P. Prisack
Hello NG,
we have a dodgy little problem here which I can't seem to solve, maybe
I'm missing something basic.
The scenario is as follows:
There is a LAN with subnet 192.168.1.0/24, a W2K server on 192.168.1.1
and a router for internet connection (outgoing only) on 192.168.1.100.
Now I've implemented a DMZ on subnet 192.168.2.0/24 with its own router
on 192.168.2.100 (incoming only). I've mounted a second NIC into the
server and assigned 192.168.2.1 as DMZ IP. VPN ports are forwarded from
the VPN router to the server's DMZ NIC.
I successfully set up RRAS and a VPN server where, on first glance,
everything looks fine. But there is a routing issue:
If I configure in RRAS the LAN router (.1.100) as a default gateway, all
works fine for VPN clients who connect with an IP from the DMZ (i.e.
WLAN laptops, they receive an IP out of the 192.168.2.0 range from the
DMZ router).
Clients which try to connect from the internet have a problem, because
the VPN server doesn't know the correct route back to the client.
The authentication request arrives at the server:
VPN client -> internet -> DMZ router -> VPN server (DMZ interface)
But the answer goes:
VPN server (LAN interface) -> LAN router -> internet -> nowhere
I don't want to configure the default gateway in RRAS to use the DMZ
router (.2.100) for several reasons: I don't want the server's own
internet traffic to go through the DMZ, I don't want the laptops'
internet traffic to go through the DMZ, I want all internet traffic to
pass the VPN server so I can take control or set up filters later.
I had expected that the VPN server would answer authentication requests
on the interface they arrive, no matter what default gateway exists
furthermore.
Is there a way to achieve this, am I a victim of misconception, or is it
just a stupid mistake? Any hints are greatly appreciated.
Best wishes
Peter
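The behaviour Peter describes follows from the fact that a host's forwarding decision is made on the destination address only, not on the interface a request arrived on. The following added example (not part of the original post, and not anything RRAS or Windows 2000 itself provides) models the server's routing table from the post and shows why a reply to an internet client leaves via the LAN default gateway while a reply to a DMZ-side WLAN client does not. It then adds a source-address policy lookup, modelled on policy-based routing as found on other operating systems, to show what "answer on the interface the request arrived on" would require. The public client address 203.0.113.5 is a constructed test value.

```python
from ipaddress import ip_address, ip_network

# Constructed routing table modelling the poster's dual-homed W2K server:
# two directly connected subnets plus one default route via the LAN router.
ROUTES = [
    {"dest": ip_network("192.168.1.0/24"), "gw": None, "iface": "LAN"},
    {"dest": ip_network("192.168.2.0/24"), "gw": None, "iface": "DMZ"},
    {"dest": ip_network("0.0.0.0/0"), "gw": ip_address("192.168.1.100"), "iface": "LAN"},
]

# Hypothetical policy table (assumption, not a W2K feature): packets whose
# source address is the DMZ NIC leave through the DMZ router.
POLICY = {
    ip_address("192.168.2.1"): {"gw": ip_address("192.168.2.100"), "iface": "DMZ"},
}


def lookup(dst, routes=ROUTES):
    """Destination-only longest-prefix match, as an ordinary host stack does."""
    dst = ip_address(dst)
    best = None
    for r in routes:
        if dst in r["dest"] and (best is None or r["dest"].prefixlen > best["dest"].prefixlen):
            best = r
    return {"iface": best["iface"], "gw": str(best["gw"]) if best["gw"] else None}


def lookup_with_policy(src, dst, policy=POLICY, routes=ROUTES):
    """Source-based policy rule first, then the normal destination lookup."""
    src = ip_address(src)
    if src in policy:
        hit = policy[src]
        return {"iface": hit["iface"], "gw": str(hit["gw"])}
    return lookup(dst, routes)


def reply_is_symmetric(ingress_iface, server_addr, client_addr, use_policy=False):
    """True if the reply to a request that arrived on ingress_iface leaves on that same interface."""
    if use_policy:
        egress = lookup_with_policy(server_addr, client_addr)
    else:
        egress = lookup(client_addr)
    return egress["iface"] == ingress_iface


if __name__ == "__main__":
    # Internet client via DMZ router: request hits the DMZ NIC, reply exits LAN.
    print("internet client, plain routing :", reply_is_symmetric("DMZ", "192.168.2.1", "203.0.113.5"))
    # WLAN laptop on 192.168.2.0/24: connected route wins, so reply stays on DMZ.
    print("WLAN client, plain routing     :", reply_is_symmetric("DMZ", "192.168.2.1", "192.168.2.50"))
    # With a source-based rule the internet reply is sent back the way it came.
    print("internet client, policy routing:", reply_is_symmetric("DMZ", "192.168.2.1", "203.0.113.5", use_policy=True))
```

The connected route for 192.168.2.0/24 explains why DMZ-side laptops work with the LAN router as default gateway, and the 0.0.0.0/0 entry explains why internet clients' replies go "LAN router -> internet -> nowhere". Anything that fixes this has to make the reply's next hop depend on the source NIC (or on the DMZ router's address) rather than only on the client's destination address.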