Win2K RRAS/VPN Help

Thread starter: DMF
All,

I have inherited a site with Win2KS running AD/DNS/RRAS/VPN
with a Linksys router running NAT/DHCP to share the DSL
connection. Linksys is 192.168.1.1, Server LAN side NIC#1 is
192.168.1.2, RRAS Server is 192.168.1.200 on Server NIC#2
IP=192.168.1.192, VPN Clients are *.200+, LAN Clients are
*.100+ The Linksys is setup with a static IP WAN side with VPN
traffic (typically PPTP clients on Win2K or WinXP) forwarding to
the Server NIC#2 with IP=*.192 and connection to RRAS.

The problem is that this setup is terribly unreliable for both LAN
users and VPN clients. LAN side users often drop shared drives or
lose internet connection. VPN users get weird login messages (duplicate
name on network, etc), dropped connections or require multiple attempts
to establish a connection. I have already replaced one flaky switch and
a bad DSL modem -- so things are getting better. But to really make
progress I think I am going to have to dig in and reconfigure this server.
I am no expert but I'm reading a lot of whitepapers (and I stayed at a
Holiday Inn last night ;-). So one of the first things I learned is that it
is bad form to have two NICs in one server on the same subnet. The
error log is full of errors regarding this and I think it's one of the causes
of the unreliable VPN connections. Anyway, today I tried to disable
the NIC#2 and get the RRAS to use the NIC#1 IP, no joy.

Questions...

1) Are the two NICs in one server on the same subnet the source of
my grief? If so, how do I correct this? Even a temporary solution
would be good -- until I can get up to speed on setting this server
up properly.

2) Currently the DSL modem dumps into the Linksys router WAN
side. LAN side of router is 192.168.1.1 and is the default gateway
on the network. Server NIC#2 (IP=192.168.1.192) is plugged into
the Linksys LAN port as are a couple of printers and then the Linksys
is linked to a 16P switch. All the local Client PCs and the Server
NIC#1 (IP=192.168.1.2) are plugged into the 16P Switch. This
doesn't seem right to me.... it seems a little circular. Could this be
a source of my problems?

Thanks for any replies.

Regards,
David
 
1) Yes, having two NICs in the same IP subnet is a bad idea (especially
if you try to configure different gateway settings on the NICs). It is also
unnecessary and doesn't do anything useful. But if you disable NIC2, you
will need to change the port forwarding on the router so that it forwards
the VPN traffic to NIC 1. You should not need to change anything on the
server itself.

This probably won't solve all of your problems. Your server will still
be multihomed (ie have two interfaces) when a VPN client connects (because
of the "internal" RRAS interface 192.168.1.200 which is the endpoint of VPN
connections). This causes duplicate names and browsing problems.

The simplest way to fix this is to disable Netbios over TCP/IP on the
RRAS internal interface. The details are given near the end of KB 292822.

2) The person who set it up obviously didn't grasp the situation. If all the
machines are using the Linksys as their default gateway they can all plug
into the same switch. (NIC2 should be disabled and not plugged into
anything). The present setup would only make some sense if the Linksys and
the router were in a different IP subnet from the LAN clients. This is a
feasible solution but is not the one you are set up for. In that case, the
LAN clients would use the server's LAN NIC as their default gateway, not the
Linksys.

How about DNS? Are the clients set up to use the DC as their DNS server?
And is the server set to forward to a public DNS (such as your ISP)?
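
An added example, not part of Bill's answer or of the original post: a small Python check over the addressing the thread describes (server NICs at 192.168.1.2 and 192.168.1.192, RRAS pool .201 to .225, RRAS internal interface .200, LAN clients at .100+). It flags two NICs on one host that share a subnet, and an RRAS static pool that overlaps the DHCP scope, swallows a fixed address, or falls outside the LAN subnet. The DHCP scope boundaries (.100 to .199) and the host labels are assumptions.

```python
"""Sanity checks for the IP plan of a small RRAS/VPN site.

Added example, not code from the thread. The addresses are the ones the
original post describes; the DHCP scope (.100-.199) and the host labels
are assumptions.
"""
from ipaddress import IPv4Address, IPv4Interface, IPv4Network
from itertools import combinations


def same_subnet_nics(host_ifaces):
    """Return pairs of NIC names on one host whose addresses share a subnet.

    host_ifaces: list of (name, 'a.b.c.d/prefixlen') tuples for one machine.
    Two NICs in one subnet give Windows two routes to the same network and
    two registrations for the same name, which is what the error log shows.
    """
    parsed = [(name, IPv4Interface(cidr)) for name, cidr in host_ifaces]
    return [
        (a_name, b_name)
        for (a_name, a), (b_name, b) in combinations(parsed, 2)
        if a.network == b.network
    ]


def ranges_overlap(first, second):
    """True if two inclusive (low, high) address ranges intersect."""
    lo1, hi1 = (IPv4Address(x) for x in first)
    lo2, hi2 = (IPv4Address(x) for x in second)
    return not (hi1 < lo2 or hi2 < lo1)


def pool_conflicts(lan, vpn_pool, dhcp_scope, static_hosts):
    """List problems with an RRAS static address pool for VPN clients.

    lan: the LAN as 'a.b.c.d/prefixlen'; vpn_pool and dhcp_scope: inclusive
    (first, last) tuples; static_hosts: {label: address} of fixed addresses.
    """
    net = IPv4Network(lan)
    lo, hi = (IPv4Address(x) for x in vpn_pool)
    problems = []
    if lo not in net or hi not in net:
        # VPN clients outside the LAN subnet need a route back via the server.
        problems.append("vpn pool not inside LAN subnet")
    if ranges_overlap(vpn_pool, dhcp_scope):
        problems.append("vpn pool overlaps DHCP scope")
    for label, addr in static_hosts.items():
        if lo <= IPv4Address(addr) <= hi:
            problems.append(f"vpn pool contains static host {label} ({addr})")
    return problems


if __name__ == "__main__":
    # The site as described: both server NICs on 192.168.1.0/24.
    server = [("NIC1", "192.168.1.2/24"), ("NIC2", "192.168.1.192/24")]
    print("same-subnet NIC pairs:", same_subnet_nics(server))

    fixed = {"Linksys": "192.168.1.1", "NIC1": "192.168.1.2",
             "NIC2": "192.168.1.192", "RRAS internal": "192.168.1.200"}
    print("pool .201-.225:", pool_conflicts(
        "192.168.1.0/24", ("192.168.1.201", "192.168.1.225"),
        ("192.168.1.100", "192.168.1.199"), fixed))
    # A pool widened downward to .190 would collide with NIC2 and DHCP.
    print("pool .190-.225:", pool_conflicts(
        "192.168.1.0/24", ("192.168.1.190", "192.168.1.225"),
        ("192.168.1.100", "192.168.1.199"), fixed))
```

Run it before and after changing the RRAS pool: the first report should list the (NIC1, NIC2) pair while NIC2 is still enabled and an empty conflict list for the .201 to .225 pool; the second shows what a carelessly widened pool does.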
 
Bill Grant wrote...
> 1) Yes, having two NICs in the same IP subnet is a bad idea (especially
> if you try to configure different gateway settings on the NICs). It is
> also unnecessary and doesn't do anything useful. But if you disable NIC2,
> you will need to change the port forwarding on the router so that it
> forwards the VPN traffic to NIC 1. You should not need to change anything
> on the server itself.

That's what I was hoping but I disabled NIC#2 and told RRAS to use
NIC#1 which went fine. However, the RRAS was set to distribute
*.201 thru *.225 IPs for VPN clients. Included in that setting was a
reference to the *.192 NIC#2 IP and I could not change it so that it
referred to NIC#1 IP *.2 so I gave up. There was also a choice to
use DHCP but I did not want to make any drastic changes since the
company boss was on a trip to Boston and I didn't really want to risk
knocking the VPN out of commission ;-)

Next time I go back I will get more details on the *.192 reference that
I could not change.

> This probably won't solve all of your problems. Your server will still
> be multihomed (ie have two interfaces) when a VPN client connects
> (because of the "internal" RRAS interface 192.168.1.200 which is the
> endpoint of VPN connections). This causes duplicate names and
> browsing problems.

Hmmm... now I am confused because I have seen other sites with
RRAS using *.200 and clients getting *.200+ IPs. I thought that the
duplicate names and browsing problems were coming from NIC#2
with the *.192 address on the same subnet as the *.2 address both
in the Server PC.

> The simplest way to fix this is to disable Netbios over TCP/IP on the
> RRAS internal interface. The details are given near the end of KB
> 292822.

Okay, I will look into that. I also read a site that suggested that if File
and Print sharing is deselected for the secondary NIC then two NICs
can co-exist in the same server without generating errors.

> 2) The person who set it up obviously didn't grasp the situation.

I realized that pretty quickly ;-)

> If all the machines are using the Linksys as their default gateway they
> can all plug into the same switch. (NIC2 should be disabled and not
> plugged into anything). The present setup would only make some sense
> if the Linksys and the router were in a different IP subnet from the LAN
> clients. This is a feasible solution but is not the one you are set up
> for. In that case, the LAN clients would use the server's LAN NIC as their
> default gateway, not the Linksys.

Disabling NIC#2 is my (short-term) goal right now but I was afraid of
knocking VPN access out of commission. I think that long term the way
I want to set it up is to get NIC#2 one of the static, public DSL addresses
with VPN only filter on it and use a different public DSL address for the
WAN side of the Linksys which would provide FW/DHCP/NAT to LAN
side clients and Server providing on NIC#1 AD/DNS/FileShare and on
NIC#2 RRAS/VPN.

> How about DNS? Are the clients set up to use the DC as their DNS
> server? And is the server set to forward to a public DNS (such as your
> ISP)?

Seems to work okay... Server is AD/DNS with forward set to the ISPs
public DNS so clients look to Server for DNS and can access the Internet
and shared local resources. However, lost shared drives and Internet
disconnects are common LAN/client side -- a reboot fixes the problem.

I'm going back to this site tomorrow and will collect more info. I really
appreciate your help here, Bill. Thanks.

Regards,
David
 
If you want to use the RRAS server to filter the traffic between the LAN
and the Internet, the best solution is to isolate the Linksys from the LAN.
You set it up in much the same way as you would for the example where the
server has one NIC directly connected to the Internet. Only the "public" NIC
of the server can see the router. The server is the default gateway for the
LAN clients. The server's two NICs are in different IP subnets.

In this scenario the server needs to do DHCP for the LAN
machines (because they can't see the router). The router forwards the VPN
traffic to the "public" NIC. I suspect this is the model your system
designer was aiming for (but missed a few vital bits!)
 
Win2K Server Saga update...

I went back today and disabled Netbios over TCP/IP and File
and Print Share on NIC#2 and rebooted. BSOD STOP error
on reboot, no boot device found -- I nearly had a heart attack!
Eventually I got into the recovery console, ran CHKDSK then
safemode and disabled NIC#2 completely -- could a defective
NIC cause a BSOD on setting changes?

Anyway, after I disabled NIC#2, I set RRAS to use NIC#1.
Previously when I tried this the setting that would not change was
in RRAS setup, IP tab where you choose the static pool -- I had
to change the range of the pool or it picked up the old IP of *.192
for NIC#2. When I changed the range of the pool it picked up
NIC#1 IP. I tested the VPN with a laptop via dialup and it seemed
to work okay... all shares, dbase program, etc. all worked. So for
now things are okay... also once I disabled NIC#2 the LAN-side
shared drives seems to work better.

Bill Grant wrote...
> If you want to use the RRAS server to filter the traffic between the
> LAN and the Internet, the best solution is to isolate the Linksys
> from the LAN. You set it up in much the same way as you would
> for the example where the server has one NIC directly connected
> to the Internet. Only the "public" NIC of the server can see the
> router. The server is the default gateway for the LAN clients. The
> server's two NICs are in different IP subnets.
>
> In this scenario the server needs to do DHCP for the LAN
> machines (because they can't see the router). The router forwards
> the VPN traffic to the "public" NIC. I suspect this is the model your
> system designer was aiming for (but missed a few vital bits!)

I thought about doing it this way and it makes a lot of sense. However,
this server has been so unreliable the boss insists that the DSL/Internet
connection be independent of the server. I think that at one point the
server's power supply went out and it took two or three days to get a
new one. So the tech setup the router to share DSL and provide DHCP
independent of the server -- it's now a requirement ;-)

Given that requirement, here's the setup that I am planning on now
(unless there is a better way)

DSL Modem
Static IP#1 => Linksys Router => All LAN side clients DHCP
with 192.168.1.* addresses, Server Static at
*.2, Router is default GW 192.168.1.1
Static IP#2 => Server NIC#2 => RRAS/VPN only traffic.

LS Router is DHCP/FW/NAT,
Server NIC#1 is Static Private IP 192.168.1.2 AD/DNS/F&P
Share, Client DNS is Server IP *.2 with
forwarding to ISP public DNS for non-local.
Server NIC#2 is Static Public IP 67.*.*.* WAN side RRAS/VPN

In essence, what I want to do is use an additional static DSL IP.
Their account has 5 public DSL IP addresses and right now they are
only using one on the Linksys WAN side which is providing DSL
access for LAN side clients and VPN connection. The Linksys is
set for VPN data forwarding which is how the RRAS on NIC#2 is
getting data. What I would like is that the site have two public IPs
one into the router (for LAN side Internet) and one into Server
NIC#2 for VPN incoming connections. (with VPN only filter for
security).

Would this work? Are there routing issues getting the VPN
clients to see the LAN side if the NIC had a public IP? TIA.

Regards,
David
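
An added example, not part of David's post or Bill's replies: a Python model of the "VPN only filter" a public-addressed RRAS NIC needs. The Win2K RRAS PPTP input filter admits only TCP/1723 (the PPTP control channel) and GRE, IP protocol 47 (the tunnel carrying PPP), and drops everything else; without it, NetBIOS, SMB, LDAP and DNS on a domain controller are reachable from the Internet on that public IP. The same two components are what the Linksys has to forward when it sits in front of the server: forwarding only port 1723 lets the control channel connect but the tunnel never arrives (most consumer routers call passing GRE "PPTP passthrough"). Two caveats the thread does not state: the probe packets below are constructed, and PPTP's MS-CHAPv2 authentication has since been shown to be breakable, so the filter limits exposure of the server but does not make PPTP itself safe.

```python
"""Model of the 'VPN only' input filter on a public-facing RRAS NIC.

Added example, not code from the thread. It mirrors the PPTP filter the
Win2K RRAS setup places on the public interface: allow inbound TCP/1723
(control channel) and GRE, IP protocol 47 (the tunnel itself), drop the
rest. The probe packets are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

PROTO_TCP, PROTO_UDP, PROTO_GRE = 6, 17, 47


@dataclass(frozen=True)
class Packet:
    proto: int
    dst_port: Optional[int] = None  # GRE has no ports


@dataclass(frozen=True)
class AllowRule:
    proto: int
    dst_port: Optional[int] = None  # None: any port (or a portless protocol)

    def matches(self, pkt):
        if pkt.proto != self.proto:
            return False
        return self.dst_port is None or pkt.dst_port == self.dst_port


# What RRAS's PPTP input filter permits on the public NIC.
PPTP_ONLY = (AllowRule(PROTO_TCP, 1723), AllowRule(PROTO_GRE))
# A public NIC with no filter: every listening service is reachable.
UNFILTERED = tuple(AllowRule(p) for p in (PROTO_TCP, PROTO_UDP, PROTO_GRE))


def permitted(pkt, rules):
    """Default deny: a packet passes only if some allow rule matches it."""
    return any(rule.matches(pkt) for rule in rules)


def exposed_services(rules, probes):
    """Names of the probed services the filter would let reach the server."""
    return [name for name, pkt in probes if permitted(pkt, rules)]


# Services a Windows 2000 DC with file sharing listens on, plus the two
# PPTP components. Constructed sample, not a capture.
PROBES = [
    ("pptp-control", Packet(PROTO_TCP, 1723)),
    ("gre-tunnel", Packet(PROTO_GRE)),
    ("netbios-ns", Packet(PROTO_UDP, 137)),
    ("netbios-ssn", Packet(PROTO_TCP, 139)),
    ("smb", Packet(PROTO_TCP, 445)),
    ("ldap", Packet(PROTO_TCP, 389)),
    ("dns", Packet(PROTO_UDP, 53)),
]

# Both halves of PPTP that a NAT router must pass to the VPN server.
PPTP_REQUIRED = {(PROTO_TCP, 1723), (PROTO_GRE, None)}


def missing_forwards(forwarded):
    """Return the PPTP components a router's forwarding table lacks.

    forwarded: set of (proto, port) the router forwards to the server.
    Forwarding TCP/1723 alone gets the control channel up while the GRE
    tunnel is dropped, so the client stalls right after connecting.
    """
    return PPTP_REQUIRED - set(forwarded)


if __name__ == "__main__":
    print("unfiltered exposes:", exposed_services(UNFILTERED, PROBES))
    print("pptp-only exposes:", exposed_services(PPTP_ONLY, PROBES))
    print("port 1723 only, missing:", missing_forwards({(PROTO_TCP, 1723)}))
```

The unfiltered list is what a public address on NIC#2 would expose if the RRAS filter were left off; the PPTP-only list is the intended result, and the last line is the check to run against the Linksys forwarding table in the router-in-front configuration.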
 
Update...

I went in today and started to work on reconfiguring the RRAS
setup, etc... but I found that two UPS devices were defective
and the VPN router was bad -- the Linksys VPN router would
restart on a tracert... very strange... so I bailed out and decided
to defer RRAS work till I get other issues resolved.

Regards,
David
 