Web Access via Dial-up - VPN


Mike

I have a multihomed Windows 2000 Server box with RRAS
installed and configured. My dial-in clients want to
access the internet via this connection and cannot. I
have packet filtering configured so only web traffic is
allowed through the external interface. I did this in
the same manner you would configure the PPTP filtering.
I have confirmed that this works because a terminal
services session is able to browse the web. Does anyone
know why my dial-up clients cannot get to the web? We
don't have a proxy and I do know that if we had one this
would not be an issue. Other than this all functions via
VPN or dial-up work great. What am I missing in this
configuration? I also realize that this is not the best
way to do this but at this moment it is all I have.

Any help would be greatly appreciated.
 
Is your RRAS server doing NAT for your LAN clients? Remote clients do
not get to use the NAT service, because the internal interface (which the
remotes connect to) is not an input to NAT.

To make this internal interface an input to NAT, enter this netsh
command at a command prompt.

netsh routing ip nat add interface internal private
 
It is not doing NAT for my LAN clients. My LAN clients
do not get on the internet via this box.
 
The first thing to check is the routing. Do the remotes receive IP
addresses in the same subnet as the LAN clients? If not, you will need to
route traffic through the RRAS server. If they do, the server should just
act as a proxy for the remotes.

Also check that the remotes are getting the correct DNS server address.
 
The remotes do receive IPs in the same subnet. They do
receive the correct DNS and do resolve names. By using
the default gateway on the remote network, you would
think the client would use the default gateway of the
RRAS server. Like all remote clients, their gateway is
actually their assigned dial-up IP. Will I have to add a
route on the remote clients to find the default gateway
on the RRAS server?
 
No, you don't need to do that. The remote clients should perform just
like the LAN machines. The server just forwards the traffic on to the LAN.
On the LAN, a packet from the remote looks just the same as a packet from a
LAN client. The reply from the firewall/router will also look just like a
reply to a LAN client. The RRAS server does proxy ARP for the remote, gets
the packet and relays it over the point-to-point link.

The other alternative is to use "off subnet" addresses. Give the remote
clients their own subnet and enable LAN routing on the server. You then use
normal routing procedures to route between the subnets (i.e., you give the
gateway router the info it needs to forward traffic for the remote subnet to
the RRAS router).
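
The two addressing options in the reply above differ in how the gateway's reply finds its way back to the dial-in client. The following is an added example, not part of the original thread: a small check of that return path, where the function name, result labels and all addresses are constructed for illustration.

```python
import ipaddress

def return_path(lan, remote_ip, rras_lan_ip, gateway_routes):
    """Classify how the LAN gateway's reply gets back to a dial-in client.

    gateway_routes: (prefix, next_hop) pairs configured on the gateway router.
    """
    lan = ipaddress.ip_network(lan)
    remote = ipaddress.ip_address(remote_ip)
    rras = ipaddress.ip_address(rras_lan_ip)
    if rras not in lan:
        raise ValueError("RRAS LAN address must be inside the LAN subnet")

    # On-subnet: the gateway ARPs for the client and the RRAS server answers
    # on its behalf (proxy ARP), so no route is needed on the gateway.
    if remote in lan:
        return "proxy-arp"

    # Off-subnet: the gateway uses its most specific matching route.
    best = None
    for prefix, next_hop in gateway_routes:
        net = ipaddress.ip_network(prefix)
        if remote in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ipaddress.ip_address(next_hop))

    if best is None:
        return "no-route"          # gateway has nowhere to send the reply
    # The reply only reaches the client if the next hop is the RRAS server.
    return "routed-via-rras" if best[1] == rras else "wrong-next-hop"

# Constructed sample values (not from the thread).
LAN = "192.168.1.0/24"
RRAS = "192.168.1.10"
DEFAULT_ONLY = [("0.0.0.0/0", "203.0.113.1")]
WITH_STATIC = DEFAULT_ONLY + [("192.168.50.0/24", RRAS)]

if __name__ == "__main__":
    cases = [
        ("192.168.1.200", DEFAULT_ONLY),  # on-subnet pool
        ("192.168.50.5", DEFAULT_ONLY),   # off-subnet, gateway lacks the route
        ("192.168.50.5", WITH_STATIC),    # off-subnet, route points at RRAS
    ]
    for ip, routes in cases:
        print(ip, "->", return_path(LAN, ip, RRAS, routes))
```

A "wrong-next-hop" result for an off-subnet client means the gateway sends replies out its default route instead of back to the RRAS server, which is the missing routing information the reply describes.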
 