JOE-BULLITT

Need help properly configuring RRAS on Server 2012R2. It won't route!

Hello Experts!

Thank you for your kind assistance.

I am trying to deploy a Windows 2012R2 server with RRAS VPN and am having a bit of trouble and cannot figure out what is wrong.  I searched the threads and I see others that had similar issues, but the solutions did not work for me.
(https://www.experts-exchange.com/questions/28480617/LAN-Routing-over-RRAS-VPN.html)
(https://www.experts-exchange.com/questions/26798399/RRAS-VPN-Routing-Problem.html)

The server is running and everything installed fine.  The VPN client can connect, but it will not route anywhere in the same LAN as the Windows RRAS server.  Through VPN, I can ping and RDP to the RRAS server via its private IP, but I cannot access any other servers in the same destination network.

My server installation has two NIC’s in two subnets and is running RRAS/VPN and DNS.  I also tried with just one NIC and one subnet, another time using two NIC’s and one subnet, and now two NIC’s and two subnets.  All unsuccessful.

Here is what I have so far…

Server Public IP: 10.1.0.100/24
Server Private IP: 10.1.1.100/24
Public Subnet: 10.1.0.0/24
Private Subnet: 10.1.1.0/24
Main Network: 10.1.0.0/16

DNS IP: 10.1.1.100/24 (DNS also listening on 10.1.0.100/24)
RRAS Server External IP: 10.1.0.100/24
RRAS Server Internal IP: 10.1.1.100/24
IPv4 address assignment using RRAS static pool:  10.1.1.101 – 10.1.1.120
IPv4 forwarding is enabled
Lan and Demand Dial routing is enabled

I can connect fine via VPN and I get an IP address, but I am unable to reach anything in the 10.1.1.x or 10.1.0.x network except the RRAS/VPN host itself.

Here are the results from the ipconfig on the client VPN adapter
PPP adapter vpn:
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : vpn
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.1.1.102(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 10.1.0.100
   NetBIOS over Tcpip. . . . . . . . : Enabled

Here is the result from a tracert to the Public and Private NIC’s on the RRAS server itself:
>tracert 10.1.1.100
Tracing route to VPN [10.1.1.100] over a maximum of 30 hops:
  1    86 ms    88 ms    84 ms  VPN [10.1.1.101]
  2    87 ms    90 ms    91 ms  VPN [10.1.1.100]

>tracert 10.1.0.100
Tracing route to VPN [10.1.0.100] over a maximum of 30 hops:
  1   101 ms     *       89 ms  VPN [10.1.1.101]
  2    98 ms    97 ms    86 ms  VPN [10.1.0.100]

I found it curious that my first hop was to the IP 10.1.1.101.  Is this normal, or should it be configured somewhere?

Here is the result from a tracert to an IP in the subnet
>tracert 10.1.0.10
Tracing route to 10.1.0.10 over a maximum of 30 hops
  1    92 ms     *       90 ms  VPN [10.1.1.101]
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.

Can someone please advise what I am missing, or what I should check?   Thank you!!!
Qlemo

Single NIC, single subnet 10.0.0.0/16 is correct. Everything else calls for trouble. Only if you want the networks to be physically separate, i.e. using different switches, does the two NIC setup make sense. Moreover, your "main network" network mask should match on all devices.

Having said that, it is probably not the culprit.
Re first hop being the VPN client IP, that is correct or not, depending on the definition, but it is better this way, to account for additional "cost" to transfer data via a slow/high latency link. So nothing to worry about.
I'm expecting tracert to show exactly two nodes only: source and target. Hence it doesn't help. You do not know if the target does not reply, or replies using a route, or whatsoever. To know that for sure you have to use MS NetMon or WireShark or another network capturing application on the RRAS server and the target machine with an IP address filter set to the VPN client IP, then perform a ping from your VPN client to the target, and see what is captured.
JOE-BULLITT

ASKER

Thank you very much for your feedback and advice!

To make the environment less complex I installed a new copy of 2012R2 and RRAS using just one NIC.  Naturally, the issue is still present.  :-(

I think the problem is that VPN, or DHCP, is not providing the proper network mask.  On my server and in DHCP the network mask is 255.255.255.0.  But my VPN connection always gives me 255.255.255.255.

I can RDP and access the VPN host while on the VPN connection, but I cannot access any other resources in the subnet.

How can I force VPN to give the client a different network mask?

Here’s the ipconfig of each:
SERVER -> PPP adapter RAS (Dial In) Interface:
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : RAS (Dial In) Interface
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.1.0.210(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :
   NetBIOS over Tcpip. . . . . . . . : Enabled

SERVER -> Ethernet adapter Ethernet:
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : AWS PV Network Device #0
   Physical Address. . . . . . . . . : <removed>
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : <removed>(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.1.0.200(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.1.0.1
   DNS Servers . . . . . . . . . . . : 10.1.0.200
   NetBIOS over Tcpip. . . . . . . . : Enabled

CLIENT -> PPP adapter vpn:
   Connection-specific DNS Suffix  . : mydomain.net
   Description . . . . . . . . . . . : vpn
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.1.0.209(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 10.1.0.200
   NetBIOS over Tcpip. . . . . . . . : Enabled

Thanks!
--Joe

It is normal that you have that netmask on the dial-in client. More important is the routing table (route print 10.1.*).

Thanks very much for your help Qlemo!

Here is the route print for 10.1.* on both the client and the server.  If you would kindly review this and see if it is telling, I would sure appreciate it.  :-)  I'm afraid I'm really stumped here.

CLIENT-> route print 10.1.*
===========================================================================
Interface List
  5...f8 16 54 06 49 6b ......Microsoft Wi-Fi Direct Virtual Adapter
  3...fa 16 54 06 49 6a ......Microsoft Hosted Network Virtual Adapter
 43...........................vpn
  2...f8 16 54 06 49 6a ......Intel(R) Dual Band Wireless-AC 7260
  1...........................Software Loopback Interface 1
  6...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
 20...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
 22...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
         10.1.0.0    255.255.255.0         On-link        10.1.0.209     11
       10.1.0.209  255.255.255.255         On-link        10.1.0.209    266
       10.1.0.255  255.255.255.255         On-link        10.1.0.209    266
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
  None
Persistent Routes:
  None
***************************************************************************

SERVER-> route print 10.1.*
===========================================================================
Interface List
 26...........................RAS (Dial In) Interface
 12...0e ac 9d 71 09 f3 ......AWS PV Network Device #0
  1...........................Software Loopback Interface 1
 13...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
 15...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
 16...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
         10.1.0.0    255.255.255.0         On-link        10.1.0.200    266
       10.1.0.200  255.255.255.255         On-link        10.1.0.200    266
       10.1.0.209  255.255.255.255       10.1.0.209       10.1.0.210     31
       10.1.0.210  255.255.255.255         On-link        10.1.0.210    286
       10.1.0.255  255.255.255.255         On-link        10.1.0.200    266
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
  None
Persistent Routes:
  None

As I expected, the client gets a 10.1.0.0/24 route. With that you should be able to reach any machine in that subnet (10.1.0.x).

I don't know what to try next...

The problem is clearly routing.  I can connect to the VPN server and also RDP to it just fine, but no matter what I cannot route to any other system in the subnet.  My tracert goes to the VPN host and that's it.

It is unclear if I need to add a static route in RRAS on the VPN server, or on the VPN client.  But it is pretty clear that I need to add the route(s) somewhere.
If someone would please take a look at my routing again, I'd sure appreciate it!

Here is the IPv4 Route Table from my existing OpenVPN client connection, which I am trying to replace with the new Windows 2012R2 RRAS VPN server.
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.18     20
         10.0.0.0        255.0.0.0       10.255.0.1      10.255.0.12     20
         10.1.0.0      255.255.0.0       10.255.0.1      10.255.0.12     20
       10.255.0.0      255.255.0.0         On-link       10.255.0.12    276
       10.255.0.0      255.255.0.0       10.255.0.1      10.255.0.12     20
      10.255.0.12  255.255.255.255         On-link       10.255.0.12    276
   10.255.255.255  255.255.255.255         On-link       10.255.0.12    276
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.1.0    255.255.255.0         On-link      192.168.1.18    276
     192.168.1.18  255.255.255.255         On-link      192.168.1.18    276
    192.168.1.255  255.255.255.255         On-link      192.168.1.18    276
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link       10.255.0.12    276
        224.0.0.0        240.0.0.0         On-link      192.168.1.18    276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link       10.255.0.12    276
  255.255.255.255  255.255.255.255         On-link      192.168.1.18    276
===========================================================================
Persistent Routes:
  None
===========================================================================


And here is the IPv4 Route Table from my new Windows 2012R2 RRAS VPN client connection, which won't route anywhere beyond the host I connect to.
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.18     20
         10.0.0.0        255.0.0.0     10.255.0.201     10.255.0.202     11
         10.1.0.0      255.255.0.0         On-link      10.255.0.202     11
     10.1.255.255  255.255.255.255         On-link      10.255.0.202    266
       10.255.0.0      255.255.0.0         On-link      10.255.0.202     11
     10.255.0.202  255.255.255.255         On-link      10.255.0.202    266
   10.255.255.255  255.255.255.255         On-link      10.255.0.202    266
    52.71.137.102  255.255.255.255      192.168.1.1     192.168.1.18     21
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.1.0    255.255.255.0         On-link      192.168.1.18    276
     192.168.1.18  255.255.255.255         On-link      192.168.1.18    276
    192.168.1.255  255.255.255.255         On-link      192.168.1.18    276
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link      192.168.1.18    276
        224.0.0.0        240.0.0.0         On-link      10.255.0.202    266
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link      192.168.1.18    276
  255.255.255.255  255.255.255.255         On-link      10.255.0.202    266
===========================================================================
Persistent Routes:
  None
===========================================================================


If it helps, here is the IPv4 Route Table from the new Windows 2012R2 RRAS Server itself.
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.1.0.1       10.1.0.200    266
         10.1.0.0    255.255.255.0         On-link        10.1.0.200    266
       10.1.0.200  255.255.255.255         On-link        10.1.0.200    266
       10.1.0.255  255.255.255.255         On-link        10.1.0.200    266
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  169.254.169.250  255.255.255.255         10.1.0.1       10.1.0.200     10
  169.254.169.251  255.255.255.255         10.1.0.1       10.1.0.200     10
  169.254.169.254  255.255.255.255         10.1.0.1       10.1.0.200     10
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link        10.1.0.200    266
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link        10.1.0.200    266
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0         10.1.0.1  Default
===========================================================================
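As an added illustration (not code from the thread), the following Python script parses route tables in the format `route print` emits and applies the Windows selection rule (longest prefix wins, lowest metric breaks ties) to show which hop a packet to 10.1.0.10 takes first on the VPN client and then on the RRAS server. The two tables are constructed from the posted output above, trimmed to the relevant rows; 10.1.0.10 is the target used earlier in the thread.

```python
import ipaddress
import re

# Sample input constructed from the two "route print" tables posted in the thread
# (Windows client on the RRAS VPN, and the RRAS server), trimmed to relevant rows.
CLIENT_ROUTE_PRINT = """
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.18     20
         10.0.0.0        255.0.0.0     10.255.0.201     10.255.0.202     11
         10.1.0.0      255.255.0.0         On-link      10.255.0.202     11
       10.255.0.0      255.255.0.0         On-link      10.255.0.202     11
"""
SERVER_ROUTE_PRINT = """
          0.0.0.0          0.0.0.0         10.1.0.1       10.1.0.200    266
         10.1.0.0    255.255.255.0         On-link        10.1.0.200    266
       10.1.0.200  255.255.255.255         On-link        10.1.0.200    266
"""

# One "Active Routes" row: destination, netmask, gateway, interface, metric.
ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

def parse_route_print(text):
    """Parse 'route print' rows into (network, gateway, interface, metric) tuples."""
    routes = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            dest, mask, gateway, iface, metric = m.groups()
            net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
            routes.append((net, gateway, iface, int(metric)))
    return routes

def lookup(routes, dst):
    """Pick the route Windows would use: longest prefix wins, lowest metric breaks ties."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    net, gateway, iface, metric = max(candidates, key=lambda r: (r[0].prefixlen, -r[3]))
    return {"network": str(net), "gateway": gateway, "interface": iface, "metric": metric}

def trace_forward(dst):
    """Hop 1: what the VPN client does with the packet; hop 2: what the RRAS server does."""
    on_client = lookup(parse_route_print(CLIENT_ROUTE_PRINT), dst)
    on_server = lookup(parse_route_print(SERVER_ROUTE_PRINT), dst)
    return on_client, on_server

if __name__ == "__main__":
    for name, hop in zip(("client", "server"), trace_forward("10.1.0.10")):
        print(name, hop)
```

Run against the tables as posted, the client sends 10.1.0.10 down the PPP interface (10.1.0.0/16 on-link over 10.255.0.202) and the server puts it straight onto the LAN, but the server table resolves the client address 10.255.0.202 only through its default gateway 10.1.0.1, and a LAN host with the same gateway will do the same for its replies. Unless that gateway knows the VPN pool, the return path is where the capture Qlemo suggests would show the traffic dying, which is consistent with NAT on RRAS being what finally worked.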

After several different configuration attempts the only way I could get it to work in my environment was to also enable NAT on RRAS.  It just wouldn't work in my environment without NAT.

Thanks for the help Qlemo.
I've requested that this question be closed as follows:

Accepted answer: 0 points for JOE-BULLITT's comment #a41483238

for the following reason:

I've configured VPN before without NAT, but this time it was the only way to get it to work.
ASKER CERTIFIED SOLUTION
Qlemo

Thank you Qlemo.