RAS VPN server with remote DHCP

    Question

  • Hi everyone

    I'm a network architect, not a Windows person, although I get my hands dirty every now and then :). I'm being asked to deploy a new VPN solution (easy) using Windows 2016 RRAS (OMG!!).

    At first I didn't like the thought of using RRAS. Then I played a bit with it and got excited, but now I feel like I've hit some strong design limitations, so the excitement is gone and I'm back to being mad at MS.

    I need to support up to 6000 VPN users. Needless to say, I don't want to have a single broadcast domain of 6000 users, nor do I want to have countless RRAS servers.

    So my main question is around IP addressing. I guess I have two options: either I use multiple static IP address pools, or I use DHCP. I've tried the first option; it seems to work, but then I don't get any DHCP options apart from what is configured on the selected adapter. I want DHCP to assign addresses to my VPN users.

    Here is my setup. 

    The RAS server (2016) has 2 NICs: one "outside" (10.103.226.201/24) with a default gateway, and one "inside" (10.103.225.201/24) with static routes (including a route to the DHCP server 10.103.224.254/24) defined at the OS level.

    Topology is like this

    DHCP Server  10.103.224.254 <->  Firewall  <-> (NIC1) VPN Server (NIC2) <-> Internet <-> VPN users 

    My DHCP server does NOT sit in the same subnet as the RAS server. I've created a DHCP scope 10.103.227.0/24 on my DHCP server (which is also a DC; it's just a lab), and I also created a loopback adapter on the RAS server using an IP address in the scope (10.103.227.254).

    In the RAS config, I've selected DHCP address assignment and also selected my loopback adapter for DHCP scope selection (so that the address of the loopback adapter should be used in the GIADDR field of the DHCP request). Then under the DHCP relay, I've configured the DHCP server address 10.103.224.254 and I've added the "Internal" interface (not to be confused with the loopback adapter or the "inside" interface). I understand the "Internal" interface is the client-facing interface for VPN users.

    I'm not getting any DHCP request leaving the RAS server. Looking at the event viewer, the RAS server complains the DHCP server is unreachable, but I can ping it (again, no DHCP request packets leave the RAS server, so it's a local issue, not a firewall/DHCP server issue).

    What am I missing, please?



    • Edited by Kurpeus Tuesday, July 10, 2018 2:04 PM
    Monday, July 9, 2018 3:18 PM

All replies

  • Hi,

    Thanks for your question.

    In my opinion, the problem may be with the loopback interface.

    Any network data packets sent to the loopback interface are considered to be sent to the device itself, and the device will not forward these packets.

    Try configuring the DHCP relay agent without the loopback interface.

    Refer to the following link:

    http://www.isaserver.org/img/upl/vpnkitbeta2/dhcprelay.htm

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information. 

    Best regards,

    Travis


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Tuesday, July 10, 2018 8:56 AM
  • Hey, thanks for your answer.

    I guess you're correct; there is good logic in your answer. It could well be that the loopback interface cannot be used for external routing. I'll look into this.

    Then this is a serious design limitation.

    Using a loopback wasn't my first approach, but I needed the loopback interface to sit in the VPN user IP range so that the DHCP relay function could set the GIADDR field correctly in the DHCP request. I'd then configure my local router to send all returning traffic to the VPN via the inside interface of the RAS server.

    So it looks like the DHCP relay can only be used if the inside interface sits in the VPN users' subnet. This is quite inelegant (actually "a disgrace" is more appropriate), as this means returning traffic will cause the local router to ARP out for each client address. I'm supposed to support 6000 users; that's a huge broadcast domain... that takes me back to the 90s.

    I can't believe this is it; there must be another way.

    Tuesday, July 10, 2018 12:33 PM
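The GIADDR mechanism discussed in the question and in the follow-up above, as an added example that is not part of the original thread: a Python script that builds the DHCPDISCOVER a relay agent forwards to the DHCP server (hops incremented, giaddr set to the relay's address in the client range), dissects it, and mirrors the server-side rule from RFC 2131: a non-zero giaddr selects the scope, and the DHCPOFFER is unicast back to giaddr on UDP/67. The addresses are the lab values from the thread; the client MAC and the list of candidate scopes are constructed for the example.

```python
"""Relayed DHCPDISCOVER: what the RRAS relay should emit, and how the DHCP
server uses giaddr. Added example, not code from the thread or from Windows."""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
DHCP_SERVER_PORT, DHCP_CLIENT_PORT = 67, 68
BOOTREQUEST = 1
OPT_MESSAGE_TYPE, OPT_PARAM_REQUEST, OPT_END = 53, 55, 255
DHCPDISCOVER = 1

# Lab values from the thread (relay address inside the VPN scope, DHCP server)
# plus a constructed client MAC and a constructed list of the server's scopes.
RELAY_GIADDR = "10.103.227.254"
DHCP_SERVER = "10.103.224.254"
CLIENT_MAC = bytes.fromhex("001122334455")
LAB_SCOPES = [ipaddress.ip_network(n)
              for n in ("10.103.224.0/24", "10.103.225.0/24", "10.103.227.0/24")]


def build_relayed_discover(client_mac, giaddr, xid=0x3903F326, hops=1):
    """DHCPDISCOVER as a relay agent forwards it: hops incremented, giaddr set
    to the relay's address on the client-facing network, rest as the client
    sent it (client has no IP yet, so ciaddr is 0 and the broadcast bit is set)."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        BOOTREQUEST, 1, len(client_mac), hops, xid,
        0,                                      # secs
        0x8000,                                 # flags: broadcast bit
        b"\0" * 4, b"\0" * 4, b"\0" * 4,        # ciaddr, yiaddr, siaddr
        ipaddress.IPv4Address(giaddr).packed,   # giaddr: the scope selector
        client_mac.ljust(16, b"\0"),            # chaddr
        b"\0" * 64, b"\0" * 128,                # sname, file
    )
    options = bytes([OPT_MESSAGE_TYPE, 1, DHCPDISCOVER])
    options += bytes([OPT_PARAM_REQUEST, 3, 1, 3, 6])  # want mask, router, DNS
    options += bytes([OPT_END])
    return header + MAGIC_COOKIE + options


def parse_bootp(packet):
    """Dissect the fixed BOOTP header and the DHCP options into a dict."""
    (op, htype, hlen, hops, xid, secs, flags,
     ciaddr, yiaddr, siaddr, giaddr, chaddr) = struct.unpack_from(
        "!BBBBIHH4s4s4s4s16s", packet)
    if packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet: magic cookie missing")
    options, i = {}, 240
    while i < len(packet) and packet[i] != OPT_END:
        if packet[i] == 0:          # pad option, no length byte
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": op, "hops": hops, "xid": xid, "flags": flags,
        "giaddr": str(ipaddress.IPv4Address(giaddr)),
        "chaddr": chaddr[:hlen].hex(":"),
        "message_type": options.get(OPT_MESSAGE_TYPE, b"\0")[0],
        "options": options,
    }


def select_scope(packet, receiving_interface_ip, scopes):
    """Server-side rule (RFC 2131 s4.3.1): a non-zero giaddr picks the scope
    containing the relay's address; otherwise the scope of the interface the
    request arrived on. This is why the relay must put an address from the VPN
    client range, not the inside NIC's 10.103.225.x, into giaddr."""
    hdr = parse_bootp(packet)
    key = hdr["giaddr"] if hdr["giaddr"] != "0.0.0.0" else receiving_interface_ip
    for scope in scopes:
        if ipaddress.IPv4Address(key) in scope:
            return scope
    return None


def reply_destination(packet):
    """Where the server sends DHCPOFFER: unicast to giaddr on port 67 for a
    relayed request, so the server needs a route back to giaddr and the relay
    must accept it there. (Non-relayed case simplified to the broadcast reply.)"""
    hdr = parse_bootp(packet)
    if hdr["giaddr"] != "0.0.0.0":
        return hdr["giaddr"], DHCP_SERVER_PORT
    return "255.255.255.255", DHCP_CLIENT_PORT


if __name__ == "__main__":
    pkt = build_relayed_discover(CLIENT_MAC, RELAY_GIADDR)
    print("giaddr:", parse_bootp(pkt)["giaddr"])
    print("scope selected:", select_scope(pkt, DHCP_SERVER, LAB_SCOPES))
    print("offer goes to:", reply_destination(pkt))
```

On the wire, a correctly relayed request captured on the inside NIC (filter on UDP port 67) has to show giaddr 10.103.227.254 and hops 1; the observation in the question that no such packet leaves the server means the relay never got as far as sending one. The script also shows the second requirement the loopback approach would have to meet: the server's reply is unicast to giaddr, so that address has to be reachable from 10.103.224.254 and the relay has to be listening on it.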
  • With 2008 R2 or 2012 R2 I tried to figure this out, how to forward IP queries from RAS to AD's DHCP, and I got a reply here that it cannot be done, so I was forced to use RAS's own static IP pools.

    MCSE Mobility 2018. Expert on SCCM, Windows 10 and MBAM.

    Friday, July 13, 2018 7:06 AM