Which IP range should I use?

[undrop79]

We have a server with 2 NIC's (1xLAN NIC & 1xINTERNET NIC)

LAN NIC (192.168.16.100) goes to a switch which connects all the workstations on our network to utilise the servers files and programs (Exchange, File and Print services etc). The Server acts as a DHCP and it issues IP's to all the workstaions with the range 192.168.16.X

INTERNET NIC (192.168.0.1) is connected to our DSL Router which has the IP of 192.168.0.2. The internet is then tunneled to the workstations as listed below:

The Web - Router (192.168.0.2) - INTERNET NIC (192.168.0.1) - LAN NIC (192.168.16.100) - Workstations (192.168.16.X)

Is this setup correct? Whilst the internet does work like this on our workstations, I can't help but thinking that the DSL router and INTERNET NIC should be on the same IP Range of 192.168.16.X

[Jabber_uk]

In the past I have set up this sort of system with totally different IP ranges.

For instance:

1.
Local Network in the 192.168.1.0 range using a server to provide DHCP or a local router to provide DHCP. Router/Server on 192.168.1.1

Internet Network in the 10.0.0.0 range. Router providing DHCP to the Internet NICs.

There are problems with this kind of setup especially if DNS gets messed up.

2. Another way would be to have the Internet Router send its data to the Local Router and then on to the PC's although that would give hackers more direct access to the PC's then.

I prefer option 1 for security reasons...

[undrop79]

I'm familiar with both your examples. We used to use option 2 that you have described when our server used to have just the 1 NIC. Now that it has 2 NIC's we went for your option 1.

Is there a specific reason why with option 1, the LAN side and the INTERNET side need to be on 2 different IP ranges?

1 issue that I noticed, is that we use pcAnywhere to connect to the computers on this network remotely. But when we use option 1, we can only access the main server, and not the other workstations directly. With option 2, you can choose which workstation you want to connect to, it gives you a list of those on the network.

[brian.mark]

If you use the same subnet on both sides, it won't ever know how to contact the router because it could be on either side. That creates a problem and it won't ever work properly.

As far as the PC's not being available on PC Anywhere, that's because you've got to go one more network segment to get to them. What's the reason for the server not being on a public IP so you can use different ports to go to different PC's? That's how we handle things.

Brian.

[undrop79]

Hi Brian.Mark,

Our current setup does have the same subnet mask on each side. I didn't realise this would be an issue.

INTERNET SIDE [192.168.0.1 - 255.255.255.0]
LAN SIDE [192.168.16.100 - 255.255.255.0]

Do you mean that my router should have the IP address assigned by our ISP on it? If so, I was wondering if you could give me an example changing my setup from what it currently is below:

Static IP assigned by ISP:
IP: 81.174.143.54

Cisco DSL Router:
IP: 192.168.0.2
Subnet Mask: 255.255.255.0

Server INTERNET Side NIC:
IP: 192.168.0.1
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.0.2

Server LAN Side NIC:
IP: 192.168.16.100
Subnet Mask: 255.255.255.0

Thanks again for your help...

[brian.mark]

Actually, I was meaning that the same subnets can't be on both sides. You can't have 192.168.16.___ on both sides and expect it to route properly.

It sounds like your cisco device is doing NAT already, which is usually the goal of putting PC's behind a server. What are you trying to accomplish? I think we need to take a step back here.

Brian.

[undrop79]

Quote:

What's the reason for the server not being on a public IP so you can use different ports to go to different PC's? That's how we handle things.

I'm not sure what you mean by 'the server not being on a public IP'. You'll have to excuse my ignorance, I'm not 100% savy in networking. What would you suggest is the correct setup?

The cisco device does have NAT enabled.

The setup I had described, is how we currently have it. Do you think this is correct?

I noticed you mentioned that in order for pcAnywhere to become accesible through the other workstations, I would need to go one more network segment to get to them. Could you explain to me how this would be accomplished?

Apart from the above, I just wanted to confirm that all the settings on our router and NIC's were correct, or whether anyone could forsee any problems with having them setup this way.