VPN Server behind firewall on single NIC

Posted on 2007-10-18
Last Modified: 2008-01-09
Customer is running a small domain on a Win2k Server SP4 box. There is an ADSL modem/firewall/router providing internet access. Customer wants VPN operational. I haven't played with VPN on Windows Server & have been reading up on this. Customer is not interested in buying another server for VPN so it's got to be on the DC & I'm interested in minimal disruption & reconfiguration in the network. So my question boils down to this:

Is it possible to implement VPN using only the current single internal NIC on the server?
I can configure whatever is required for routing/port passthru/etc so this is not an issue.

I did start just trying to test it but of course as soon as I installed/enable RRAS it blocked the LAN & I had to stop the server to allow LAN access.

Please note that whilst I mark my level on this as beginner, that is to do with my VPN knowledge only.

Question by:EDP_NIAdmin
    LVL 4

    Expert Comment


    You don't need to break the customer's service to install this option.
    Yes, you can support RRAS with only one NIC.

    Use the wizard assistant and be aware of these points:

    1st: open ports TCP 1723 and GRE (protocol 47) in your router with NAT to the RRAS server.
    2nd: configure the RRAS service in your server. Only remote access, don't configure routing because it's not necessary.
    3rd: in the RRAS server configure policies in order to accept incoming connections (allow almost the two rules defined by default).
    4th: explain to the RRAS server where to obtain IP configuration: you can define a DHCP server, or a range of IP addresses.

    Don't hesitate to contact me again.


    Author Comment

    Hi Jordibartrina,

    Used the wizard to do the install/config of RRAS. RRAS is stopped but configurable.
    Have disabled routing

    server properties - General TAB - Enable this computer as : -> RAS only
    server properties - IP TAB - "enable IP routing" unticked
    server properties - IP TAB - IP address assignment - Static IP pool

    Default policy is "Allow access if dial in permission enabled"

    No other policies, but then these are policies for remote access.

    The core issue I have is that as soon as I start the RAS server I lose ALL LAN access. Can't ping anything, PCs can't access the server. I presume the RAS server is locking down the IF because it wants it secure; how do I stop it doing this?



    Author Comment

    Have found area under IP Routing in RRAS. Server->IP Routing->General->Local IF-> properties
    In the General TAB I have found "Enable IP Router Management" turned on. Don't know if this makes a difference as routing is turned off, but have disabled anyway.

    Also, filters set for this interface would DEFINITELY block the LAN if they go operational. Can't test this now as the server is live but wondering if this is the right area? As usual, I can't find any reference to this in the Windows help.
    LVL 4

    Accepted Solution

    --In the General TAB I have found "Enable IP Router Management" turned on--
    It's ok.

    Filters for Local IF should be empty.

    Please verify if your static routes in rras configuration are well defined.
    You can find it in IP Routing->Static routes->Right click->Show...
    Compare with routing table when you type in command line: route print.
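The comparison with `route print` suggested above, as an added example that is not from the thread or from the expert: a small Python script that parses the IPv4 table printed by `route print` and reports whether the two routes a single-NIC server needs for LAN access (the directly connected LAN route and the default route via the router) are present. The addresses, the subnet and the two captured tables are constructed assumptions, not values from the question.

```python
import re
from ipaddress import ip_network

# One row of the IPv4 table printed by `route print`: four dotted quads and a metric.
ROUTE_RE = re.compile(r"^\s*(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+"
                      r"(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+(\d+)\s*$")

# Constructed sample: `route print` on the DC while the LAN works. 192.168.1.10 is
# the server's single NIC, 192.168.1.1 the ADSL router (both assumed values).
ROUTES_OK = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.10       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0     192.168.1.10    192.168.1.10       1
     192.168.1.10  255.255.255.255        127.0.0.1       127.0.0.1       1
Default Gateway:       192.168.1.1
"""

# Constructed sample: the same host right after RRAS was started, with the
# connected LAN route and the default route gone (the symptom in the thread).
ROUTES_BROKEN = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
     192.168.1.10  255.255.255.255        127.0.0.1       127.0.0.1       1
"""

def parse_routes(text):
    """Return (destination, netmask, gateway, interface, metric) tuples."""
    rows = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            rows.append((m.group(1), m.group(2), m.group(3), m.group(4), int(m.group(5))))
    return rows

def missing_lan_routes(text, lan_cidr, router_ip):
    """Name the routes a single-NIC host needs for LAN access that are absent."""
    lan = ip_network(lan_cidr)
    rows = parse_routes(text)
    missing = []
    if not any(d == "0.0.0.0" and gw == router_ip for d, _, gw, _, _ in rows):
        missing.append("default route via " + router_ip)
    if not any(d == str(lan.network_address) and nm == str(lan.netmask)
               for d, nm, _, _, _ in rows):
        missing.append("connected route for " + lan_cidr)
    return missing
```

Capture `route print` before and after starting the RRAS service and pass each capture to `missing_lan_routes`; an empty list means the LAN routes survived the start.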


    Author Comment

    Thanks jordi...

    Tried setting routes & modifying filters but as soon as I enabled the server the network was killed. Investigation showed that it was killing the basic LAN routes, eg. not in route table when IF is


    Killed then installed/reconfigured the server & dumped the filters & routing & it looks OK at the moment. Now I've got to see if I can get a client to connect :)

    thanks again.

