RRAS VPN - DMZ / LAN routing and Internet access

  • Question

  • Assuming the following configuration:

    -the RRAS server (Win Server 2012 R2) has two NICs: one connected to the Internet with the public IP address 133.33.33.33, the other connected to the internal network with the IP address 10.1.100.250 (there is no NAT in my DMZ).

    Internet interface:

    • IP: 133.33.33.33
    • Mask: 255.255.255.0
    • Gateway: 133.33.33.1

    Intranet interface:

    • IP: 10.1.100.250
    • Mask: 255.255.255.0
    • No gateway

    -my VPN clients are getting IP addresses from DHCP: 172.16.1.0/24

    -RRAS configured for VPN access (so enabled as an IPv4 router for LAN too)

    -IPv4 forwarding enabled

    -RRAS filters are disabled

    My VPN clients are properly getting IP addresses from the DHCP server in the 10.1.100.0 subnet, but my issue is that if I don't configure any IPv4 static routes in the RRAS management console, the VPN clients are unable to communicate with the internal network. I don't mind configuring static routes for my internal network, but I would also like to have the VPN clients use the Internet through the VPN tunnel, and it's going to be an annoying job to summarize the public Internet IPs...

    • Is it normal that I have to configure static routes to make the VPN clients work? What about the Internet? Is there any way I can troubleshoot this?
    • Is there any documentation around on a DMZ setup and best practices?

    PS: I tried DirectAccess but most of my client applications are not compatible with IPv6.


    

    • Edited by Flop' Monday, September 29, 2014 11:24 PM
    Monday, September 29, 2014 11:21 PM

Answers

  •   If the VPN clients receive an IP address in the same IP subnet as the LAN machines you do not need any static routes. They are all in the same IP subnet, so no IP routing can take place. What happens is that the RRAS server does proxy ARP for the remote client.

      If you want to have a DMZ, it should not be in the same IP subnet as the LAN machines (and that will complicate your VPN setup). What did you plan to use as your firewalls? Most firewall hardware/software also do VPN so you would not need RRAS.

      With RRAS and no third party firewalls the remote client should be able to use the Internet if RRAS is doing NAT for the LAN and the RRAS internal interface is listed as a private interface in NAT.

     

    Bill


    • Edited by Bill Grant Tuesday, September 30, 2014 6:07 AM typo
    • Marked as answer by Flop' Saturday, October 4, 2014 12:02 PM
    Tuesday, September 30, 2014 1:57 AM

All replies

  • Hi,

    I agree with Bill. The DMZ should not be in the same IP subnet as the LAN, and if the remote clients want to access the Internet through the VPN tunnel, we should configure NAT for the VPN clients on the RRAS server. To configure an existing RRAS server to support both VPN remote access and NAT routing, please follow the steps below:

    1. Open the Routing and Remote Access console.

    2. Expand IPv4, right-click General, and then click New Routing Protocol.

    3. In Routing protocols, click NAT, and then click OK.

    4. Right-click NAT, and then click New Interface.

    5. Select the interface that connects to your private intranet, and then click OK.

    6. Select Private interface connected to private network, and then click OK.

    7. Right-click NAT, and then click New Interface again.

    8. Select the interface that connects to the public Internet, and then click OK.

    9. Select both Public interface connected to the Internet and Enable NAT on this interface, and then click OK.

    For more details about configuring NAT, please refer to the link below:

    Enable RRAS as a VPN Server and a NAT Router

    http://technet.microsoft.com/en-us/library/dd458971.aspx

    Best Regards,

    Tina

    Friday, October 3, 2014 10:22 AM
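The following PowerShell is an added verification script for the setup discussed in this thread; it is not part of the original posts and it changes nothing on the server. Run the first function on the RRAS server after completing Tina's NAT steps: it shows IPv4 forwarding on both NICs, checks that there is exactly one default route and that it leaves via the Internet NIC, lists the routing table (RRAS adds a /32 host route per connected client), and prints the VPN role state and the addresses connected clients received. The second function runs on a LAN host and checks Bill's proxy-ARP point directly: a LAN host resolving a connected VPN client's address should get the MAC of the RRAS intranet NIC. It also covers the case Bill's answer implies but does not spell out: if the client pool is a different subnet from the LAN (such as 172.16.1.0/24 in the question), LAN hosts or their default gateway need a return route for that pool via 10.1.100.250. The interface aliases, the LAN prefix, and the example client address and MAC are assumptions taken from the question, not values from the page. Keep Bill's firewall question in mind: with NAT enabled on the Internet NIC and RRAS filters disabled, this server is the perimeter device.

```powershell
# Added verification script for the setup discussed in this thread; it is not
# part of the original posts and it changes nothing on the server. Interface
# aliases, the LAN prefix and the example client address/MAC are assumptions
# taken from the question; adjust them to your environment.

function Test-RrasServer {
    # Run on the RRAS server after completing the NAT steps above.
    param(
        [string]$InternetAlias  = 'Internet',        # assumed alias of the NIC with 133.33.33.33
        [string]$IntranetAlias  = 'Intranet',        # assumed alias of the NIC with 10.1.100.250
        [string]$IntranetPrefix = '10.1.100.0/24'    # LAN subnet from the question
    )

    # 1. IPv4 forwarding must be enabled on both NICs, or the server cannot
    #    route between the VPN clients and either network.
    Write-Host '== IPv4 forwarding per interface =='
    Get-NetIPInterface -AddressFamily IPv4 -InterfaceAlias $InternetAlias, $IntranetAlias |
        Format-Table InterfaceAlias, Forwarding, ConnectionState -AutoSize

    # 2. Exactly one default route, via the Internet NIC (133.33.33.1). The
    #    "No gateway" on the intranet NIC in the question is correct: a second
    #    0.0.0.0/0 would send the NATed client traffic into the LAN instead.
    Write-Host '== Default routes (expect exactly one, on the Internet NIC) =='
    $defaults = @(Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue)
    $defaults | Format-Table InterfaceAlias, NextHop, RouteMetric -AutoSize
    if ($defaults.Count -ne 1) { Write-Warning "Found $($defaults.Count) default routes, expected 1" }

    # 3. The rest of the table. RRAS adds a /32 host route for every connected
    #    client. If those addresses fall inside $IntranetPrefix no extra routes
    #    are needed (RRAS proxy-ARPs for them, as Bill explains). If the pool is
    #    a different subnet, such as 172.16.1.0/24, LAN hosts or their default
    #    gateway need a return route for that pool via 10.1.100.250.
    Write-Host "== Routes other than loopback/multicast/broadcast (LAN is $IntranetPrefix) =="
    Get-NetRoute -AddressFamily IPv4 |
        Where-Object { $_.DestinationPrefix -notmatch '^(127\.|224\.|255\.255\.255\.255)' } |
        Sort-Object DestinationPrefix |
        Format-Table DestinationPrefix, InterfaceAlias, NextHop, RouteMetric -AutoSize

    # 4. VPN role state, address assignment, and who is connected with which
    #    address (RemoteAccess module, installed with the RRAS role on 2012 R2).
    Write-Host '== RRAS VPN state and address assignment =='
    Get-RemoteAccess | Format-List VpnStatus
    Get-VpnServerConfiguration | Format-List *
    Write-Host '== Connected VPN clients =='
    Get-RemoteAccessConnectionStatistics |
        Format-Table UserName, ClientExternalAddress, ClientIPAddress, ConnectionType -AutoSize
}

function Test-RrasProxyArp {
    # Run on a LAN host (not the RRAS server) while a VPN client is connected.
    # Checks Bill's point: a LAN host ARPing for a VPN client's address should
    # get the MAC of the RRAS intranet NIC, because RRAS answers on its behalf.
    param(
        [Parameter(Mandatory)][string]$VpnClientIp,     # address the client received
        [Parameter(Mandatory)][string]$RrasIntranetMac  # (Get-NetAdapter -Name $IntranetAlias).MacAddress on the server
    )
    # Trigger an ARP exchange first; the neighbor cache is only populated by traffic.
    Test-Connection -ComputerName $VpnClientIp -Count 1 -Quiet | Out-Null
    $entry = Get-NetNeighbor -AddressFamily IPv4 -IPAddress $VpnClientIp -ErrorAction SilentlyContinue |
        Where-Object { $_.State -notin 'Unreachable', 'Incomplete' } |
        Select-Object -First 1
    if (-not $entry) {
        Write-Warning "No ARP reply for $VpnClientIp - RRAS is not answering for it, or the client is not connected"
        return $false
    }
    # Normalise both MACs ("00-15-5D-..." vs "00:15:5d:...") before comparing.
    $seen     = ($entry.LinkLayerAddress -replace '[:-]', '').ToUpper()
    $expected = ($RrasIntranetMac -replace '[:-]', '').ToUpper()
    if ($seen -eq $expected) {
        Write-Host "$VpnClientIp resolves to the RRAS intranet NIC ($($entry.LinkLayerAddress)): proxy ARP is working"
        return $true
    }
    Write-Warning "$VpnClientIp resolves to $($entry.LinkLayerAddress), not to the RRAS NIC; another host may hold that address"
    return $false
}

# Example invocations (aliases, client address and MAC are placeholders):
#   Test-RrasServer -InternetAlias 'Ethernet' -IntranetAlias 'Ethernet 2'
#   Test-RrasProxyArp -VpnClientIp '10.1.100.60' -RrasIntranetMac '00-15-5D-01-02-03'
```

Test-RrasProxyArp returns $true only when the neighbor entry for the client address carries the RRAS intranet NIC's MAC. If it returns $false with an ARP reply from some other MAC, the VPN pool overlaps an address already in use on the LAN; if there is no reply at all, either the client is not connected or RRAS is not answering ARP for that address on the intranet NIC.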
  • Hi Tina,

    I know you're a lady, but you're the man ;)

    Regards!

    Wednesday, August 19, 2015 5:38 AM