RRAS IP Filters in Windows 2008 R2

  • General discussion

  • This isn't my first rodeo. I've successfully set up a few RRAS boxes in various configurations, but I'm banging my head against a wall on this one.

    I've installed RRAS and NPS and configured it all to my liking as a VPN server. It works as expected except that, while RRAS is running, none of the other running network services are available (HTTP, RDP, etc.). This is normal, as by default static IP filters are applied when you install RRAS. No problem then, right? Nope. I checked the usual places (the NPS network policy and the RRAS interface static filters) and cleared any filters I found. No joy. Disabled Windows Firewall. Still no joy. If I stop the RRAS service, everything is available again. I've verified this using a port scanner.

    Does anyone have any suggestions where else some packet filters may be hiding?

    Thanks in advance.

    Update:

    Disabling the Router Manager on the external interface allows me to VPN in AND all other servers become available, BUT without the router manager, once connected to the VPN, I can't access anything outside the local network (i.e. I can't browse the web). It seems pretty clear that the Router Manager on the external interface is the problem, but those static filters are clear. WTF.

    Wednesday, June 2, 2010 4:37 AM

All replies

  • Hi defenestrated,

    Thanks for posting here.

    I assume your network structure is like the one below:

        External ------------ [ RRAS / NPS ] ------------ Internal (holding a few services, like HTTP, RDP, etc.)

    If I misunderstand, please let me know.

    Before we move on, I would like to confirm the following information with you:

    1. Have you set up NAT on the RRAS server?

    2. Could you describe in more detail what you mean by "none of the other running network services are available (http, RDP, etc.)"?

    As I understand it, you can't access these services, which are located in your "internal" network, from the "external" side when the RRAS service is on.

    3. Could you describe in more detail what you mention in your update, "Disabling the Router Manager on the external interface allows me to VPN in"?

    As I understand it, you disabled the external interface and attempted to access the RRAS server from internal via VPN?

    4. How did you disable the firewall on the RRAS server?

    Please follow the article below to disable the firewall on Windows 2008:

    http://technet.microsoft.com/en-us/library/cc766337(WS.10).aspx

    By default, RRAS does not enable the IP filter feature on each interface.

    For testing, you may want to set up RRAS without authentication by the RADIUS server (NPS) first.

    To verify what happens to the VPN traffic to the internal network, you may capture a network trace on the client, the RRAS server and the internal server using the Ping command.

    Download Network Monitor 3.3 from the following link:

    http://www.microsoft.com/downloads/details.aspx?FamilyID=983b941d-06cb-4658-b7f6-3088333d062f&displaylang=en

    1) Install Network Monitor on each computer.

    2) Start the capture on each computer and try to ping the internal server from the outside client over the VPN connection.

    3) Once the issue is reproduced, stop the captures and save the network trace files to verify whether the server receives and responds to the ICMP ping properly.

    PS:

    On July 1st we will be making this forum read only. After receiving a lot of feedback from the community, it was decided that this forum is a duplication and therefore redundant of the Network Infrastructure Servers Forum. So, until July 1st, we will start asking customers to redirect their questions to the Network Infrastructure Servers Forum. On June 11th, CSS engineers will move any new threads to the Network Infrastructure Servers Forum.

    Please post a reply to the announcement thread if you have any feedback on this decision or the process. You can also email WSSDComm@microsoft.com.

    Thanks.

    Tiger Li

    Thursday, June 3, 2010 6:06 AM
  • Hi,

    Thanks for the reply. I'll try to clarify more for you.

    Your description of the network infrastructure is close. The only difference is that all the services are running on the same server (RRAS, NPS, HTTPS, etc.). I know it's not a best practice, but my client has a pretty limited budget.

    Answers:

    1. Yes, NAT is enabled. RRAS is supplying the IPs in the 10.0.0.11-250 range. I may change to DHCP later.
    2. What I mean is that when RRAS is enabled, none of the other publicly available (external) services running on the RRAS server are available.
    3. Within the RRAS management console, the properties of the IPv4 external interface have a checkbox labeled "Enable IP router manager". It's checked by default. Disabling it was an attempt to find where the IP filtering is taking place. Unchecking it makes the other external services like HTTP available externally again, and I can still open a VPN tunnel from a remote system to the RRAS box with PPTP, but I can no longer access the rest of the internet over the tunnel, just local resources "behind" the RRAS server.
    4. I mean the Windows Firewall service.

    The problem isn't with the RRAS service allowing remote VPN connections; it has to do with RRAS filtering other external IP communications to the same box without a VPN tunnel.

    Does that help clarify?

    Thanks,
    D

    Thursday, June 3, 2010 4:07 PM
  • Hi defenestrated ,

     

    Thanks for your clarification.

    According to your description, I think this issue occurred because the firewall was not disabled correctly.

    Please check whether it works after following the article below to disable the firewall in Windows 2008:

    http://technet.microsoft.com/en-us/library/cc766337(WS.10).aspx

    I also suggest re-configuring the RRAS service with the RRAS wizard. Please make sure you select the current internal-side NIC and external-side NIC.

    Here is an article which may help you troubleshoot the RRAS issue:

    Troubleshoot Routing and Remote Access

    http://technet.microsoft.com/en-us/library/cc731120(WS.10).aspx

    Thanks.

    Tiger Li


    Friday, June 4, 2010 3:45 AM
  • It appears I was missing some NAT rules for the other services (HTTP, etc.) on the external interface. However, there's a new problem with high packet loss with these rules enabled. I currently have a support incident open with MS and they're looking into it. I'll update once I have anything worthwhile to report.
    Friday, June 4, 2010 3:39 PM
  • I just got off the phone with MS. So here's the deal. Apparently, R2 closes all the external ports other than those related to the VPN, in my case PPTP, with RRAS running as I have it configured. Creating static port maps back to the internal interface "works" but has a very high rate of packet loss, making it useless. These are known issues with R2 and they have no plans to fix it any time soon. They have no work-around for me and suggested I go back to R1 or get another server to run the other services and only run RRAS on that system.
    Monday, June 14, 2010 8:49 PM
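The verification the original poster did by hand with a port scanner (probe the public services with RRAS stopped, then again with it running, and compare) can be made repeatable. The script below is an added example and is not code from the posters in this thread or from Microsoft. It does a plain TCP connect probe of a chosen port list in two states and diffs the results, then checks the running state against the set of ports you intend to expose (for a PPTP-only box that would be TCP 1723; the GRE traffic PPTP also needs is IP protocol 47, not a TCP port, so this check cannot see it). The host, port list and expected-open set are assumptions supplied by the caller; demo() uses a constructed local listener so the example runs offline. A connect probe only tells you whether a port answers, not which layer (RRAS static IP filter, missing NAT static mapping, Windows Firewall) dropped the packet when it does not.

```python
"""Compare TCP port reachability of a host in two states (for example
RRAS service stopped vs. running) and report what changed.

Added example, not from the original thread. Host, port list and the
expected-open set are the caller's assumptions; the listener in demo()
is constructed so the script runs offline."""

import socket
import threading
from typing import Dict, Iterable, List, Set, Tuple


def probe_port(host: str, port: int, timeout: float = 1.0) -> bool:
    """Return True if a TCP connect to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_ports(host: str, ports: Iterable[int], timeout: float = 1.0) -> Dict[int, bool]:
    """Probe every port in the list; result maps port -> reachable."""
    return {p: probe_port(host, p, timeout) for p in ports}


def diff_exposure(before: Dict[int, bool], after: Dict[int, bool]) -> Dict[str, List[int]]:
    """'closed' = reachable before but not after (what happened to HTTP/RDP
    in the thread once RRAS was running), 'opened' = newly reachable,
    'unchanged' = same in both states."""
    ports = sorted(set(before) | set(after))
    closed = [p for p in ports if before.get(p) and not after.get(p)]
    opened = [p for p in ports if after.get(p) and not before.get(p)]
    unchanged = [p for p in ports if before.get(p) == after.get(p)]
    return {"closed": closed, "opened": opened, "unchanged": unchanged}


def check_expected(after: Dict[int, bool], expected_open: Set[int]) -> Tuple[List[int], List[int]]:
    """Return (missing, unexpected): ports that should answer but do not, and
    ports that answer although you never meant to expose them."""
    open_now = {p for p, ok in after.items() if ok}
    return sorted(expected_open - open_now), sorted(open_now - expected_open)


def _start_listener() -> Tuple[socket.socket, int]:
    """Constructed local TCP listener on an ephemeral port (offline demo only)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def accept_loop() -> None:
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:  # listener closed: demo moved to the "after" state
                return

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, port


def demo() -> Dict[str, List[int]]:
    """Offline run: one listening port stands in for HTTP, one port with
    nothing behind it stands in for a service that was never exposed.
    'before' is probed with the listener up; 'after' after it is closed,
    mimicking the service disappearing once RRAS took over the interface."""
    srv, live = _start_listener()
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    dead = spare.getsockname()[1]
    spare.close()  # nothing listens on `dead` now
    before = probe_ports("127.0.0.1", [live, dead])
    srv.close()    # "RRAS started": the HTTP stand-in is no longer reachable
    after = probe_ports("127.0.0.1", [live, dead])
    return diff_exposure(before, after)


if __name__ == "__main__":
    print(demo())
```

Against a real box you would call probe_ports twice from an external client with the same port list (say 80, 443, 3389, 1723), once with the RRAS service stopped and once with it running, and hand the two dicts to diff_exposure; check_expected with expected_open={1723} then lists both the services that went dark and anything still answering that you did not plan to expose.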
  • Hi defenestrated,

    Thanks for your feedback.

    Did the MS support engineer provide any KB article which describes this known high packet loss issue?

    Yes, I'm expecting the test result from using another physical server and installing only RRAS.

    Thanks.

    Tiger Li

    Wednesday, June 16, 2010 4:21 AM
  • No KB article was provided. He wasn't very forthcoming about any details at all. Just that there were changes made to RRAS in R2 and they have been getting calls about them causing problems. Unfortunately, not enough calls to warrant a fix, and I should switch back to R1 or separate the roles onto different systems. With a lack of operating budget, we're going back to R1 with the same configuration.

    D

    Sunday, June 20, 2010 3:23 PM