11th February 2013, 01:43 PM #1
Change IP range, provide NAT for some old addresses. How?
I currently have a small IP range (192.168.100.0/24) that I need to expand. I was planning to use 172.16.0.0/23, doubling my address space (which should be adequate for my network).
We have a VPN connection to our local council, and they have firewall rules for certain IPs in our existing (192) range. Upon approaching them regarding changing the configuration in favour of the new range I'd like to use, I've been told the 172 addresses I'm planning to use are already in use on their internal system, and I should NAT the required addresses back to their original 192 flavour, to avoid requiring any system changes to the VPN setup.
Given that my experience of NAT goes no further than my router at home (I do know what it is and what it is for), how might I go about achieving this?
(The router that maintains the VPN connection is a Draytek Vigor 2820 and a Windows server runs my DHCP.)
Please, no suggestions of "just change your new IP range to something the council don't use". I get the distinct impression they're in no rush to change the configuration of the VPN and thoroughly intend this is all handled at my end of the tunnel. It is my intention to be prepared if this is the case.
14th February 2013, 01:50 PM #2
(In the interests of post closure...)
Fortunately, the county council have been able to make suitable NAT alterations to their equipment, so I don't have to do anything special at my end, other than make sure all the devices that are to connect over the VPN to their network have IPs in the first 172.16.0.x block. So that's DHCP reservations for the 25 machines that need them, then. Done.
It turned out there was no way I could have done this in-house without having another router or gateway in place to NAT all my traffic back to 192 addresses before it left the building. All I needed to do was switch off and think about it again the next morning and it all suddenly became so clear!
14th February 2013, 02:22 PM #3
Why not make use of a class A range, 10.10.*.* for example, so you don't conflict with them and then get the mappings changed?
18th February 2013, 05:16 PM #4
The way it's been done (yesterday, using the above-mentioned 172 range) required just as much work to implement and still required the local council to change their NAT settings. So would a class A range.
Yeah, we have a limitation of 254 clients that can use the VPN tunnel, but in all seriousness, we only need 20 and I would imagine the council are better off using the smaller subnet anyway. If I'd used a class A range, the same situation could occur further down the line for someone else, because I'm using a bigger range than is required for my needs.
Anyway, it's done now, and after a lot of fallout this morning that I didn't expect, everything is working.
I'm quite pleased with myself, considering all the roadblocks that got in my way when changing my internal IP range: Broken VMware hosts, unmountable NFS shares, corrupt VMware machine configurations...
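Added example, not part of any post in the thread: a check of DHCP reservations against the constraint described in posts #2 and #4, that only hosts in the first 172.16.0.x block can be translated 1:1 back to 192.168.100.x. It assumes the NAT keeps the host part of each address unchanged (the thread does not say how the council's mapping works), and the hostnames and sample reservations are constructed.

```python
import ipaddress

# Ranges taken from the thread.
NEW_LAN = ipaddress.ip_network("172.16.0.0/23")        # new internal range
VPN_BLOCK = ipaddress.ip_network("172.16.0.0/24")      # "first 172.16.0.x block"
LEGACY_NET = ipaddress.ip_network("192.168.100.0/24")  # range the existing rules expect

# Constructed sample reservations (hostnames are hypothetical).
SAMPLE = {
    "office-pc01": "172.16.0.25",
    "office-pc02": "172.16.0.255",   # valid host in the /23, broadcast after mapping
    "lab-pc07": "172.16.1.25",       # second half of the /23
    "old-printer": "192.168.100.9",  # never renumbered
}


def netmap(addr, src_net, dst_net):
    """Stateless 1:1 translation: keep the host bits, swap the network prefix."""
    ip = ipaddress.ip_address(addr)
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("1:1 mapping needs equal prefix lengths")
    if ip not in src_net:
        raise ValueError(f"{ip} is outside {src_net}")
    host_bits = int(ip) & int(src_net.hostmask)
    return ipaddress.ip_address(int(dst_net.network_address) | host_bits)


def audit_reservations(reservations):
    """Return (mapping, problems) for a dict of hostname -> reserved address."""
    mapping, problems = {}, {}
    reserved = (LEGACY_NET.network_address, LEGACY_NET.broadcast_address)
    for host, addr in sorted(reservations.items()):
        ip = ipaddress.ip_address(addr)
        if ip not in NEW_LAN:
            problems[host] = "not in the new LAN range"
        elif ip not in VPN_BLOCK:
            problems[host] = "outside the VPN block, no legacy address to map to"
        elif netmap(ip, VPN_BLOCK, LEGACY_NET) in reserved:
            problems[host] = "maps to the legacy network or broadcast address"
        else:
            mapping[host] = (str(ip), str(netmap(ip, VPN_BLOCK, LEGACY_NET)))
    return mapping, problems


if __name__ == "__main__":
    ok, bad = audit_reservations(SAMPLE)
    for host, (new_ip, legacy_ip) in ok.items():
        print(f"{host}: {new_ip} -> {legacy_ip}")
    for host, reason in bad.items():
        print(f"{host}: {reason}")
```

The 172.16.0.255 case is the one that is easy to miss: it is an ordinary host address inside the /23 but lands on the broadcast address of the old /24, which is why the usable count over the tunnel stays at 254.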