704-P has a firewall obviously.

    My questions:

    1) I have to set it up so the control machine has access to the internet and people can connect to PCAnywhere on it. What are the ports I need to open? And is that all I'd have to do is open ports or are there more steps that would need to be taken? The PCAnywhere is working through the dialup connection apparently and requires a username/password to logon.

    2) (More important) The boiler guy really would like to get access to his computers over the internet. We briefly discussed VPN. I've never set one up so I have no idea how to. Are we thinking the right way?

    I talked with the administrator at the ISP I work at and he said there are two ways to do it.
    A) IF the boiler programs can be modified to send and receive on different ports, I could just port forward in the router and the guy would just have to select a port.
    B) A 2k (or thereabouts) server with routing and remote services.

    Is there something else we can do? They've spent millions of dollars on this compound so I don't see why they wouldn't spend more money on the computer equipment, so a 2k server is possible. But I'd rather not drag in another computer. Can XP be modified to do the "Routing and remote" junk?

    Sorry for the long story, but this one is really throwing my brain for a loooooop... ANY thoughts? Any questions I should ask to get you guys more information?

    PS. Bell are retards and they didn't add the line card for DSL like they said they would so I don't have internet access out there other than a stinky little dialup.
    "We must always fear the wicked. But there is another kind of evil that we must fear the most, and that is the indifference of good men." -- Monsignor; The Boondock Saints.

  2. #2
    Chat Operator Matridom's Avatar
    Join Date
    Jan 2002
    Location
    Ontario, Canada
    Posts
    3,778
    Quote Originally Posted by arch0nmyc0n
    Can XP be modified to do the "Routing and remote" junk?
    Long story short, it can't unless you install third party applications to do it.


    Now here are a few things you need to keep into account with this setup.

    1. Port forwarding is your best option for PC anywhere. I can't name offhand what port is used, you would need to check with the company that set it up to find out.

    2. Most routers do not support secure incoming VPN connections (even in a passthrough mode). You may want to look at a router that internally supports incoming VPN connections such as.. http://www.linksys.com/products/prod...id=29&prid=589

    3. 2k is on its way out, MS has already stated that sp5 will never come out. Look at 2k3 for a server solution if you want to go down that route. However, with what you have described, I don't believe it's necessary.
    <Ferrit> Take 1 live chicken, cut the head off, dance around doing the hokey pokey and chanting: GO AWAY BAD VIRUS, GO AWAY BAD VIRUS
    -----------------------
    Windows 7 Pro x64
    Asus P5QL Deluxe
    Intel Q6600
    nVidia 8800 GTS 320
    6 gigs of Ram
    2x60 gig OCZ Vertex SSD (raid 0)
    WD Black 750 gig
    Antec Tri power 750 Watt PSU
    Lots of fans

  3. #3
    Registered User arch0nmyc0n's Avatar
    Join Date
    Oct 2002
    Location
    It's all relative.
    Posts
    1,820
    Quote Originally Posted by Matridom
    1. Port forwarding is your best option for PC anywhere. I can't name offhand what port is used, you would need to check with the company that set it up to find out.
    Figured as much, anyone know the ports or have a page I could read, I'm just too busy to look it up (took me over an hour to type in the full story).

    Quote Originally Posted by Matridom
    2. Most routers do not support secure incoming VPN connections (even in a passthrough mode). You may want to look at a router that internally supports incoming VPN connections such as.. http://www.linksys.com/products/prod...id=29&prid=589
    So basically yer saying that there are routers out there that will do what Microsoft's "routing and remote" poo will do? So I don't need a server, the router has all the crap I need?

    Quote Originally Posted by Matridom
    3. 2k is on its way out, MS has already stated that sp5 will never come out. Look at 2k3 for a server solution if you want to go down that route. However, with what you have described, I don't believe it's necessary.
    What I meant was "2k"ish meaning any of the server OS's obviously leaning towards 2k3... I'm tired... so sue me :P lol

  4. #4
    Registered User arch0nmyc0n's Avatar
    Join Date
    Oct 2002
    Location
    It's all relative.
    Posts
    1,820

  5. #5
    Tech-To-Tech Mod kato2274's Avatar
    Join Date
    Sep 2001
    Location
    Bentleyville, Pa
    Posts
    2,317
    I know you said you don't want to drag another computer in, but if you are talking about VPN, then you should look into smoothwall. it routes, firewalls, vpns set up dmz's the whole works.

    here's the basic on how it works via the setup I use it with. My house, my parents house and my parents business all have hi-speed internet. I have a smoothwall box at each location acting as a firewall / router. their business network is 192.168.10.0 my network is 192.168.20.0 and their home network is 192.168.30.0

    I use smoothwall to create VPN tunnels between all the networks. it's really easy. so from my home I can remote desktop their win2k server at their business or their home machine etc.

    the tunnel is completely transparent to the user. there is nothing for them to setup or connect. it's pretty cool.
    Nonsense prevails, modesty fails
    Grace and virtue turn into stupidity - E. Costello

  6. #6
    Registered User arch0nmyc0n's Avatar
    Join Date
    Oct 2002
    Location
    It's all relative.
    Posts
    1,820
    I may look into that for when I'm dealing with setting up the stuff in their house which is just off the compound site. but the vpns are going to be used on laptops and even some of those high cost PDAs so I don't think they'd wanna carry one around with em

    What I need to know tho is the DLink I suggested comparable to the Linksys Mat suggested? I don't have a real concept of how VPNs work... will getting one of these VPN supported routers be the only equipment I need? They just need to so they can connect to the internal IP using whatever the hell they wanna use... and I took a look at the "computers" in the boiler room today... they're not really computers... they're more like fuse panels with blinky lights and stuff...

  7. #7
    Chat Operator Matridom's Avatar
    Join Date
    Jan 2002
    Location
    Ontario, Canada
    Posts
    3,778
    I was showing that router as an example. Any product you're more familiar with should do just as well. I would just research the product to make sure there are no known issues that would cause a problem with your planned setup.

  8. #8
    Registered User Kymera's Avatar
    Join Date
    Feb 2001
    Location
    New York, NY USA
    Posts
    1,205
    To simplify the install, you'll probably want the same endpoint on each side. When I was doing this stuff I'd use Zyxel. Their stuff looks professional, and because you can't buy it at CompUSA you look professional. Also, it comes with some good features like Dial Backup and an ICSA certified Firewall. I guess most importantly, there is a nice range of products so you can get the Zywall 2 for less than $150.
    Last edited by Kymera; December 2nd, 2004 at 09:39 AM.
    end of line.

  9. #9
    Registered User D@ve's Avatar
    Join Date
    Aug 2001
    Location
    Bournemouth, UK
    Posts
    325
    1, See Here

    2, Setup the Boiler Guys with a Static IP either using the router or in Windows then forward port 3389 to that IP then the Boiler Guy can just use Remote Desktop to connect to his PC at work!!

    VPN would only give him access to shares or printers on the network! Your best bet if the customer doesn't mind spending the money you should set them up with SBS 2003 Standard.

    Hope this helps?
    It's not big and it's not clever!!
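
Added example, not part of any post in this thread: a check of the address plan from post #1 and of port forwards like the ones discussed above. The 192.0.2.0/24 prefix stands in for the thread's X.X.X, the leased address 192.0.2.150 and TCP port 8000 for the boiler controllers are hypothetical, and the pcAnywhere and Remote Desktop ports are those tools' defaults rather than values given in the thread.

```python
import ipaddress

# Constructed stand-in for the thread's elided X.X.X prefix (documentation range).
NET = ipaddress.ip_network("192.0.2.0/24")
ROUTER = ipaddress.ip_address("192.0.2.1")
POOL_START = ipaddress.ip_address("192.0.2.100")   # DHCP pool .100-.199, per post #1
POOL_END = ipaddress.ip_address("192.0.2.199")

# Default ports of the remote-control tools named in the thread.
REMOTE_ADMIN = {("tcp", 3389): "Remote Desktop",
                ("tcp", 5631): "pcAnywhere data",
                ("udp", 5632): "pcAnywhere status"}


def check_static(name, addr):
    """Findings for one statically addressed host."""
    ip = ipaddress.ip_address(addr)
    if ip not in NET:
        return [("outside-lan", name)]
    if ip == ROUTER:
        return [("clashes-with-router", name)]
    if POOL_START <= ip <= POOL_END:
        return [("static-inside-dhcp-pool", name)]
    return []


def audit_forwards(forwards):
    """forwards: list of (proto, wan_port, lan_ip, lan_port). Returns findings."""
    findings, used = [], {}
    for proto, wan_port, lan_ip, lan_port in forwards:
        rule = f"{proto}/{wan_port}->{lan_ip}:{lan_port}"
        ip = ipaddress.ip_address(lan_ip)
        if ip not in NET:
            findings.append(("target-outside-lan", rule))
        elif POOL_START <= ip <= POOL_END:
            # A leased address can change, leaving the forward aimed at another host.
            findings.append(("target-is-dhcp-lease", rule))
        if (proto, lan_port) in REMOTE_ADMIN:
            # Reachable from the whole internet with only the tool's own login in front.
            findings.append(("remote-admin-exposed", rule))
        if (proto, wan_port) in used:
            # One WAN address can map a given external port to only one inside host.
            findings.append(("wan-port-already-used", rule))
        used.setdefault((proto, wan_port), rule)
    return findings


# Constructed plan: control PC on a leased address, both boiler controllers on
# hypothetical TCP port 8000 (the thread never says what they listen on).
PLAN = [("tcp", 5631, "192.0.2.150", 5631),
        ("tcp", 8000, "192.0.2.231", 8000),
        ("tcp", 8000, "192.0.2.232", 8000)]
```

Running `audit_forwards(PLAN)` flags the pcAnywhere forward twice (leased target, remote-admin port open to the WAN) and the second boiler forward for reusing an external port, which is the case the ISP administrator's option A addresses.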

  10. #10
    Registered User arch0nmyc0n's Avatar
    Join Date
    Oct 2002
    Location
    It's all relative.
    Posts
    1,820
    Quote Originally Posted by D@ve
    1, See Here

    2, Setup the Boiler Guys with a Static IP either using the router or in Windows then forward port 3389 to that IP then the Boiler Guy can just use Remote Desktop to connect to his PC at work!!

    VPN would only give him access to shares or printers on the network! Your best bet if the customer doesn't mind spending the money you should set them up with SBS 2003 Standard.

    Hope this helps?
    Sweet thanks that's what I'll need... *bookmark*

    As for the remote desktop... unfortunately the "computers" the boiler guys are using are not computers in any sense I've ever worked on... they're integrated systems into the boiler electronics... so no windows... no linux.... no anything I've seen before... and I asked them about ports and they say it doesn't use ports... so I figure rather than trying to get blood from a stone I'll just give them access with a VPN... These routers with VPN stuff should work... thanks for your suggestion tho.

  11. #11
    Registered User arch0nmyc0n's Avatar
    Join Date
    Oct 2002
    Location
    It's all relative.
    Posts
    1,820
    Thanks for reminding me about a backup dialup access... I totally forgot about that... so I went and checked out the DI-808HV model and downloaded the manual and it said it had the COMport I needed to attach an external modem.... but when I check here:

    http://www.dlink.ca/fabs/DI-808HV_fab.pdf

    It says it doesn't have it? WTH? The other adobe document is located here:

    ftp://support.dlink.ca/gateway/di-80...hv_qig_100.exe

    Wouldn't you think they'd be different model numbers?
