Windows Server 2008 R2, RRAS, NPS, VPN, LAN routing - not able to go beyond the VPN server from VPN client

Question
-
I have been trying to set up a VPN on Windows Server 2008 R2 Standard. I did exactly what Shilpesh recommended in his answer (http://social.technet.microsoft.com/Forums/en/winserverNIS/thread/0686de84-e278-4820-8576-82351cf128dd)
That means:
- install RRAS
- custom configuration
- check VPN and LAN routing
- start service
- configure IPv4 - static IP pool from 172.0.0.64 to 172.0.0.127
- we use PPTP protocol with strongest encryption and CHAPv2
- setup NPS (I created a rule for network policies - for RAS (VPN-Dial up))
So, I can make a VPN connection - the situation looks like:
External World (internet; public IP address 194.228.x.x)---->VDSLmodem(routing public IPaddress to internal IPaddress 10.0.0.43)---->VPN server(internal IP address 10.0.0.43; VPN static IP pool from 172.0.0.64 to 172.0.0.127)---->Internal Networks(10.0.0.x)
But when I connect to the VPN from my NB, I'm not able to go beyond the VPN server. I can communicate with the VPN server only (IP address is 10.0.0.43 - I already tried ping, tracert, mstsc), but if I want to use other resources from our intranet, I'm not able to connect to them.
I can ping the VPN server only - 10.0.0.43. When I try another IP, a timeout occurs.
From the VPN server I got IP address 172.0.0.65 (VPN client's IP address) - when I try a trace route to an IP address, e.g. 10.0.0.200, I see:
Tracing route to 10.0.0.200 over a maximum of 30 hops
1 95 ms 108 ms 129 ms 172.0.0.64 (server's "Internal" interface IP)
2 * * * Request timed out.
3 * * * Request timed out.
BUT!!! When I try ping from the intranet to my NB it works! I mean ping from any computer on the intranet with IP address 10.0.0.x to 172.0.0.65 (my VPN client's IP address) works! So - routing from the intranet to VPN clients works, but routing from VPN clients to the intranet doesn't work
edited: I was wrong - I get a correct ping only from 10.0.0.43. When I try from other LAN clients I get:
C:\Windows\system32>ping 172.0.0.65
Pinging 172.0.0.65 with 32 bytes of data:
Reply from 194.228.x.x (our public IP address): TTL expired in transit.
Reply from 194.228.x.x: TTL expired in transit.
Reply from 194.228.x.x: TTL expired in transit.
Reply from 194.228.x.x: TTL expired in transit.
Ping statistics for 172.0.0.65:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss)
I'm very frustrated.
So can you help me find where the problem is, and why I'm not able to go beyond the VPN server from the VPN client?
Thank you very much
Jiri
- Edited by Jiri.Sokol Wednesday, July 18, 2012 2:23 PM
Wednesday, July 18, 2012 12:05 PM
All replies
-
My first guess is that your internal clients do not use the RAS server as default gateway and so the clients do not know how to route to 172.0.0.64 to 172.0.0.127 (your VPN net). If my assumption is correct, you need to configure a static route for the VPN network on the device that is the default gateway, with the internal IP of your RAS server as the gateway.
Second guess is, that "use default gateway on remote network" is deactivated. It is on by default if you create a new VPN connection. To verify this go on one of your VPN clients into the VPN connection properties, Networking tab, TCP/IP v4 Properties/Advanced.
Good luck!
Lutz
Thursday, July 19, 2012 5:00 AM -
Hi Jiri,
Thanks for posting here.
Please first show us the routing table and “ipconfig /all” from this RRAS server when it is ready to receive incoming connection requests, and please also let us see these results from one of the VPN clients when the tunnel is established.
Usually we need to adjust the routing table on the RRAS server if the address space (172.0.0.64 to 172.0.0.127) we assigned to VPN users is different from our internal address space (10.0.0.x):
Cannot reach beyond the RRAS server from VPN clients?
http://blogs.technet.com/b/rrasblog/archive/2006/02/09/419100.aspx
Also, on the VPN client, by default the system will use the address we assigned to the virtual PPP interface on RRAS (172.0.0.64 in your case) as the default gateway, which would cause the internet connection to be broken after the tunnel is created:
Split Tunneling for Concurrent Access to the Internet and an Intranet
http://technet.microsoft.com/en-us/library/bb878117.aspx
Hope that helps
Thanks
Tiger Li
Tiger Li
TechNet Community Support
Thursday, July 19, 2012 5:03 AM -
Hi to all :)
Thank you for your time. Here are ipconfig /all & route print -4 from the VPN server and the VPN client (when the connection is established):
VPN server:
C:\Windows\system32>ipconfig.exe /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : <server-name>
Primary Dns Suffix . . . . . . . : <full domain name>
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : <full domain name>
Home
PPP adapter RAS (Dial In) Interface:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : RAS (Dial In) Interface
Physical Address. . . . . . . . . :
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 172.0.0.64(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :
NetBIOS over Tcpip. . . . . . . . : Enabled
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : Home
Description . . . . . . . . . . . : Microsoft Virtual Machine Bus Network Adapter
Physical Address. . . . . . . . . : 00-15-5D-00-2A-00
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::f955:38d:5957:f878%10(Preferred)
IPv4 Address. . . . . . . . . . . : 10.0.0.43(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : 12. července 2012 9:51:04
Lease Expires . . . . . . . . . . : 20. července 2012 9:51:13
Default Gateway . . . . . . . . . : fe80::1%10
10.0.0.138
DHCP Server . . . . . . . . . . . : 10.0.0.138
DHCPv6 IAID . . . . . . . . . . . : 234886493
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-17-55-8E-CA-00-15-5D-00-2A-00
DNS Servers . . . . . . . . . . . : 10.0.0.41
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter Local Area Connection* 11:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
C:\Windows\system32>route print -4
===========================================================================
Interface List
25...........................RAS (Dial In) Interface
10...00 15 5d 00 2a 00 ......Microsoft Virtual Machine Bus Network Adapter
1...........................Software Loopback Interface 1
11...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.0.0.138 10.0.0.43 5
10.0.0.43 255.255.255.255 On-link 10.0.0.43 261
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
172.0.0.64 255.255.255.255 On-link 172.0.0.64 306
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 10.0.0.43 261
224.0.0.0 240.0.0.0 On-link 172.0.0.64 306
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 10.0.0.43 261
255.255.255.255 255.255.255.255 On-link 172.0.0.64 306
===========================================================================
Persistent Routes:
None
----------------------------------------------------------
VPN clients (when the tunnel is established):
C:\windows\system32>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . : <computer name>
Primary Dns Suffix. . . . . . . : <full domain name>
Node Type . . . . . . . . . . . : hybrid
IP Routing Enabled . . . . . . : No
WINS Proxy Enabled . . . . . . : No
DNS Suffix Search List . . . . : <full domain name>
PPP adapter VPN to work:
Connection-specific DNS Suffix . . . . :
Description . . . . . . . . . . . . . . : VPN to work
Physical Address. . . . . . . . . . . . :
DHCP Enabled . . . . . . . . . . . . . : No
Autoconfiguration Enabled . . . . . . . : Yes
Adresa IPv4 . . . . . . . . . . . . . . : 172.0.0.67(Preferované)
Subnet Mask . . . . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . . . . : 0.0.0.0
DNS Servers . . . . . . . . . . . . . . : 10.0.0.41
NetBIOS over Tcpip. . . . . . . . . . . : Enabled
Wifi Adapter Bezdrátové připojení k síti:
Connection-specific DNS Suffix . . . . :
Description . . . . . . . . . . . . . . : Intel(R) Centrino(R) Advanced-N 6205
Physical Address. . . . . . . . . . . . : 08-11-96-E9-0C-14
DHCP Enabled . . . . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . . . . : Yes
IPv4 address . . . . . . . . . . . . . : 192.168.1.220(Preferované)
Subnet Mask . . . . . . . . . . . . . . : 255.255.255.0
Lease Obtained . . . . . . . . . . . . : 19. července 2012 12:35:27
Lease Expires . . . . . . . . . . . . . : 19. července 2012 13:35:27
Default Gateway . . . . . . . . . . . . : 192.168.1.1
Server DHCP . . . . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . . . . : 192.168.1.1
NetBIOS over Tcpip. . . . . . . . . . . : Enabled
Tunnel adapter Teredo Tunneling Pseudo-Interface:
Connection-specific DNS Suffix . . . . :
Description . . . . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled . . . . . . . . . . . . . : No
Autoconfiguration Enabled . . . . . . . : Yes
Link-local IPv6 Address . . . . . . . . : fe80::c4f:352f:53ff:ffbc%14(Preferované)
Default Gateway . . . . . . . . . . . . :
IAID DHCPv6 . . . . . . . . . . . . . . : 520093696
DUID klienta DHCPv6 . . . . . . . . . . : 00-01-00-01-16-86-61-DB-E4-11-5B-F1-BB-E0
NetBIOS nad TCP/IP. . . . . . . . . . . : disabled
Tunnel adapter isatap.{F72E9043-5D24-40AC-A63F-21A498A36B86}:
Media State . . . . . . . . . . . . . . : disconnected
Connection-specific DNS Suffix . . . . :
Description . . . . . . . . . . . . . . : Microsoft ISATAP Adapter #5
Physical Address. . . . . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled . . . . . . . . . . . . . : No
Autoconfiguration Enabled . . . . . . . : Yes
Tunnel adapter 6TO4 Adapter:
Connection-specific DNS Suffix. . . . . :
Description . . . . . . . . . . . . . . : Microsoft 6to4 Adapter
Physical Address. . . . . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled . . . . . . . . . . . . . : No
Autoconfiguration Enabled . . . . . . . : Yes
IPv6 adresa . . . . . . . . . . . . . . : 2002:ac00:43::ac00:43(Preferované)
Default Gateway . . . . . . . . . . . . : 2002:c058:6301::c058:6301
DNS Servers . . . . . . . . . . . . . . : 10.0.0.41
NetBIOS nad TCP/IP. . . . . . . . . . . : disabled
C:\windows\system32>route print -4
===========================================================================
Interface List
19...........................VPN to work
13...08 11 96 e9 0c 14 ......Intel(R) Centrino(R) Advanced-N 6205
1...........................Software Loopback Interface 1
14...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
22...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #5
17...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter
33...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #6
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.220 4250
0.0.0.0 0.0.0.0 On-link 172.0.0.67 26
127.0.0.0 255.0.0.0 On-link 127.0.0.1 4531
127.0.0.1 255.255.255.255 On-link 127.0.0.1 4531
127.255.255.255 255.255.255.255 On-link 127.0.0.1 4531
172.0.0.67 255.255.255.255 On-link 172.0.0.67 281
192.168.1.0 255.255.255.0 On-link 192.168.1.220 4506
192.168.1.220 255.255.255.255 On-link 192.168.1.220 4506
192.168.1.255 255.255.255.255 On-link 192.168.1.220 4506
194.228.x.x 255.255.255.255 192.168.1.1 192.168.1.220 4251
224.0.0.0 240.0.0.0 On-link 127.0.0.1 4531
224.0.0.0 240.0.0.0 On-link 192.168.1.220 4510
224.0.0.0 240.0.0.0 On-link 172.0.0.67 26
255.255.255.255 255.255.255.255 On-link 127.0.0.1 4531
255.255.255.255 255.255.255.255 On-link 192.168.1.220 4506
255.255.255.255 255.255.255.255 On-link 172.0.0.67 281
===========================================================================
Persistent Routes:
None
- Edited by Jiri.Sokol Thursday, July 19, 2012 12:42 PM
Thursday, July 19, 2012 11:48 AM -
Hi Jiri,
What device is behind 10.0.0.138, and is 10.0.0.138 the default gateway for all your LAN clients?
Thank you,
Lutz
Thursday, July 19, 2012 11:08 PM -
Hi Jiri,
Thanks for posting here.
I verified the routing table on RRAS; it appears there is no routing entry on the RRAS server to the internal subnet 10.0.0.0/24, which means that even though the VPN client was routed to the RRAS server through the VPN tunnel (172.0.0.), it will not be routed to the internal subnet 10.0.0.0/24 from RRAS. So please first add the routing entry below on the RRAS server and see how it goes:
Run this command on the RRAS server: “route add 10.0.0.0 mask 255.255.255.0 10.0.0.43”
Thanks.
Tiger Li
Tiger Li
TechNet Community Support
Friday, July 20, 2012 3:02 AM -
Hi guys!
10.0.0.138 is the internal LAN IP address of our VDSL modem - it's the gateway from our intranet to the internet... => it's the end device :)
So, I tried to add the route on the RRAS server - but without any effect:
C:\Windows\system32>route print -4
C:\Windows\system32>route add 10.0.0.0 mask 255.255.255.0 10.0.0.43
OK!
===========================================================================
Interface List
25...........................RAS (Dial In) Interface
10...00 15 5d 00 2a 00 ......Microsoft Virtual Machine Bus Network Adapter
1...........................Software Loopback Interface 1
11...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.0.0.138 10.0.0.43 5
10.0.0.0 255.255.255.0 On-link 10.0.0.43 6
10.0.0.43 255.255.255.255 On-link 10.0.0.43 261
10.0.0.255 255.255.255.255 On-link 10.0.0.43 261
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
172.0.0.64 255.255.255.255 On-link 172.0.0.64 286
172.0.0.69 255.255.255.255 172.0.0.69 172.0.0.64 31
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 10.0.0.43 261
224.0.0.0 240.0.0.0 On-link 172.0.0.64 286
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 10.0.0.43 261
255.255.255.255 255.255.255.255 On-link 172.0.0.64 286
===========================================================================
Persistent Routes:
None
Results on my VPN client:
C:\windows\system32>tracert 10.0.0.44
C:\windows\system32>ping 10.0.0.44
Výpis trasy k 10.0.0.44 s nejvýše 30 směrováními
1 210 ms * 103 ms 172.0.0.64
2 * * * Request timed out.
3 * * * Request timed out.
4 ^C
Příkaz PING na 10.0.0.44 - 32 bajtů dat:
Request timed out.
Statistika ping pro 10.0.0.44:
Pakety: Sent = 1, Received = 0, Lost = 1 (100% loss),
Then I tried to delete route 10.0.0.0 and create it again for the interface of the VPN server (RAS (Dial In) Interface - ID 25) - same bad result :(
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.0.0.138 10.0.0.43 5
10.0.0.0 255.255.255.0 10.0.0.43 172.0.0.64 31
Thanks to all
Jiri
Friday, July 20, 2012 8:44 AM -
Hi Jiri,
Add the static route to your VDSL modem instead of to the RAS server.
Can you post an ipconfig /all of one of your internal clients as well?
Thank you,
Lutz
Friday, July 20, 2012 1:44 PM -
Hi Lutz,
do you think that there is some difference between my notebook and the server where the VPN server is running? (I have already posted the ipconfig from this server.)
C:\windows\system32>ipconfig /all
Konfigurace protokolu IP systému Windows
Host Name . . . . . . . . . . . . : <computer name>
Primary Dns Suffix. . . . . . . . : <full domain name>
Node Type . . . . . . . . . . . . : hybrid
IP Routing Enabled . . . . . . . : No
WINS Proxy Enabled . . . . . . . : No
DNS Suffix Search List. . . . . . : <full domain name>
Home
Ethernet adapter Připojení k místní síti:
Connection-specific DNS Suffix. . . . . : Home
Description . . . . . . . . . . . . . . : Intel(R) 82579LM Gigabit Network Connection
Physical Address. . . . . . . . . . . . : E4-11-5B-F1-BB-E0
DHCP Enabled. . . . . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . . . . : Yes
Link-local IPv6 Address . . . . . . . . : fe80::2c37:b6f0:f2db:b304%10(Preferred)
IPv4 Address. . . . . . . . . . . . . . : 10.0.0.34(Preferred)
Subnet Mask . . . . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . . . . : 20. července 2012 10:35:28
Lease Expires . . . . . . . . . . . . . : 21. července 2012 13:20:44
Default Gateway . . . . . . . . . . . . : fe80::1%10
10.0.0.138
Server DHCP . . . . . . . . . . . . . . : 10.0.0.138
IAID DHCPv6 . . . . . . . . . . . . . . : 238832274
DUID klienta DHCPv6 . . . . . . . . . . : 00-01-00-01-16-86-61-DB-E4-11-5B-F1-BB-E0
DNS Servers . . . . . . . . . . . . . . : 10.0.0.41
NetBIOS over Tcpip. . . . . . . . . . . : Enabled
Tunnel adapter Teredo Tunneling Pseudo-Interface:
Media state . . . . . . . . . . . . . . : disconnected
Connection-specific DNS Suffix. . . . . :
Description . . . . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . . . . : No
Autoconfiguration Enabled . . . . . . . : Yes
Tunnel adapter isatap.Home:
Media state . . . . . . . . . . . . . . : disconnected
Connection-specific DNS Suffix. . . . . :
Description . . . . . . . . . . . . . . : Microsoft ISATAP Adapter #6
Physical Address. . . . . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . . . . : No
Autoconfiguration Enabled . . . . . . . : Yes
C:\windows\system32>route print -4
===========================================================================
Interface List
10...e4 11 5b f1 bb e0 ......Intel(R) 82579LM Gigabit Network Connection
1...........................Software Loopback Interface 1
14...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
33...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #6
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.0.0.138 10.0.0.34 10
10.0.0.0 255.255.255.0 On-link 10.0.0.34 266
10.0.0.34 255.255.255.255 On-link 10.0.0.34 266
10.0.0.255 255.255.255.255 On-link 10.0.0.34 266
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 10.0.0.34 266
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 10.0.0.34 266
===========================================================================
Persistent Routes:
None
Many thanks for your time
Jiri
Friday, July 20, 2012 2:29 PM -
Hi Jiri,
I was asking for an ipconfig from one of your clients in your LAN, not from the RAS server and not from a VPN client.
I assume that all your LAN clients and the RAS server have the same default gateway: 10.0.0.138. Am I correct?
In that case, if you ping a VPN machine, the LAN client sends the IP packet to 10.0.0.138. The problem here is that 10.0.0.138 has no information on how to route to the VPN network (172.0.0.64 to 172.0.0.127). Only the RAS server has this information. So you have to do some configuration on the VDSL device and add a static route for 172.0.0.64 to 172.0.0.127 using 10.0.0.43 as next hop/gateway.
What is the model of your VDSL modem, so I can look up the exact configuration steps?
Thank you,
Lutz
Friday, July 20, 2012 5:12 PM -
Hi Lutz...
If I'm connected to our LAN, my NB is a LAN client. When I connect to the internet, e.g. by my mobile phone, and then make a VPN connection, my NB is a VPN client - correct?
So, the data above is from my NB when I was connected to our LAN - it was from a LAN client. ;-)
The answer to your question is "yes", all LAN clients and the RRAS server use the same gateway 10.0.0.138. Making a static route on the VDSL modem seems to be a good idea :)
Our model of VDSLmodem is Comtrend VR-3026e.
Best regards,
Jiri
Friday, July 20, 2012 8:24 PM -
I could not find a manual for the VR-3026e but I found one for a similar device.
- Open Internet Explorer and type in 10.0.0.138 as address
- type in username and password
- Click "Advanced Setup" on the left-hand navigation pane
- Click "Routing"
- Click "Static routes"
- Click "Add" to add a new static route
Destination Network Address: 172.0.0.0
Subnet Mask: 255.255.255.0
Enable "Use Gateway IP address" and type in 10.0.0.43
Deactivate "Use Interface"
- Click "Save/Apply"
Hope that helps and yes your description about your laptop is correct.
Good luck!
Lutz
- Marked as answer by Jiri.Sokol Sunday, September 23, 2012 3:05 PM
Friday, July 20, 2012 9:56 PM -
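The return-path problem described in the replies above, modelled as an added example (not code from the thread): each host forwards by longest prefix, then lowest metric, and a connection only works if both directions are delivered. The modem's own routing table, the "upstream" next hop and the 172.0.0.65 host route on RRAS are assumptions; the other routes and metrics come from the route prints and settings posted in the thread.

```python
import ipaddress

ON_LINK = "on-link"
# Which modelled host owns which address (172.0.0.64 is the RRAS PPP interface).
OWNER = {"10.0.0.34": "lan-client", "10.0.0.138": "modem", "10.0.0.43": "rras",
         "172.0.0.64": "rras", "172.0.0.65": "vpn-client"}


def build_tables(modem_has_vpn_route):
    """Per-host routes as (prefix, next hop, metric)."""
    tables = {
        "lan-client": [("0.0.0.0/0", "10.0.0.138", 10),
                       ("10.0.0.0/24", ON_LINK, 266)],
        "rras": [("0.0.0.0/0", "10.0.0.138", 5),
                 ("10.0.0.0/24", ON_LINK, 6),
                 # Host route for a connected client (constructed for .65).
                 ("172.0.0.65/32", ON_LINK, 31)],
        # Two default routes: the PPP one wins on metric (26 vs 4250).
        "vpn-client": [("0.0.0.0/0", "172.0.0.64", 26),
                       ("0.0.0.0/0", "192.168.1.1", 4250)],
        # Assumed modem table: LAN on-link, everything else goes upstream.
        "modem": [("0.0.0.0/0", "upstream", 1),
                  ("10.0.0.0/24", ON_LINK, 1)],
    }
    if modem_has_vpn_route:
        # The static route from the accepted answer, with the metric Jiri set.
        tables["modem"].append(("172.0.0.0/24", "10.0.0.43", 200))
    return tables


def lookup(table, dst):
    """Longest prefix wins; equal prefixes are decided by the lowest metric."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in table if addr in ipaddress.ip_network(r[0])]
    if not hits:
        return None
    return max(hits, key=lambda r: (ipaddress.ip_network(r[0]).prefixlen, -r[2]))


def trace(tables, src, dst, max_hops=8):
    """Follow a packet hop by hop; returns (path, verdict)."""
    node, path = src, [src]
    for _ in range(max_hops):
        if OWNER.get(dst) == node:
            return path, "delivered"
        route = lookup(tables[node], dst)
        if route is None:
            return path, "no route"
        hop = dst if route[1] == ON_LINK else route[1]
        nxt = OWNER.get(hop)
        if nxt is None:  # next hop is outside the modelled LAN
            return path + [hop], "left the LAN"
        node = nxt
        path.append(node)
    return path, "ttl expired"


def round_trip(tables, a, a_ip, b, b_ip):
    """Request and reply must both be delivered for a service to work."""
    return (trace(tables, a, b_ip)[1] == "delivered"
            and trace(tables, b, a_ip)[1] == "delivered")


def pool_prefixes(first="172.0.0.64", last="172.0.0.127"):
    """Smallest set of prefixes that covers exactly the VPN address pool."""
    nets = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [str(n) for n in nets]


if __name__ == "__main__":
    for fixed in (False, True):
        t = build_tables(fixed)
        print("modem static route:", fixed)
        print("  lan-client -> 172.0.0.65:", trace(t, "lan-client", "172.0.0.65"))
        print("  vpn-client -> 10.0.0.34 :", trace(t, "vpn-client", "10.0.0.34"))
        print("  round trip works:", round_trip(
            t, "vpn-client", "172.0.0.65", "lan-client", "10.0.0.34"))
    print("tightest prefix for the pool:", pool_prefixes())
```

The pool 172.0.0.64 to 172.0.0.127 is exactly 172.0.0.64/26, so the /24 route entered on the modem covers more addresses than the pool. 172.0.0.0/24 also lies outside the RFC 1918 range 172.16.0.0/12.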
Hi Jiri,
Thanks for update.
The reason I asked to add that entry is that there was no entry for that subnet, so even if traffic from the VPN was received by the PPP interface on RRAS, there was no way to redirect it to our internal subnet.
Yes, there is a little mistake in my last reply: since this server has been assigned an address from subnet 10.0.0.0/24, which is 10.0.0.43, the command should be “route add 10.0.0.0 mask 255.255.255.0 10.0.0.138”.
Is there any problem reaching any host in 10.0.0.0/24, which also includes the default gateway 10.0.0.138, after this command? (Please first remove the current routing entry for subnet 10.0.0.0/24 with the command “route delete 10.0.0.0 mask 255.255.255.0” before we add it.)
External World (internet; public IP address 194.228.x.x)---->VDSLmodem(10.0.0.138)---->VPN server(internal IP address 10.0.0.43; VPN static IP pool from 172.0.0.64 to 172.0.0.127)---->Internal Networks(10.0.0.x)
After these settings, VPN clients should be able to access the internal network through the interface of the RRAS server. Please also keep this entry on the client after we establish the tunnel:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.220 4250
0.0.0.0 0.0.0.0 On-link 172.0.0.67 26
If we are still unable to get it to work, please try to modify the registry entry IPEnableRouter on RRAS in order to force the system to enable IP forwarding, and reboot after we modify that:
How to Enable TCP/IP Forwarding in Windows XP
http://support.microsoft.com/kb/315236
Thanks.
Tiger Li
Tiger Li
TechNet Community Support
- Proposed as answer by Tiger Li (Microsoft employee) Tuesday, July 24, 2012 2:09 AM
Monday, July 23, 2012 12:45 PM -
Hi guys!
To Lutz:
Well done - this works - I have ping from VPN clients to internal IP addresses and I have ping from LAN clients to the VPN client... tracert is very slow, but working. That's perfect!
BUT :( I'm not able to do anything else... I can't go to a shared folder on LAN clients, I can't use the intranet web etc.
When I added the static route I had a problem determining the "prefix length" of the destination (the value after the slash in the destination definition) and the metric. I set:
Destination: 172.0.0.0/24
Interface: LAN/br0
Gateway IP address: 10.0.0.43
Metric: 200
Is it correct?
The primary goal of the VPN connection is working from home as if from work...
To Tiger Li:
Sorry, your recommendation doesn't work :(
I deleted route 10.0.0.0, then I added the route again as you wrote - I had no ping from the VPN client to the LAN client or from the LAN client to the VPN client. Then I changed IPEnableRouter in the registry from value 0 to 1.
On VPN client then I saw in routing table:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.220 4250
0.0.0.0 0.0.0.0 On-link 172.0.0.68 26
127.0.0.0 255.0.0.0 On-link 127.0.0.1 4531
but no ping, and I'm not able to use any service of our intranet :(
Any next idea?
Thanks to all!
Jiri
Tuesday, July 24, 2012 11:58 AM -
Hi to all,
I think, that I found where was my problem...
First - adding the static route on the VDSL modem makes ping work from the intranet (servers, clients) to VPN clients...
The second problem was in our new Symantec Endpoint Protection 12.1 :(
I had to add the pool of IP addresses of the VPN to all rules of the Symantec FW...
From this moment I have all the services that I need.
But when I installed the Symantec Endpoint Protection client on the VPN server - I lost all services outside the VPN server again (I still had ping response to the entire network). I think that this may be due to IPv6 of the VPN - can anybody confirm this? I don't know why, but I think that Symantec AV disables all IPv6 traffic.
Does anybody know how I can solve this? How can I install the Symantec AV client on the VPN server and allow all the services which I need for seamless traffic?
Thanks to all again
Jiri
Sunday, September 23, 2012 3:31 PM -
Sorry, I have to pass on Symantec AV.
Sunday, September 23, 2012 3:46 PM
-
You just need to allow IP traffic from SEP:
- Proposed as answer by M.Hasan Farokhi Sunday, August 4, 2013 10:32 AM
Sunday, August 4, 2013 10:32 AM