-
Mac Lover
APE, DHCP, RAS & 3(?) subnets :(
Hey networking gurus,
I'm having a little trouble figuring out if APE will conflict/support a config I currently have:
Currently, 2 separate LANs connect to each other via on-demand VPN connections over the internet. Each LAN runs its own Active Directory service and both are set to trust each other's domains.
Access via RAS to either network is no problem, AD authentication and access is successful, and because the trust relationship is established, a RAS connection from LAN A can access network resources from LAN B (print/file/etc.) and vice versa. Internet access is also possible via RAS.
Setup is:
1. LAN A currently being served by W2k Advanced Server (separate Active Directory Domain Controller) running the following network services:
-RRAS for NAT, RAS and VPN
-DHCP for LAN (10.1.1.x)
2. LAN B currently being served by W2k Advanced Server (Active Directory Domain Controller, same box) running the following network services:
-RRAS for NAT, RAS and VPN
-DHCP for LAN (10.1.2.x)
What I have is currently a textbook setup, but this is where things get sticky.
I'd like to:
1. Connect an APE base station to each LAN to serve wireless clients who use DHCP
-I guess this is a no brainer, but...
-considering each LAN has its own existing DHCP server, will APE's built-in DHCP conflict if I plug the APE's ethernet port into the LAN's switch?
-if no conflict, what address would it assign, or would it be assigned an IP from the W2k server?
-will the APE be able to co-exist with the existing DHCP server, by configuring the APE to distribute addresses on a different subnet and bridge the connections so LAN users can access wireless users without authentication problems?
2. Use the APE's built in modem to access the LAN rather than using the modems hooked up to the servers.
-in theory, I assume that it would work no problem if my proposed solution above is possible because the APE's built in modem would assign an IP address local to the APE's DHCP range.
-RAS authentication would initially be handled by the APE rather than the AD servers, but once the VPN connections are manually established, I assume that there should be no problems with further authentications so users may access print/file services.
To address this, I've considered using a regular access point, but I want to trim down the equipment in the rack by maxing out the features of the APE, including its built-in modem (thereby removing the modems currently installed in the servers).
Would a setup like what is below work?
[APE A (10.1.3.100-254)] xx-xx-xx-xx [APE B (10.1.3.1-99)]
[RAS A (10.1.3.x)] xx-xx-xx-xx-xx [RAS B (10.1.3.x)]
[LAN A (10.1.1.X)] <----VPN----> [LAN B (10.1.2.X)]
Curious if any of you guys have tried a similar setup, and what your comments are. I guess the answer to this is really simple, but I guess I've fallen victim to the dreaded brain drain... I've spent too much time figuring out how to properly integrate OS X without having to make changes to the AD structure...
Thanks guys!
-
Mac Lover
Why APEB?
Why use the Airport Extreme Base Station? Although the APEBS would be the "Apple" way of doing things, it will have features that you will not need.
That wouldn't be the most cost-effective way to add wireless capabilities to your current LAN. Why not get a simple Wireless Access Point, like the Netgear WAP11?
This way, you can use the existing DHCP services available from the W2K Servers on each segment. No muss, no fuss.
H
-
directX
Guest
Connect the AEBS to your network via the WAN port. AEBS DHCP will only give out IP addresses (10, 192 or 17 subnets) on the LAN port and WiFi.
With modems connected, the AEBS will assign a "local" IP from its DHCP IP pool.
hoho, Netgear may be a cheaper solution but I doubt if it provides you with a PPP-enabled modem port.
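The conflict the first post asks about (two DHCP servers on one segment, the W2K box and the AEBS's built-in server) and directX's point that putting the AEBS on its WAN port keeps its DHCP off the LAN can both be made concrete in code. The following is an added example, not code from this thread or from Apple: a minimal BOOTP/DHCP encoder and decoder plus a check that flags a DISCOVER transaction (xid) answered by more than one server, or by a server other than the one expected on that segment. A client takes whichever OFFER arrives first, so a second server on the wire is, for practical purposes, a rogue DHCP server. The packets, the xid, the 10.1.1.x W2K lease and the assumed 10.0.1.x AEBS pool are all constructed inline; nothing is sent on the wire.

```python
"""Detect a second DHCP server answering on one LAN segment.

Minimal BOOTP/DHCP encoder/decoder and a check that groups DHCPOFFERs by
transaction id (xid) and reports any xid answered by more than one server
or by an unexpected server. All sample packets below are constructed here
(assumed addresses, not values from the thread); nothing touches the network.
"""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_SUBNET_MASK, OPT_ROUTER, OPT_LEASE_TIME = 1, 3, 51
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 53, 54, 255
BOOTREPLY, MSG_OFFER = 2, 2


def _ip(s):
    return ipaddress.IPv4Address(s).packed


def build_offer(xid, yiaddr, server_id, mask, router, lease=3600):
    """Encode a DHCPOFFER: 236-byte BOOTP header, magic cookie, TLV options."""
    # op=BOOTREPLY, htype=1 (Ethernet), hlen=6, hops=0, xid, secs=0, flags=broadcast
    head = struct.pack("!BBBBIHH", BOOTREPLY, 1, 6, 0, xid, 0, 0x8000)
    head += b"\x00" * 4            # ciaddr
    head += _ip(yiaddr)            # yiaddr: the address being offered
    head += _ip(server_id)         # siaddr
    head += b"\x00" * 4            # giaddr
    head += b"\x00" * 16           # chaddr (client MAC; zeroed in the sample)
    head += b"\x00" * 192          # sname (64) + file (128)
    opts = (bytes([OPT_MSG_TYPE, 1, MSG_OFFER])
            + bytes([OPT_SERVER_ID, 4]) + _ip(server_id)
            + bytes([OPT_SUBNET_MASK, 4]) + _ip(mask)
            + bytes([OPT_ROUTER, 4]) + _ip(router)
            + bytes([OPT_LEASE_TIME, 4]) + struct.pack("!I", lease)
            + bytes([OPT_END]))
    return head + MAGIC_COOKIE + opts


def parse_dhcp(pkt):
    """Decode the fields needed to identify who offered what; reject truncated input."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    op, _htype, _hlen, _hops, xid = struct.unpack("!BBBBI", pkt[:8])
    yiaddr = str(ipaddress.IPv4Address(pkt[16:20]))
    opts, i = {}, 240
    while i < len(pkt):
        code = pkt[i]
        if code == OPT_END:
            break
        if code == 0:              # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(pkt):
            raise ValueError("truncated option header")
        length = pkt[i + 1]
        val = pkt[i + 2:i + 2 + length]
        if len(val) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = val
        i += 2 + length

    def ip4(code):
        v = opts.get(code)
        return str(ipaddress.IPv4Address(v)) if v is not None and len(v) == 4 else None

    return {"op": op, "xid": xid, "yiaddr": yiaddr,
            "msg_type": opts.get(OPT_MSG_TYPE, b"\x00")[0],
            "server_id": ip4(OPT_SERVER_ID), "mask": ip4(OPT_SUBNET_MASK),
            "router": ip4(OPT_ROUTER)}


def offer_subnet(offer):
    """The network a client would land on if it accepted this OFFER."""
    return ipaddress.ip_network("%s/%s" % (offer["yiaddr"], offer["mask"]), strict=False)


def find_competing_servers(packets, expected_server):
    """Return {xid: sorted server ids} for every xid that drew OFFERs from more than
    one server, or from any server other than expected_server."""
    by_xid = {}
    for pkt in packets:
        d = parse_dhcp(pkt)
        if d["op"] != BOOTREPLY or d["msg_type"] != MSG_OFFER:
            continue
        by_xid.setdefault(d["xid"], []).append(d)
    report = {}
    for xid, offers in by_xid.items():
        servers = sorted({o["server_id"] for o in offers})
        if len(servers) > 1 or any(s != expected_server for s in servers):
            report[xid] = servers
    return report


# Constructed samples: one DISCOVER (xid 0x3903F326) answered by both the W2K
# server (10.1.1.x, the existing LAN pool) and an AEBS whose LAN-side pool is
# assumed to be 10.0.1.x; a second DISCOVER answered only by the W2K server.
SAMPLE_XID = 0x3903F326
W2K_OFFER = build_offer(SAMPLE_XID, "10.1.1.50", "10.1.1.1", "255.255.255.0", "10.1.1.1")
APE_OFFER = build_offer(SAMPLE_XID, "10.0.1.2", "10.0.1.1", "255.255.255.0", "10.0.1.1")
CLEAN_OFFER = build_offer(0x1A2B3C4D, "10.1.1.51", "10.1.1.1", "255.255.255.0", "10.1.1.1")

if __name__ == "__main__":
    for xid, servers in find_competing_servers([W2K_OFFER, APE_OFFER, CLEAN_OFFER], "10.1.1.1").items():
        print("xid 0x%08X answered by %d servers: %s" % (xid, len(servers), ", ".join(servers)))
```

The report shows why the AEBS's ethernet port should not go straight into the LAN switch with its DHCP on: a wireless or wired client that happens to take the AEBS's OFFER ends up on 10.0.1.0/24 behind the AEBS's NAT instead of on 10.1.1.0/24 with the domain controller. With the AEBS on its WAN port, as directX describes, only the W2K server's OFFERs appear on the LAN side and the check stays quiet. On a live network the same check runs over OFFERs captured from UDP port 68 during a DISCOVER; here the packets are built in place.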
-
Mac Lover
Originally posted by directX
hoho, Netgear may be a cheaper solution but I doubt if it provides you with a PPP-enabled modem port.
Quite true. But, he already has the modems and everything else available and setup.
The APEBS would be a really expensive way to do something he can already do with existing equipment, except for serving WiFi clients of course.
Mikey, in #2, you mentioned accessing file/print services via the dialup connection (using the APEBS)... that would be a painful way of doing it, since you will only get 33.6Kbps connections across the 2 APEBS. That would be extremely slow.
We used to do something similar, we had a Point-of-Presence in Makati connected to our NOC in Quezon City via a dialup connection. We soon quickly realized that someone sending an attachment via email from one POP to another via the dialup connection would completely saturate the line, hopelessly bogging down everything else, even simple ssh sessions. Imagine trying that with file and print services, which will always entail big files. You will find that you were better off using the VPN through the Internet, especially if you have a halfway decent DSL connection to the Internet on both sides.
H
-
directX
Guest
If the two sites are within Metro Manila, getting a DSL connection for each site will cost you close to 20K/month total (10K each way). With that, you can get an E1 leased line from Bayantel already.
-
Mac Lover
Originally posted by hoho:
Originally posted by directX:
hoho, Netgear may be a cheaper solution but I doubt if it provides you with a PPP-enabled modem port.
Quite true. But, he already has the modems and everything else available and setup.
The APEBS would be a really expensive way to do something he can already do with existing equipment, except for serving WiFi clients of course.
Mikey, in #2, you mentioned accessing file/print services via the dialup connection (using the APEBS)... that would be a painful way of doing it, since you will only get 33.6Kbps connections across the 2 APEBS. That would be extremely slow.
We used to do something similar, we had a Point-of-Presence in Makati connected to our NOC in Quezon City via a dialup connection. We soon quickly realized that someone sending an attachment via email from one POP to another via the dialup connection would completely saturate the line, hopelessly bogging down everything else, even simple ssh sessions. Imagine trying that with file and print services, which will always entail big files. You will find that you were better off using the VPN through the Internet, especially if you have a halfway decent DSL connection to the Internet on both sides.
H
Thanks for the reply, and I agree that large transfers via the dial-up RAS will saturate the line, but both LANs have interconnects served by broadband connections, 1 LAN via inter.net 768kbps DSL, the other which is in Antipolo (no broadband DSL or cable there, last I checked), 512kbps microwave wireless by Meridian.
The VPN is an on-demand connection and is used probably an hour at a time to replicate db's and transfer mail.
The dial-up is used as a last resort for select mobile users (myself and the network admin) to monitor the servers on both LANs. Another reason I figured the AEBS would be a good choice is because I want to remove the existing modems from the servers (mountains + antenna towers = lightning/bad)...
For some weird reason, the Antipolo modem takes a long time to reinitialize if the connection is dropped or interrupted unexpectedly, requiring a manual reset of the modem using W2k's RRAS panel... BTW, lines there are horrible for data...
Instead of buying external USR/3Com modems, which are on the pricey side, I might as well take the plunge and buy an all-in-one and match my PowerBook at the same time.
I hope it does its job. Cisco has a similar wireless access point that can be hooked up to a bank of modems (analog and ISDN), but it costs about 100k.
I'll probably do this sometime this month, once the AEBS price cuts in the US reach here, and I'll let you guys know how it goes, and if it does work.
Originally posted by directX
If the two sites are within Metro Manila, getting a DSL connection for each site will cost you close to 20K/month total (10K each way). With that, you can get an E1 leased line from Bayantel already.
with regards to leased lines, we explored that early this year, but since the other site is in Antipolo, microwave was the only way to go.