Topic: Need some IT Experts
TiT
Posts: 1193
Location: Brisbane, Queensland
Has anyone done this or know someone who has???

We are opening up a branch office about 200 metres down the road. The branch office will have its own DC using Windows 2003, which will connect to our main office, which is using SBS 2003. We want to use 2 access points with huge antennas, which at the moment is working quite well: good reception, speed, etc.
My question is: how do I get the two domain controllers talking to each other? I have set them up independently, so the main office is on the 192.168.0 network and the branch office is on 192.168.1. I know how to use VPN, but is there a way to use wireless?
stinky
Posts: 1983
Location: Brisbane, Queensland
Is the wireless just bridging the two networks? If you're not running VLANS or anything funky, you should be able to see between the two with a subnet of 255.255.254.0.

You'll need to explain your network layout a bit better for us to understand exactly how they're connected ( bridged? ) and what tech/protocols might be in the way of the DCs talking ( NAT, firewalls, routers, etc ).
TicMan
Posts: 2414
Location: Brisbane, Queensland
So you have two separate domains and want them to talk? Set up a trust and/or piss off SBS and make it into a real man's DC.

Also, you will need a router somewhere that is connected to both networks to route the traffic between each network and/or take Stinky's suggestion and change the subnet of all your hosts to 255.255.254.0
Raven
Posts: 2022
Location: Melbourne, Victoria
You might not want to do this though - putting two separate networks on what's effectively the same wireless network will result in lots of broadcast wireless packets, and may exceed your 5/7 segment limits.

I strongly recommend having a router behind each access point, and running the APs in bridge mode.
Skitza
Posts: 7979
Location: Brisbane, Queensland
So many ways to do this but to make it simple, keep the subnets the same if you can, two WAP's in bridge mode, router on each end and done. I have done this myself and it will work.
ara
Posts: 1216
Location: Sydney, New South Wales
just whack a second NIC in one of the machines, run that NIC to the AP at that office, and enable IP routing on that machine.

the important thing to consider here is that you trust the security of the wireless link you have set up. too often people don't tighten the security up on APs after they get it working initially


last edited by ara at 18:57:13 25/Jul/07
Obes
Posts: 5310
Location: Brisbane, Queensland
In NetWare I would have them in the same tree, set up 3 partitions. 1 for each location and 1 for the commonly shared objects (eg. users). A server at each end with a rw of the shared bit. And a separate server for each of their bit.

Network wise I'd have them on 3 separate networks, to limit broadcasts and multicasts.

lan1
link
lan2


But windows .. *shrug*
Skitza
Posts: 7980
Location: Brisbane, Queensland
I'd put them in different contexts as well just to be cool.
Raven
Posts: 2023
Location: Melbourne, Victoria
> So many ways to do this but to make it simple, keep the subnets the same if you can, two WAP's in bridge mode, router on each end and done. I have done this myself and it will work.

Did I not make it *really* clear why this is a *really* bad idea?

Let me reiterate: All your DHCP traffic; all your broadcast traffic; all netbios discovery traffic - all of this will be transmitted over *both sides* of the transmission, taking up valuable bandwidth which is already going to be pretty limited over 200 meters.

Seriously:

172.16.10.0/24 ------------------------------------------- 172.16.20.0/24
switch<->router<->AP ((( P2P or PMP bridge + VPN ))) AP<->router<->switch

Edit: I've overreacted a bit and missed that you did in fact suggest putting a router on each end. My bad. But hopefully my insanity has helped clear things up a bit more for anyone already confused :)

FWIW I've had to set up a network completely connected using PMP covering a few kms for public access every March and November of each year... so I know how things don't quite work in practice as they do in theory.

last edited by Raven at 21:29:30 25/Jul/07
Skitza
Posts: 7982
Location: Brisbane, Queensland
Umm I think you are overreacting with the DHCP, broadcasts, NetBIOS traffic. We are talking about a small number of PCs, not 11tybillion with multiple collision domains :P

Router at both ends will take care of DHCP, easily done. Set the RIP to one way if you want and there is no problem :)
TiT
Posts: 1194
Location: Brisbane, Queensland
this is what i got

but need some help on doing it

http://img523.imageshack.us/img523/1849/officesetupjj2.jpg

I also want it so if one of the branch managers comes into our main office with his laptop he is able to log on, and vice versa...

I also want both offices to have their own internet connection....

last edited by TiT at 22:07:18 25/Jul/07
Skitza
Posts: 7983
Location: Brisbane, Queensland
What you did is fine, you will have to add static routes to see the other network, or change the subnets to match each other and you will be fine.
TiT
Posts: 1196
Location: Brisbane, Queensland
ok i have updated the picture....
http://img401.imageshack.us/img401/7753/officesetupeg3.jpg

Ok
Office A
Internet Netgear Router 192.168.0.1
Wireless D-Link 2100 AP Router 192.168.0.5

Office B
Internet Netgear Router 192.168.1.1
Wireless D-Link 2100 AP Router 192.168.1.5

Ok For Office A I will need to go into the Internet Router 192.168.0.1
In Static Route
Destination: 192.168.1.0
Gateway 192.168.0.5

Is this correct

For Office B just the opposite....

How do the two APs see each other if they are on different IP addresses?


Also if you have MSN can you please add me
prod_dorp at hot mail dot com

last edited by TiT at 09:23:36 26/Jul/07
TicMan
Posts: 2415
Location: Brisbane, Queensland
> How do the two APs see each other if they are on different IP addresses?


A) Get a routerz
B) Change subnet on all hosts to 255.255.254.0
TiT
Posts: 1197
Location: Brisbane, Queensland
i am running 255.255.255.0 for both offices, is that ok?

last edited by TiT at 09:24:18 26/Jul/07
Raven
Posts: 2025
Location: Melbourne, Victoria
> Wireless D-Link 2100 AP Router 192.168.1.5


The DLink DWL-2100AP is not a router, it is a P2MP AP only.
I would recommend, if you can stretch the budget, to get DWL-3200APs instead - they're basically the same as the 2100 but are designed for enterprise use. I.e., better quality parts, better SNR, dual antennas at 100mW combined rather than a single antenna at 20/30mW. It also sports a faster processor and handles the heat much better, in addition to working with Power over Ethernet. The PoE adaptor is included.
From memory the difference in rec retail is $170 vs $340 each, so you're looking at about $120 vs $260 for realistic prices. The extra is well worth it though.
(fwiw, I own 6 2100s and 4 3200s - we use them for the large network I described earlier).

As for the two APs seeing each other, on an IP level you just need to make sure each AP has the gateway configured correctly and reverse NAT enabled.
What will happen is the AP will send the traffic BACK to the router on its side, which *if configured correctly* will then re-route back out the same interface across the WLAN. Using a separate subnet for your WLAN devices might be a better idea (ie, put all your APs on 192.168.2/24).
TicMan
Posts: 2416
Location: Brisbane, Queensland
> i am running 255.255.255.0 for both offices, is that ok?


No, it's why we've all been saying use 255.255.254.0. Without going too over the top, a subnet of 255.255.255.0 (or /24) will let you see devices in the IP range of 192.168.0.1 -> 192.168.0.254 without needing a router, whereas a subnet of 255.255.254.0 (or /23) will cover an IP range of 192.168.0.1 -> 192.168.1.254.

Edit: ^- is only if you want to go the cheaper way. If you wanted to buy a router and the rest of it then 255.255.255.0 is fine for each office as the router would handle the traffic between the two subnets.
Raven
Posts: 2026
Location: Melbourne, Victoria
Of course, in doing so you're losing the ability to have some kind of VPN between the two locations, so you'll be relying on WEP or WPA as your only encryption... which will also severely degrade network performance.

If you're planning on using WPA over this tunnel, expect your throughput to be as low as 50-100KB/s.

I just really think using a /23 subnet is a really bad idea in this scenario. Don't be cheap, do it properly.

Also, if you're purchasing equipment here, you could always buy a Cisco 877W instead - that would become your ADSL router, and your AP/bridge. The 877 should be able to do pretty much everything you want here - including hardware 3DES VPN.

Then you only need a switch on the DMZ side and you're set.
TiT
Posts: 1198
Location: Brisbane, Queensland
ok...

Well at the moment we have

Netgear FVS124G Dual WAN PORT Router Office A Internet Router

Netgear FVS328 for Office A

2 x Dlink 2100 AP setup for WDS....
TicMan
Posts: 2417
Location: Brisbane, Queensland
If it's in WDS mode you don't need to separate the IP ranges since WDS is all about bridging two APs to make each side part of the same network. You could put all the devices onto a /24 and it'll work a treat.
Jim
Posts: 6221
Location: Brisbane, Queensland
> Of course, in doing so you're losing the ability to have some kind of VPN between the two locations
how's that?

this thread is painful
TiT
Posts: 1199
Location: Brisbane, Queensland
tic man can you add me to msn????

Raven
Posts: 2027
Location: Melbourne, Victoria
> how's that?

If you have no routers between, nothing to stop the traffic, then anyone who does decide to get in basically has unrestricted transmit ability to either side.
If you introduce a VPN between the two sides, but you still don't have those routers there, an intruder can still just transmit freely without having to send data over the VPN - so I do lie, you can have your VPN - but it's useless. That is, of course, unless you really lock down the systems to only accept data from VPN addresses/gateways.

It's just too much of a security headache.

> If it's in WDS mode you don't need to separate the IP ranges since WDS is all about bridging two APs to make each side part of the same network. You could put all the devices onto a /24 and it'll work a treat.

See above.

WDS + WEP = few kB/sec. WDS + WPA = less kB/sec. And WAP/WPA are both breakable - so you have an insecure environment.

Remember, WDS bridges Layer 2/3, whether you're using TCP/IP, Appletalk, whatever, that's all irrelevant to the AP, it knows nothing of it. It only handles management via TCP/IP.

Basically, virtually everyone here is saying "Just run an open, insecure network. It'll be fine!"

Edit: I'm not saying you can't use layer 2/3 managed switches here to help, but it's easier/better to use a router.

last edited by Raven at 14:54:29 26/Jul/07
Jim
Posts: 6222
Location: Brisbane, Queensland
> If you have no routers between, nothing to stop the traffic, then anyone who does decide to get in basically has unrestricted transmit ability to either side.
> If you introduce a VPN between the two sides, but you still don't have those routers there, an intruder can still just transmit freely without having to send data over the VPN - so I do lie, you can have your VPN - but it's useless. That is, of course, unless you really lock down the systems to only accept data from VPN addresses/gateways.
>
> It's just too much of a security headache.



ok so you use a /24 on each side, and what's to stop a user on 192.168.0.0/24 from doing something like route add -net 192.168.1.0 netmask 255.255.255.0 dev eth0 ?

there's not a lot of difference, you still need to restrict traffic flow regardless. not that I really care and this isn't even really relevant to his issue, but setting the subnet mask to a /23 doesn't mean he can't have a vpn or that a vpn would be useless
stinky
Posts: 1985
Location: Brisbane, Queensland
you would!
TiT
Posts: 1200
Location: Brisbane, Queensland
i still have no idea how to get the routers and the AP talking to each other....
TiT
Posts: 1201
Location: Brisbane, Queensland
i have made diagram

http://img401.imageshack.us/img401/7753/officesetupeg3.jpg

I am thinking this could be wrong as the two wireless AP need to be on the same IP address....

So if put them on the 192.168.0.5 & 192.168.0.6

So on Office A router (192.168.0.1)
Static Route
Destination 192.168.1.0
Subnet 255.255.255.0
Gateway 192.168.1.1

and in office B
Static Route
Destination 192.168.0.0
Subnet 255.255.255.0
Gateway 192.168.0.6

is that correct??


or

have decided to put 3 network cards in each server...

One for Internal
one for external -- which will link to my router...
One for Wireless -- Access points

and put the access points on another ip address 192.168.3.0

last edited by TiT at 16:41:48 26/Jul/07

last edited by TiT at 16:42:23 26/Jul/07

last edited by TiT at 16:44:31 26/Jul/07
Skitza
Posts: 7985
Location: Brisbane, Queensland
f*** you girls have managed to complicate this.

TiT
Posts: 1202
Location: Brisbane, Queensland
ok so at the moment i have got the office branches connected using the vpn on Remote Access on Windows 2003... this is working sweet...

Now all i need is to change it from using the internet to use the wireless AP....

are the setting above correct?
Raven
Posts: 2030
Location: Melbourne, Victoria
As has already been said, it doesn't matter about the IP settings on the APs.
What matters are that the channel, datarate and SSID on the APs match. Same deal with the use of WEP (I'm not actually sure if you can even use WEP/WPA over WDS).
typo
Posts: 5631
Location: Other International
> ok so you use a /24 on each side, and what's to stop a user on 192.168.0.0/24 from doing something like route add -net 192.168.1.0 netmask 255.255.255.0 dev eth0 ?
>
> there's not a lot of difference, you still need to restrict traffic flow regardless. not that I really care and this isn't even really relevant to his issue, but setting the subnet mask to a /23 doesn't mean he can't have a vpn or that a vpn would be useless


That is all lies.
Eds
Posts: 8312
Location: Brisbane, Queensland
> I'm not actually sure if you can even use WEP/WPA over WDS


You sure can, at least with a WRT54G and DD-WRT Firmware you can.
Jim
Posts: 6225
Location: Brisbane, Queensland
typo, I'm experiencing indignancy!
CaPt0
Posts: 5896
Location: Brisbane, Queensland
I didn't think that you could have multiple DCs with SBS2003? But then I am not a server guru any more.
stinky
Posts: 1988
Location: Brisbane, Queensland
Jim, I bought some cream from an email advertisement that will help you with that.
TiT
Posts: 1203
Location: Brisbane, Queensland
ok got it to work

what i have done

Office A
192.168.0.1 Router
192.168.0.5 Wireless AP on WDS with WPA2
192.168.0.10 Server

Router Static settings
Destination 192.168.1.0
Subnet 255.255.255.0
Gateway 192.168.0.1
metric 2

Office B
192.168.1.1 Router
192.168.1.5 Wireless AP on WDS with WPA2
192.168.1.10 Server

Router Static settings
Destination 192.168.0.0
Subnet 255.255.255.0
Gateway 192.168.1.1

AND IT WORKS, that's it!!!! The wireless bridges perfectly!!!

What I have found is that we lose connection sometimes to the server... maybe it's a switch problem and I need to put the wireless AP directly connected to the router....



BTW you can have lots of DCs connected to the SBS box, it must be primary and you can't move the FSMO across and Exchange and other programs across,

last edited by TiT at 16:21:09 27/Jul/07
Habib
Posts: 92
Location: Brisbane, Queensland
Are those static routes actually doing anything?
Jim
Posts: 6231
Location: Brisbane, Queensland
do you mean aside from providing a path between the two networks?
Alize`
Posts: 714
Location: Brisbane, Queensland
> Are those static routes actually doing anything?

have you been playing with packet tracer?
BigZub
Posts: 4711
Location: Brisbane, Queensland
hi nerds.
Habib
Posts: 93
Location: Brisbane, Queensland
> do you mean aside from providing a path between the two networks?


but how? At 192.168.0.1, he's set the gateway for the 192.168.1/24 net to be 192.168.0.1, which seems awfully recursive and non-functional. So from an IP routing perspective how do the packets then go 192.168.0.1 -> 192.168.0.5 -> 192.168.1.5 -> dest? And do they get NATted?

I'm guessing that despite the destination IP being in a different subnet, the packets never make it to the .1 modem/router because the destination is resolved via some sort of ARP magic between the switches and the WDS bridge, which both operate at the MAC layer and don't really care about IPs (from what I can gather).
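
Added example, not part of any post in this thread: a Python sketch of the two address checks argued over above, namely whether a host treats a destination as on-link under a /24 versus a /23 mask, and whether a static route's gateway is usable from the router it is entered on. The function names `on_link` and `check_static_route` are made up for this illustration; the addresses are the ones posted in the thread.

```python
import ipaddress

MASK24, MASK23 = "255.255.255.0", "255.255.254.0"

def on_link(host_ip, mask, dst_ip):
    """True if a host configured as host_ip/mask ARPs for dst_ip directly
    instead of handing the packet to its default gateway."""
    local_net = ipaddress.ip_interface(f"{host_ip}/{mask}").network
    return ipaddress.ip_address(dst_ip) in local_net

def check_static_route(router_ip, router_mask, dest, dest_mask, gateway):
    """Return the address-level problems in one static route entered on a
    router whose LAN interface is router_ip/router_mask."""
    iface = ipaddress.ip_interface(f"{router_ip}/{router_mask}")
    dest_net = ipaddress.ip_network(f"{dest}/{dest_mask}")
    gw = ipaddress.ip_address(gateway)
    problems = []
    if gw == iface.ip:
        # The next hop is the router itself, so the route forwards nowhere.
        problems.append("gateway is the router's own address")
    elif gw not in iface.network:
        # The router cannot ARP for a next hop outside its connected subnet.
        problems.append("gateway is not on a directly connected subnet")
    if dest_net.overlaps(iface.network):
        # With a /23 on the interface, both offices are one subnet already.
        problems.append("destination is already directly connected")
    return problems

# Routes as posted in the thread, all entered on the Office A router.
ROUTES = {
    "gateway = own address (final config)": ("192.168.0.1", MASK24, "192.168.1.0", MASK24, "192.168.0.1"),
    "gateway = Office B router":            ("192.168.0.1", MASK24, "192.168.1.0", MASK24, "192.168.1.1"),
    "gateway = local AP":                   ("192.168.0.1", MASK24, "192.168.1.0", MASK24, "192.168.0.5"),
    "Office B router as gateway, /23 mask": ("192.168.0.1", MASK23, "192.168.1.0", MASK24, "192.168.1.1"),
}

if __name__ == "__main__":
    for mask in (MASK24, MASK23):
        print(mask, "server A sees server B on-link:",
              on_link("192.168.0.10", mask, "192.168.1.10"))
    for name, route in ROUTES.items():
        # An empty list only means the addresses are consistent; the device
        # at the gateway address must still actually route packets.
        print(name, "->", check_static_route(*route) or "passes address checks")
```

Under the /23 mask the two servers reach each other on-link, so that traffic never passes through either router and no router filtering rule is applied to it.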

Jim
Posts: 6234
Location: Brisbane, Queensland
I see what you mean I think

I didn't read it like that though, I just read it as noobspeak for having set the nexthop of each router to be the other router's ip