RAS VPN server with remote DHCP

    Question

  • Hi everyone

    I'm a network architect, not a Windows person, although I get my hands dirty every now and then :). I'm being asked to deploy a new VPN solution (easy) using Windows 2016 RRAS (OMG!!).

    At first I didn't like the thought of using RRAS. Then I played a bit with it and got excited, but now I feel like I've hit some strong design limitations, so the excitement is gone and I'm back at being mad at MS.

    I need to support up to 6000 VPN users. Needless to say I don't want to have a single broadcast domain of 6000 users, nor do I want to have countless RRAS servers.

    So my main question is around IP addressing. I guess I have two options: either I use multiple static IP address pools, or I use DHCP. I've tried the first option; it seems to work, but then I don't get any DHCP options apart from what is configured on the selected adapter. I want to have DHCP assign addresses to my VPN users.

    Here is my setup. 

    The RAS server (2016) has 2 NICs, one "outside" (10.103.226.201/24) with a default gateway, one "inside" (10.103.225.201/24) with static routes (including a route to the DHCP server 10.103.224.254/24) defined at the OS level.

    Topology is like this

    DHCP Server  10.103.224.254 <->  Firewall  <-> (NIC1) VPN Server (NIC2) <-> Internet <-> VPN users 

    My DHCP server does NOT sit in the same subnet as the RAS server. I've created a DHCP scope 10.103.227.0/24 on my DHCP server (which is also a DC, it's just a LAB) and I also created a loopback adapter on the RAS server using an IP address in the scope (10.103.227.254).

    In the RAS config, I've selected DHCP address assignment and also selected my loopback adapter for DHCP scope selection (so that the address of the loopback adapter should be used in the GIADDR field of the DHCP request). Then under the DHCP relay, I've configured the DHCP server address 10.103.224.254 and I've added the "internal" interface (not to be confused with the loopback adapter or the "inside" interface). I understand the "internal" interface is the client-facing interface for VPN users.

    I'm not getting any DHCP request leaving the RAS server. Looking at the event viewer, the RAS server complains the DHCP server is unreachable, but I can ping it (again, no DHCP request packets leave the RAS server, so it's a local issue, not a firewall/DHCP server issue).

    What am I missing, please?



    • Edited by Kurpeus Tuesday, July 10, 2018 2:04 PM
    Monday, July 9, 2018 3:18 PM

Answers

  • I came up with my own solution for this. As I see it, there are 2 choices: either using static IP pools or using DHCP informs. It comes down to two considerations: do you need to send DHCP options to your clients? And do you want to use a network design that wasn't made in the 90s?

    Static IP pools are quite straightforward: one (or more) IP pool per server, making sure the local router on the "inside" interface of the RAS server routes traffic to the specific IP pool(s) via the RAS inside interface IP. It's a no-brainer and quite "clean" really, but you can't send DHCP options. You can only pass DNS / WINS / Domain Name parameters based on the "selected" interface properties of the RAS server (RAS server > Properties > IPv4 tab).

    So back to the real problem. What if I need to use DHCP? The problem with the way the RAS solution was designed is that the "selected" interface defines which network the DHCP requests will be coming from, so the DHCP server will only ever allocate addresses that are within the RAS server's local network. There is no other way to have the GIADDR field in a DHCP request use a different address than the RAS local interface.

    The problem with this approach is that since your clients receive IP addresses from the same range as the inside interface of the RAS server, it creates a broadcast domain between the local router and the VPN gateway that is equal to the number of connected clients. The local router sees all the VPN clients as locally connected and will ARP out for every single one of them (I need to support 6000 users). This is terrible by design.

    So my solution is as follows: use a different network mask on the local router and the VPN gateway so that the router sees the gateway as directly connected but considers all VPN clients to belong to a different subnet and routes the traffic to them via the VPN gateway. How do we go about achieving that? Make sure your local router and your VPN gateway sit in the same small subnet (/28 through /30 depending on how many routers / RAS servers you have).

    Here is a simple example:

    Local router 10.0.0.1/30  (mask 255.255.255.252) (Network scope 10.0.0.0 -> 10.0.0.3)

    RAS gateway 10.0.0.2/19 (mask 255.255.224.0) (Network scope 10.0.0.0 -> 10.0.31.255)

    Create an IP route on the local router to reach 10.0.0.0/19 via 10.0.0.2. This overlaps with its local subnet, but it doesn't really matter as the directly connected route always wins.

    DHCP scope 10.0.0.0 -> 10.0.31.255 (and make sure to exclude 10.0.0.0/30).

    With this the local router sees the VPN gateway as directly connected, while the users are reachable via the VPN gateway address. The broadcast domain is therefore limited to those two hosts only.

    The RAS server knows the VPN clients' allocated addresses, so it does not ARP out on the local subnet except for the router address.

    The DHCP server sees the GIADDR field coming from 10.0.0.2, therefore it knows which scope to allocate addresses from (and DHCP options).

    So it's an elegant solution to circumvent the design limitation, but somehow it still tickles me.

    • Marked as answer by Kurpeus Wednesday, July 25, 2018 1:14 PM
    Wednesday, July 25, 2018 1:14 PM
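    A small model of the mask trick in the accepted answer, added here as an example; it is not code from the thread or from Microsoft. It uses the answer's addresses (local router 10.0.0.1/30, RAS gateway 10.0.0.2/19, DHCP scope 10.0.0.0/19 with 10.0.0.0/30 excluded) and simplified stand-ins for the router's forwarding table and the DHCP server's scope selection, so the `Router`, `DhcpScope`, `select_scope` and `compare_designs` names and the 10.0.5.7 client address are assumptions for illustration, not real vendor or RRAS behaviour. It shows why the router resolves only the gateway with ARP while the clients are routed, and why a DHCP server that sees GIADDR 10.0.0.2 lands in the /19 scope and skips the excluded /30.

```python
# Added example (not from the thread): a model of the accepted answer's
# subnet-mask design and of GIADDR-based DHCP scope selection.
# Addresses are the answer's: router 10.0.0.1/30, RAS gateway 10.0.0.2/19,
# DHCP scope 10.0.0.0/19 with 10.0.0.0/30 excluded. The Router and DhcpScope
# classes are simplified stand-ins, not real vendor or Windows behaviour.
from ipaddress import IPv4Address, IPv4Interface, IPv4Network
from typing import Dict, List, Optional, Sequence, Tuple


class Router:
    """Forwarding table with one connected interface plus static routes.

    Lookup uses longest prefix match. For the answer's design (/30 connected,
    /19 static via the gateway) this agrees with the "connected route wins"
    rule the answer relies on, because the connected prefix is the longer one.
    """

    def __init__(self, interface: str, static_routes: Sequence[Tuple[str, str]] = ()):
        self.iface = IPv4Interface(interface)
        self.routes = [(IPv4Network(p), IPv4Address(nh)) for p, nh in static_routes]

    def lookup(self, dst: str) -> Tuple[str, IPv4Address]:
        """Return ('connected', dst) or ('via', next_hop) for a destination."""
        ip = IPv4Address(dst)
        candidates: List[Tuple[int, str, IPv4Address]] = []
        if ip in self.iface.network:
            candidates.append((self.iface.network.prefixlen, "connected", ip))
        for net, nh in self.routes:
            if ip in net:
                candidates.append((net.prefixlen, "via", nh))
        if not candidates:
            raise ValueError(f"no route to {dst}")
        _, kind, hop = max(candidates, key=lambda c: c[0])
        return kind, hop

    def arp_targets(self, destinations: Sequence[str]) -> set:
        """Addresses the router has to resolve with ARP to reach the destinations."""
        return {self.lookup(d)[1] for d in destinations}


class DhcpScope:
    """One scope: a network, excluded ranges and the options it hands out."""

    def __init__(self, network: str, exclusions: Sequence[str] = (),
                 options: Optional[Dict[str, str]] = None):
        self.network = IPv4Network(network)
        self.exclusions = [IPv4Network(e) for e in exclusions]
        self.options = options or {}
        self.leased: set = set()

    def allocate(self) -> IPv4Address:
        """Hand out the lowest free host address that is not excluded."""
        for host in self.network.hosts():
            if host in self.leased or any(host in e for e in self.exclusions):
                continue
            self.leased.add(host)
            return host
        raise RuntimeError(f"scope {self.network} exhausted")


def select_scope(scopes: Sequence[DhcpScope], giaddr: str) -> Optional[DhcpScope]:
    """A relayed request is matched to the scope that contains its GIADDR."""
    relay = IPv4Address(giaddr)
    for scope in scopes:
        if relay in scope.network:
            return scope
    return None


def compare_designs(n_clients: int = 6000) -> Dict[str, int]:
    """Distinct ARP targets the local router needs for n VPN clients.

    'flat'  : router interface inside the /19 client range (clients look connected)
    'split' : the answer's design, router /30 plus a static /19 via the gateway
    Client addresses are constructed, starting at 10.0.0.4 (first non-excluded host).
    """
    clients = [str(IPv4Address("10.0.0.4") + i) for i in range(n_clients)]
    flat = Router("10.0.0.1/19")
    split = Router("10.0.0.1/30", [("10.0.0.0/19", "10.0.0.2")])
    return {"flat": len(flat.arp_targets(clients)), "split": len(split.arp_targets(clients))}


if __name__ == "__main__":
    r = Router("10.0.0.1/30", [("10.0.0.0/19", "10.0.0.2")])
    print(r.lookup("10.0.0.2"))  # gateway is directly connected
    print(r.lookup("10.0.5.7"))  # a VPN client is routed via 10.0.0.2
    scopes = [DhcpScope("10.103.224.0/24"),
              DhcpScope("10.0.0.0/19", ["10.0.0.0/30"], {"dns": "10.103.224.254"})]
    vpn = select_scope(scopes, "10.0.0.2")
    print(vpn.network, vpn.allocate(), vpn.options)
    print(compare_designs())
```

    Running it shows the two points of the answer side by side: with the router on a /19 every client is an ARP target, with the /30 plus static /19 the router only ever resolves 10.0.0.2, and a request relayed with GIADDR 10.0.0.2 is served from the /19 scope starting at 10.0.0.4 because the /30 is excluded.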

All replies

  • Hi,

    Thanks for your question.

    In my opinion, the problem may be on the loopback interface.

    Any network data packets sent to the loopback interface are considered to be sent to the device itself, and the device will not forward these packets.

    Try to configure the DHCP relay agent without the loopback interface.

    Refer to the following link:

    http://www.isaserver.org/img/upl/vpnkitbeta2/dhcprelay.htm

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information. 

    Best regards,

    Travis


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Tuesday, July 10, 2018 8:56 AM
    Moderator
  • Hey, thanks for your answer.

    I guess you're correct, there is a good logic in your answer. It could well be that the loopback interface cannot be used for external routing. I'll look into this.

    Then this is a serious design limitation.

    Using  a loopback wasn't my first approach but I needed the loopback interface to sit in the VPN user IP range so that the DHCP relay function could set the GIADDR field correctly in the DHCP request. I'd then configure my local router to send all returning traffic to VPN via the inside interface of the RAS server.

    So it looks like the DHCP relay can only be used if the inside interface sits in the VPN users' subnet. This is quite inelegant (actually "a disgrace" is more appropriate), as this means returning traffic will cause the local router to ARP out for each client address. I'm supposed to support 6000 users; that's a huge broadcast domain ... that takes me back to the 90s.

    I can't believe this is it; there must be another way.

    Tuesday, July 10, 2018 12:33 PM
  • With 2008 R2 or 2012 R2 I tried to figure this out, how to forward IP queries from RAS to AD's DHCP, and I got a reply here that it cannot be done, so I was forced to use RAS's own static IP pools.

    MCSE Mobility 2018. Expert on SCCM, Windows 10 and MBAM.

    Friday, July 13, 2018 7:06 AM
  • Hi,
    Was your issue resolved? 
    If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.
    If you resolve it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.
    If no, please reply and tell us the current situation in order to provide further help.
    Best Regards,
    Travis

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Tuesday, July 24, 2018 3:00 AM
    Moderator
  • With 2008 R2 or 2012 R2 I tried to figure this out, how to forward IP queries from RAS to AD's DHCP, and I got a reply here that it cannot be done, so I was forced to use RAS's own static IP pools.

    MCSE Mobility 2018. Expert on SCCM, Windows 10 and MBAM.


    I managed to do a 2016 VPN server with remote DHCP servers, which are actually my DCs. It requires DHCP relays pointed to the DHCP servers. Works like a charm.

    MCSE Mobility 2018. Expert on SCCM, Windows 10 and MBAM.

    Tuesday, July 31, 2018 6:20 AM