Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win


VPN, RRAS, and 2 different subnets

Posted on 2011-02-25
Medium Priority
Last Modified: 2012-09-18
I have a win 2003 server running Routing and Remote Access for VPN clients.  I have two different subnets 192.168.111.x and 192.168.10.x.  The RRAS box is sitting on the 192.168.111.x subnet and my clients can connect to it just fine and have full access to the 192.168.111.x subnet, however they cannot see the 192.168.10.x subnet.  

I have added a static route in RRAS with the following settings:
Interface: Local Area Connection (there is only one NIC)
Network Mask:
Gateway: (the IP address of the RRAS box)

There is a Cisco router that connects the 111.x subnet to the 10.x subnet and its IP address is  My RRAS server can connect to and ping the 10.x subnet just fine but my VPN clients cannot.  What am I doing wrong?
Question by:apsonline
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
LVL 29

Accepted Solution

pwindell earned 500 total points
ID: 34987634
I don't know what static route you created,...but my guess is that you should not have.

The clients must enable the checkbox in the DUN Settings that says "Use Gateway on Remote Network".  Without that they will only be able to contact the immediate subnet that they "dialed into".  what this does is cause whatever the RRAS Gateway and Routing Settings to be applied to the VPN Clients.  You will not see this happen on the clients using IPCONFIG,...it happens internally within the relationship between the and the VPN Server that they dialed into.

On the Clients an IPCONFIG would show the IP# they were given and it would show a Mask of (yes that is the correct mask), and the Gateway is the same IP# as the Interface IP.  The Dialup Interface gets automatically moved to the top of the binding order and the 32bit mask tells it that any destination that doesn't match the exact IP of the Dialup Interface just get "tossed at the VPN Connection",....the RRAS Server does all the rest of the work from there.

Note this will limit the Users access to their own local network to just the local subnet they are on.  This is Remote Access VPN and it is not designed to be up all the time,...it is only to be up for the period of time the work is being done,...then disconnected so that the user's machine goes back to operating normally on their local LAN.   If you haven't noticed by now VPN is a "Dialup Tecnhnology" and operate by al the same principles and behavors of the old modem dialup links.


Author Closing Comment

ID: 34987896
Well now I feel silly; that worked great.  Thank you so much for the solution and great explanation.
LVL 29

Expert Comment

ID: 35014635
Now, don't feel silly!  People get tripped up on that one all the time.

Expert Comment

ID: 38412590
I have RRAS running on 2003 and I don't need to check "use remote gateway", but I do on 2008 RRAS.  I'd prefer to be able to not sure the RRAS as the remote gateway.  Is there any workaround?

Featured Post


Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

OpenVPN is a great open source VPN server that is capable of providing quick and easy VPN access to your network on the cheap.  By default the software is configured to allow open access to your network.  But what if you want to restrict users to on…
If you’re involved with your company’s wide area network (WAN), you’ve probably heard about SD-WANs. They’re the “boy wonder” of networking, ostensibly allowing companies to replace expensive MPLS lines with low-cost Internet access. But, are they …
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question