• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2629
  • Last Modified:

RRAS Vpn clients won't register route

Hello experts :)

I am trying to configure a Windows 2008 Server with RRAS on ONE SINGLE NIC.

My setup is as follows :
Internal Network :
DMZ Network :
DMZ Gateway :
RRAS Server :

I installed RRAS and enabled IPV4 Forwarding with an static address pool of : -

From the network I have access trough firewall at everything on my domain.

Now , I have also configured a static route on IPV4 as follows :
Interface : Local Area Connection
Destination :
Mask :
Gateway :

Now , my VPN clients can succesfully connect to the RRAS server and I can connect to any server on the DMZ but the route to my does not work so I can't get in touch with any of my domain server.
My client computer it's on / net so this might be a bit confusing.
Client has IP address :

After connecting to VPN I receive from my RRAS server the IP :

An ipconfig shows :
PPP adapter Fleggaard:

   Connection-specific DNS Suffix  . : mytestdomain.com
   IPv4 Address. . . . . . . . . . . :
   Subnet Mask . . . . . . . . . . . :
   Default Gateway . . . . . . . . . :

thernet adapter Local Area Connection:

  Connection-specific DNS Suffix  . : home.local
  Link-local IPv6 Address . . . . . : fe80::a877:e4f6:23e7:5873%8
  IPv4 Address. . . . . . . . . . . :
  Subnet Mask . . . . . . . . . . . :
  Default Gateway . . . . . . . . . :

If on the client I manually add the route everything works fine :
route ADD MASK

In the code area is the routing table of my client.

Any ideea what I configured wrong or what I forgot to configure ?

IPv4 Route Table
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
     10         On-link    266         On-link    266         On-link    266         On-link    306         On-link    306         On-link    306         On-link    286         On-link    266     12         On-link    267     11         On-link    306         On-link    267         On-link    306         On-link    266         On-link    267

Open in new window

George Sas
George Sas
  • 5
  • 4
1 Solution
Rob WilliamsCommented:
>>"If on the client I manually add the route everything works fine :
route ADD MASK"

You need to do this as the local router does not know the route to the remote site.
Four ways around this that should work are:
1) on the VPN client go to
Pre Vista:
control panel | network connections | right click on the VPN/Virtual adapter and choose properties | Networking | TCP/IP -properties | Advanced | General | check  "Use default gateway on remote network"
control panel | network & sharing center | connections | manage network connections | right click on the VPN/Virtual adapter and choose properties | Networking | Internet Protocol Version 4 (TCP/IP v4) -properties | Advanced | IP settings | check  "Use default gateway on remote network")

2) On the router at the client site add your route (route ADD MASK, assuming it supports adding static routes.

3) Though I have never tried it, under the dial-in tab of the users profile in active directory, there is an option to add static routes for dial-in/VPN clients.

4) If the client machine is a member of the domain, it is possible to apply a logon script and have it automatically add the route to the client
George SasIT EngineerAuthor Commented:
Rob , thank you for the answers but this does not help and let me tell you why.

1.I tried this before I posted the thread. If I use the default gateway on the remote network I will loose the connection to the internet. All the traffic will try to go out trough my VPN connection and this is a no go.

2. I can't do this manually for 200 clients :)

3. This will work only for actual dial-in clients. Tested and does not work.

4. Client computers are both domain computers and non domain computers and the client will logon on the the machine before the VPN is initiated.

What I am trying to achieve is to replace my old Cisco VPN Concentrator which is limited to 50 simultaneous users.(older model)

Thank you for the ideas but I've tried them all :(
Rob WilliamsCommented:
Then the simple solution is change your VPN static address pool in RRAS. There is actually no need to assign an IP outside of the LAN subnet. Use a subset of your LAN subnet for the VPN clients. When doing so also enable LAN routing in RRAS and you will be all set. No need to create routes at the client or within RRAS. See my web site for the configuration steps.
You may also want to address name resolution if having issues. See my blog for that:
We Need Your Input!

WatchGuard is currently running a beta program for our new macOS Host Sensor for our Threat Detection and Response service. We're looking for more macOS users to help provide insight and feedback to help us make the product even better. Please sign up for our beta program today!

George SasIT EngineerAuthor Commented:
The idea of assigning the VPN clients a free class from my private LAN came to me also after 3 days of tesing and poking the networking guy to make firewall changes but I did not tried it yet.(my networking guy is in vacation)
My physical setup is : LAN > Firewall1 > DMZ > Firewall2
LAN : /
DMZ: /

Right now I am using : > so from 11 up I have them free.... I could assign the VPN Clients the subnet but then I would need to reconfigure Firewall1 .. will check with my networking guy and see how happy he is about it.

What am I thinking is that my actual setup should work , and it does work if I manually add the route to my clients.
What bugs me is why the clients are not registering the manually created route on my RRAS server .. this is kind of a mistery for me.
Rob WilliamsCommented:
The reason it doesn't work with the current configuration is the client has only 3 options. Send a packet to an IP belonging to their local LAN. Send a packet to the VPN subnet, or use their default gateway. Your packets for the subnet are sent to their local default gateway because no route is known, and lost. Absolutely nothing at the server end you can do to fix that. The client needs a route some how, or you need to change the addressing.
Rob WilliamsCommented:
If stuck, I can provide a script that will create the route based on the dynamically assigned VPN adapter's IP. This has to be run on the client PC after they connect. I appreciate distributing this may be a nuisance, but it is an option.
George SasIT EngineerAuthor Commented:
What I don't get is why would Microsoft add the option to add a static route to the IPV4 if it does not work ?
That option to add a static route is there for a reason.
Adding a static route to my clients on the Cisco VPN Concentrator works just fine but on MS's RRAS not...
Microsoft works in misterious ways.

I'll just award you the points because you took the time and discuss this with me and confirmed my fears :)
Still not working but  I will figure a way.

Thx Rob.
George SasIT EngineerAuthor Commented:
Did not make it work but the tech details were accurate and the time spent deserve the points.
Rob WilliamsCommented:
The Microsoft VPN is definitely lacking, but comparing it to a cisco concentrator, is not really fair :-) The cisco is a dedicated appliance designed specifically for that and has far more options. Of course it is priced accordingly as well.

Should it be of any use I was involved in a discussing before where I proposed a script to add the route automatically. It could be applied to domain clients but non-domain machines would have to click on the batch file to run it:

Thanks GeoSs. Good luck with the project,
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

WEBINAR: GDPR Implemented - Tips & Lessons Learned

Join the WatchGuard team on Thursday, March 29th as we recount some valuable lessons learned in weighing the needs of a business against the new regulatory environment, look ahead at the two months left before implementation, and help you understand the steps you can take today!

  • 5
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now