Small network, lots of features -- questions
Hello all,

I have set up a working network for my church, but I'm second-guessing the schema that I'm using. I would very much appreciate your thoughts on this. But a caveat first: our budget is limited, so while I know we could do a lot more in terms of security with better equipment... for now, we have what we have.

So here's the hardware I have:

Servers: One box running Server 2008 Enterprise (Core) with 3 VMs. The host machine is running only Hyper-V. 2 NICs are installed. VM1 is primary DC, DHCP; VM2 is backup DC, file server; VM3 is RRAS, print server.

Networking: we have one public IP and a cable modem. One router (Linksys BEFSX41) as the gateway. A few basic switches.

Wireless: 4 WAPs. DHCP is turned off; set up as RADIUS clients, authenticating to the domain.

Clients: mostly XP Pro, one Mac OS X 10.4 (don't ask), one Vista Business.

Stuff I'd like to have ASAP but have not yet implemented:
- VPN - Allow at least one user to VPN into the network (I say at least 1 because I'm not sure if that's all our router will allow).
- Wireless DMZ - Allows guests to have wireless access to the Internet but not access the network.

The current setup:
- Router IP: 192.168.1.1
- Switch is not plugged into the router. I am keeping the LAN separate from the router as a security measure.
- One NIC from the server is plugged into the router (192.168.1.13); the other is plugged into the switch (10.0.0.13).
- VM3 is acting as a router so that network clients can access the Internet. It has two NICs (192.168.1.14 and 10.0.0.14).
- VM1 (10.0.0.15) and VM2 (10.0.0.12) have static IPs.
- DHCP assigns 10.0.0.100-199, gateway 10.0.0.14 (VM3), DNS 10.0.0.15/12 (VM1 and 2).
- All static network clients (servers) have 10.0.0.14 (VM3) as their gateway.

Problems:
- Internet connection for clients is dog-slow. This prompted my post here because I thought it was maybe Hyper-V related. It is, somewhat, but that discussion has led me to re-think the network topology.
- Not sure how to implement VPN, which I'm itchin' to get running.

What I'm thinking:
- Plug the switch into the router directly. According to BrianEh in that post, it's not really buying me the security I thought it was.
- Remove NAT from VM3. Client gateways will be the router instead of the server.

Questions/concerns:
- Should the router be on a totally different subnet than the domain computers? Does it matter if the gateway IP for a 10.0.0.x network client is 192.168.1.1?
- I've read it's good to have two NICs for one's VPN server. I have that on VM3. But do I give it two 10.0.0.x IPs? One 192.168.1.x IP? Which one is the "Internet" NIC that RRAS prompts for? Or does it not matter?
- Bearing in mind I'd like to have a wireless DMZ, how does that affect IP address assignment for network devices? Does this force me to have a different subnet than the network for the gateway? Since Internet traffic for both DMZ and network clients will ultimately be going through the router.

As you can tell, I'm a newbie, but I've gotten pretty far with this. If you have an IP address schema that you think works better than my 10.0.0.x and 192.168.1.x, I'm all ears (10.0.x.x? 192.168.x.x?). I've read a little on private subnets, but I've only absorbed so much.

Again, your help is much appreciated.

Thanks
Tom
April 7th, 2009 7:22pm

Too many questions for one post, but I'll pick at this:

The VPN question: on your Linksys router, map TCP 1723 from the Internet to one of your Windows server's internal IP addresses. Then set up PPTP inside of Routing and Remote Access. The router doesn't need to be involved other than passing the traffic through.

Wireless DMZ: use the cable modem's default network to create a DMZ. Attach the wireless routers to this network, perhaps 10.0.0.0. Then put your Linksys behind that. The WAN interface of the Linksys would be on the 10.x range but the internal range would be 192. The 192 range is your LAN. If you do this, make sure you map 1723 in the cable modem AND the Linksys if you use the above VPN guidance. This also allows wireless users to VPN back into the network if they want to work on the LAN via their VPN tunnel. I have a diagram of a similar setup if you email me.

Mike Crowley A+, Network+, Security+, MCT, MCSE, MCTS, MCITP: Enterprise Administrator / Messaging Administrator
July 2nd, 2009 10:25pm
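The two addressing questions in this thread (can a 10.0.0.x client use 192.168.1.1 as its gateway, and must the guest DMZ be a separate subnet from the LAN) and the double-NAT port mapping in the reply can be sanity-checked before touching any hardware. The script below is an added example, not code from either poster; the host list, the segment names and the cable-modem public address 203.0.113.10 are constructed to model the thread, and the Linksys WAN address 10.0.0.2 is an assumed value.

```python
import ipaddress

# Constructed model of the thread's addressing, not real configuration.
# Host -> (interface address/prefix, default gateway or None).
CURRENT_PLAN = {
    "XP client":      ("10.0.0.100/24",   "10.0.0.14"),   # gateway is VM3
    "VM1 (DC/DHCP)":  ("10.0.0.15/24",    "10.0.0.14"),
    "VM3 (RRAS) WAN": ("192.168.1.14/24", "192.168.1.1"),
}
# Tom's question: a 10.0.0.x client pointed straight at the Linksys.
MIXED_PLAN = {"XP client": ("10.0.0.100/24", "192.168.1.1")}

def off_link_gateways(plan):
    """Names of hosts whose default gateway lies outside their own subnet.
    Such a host cannot ARP for its gateway, so no traffic leaves the segment."""
    bad = []
    for host, (addr, gw) in plan.items():
        if gw is not None:
            iface = ipaddress.ip_interface(addr)
            if ipaddress.ip_address(gw) not in iface.network:
                bad.append(host)
    return bad

def overlapping_segments(segments):
    """Pairs of named segments whose ranges overlap. A guest DMZ must be
    disjoint from the LAN, or the Linksys cannot route between them cleanly."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in segments.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]

def forward_chain_reaches(hops, port, target):
    """Walk a double-NAT chain from the outside in. Each hop is
    (device, wan_ip, {port: forwarded-to ip}). Returns (ok, detail)."""
    for i, (device, wan_ip, table) in enumerate(hops):
        nxt = table.get(port)
        if nxt is None:
            return False, f"{device} has no mapping for tcp/{port}"
        expected = hops[i + 1][1] if i + 1 < len(hops) else target
        if nxt != expected:
            return False, f"{device} forwards tcp/{port} to {nxt}, expected {expected}"
    return True, f"tcp/{port} reaches {target}"

# Mike's layout: cable modem segment 10.0.0.0/24 as guest DMZ, Linksys WAN on
# it, LAN 192.168.1.0/24 behind the Linksys, RRAS on the LAN. Both devices
# must map 1723 for the PPTP control channel to reach the RRAS server.
DMZ_HOPS = [("cable modem", "203.0.113.10", {1723: "10.0.0.2"}),
            ("Linksys BEFSX41", "10.0.0.2", {1723: "192.168.1.14"})]
```

Run `off_link_gateways(MIXED_PLAN)` to see why a 10.0.0.x client with gateway 192.168.1.1 gets no Internet at all, and drop the second hop's mapping from `DMZ_HOPS` to see where a forgotten port map in the double-NAT chain breaks the VPN.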

