Alexandre Takacs

PPTP networking woes

Hello

I am trying to connect from a machine on domain A onto domain B using PPTP.

Domain A is a plain vanilla MS AD network, with IP range 172.16.100.0/24, gateway on .1, PDC-DNS on .5 and a standalone server on .10 (this is my VPN client, WS2008).

Domain B uses IP range 172.16.101.0/24, gateway & DNS on .1

I manage to connect my VPN without issue but I have DNS being set to both networks, despite having specified my settings as follows

Settings
Result
This creates networking problems in Network A domain as (presumably) DNS resolution is not working as intended.

All I need is to be able to access a printer by IP on network B.

Any idea?

Last Comment
Alexandre Takacs

8/22/2022 - Mon
George Khairallah

Are you using a split-tunnel gateway? I wrote an article about this same issue a while back on my blog, please take a look and let me know if that helps:
http://blog.foreignkid.net/2012/03/pptp-vpn-and-split-tunneling/
Rob Williams

Ignoring the DNS issue, the printer needs to have the VPN as its default gateway. This can be harder to achieve when using a VPN client. Keep in mind the return path has to be defined as well as the sending path.

What are you using for the VPN server?  A PC, RRAS, or a hardware VPN device?  If the latter, is that device the default gateway for the network?
Alexandre Takacs

ASKER
> Ignoring the DNS issue, the printer needs to have the VPN as its default gateway.
> This can be harder to achieve when using a VPN client. Keep in mind the return path
> has to be defined as well as the sending path.

I have no problem connecting to the devices on the VPN subnet - it is actually my local AD LAN that gets unreachable!

> What are you using for the VPN server?  A PC, RRAS, or a hardware VPN device?  If
> the latter, is that device the default gateway for the network?

Hardware VPN based on DD-WRT - yes it is also the default gateway for that network.

> Are you using a split-tunnel gateway? I wrote an article about this same issue a while
> back on my blog, please take a look and let me know if that helps

Yes I am using a split tunnel - I don't want to send all traffic to the remote site, just the traffic for that subnet.

Before connecting the VPN my routes are

C:\Users\admin>route print
===========================================================================
Interface List
 15...00 0c 29 38 3f 1a ......Intel(R) PRO/1000 MT Network Connection #2
  1...........................Software Loopback Interface 1
 12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 14...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     172.16.100.1    172.16.100.20    266
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
     172.16.100.0    255.255.255.0         On-link     172.16.100.20    266
    172.16.100.20  255.255.255.255         On-link     172.16.100.20    266
   172.16.100.255  255.255.255.255         On-link     172.16.100.20    266
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     172.16.100.20    266
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     172.16.100.20    266
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0     172.16.100.1  Default
          0.0.0.0          0.0.0.0    172.16.10.254  Default
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
 15    266 fe80::/64                On-link
 15    266 fe80::8099:c79:80d5:7654/128
                                    On-link
  1    306 ff00::/8                 On-link
 15    266 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None


After

C:\Users\admin>route print
===========================================================================
Interface List
 21...........................VPN Connection
 15...00 0c 29 38 3f 1a ......Intel(R) PRO/1000 MT Network Connection #2
  1...........................Software Loopback Interface 1
 12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
 14...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     172.16.100.1    172.16.100.20    266
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
       172.16.0.0      255.255.0.0     172.16.101.1   172.16.101.150     11
     172.16.100.0    255.255.255.0         On-link     172.16.100.20    266
    172.16.100.20  255.255.255.255         On-link     172.16.100.20    266
   172.16.100.255  255.255.255.255         On-link     172.16.100.20    266
     172.16.101.0    255.255.255.0         On-link    172.16.101.150     11
   172.16.101.150  255.255.255.255         On-link    172.16.101.150    266
   172.16.101.255  255.255.255.255         On-link    172.16.101.150    266
   212.147.43.225  255.255.255.255     172.16.100.1    172.16.100.20     11
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     172.16.100.20    266
        224.0.0.0        240.0.0.0         On-link    172.16.101.150    266
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     172.16.100.20    266
  255.255.255.255  255.255.255.255         On-link    172.16.101.150    266
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0     172.16.100.1  Default
          0.0.0.0          0.0.0.0    172.16.10.254  Default
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
 15    266 fe80::/64                On-link
 15    266 fe80::8099:c79:80d5:7654/128
                                    On-link
  1    306 ff00::/8                 On-link
 15    266 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None



Not sure I am interpreting it correctly, but it would seem that all traffic for 172.16.100.0 with netmask 255.255.0.0 will be forwarded through the VPN (which is not the intended setting... I'd like a netmask of 255.255.255.0 for that link - how do I change it!?)
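
An added example (not part of the original thread) that replays the "After" route table above through longest-prefix-match selection and flags VPN routes that are supernets of the local LAN. The route tuples are transcribed from that table; `classful_network` illustrates the assumption, raised later in the thread, that the 255.255.0.0 mask is derived from the address class of the VPN-assigned IP; all function names are hypothetical.

```python
import ipaddress

# Constructed sample: IPv4 unicast routes copied from the "After" table above,
# as (destination, netmask, gateway, interface, metric).
ROUTES = [
    ("0.0.0.0", "0.0.0.0", "172.16.100.1", "172.16.100.20", 266),
    ("172.16.0.0", "255.255.0.0", "172.16.101.1", "172.16.101.150", 11),
    ("172.16.100.0", "255.255.255.0", "On-link", "172.16.100.20", 266),
    ("172.16.101.0", "255.255.255.0", "On-link", "172.16.101.150", 11),
    ("212.147.43.225", "255.255.255.255", "172.16.100.1", "172.16.100.20", 11),
]
VPN_IF = "172.16.101.150"  # address assigned to the VPN interface

def classful_network(ip):
    """Network inferred from the address class alone (classes A-C only)."""
    first = int(ip.split(".")[0])
    prefix = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

def select_route(dest, routes=ROUTES):
    """Longest prefix wins; the metric only breaks ties between equal prefixes."""
    addr = ipaddress.ip_address(dest)
    best = None
    for net, mask, _gw, iface, metric in routes:
        network = ipaddress.ip_network(f"{net}/{mask}")
        if addr in network:
            key = (-network.prefixlen, metric)
            if best is None or key < best[0]:
                best = (key, network, iface)
    return best[1], best[2]

def overlapping_vpn_routes(local_net, routes=ROUTES, vpn_if=VPN_IF):
    """Non-default routes bound to the VPN interface that contain the local LAN."""
    local = ipaddress.ip_network(local_net)
    found = []
    for net, mask, _gw, iface, _metric in routes:
        network = ipaddress.ip_network(f"{net}/{mask}")
        if (iface == vpn_if and network.prefixlen > 0
                and network != local and local.subnet_of(network)):
            found.append(network)
    return found

if __name__ == "__main__":
    print("classful guess:", classful_network(VPN_IF))
    print("overlaps local LAN:", overlapping_vpn_routes("172.16.100.0/24"))
    for dest in ("172.16.100.5", "172.16.101.20", "172.16.10.254", "8.8.8.8"):
        net, iface = select_route(dest)
        print(f"{dest:15} -> {net} via interface {iface}")
```

With this table, hosts in 172.16.100.0/24 still match the more specific on-link route, while every other 172.16.x.x address, including the stray 172.16.10.254 gateway, is sent into the tunnel by the /16 entry.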
Rob Williams

>>"Hardware VPN based on DD-WRT - yes it is also the default gateway for that network."
Good, so long as the printer has the DD-WRT as its default gateway that is not a problem, but it does need a Default Gateway for VPN use, it does not on the LAN.

These two lines concern me:
172.16.0.0      255.255.0.0     172.16.101.1   172.16.101.150     11

Persistent routes:
0.0.0.0          0.0.0.0    172.16.10.254  Default

What is 172.16.10.254? You shouldn't have 2 default gateways, and do you know where the 255.255.0.0 subnet mask comes from? Is this from the DD-WRT VPN parameters? It can cause a subnet overlap.
Alexandre Takacs

ASKER
> These two lines concern me:
> 172.16.0.0      255.255.0.0     172.16.101.1   172.16.101.150     11

> Persistent routes:
> 0.0.0.0          0.0.0.0    172.16.10.254  Default

> What is 172.16.10.254? You shouldn't have 2 default gateways, and do you know
> where the 255.255.0.0 subnet mask comes from? Is this from the DD-WRT VPN
> parameters? It can cause a subnet overlap.

Regarding 172.16.10.254, to be honest I have no idea where this is coming from - this is not an IP I am using. I will kill it.

As for the entry 172.16.0.0      255.255.0.0     172.16.101.1   172.16.101.150     11 it would be correct except for the netmask.

I will investigate on the router side but can't I override the settings (IP, DNS) on the client? I have found a way to manually set the IP and DNS but not the netmask...
ASKER CERTIFIED SOLUTION
Rob Williams

Alexandre Takacs

ASKER
I have manually amended the routes and things seem to work. Still not completely happy with the DNS though (the "manual" settings are not carried over). Also, I'd like to be able to have the correct routing set up for me - it would seem that the OS assumes 172.16.x.x will be a class B no matter what is being set in the netmasks of the source and destination networks.
Alexandre Takacs

ASKER
Not a complete turnkey solution but certainly pointing in the right direction - thanks for the help.