RRAS Vpn clients won't register route

Last Modified: 2012-05-07
Hello experts :)

I am trying to configure a Windows 2008 Server with RRAS on ONE SINGLE NIC.

My setup is as follows :
Internal Network :
DMZ Network :
DMZ Gateway :
RRAS Server :

I installed RRAS and enabled IPv4 forwarding with a static address pool of : -

From the network I have access through the firewall to everything on my domain.

Now , I have also configured a static route on IPV4 as follows :
Interface : Local Area Connection
Destination :
Mask :
Gateway :

Now, my VPN clients can successfully connect to the RRAS server and I can connect to any server on the DMZ, but the route to my does not work, so I can't get in touch with any of my domain servers.
My client computer is on / net so this might be a bit confusing.
Client has IP address :

After connecting to VPN I receive from my RRAS server the IP :

An ipconfig shows :
PPP adapter Fleggaard:

   Connection-specific DNS Suffix  . : mytestdomain.com
   IPv4 Address. . . . . . . . . . . :
   Subnet Mask . . . . . . . . . . . :
   Default Gateway . . . . . . . . . :

Ethernet adapter Local Area Connection:

  Connection-specific DNS Suffix  . : home.local
  Link-local IPv6 Address . . . . . : fe80::a877:e4f6:23e7:5873%8
  IPv4 Address. . . . . . . . . . . :
  Subnet Mask . . . . . . . . . . . :
  Default Gateway . . . . . . . . . :

If on the client I manually add the route everything works fine :
route ADD MASK

In the code area is the routing table of my client.

Any idea what I configured wrong or what I forgot to configure?

IPv4 Route Table
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
     10         On-link    266         On-link    266         On-link    266         On-link    306         On-link    306         On-link    306         On-link    286         On-link    266     12         On-link    267     11         On-link    306         On-link    267         On-link    306         On-link    266         On-link    267

Top Expert 2013

>>"If on the client I manually add the route everything works fine :
route ADD MASK"

You need to do this as the local router does not know the route to the remote site.
Four ways around this that should work are:
1) on the VPN client go to
Pre Vista:
control panel | network connections | right click on the VPN/Virtual adapter and choose properties | Networking | TCP/IP -properties | Advanced | General | check  "Use default gateway on remote network"
control panel | network & sharing center | connections | manage network connections | right click on the VPN/Virtual adapter and choose properties | Networking | Internet Protocol Version 4 (TCP/IP v4) -properties | Advanced | IP settings | check  "Use default gateway on remote network")

2) On the router at the client site add your route (route ADD MASK), assuming it supports adding static routes.

3) Though I have never tried it, under the dial-in tab of the user's profile in Active Directory, there is an option to add static routes for dial-in/VPN clients.

4) If the client machine is a member of the domain, it is possible to apply a logon script and have it automatically add the route to the client.
George Sas, IT Engineer


Rob , thank you for the answers but this does not help and let me tell you why.

1. I tried this before I posted the thread. If I use the default gateway on the remote network I will lose the connection to the internet. All the traffic will try to go out through my VPN connection and this is a no go.

2. I can't do this manually for 200 clients :)

3. This will work only for actual dial-in clients. Tested and does not work.

4. Client computers are both domain computers and non-domain computers, and the client will log on to the machine before the VPN is initiated.

What I am trying to achieve is to replace my old Cisco VPN Concentrator, which is limited to 50 simultaneous users (older model).

Thank you for the ideas but I've tried them all :(
Top Expert 2013

Then the simple solution is to change your VPN static address pool in RRAS. There is actually no need to assign an IP outside of the LAN subnet. Use a subset of your LAN subnet for the VPN clients. When doing so also enable LAN routing in RRAS and you will be all set. No need to create routes at the client or within RRAS. See my web site for the configuration steps.
You may also want to address name resolution if having issues. See my blog for that:
George Sas, IT Engineer


The idea of assigning the VPN clients a free class from my private LAN came to me also after 3 days of testing and poking the networking guy to make firewall changes, but I did not try it yet (my networking guy is on vacation).
My physical setup is : LAN > Firewall1 > DMZ > Firewall2
LAN : /
DMZ: /

Right now I am using : > so from 11 up I have them free.... I could assign the VPN Clients the subnet but then I would need to reconfigure Firewall1 .. will check with my networking guy and see how happy he is about it.

What I am thinking is that my actual setup should work, and it does work if I manually add the route to my clients.
What bugs me is why the clients are not registering the manually created route on my RRAS server .. this is kind of a mystery for me.
Top Expert 2013

The reason it doesn't work with the current configuration is the client has only 3 options. Send a packet to an IP belonging to their local LAN. Send a packet to the VPN subnet, or use their default gateway. Your packets for the subnet are sent to their local default gateway because no route is known, and lost. Absolutely nothing at the server end you can do to fix that. The client needs a route somehow, or you need to change the addressing.
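
The route selection described in the answer above can be reproduced with a small longest-prefix-match model. This is an added example, not code from the thread; every address in it is constructed, because the thread's real subnets are not shown on the page.

```python
import ipaddress

# Constructed addressing (assumption: the thread's real addresses are not on the page)
HOME_LAN = "192.168.1.0/24"   # client's local network
HOME_GW = "192.168.1.1"       # client's local default gateway
VPN_POOL = "10.10.10.0/24"    # RRAS static address pool
VPN_GW = "10.10.10.1"         # RRAS end of the PPP link
CORP_LAN = "172.16.0.0/16"    # internal network behind the firewall


def client_routes(use_remote_gateway=False, extra_routes=()):
    """Build a VPN client's route table as (network, next_hop, metric)."""
    routes = [
        (HOME_LAN, "on-link (LAN)", 266),
        (VPN_POOL, "on-link (VPN)", 11),
        ("0.0.0.0/0", HOME_GW, 266),
    ]
    if use_remote_gateway:
        # "Use default gateway on remote network": VPN default route wins on metric
        routes.append(("0.0.0.0/0", VPN_GW, 11))
    routes.extend(extra_routes)
    return [(ipaddress.ip_network(p), hop, m) for p, hop, m in routes]


def next_hop(routes, destination):
    """Longest-prefix match; ties are broken by the lowest metric."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in routes if dst in r[0]]
    best = max(candidates, key=lambda r: (r[0].prefixlen, -r[2]))
    return best[1]


def compare(destination):
    """Next hop for one destination under each option discussed in the thread."""
    manual = [(CORP_LAN, VPN_GW, 11)]  # the manually added route
    return {
        "as configured": next_hop(client_routes(), destination),
        "remote default gateway": next_hop(client_routes(True), destination),
        "manual route": next_hop(client_routes(extra_routes=manual), destination),
    }


if __name__ == "__main__":
    for dst in ("172.16.5.20", "10.10.10.50", "198.51.100.7"):
        print(dst, compare(dst))
```

The internal-LAN destination leaves through the home gateway until the client holds a route for it, and enabling the remote default gateway also pulls Internet-bound traffic into the tunnel, which is the trade-off raised in the replies.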
George Sas, IT Engineer


What I don't get is why would Microsoft add the option to add a static route to the IPv4 if it does not work?
That option to add a static route is there for a reason.
Adding a static route to my clients on the Cisco VPN Concentrator works just fine but on MS's RRAS not...
Microsoft works in mysterious ways.

I'll just award you the points because you took the time to discuss this with me and confirmed my fears :)
Still not working but I will figure out a way.

Thx Rob.
George Sas, IT Engineer


Did not make it work but the tech details were accurate and the time spent deserve the points.
Top Expert 2013

The Microsoft VPN is definitely lacking, but comparing it to a Cisco concentrator is not really fair :-) The Cisco is a dedicated appliance designed specifically for that and has far more options. Of course it is priced accordingly as well.

Should it be of any use, I was involved in a discussion before where I proposed a script to add the route automatically. It could be applied to domain clients but non-domain machines would have to click on the batch file to run it:

Thanks GeoSs. Good luck with the project,