SBS 2011 VPN with external DHCP

Christos Kassianides (Cyprus) asked:

I have an SBS 2011 which runs exchange/DNS/DHCP/VPN but I had to remove the DHCP from it and use the routers DHCP for reasons that I cannot explain. Everything works fine but I cannot find anything online that says that VPN will work with an external DHCP.

I've just had my first remote user complain that she cannot connect so I rerun the fix my network and setup the vpn again and she appears to be connected fine. Is there anything else I need to check/do on the server or the router to ensure proper operation of the VPN?
Christos Kassianides (asker):

Talked too soon. it didn't work. Is there a way for SBS2011 VPN to work with an external DHCP?
There should be no issue with allowing SBS 2011 to do DHCP and DNS.  You may need a separate hardware VPN router. That is how we do VPN to Microsoft Servers running DHCP and DNS.
I reactivated DHCP on the SBS2011 box and while it says that it connects, there is no internet or access to local devices and I get:

Event Type:      Warning
Event Source:      Rasman
Event Category:      None
Event ID:      20209
Computer:      MYSERVER
Description:
A connection between the VPN server and the VPN client 68.248.117.2 has been established, but the VPN connection cannot be completed. The most common cause for this is that a firewall or router between the VPN server and the VPN client is not configured to allow Generic Routing Encapsulation (GRE) packets (protocol 47). Verify that the firewalls and routers between your VPN server and the Internet allow GRE packets. Make sure the firewalls and routers on the user's network are also configured to allow GRE packets. If the problem persists, have the user contact the Internet service provider (ISP) to determine whether the ISP might be blocking GRE packets.

Which is weird since before I disabled the DHCP everything was working ok.
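Event 20209 says the TCP 1723 control channel came up but the GRE data channel never did. The following is an added diagnostic script, not something posted in the thread. It is written in PowerShell 2.0 syntax so it runs on SBS 2011 (Server 2008 R2) and assumes it is run elevated on the RRAS server itself. The function names and the "Routing and Remote Access" firewall rule group are the only things it relies on beyond what the thread shows; it can confirm the server side is listening and allowing GRE, but it cannot prove GRE survives the router, which only a capture on the client path can do.

```powershell
# Added example: server-side checks for the RasMan 20209 "GRE never arrived" warning.
# Not from the original thread. Run in an elevated PowerShell on the SBS 2011 box.

function Get-PptpHandshakeFailures {
    param([int]$Newest = 500)
    # RasMan 20209 = PPTP control channel (TCP 1723) established, GRE (protocol 47) never completed.
    # Pull the client IPs out of the message text so repeat offenders can be matched to ISPs/NATs.
    Get-EventLog -LogName System -Newest $Newest |
        Where-Object { $_.EventID -eq 20209 -and $_.Source -match '^rasman$' } |
        ForEach-Object {
            $ip = $null
            if ($_.Message -match 'VPN client (\d{1,3}(?:\.\d{1,3}){3})') { $ip = $matches[1] }
            New-Object PSObject -Property @{ Time = $_.TimeGenerated; ClientIP = $ip }
        }
}

function Test-PptpFirewallRules {
    # netsh is the only firewall interface present on 2008 R2, so parse its text output.
    # Each rule is printed as a block separated by a blank line.
    $text   = netsh advfirewall firewall show rule name=all dir=in verbose | Out-String
    $blocks = $text -split "`r?`n`r?`n"
    $enabledAllow = { $_ -match 'Enabled:\s+Yes' -and $_ -match 'Action:\s+Allow' }
    $pptp = $blocks | Where-Object $enabledAllow | Where-Object { $_ -match 'LocalPort:\s+1723\b' }
    $gre  = $blocks | Where-Object $enabledAllow | Where-Object { $_ -match 'Protocol:\s+(GRE|47)\b' }
    New-Object PSObject -Property @{
        Pptp1723Allowed = [bool]$pptp   # inbound TCP 1723 rule enabled
        GreAllowed      = [bool]$gre    # inbound IP protocol 47 rule enabled
    }
}

function Test-PptpListener {
    # RRAS must actually be bound to TCP 1723; a stopped RemoteAccess service shows nothing here.
    [bool](netstat -an -p tcp | Select-String '\s0\.0\.0\.0:1723\s+0\.0\.0\.0:0\s+LISTENING')
}

# Usage
Get-PptpHandshakeFailures | Format-Table Time, ClientIP -AutoSize
Test-PptpFirewallRules
Test-PptpListener
```

If Test-PptpFirewallRules reports either rule missing or disabled, the built-in rules can be turned back on with `netsh advfirewall firewall set rule group="Routing and Remote Access" new enable=yes` rather than by hand-writing new ones. If both report true and the listener is up, the remaining suspects are exactly what the event text says: GRE being dropped by the office router, the client's NAT, or the client's ISP.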
Rob Williams:
To answer the first part.
SBS does not like the router being the DHCP server. That being said it is possible. When you re-ran the wizard you likely re-enabled DHCP.
You can have RRAS, the VPN, hand out addresses if the SBS does not have DHCP running as in the attached image, by setting a static address pool.

As for "no access", can you ping anything on the network by IP?  If so it is a DNS issue, common with the VPN.  Open the DNS management console, right click on the server name and choose properties, then click the Interfaces tab.  Change from all to just the SBS LAN IP, both IPv4 and IPv6.  There may be 2 IPv6 addresses.
Not sure why the image is in the centre, but....  :-)
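The two settings Rob describes (a static RRAS address pool and restricting the DNS listen addresses) can both be applied from an elevated command prompt instead of the consoles. This is an added example, not from the thread. It uses netsh and dnscmd, which ship with Server 2008 R2; the server address 192.168.1.3 and hostname "server" come from the ipconfig output later in the thread, while the pool range 192.168.1.200-192.168.1.219 is an assumption and must be carved out of whatever scope the router's DHCP server hands out.

```powershell
# Added example, not from the original thread. Elevated prompt on the SBS 2011 server.

# Current RRAS address assignment: "DHCP" means RRAS leases addresses from a DHCP server,
# and if it cannot reach one, clients end up with 169.254.x.x APIPA addresses and no LAN access.
netsh ras ip show config

# Switch RRAS to its own static pool. Keep it inside the LAN subnet (RRAS proxy-ARPs for
# these addresses on 192.168.1.0/24) but outside the router's DHCP scope so the two
# address sources can never hand out the same lease.
netsh ras ip set addrassign method=pool
netsh ras ip delete pool                                   # drop any stale ranges first
netsh ras ip add range from=192.168.1.200 to=192.168.1.219 # ASSUMED range, adjust to your scope

# Make the DNS server listen only on the LAN address (the "Interfaces" tab in the DNS console).
# Append the server's link-local IPv6 address after the IPv4 one if clients resolve over IPv6.
dnscmd server /ResetListenAddresses 192.168.1.3
dnscmd server /Info ListenAddresses

# RRAS reads the address assignment settings at start-up.
Restart-Service RemoteAccess
netsh ras ip show config
```

After a client reconnects, `netsh ras show client` on the server lists the address each session received; any 169.254.x.x entry means RRAS is still failing to obtain an address, which is the DHCP side of the problem rather than the VPN side.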
SBS does not like the router being the DHCP server.   <-- That is why I suggested hardware VPN as in my experience it just works better.
Like I said DHCP is enabled once again on the SBS. I can connect but I cannot ping local devices or access internet. In the DNS the only ticked items are the SBS IP and one of the two IPv6 addresses.

Should I restart the server after all the enabling/disabling?
I do agree with John a hardware VPN is much more secure, better performance, and eliminates the DHCP problem.  Also SBS 2011 uses PPTP which is considered VERY insecure.....however.

Have you re run the Fix My Network Wizard?  And you didn't answer if you can ping anything in the network by IP?

You shouldn't have to reboot.
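Rob's point that PPTP is very insecure is worth acting on even before the hardware VPN arrives. The following is an added example, not from the thread, of narrowing what the SBS 2011 RRAS listener will negotiate so that at least cleartext and MD5-CHAP password exchanges are off the table. The authentication type names are the ones netsh accepts on Server 2008 R2. This is damage limitation only: PPTP with MS-CHAPv2 still exposes a challenge/response that can be brute-forced offline by anyone who captures the handshake, and the client never verifies the server's identity.

```powershell
# Added hardening example, not from the original thread. Elevated prompt on the SBS 2011 server.

# Weak state: see which authentication methods the PPTP listener currently accepts.
# PAP sends the domain password in clear; MD5CHAP exposes an unsalted MD5 challenge/response.
netsh ras show authtype

# Corrected state: accept only MS-CHAPv2 and EAP.
netsh ras delete authtype type=PAP
netsh ras delete authtype type=MD5CHAP
netsh ras add authtype type=MSCHAPv2
netsh ras add authtype type=EAP
netsh ras show authtype

# Changes to netsh ras settings take effect when the service restarts.
Restart-Service RemoteAccess

# Verify: every subsequent RasMan 20272/20274-style connection entry in the System log
# should show MS-CHAPv2 or EAP; a client still configured for PAP will now be refused.
Get-EventLog -LogName System -Newest 50 | Where-Object { $_.Source -match '^rasman$' } |
    Select-Object TimeGenerated, EventID, Message | Format-List
```

Encryption strength (MPPE 40/56/128-bit) is not set with these commands; it lives in the NPS network policy for RRAS connections, where "Strongest encryption (MPPE 128-bit)" should be the only box ticked.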
I did run fix my network. It found a few old issues with exchange smtp connectors, dns forwarders and closed ports but those were preexisting.

I did mention that once connected, I cannot ping any local devices and/or access the internet.
Sorry, I missed your ping comment.

Could you post the results of route print and ipconfig /all from a command line.  Might help to figure out why the disconnect.
Will do first thing tomorrow morning. I'm in Cyprus and it's 0015 at the moment.
Sounds good.  Will watch for reply.  Could you also advise of make and model of router?

Cheers!
The router is a TP-Link Archer C5 (AC1200) which was working fine before I disabled the DHCP on the SBS and enabled it on the router itself. Please see below my ipconfig /all from my own personal computer once it is connected to the VPN.

Windows IP Configuration

   Host Name . . . . . . . . . . . . : DESKTOP-JF2ILUT
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : domain.local

Ethernet adapter Ethernet:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) Ethernet Connection (2) I219-V
   Physical Address. . . . . . . . . : 2C-FD-A1-71-A4-ED
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Local Area Connection* 2:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
   Physical Address. . . . . . . . . : 66-6E-69-8F-38-8F
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Local Area Connection* 3:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter #2
   Physical Address. . . . . . . . . : 64-6E-69-8F-38-8F
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

PPP adapter imperio:

   Connection-specific DNS Suffix  . : domain.local
   Description . . . . . . . . . . . : name
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.18(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . : 0.0.0.0
   DNS Servers . . . . . . . . . . . : 192.168.1.3
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Realtek 8822BE Wireless LAN 802.11ac PCI-E NIC
   Physical Address. . . . . . . . . : 64-6E-69-8F-38-8F
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::35ec:18d:c476:35f6%12(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.10.1(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : 21 March 2019 23:31:28
   Lease Expires . . . . . . . . . . : 23 March 2019 07:13:00
   Default Gateway . . . . . . . . . : 192.168.10.254
   DHCP Server . . . . . . . . . . . : 192.168.10.254
   DHCPv6 IAID . . . . . . . . . . . : 207908457
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-22-8F-86-85-2C-FD-A1-71-A4-ED
   DNS Servers . . . . . . . . . . . : fe80::1%12
                                       185.37.37.37
                                       fe80::1%12
   NetBIOS over Tcpip. . . . . . . . : Enabled
Sorry, I was meaning route print and ipconfig /all from the server.  I will be out most of the day so no rush.

Router is not a problem.  I just wanted to double check as some routers have license limits. If for example 10 and you reboot the server it can be #11 and lose connectivity, but TP-Link do not have license limits.
Windows IP Configuration

   Host Name . . . . . . . . . . . . : server
   Primary Dns Suffix  . . . . . . . : domain.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : domain.local

PPP adapter RAS (Dial In) Interface:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : RAS (Dial In) Interface
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.21(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : HP Ethernet 1Gb 2-port 332i Adapter
   Physical Address. . . . . . . . . : 28-80-23-CC-56-C0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::810a:a81a:e4ea:615d%10(Preferred)
   Link-local IPv6 Address . . . . . : fe80::c8d0:2737:49d2:6d77%10(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.3(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCPv6 IAID . . . . . . . . . . . : 237535267
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-79-00-3B-28-80-23-CC-56-C0

   DNS Servers . . . . . . . . . . . : fe80::c8d0:2737:49d2:6d77%10
                                       192.168.1.3
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{DDE64B15-C82B-422B-B2EB-CF058D17A422}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{6E06F030-7526-11D2-BAF4-00600815A4BD}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes



===========================================================================
Interface List
 20...........................RAS (Dial In) Interface
 10...28 80 23 cc 56 c0 ......HP Ethernet 1Gb 2-port 332i Adapter
  1...........................Software Loopback Interface 1
 14...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 12...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
 21...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1      192.168.1.3     15
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      169.254.0.0      255.255.0.0         On-link      192.168.1.21    306
     169.254.0.20  255.255.255.255         On-link      192.168.1.21    306
  169.254.255.255  255.255.255.255         On-link      192.168.1.21    306
      192.168.1.0    255.255.255.0         On-link       192.168.1.3    266
      192.168.1.3  255.255.255.255         On-link       192.168.1.3    266
     192.168.1.21  255.255.255.255         On-link      192.168.1.21    306
    192.168.1.255  255.255.255.255         On-link       192.168.1.3    266
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link       192.168.1.3    266
        224.0.0.0        240.0.0.0         On-link      192.168.1.21    306
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link       192.168.1.3    266
  255.255.255.255  255.255.255.255         On-link      192.168.1.21    306
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0      192.168.1.1       5
===========================================================================
Everything looks fine except:
169.254.0.0      255.255.0.0         On-link      192.168.1.21    306
     169.254.0.20  255.255.255.255         On-link      192.168.1.21    306
  169.254.255.255  255.255.255.255         On-link      192.168.1.21    306

That is odd.  I trust there is no "alternate" configuration set on the server's NIC, and it appears you only have 1 NIC (SBS will not work with 2), so I assume the 169.254.x.x addressing is related to the VPN since its gateway is the VPN IP.
I would try opening the RRAS console, right click on the server name and choose "disable Routing and remote access".  If you still can't ping PCs try re-running the fix my network wizard with RRAS turned off.  If now working you can run the VPN wizard again to set it up.
If I disable the routing and access, how will the VPN connect for me to try and ping something local?
I am not sure we are talking about the same things.  I may be misunderstanding.
You mentioned; "I did mention that once connected, I cannot ping any local devices and/or access the internet"
I assumed you meant the server has lost access to the network.  Is the server still fine and this is just a VPN issue where a VPN client cannot ping local devices?  

If it is just the VPN client cannot ping local devices on its own network, on the VPN client PC, right click on the VPN adapter in "change adapter options" and choose "properties", then "networking", "IPv4 properties", "advanced" un-check "use remote default gateway"
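Unticking "Use default gateway on remote network" turns the connection into a split tunnel: only traffic for the office subnet goes through the VPN and everything else, including internet access, stays on the client's local network. That is the fix for "loses internet", but it also means the client is attached to an untrusted network and the office LAN at the same time, so it is a deliberate trade-off rather than a free setting. The following is an added client-side example, not from the thread, for the Windows 10 client shown in the asker's ipconfig output. It assumes the VPN entry is named "imperio" (the PPP adapter name there) and belongs to the current user; add -AllUserConnection to each VpnClient cmdlet if it was created for all users. Whether Add-VpnConnectionRoute is accepted on a PPTP entry is an assumption; if it errors, the class-based 192.168.1.0/24 route Windows derives from the assigned address is normally enough.

```powershell
# Added client-side example, not from the original thread. Windows 10, built-in VpnClient module.

$name = 'imperio'   # connection name taken from the PPP adapter in the asker's ipconfig /all

# Before: SplitTunneling False = full tunnel. The client's default route points into the VPN,
# so its internet traffic is routed via the SBS, which here leads to "no internet" for the user.
Get-VpnConnection -Name $name | Select-Object Name, TunnelType, AuthenticationMethod, SplitTunneling

# Same effect as clearing "Use default gateway on remote network" in the adapter's IPv4 advanced settings.
Set-VpnConnection -Name $name -SplitTunneling $true

# Make the office subnet reachable by an explicit route rather than the implicit class-based one.
# ASSUMPTION: the PPTP entry accepts a static route; remove this line if the cmdlet rejects it.
Add-VpnConnectionRoute -ConnectionName $name -DestinationPrefix '192.168.1.0/24'

# Connect, then check where traffic will actually go and whether SMB on the SBS is reachable.
rasdial $name
Get-NetRoute -AddressFamily IPv4 -InterfaceAlias $name |
    Select-Object DestinationPrefix, NextHop, RouteMetric | Sort-Object DestinationPrefix
Test-NetConnection -ComputerName 192.168.1.3 -Port 445 | Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

With split tunnelling on, the route table should show 192.168.1.0/24 on the VPN interface and 0.0.0.0/0 still on the Wi-Fi adapter. If the ping and port 445 test still fail at that point, the fault is return routing on the server, which is what the 169.254 routes in the server's route print point at, not the client's gateway choice.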
My bad. it is the client that loses internet and cannot access the local devices. By local devices, I mean the server and shares in the company network.

I tried what you suggested and while internet is still connected, if I ping 192.168.1.3 (SBS IP), I get a timeout. Same with trying to access \\192.168.1.3 to see the shares.
Ping requires return routing.  I think that is corrupted with the 169.254.x.x route on the SBS. Can you run the VPN Wizard again on the SBS?  As mentioned I have to go out for a while but will check back.
VPN configured successfully. Internet Router configuration failed. The error notes just mention that it couldn't open the port 1723 automatically but it is open and canyouseeme.org says that it is open as well.

I will try to restart the server later tonight as well. Hopefully that will clear any old settings.
You will get the " Internet Router configuration failed" message if UPnP is disabled on the router, which is good as UPnP is a security risk.  SBS needs that to configure automatically, but doing so manually is fine.
Restart has fixed it. I can finally access the shares. Thank you all for your support. I will also recommend we buy a better router with built-in VPN. Do you have any recommendations that don't break the bank and can allow about 5 simultaneous VPN users? Preferably 10/100/1000 with Wifi as well.
Glad to hear it is working.
I don't use VPNs any more except a few site to site between routers.  I like the Cisco/Linksys RVxx series for inexpensive units but their QuickVPN client is a nuisance; you would need to purchase a third-party client.  I think John likes those units as well but uses a 3rd party client, maybe he can recommend. Stepping up, Sonicwall, WatchGuard, and Cisco all have great VPN routers and clients.

All the best!
ASKER CERTIFIED SOLUTION (Christos Kassianides)