What is better for VPN connections: a separate IP range, or the same subnet as the local physical devices?

What is the better approach for VPN clients?

One way is to set up a separate subnet for them and then set up routing to the other IP subnet with the physical devices; the other is to squeeze the VPN users into the same IP range as the physical devices.

I think for smaller deployments it is probably easier to have the VPN users in the same range.
The firewall on (Windows, on a trusted network) devices will usually let devices in the same IP range connect.
If the VPN server is on a device in the same subnet as the physical devices, but is not the default gateway, having them on a different subnet will often result in triangle routing (vpnclient->physclient->gateway->vpnclient), which firewalls don't like.
The downside to being part of the same subnet is that you will need some form of proxy ARP on the VPN server (MikroTik does this quite well).
Another option is to have them on a different subnet but use SRC-NAT when connecting to the physical devices.
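As an added illustration (not from the thread, and not MikroTik's own documentation), the three layouts the reply above describes can be written as MikroTik RouterOS commands. The bridge name bridge-lan, the LAN 192.168.88.0/24, the default gateway at 192.168.88.1, the VPN server at 192.168.88.2 and the VPN client range 10.20.0.0/24 are all assumed values; the PPP profile stands in for whichever VPN server type (L2TP, SSTP, PPTP) hands out the client addresses.

```routeros
# Added example, not from the thread. Assumed names and addresses:
#   bridge-lan = LAN-side bridge, LAN = 192.168.88.0/24, default gateway = 192.168.88.1,
#   VPN server = 192.168.88.2, VPN clients = 10.20.0.0/24 (options B and C).

# --- Option A: VPN clients inside the LAN subnet, proxy ARP on the VPN server ---
# A pool carved out of the physical LAN range; the LAN DHCP server must not hand out these addresses.
/ip pool add name=vpn-pool-lan ranges=192.168.88.200-192.168.88.220
/ppp profile add name=vpn-same-subnet local-address=192.168.88.2 remote-address=vpn-pool-lan
# The VPN server answers ARP on the LAN for the addresses of its connected clients, so
# physical hosts treat remote clients as neighbours on the same broadcast domain.
/interface bridge set bridge-lan arp=proxy-arp

# --- Option B: VPN clients in their own subnet, plain routing ---
/ip pool add name=vpn-pool ranges=10.20.0.2-10.20.0.254
/ppp profile add name=vpn-routed local-address=10.20.0.1 remote-address=vpn-pool
# If the VPN server is NOT the LAN default gateway, the gateway needs a return route to the
# VPN range (run this on the gateway router). Without it, LAN hosts send replies to the
# gateway, which bounces them back to the VPN server: the triangle routing mentioned above.
/ip route add dst-address=10.20.0.0/24 gateway=192.168.88.2 comment="return path to VPN clients"

# --- Option C: separate subnet, but source-NAT towards the LAN ---
# Clients keep 10.20.0.0/24 on the tunnel; the LAN only ever sees the VPN server's own
# address, so no gateway route and no proxy ARP are needed. The cost is that LAN-side logs
# and host firewalls can no longer tell individual VPN clients apart.
/ip firewall nat add chain=srcnat src-address=10.20.0.0/24 out-interface=bridge-lan action=masquerade comment="VPN clients -> LAN"
```

Pick one option per deployment; applying A and B together, for instance, leaves the VPN server answering ARP for addresses that are also routed, and the combination is hard to debug.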

Now I have them in a separate subnet and use classic routing to make them reachable from the other subnet.

I am wondering whether having them all in one subnet would somehow reduce resource usage on the router.

This is an interesting thought.

The basics will always remain the same, but the goals and functionality can change how things work.

In this case, whether you are an ISP or a corporate datacenter can make the access concentrator work differently.

Let us say the objective for an access concentrator, BRAS or BNG in an ISP works more simply than in a corporate datacenter, which probably requires more filters, etc.

So... we will let you define your access concentrator role first; then the layout design will follow.

It is just a simple case of an office where people who work from home, or are out of the office for some other reason, can connect using VPN to get access to the office network.

It is to be expected that traffic between VPN users and servers on the LAN will be intensive.

Well, if you have a specific place for those servers, i.e. a server farm, you can put the VPN access concentrator in the DMZ (not in the same place as those servers) so that you can still do some filtering.

I do not see how it is related to my question.

I am wondering whether having them all in one subnet would somehow reduce resource usage on the router.

Hardly. But it will complicate your configuration (you would need proxy ARP and so on).
Moreover, it will limit your ability to filter the traffic.

I usually put road warriors into a separate network only allowing them access to DNS, DC (sometimes) and RD Gateway.

Unless you need remote and local users to be on the same broadcast domain (most probably you do not) stay with a separate network.

PS: You might think that having clients in the same L2 network gives them near-wire speed and hardware switching. It is true for local PCs (connecting them directly via a bridge is better than having an L3 router between them), but it doesn't apply to VPN connections.

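The "separate network, allow only DNS, DC and RD Gateway" policy from the reply above, written as MikroTik RouterOS firewall rules. This is an added example, not the poster's configuration; the VPN client range 10.20.0.0/24, the LAN 192.168.88.0/24, the DNS server 192.168.88.10 and the RD Gateway 192.168.88.20 are assumed. Domain controller rules are left out because the Active Directory port set is long; they follow the same pattern as the DNS and RD Gateway rules.

```routeros
# Added example, not from the thread. Assumed: VPN clients in 10.20.0.0/24, LAN 192.168.88.0/24,
# DNS server 192.168.88.10, RD Gateway 192.168.88.20. Filter rules are evaluated top to bottom,
# so add them in this order (or use place-before= to slot them above any broader accept rule).
/ip firewall address-list add list=vpn-clients address=10.20.0.0/24
/ip firewall address-list add list=lan address=192.168.88.0/24

# Return traffic for sessions that were already allowed
/ip firewall filter add chain=forward connection-state=established,related action=accept comment="allow return traffic"

# Road warriors -> DNS (UDP 53, plus TCP 53 for large responses and zone transfers)
/ip firewall filter add chain=forward src-address-list=vpn-clients dst-address=192.168.88.10 protocol=udp dst-port=53 action=accept comment="VPN -> DNS"
/ip firewall filter add chain=forward src-address-list=vpn-clients dst-address=192.168.88.10 protocol=tcp dst-port=53 action=accept comment="VPN -> DNS (TCP)"

# Road warriors -> RD Gateway: HTTPS transport plus the optional UDP transport
/ip firewall filter add chain=forward src-address-list=vpn-clients dst-address=192.168.88.20 protocol=tcp dst-port=443 action=accept comment="VPN -> RD Gateway"
/ip firewall filter add chain=forward src-address-list=vpn-clients dst-address=192.168.88.20 protocol=udp dst-port=3391 action=accept comment="VPN -> RD Gateway UDP"

# Everything else from the VPN range into the LAN is dropped and logged, so a compromised
# remote laptop cannot reach file shares or management interfaces directly, and the
# attempts show up in the log with a searchable prefix.
/ip firewall filter add chain=forward src-address-list=vpn-clients dst-address-list=lan action=drop log=yes log-prefix="vpn-denied: " comment="drop everything else from VPN"
```

Using address lists rather than literal addresses means adding a domain controller later is a matter of one more address-list entry and the corresponding port rules, without touching the final drop rule.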

Broadcast is what I need.

Of course I do not expect it to be like connecting via a switch; I just wondered whether it might take some shorter path within the router itself, putting less stress on it.

If you need broadcast, then yes: you should put them into the same network. Broadcasts can't be routed (except in very special cases).
But what do you need it for?

Most modern protocols either use multicast (which can be routed by means of IGMP) or point-to-point connections.

What is your use case?


I need users to be able to see shared printers, for example, or shared directories. And there is also some usage of mDNS.