Alexandre Takacs
asked on
PPTP networking woes
Hello
I am trying to connect from a machine on domain A onto domain B using PPTP.
Domain A is a plain vanilla MS AD network, with IP range 172.16.100.0/24, gateway on .1, PDC-DNS on .5 and a standalone server on .10 (this is my VPN client, WS2008).
Domain B uses IP range 172.16.101.0/24, gateway & DNS on .1
I manage to connect my VPN without issue but I have DNS being set to both networks, despite having specified my settings as follows
This creates networking problems in Network A domain as (presumably) DNS resolution is not working as intended.
All I need is to be able to access a printer by IP on network B.
Any idea ?
Ignoring the DNS issue, the printer needs to have the VPN as its default gateway. This can be harder to achieve when using VPN client. Keep in mind the return path has to be defined as well as the sending path.
What are you using for the VPN server? A PC, RRAS, or a hardware VPN device? If the latter, is that device the default gateway for the network?
ASKER
> Ignoring the DNS issue, the printer needs to have the VPN as its default gateway.
> This can be harder to achieve when using VPN client. Keep in mind the return path
> has to be defined as well as the sending path.
I have no problem connecting to the devices on the VPN subnet - it is actually my local AD lan that gets unreachable !
> What are you using for the VPN server? A PC, RRAS, or a hardware VPN device? If
> the latter, is that device the default gateway for the network?
Hardware VPN based on DD-WRT - yes it is also the default gateway for that network.
> Are you using a split-tunnel gateway? I wrote an article about this same issue a while
> back on my blog, please take a look and let me know if that helps
Yes I am using a split tunnel - I don't want to send all traffic to the remote site, just the traffic for that subnet.
Before connecting the VPN my routes are
C:\Users\admin>route print
===========================================================================
Interface List
15...00 0c 29 38 3f 1a ......Intel(R) PRO/1000 MT Network Connection #2
1...........................Software Loopback Interface 1
12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
14...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 172.16.100.1 172.16.100.20 266
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
172.16.100.0 255.255.255.0 On-link 172.16.100.20 266
172.16.100.20 255.255.255.255 On-link 172.16.100.20 266
172.16.100.255 255.255.255.255 On-link 172.16.100.20 266
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 172.16.100.20 266
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 172.16.100.20 266
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 172.16.100.1 Default
0.0.0.0 0.0.0.0 172.16.10.254 Default
===========================================================================
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 306 ::1/128 On-link
15 266 fe80::/64 On-link
15 266 fe80::8099:c79:80d5:7654/128
On-link
1 306 ff00::/8 On-link
15 266 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
After
C:\Users\admin>route print
===========================================================================
Interface List
21...........................VPN Connection
15...00 0c 29 38 3f 1a ......Intel(R) PRO/1000 MT Network Connection #2
1...........................Software Loopback Interface 1
12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
14...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 172.16.100.1 172.16.100.20 266
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
172.16.0.0 255.255.0.0 172.16.101.1 172.16.101.150 11
172.16.100.0 255.255.255.0 On-link 172.16.100.20 266
172.16.100.20 255.255.255.255 On-link 172.16.100.20 266
172.16.100.255 255.255.255.255 On-link 172.16.100.20 266
172.16.101.0 255.255.255.0 On-link 172.16.101.150 11
172.16.101.150 255.255.255.255 On-link 172.16.101.150 266
172.16.101.255 255.255.255.255 On-link 172.16.101.150 266
212.147.43.225 255.255.255.255 172.16.100.1 172.16.100.20 11
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 172.16.100.20 266
224.0.0.0 240.0.0.0 On-link 172.16.101.150 266
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 172.16.100.20 266
255.255.255.255 255.255.255.255 On-link 172.16.101.150 266
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 172.16.100.1 Default
0.0.0.0 0.0.0.0 172.16.10.254 Default
===========================================================================
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 306 ::1/128 On-link
15 266 fe80::/64 On-link
15 266 fe80::8099:c79:80d5:7654/128
On-link
1 306 ff00::/8 On-link
15 266 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
Not sure to interpret it correctly but it would seem that all traffic for 172.16.100.0 with netmask 255.255.0.0 will be forwarded through the VPN (which is not the intended setting... I'd like a netmask of 255.255.255.0 for that link - how do I change it !?)
>>"Hardware VPN based on DD-WRT - yes it is also the default gateway for that network."
Good, so long as the printer has the DD-WRT as its default gateway that is not a problem, but it does need a Default Gateway for VPN use, it does not on the LAN.
These two lines concern me:
172.16.0.0 255.255.0.0 172.16.101.1 172.16.101.150 11
Persistent routes:
0.0.0.0 0.0.0.0 172.16.10.254 Default
What is 172.16.10.254? You shouldn't have 2 default gateways, and do you know where the 255.255.0.0 subnet mask comes from? Is this from the DD-WRT VPN parameters? It can cause a subnet overlap.
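An added example, not part of the original thread: route selection over the post-connection table quoted above, in Python. It takes a constructed subset of the IPv4 active routes, picks the route for a destination by longest prefix and then lowest metric, and flags any gateway route that covers an on-link subnet of a different interface; the function names are hypothetical.

```python
import ipaddress

# Constructed sample: a subset of the IPv4 "Active Routes" rows from the
# post-connection `route print` output quoted in this thread.
ROUTES_AFTER = """\
0.0.0.0 0.0.0.0 172.16.100.1 172.16.100.20 266
172.16.0.0 255.255.0.0 172.16.101.1 172.16.101.150 11
172.16.100.0 255.255.255.0 On-link 172.16.100.20 266
172.16.101.0 255.255.255.0 On-link 172.16.101.150 11
212.147.43.225 255.255.255.255 172.16.100.1 172.16.100.20 11
"""

def parse_routes(text):
    """Parse 'dest mask gateway interface metric' rows into dicts."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # headers, separators and wrapped lines
        dest, mask, gw, iface, metric = parts
        try:
            net = ipaddress.ip_network(f"{dest}/{mask}")
            metric = int(metric)
        except ValueError:
            continue  # not a route row
        routes.append({"net": net, "gw": gw, "iface": iface, "metric": metric})
    return routes

def select_route(routes, dst):
    """Longest prefix wins; the lowest metric breaks ties."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in r["net"]]
    return max(hits, key=lambda r: (r["net"].prefixlen, -r["metric"]), default=None)

def overlapping_routes(routes):
    """Gateway routes that cover an on-link subnet of a different interface."""
    found = []
    for wide in routes:
        if wide["gw"] == "On-link" or wide["net"].prefixlen == 0:
            continue  # only non-default routes that point at a gateway
        for local in routes:
            if (local["gw"] == "On-link" and local["iface"] != wide["iface"]
                    and local["net"].subnet_of(wide["net"])):
                found.append((str(wide["net"]), wide["iface"], str(local["net"])))
    return found
```

On this sample the /16 route via 172.16.101.1 is reported as covering 172.16.100.0/24, and any 172.16.x.x destination without a more specific route (172.16.50.9, for instance) is selected onto the VPN interface 172.16.101.150.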
ASKER
> These two lines concern me:
> 172.16.0.0 255.255.0.0 172.16.101.1 172.16.101.150 11
> Persistent routes:
> 0.0.0.0 0.0.0.0 172.16.10.254 Default
> What is 172.16.10.254? You shouldn't have 2 default gateways, and do you know
> where the 255.255.0.0 subnet mask comes from? Is this from the DD-WRT VPN
> parameters? It can cause an subnet overlap.
Regarding 172.16.10.254 to be honest I have no idea where this is coming from - this is not an IP I am using. I will kill it.
As for the entry 172.16.0.0 255.255.0.0 172.16.101.1 172.16.101.150 11 it would be correct except for the netmask.
I will investigate on the router side but can't I override the settings (IP, DNS) on the client ? I have found a way to manually set the IP and DNS but not the netmask...
ASKER
I have manually amended the routes and things seem to work. Still not completely happy with the DNS though (the "manual" settings are not carried over). Also, I'd like to be able to have the correct routing set up for me - it would seem that the OS assumes 172.16.x.x will be a class B no matter what is being set in the netmasks of the source and destination networks.
ASKER
Not a complete turnkey solution but certainly pointing in the right direction - thanks for the help.
http://blog.foreignkid.net/2012/03/pptp-vpn-and-split-tunneling/