Windows Server 2008 RRAS, VPN and NAT

  • Question

  • I have been trying to set up a working VPN to my server without success and it is driving me crazy.  I am able to successfully connect to the VPN server via PPTP and get an IP address but Windows will not NAT packets between the connected VPN clients and the local network.  Let me explain the setup:

    Internet Firewall -> VPN Server

    The firewall has had the proper port and protocol opened up for clients to connect to the VPN server, which works fine.  The Server has 2 NICs, one is on the network (internet addressable IP) and the other is disabled.  The VPN clients are set up to receive an IP address from a static pool in the range of 172.16.0.1 - 172.16.0.100.

    Once I connect with a VPN client, if I attempt to tracert to a machine on the network, it properly attempts to go through the VPN connection; however, it never gets past the VPN server's "Internal" interface's IP address.  For example, from the VPN client after connecting:

    VPN client's IP address is 172.16.0.2

    Tracing route to 198.183.x.x over a maximum of 30 hops
     
      1    517 ms    152 ms    174 ms    172.16.0.1 (server's "Internal" interface IP)
      2      *              *              *
      3      *              *              *

    How do I configure RRAS and VPN so that it properly NATs incoming packets from the "Internal" interface to the Local Area Connection?  Should it do this automatically and I am missing a firewall rule somewhere?

    Roles installed on the server:
      Active Directory Domain Controller (this is the primary DC)
      DNS Server
      Routing and Remote Access
        Remote Access Service
        Routing

    Tuesday, March 10, 2009 2:50 PM

Answers

  •    I can only agree with Shilpesh that you should not be running this on your DC. Running your DC as a router or remote access server will cause you grief sooner or later (probably sooner)! Do not multihome your DC.

       If your server is behind a router it only needs one NIC to operate as a VPN server. The two-NIC scenario is for a VPN server directly connected to the Internet.

        If your VPN client is receiving IP addresses in a subnet which is not used on the LAN, what you see is the expected result. The client will be able to connect to the VPN server, but the LAN machines are in a different IP subnet. This would only work automatically if the remotes were in the same IP subnet as the LAN machines. (RRAS then uses proxy ARP to get traffic from the LAN machines back to the remotes).

       If your LAN machines are in a different IP subnet from the remotes, you first have to enable IP routing in RRAS (so that it can route between the two subnets). You then have to modify your LAN routing so that traffic for 172.16.0.0 goes to the VPN server, not to the default gateway (which is probably your firewall). If the private address traffic goes directly to the gateway router it will be discarded (because private traffic cannot cross the Internet). It needs to go first to the VPN router to be encrypted and encapsulated before it hits the Internet router.   

    Bill
    • Marked as answer by Elisa Willman Monday, March 30, 2009 11:32 PM
    Wednesday, March 11, 2009 4:07 AM

All replies

  • + It will not be a good idea to expose the DC to the internet with a public IP on it or with the RRAS service. Use a different box for the RRAS service.

    + Little confused... you have mentioned that the server has 2 NICs and one is disabled???
    "The Server has 2 nics, one is on the network(internet addressable IP) and the other is disabled"

    + A VPN server can be run on a single NIC, but it will be unable to route between two networks. According to your requirement, I would recommend using two NICs to configure Routing and VPN.

    External World (internet)---->Firewall---->VPN server---->Internal Networks.

    Remove the RRAS configuration and re-configure it with the following steps:

    1. Right click the server name under the RRAS MMC - click "Configure and enable Routing and Remote Access"
    2. Click next on the welcome page - select custom configuration and click next
    3. Click VPN access and LAN routing check boxes
    4. Click Finish.
    5. It will ask if you would like to start service, say YES.

    + Once the service starts successfully, right click the server name, click properties, go to the IP tab and configure the static range. The first IP will be taken by the VPN server itself for creating the PPP adapter (when the first client connects) and from the second IP onwards, addresses will be assigned to VPN clients.

    + No other configuration needs to be done. The RRAS service will route packets between VPN clients and internal clients.

    Hope this helps.
    Wednesday, March 11, 2009 2:54 AM
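The static-pool setup from Shilpesh's steps above and the LAN routing change Bill describes in the accepted answer, expressed as commands for an elevated prompt. This is an added example and not code from either poster; the RRAS server's LAN address 192.168.1.10 and the LAN subnet 192.168.1.0/24 are assumed placeholders, while the 172.16.0.1 - 172.16.0.100 pool is the one from the question.

```powershell
# Added example (not from the thread). Assumed: RRAS server LAN IP 192.168.1.10,
# LAN subnet 192.168.1.0/24; the 172.16.0.0/24 client pool is the one in the question.

# --- On the RRAS server (after the wizard has enabled VPN access and LAN routing) ---

# Hand VPN clients addresses from a static pool. RRAS takes the first address
# (172.16.0.1) for its own "Internal" interface; clients start at 172.16.0.2.
netsh ras ip set addrassign method=pool
netsh ras ip add range from=172.16.0.1 to=172.16.0.100

# Let remote clients reach the whole LAN, not only the VPN server itself.
netsh ras ip set access mode=all

# Sanity check: show the resulting RAS IP settings (assignment method, pool, access mode).
netsh ras ip show config

# --- On the LAN side: on the default gateway if it lets you add static routes
#     (one place to maintain), otherwise on each LAN host that must answer VPN clients ---

# Return traffic for the client pool has to be sent to the VPN server's LAN address,
# not to the Internet gateway, which would simply drop the private 172.16.0.0/24 traffic.
route -p add 172.16.0.0 mask 255.255.255.0 192.168.1.10

# Verify: the pool route now points at the VPN server; the default route is unchanged.
route print 172.16.*
```

With the route in place, the `tracert` from the question should get a reply from the LAN host at hop 2 instead of timing out after the 172.16.0.1 hop. The firewall still only needs the VPN port and protocol open towards the RRAS server; the 172.16.0.0/24 route is internal and should never be advertised to or reachable from the Internet side.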
  • Why should I use a separate box for RRAS?  I have read in many places (in books and on the Internet) not to do this but no justification at all, for this.  I cannot go request another server machine (hardware and software licenses) just because "Microsoft and the Internet says so."  I need justifiable reasons for this.

    I figured out that RRAS and VPN is working fine.  The actual issue is that because my server only has one Internet addressable IP, you cannot use that IP to connect to RRAS with the VPN client *and* attempt to use it to make network share connections.  I should have looked closer at the routing table on the VPN client after connection.  Once I added a loopback adapter and put it on a private subnet, VPN clients were able to talk to the domain server using this IP.

    Now my issue is that VPN clients are extremely unreliable when it comes to using the correct DNS server once connected to VPN.  I can force it to work with a 3g air card and following http://support.microsoft.com/kb/311218 however, this fails completely when I connect via a wireless network on the same machine.
    Wednesday, March 11, 2009 12:00 PM
  •    The simple reason for not multihoming a DC/DNS server is that it causes all sorts of name resolution problems. See KB292822 for examples of this and possible fixes. The best way around the problem is to avoid it in the first place.

       If you are behind a firewall/router, your server should not have any Internet addressable IPs. Remote clients should connect to the firewall/router using its public IP. File sharing should use only the private IP addresses of the LAN machines. That is the whole point of VPN. The client gets a private IP address and is "virtually" on the LAN. The link through the public Internet should be invisible.

        When a client connects by VPN, it should receive the DNS address used by the DNS server. You can override this by manually configuring the DNS address in the connection properties. If you are using split tunnelling (i.e. maintaining your Internet connection as well as your VPN link), you can expect to have DNS problems.


    Bill
    Wednesday, March 11, 2009 11:59 PM
  • The DC will hold Active Directory information and no one would like to expose AD (the heart of resources) to the public, and that is the reason MS recommends a different box for the RRAS service. As Bill has said, multihomed machines create name resolution issues as well.

    Example - the RPC service listens on 0.0.0.0:135, which means it listens on all IPs on the machine including the public IP. If a hacker would like to bring your box down, it will be a piece of cake for him (all services depend on the RPC service).

    Hope this helps.
    Thursday, March 12, 2009 12:53 AM
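A way to see Shilpesh's point for yourself on a multihomed server: list the TCP listeners bound to every address (0.0.0.0 or [::]) together with the owning process and the services it hosts. This is an added check, not code from the post; it only parses `netstat` and `tasklist` output and is meant to be run in PowerShell on the server, so anything it lists is reachable on the public IP unless the firewall in front of the box blocks it.

```powershell
# Added check (not from the thread): TCP listeners bound to all interfaces. On a server
# that carries a public IP these are exposed unless the firewall filters them.
$listeners = netstat -ano -p tcp | Select-String 'LISTENING' | ForEach-Object {
    # netstat -ano line layout: Proto, Local Address, Foreign Address, State, PID
    $f = $_.Line.Trim() -split '\s+'
    New-Object PSObject -Property @{ Local = $f[1]; ProcessId = [int]$f[4] }
} | Where-Object { $_.Local -match '^(0\.0\.0\.0|\[::\]):' }

foreach ($l in $listeners) {
    # Map the PID to its image name and hosted services (e.g. RpcSs on port 135).
    $p = tasklist /svc /fi "PID eq $($l.ProcessId)" /fo csv | ConvertFrom-Csv
    '{0,-22} PID {1,-6} {2} [{3}]' -f $l.Local, $l.ProcessId, $p.'Image Name', $p.Services
}
```

On a domain controller the list will include 135 (RpcSs), the LDAP, Kerberos and SMB ports, and a range of dynamic RPC ports; every one of them is bound to the public interface too, which is the exposure both Bill and Shilpesh are warning about.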