VPN, RRAS, and 2 different subnets

Posted on 2011-02-25
Last Modified: 2012-09-18
I have a win 2003 server running Routing and Remote Access for VPN clients.  I have two different subnets 192.168.111.x and 192.168.10.x.  The RRAS box is sitting on the 192.168.111.x subnet and my clients can connect to it just fine and have full access to the 192.168.111.x subnet, however they cannot see the 192.168.10.x subnet.  

I have added a static route in RRAS with the following settings:
Interface: Local Area Connection (there is only one NIC)
Network Mask:
Gateway: (the IP address of the RRAS box)

There is a Cisco router that connects the 111.x subnet to the 10.x subnet and its IP address is  My RRAS server can connect to and ping the 10.x subnet just fine but my VPN clients cannot.  What am I doing wrong?
Question by:apsonline
  • 2
LVL 29

Accepted Solution

pwindell earned 125 total points
ID: 34987634
I don't know what static route you created,...but my guess is that you should not have.

The clients must enable the checkbox in the DUN Settings that says "Use Gateway on Remote Network".  Without that they will only be able to contact the immediate subnet that they "dialed into".  what this does is cause whatever the RRAS Gateway and Routing Settings to be applied to the VPN Clients.  You will not see this happen on the clients using IPCONFIG, happens internally within the relationship between the and the VPN Server that they dialed into.

On the Clients an IPCONFIG would show the IP# they were given and it would show a Mask of (yes that is the correct mask), and the Gateway is the same IP# as the Interface IP.  The Dialup Interface gets automatically moved to the top of the binding order and the 32bit mask tells it that any destination that doesn't match the exact IP of the Dialup Interface just get "tossed at the VPN Connection",....the RRAS Server does all the rest of the work from there.

Note this will limit the Users access to their own local network to just the local subnet they are on.  This is Remote Access VPN and it is not designed to be up all the time, is only to be up for the period of time the work is being done,...then disconnected so that the user's machine goes back to operating normally on their local LAN.   If you haven't noticed by now VPN is a "Dialup Tecnhnology" and operate by al the same principles and behavors of the old modem dialup links.


Author Closing Comment

ID: 34987896
Well now I feel silly; that worked great.  Thank you so much for the solution and great explanation.
LVL 29

Expert Comment

ID: 35014635
Now, don't feel silly!  People get tripped up on that one all the time.

Expert Comment

ID: 38412590
I have RRAS running on 2003 and I don't need to check "use remote gateway", but I do on 2008 RRAS.  I'd prefer to be able to not sure the RRAS as the remote gateway.  Is there any workaround?

Featured Post

Flexible connectivity for any environment

The KE6900 series can extend and deploy computers with high definition displays across multiple stations in a variety of applications that suit any environment. Expand computer use to stations across multiple rooms with dynamic access.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Cisco MRA Phones 4 126
2012 r2 branch office DNS 2 61
site - site VPN 3 45
VPN connect issues 2 29
Overview Often, we set up VPN appliances where the connected clients are on a separate subnet and the company will have alternate internet connections and do not use this particular device as the gateway for certain servers or clients. In this case…
OpenVPN is a great open source VPN server that is capable of providing quick and easy VPN access to your network on the cheap.  By default the software is configured to allow open access to your network.  But what if you want to restrict users to on…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question