February 10th, 2013, 08:58 PM
Windows Server RRS/NAT and VPN
I am running into an issue with my home-based VPN. For fun I received a copy of Windows Server 2012 from my school. I have a dedicated computer that I use to run Server 2012. The server runs the following roles: DC, DNS, DHCP, NAP, and Remote Access/Routing. My wish is to setup a VPN connection so I can access the network remotely. The setup is like this:
I have a Cisco E1000 router with address 192.168.1.1. The DHCP is disabled as the DHCP is from the server. The DHCP server from the DC issues addresses 192.168.1.100 - 192.168.1.149. In Remote Access, I setup an address pool for 192.168.2.10 - 192.168.2.15 for VPN clients. I have one NIC, so under NAT I have "ethernet" and "internal". I set it up so "internal" is private and "ethernet" is public.
When I connect from a different wireless network TO my home VPN, it does connect. I am able to PING google, as well as the servers. But....the odd thing is, when I disconnect from the VPN, ALL LAN-clients lose complete connection. They cannot ping the server, or any other LAN clients, or google. They are able to ping domain names by their IPs though.
The strange thing is, if I set the VPN address pool to be within the 192.168.1.X subnet, then I do not have this issue. Once I disconnect and reconnect to the home network, I am still able to access resources. But, I would like to have the VPN clients to have a separate subnet (ex. 192.168.2.X).
What am I doing wrong to accomplish this? When I do ipconfig /all, everything is what it's supposed to do. The DNS and DHCP are pointing to the DC. Thanks very much for any assistance.
February 12th, 2013, 02:15 PM
Would anyone have any ideas why I am having this issue? The only way to fix the issue is either reboot the server, or restart the routing and remote access service.
I have properly setup static routing from the 192.168.1.X network to 192.168.2.X. I must this setup based on one NIC. I have followed online tutorials for configuring RRAS & NAT with one NIC.
February 12th, 2013, 06:37 PM
What is the IP of the LAN clients when you disconnect, does it change? Are the DNS entries the same as well? If you can ping domain names by IP, I'm suspecting you can ping your LAN machines by IP as well. So the network is working, just DNS is stopping for some reason.
What is the DNS server of the VPN clients? Is there anything odd setup in your NAP settings that would cause a DNS issue?
If I understand you right, when you connect from outside the network via VPN everything works. Then when you disconnect, everything on the LAN fails?
February 13th, 2013, 10:14 AM
You are absolutely correct! I will try to provide as much info as I can.
The main router that connects to my cable modem IP is 192.168.1.1. I have DHCP disabled as I utilize DHCP from the domain controller (192.168.1.160). I have a second router (192.168.2.1), with a WAN-IP of 192.168.1.3, and I set a static route on router 1 with LAN 192.168.2.0, MASK 255.255.255.0, Gateway 192.168.1.3.
THe 192.168.1.160 is both the DHCP and DNS server. For RRAS, I setup a static range from 192.168.2.10 - 192.168.2.14.
I am currently at work right now and will have to verify if I can ping by IP on the LAN. All I know is, if I put the VPN IP range WITHIN the 192.168.1.X subnet, once I disconnect everything is fine. BUT, if I put the range as 192.168.2.X range, that is where the trouble occurs once VPN is disconnected.
Again, it's resolved by restarting the RRAS service.
February 13th, 2013, 03:43 PM
Ok, be sure and post an ipconfig /all output of the LAN clients when they are working and not working. I wonder, since you're using one NIC, if the DC that is also running DNS isn't registering a new address in DNS during the VPN process for some reason; but isn't set to listen on that connection. Hence your LAN clients send DNS requests to the DC's new "interface" that isn't setup to listen for DNS requests. That would explain why routing works but DNS requests don't. It's kind of a long shot but something strange is certainly going on with DNS and that's all I can think of.
February 14th, 2013, 12:12 PM
I appreciate your help with this! When I got home last night to try to re-create my problem, I noticed that when I vpn'd in, I was not able to get internet. I was planning on viddling more with it when I get home today, since I will have more time.
I am doing some research, and utilizing both RRAS vpn and the internet is called "split tunneling". I read an article that stated this is bad, since the internet would be a gateway to the vpn tunnel. Is having vpn AND internet a bad idea? If that's the case I will certainly disregard this issue.
February 14th, 2013, 12:24 PM
Yes, split tunneling is generally regarded as a security issue, and something you would want to avoid in a production environment. At home for testing...not such a big deal.
February 14th, 2013, 02:39 PM
Alrighty! With that being said, we can forget about this issue then! While it is a testing environment, I also use the server to store our personal information. Thanks very much for your assistance, I very much appreciate it
February 14th, 2013, 05:30 PM
Basically it allows you to bypass the internal gateway of the network you are vpn'ing into; and utilize your own internal gateway. Which allows VPN clients to bypass any security at the gateway your company would have setup.
February 14th, 2013, 08:26 PM
Okay, that makes sense. I am thinking about it now, and say I am at work and needed a file for something. If I VPN'd in I could see the files, but there would be no way of copying it since there would be no internet access.
Do you know of any other secure way of accomplishing VPN clients being able to access network resources ALONG with the internet? Obviously, even in a home environment, security is number one, since hackers are everywhere.
If you don't know of any method, then I will certainly give up on this matter and be satisfied with just being able to VPN in.
February 15th, 2013, 10:02 AM
Well you should be able to access everything on the internet like normal; traffic just gets routed properly through your internal gateway, not the gateway you're connected to from outside the network. For instance, if you use split tunneling and you're at a hotel, you'll be going through the hotel's gateway. If you don't use split tunneling, you're going through the gateway at your "office"...in this case your house. That gateway is obviously more secure than the one at the hotel (or wherever you are) because you or your IT staff have put in the necessary security measures you're "company" would deem necessary. Either way you should still be able to access the net like usual; split tunneling just determines which gateway you send traffic to. At least that is my understanding of it; it's been a few years.
February 15th, 2013, 12:28 PM
Okay, so you're recommending NOT using split-tunneling, and using the corporate (aka my house) gateway to access the internet? I will read up on that tonight after work, but what is the specific way for setting this up? Is this the checking or unchecking "Use remote gateway"? I know that when it's unchecked, I can access internet but NO network resources when VPN'd in. If I check it, it's the opposite; I can access network resources but NO internet. If you're saying check it, then I believe I would have to mess with NAT settings to allow internet connection.
February 15th, 2013, 07:30 PM
I just want to give you a heads up that I fixed my problem I originally asked about, in regards to losing network connection during VPN.
Basically....I have router 1 (192.168.1.1) that supplies the internet, and router 2 (192.168.2.1) that is a repeater for router 1. I just assumed since the 192.168.2.X range was empty I would put VPN clients on that. When I got home from work today, I just changed VPN IP's to 192.168.3.10 - 192.168.3.14, instead of the 192.168.3.X subnet. When I connected, my firewall asked me to allow or block, so I allowed, and I connected to BOTH internet and network resources via VPN. Afterwards when I disconnected and connected back to my original home network, I could still connect fine.
Here is my thought. Router 2 has a WAN ip of 192.168.1.3. On router 1, I put a static route for 192.168.2.0 with 255.255.255.0 and gateway of 192.168.1.3. Then...since I moved VPNs to 192.168.3.X subnet, I added the static route on router 1:
192.168.1.160 (rras server)
Now...everything is fine! My thought is that the static route to the 192.168.2.X is from the WAN ip of router 2, when I should have used the rras server IP instead. Now I just utilize 3 subnets, which is fine.
I very much appreciate all your help in this matter Have a great weekend!
February 15th, 2013, 08:16 PM
That would make sense if you're running NAT on the RRAS server; which I believe you said you were. I wonder if DNS requests were getting lost or sent to the wrong gateway address, and now that you have it set to the RRAS server DNS requests are working. Glad you got it figured out!
February 15th, 2013, 08:41 PM
That is exactly my thought! Since the static route pointed to WAN ip of router 2 (192.168.1.3) it never picked up a DNS server, whereas RRAS server is also DNS server, which is why it worked out.
Again, thanks for your assistance!!