#1
    Coopercentral (Devshed Newbie, Rochester, NY; joined Aug 2002)

    Windows Server RRAS/NAT and VPN

    Hello everyone,

    I am running into an issue with my home-based VPN. For fun I received a copy of Windows Server 2012 from my school. I have a dedicated computer that I use to run Server 2012. The server runs the following roles: DC, DNS, DHCP, NAP, and Remote Access/Routing. My wish is to set up a VPN connection so I can access the network remotely. The setup is like this:

    I have a Cisco E1000 router with address 192.168.1.1. The DHCP is disabled as the DHCP is from the server. The DHCP server from the DC issues addresses 192.168.1.100 - 192.168.1.149. In Remote Access, I set up an address pool for 192.168.2.10 - 192.168.2.15 for VPN clients. I have one NIC, so under NAT I have "ethernet" and "internal". I set it up so "internal" is private and "ethernet" is public.

    When I connect from a different wireless network TO my home VPN, it does connect. I am able to PING google, as well as the servers. But....the odd thing is, when I disconnect from the VPN, ALL LAN clients lose complete connection. They cannot ping the server, or any other LAN clients, or google. They are able to ping domain names by their IPs though.

    The strange thing is, if I set the VPN address pool to be within the 192.168.1.X subnet, then I do not have this issue. Once I disconnect and reconnect to the home network, I am still able to access resources. But, I would like the VPN clients to have a separate subnet (ex. 192.168.2.X).

    What am I doing wrong to accomplish this? When I do ipconfig /all, everything is what it's supposed to be. The DNS and DHCP are pointing to the DC. Thanks very much for any assistance.
#2
    Coopercentral (Devshed Newbie)

    Would anyone have any ideas why I am having this issue? The only way to fix the issue is either reboot the server, or restart the routing and remote access service.

    I have properly set up static routing from the 192.168.1.X network to 192.168.2.X. I must do this setup based on one NIC. I have followed online tutorials for configuring RRAS & NAT with one NIC.
#3
    Contributing User (Devshed Regular, "surfing the interwebz"; joined May 2004)

    What is the IP of the LAN clients when you disconnect, does it change? Are the DNS entries the same as well? If you can ping domain names by IP, I'm suspecting you can ping your LAN machines by IP as well. So the network is working, just DNS is stopping for some reason.

    What is the DNS server of the VPN clients? Is there anything odd setup in your NAP settings that would cause a DNS issue?

    If I understand you right, when you connect from outside the network via VPN everything works. Then when you disconnect, everything on the LAN fails?
#4
    Coopercentral (Devshed Newbie)

    You are absolutely correct! I will try to provide as much info as I can.

    The main router that connects to my cable modem IP is 192.168.1.1. I have DHCP disabled as I utilize DHCP from the domain controller (192.168.1.160). I have a second router (192.168.2.1), with a WAN-IP of 192.168.1.3, and I set a static route on router 1 with LAN 192.168.2.0, MASK 255.255.255.0, Gateway 192.168.1.3.

    The 192.168.1.160 is both the DHCP and DNS server. For RRAS, I set up a static range from 192.168.2.10 - 192.168.2.14.

    I am currently at work right now and will have to verify if I can ping by IP on the LAN. All I know is, if I put the VPN IP range WITHIN the 192.168.1.X subnet, once I disconnect everything is fine. BUT, if I put the range as 192.168.2.X range, that is where the trouble occurs once VPN is disconnected.

    Again, it's resolved by restarting the RRAS service.
#5
    Contributing User (Devshed Regular)

    Ok, be sure and post an ipconfig /all output of the LAN clients when they are working and not working. I wonder, since you're using one NIC, if the DC that is also running DNS isn't registering a new address in DNS during the VPN process for some reason; but isn't set to listen on that connection. Hence your LAN clients send DNS requests to the DC's new "interface" that isn't setup to listen for DNS requests. That would explain why routing works but DNS requests don't. It's kind of a long shot but something strange is certainly going on with DNS and that's all I can think of.
#6
    Coopercentral (Devshed Newbie)

    seakc79,

    I appreciate your help with this! When I got home last night to try to re-create my problem, I noticed that when I VPN'd in, I was not able to get internet. I was planning on fiddling more with it when I get home today, since I will have more time.

    I am doing some research, and utilizing both RRAS vpn and the internet is called "split tunneling". I read an article that stated this is bad, since the internet would be a gateway to the vpn tunnel. Is having vpn AND internet a bad idea? If that's the case I will certainly disregard this issue.

    Thanks!
#7
    Contributing User (Devshed Regular)

    Yes, split tunneling is generally regarded as a security issue, and something you would want to avoid in a production environment. At home for testing...not such a big deal.
#8
    Coopercentral (Devshed Newbie)

    Alrighty! With that being said, we can forget about this issue then! While it is a testing environment, I also use the server to store our personal information. Thanks very much for your assistance, I very much appreciate it.
#9
    Contributing User (Devshed Regular)

    Basically it allows you to bypass the internal gateway of the network you are VPN'ing into and utilize your own internal gateway, which allows VPN clients to bypass any security at the gateway your company would have set up.
#10
    Coopercentral (Devshed Newbie)

    Okay, that makes sense. I am thinking about it now, and say I am at work and needed a file for something. If I VPN'd in I could see the files, but there would be no way of copying it since there would be no internet access.

    Do you know of any other secure way of accomplishing VPN clients being able to access network resources ALONG with the internet? Obviously, even in a home environment, security is number one, since hackers are everywhere.

    If you don't know of any method, then I will certainly give up on this matter and be satisfied with just being able to VPN in.
#11
    Contributing User (Devshed Regular)

    Well, you should be able to access everything on the internet like normal; traffic just gets routed properly through your internal gateway, not the gateway you're connected to from outside the network. For instance, if you use split tunneling and you're at a hotel, you'll be going through the hotel's gateway. If you don't use split tunneling, you're going through the gateway at your "office"...in this case your house. That gateway is obviously more secure than the one at the hotel (or wherever you are) because you or your IT staff have put in the necessary security measures your "company" would deem necessary. Either way you should still be able to access the net like usual; split tunneling just determines which gateway you send traffic to. At least that is my understanding of it; it's been a few years.
#12
    Coopercentral (Devshed Newbie)

    Okay, so you're recommending NOT using split-tunneling, and using the corporate (aka my house) gateway to access the internet? I will read up on that tonight after work, but what is the specific way for setting this up? Is this the checking or unchecking "Use remote gateway"? I know that when it's unchecked, I can access internet but NO network resources when VPN'd in. If I check it, it's the opposite; I can access network resources but NO internet. If you're saying check it, then I believe I would have to mess with NAT settings to allow internet connection.
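The "Use remote gateway" setting discussed above is the client's split-tunneling switch. As an added example (not from the thread), this is how to set an existing Windows VPN profile to full tunnel from PowerShell and then confirm where the default route points once connected; the profile name "HomeVPN" is an assumption, and internet access in full-tunnel mode still depends on the RRAS NAT covering the VPN pool, as the thread notes.

```powershell
# Added example, not from the thread. Profile name is an assumption.
$vpnName = 'HomeVPN'

# SplitTunneling $false is the same as ticking "Use default gateway on
# remote network": every packet, internet included, leaves through the
# home (RRAS) gateway instead of the hotel/coffee-shop gateway.
Set-VpnConnection -Name $vpnName -SplitTunneling $false

# Read the stored profile back to confirm the change took.
Get-VpnConnection -Name $vpnName |
    Select-Object Name, ServerAddress, SplitTunneling

# After dialling in (rasdial $vpnName), the lowest-metric 0.0.0.0/0 route
# should sit on the VPN interface, not on the local Wi-Fi adapter.
Get-NetRoute -DestinationPrefix '0.0.0.0/0' |
    Sort-Object RouteMetric, InterfaceMetric |
    Select-Object InterfaceAlias, NextHop, RouteMetric, InterfaceMetric
```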
#13
    Coopercentral (Devshed Newbie)

    seack79,
    I just want to give you a heads up that I fixed my problem I originally asked about, in regards to losing network connection during VPN.

    Basically....I have router 1 (192.168.1.1) that supplies the internet, and router 2 (192.168.2.1) that is a repeater for router 1. I just assumed since the 192.168.2.X range was empty I would put VPN clients on that. When I got home from work today, I just changed VPN IP's to 192.168.3.10 - 192.168.3.14, instead of the 192.168.3.X subnet. When I connected, my firewall asked me to allow or block, so I allowed, and I connected to BOTH internet and network resources via VPN. Afterwards when I disconnected and connected back to my original home network, I could still connect fine.

    Here is my thought. Router 2 has a WAN ip of 192.168.1.3. On router 1, I put a static route for 192.168.2.0 with 255.255.255.0 and gateway of 192.168.1.3. Then...since I moved VPNs to 192.168.3.X subnet, I added the static route on router 1:
    192.168.3.0
    255.255.255.0
    192.168.1.160 (rras server)

    Now...everything is fine! My thought is that the static route to the 192.168.2.X is from the WAN ip of router 2, when I should have used the rras server IP instead. Now I just utilize 3 subnets, which is fine.

    I very much appreciate all your help in this matter. Have a great weekend!
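The root cause above was an RRAS pool (192.168.2.x) that collided with a subnet router 1 already routed to the repeater. As an added example (not from the thread), this PowerShell check uses the thread's addresses to test a proposed pool against the routed subnets before it is handed to RRAS, then verifies that the DC answers DNS; the function names are mine and "dc01.home.local" is a placeholder hostname.

```powershell
# Added example, not from the thread. Subnet addresses come from the post;
# the helper functions and the DC hostname placeholder are mine.
function ConvertTo-IPv4Long([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    return ([long]$b[0] -shl 24) -bor ([long]$b[1] -shl 16) -bor ([long]$b[2] -shl 8) -bor [long]$b[3]
}

function Test-SubnetOverlap([string]$CidrA, [string]$CidrB) {
    $netA, $lenA = $CidrA -split '/'
    $netB, $lenB = $CidrB -split '/'
    # Two prefixes overlap when they agree under the shorter of the two masks.
    $len  = [Math]::Min([int]$lenA, [int]$lenB)
    $mask = ([long][uint32]::MaxValue -shl (32 - $len)) -band [long][uint32]::MaxValue
    return ((ConvertTo-IPv4Long $netA) -band $mask) -eq ((ConvertTo-IPv4Long $netB) -band $mask)
}

# Subnets router 1 already knows about (LAN, and the static route to the repeater).
$routed = @{
    'LAN behind router 1'      = '192.168.1.0/24'
    'repeater behind router 2' = '192.168.2.0/24'
}

# First value is the pool that broke the LAN, second is the pool that worked.
foreach ($pool in '192.168.2.0/24', '192.168.3.0/24') {
    $clash = $routed.GetEnumerator() | Where-Object { Test-SubnetOverlap $pool $_.Value }
    if ($clash) { "pool $pool collides with $($clash.Key) ($($clash.Value))" }
    else        { "pool $pool is free; point router 1's static route for it at the RRAS server" }
}

# From a connected VPN client: confirm names resolve via the DC/RRAS box,
# which is what the post says the old route never reached.
Resolve-DnsName -Name 'dc01.home.local' -Server 192.168.1.160 -Type A
```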
#14
    Contributing User (Devshed Regular)

    That would make sense if you're running NAT on the RRAS server; which I believe you said you were. I wonder if DNS requests were getting lost or sent to the wrong gateway address, and now that you have it set to the RRAS server DNS requests are working. Glad you got it figured out!
#15
    Coopercentral (Devshed Newbie)

    That is exactly my thought! Since the static route pointed to the WAN IP of router 2 (192.168.1.3) it never picked up a DNS server, whereas the RRAS server is also the DNS server, which is why it worked out.

    Again, thanks for your assistance!!
