VPN server deployment: IP Addressing, Routing/NAT, Single vs two NIC
I have seen a lot of IP addressing, NIC, NAT related queries in different newsgroups. This blog is aimed to give you a quick view on this.
First the basics on IP address/routing on RRAS perspective:
- Broadly there are two set of machines (or subnets) which needs IP address - one is the LAN machines (which may be obtaining IP address through DHCP Server) and other is the remote access client or VPN client machines (which gets IP address through RRAS server - via IPCP). For the second case, the RRAS server may be configured with a static address pool OR may be obtaining the IP addresses from a DHCP server (on behalf of VPN client).
- RRAS server creates a virtual interface (called as Internal interface or RAS Dial-in adapter) which is also assigned one IP address. This IP address is taken from the pool configured for VPN clients.
- The IP address pool (or subnet) can be shared between LAN machines as well as VPN clients OR can have different pool. For example, all LAN + VPN clients can have a shared pool as 192.168.1.1 to 192.168.1.254 OR LAN machines may have pool as 192.168.1.x and VPN clients as 192.168.2.x. The advantage of sharing between LAN + VPN clients is - no extra routes need to be added on LAN clients as well as VPN clients. But there can be practical requirements to have different subnets for LAN as well as VPN clients. And in this case you need to ensure there are appropriate routes from LAN clients to reach VPN clients and vice versa. This blog gives a good idea about it: http://blogs.technet.com/rrasblog/archive/2006/02/09/419100.aspx
Let us now take some examples:
1) RRAS server behind a NAT router with single NIC
Internet --> NAT router ---> LAN ----> RRAS server (single NIC)
Assume RRAS server is running DNS/WINS, DHCP and DC (like in SBS server scenario).
Say all the LAN clients as well as VPN clients share the same address pool - say 192.168.1.x, NAT router private NIC has IP address as 192.168.1.1 and RRAS server LAN NIC as 192.168.1.2 (it is better to have static IP address - so that NAT router can redirect correctly).
1) Configure DHCP server with a pool - 192.168.1.3-192.168.1.254 (note: 192.168.1.1 is given to NAT router and 192.168.1.2 to RRAS server itself) and default gateway as 192.168.1.1 (i.e. NAT router's LAN IP address).
2) Configure RRAS for single NIC - Select DHCP as the way to obtain IP address pool http://blogs.technet.com/rrasblog/archive/2006/06/19/437171.aspx
2.1) As you are running DNS/WINS on the same machine on RRAS, you may need to disable registering of RRAS tunnel adapter address into DNS/WINS - otherwise LAN machines will not be able to reach DNS/WINS server. Refer to http://support.microsoft.com/kb/292822/EN-US for more information.
2.2) As you are running multiple services on RRAS box, ensure you turn off static filters when configuring RRAS server (http://blogs.technet.com/rrasblog/archive/2006/07/06/440398.aspx)
3) Enable NAT router to redirect PPTP packets coming on its public interface to RRAS server: http://blogs.technet.com/rrasblog/archive/2006/06/14/435826.aspx
Note: RRAS server with L2TP behind a NAT router is not a "recommended scenario". Refer to following KB for further details: http://support.microsoft.com/default.aspx?scid=kb;en-us;818043
4) Create a VPN client - with "Use default gateway" check on and VPN server address as NAT router's public IP address. Ensure you are able to ping VPN server's internal interface, LAN NIC and the LAN clients by name as well as IP address.
In the above scenario, if you want to give different address pool to VPN clients and LAN clients, you can configure RRAS server with static IP address pool and give a different pool - like 192.168.2.x. Ensure you configure DHCP server scope to pass a static route (192.168.2.0/255.255.255.0 with gateway as 192.168.1.2 or RRAS server's LAN IP address) to LAN clients. This route will enable LAN client to reach VPN clients. VPN clients can reach LAN clients - because they have a default route towards VPN server.
2) RRAS server with two NIC
Internet --> RRAS server (two NIC) --> LAN
Assume RRAS server is running as NAT router too (for LAN machines as well as VPN clients)
Say all the LAN clients as well as VPN clients share the same address pool - say 192.168.1.x, RRAS server has a public IP address (say 126.96.36.199) and RRAS server LAN NIC as 192.168.1.2.
Note: In this scenario too you can have RAS as well as LAN clients sharing the same IP address pool OR have different pools
All the steps for this configuration remains same - except configure RRAS server for two NICs (one facing internet and one facing intranet) and enable NAT on RRAS server itself.
Please send us back your feedback or any queries that you may have
Lead Program Manager
RRAS, Windows Enterprise Networking
[This posting is provided "AS IS" with no warranties, and confers no rights.]