From my work computer, I cannot remote desktop into computers in my home LAN, while connected via PPTP VPN.

I have a VPN server at home with RRAS enabled. From work, I can connect to the VPN just fine, and RDP into the VPN server just fine. However, I cannot RDP into my home PCs, which are on the same LAN as the VPN server. I also notice that before I make a VPN connection from work, I can ping my home router and gateway, but after I connect to my VPN, I cannot ping my router and gateway. I am able to ping the VPN server just fine. I am not able to ping my PCs at my home. My router is a Linksys BEFW11S4. I have port forwarded RDP 3389 to my VPN server IP address. When at home, I can remote desktop from one PC to another just fine, but this only works in my LAN. Can an expert please help? Let me know if you need screenshots. Thank you.
Asked by: rtang626

mikelfritz Commented:
Are you using the same ip address scheme at both locations?  192.168.1.X at both work and home?  If so you may need to change the home network to something else like 192.168.2.X
rtang626 (Author) Commented:
My work IP address scheme is 192.168.0.x, and my home is 192.168.1.x. So, they are different IP schemes. Here is how the NICs on my VPN server are configured.

NIC 1 (LAN)
ip:                   192.168.1.xx1
subnet:          255.255.255.0
gateway:       none

prim dns:        192.168.1.xx3 (IP for primary DC server)
sec dns:         none

NIC 2 (WAN)
ip:                   66.214.182.xx5
subnet:          255.255.255.248
gateway:       66.214.182.xx1 (IP for linksys router gateway)

prim dns:        24.205.1.xx
sec dns:         66.215.64.xx
dka07 Commented:
Just for testing purposes, try installing realVNC onto the remote desktop and run it as a server. Then add the client onto the home PC. I had problems similar to yours (I never investigated why) but now use realVNC quite successfully. Mind you, I think RDT is slightly faster. If it works, it proves a number of things about the connection.
vdh_tech Commented:
It appears you may be running a Microsoft ISA firewall to protect yourself from the external internal.  You would need some sort of firewall protection.

Does this firewall (ISA or third party) have routes to allow inbound traffic to its LAN?  Since you have a /29 block of IPs, I would create a 1-to-1 NAT for your other home desktop -- then port forward 3389 to that 1-to-1 NAT.
rtang626 (Author) Commented:
I am not using ISA. My firewall is tied into my router, which disabled basic firewall on my VPN server.  I have a Linksys BEFW11S4. How would I allow inbound traffic on my LAN? Is this done on my router configuration page, or on my RRAS on the VPN server? Please advise. I am a novice when it comes to VPN.
vdh_tech Commented:
I would redo the whole setup like this:
telephone pole --> house --> wall --> linksys --> (firewall) --> VPN server

I would have your Linksys do ALL the routing, firewall, and gateway functions.  If you need NATing -- I would contemplate a real firewall -- Zywall's and Sonicwalls are cheap.

I would remove the second NIC from your VPN server -- the Linksys device is now the firewall/gateway/DSL device it was designed to be.  You'll need to remove the DMZ network, or Bridge mode is currently set in -- change it to act as a standard gateway.  You'll need to port forward 1723 to your VPN server's internal IP.

Then I would set up your Windows 2003 Server to use Windows Routing and Remote Access.  This VPN server would only act as a Remote Access Server (by choosing a Custom setup, and removing the Router option before starting) running a PPTP VPN.  Remember to add the DHCP server -- running on your Linksys -- as a DHCP relay server in RRAS (you might need to research this tweak).  I would then create a VPN users group and then create a Remote Access Policy to allow that group access.
rtang626 (Author) Commented:
Not the solution I was looking for, but thanks. Anyone out there familiar with my setup, please advise. It should be something rather simple that someone with years of experience can probably figure out for me. Points to best advice and/or solution.
vdh_tech Commented:
If the Linksys is in bridge mode, and your second NIC has an external IP, and you have no firewall enabled on the VPN server.... then your VPN server is fully exposed to the internet = unsafe.
rtang626 (Author) Commented:
My Linksys Router is my firewall. I did not enable DMZ. I enabled PPTP VPN passthrough, and enabled VPN port 1723. I don't have the option to bridge in the router config page. I use this VPN for lab purposes, and test purposes to build on my IT skills only, so safety is not too much of a concern, as I am just trying to get this whole RDP thing to work from an external source. Once I accomplish that, then I will worry about safety.
anees10 Commented:
check the windows firewall
vdh_tech Commented:
Sounds like you know what you're doing.... bear with me just a little longer...

Q: "I also notice that before I make a VPN connection from work, I can ping my home router and gateway, but after I connect to my VPN, I cannot ping my router and gateway"

A: Most likely you need to enable split-tunneling on the VPN client-side.  Try these steps from the computer connecting...
1) Right click the My Network Places icon on the desktop and click Properties.
2) Right click on your VPN client connections in the Network Connections window and click Properties.
3) Click the Networking tab, and then click on the Internet Protocol (TCP/IP) entry and click the Properties button.
4) On the General tab of the Internet Protocol (TCP/IP) Properties dialog box, click the Advanced button.
5) On the General tab of the Advanced TCP/IP Settings dialog box, note the "Use Default Gateway on Remote Network" option.
6) Try removing the check mark and then try your ping test to your gateway again.

Q: " I am able to ping the VPN server just fine. I am not able to ping my PC's at my home."

A: Make sure you are pinging the internal IP address of your other home PCs.  It could be possible that DNS is not working across your VPN.  In which case, using a computer name would not work -- try the internal IP address.

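As an added example (not part of the original thread), the sketch below models the client's route choice with "Use Default Gateway on Remote Network" checked and cleared, and includes the subnet-overlap check raised in the first reply. It assumes that with the box cleared the Windows client routes only the classful network of its VPN-assigned address into the tunnel; all addresses are constructed placeholders because the thread masks the real ones.

```python
import ipaddress as ipa

def classful_network(addr):
    """Class A/B/C network containing addr (/8, /16 or /24)."""
    first_octet = int(ipa.IPv4Address(addr)) >> 24
    if first_octet >= 224:
        raise ValueError("not a unicast class A/B/C address")
    prefix = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return ipa.ip_network(f"{addr}/{prefix}", strict=False)

def client_routes(local_lan, vpn_server, vpn_ip, use_remote_gateway):
    """Simplified route table of the connected client: (network, interface)."""
    routes = [
        (ipa.ip_network(local_lan), "local"),
        # Host route that keeps the tunnel's own packets off the tunnel.
        (ipa.ip_network(f"{vpn_server}/32"), "local"),
    ]
    if use_remote_gateway:
        # Box checked: the default route moves onto the tunnel.
        routes.append((ipa.ip_network("0.0.0.0/0"), "vpn"))
    else:
        routes.append((ipa.ip_network("0.0.0.0/0"), "local"))
        # Assumption: only the assigned address's classful network is tunnelled.
        routes.append((classful_network(vpn_ip), "vpn"))
    return routes

def egress(routes, dest):
    """Interface chosen by longest-prefix match."""
    ip = ipa.ip_address(dest)
    return max((r for r in routes if ip in r[0]), key=lambda r: r[0].prefixlen)[1]

def subnets_collide(local_lan, remote_lan):
    """True when both ends use overlapping address space."""
    return ipa.ip_network(local_lan).overlaps(ipa.ip_network(remote_lan))

# Constructed values (documentation ranges for the public addresses).
WORK_LAN, HOME_LAN = "192.168.0.0/24", "192.168.1.0/24"
VPN_SERVER, HOME_GATEWAY = "203.0.113.5", "203.0.113.1"
VPN_IP, HOME_PC, OTHER_HOST = "192.168.1.200", "192.168.1.50", "198.51.100.7"

if __name__ == "__main__":
    for flag in (True, False):
        table = client_routes(WORK_LAN, VPN_SERVER, VPN_IP, flag)
        paths = {d: egress(table, d)
                 for d in (VPN_SERVER, HOME_GATEWAY, HOME_PC, OTHER_HOST)}
        print(f"use_remote_gateway={flag}: {paths}")
    print("work/home collide:", subnets_collide(WORK_LAN, HOME_LAN))
```

In this model the home PC's address enters the tunnel under both settings; only the path to the home router's public address changes, so clearing the box cannot by itself restore reachability of hosts behind the VPN server.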
rtang626 (Author) Commented:
Yay!  the split tunneling steps work.  Thanks for that. I am able to ping to my public gateway. However, I am not able to ping to my private gateway, the router gateway, which is 192.168.1.x. Also, I still cannot ping to my internal IP addresses (LAN computers).  As a result, I am still not able to RDP into my internal machines from work.
vdh_tech Commented:
I believe there is some odd configuration on your RRAS.  

Are you sure that your RRAS is handing out IP addresses which are on the same subnet as your local computers?

When you connect to the VPN, check the VPN assigned IP address -- confirm this matches your LAN subnet.
mikelfritz Commented:
I would try to change your network LAN IP address scheme at home to 172.16.1.X (also private) http://en.wikipedia.org/wiki/Private_network

Some routers will have trouble routing between a 192.168.0.X and any other 192.168.X.X network...  
rtang626 (Author) Commented:
Hi vdh tech,

Yes, the RRAS is handing out IP addresses which are on the same subnets as my local computers. I verified this by doing ipconfig /all.
rtang626 (Author) Commented:
Hi vdh tech,

I think I resolved the problem. I disabled the RRAS, and reconfigured it. This time, I set up VPN using NAT rather than just selecting the option to connect to VPN. I also set a static IP pool rather than using the RRAS DHCP. It worked! I am able to RDP into my local machine from an external source. Thanks a lot for your efforts vdh. For that, I will give you points.
rtang626 (Author) Commented:
Solution Resolved! Thanks Expert Exchange community.