RE: Route added by RRAS that overrides local LAN route on NIC



I am using SBS as the VPN server. There is a router between SBS and the
internet that is performing NAT. I have the appropriate ports open and can
successfully connect a WinXP RAS client to the VPN server. The problem is
with the routes that get created on the RRAS when the client connects, not
getting a successful connection. When the connection is up I can successfully
get to the SBS server across the VPN. My issue is with the disruption to the
connectivity to the other PCs on the LAN.

Let me clarify what's happening with hopes you have seen this before:

The server has a LAN address of 10.0.0.1 and is on a network 10.0.0.0/24.
The route I am speaking of is the route to local LAN that is put in the
routing table when you configure the NIC. In my case this route looks like
this:

Network Dest Netmask Gateway Interface Metric
10.0.0.0 255.255.255.0 10.0.0.1 10.0.0.1 10

10.0.0.1 is the LAN address.

After the RAS client connects there is another route added so the two
entries of interest look like this:

Network Dest   Netmask          Gateway      Interface    Metric
10.0.0.0       255.255.255.0    10.0.0.1     10.0.0.1     10   <- this route is always there (before and after the VPN client connects)
10.0.0.0       255.255.255.0    10.0.0.115   10.0.0.121   1    <- this route is added when the client connects (in addition to the host route that is also added, like you usually see for each client)

10.0.0.115 is the address assigned to the RAS client (using DHCP).
10.0.0.121 is the Internal Interface on the server used by RAS. As you can
see after this route is added the server is routing to 10.0.0.0 via the RAS
tunnel vs. the LAN Interface so the PCs on the 10.0.0.0/24 local subnet are
"disconnected" from the server. The only thing I could think of was that
this was related to something that is configured automatically since there
are two NICs in the server, but I ran the Internet Connection wizard and
set up the server to use one NIC for Internet and LAN.

I was able to pull the ipconfig and routing table (without and with RAS client
connected) from the server. They are below.

As you will see by the route table, there is a route as I described.
Network Destination   Netmask          Gateway      Interface   Metric
0.0.0.0               0.0.0.0          10.0.0.254   10.0.0.1    1    <------- Default route
10.0.0.0              255.255.255.0    10.0.0.1     10.0.0.1    10   <----------- Route for interface LAN

After the RAS client connects, I get a 2nd entry for 10.0.0.0/255.255.255.0
but the gateway is the RAS client's assigned address, the Interface is the
RRAS internal interface address, and the metric is 1. This causes the server
to route all traffic destined for the local LAN to be routed over the tunnel
to the remote client. As expected the resulting effect is the server cannot
route packets to any of the machines on the local LAN which is very bad as
it breaks the local area network.

Output of ipconfig /all and route print (without RAS client connected).

Windows IP Configuration

Host Name . . . . . . . . . . . . : SERVER1
Primary Dns Suffix . . . . . . . : kuzma.local
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : Yes
DNS Suffix Search List. . . . . . : kuzma.local

PPP adapter RAS Server (Dial In) Interface:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-53-45-00-00-00
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.0.0.121
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :
NetBIOS over Tcpip. . . . . . . . : Disabled

Ethernet adapter Server Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
Physical Address. . . . . . . . . : 00-13-72-F7-3C-AB
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.0.0.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.0.0.254
DNS Servers . . . . . . . . . . . : 10.0.0.1


C:\Documents and Settings\Administrator>route print (without RAS client
connected)

IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10002 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
0x10003 ...00 13 72 f7 3c ab ...... Intel(R) PRO/1000 MT Network Connection
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.0.0.254 10.0.0.1 1
10.0.0.0 255.255.255.0 10.0.0.1 10.0.0.1 10
10.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1 10
10.0.0.121 255.255.255.255 127.0.0.1 127.0.0.1 50
10.255.255.255 255.255.255.255 10.0.0.1 10.0.0.1 10
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
224.0.0.0 240.0.0.0 10.0.0.1 10.0.0.1 10
255.255.255.255 255.255.255.255 10.0.0.1 10.0.0.1 1
Default Gateway: 10.0.0.254
===========================================================================
Persistent Routes:
None

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\Administrator>route print (after RAS client
connects)

IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10002 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
0x10003 ...00 13 72 f7 3c ab ...... Intel(R) PRO/1000 MT Network Connection
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.0.0.254 10.0.0.1 1
10.0.0.0 255.255.255.0 10.0.0.1 10.0.0.1 10
10.0.0.0 255.255.255.0 10.0.0.115 10.0.0.121 1
<- note this route is added when the RAS client connects which overrides the
route above to the local LAN
10.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1 10
10.0.0.115 255.255.255.255 10.0.0.121 10.0.0.121 1
10.0.0.121 255.255.255.255 127.0.0.1 127.0.0.1 50
10.255.255.255 255.255.255.255 10.0.0.1 10.0.0.1 10
65.184.34.228 255.255.255.255 10.0.0.254 10.0.0.1 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
224.0.0.0 240.0.0.0 10.0.0.1 10.0.0.1 10
255.255.255.255 255.255.255.255 10.0.0.1 10.0.0.1 1
Default Gateway: 10.0.0.254
===========================================================================
Persistent Routes:
None

Have you ever heard of this before? What would be making RRAS add this route?

Thanks,
John

"Crina Li" wrote:

Hi John,

Thank you for posting in SBS newsgroup.

I am sorry for the delayed response due to weekend. Please understand that
the newsgroups are staffed weekdays by Microsoft Support professionals to
answer your systems and applications questions. Your understanding is
greatly appreciated!

From your description, do you mean the LAN clients will lose the connection
with SBS if you create VPN to SBS from remote client?

To narrow down the problem, would you please help me collect the following
information?

1. Are you creating VPN to SBS or router from remote client? It means are
you using router or SBS as VPN server?
2. Post the ipconfig/all result from SBS, remote client and LAN client
before creating VPN and after creating VPN.
3. Post the route print result.

Also, you may need to follow the steps below to configure VPN access on an
SBS environment:

1. Run CEICW, follow the wizard and select Enable firewall and then make
sure Virtual Private Networking (VPN) is selected in the Services
Configuration page. And make sure you have typed the public FQDN of the SBS
server on the Web Server Certificate page.
2. Run Remote Access Wizard in Server Management\Internet and
E-mail\Configure Remote Access, and select VPN access in the Remote Access
Method page. After finishing this wizard, RRAS is configured to allow
inbound VPN access, and it can assign IP addresses to the VPN clients by
using DHCP.

Note: When we run the remote access wizard to set up the VPN service, we
need to input the public IP address or the public FQDN of the SBS server.
We need to make sure that the address can be accessed from the internet.

3. On the VPN client, go to https://publicFQDN/remote, clear I'm using a
public or shared computer, log in and download Connection Manager.
4. Install Connection Manager on the VPN client.
5. Is there a hardware router installed in front of the SBS server? If so,
ensure that the port forwarding for TCP 1723 and GRE port (protocol number
47) are opened. PPTP VPN is negotiating a connection on TCP port 1723 and
send data to and from the PPTP server using the GRE protocol (IP Protocol
47, 0x2F if you are looking in Network Monitor). You should open port 1723
on the router and also make sure IP Protocol 47 is allowed.

I appreciate your time and look forward to hearing from you.

Best regards,

Crina Li (MSFT)

Microsoft CSS Online Newsgroup Support

--------------------
| From: =?Utf-8?B?Sm9obiBQaGlsaXBz?= <JohnPhilips@xxxxxxxxxxxxxxxxxxxxxxxxx>
| Subject: Route added by RRAS that overrides local LAN route on NIC
| Date: Sat, 7 Oct 2006 08:42:01 -0700
| Newsgroups: microsoft.public.windows.server.sbs
|
| I have a SBS 2003 with dual NICs, but I am running the machine in a single
| NIC configuration. I have set up RRAS for remote access, which I have done
| many times before on other machines (both SBS and Win2003). For this
| particular machine, when a RAS client connects, the RRAS on the server adds
| a 2nd route for the local LAN to the routing stack. With the same
| destination, but with the VPN client's assigned IP address as the gateway.
|
| To illustrate:
|
| Before the VPN client connects, the routing table contains 10.0.0.0/24 with
| a gateway of 10.0.0.1 (Server Local Area Connection address) on Interface
| 10.0.0.1. This entry has a metric of 10.
|
| After the VPN client connects, the routing table contains a 2nd entry of
| 10.0.0.0/24 with a gateway of 10.0.0.118 (the address assigned to the RAS
| client) on interface 10.0.0.121 (RRAS Internal Interface). This entry has a
| metric of 1. Since this route has a lower metric it becomes the preferred
| route for the LAN and none of the PCs on the LAN can communicate with the
| server.
|
| When the RAS client disconnects the route is removed, and the PC on the LAN
| can reach the server again. I have dug through the RRAS configs many times
| and can't explain this. Does anyone know what could be causing this? Or,
| can you provide some pointers on how you control the routes that get added to
| the server when a RAS client connects? Also, does anyone know if a
| 10.0.0.0 network number is a problem? This is a class A private network, and
| I normally use 192.168.x.x which is a class C. Could this be some issue with
| the 10.0.0.0 being treated differently due to its class?
|
| Thanks,
| John
|


.
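An added example, not part of the original thread: a Python check that parses the Active Routes rows of `route print`, applies longest-prefix-then-lowest-metric selection, and flags an on-link LAN route that is shadowed by a same-prefix route on another interface. The sample rows are copied from the two tables in the post; the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: rows copied from the two `route print` tables in the post.
BEFORE = """\
0.0.0.0 0.0.0.0 10.0.0.254 10.0.0.1 1
10.0.0.0 255.255.255.0 10.0.0.1 10.0.0.1 10
10.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1 10
"""
AFTER = BEFORE + """\
10.0.0.0 255.255.255.0 10.0.0.115 10.0.0.121 1
10.0.0.115 255.255.255.255 10.0.0.121 10.0.0.121 1
"""

IP = r"((?:\d+\.){3}\d+)"
ROW = re.compile(rf"^\s*{IP}\s+{IP}\s+{IP}\s+{IP}\s+(\d+)\s*$")

def parse_routes(text):
    """Parse destination/netmask/gateway/interface/metric rows; skip other lines."""
    routes = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            dest, mask, gw, iface, metric = m.groups()
            routes.append({"net": ipaddress.ip_network(f"{dest}/{mask}"),
                           "gateway": gw, "interface": iface, "metric": int(metric)})
    return routes

def best_route(routes, dst):
    """Longest prefix wins; among equal prefixes the lowest metric wins."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r["net"]]
    return min(matches, key=lambda r: (-r["net"].prefixlen, r["metric"]), default=None)

def shadowed_onlink_routes(routes):
    """On-link subnet routes (gateway == interface) beaten by a same-prefix,
    lower-metric route that leaves through a different interface."""
    findings = []
    for onlink in routes:
        if onlink["gateway"] != onlink["interface"] or onlink["net"].prefixlen in (0, 32):
            continue
        for other in routes:
            if (other["net"] == onlink["net"] and other["metric"] < onlink["metric"]
                    and other["interface"] != onlink["interface"]):
                findings.append((onlink, other))
    return findings

if __name__ == "__main__":
    for label, table in (("before", BEFORE), ("after", AFTER)):
        r = best_route(parse_routes(table), "10.0.0.50")  # a LAN host (constructed)
        print(label, "->", r["gateway"], "via", r["interface"], "metric", r["metric"])
```

Run against a saved `route print` capture, a non-empty result from `shadowed_onlink_routes` means LAN-bound traffic is leaving through the RAS interface rather than the NIC.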


