Daily IT Matters, this is the place where I post my daily findings on IT.

Wednesday, September 20, 2006

IP routing RRAS style

Below is a Technet blog entry I found quite helpfull

First the basics on IP address/routing on RRAS perspective:

Broadly there are two set of machines (or subnets) which needs IP address - one
is the LAN machines (which may be obtaining IP address through DHCP Server) and
other is the remote access client or VPN client machines (which gets IP address
through RRAS server - via IPCP). For the second case, the RRAS server may be
configured with a static address pool OR may be obtaining the IP addresses from
a DHCP server (on behalf of VPN client).

RRAS server creates a virtual interface (called as Internal interface or RAS
Dial-in adapter) which is also assigned one IP address. This IP address is taken
from the pool configured for VPN clients.

The IP address pool (or subnet) can be shared between LAN machines as well as
VPN clients OR can have different pool. For example, all LAN + VPN clients can
have a shared pool as 192.168.1.1 to 192.168.1.254 OR LAN machines may have pool
as 192.168.1.x and VPN clients as 192.168.2.x. The advantage of sharing between
LAN + VPN clients is - no extra routes need to be added on LAN clients as well
as VPN clients. But there can be practical requirements to have different
subnets for LAN as well as VPN clients. And in this case you need to ensure
there are appropriate routes from LAN clients to reach VPN clients and vice
versa. This blog gives a good idea about it: http://blogs.technet.com/rrasblog/archive/2006/02/09/419100.aspx

Let us now take some examples:

1) RRAS server behind a NAT router with single NIC

Internet --> NAT router ---> LAN ----> RRAS server (single NIC)

Assume RRAS server is running DNS/WINS, DHCP and DC (like in SBS server scenario).

Say all the LAN clients as well as VPN clients share the same address pool - say
192.168.1.x, NAT router private NIC has IP address as 192.168.1.1 and RRAS
server LAN NIC as 192.168.1.2 (it is better to have static IP address - so that
NAT router can redirect correctly).

1) Configure DHCP server with a pool - 192.168.1.3-192.168.1.254 (note: 192.168.1.1
is given to NAT router and 192.168.1.2 to RRAS server itself) and default
gateway as 192.168.1.1 (i.e. NAT router's LAN IP address).

2) Configure RRAS for single NIC - Select DHCP as the way to obtain IP address
pool http://blogs.technet.com/rrasblog/archive/2006/06/19/437171.aspx

2.1) As you are running DNS/WINS on the same machine on RRAS, you may need to
disable registering of RRAS tunnel adapter address into DNS/WINS - otherwise LAN
machines will not be able to reach DNS/WINS server. Refer to http://support.microsoft.com/kb/292822/EN-US
for more information.

2.2) As you are running multiple services on RRAS box, ensure you turn off
static filters when configuring RRAS server (http://blogs.technet.com/rrasblog/archive/2006/07/06/440398.aspx)

3) Enable NAT router to redirect PPTP packets coming on its public interface to
RRAS server: http://blogs.technet.com/rrasblog/archive/2006/06/14/435826.aspx

Note: RRAS server with L2TP behind a NAT router is not a "recommended scenario".
Refer to following KB for further details: http://support.microsoft.com/default.aspx?scid=kb;en-us;818043

4) Create a VPN client - with "Use default gateway" check on and VPN server
address as NAT router's public IP address. Ensure you are able to ping VPN
server's internal interface, LAN NIC and the LAN clients by name as well as IP
address.

In the above scenario, if you want to give different address pool to VPN clients
and LAN clients, you can configure RRAS server with static IP address pool and
give a different pool - like 192.168.2.x. Ensure you configure DHCP server scope
to pass a static route (192.168.2.0/255.255.255.0 with gateway as 192.168.1.2 or
RRAS server's LAN IP address) to LAN clients. This route will enable LAN client
to reach VPN clients. VPN clients can reach LAN clients - because they have a
default route towards VPN server.

2) RRAS server with two NIC

Internet --> RRAS server (two NIC) --> LAN

Assume RRAS server is running as NAT router too (for LAN machines as well as VPN
clients)

Say all the LAN clients as well as VPN clients share the same address pool - say
192.168.1.x, RRAS server has a public IP address (say 1.2.3.4) and RRAS server
LAN NIC as 192.168.1.2.

Note: In this scenario too you can have RAS as well as LAN clients sharing the
same IP address pool OR have different pools

All the steps for this configuration remains same - except configure RRAS server
for two NICs (one facing internet and one facing intranet) and enable NAT on
RRAS server itself.

1 comment:

alex smith said...

After use vpn i can bypass my isp monitor.This Vpn is great.

Google