rtang626 asked:
From my work computer, I cannot remote desktop into computers in my home LAN, while connected via PPTP VPN.

I have a VPN server at home with RRAS enabled. From work, I can connect to the VPN just fine, and rdp into the VPN server just fine. However, I cannot rdp into my home PCs, which are on the same LAN as the VPN server. I also notice that before I make a VPN connection from work, I can ping my home router and gateway, but after I connect to my VPN, I cannot ping my router and gateway. I am able to ping the VPN server just fine. I am not able to ping my PCs at my home. My router is a Linksys BEFW11S4. I have port forwarded rdp 3389 to my VPN server IP address. When at home, I can remote desktop from one PC to another just fine, but this only works in my LAN. Can an expert please help. Let me know if you need screen shots. Thank you.
mikelfritz:

Are you using the same ip address scheme at both locations?  192.168.1.X at both work and home?  If so you may need to change the home network to something else like 192.168.2.X
rtang626 (asker):
my work ip address scheme is 192.168.0.x, and my home 192.168.1.x . So, they are different IP schemes. Here is how the NICs on my VPN server are configured.

NIC 1 (LAN)
ip:       192.168.1.xx1
subnet:   255.255.255.0
gateway:  none

prim dns: 192.168.1.xx3 (IP for primary DC server)
sec dns:  none

NIC 2 (WAN)
ip:       66.214.182.xx5
subnet:   255.255.255.248
gateway:  66.214.182.xx1 (IP for linksys router gateway)

prim dns: 24.205.1.xx
sec dns:  66.215.64.xx
Just for testing purposes, try installing realVNC onto the remote desktop and run it as a server. Then add the client onto the home pc. I had problems similar to yours (I never investigated why) but now use realVNC quite successfully. Mind you, I think RDT is slightly faster. If it works, it proves a number of things about the connection.
It appears you may be running a Microsoft ISA firewall to protect yourself from the external internet.  You would need some sort of firewall protection.

Does this firewall (ISA or third party) have routes to allow inbound traffic to its LAN?  Since you have a /29 block of IPs, I would create a 1-to-1 NAT for your other home desktop -- then port forward 3389 to that 1-to-1 NAT.
I am not using ISA. My firewall is tied into my router, which disabled basic firewall on my VPN server.  I have a Linksys BEFW11S4. How would I allow inbound traffic on my LAN? Is this done on my router configuration page, or on my RRAS on the VPN server? Please advise. I am a novice when it comes to VPN.
I would redo the whole setup like this:
telephone pole --> house --> wall --> linksys --> (firewall) --> VPN server

I would have your Linksys do ALL the routing, firewall, and gateway functions.  If you need NATing -- I would contemplate a real firewall -- Zywall's and Sonicwalls are cheap.

I would remove the second NIC from your VPN server -- the Linksys device is now the firewall/gateway/dsl device it was designed to be.  You'll need to remove the DMZ network or bridge mode it is currently set in -- change it to act as a standard gateway.  You'll need to port forward 1723 to your VPN server's internal IP.

Then I would set up your Windows 2003 Server to use Windows Routing and Remote Access.  This VPN server would only act as a Remote Access Server (by choosing a Custom setup, and removing the Router option before starting) running a PPTP VPN.  Remember to add the DHCP server -- running on your Linksys -- as a DHCP relay server in RRAS (you might need to research this tweak).  I would then create a VPN users group and then create a Remote Access Policy to allow that group access.
Not the solution I was looking for, but thanks. Anyone out there familiar with my setup, please advise. It should be something rather simple, that someone with years of experience can probably figure out for me. Points to best advise and/or solution.
If the Linksys is in bridge mode, and your second NIC has an external IP, and you have no firewall enabled on the VPN server.... then your VPN server is fully exposed to the internet = unsafe.
My Linksys Router is my firewall. I did not enable DMZ. I enabled PPTP VPN passthrough, and enabled VPN port 1723. I don't have the option to bridge in the router config page. I use this VPN for lab purposes, and test purposes to build on my IT skills only, so safety is not too much of a concern, as I am just trying to get this whole rdp thing to work from an external source. Once I accomplish that, then I will worry about safety.
check the windows firewall
Sounds like you know what you're doing.... bear with me just a little longer...

Q: "I also notice that before I make a VPN connection from work, I can ping my home router and gateway, but after I connect to my VPN, I cannot ping my router and gateway"

A: Most likely you need to enable split-tunneling on the VPN client-side.  Try these steps from the computer connecting...
1) Right click the My Network Places icon on the desktop and click Properties.
2) Right click on your VPN client connections in the Network Connections window and click Properties.
3) Click the Networking tab, and then click on the Internet Protocol (TCP/IP) entry and click the Properties button.
4) On the General tab of the Internet Protocol (TCP/IP) Properties dialog box, click the Advanced button.
5) On the General tab of the Advanced TCP/IP Settings dialog box, note the "Use Default Gateway on Remote Network" option.
6) Try removing the check mark and then try your ping test to your gateway again.

Q: " I am able to ping the VPN server just fine. I am not able to ping my PC's at my home."

A: Make sure you are pinging the internal IP address of your other home PCs.  It could be possible that DNS is not working across your VPN.  In which case, using a computer name would not work -- try the internal IP address.
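
The route-table behaviour behind the split-tunneling answer above, and the subnet-overlap point mikelfritz raised earlier, as an added example that is not code from the thread or from Microsoft RRAS. It implements a small longest-prefix-match resolver and runs it over constructed routing tables: the work PC with "Use default gateway on remote network" checked and unchecked, the same PC when both sites use the same 192.168.x.x prefix, and a home PC deciding where to send its reply to a VPN client. The 192.168.0.0/24 work and 192.168.1.0/24 home prefixes come from the thread; interface names, metrics, the 10.10.10.0/24 pool and the 203.0.113.0/29 stand-in for the masked public block are assumptions.

```python
"""Route-table reasoning behind the split-tunneling fix in this thread.

Added example, not code from the thread or from Microsoft RRAS. The
192.168.0.0/24 (work) and 192.168.1.0/24 (home) prefixes are from the
thread; interface names, metrics, the 10.10.10.0/24 pool and the
203.0.113.0/29 stand-in for the masked public block are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

VPN_PUBLIC = "203.0.113.5"      # stand-in for the VPN server's WAN IP (assumed)
HOME_PUBLIC_GW = "203.0.113.1"  # stand-in for the Linksys WAN gateway (assumed)
WORK_GW = "192.168.0.1"         # assumed default gateway at work


@dataclass(frozen=True)
class Route:
    prefix: str          # destination network in CIDR notation
    iface: str           # outgoing interface (assumed names)
    via: Optional[str]   # next-hop gateway, or None when on-link
    metric: int = 0      # lower wins among equal-length prefixes


def lookup(table: List[Route], dst: str) -> Tuple[Optional[Route], bool]:
    """Longest-prefix match as a host's IP stack does it.

    Returns (best route, ambiguous). ambiguous is True when another route
    of the same prefix length points out a different interface, i.e. only
    the metric decided; that is the fragile case with overlapping subnets
    or two default routes."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in ipaddress.ip_network(r.prefix)]
    if not matches:
        return None, False
    plen = lambda r: ipaddress.ip_network(r.prefix).prefixlen
    matches.sort(key=lambda r: (-plen(r), r.metric))
    best = matches[0]
    ambiguous = any(plen(r) == plen(best) and r.iface != best.iface
                    for r in matches[1:])
    return best, ambiguous


def client_table(split_tunnel: bool,
                 work_lan: str = "192.168.0.0/24",
                 home_lan: str = "192.168.1.0/24") -> List[Route]:
    """Constructed approximation of the work PC's table with the PPTP
    tunnel up: a host route to the VPN server's public address via the
    work gateway (so the tunnel is never routed into itself) and a route
    for the network of the address the PPP adapter was assigned."""
    table = [
        Route(work_lan, "work-lan", None, 20),
        Route("0.0.0.0/0", "work-lan", WORK_GW, 20),
        Route(VPN_PUBLIC + "/32", "work-lan", WORK_GW, 20),
        Route(home_lan, "ppp", None, 1),
    ]
    if not split_tunnel:
        # "Use default gateway on remote network" checked: a second,
        # lower-metric default route sends everything else into the tunnel.
        table.append(Route("0.0.0.0/0", "ppp", None, 1))
    return table


# Home PC (constructed): on-link LAN plus the Linksys as default gateway.
HOME_PC_TABLE = [
    Route("192.168.1.0/24", "lan", None, 20),
    Route("0.0.0.0/0", "lan", "192.168.1.1", 20),
]


def reply_path(client_ip: str) -> str:
    """How a home PC sends its reply to a VPN client holding client_ip."""
    route, _ = lookup(HOME_PC_TABLE, client_ip)
    if route.via is None:
        return ("on-link: the PC ARPs for the client, so the RRAS server "
                "must answer with proxy ARP on its LAN interface")
    return (f"via {route.via}: the router needs a route back to the VPN "
            "pool through the RRAS server, or RRAS must NAT the client")


if __name__ == "__main__":
    for split in (False, True):
        t = client_table(split)
        for dst in (HOME_PUBLIC_GW, "192.168.1.50", VPN_PUBLIC):
            r, amb = lookup(t, dst)
            print(f"split={split!s:5} {dst:15} -> {r.iface:8} ambiguous={amb}")
    r, amb = lookup(client_table(True, work_lan="192.168.1.0/24"), "192.168.1.50")
    print(f"overlapping /24 at both sites -> {r.iface} ambiguous={amb}")
    print(reply_path("192.168.1.200"))   # pool inside the home LAN subnet
    print(reply_path("10.10.10.5"))      # separate static pool (assumed)
```

With the full tunnel, a ping to the home router's public address wins the lower-metric default route into the tunnel, which is the symptom in the question; unchecking the box removes that route and only 192.168.1.0/24 goes through the PPP adapter. When both sites use the same /24 the two routes tie on prefix length and only the metric picks an interface, which is why the first reply suggested renumbering the home LAN. The reply_path check is the server-side half: a pool carved from the LAN subnet works only because RRAS answers ARP for the clients, while a separate pool needs a return route on the router or NAT on the RRAS server. One caveat: a split-tunneled client is on the work LAN and the home LAN at the same time, so the work PC becomes a path between the two networks.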

Yay! The split tunneling steps work.  Thanks for that. I am able to ping to my public gateway. However, I am not able to ping to my private gateway, the router gateway, which is 192.168.1.x. Also, I still cannot ping to my internal IP addresses (LAN computers).  As a result, I am still not able to RDP into my internal machines from work.
ASKER CERTIFIED SOLUTION
vdh_tech
I would try to change your network LAN IP address scheme at home to 172.16.1.X (also private) http://en.wikipedia.org/wiki/Private_network

Some routers will have trouble routing between a 192.168.0.X and any other 192.168.X.X network...  
Hi vdh tech,

Yes, the RRAS is handing out IP addresses which are on the same subnets as my local computers. I verified this by doing ipconfig /all.
Hi vdh tech,

I think I resolved the problem. I disabled the RRAS, and reconfigured it. This time, I set up VPN using NAT rather than just selecting the option to connect to VPN. I also set a static IP pool rather than using the RRAS DHCP. It worked! I am able to RDP into my local machine from an external source. Thanks a lot for your efforts vdh. For that, I will give you points.
Solution Resolved! Thanks Expert Exchange community.