I have a Verizon FiOS Internet line coming into my office here at DaniPad, and it has a block of 5 static IPs (x.x.x.18 - x.x.x.22) that I'm paying for.

The line is connected to a switch. Also connected to the switch, among other things (such as our security system), are the uplink ports of two Linksys routers, an EA6900 and an E1200.

The EA6900 has been statically assigned the .18 external IP address. My workstation and my server are both directly connected to this router, and each has been statically assigned a 192.168.1.x IP address, and wireless has been disabled.

The E1200 has been statically assigned the .20 external IP address and also has wireless disabled. A wireless Cisco Meraki device that has been assigned a 192.168.1.x IP address is connected to this router. All of the members of DaniPad connect to the Internet through the Meraki via the Meraki's DHCP server. They are all assigned a 10.x.x.x IP address.

Also connected to the E1200 is a wired network printer that has been statically assigned an IP address of 192.168.1.110.

All of the members who are connected to the Internet with a 10.x.x.x internal IP and a x.x.x.20 external IP are able to connect to the network printer with IP address 192.168.1.110.

I would like to connect to this printer as well. However, I'm assuming that in order to do so, I need to set up some sort of VPN between the Linksys routers. However, I want to continue using x.x.x.18 as my external IP address when browsing the web.

I have absolutely no VPN experience and I'm not a networking expert. Anyone able to offer their assistance?

All 25 Replies

There are various ways to handle the network configuration.

From a networking/routing perspective, I wouldn't say connecting both routers using a VPN connection is necessary.

I'm not familiar with those router models, but if those routers allow you to define VLANs, then you would simply create another subnet that will be used to connect both routers together (192.168.3.x for example), connect a cable between both routers, and change one of the 192.168.1.x networks to 192.168.2.x (or another subnet); that should take care of the issue with regard to routing.

The problem may be that if these are consumer-based routers (the type that you buy at the retail store), many generally don't have the ability to really allow you to create multiple subnets and route among the subnets on the private side of your network.

Did someone inform/suggest to you that you needed a VPN connection between them? Even with a VPN connection, having the 192.168.1.x subnet defined on both sides will not allow you to get packets from one segment to the other.

We need some discussion from someone that has hands on working knowledge with those devices.

I just assumed I needed some type of VPN connection. What's a VLAN?

I got both routers at Best Buy.

Ok, so I wouldn't want you to go and change the config without knowing whether this is supported by those two routers, but in general this diagram depicts how you would accomplish what you are asking about in general networking.

The only problem is whether or not your routers support routing on different local interfaces. I would suspect they do, but I'm not familiar with those consumer based models.


Love the diagram. So let's say I went ahead and changed the EA6900 to use 192.168.0.x instead of 192.168.1.x

How exactly do I set up that .3.x part?! Is that done in the router? Which router?

Your dhcp is via Meraki - as in Cisco's Meraki routers? You have one physically on-site?

JorgeM, what if I were to stick a USB-based wireless adapter into the back of my workstation and connected to the Meraki device just like all the other DaniPad members do? Would there be an IP conflict since now there would be two network adapters that each have access to a different network, each with their own 192.168.1.1?

Also, if I were to do that, how could I specify to always use just one of the network adapters for browsing the web?

How exactly do I set up that .3.x part?! Is that done in the router? Which router?

That's the problem. Each router has to support the ability for you to create an interface so you can assign an IP. So if these routers would support that, you would assign say 192.168.3.1 on one router and 192.168.3.2 on the other. Then the last step is to create the appropriate static routes if supported (or enable dynamic routes if supported) on each router.

At least from a general networking/TCP/IP perspective, the info I gave you would work just fine. It's just a matter of what those routers are capable of doing.

What if I were to stick a USB-based wireless adapter into the back of my workstation and connected to the Meraki device just like all the other DaniPad members do?

Yes, you could do that. Windows would allow that configuration. I would set up the IP on that Wifi connection as static. You don't want Windows configured with two default gateways. Then, when you set up the printer connection on your computer, just supply the IP address of the printer. Windows will know which interface to use because of the IP and route table on your computer.

Would there be an IP conflict since now there would be two network adapters that each have access to a different network, each with their own 192.168.1.1?

It's not so much an IP conflict problem, since your current design has the 192.168.1.x networks separated; it's more of a problem for your Windows computer because now it has two interfaces on the same subnet address. You are likely going to get weird results.

If you are going to put your computer on the wireless network, you should re-IP that local subnet to something other than 192.168.1.x on one side of the network.

Also, if I were to do that, how could I specify to always use just one of the network adapters for browsing the web?

Ok, that's no problem. On the wireless NIC, if you specify a static IP (just the IP and subnet mask) and NO default gateway, your computer will always use the other wired NIC that has a default gateway address. This is just basic TCP/IP routing. Your computer has a route table, and if it has one default gateway, that's the NIC where packets will go out through for remote networks.

EDIT- your wireless NIC will be on the 10.x.x.x segment with the other wireless nodes. Since this printer is not on that segment, you will need either a default gateway or static route on your windows box. Since you don't want a second default gateway, you must add a static route on that workstation so it knows that to get to 192.168.1.110, it must send packets to 10.1.1.1 (IP gateway on wireless network).

Should work just fine.

OK so my Linksys EA6900 has a section in its admin console called static routing. I have no clue what the other router has because my workstation can't connect to it haha.

Do you think that changing the Linksys EA6900 to be on 192.168.2.x and then using the wireless network adapter that I happen to already have lying around would be the best bet?

OK so my Linksys EA6900 has a section in its admin console called static routing

Not needed for this plan.

do you think that changing...

Yes, I would try that since it requires no additional $$$, and if you are unable to get the configs correct, your network will be in the same shape it's in now, just in a different subnet.

So once you get that side on .2.x, install the wireless NIC on your workstation, then assign the wireless NIC a static available IP on the 10.x subnet and add the appropriate static route on your Windows workstation. The static route is needed on your computer because it will have two NICs, and if it tries to get to 192.168.1.x it will go out the wired interface because that is a remote subnet. You want to prevent that and force it through the wireless NIC.

The route command is going to be something like this...

`route ADD 192.168.1.0 MASK 255.255.255.0 10.0.0.1`

Use the Windows help in CMD to look up the route command and get the parameter about persistence, so when you add the route, you tell Windows to save it.
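The two replies above (no second default gateway, a static route for 192.168.1.x via the wireless gateway) both rest on how Windows picks a route: longest prefix match first, then lowest metric. This is an added illustration, not code from the thread: a small model of that decision run over constructed route tables for the workstation before and after the .18 side is re-IPed. The interface names, metrics and the 10.0.0.1 gateway are assumptions taken from the example command, not from the real setup.

```python
# Added example: model the Windows route-table decision described in the
# replies (longest prefix match, then lowest metric) over constructed routes.
import ipaddress

def select_route(routes, dest):
    """Return the best (prefix, next_hop, iface, metric) for dest.

    Longest prefix wins; ties on prefix length fall back to the lowest
    metric; two routes equal on both are reported as ambiguous (None)."""
    d = ipaddress.ip_address(dest)
    matches = [r for r in routes if d in ipaddress.ip_network(r[0])]
    if not matches:
        return None
    matches.sort(key=lambda r: (-ipaddress.ip_network(r[0]).prefixlen, r[3]))
    best = matches[0]
    if len(matches) > 1:
        runner_up = matches[1]
        same_len = (ipaddress.ip_network(runner_up[0]).prefixlen ==
                    ipaddress.ip_network(best[0]).prefixlen)
        if same_len and runner_up[3] == best[3]:
            return None  # equally good routes: the "weird results" case
    return best

def egress_interface(routes, dest):
    """Name of the NIC a packet to dest would leave on, or None if ambiguous."""
    r = select_route(routes, dest)
    return None if r is None else r[2]

# Constructed tables: (prefix, next hop or "on-link", interface, metric).
# Wired NIC behind the .18 router only (today's situation): 192.168.1.110
# matches the on-link route and never leaves the .18 router's LAN.
WIRED_ONLY = [
    ("0.0.0.0/0", "192.168.1.1", "wired", 25),
    ("192.168.1.0/24", "on-link", "wired", 25),
]
# Wi-Fi NIC added while the .18 side is still 192.168.1.x: the on-link route
# and the static route cover the same /24 with the same metric.
OVERLAP = WIRED_ONLY + [
    ("10.0.0.0/8", "on-link", "wifi", 25),
    ("192.168.1.0/24", "10.0.0.1", "wifi", 25),
]
# After re-IPing the .18 side to 192.168.2.x; only the wired NIC has a
# default gateway, so web traffic stays on the .18 public address.
AFTER_REIP = [
    ("0.0.0.0/0", "192.168.2.1", "wired", 25),
    ("192.168.2.0/24", "on-link", "wired", 25),
    ("10.0.0.0/8", "on-link", "wifi", 25),
    ("192.168.1.0/24", "10.0.0.1", "wifi", 25),
]

if __name__ == "__main__":
    for name, table in (("wired only", WIRED_ONLY), ("overlap", OVERLAP),
                        ("after re-IP", AFTER_REIP)):
        print(name, "printer ->", egress_interface(table, "192.168.1.110"),
              "| web ->", egress_interface(table, "203.0.113.10"))
```

The 203.0.113.10 address is a documentation-range stand-in for any web server.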

I'll give this a shot tomorrow when I get into the office.

OK, so I realized that I can't do this. I know I didn't fully explain my architecture, but other devices and systems attached to the .18 router look for the server at its static 192.168.1.??? address. Changing this to .2 I don't believe is as easy as it sounds.

And changing the other router to .2 would mean telling all of the DaniPad members to uninstall and reinstall the printer.

Ok... Here is another possibility. If your printer supports web (HTTP) printing... Enable that on the printer, then you'd simply print to that public Internet URL.

From a technical perspective, what would be happening is that packets would arrive at the public interface of that E1200 router and would be translated into the private network, so your computer is unaware that it's printing to a device with the same private IP.

It's the same as if you had this router at home and you enabled web printing (HP printers are known for this). I'm sure you have seen those HP commercials where people send the print job from the Internet to their home printer.

This is a solution if your printer supports that feature.

If that's not getting you anywhere, you can still try to set up a VPN to get this to work. The nice thing about it is that you would be able to access anything on the network at DaniPad while you're at home/McDonald's/etc. securely (which can simplify firewall rules and security if you have a bunch of private things on the server).

I've never seen a router that has VPN capabilities though (except perhaps for those that are firmware modifiable), so you'll need some extra computer to run 24/7 (or on when you need the printer at least).

There are two ways you can go about this.
1. Let the vpn server run on your server, connect the extra computer to the printer and connect the extra computer to the vpn.
2. Let the vpn server run on the extra computer, connect the extra computer to the printer and connect your workstation (and/or) server to the vpn server.

PPTP is now crackable in practice, so I would suggest that it's avoided. A nice alternative is OpenVPN.

If I read that right, both subnets behind the .18 and .20 consumer Linksys routers are assigned 192.168.1.0/24 subnets. If that is true then you cannot use a VPN at all due to the overlapping subnets. (These routers don't seem to support NAT before crypto to overcome that issue, so it's out of the question.)

A solution, though not an ideal one, is to use a single port forward on the E1200 router to take a single high, non-standard port on the public IP x.x.x.20 and forward it into TCP 9100 on the printer's address. Look at the E1200 user guide on page 57 for info. Take TCP port 9299 and forward it into TCP 9100 to the IP address assigned to the printer. From your workstation, you set up the printer using IP port x.x.x.20 port 9299. This traffic on the public IP is sent into the printer on the right port.

This means anyone can scan and potentially find/print to this printer, but the random high port eliminates a lot of that risk. It would be ideal to have a router that can allow traffic based on source IP as well, but it is beyond this E1200's capabilities.

The better solution is a redo of one of the 2 router subnets so that you can just use a 2nd interface to reach the printer.

Yeah, CimmerianX's recommendation is simpler than the HP HTTP printing solution (although the same idea) because it uses the general port for TCP/IP printing.

Using port forwarding either on 80 (for HTTP printing) or 9100 for direct printing will work; although not the best solution, it is definitely zero cost and requires no additional hardware.

The only problem with this port forwarding solution is that anyone will be able to print to this printer by hitting the public IP on that router. I wouldn't be too concerned about it. I don't see this as a huge security risk or worry about random Internet users printing to your device. If that were to happen, just firewall/create appropriate rules on that router to only allow print-related traffic to come from the other router's public IP.

I had actually already thought about doing port forwarding but I was hoping for a better solution due to the ability for anyone to print remotely.

I'm leaning towards either doing that, or changing the subnet from .1 to .2 for the network everyone else uses. We're only two months old, so it would mean only having to tell a dozen people to uninstall and reinstall the printer on their computers. In the future, there might be other advantages to having my workstation be on the members' network, and if I'm eventually going to want to go down that route, I'd rather inconvenience a dozen people than four dozen.

Of course I can also just get my own printer in my office instead of jumping through hoops trying to share the public printer :)

I'd say that if you can re-subnet your side, do that anyway. You only have to inconvenience yourself by having to re-ip those nodes that are static. You don't have to inconvenience your customers for that to happen. This opens up for future opportunities you don't know about now.

Then just plug in a wifi stick in your PC, create the static route on your computer since this doesn't introduce the forwarding concern.

None of this will cost extra since you already have the wifi stick, just a little cost in terms of time.

The problem with doing that is the security system is tied into my server, and I have absolutely no idea how to reprogram our security system (card swipe and camera system). I'd need to end up hiring the security guy to come out and do it.

Also do you know if there are issues changing the static IP address of a Windows Server Essentials 2013 machine? I had a HELL of a time getting the certificates to work correctly.

Sorry, I have no experience at all with the Essentials edition. I can tell you that on the enterprise versions of Windows, I can't think of any instances where changing out the server's IP would break some app running, say like Active Directory, or any of the platform networking services.

So it looks like you may be back to having to re-IP the subnet where the printer resides.

Why would changing an IP have anything to do with certificates? As long as your DNS is updated to reflect the new subnet on the original name, certs should not be an issue at all.

The re-IP is a good idea all around regardless... but the port forward is still the quickest and easiest, I think. Camera systems can be granted a new IP without an issue, especially if you use a FQDN to access the system. For card swipers, this would depend on your solution. You would usually manage the security database via a thick client or via a local app on the controller. The controller would upload the changes via console to what is essentially the central unit(s). The IP may change on the app server, but the COM port uploads should not be affected. Other systems, i.e. ELK or Crestron, can all have IPs changed on the management consoles without issue.

Which solution are you going to use?

Dani,

As I see it, your problem comes from the fact that both of the routers are using addresses in the 192.168.1.0/24 subnet. It would be easier to solve if, say, the EA6900 only had IPs in the 192.168.1.2 to 192.168.1.32 range and the E1200 had them in the .33 to .255 range. If there is some defined cut-off then 'we got lots to work with man' and it can be done from the routers with a few static routes. Basically, what you're looking at is to get data from your workstation on the EA6900 over to the printer on the E1200; we are going to have to either build a bridge between the two routers for the printer traffic or give it a map to follow.

The following site gives a good reference for creating the static routes if the routers are broken down with 2 to 32 on router 1 and 33 to 255 on router 2.
http://www.dd-wrt.com/wiki/index.php/Linking_Subnets_with_Static_Routes

But if all we really need is your workstation (which I am assuming is Windows; if it is Linux then let me know) to be able to send to the printer, then we add the following route for the printer to the workstation. We need an administrator command prompt: Start, Accessories, then right-click and select "Run as administrator" (not just cmd in the start box).

First we get a copy of where we are right now:

`route print > c:\startingRoute.txt`

You can pull the file up with notepad or whatever you choose. Now we add the route and see what happens.

`route add 192.168.1.110 mask 255.255.255.255 x.x.x.20`

Where the x.x.x.20 is the real address of the E1200. This should send any traffic for .110 to the other router where it will go on its merry way to the printer. But to get traffic back we need a static route on the printer which may not be an option. But since you primarily send to a printer that should not be a problem. If it does not work or messes things up you can remove it by rebooting. If it works then run the same command with the -p flag to get it to stay between reboots.

`route -p add 192.168.1.110 mask 255.255.255.255 x.x.x.20`

How this works and helps.

@rch1231-

regarding...

`route add 192.168.1.110 mask 255.255.255.255 x.x.x.20`
Where the x.x.x.20 is the real address of the E1200. This should send any traffic for .110 to the other router where it will go on its merry way to the printer.

Keep in mind that this .20 address is the public interface for that router, and this router is running NAT, so it's not going to route traffic into the 192.168.1.x network without any port forwarding, so I don't think this is going to work. Thoughts?

JorgeM,

It might need an internal static route, but to be honest I did not think so. I am going to build a virtual network with GNS3 and check with a couple of the network gurus when at work tonight. You may have a point that it does not normally accept traffic for that subnet unless it is a reply to a packet the router submitted. Logically though, if the packet makes it through the gateway of the WAN port on the E1200 then it would now be in the native subnet and should travel on to its destination. Getting back was the tricky part as far as I could see.

To me the big piece is: are any IPs duplicated on the two 192.168.1.x networks, and are they segregated already (like .1 to .128 on one and .129 to .255 on the other) so we can just give a smaller netmask (255.255.255.128) and crosslink the routers?

Man that sounds good and like I know what I am talking about doesn't it. LOL
