Windows 2000 RRAS IP Address allocation, Ports setting

I am obviously missing something with my understanding of RRAS.  I inherited a network that has a VPN server which is Microsoft 2000 Server with the RRAS server installed.

General is set to RAS Server only. It works fine, meaning users are able to access the network using the Microsoft VPN access over TCP/IP. They create a new VPN connection and access the network.

If you right click on the one server I have set up:
General is set to RAS Server only.
Under IP I have enabled IP routing and allow IP-based remote access and demand-dial connections. It is set to DHCP.
AppleTalk does say enabled.
Everything under PPP is checked as well.
Event Logging is enabled as well, not that I get much info from the data, but I can at least see when someone has hit the network and know how to troubleshoot from there.

If I right click on Ports I have:

RAC PPP Connection using RACPort, which I believe is the Dell device which is not being used at all (I am guessing here because it says modem under type).
WAN Miniport PPTP is used by RAS, type PPTP, and number of ports is 10 (I changed this from 20).
WAN Miniport L2TP is used by NONE, type L2TP, and number of ports is 5 (the default).

If I right click on AppleTalk routing the enable routing option is available. I do not believe I have any remote Mac users.

My issue is that the server is allocating 20 IP addresses out of my DHCP pool and I do not want it to allocate more than 10 ever. How do I stop this from occurring? Can I change it to static IPs, enter an unused range of IPs different from my local network, such as 10.0.0.0/240, and have it stop using any addresses from my current DHCP pool, which is already limited?

I am so confused as to why it was set up to use the same DHCP addresses that the local clients are using to access the outside world.

What can I do to get back my 20 DHCP addresses?

I also have my server binding a second IP address to itself that just seems so funky since it is in the same range as the rest of the DHCP pool.  Therefore currently it has a fixed IP of 192.168.10.50 and a WAN <PPP/SLIP> Interface IP of 192.168.10.169 /32 with a DNS server of 127.0.0.1.

If I was able to simply reduce the total usage to 10 contiguous IPs I would be satisfied. At one point I believed that Ports meant the IP addresses it could grab, and it does appear related. Meaning when I changed it from 20 to 10 and restarted the service it would only show that 10 IP addresses were allocated in DHCP. BUT now as new users log on it grabs additional IPs beyond that pool even though the maximum users at one time is never more than 8.

So I am believing that because there must be more than 10 different users my addresses must have the lease maintained and instead of reusing an existing IP it is grabbing another one from the DHCP pool hence the mess I am getting.

Is that logical? I do not want to change my lease time, if that is even a solution. What other options do I have and how much am I missing?

Sorry, but I have not been very good at understanding the concepts, being overwhelmed too often with so many mundane tasks. I hope someone with more experience with this can lead me down the right path.

Thanks

Doug
 
Rob Williams commented:
You should be able to reduce the number of ports to 10, as you have done, which will limit it to 10 simultaneous connections. You may want to limit that further. You can still have 50 users but 10 simultaneous.
Then, in the assigned DHCP range for the VPN users in the RRAS management console (not the DHCP management console) you need to limit that range of IPs as well, to 10 or less. This should force re-use of the same IPs.

I believe you could also break your existing scope up into 2 ranges and specify a shorter lease time for the range you wish to use for your VPN clients. Adding a second subnet for the VPN users is another possibility, but it may require more configuring, another NIC, and some routing to allow the users to access the existing network.
 
Rob Williams commented:
Doug, was any of the above helpful in configuring? Have you had any success?
--Rob
 
dcohn (Author) commented:
I see no way to limit the users of DGCP addresses.

Where is this?

>>"Then, in the assigned DHCP range for the VPN users in the RRAS management console (not DHCP management console) you need to limit that range of IP's as well, to 10 or less. This should force re-use of the same IP's."


Sorry, I missed the original email in my 9000-per-day quota.
 
dcohn (Author) commented:
Of course I meant DHCP

I believe I need to just assign static IPs to the server from the DHCP pool that I have in use on the network. That is why I asked here, but you really provided no details at all.

There is no place to set the DHCP set to 10 addresses in the interface.

Additionally, using another IP address range seems like a simple solution. It seems that I would then just add a static route and be done. The only issue I see right off the bat is that it would make accessing those users connecting over the RAS server via VNC that much harder.

If you can help please talk to me.

Doug
 
Rob Williams commented:
What I was suggesting before is that by limiting to 10 ports, as you have done, it will limit to 10 simultaneous users. As for the IP addresses, you can assign a range by opening the RRAS management console, right-clicking on the server and choosing Properties; on the IP tab select "Static Address Pool", then click Add. Here you can specify the IP range and number of IPs, which you could limit to 10. It could also be outside of your existing DHCP range/scope so long as it is the same subnet.
 
dcohn (Author) commented:
OK.

As I mentioned the ports I already limited which means that no more than 10 simultaneous users can connect.

The reason I have not done what you are suggesting is that it assigns a subnet mask to the IPs that is not the same as my network's. Additionally, the help does not suggest doing this anywhere. I will explain.

In the RAS Server Properties under the IP tab I have the following results under Static Address Pool.

You add a range and it shows the following columns:
From, To, Number, IP address and Mask
The From is the starting IP.
The To is the ending IP.
The Number is the total usable IPs.

IP address - I have no idea what this is, but I know the address it fills in is of another server on my network unrelated to the RAS server. For example, I added two ranges as a test but did not save it.

192.168.10.165 - 192.168.10.168 (3) and 192.168.10.170 - 192.168.10.179 (10) for a total of 13. The reason I left 192.168.10.169 out is that that IP is always assigned to the server itself. This IP shows up as the Internal interface under the IP Routing/General menu item. The onboard interface is a fixed IP, which is 192.168.10.50. Additionally the list shows the Loopback address of 127.0.0.1.

I thought the Internal interface was assigned dynamically, but it is always that .169 address, so I am really not sure.

If you look in my DHCP server and see what leases exist, you see that 192.168.10.160 - 192.168.10.179 all have a RAS Server (DUN) icon next to them, except for .173 and .174, which were grabbed by something else first; to make up for those 2 missing addresses, .208 and .209 are also marked with a RAS Server (DUN) icon. So it seems pretty clear to me that there is a setting somewhere that is allocating 20 addresses to the RAS server.
All I want from you is how I change that number to 10 or 11 so it can assign one to the server's internal address as well, which it obviously has been doing (and I don't see why, since the primary address is in the same network).

Mask - This is certainly wrong, as the mask is /24 for my network and it is assigning my range a mask that is unrelated to my network, /28.

Because of this I did not create this list. Are you sure this is correct? It just does not appear correct to me. I also do not understand why it always seems to assign 20 DHCP addresses. I had thought it would use the first 10 available after I changed the ports to 10, but I see it bases use on the lease that the DHCP server has set, which is somewhat logical.

I just do not trust this method because the mask is wrong. I have not been able to test it since it is live and there are many outside people constantly accessing the server, and contacting all of them is very difficult.

I inherited this account, which is why I do not understand the setup, as I would not even use the Microsoft RAS server but would use a VPN client from the firewall.

If you know for sure how this IP assignment works and that it is OK to use addresses that are currently in a DHCP pool (I would have to exclude them), then I will give it a shot.

Thanks

Doug
 
Rob Williams commented:
>>"All I want from you is how I change that number to 10  or 11 so it can assign one to the server's internal address as well which it obvioulsy has been doing. (and I don't see why since the primary address is in the same network)"
After doing a little reading, it may be as simple as restarting your server or restarting the RRAS service. Limiting the RAS server to 10 connections/ports should also limit it to 10 IPs, which you have already done. However, it seems RAS reserves DHCP IPs in blocks of 10, and it does so when the server is started. To release the additional ones from before will probably require a reboot. You can further modify the number of reserved leases within the registry. Have a look at the following Microsoft articles:

"When the RAS server starts up with the option to Use DHCP to assign remote TCP/IP addresses, it makes several DHCP requests in advance and caches the DHCP leases that it will need for dial-in clients. The RAS Server will request a number of addresses according to the behavior defined in the following article......... "
from:   http://support.microsoft.com/?kbid=160699

"The RAS server uses DHCP to lease IP addresses in blocks of 10 and stores them in the registry. The server leases additional addresses in blocks of 10 as needed. The number of addresses that RAS leases at a time is configurable in the registry......"
from:   http://support.microsoft.com/kb/216805/EN-US/ 

>>"IP address  - I have no idea what this is but I know the address it fills in is of another server on my network unrelated to the "
When you click Add, you should be able to manually add an address you want, legitimate or otherwise. You say it is automatically filling in an address? Very odd.

>>"I thought the Internal Interface was assigned dynamically but it is always that .169 address so I am really not sure. "
This is the address assigned to the internal NIC. If it is a server, it should be statically/manually assigned and fixed, not dynamic. The "IP Routing/General" section simply lists the configuration of any existing network adapters. You should be able to right-click on the appropriate adapter and on the Configuration tab see if the adapter has a static or dynamically assigned IP.

As for the subnet mask, I have never noticed before that it assigns a mask based on the number of IPs. This should be OK though, as the subnet is part of the larger subnet. If you notice, on a VPN client it is assigned the IP with a subnet mask of 255.255.255.255 [/32].
 
dcohn (Author) commented:
First of all, thank you for all those DHCP tips. They look good.

As to this:

>>"IP address  - I have no idea what this is but I know the address it fills in is of another server on my network unrelated to the "
>>"When you click add, you should be able to manually add an address you want legitimate or otherwise. You say it is automatically filling an address? Very odd."

As I mentioned, I add exactly what I want. The issue is the subnet mask it creates and what appears to be a gateway address it selects, which, as I mentioned, is another server on my network.

>>"I thought the Internal Interface was assigned dynamically but it is always that .169 address so I am really not sure. "
>>"This is the address assigned to the internal NIC. If it is a server, it should be statically/manually assigned and fixed, not dynamic. The "IP routing/General" section simply lists the configuration of any existing network adapters. You should be able to right click on the appropriate adapter and on the configuration tab see if the adapter has a static or dynamically assigned IP."

No, this is NOT the address assigned to the internal NIC. My internal NIC is also displayed and it has a fixed IP of 192.168.10.50. There are no other active NICs. If you look in Network properties you see a single NIC with a static IP of 192.168.10.50.

BUT within the RAS server properties it shows this Internal NIC setting, as I mentioned, along with my statically defined address. Here I exported the IP Routing/General menu listing:

Interface      Type      IP Address      Administrative Status      Operational Status      Incoming bytes      Outgoing bytes      Filters      
Broadcom NetXtreme Gigabit Ethernet Adapter - onboard 1      Dedicated      192.168.10.50      Up      Operational      450,408,114      285,698,511      Disabled      
Internal      Internal      192.168.10.169      Up      Connected      0      0      Disabled      
Loopback      Loopback      127.0.0.1      Up      Operational      0      0      Disabled      

The first listing (Broadcom) is the physical interface. The second one is a PPP adapter. Here is an ipconfig output:

Windows 2000 IP Configuration

Ethernet adapter Broadcom NetXtreme Gigabit Ethernet Adapter - onboard 1:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.10.50
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.10.2

PPP adapter RAS Server (Dial In) Interface:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.10.169
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . :

 
Rob Williams commented:
I am realizing I am not as familiar with the DHCP configuration of RAS clients as I would like to be, so this is great. <G> After playing with a demo machine here, and doing a little more reading, it seems the Internal interface, the .169 in your case, is a virtual device. It is the device the VPN/RAS clients connect to. It appears to assign it the first IP higher than that of the first connecting RAS client. When the client disconnects it seems to retain the IP. Only stopping and restarting the RAS service using the services management console released the IP.
 
dcohn (Author) commented:
The real issue I see is that it retains the same IP address repeatedly.

I am certainly not comfortable using the static IP option with IPs from my DHCP pool that I reserve. It just feels wrong.

It seems that the issue is that it reserves IPs in blocks of 10. If in fact that is true and it will reserve only 10 plus the Internal IP, then it may be worth testing that registry change.

It seems quite odd that the only way to set the amount of IPs it grabs is through a reg hit. Shows you why you should not use this thing.

I am between a rock and a hard place because the firewall solution this company has in place already is a WatchGuard firewall. I am a Netscreen or Cisco person myself, with a heavy preference for Netscreen, so moving from the logical, clean management of a Netscreen to the very funky, illogical management of a WatchGuard has been quite difficult for me. Damn, you have to reboot every time you add a friggin policy!
 
Rob Williams commented:
>>"The real issue I see is that it retains the same IP address repeatedly."
I assume you mean the "Internal" IP. I found that if I stopped the RRAS service and restarted it, it cleared the IP. Next time I re-connected with a client it did not always choose the same IP, but it was always 1 higher than the first connected VPN client. I really don't know how that works or why. No chance you have an open VPN connection maintaining that status?

>>"I am certainly not comfortable using the static IP option with ips from my DHCP pool that I reserve.  It just feels wrong."
Absolutely, but what are you referring to? The .169? If so, I don't know how to control that.

You really don't need to use the registry key. It reserves the addresses in blocks of 10 by default. As I understand it, if you don't allow more than 10 simultaneous connections/ports it won't reserve more than 10. Allow 11 connections and it will reserve 20 in total. The registry key is only necessary if you wanted to change the default of blocks of 10 to, say, blocks of 5.

I use several WatchGuard SOHOs and I agree the reboot is ridiculous. As for VPNs, I never use the Windows one other than for perhaps a quick temporary access. Give me a hardware-based VPN any day.
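As an added illustration (not code from the thread, from Microsoft, or from RRAS itself), the following Python models the allocation behaviour discussed above: the block-of-10 DHCP leasing quoted from KB 216805, the count-derived mask shown for a Static Address Pool range, and which pool addresses would have to be excluded from the DHCP scope so LAN clients never receive them. It assumes, as the thread suggests but does not confirm, that the Internal interface takes one address from the same pool; the DHCP scope bounds in the usage section are constructed sample values.

```python
# Constructed model of the RRAS address behaviour discussed in this thread.
# Not Microsoft code; every rule it encodes is either quoted in the thread
# (KB 216805: blocks of 10) or marked below as an assumption.
import ipaddress
from math import ceil

DEFAULT_BLOCK = 10  # KB 216805: RAS leases DHCP addresses in blocks of 10


def addresses_leased(max_ports, block_size=DEFAULT_BLOCK, internal_interface=True):
    """DHCP addresses RAS ends up holding once every port has been used.

    Assumption: the Internal interface (.169 in the thread) takes one address
    from the same pool, so 10 ports + 1 = 11 in use, which spills into a
    second block of 10 and shows up as 20 RAS (DUN) leases.
    """
    in_use = max_ports + (1 if internal_interface else 0)
    return ceil(in_use / block_size) * block_size


def static_pool(first, last, lan):
    """Describe a From/To range entered under Static Address Pool.

    Assumption: RRAS derives the displayed mask from the number of addresses
    (10 addresses -> /28), as observed in the thread, not from the LAN's /24.
    inside_lan checks the condition that the pool lie in the LAN subnet.
    """
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    count = int(hi) - int(lo) + 1
    prefix = 32 - (count - 1).bit_length()  # smallest prefix that holds count
    net = ipaddress.ip_network(lan)
    return {"number": count, "mask_prefix": prefix,
            "inside_lan": lo in net and hi in net}


def dhcp_exclusions(first, last, scope_first, scope_last):
    """Pool addresses that fall inside the DHCP scope and must be excluded
    there so DHCP never hands them to a LAN client as well."""
    lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    slo, shi = int(ipaddress.ip_address(scope_first)), int(ipaddress.ip_address(scope_last))
    return [str(ipaddress.ip_address(a)) for a in range(max(lo, slo), min(hi, shi) + 1)]


if __name__ == "__main__":
    for ports in (8, 10, 11, 20):
        print(f"ports={ports:2d} -> {addresses_leased(ports)} DHCP leases held")
    print(static_pool("192.168.10.170", "192.168.10.179", "192.168.10.0/24"))
    # DHCP scope bounds below are constructed sample values, not from the thread
    print(dhcp_exclusions("192.168.10.170", "192.168.10.179",
                          "192.168.10.100", "192.168.10.175"))
```

With the Internal-interface assumption, 10 ports yields 20 held leases (the thread's observation), while 10 ports without it, or 8 ports either way, stays at 10.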
