VPN Server behind firewall on single NIC

Posted on 2007-10-18
Medium Priority
Last Modified: 2008-01-09
Customer is running small domain on win2k server sp4. There is a ADSL modem/firewall/router providing internet access. Customer wants VPN operational. I haven't played with VPN on windows server & have been reading up on this. Customer is not interested in buying another server for VPN so it's got to be on the DC & I'm interested in minimal disruption & reconfiguration in the network. So my question boils down to this:

Is it possible to implement VPN using only the current single internal NIC on the server?
I can configure whatever is required for routing/port passthru/etc so this is not an issue.

I did start just trying to test it but of course as soon as I installed/enable RRAS it blocked the LAN & I had to stop the server to allow LAN access.

Please note that whilst I mark my level on this as beginner, that is to do with my VPN knowledge only.

Question by:EDP_NIAdmin
  • 3
  • 2

Expert Comment

ID: 20105371

You don't need to break the customer service for install this option.
Yes, you can support RRAS with only one NIC.

Use wizard assistant and be aware of this points:

1st: open ports TCP1723 and GRE (protocol 47) in your router with NAT to the RRAS server.
2nd: configure RRAS service in your server. Only remote access, don't configure routing because it's not necessari.
3th: in RRAS server configure policies in order to accept in connections (allow almost the two rules defined by default).
4ht: explain to RRAS server where to obtain IP configuration: you can define a DHCP server, or a range of IP add.

Don't heistate contact again


Author Comment

ID: 20105797
Hi Jordibartrina,

Used wizard to do the install/config of RRAS. RRas is stopped but configurable.
Have disabled routing

server properties - General TAB - Enable this computer as : -> RAS only
server properties - IP TAB - "enable IP routing" unticked
server properties - IP TAB - IP address assignment - Static IP pool

Default policy is "Allow access if dial in permission enabled"

No other policies, but then these are policies for remote access.

The core issue I have is that as soon as I start the RAS server I lose ALL LAN access. Can't ping anything, PC's can't access the server. I presume the RAS server is locking down the IF because it wants it secure, how do I stop it doing this?



Author Comment

ID: 20106586
Have found area under IP Routing in RRAS. Server->IP Routing->General->Local IF-> properties
In the General TAB I have found "Enable IP Router Management" turned on. Don't know if this makes a difference as routing is turned off, but have disabled anyway.

Also, filters set for this interface would DEFINITELY block LAN if they go operational. Can't test this now as server is live but wondering if this is the right area? Can't as usual find any reference to this in the windows help.

Accepted Solution

jordibartrina earned 1000 total points
ID: 20107444
--In the General TAB I have found "Enable IP Router Management" turned on--
It's ok.

Filters for Local IF should be empty.

Please verify if your static routes in rras configuration are well defined.
You can find it in IP Routing->Static routes->Right click->Show...
Compare with routing table when you type in command line: route print.


Author Comment

ID: 20119835
Thanks jordi...

Tried setting routes & modifying filters but as soon as I enabled the server the network was killed. Investigation showed that it was killing the basic LAN routes, eg. not in route table when IF is


Killed then installed/reconfigured the server & dumped the filters & routing & it looks OK at the moment. Now I've got to see if I can get a client to connect :)

thanks again.


Featured Post

A Cyber Security RX to Protect Your Organization

Join us on December 13th for a webinar to learn how medical providers can defend against malware with a cyber security "Rx" that supports a healthy technology adoption plan for every healthcare organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For a while, I have wanted to connect my HTC Incredible to my corporate network to take advantage of the phone's powerful capabilities. I searched online and came up with varied answers from "it won't work" to super complicated statements that I did…
Let’s list some of the technologies that enable smooth teleworking. 
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…

850 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question