RRAS, DNS, NAT, and Web Browsing


Jim Davis

Symptom:

VPN client is still using its default internet connection's DNS for
resolving, *except* when specifically using nslookup. Client can't
connect to anything outside of the server's network. The server's
firewall seems to be configured properly and "[x] Use default gateway on
remote network" is checked.

----------------
C:\>nslookup www.example.com
*** Can't find server name for address 192.168.0.1: Non-existent domain
Server: cronus.example.com
Address: 192.168.2.2

Name: athena.example.com
Address: 192.168.1.3
Aliases: www.example.com
(OK)

C:\>ping 192.168.1.3

Pinging 192.168.1.3 with 32 bytes of data:

Reply from 192.168.1.3: bytes=32 time=90ms TTL=62
(OK)

C:\>ping www.example.com

Pinging example.com [204.x.x.2] with 32 bytes of data:

Request timed out.
(NOT OK. It's getting the external address of www.example.com from the
client's local DNS server instead of from cronus.example.com on the
server's network. There is nothing bogus in the client's hosts or
lmhosts that could account for this.)

C:\>ping www.google.com

Pinging www.google.akadns.net [64.233.161.104] with 32 bytes of data:

Request timed out.
(NOT OK. I expect this to go from [client]->[rras server]->[rras
server's firewall]->(real world) and to work just as it would from
[other host on rras server's network]->[rras server's firewall]->(real
world), which *does* work.)
----------------

I would like clients connected to our RRAS server to conduct all traffic
as if they were directly connected to our LAN, including web browsing.

Our RRAS server has one NIC on the inside of the LAN and one in our
NATted DMZ. It looks something like this if you're using a fixed-width
font:

(lan:192.168.2.0/24)--[firewall]--(outside:204.x.x.x)
        |                 |
        |          (dmz:192.168.12.20/30)
        |                 |
  [RRAS:192.168.2.13 and 192.168.1.22]

The client is also behind a DSL modem's NAT:

[client:192.168.0.2]--[dsl modem 192.168.0.1]--(outside)

My client can VPN into the RRAS box and receives DHCP/DNS/WINS
information properly from the appropriate server on the LAN. Here's the
output of "ipconfig/all" from the client while connected:

----------------
Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : feline
Primary DNS Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : example.com

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : NETGEAR FA310TX Fast Ethernet Adapter (NGRPCI)
Physical Address. . . . . . . . . : 00-A0-CC-5D-A4-D6
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.0.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
DNS Servers . . . . . . . . . . . : 192.168.0.1

PPP adapter VPN via Uranus:

Connection-specific DNS Suffix . : example.com
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-53-45-00-00-00
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.2.145
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 192.168.2.2
                                    192.168.2.2
                                    192.168.3.2
Primary WINS Server . . . . . . . : 192.168.2.2
Secondary WINS Server . . . . . . : 192.168.3.2
----------------

Here's the output of "route print" on the client while connected:

----------------
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x1000003 ...00 a0 cc 5d a4 d6 ...... NETGEAR FA310TX Fast Ethernet PCI Adapter
0x12000004 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1     192.168.0.2       2
          0.0.0.0          0.0.0.0    192.168.2.145   192.168.2.145       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.0.0    255.255.255.0      192.168.0.2     192.168.0.2       1
      192.168.0.2  255.255.255.255        127.0.0.1       127.0.0.1       1
    192.168.0.255  255.255.255.255      192.168.0.2     192.168.0.2       1
    192.168.2.145  255.255.255.255        127.0.0.1       127.0.0.1       1
    192.168.2.255  255.255.255.255    192.168.2.145   192.168.2.145       1
       204.x.x.13  255.255.255.255      192.168.0.1     192.168.0.2       1
        224.0.0.0        224.0.0.0      192.168.0.2     192.168.0.2       1
        224.0.0.0        224.0.0.0    192.168.2.145   192.168.2.145       1
  255.255.255.255  255.255.255.255      192.168.0.2     192.168.0.2       1
Default Gateway:     192.168.2.145
===========================================================================
Persistent Routes:
None
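Added diagnostic, not part of the thread and not written by either poster: a Python script that parses the "route print" and "ipconfig /all" output Jim posted (the two sample strings below are trimmed copies of his output, with the whitespace collapsed exactly as it appears in the post) and answers the two questions a VPN troubleshooter wants settled before touching the server: which default route is actually active, and which adapters still carry DNS servers that are reachable outside the tunnel while it is up. The function names, the regexes and the report layout are my own; the "lowest metric wins" rule for choosing between the two 0.0.0.0 routes is the standard Windows behaviour and agrees with the "Default Gateway:" line in the post.

```python
import re

# Samples copied from Jim Davis's post (trimmed; public octets are masked as "x"
# in the original, so the address pattern below accepts "x" as an octet).
ROUTE_PRINT = """\
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.2 2
0.0.0.0 0.0.0.0 192.168.2.145 192.168.2.145 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.0.0 255.255.255.0 192.168.0.2 192.168.0.2 1
204.x.x.13 255.255.255.255 192.168.0.1 192.168.0.2 1
Default Gateway: 192.168.2.145
"""

IPCONFIG = """\
Ethernet adapter Local Area Connection:

IP Address. . . . . . . . . . . . : 192.168.0.2
Default Gateway . . . . . . . . . : 192.168.0.1
DNS Servers . . . . . . . . . . . : 192.168.0.1

PPP adapter VPN via Uranus:

IP Address. . . . . . . . . . . . : 192.168.2.145
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 192.168.2.2
192.168.2.2
192.168.3.2
"""

IPV4 = r"(?:\d{1,3}|x)(?:\.(?:\d{1,3}|x)){3}"
ROUTE_RE = re.compile(rf"^\s*({IPV4})\s+({IPV4})\s+({IPV4})\s+({IPV4})\s+(\d+)\s*$")
ADAPTER_RE = re.compile(r"^(\w+ adapter .+):\s*$")
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z\- ]*?)[ .]*:\s*(.*)$")


def parse_routes(text):
    """Return every Active Routes row as a dict; header, separators and the
    'Default Gateway:' line do not match the five-column pattern and are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            dest, mask, gw, iface, metric = m.groups()
            rows.append({"destination": dest, "netmask": mask, "gateway": gw,
                         "interface": iface, "metric": int(metric)})
    return rows


def default_routes(text):
    return [r for r in parse_routes(text)
            if r["destination"] == "0.0.0.0" and r["netmask"] == "0.0.0.0"]


def active_default_route(text):
    """Windows uses the default route with the lowest metric; with
    'Use default gateway on remote network' ticked, that is the PPP route."""
    cands = default_routes(text)
    return min(cands, key=lambda r: r["metric"]) if cands else None


def parse_ipconfig(text):
    """Return {adapter: {field: [values]}}. A bare address on its own line
    (as in the DNS Servers list) is folded into the preceding field."""
    adapters, current, last_field = {}, None, None
    for line in text.splitlines():
        am = ADAPTER_RE.match(line)
        if am:
            current, last_field = am.group(1), None
            adapters[current] = {}
            continue
        if current is None:
            continue  # global section (Host Name, Node Type, ...) is not needed here
        fm = FIELD_RE.match(line)
        if fm:
            last_field, value = fm.group(1).strip(), fm.group(2).strip()
            adapters[current][last_field] = [value] if value else []
            continue
        cont = line.strip()
        if last_field and re.fullmatch(IPV4, cont):
            adapters[current][last_field].append(cont)
    return adapters


def resolver_check(route_text, ipconfig_text):
    """Find the adapter that owns the active default route's interface address,
    then list every other adapter that still has DNS servers configured. Those
    resolvers are reachable without the tunnel; in the thread that is the DSL
    modem at 192.168.0.1, which Jim identified as the source of the external
    answer for www.example.com."""
    route = active_default_route(route_text)
    adapters = parse_ipconfig(ipconfig_text)
    tunnel_adapter = None
    for name, fields in adapters.items():
        if route and route["interface"] in fields.get("IP Address", []):
            tunnel_adapter = name
    outside = {name: fields["DNS Servers"] for name, fields in adapters.items()
               if name != tunnel_adapter and fields.get("DNS Servers")}
    return {"active_default_via": route["interface"] if route else None,
            "tunnel_adapter": tunnel_adapter,
            "resolvers_outside_tunnel": outside}


if __name__ == "__main__":
    for key, value in resolver_check(ROUTE_PRINT, IPCONFIG).items():
        print(f"{key}: {value}")
```

Run against the posted output it reports the PPP adapter (192.168.2.145, metric 1) as the active default route and the LAN adapter's 192.168.0.1 as a resolver still configured outside the tunnel, which is the combination to look at when name resolution and routing appear to disagree: the routes say "send everything through the VPN", but a resolver on the physical adapter can still be asked first. The same script can be pointed at fresh output from any Windows client by replacing the two sample strings.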
 
D'oh - misrepresented rough network schematic, DMZ IP of RRAS server.
Should be:

(lan:192.168.2.0/24)--[firewall]--(outside:204.x.x.x)
        |                 |
        |          (dmz:192.168.12.20/30)
        |                 |
  [RRAS:192.168.2.13 and 192.168.12.22]
 
Can you ping a public IP like 4.2.2.1?

--
For more and other information, go to http://www.ChicagoTech.net

Don't send e-mail or reply to me unless you need consulting services.
Posting on the MS newsgroup will benefit all readers and you may get more help.

Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN, Anti-Virus, Tips & Troubleshooting on
http://www.ChicagoTech.net
Networking Solutions, http://www.chicagotech.net/networksolutions.htm
VPN Solutions, http://www.chicagotech.net/vpnsolutions.htm
VPN Process and Error Analysis, http://www.chicagotech.net/VPN process.htm
VPN Troubleshooting, http://www.chicagotech.net/vpn.htm
This posting is provided "AS IS" with no warranties.
Jim Davis said:
(original post quoted in full; see above)
 