Route added by RRAS that overrides local LAN route on NIC

I have a SBS 2003 with dual NICs, but I am running the machine in a single
NIC configuration. I have set-up RRAS for remote access, which I have done
many times before on other machines (both SBS and Win2003). For this
particular machine, when a RAS clent connection, the RRAS on the server adds
a 2nd route for the local LAN to the routing stack. With the same
destination, but with the vpn client's assigned IP address as the gateway.

To illustrate:

Before the VPN client connects, the routing table contains 10.0.0.0/24 with
a gateway of 10.0.0.1 (Server Local Area Connection address) on Interface
10.0.0.1. This entry has a metric of 10.

After the VPN client connects, the routing table contains a 2nd entry of
10.0.0.0/24 with a gateway of 10.0.0.118 (the address assigned to the RAS
client) on interface 10.0.0.121 (RRAS Internal Interface). This entry has a
metric of 1. Since this route has a lower metric it becomes the preferred
route for the LAN and not of the PCs on the LAN can communicate with the
server.

When the RAS client disconnects the route is removed, and the PC on the LAN
can reach the server again. I have dug through the RRAS configs many times
and can't explain this. Does anyone know what could be causing this? Or,
can you provide some pointers on how you control the routes that get added to
the server when a RAS client connects? Also, does anyone know if you a
10.0.0.0 network number is a problem. This is a class A private network, and
I normally use 192.168.x.x which is a class C. Could this be some issue with
the 10.0.0.0 being treated different due to it's class?

Thanks,
John

 

Hi John,

Thank you for posting in SBS newsgroup.

I am sorry for the delayed response due to weekend. Please understand that
the newsgroups are staffed weekdays by Microsoft Support professionals to
answer your systems and applications questions. Your understanding is
greatly appreciated!

From your description, do you mean the LAN clients will lose the connection
with SBS if you create VPN to SBS from remote client?

To narrow down the problem, would you please help me collect the following
information?

1. Are you creating VPN to SBS or router from remote client? It means are
you using router or SBS as VPN server?
2. Post the ipconfig/all result from SBS, remote client and LAN client
before creating VPN and after creating VPN.
3. Post the route print result.

Also, you may need to follow the steps below to configure VPN access on an
SBS environment:

1. Run CEICW, follow the wizard and select Enable firewall and then make
sure Virtual Private Networking (VPN) is selected in the Services
Configuration page. And make sure you have typed the public FQDN of the SBS
server on the Web Server Certificate page.
2. Run Remote Access Wizard in Server Management\Internet and
E-mail\Configure Remote Access, and select VPN access in the Remote Access
Method page. After finishing this wizard, RRAS is configured to allow
inbound VPN access, and it can assign IP addresses to the VPN clients by
using DHCP.

Note: When we run the remote access wizard to set up the VPN service, we
need to input the public IP address or the public FQDN of the SBS server.
We need to make sure that the address can be accessed from the internet.

3. On the VPN client, go to https://publicFQDN/remote, clear I'm using a
public or shared computer, log in and download Connection Manager.
4. Install Connection Manager on the VPN client.
5. Is there a hardware router installed in front of the SBS server? If so,
ensure that the port forwarding for TCP 1723 and GRE port (protocol number
47) are opened. PPTP VPN is negotiating a connection on TCP port 1723 and
send data to and from the PPTP server using the GRE protocol (IP Protocol
47, 0x2F if you are looking in Network Monitor). You should open port 1723
on the router and also make sure IP Protocol 47 is allowed.

I appreciate your time and look forward to hearing from you.

Best regards,

Crina Li (MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.

=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| Thread-Topic: Route added by RRAS that overrides local LAN route on NIC
| thread-index: AcbqJyGWs4FS1gogRLGjAUd4XC/dGA==
| X-WBNR-Posting-Host: 65.184.34.228
| From: =?Utf-8?B?Sm9obiBQaGlsaXBz?= <>
| Subject: Route added by RRAS that overrides local LAN route on NIC
| Date: Sat, 7 Oct 2006 08:42:01 -0700
| Lines: 31
| Message-ID: <>
| MIME-Version: 1.0
| Content-Type: text/plain;
| charset="Utf-8"
| Content-Transfer-Encoding: 7bit
| X-Newsreader: Microsoft CDO for Windows 2000
| Content-Class: urn:content-classes:message
| Importance: normal
| Priority: normal
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830
| Newsgroups: microsoft.public.windows.server.sbs
| Path: TK2MSFTNGXA01.phx.gbl
| Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:303427
| NNTP-Posting-Host: TK2MSFTNGXA01.phx.gbl 10.40.2.250
| X-Tomcat-NG: microsoft.public.windows.server.sbs
|
| I have a SBS 2003 with dual NICs, but I am running the machine in a
single
| NIC configuration. I have set-up RRAS for remote access, which I have
done
| many times before on other machines (both SBS and Win2003). For this
| particular machine, when a RAS clent connection, the RRAS on the server
adds
| a 2nd route for the local LAN to the routing stack. With the same
| destination, but with the vpn client's assigned IP address as the gateway.
|
| To illustrate:
|
| Before the VPN client connects, the routing table contains 10.0.0.0/24
with
| a gateway of 10.0.0.1 (Server Local Area Connection address) on Interface
| 10.0.0.1. This entry has a metric of 10.
|
| After the VPN client connects, the routing table contains a 2nd entry of
| 10.0.0.0/24 with a gateway of 10.0.0.118 (the address assigned to the RAS
| client) on interface 10.0.0.121 (RRAS Internal Interface). This entry
has a
| metric of 1. Since this route has a lower metric it becomes the
preferred
| route for the LAN and not of the PCs on the LAN can communicate with the
| server.
|
| When the RAS client disconnects the route is removed, and the PC on the
LAN
| can reach the server again. I have dug through the RRAS configs many
times
| and can't explain this. Does anyone know what could be causing this?
Or,
| can you provide some pointers on how you control the routes that get
added to
| the server when a RAS client connects? Also, does anyone know if you a
| 10.0.0.0 network number is a problem. This is a class A private network,
and
| I normally use 192.168.x.x which is a class C. Could this be some issue
with
| the 10.0.0.0 being treated different due to it's class?
|
| Thanks,
| John
|

 

I am using SBS as the VPN server. This is a router between SBS and the
internet that is peforming NAT. I have the appropriate ports open and can
successfully connect a WinXP RAS client to the VPN server. The problem is
with the routes that get created on the RRAS when the client connects, not
getting a successful connection. When the connection is up I can successful
get to the SBS server across the VPN. My issue is with the disruption to the
connectivity to the other PCs on the LAN.

Let me clarify what's happening with hopes you have seen this before:

The server has a LAN address of 10.0.0.1 and is on a network 10.0.0.0/24.
The route I am speaking of is the route to local LAN that is put in the
routing table when you configure the NIC. In my case this route looks like
this:

Network Dest Netmask Gateway Interface Metric
10.0.0.0 255.255.255.0 10.0.0.1 10.0.0.1 10

10.0.0.1 is the LAN address.

After the RAS client connects there is another route added so the two
entries of interest look like this:

Network Dest Netmask Gateway Interface Metric
10.0.0.0 255.255.255.0 10.0.0.1 10.0.0.1 10 <-this route is always there
(before and after the VPN cient connects)
10.0.0.0 255.255.255.0 10.0.0.115 10.0.0.121 1 <-this
route added when client connects (in addtion to the host route that is also
added like you usually see for each client)

10.0.0.115 is the address assigned to the RAS client (using DHCP).
10.0.0.121 is the Internal Interface on the server used by RAS. As you can
see after this route is added the server is routing to 10.0.0.0 via the RAS
tunnel vs. the LAN Interface so the PCs on the 10.0.0.0/24 local subnet are
"disconnected" from the server. The only thing I could think of what that
this was related to something that is configured automatically since there
are two NICs in the server, but I ran the the Internet Connection wizard and
set-up up the server to use one NIC for Internet and LAN.

I was able to pull the ipconfig and routing table (without and with RAS cient
connected) from the server. They are below.

As you will see by the route table, there is a route as I described .
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.0.0.254 10.0.0.1 1
<------- Default route
10.0.0.0 255.255.255.0 10.0.0.1 10.0.0.1 10
<----------- Route for interface LAN

After the RAS client connects, I get a 2nd entry for 10.0.0.0/255.255.255.0
but the gateway is the RAS client's assigned address, the Interface is the
RRAS internal interface address, and the metic is 1. This causes the server
to route all traffic destined for the local LAN to be routed over the tunnel
to the remote client. As expected the resulting effect is the server cannot
route packets to any of the machines on the local LAN which is very bad as
as it breaks the local area network.

Output of ipconfig /all and route print (without RAS client connected).

Windows IP Configuration

Host Name . . . . . . . . . . . . : SERVER1
Primary Dns Suffix . . . . . . . : kuzma.local
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : Yes
DNS Suffix Search List. . . . . . : kuzma.local

PPP adapter RAS Server (Dial In) Interface:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-53-45-00-00-00
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.0.0.121
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :
NetBIOS over Tcpip. . . . . . . . : Disabled

Ethernet adapter Server Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
Physical Address. . . . . . . . . : 00-13-72-F7-3C-AB
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.0.0.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.0.0.254
DNS Servers . . . . . . . . . . . : 10.0.0.1


C:\Documents and Settings\Administrator>route print (without RAS client
connected)

IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10002 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
0x10003 ...00 13 72 f7 3c ab ...... Intel(R) PRO/1000 MT Network Connection
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.0.0.254 10.0.0.1 1
10.0.0.0 255.255.255.0 10.0.0.1 10.0.0.1 10
10.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1 10
10.0.0.121 255.255.255.255 127.0.0.1 127.0.0.1 50
10.255.255.255 255.255.255.255 10.0.0.1 10.0.0.1 10
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
224.0.0.0 240.0.0.0 10.0.0.1 10.0.0.1 10
255.255.255.255 255.255.255.255 10.0.0.1 10.0.0.1 1
Default Gateway: 10.0.0.254
===========================================================================
Persistent Routes:
None

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\Administrator>route print (after RAS client
connects)

IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10002 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
0x10003 ...00 13 72 f7 3c ab ...... Intel(R) PRO/1000 MT Network Connection
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.0.0.254 10.0.0.1 1
10.0.0.0 255.255.255.0 10.0.0.1 10.0.0.1 10
10.0.0.0 255.255.255.0 10.0.0.115 10.0.0.121 1
<- note this route is added when the RAS client connects which overrides the
route above to the local LAN
10.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1 10
10.0.0.115 255.255.255.255 10.0.0.121 10.0.0.121 1
10.0.0.121 255.255.255.255 127.0.0.1 127.0.0.1 50
10.255.255.255 255.255.255.255 10.0.0.1 10.0.0.1 10
65.184.34.228 255.255.255.255 10.0.0.254 10.0.0.1 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
224.0.0.0 240.0.0.0 10.0.0.1 10.0.0.1 10
255.255.255.255 255.255.255.255 10.0.0.1 10.0.0.1 1
Default Gateway: 10.0.0.254
===========================================================================
Persistent Routes:
None

Have you ever heard of this before. What would be making RRAS add this route?

Thanks,
John

 

Hi John,

Thanks for your update.

From current situation, please check if you have configured the network
correctly on SBS and client computer:

SBS:

IP: Fixed IP address
Gateway: your Hardware router IP
DNS: SBS NIC IP as the only entry

In the DNS console (dnsmgmt.msc), right click your ServerName and click
properties. In the Forwarders tab, your ISP DNS server IP should be
inputted there.

On the client workstation, please make sure the configuration:

IP: Assigned by DHCP on SBS or your hardware router
Gateway: hardware router
DNS: SBS INTERNAL NIC IP as the only entry

And then recreate VPN to see if it helps. Please make sure you have
disabled the second NIC on the SBS.

Thanks for your time and I look forward to hearing from you.

Best regards,

Crina Li (MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.

=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| Thread-Topic: Route added by RRAS that overrides local LAN route on NIC
| thread-index: AcbsHRHUAAf6uugcSyW0/DF1OTvIWA==
| X-WBNR-Posting-Host: 65.184.34.228
| From: =?Utf-8?B?Sm9obiBQaGlsaXBz?= <>
| References: <>
<>
| Subject: RE: Route added by RRAS that overrides local LAN route on NIC
| Date: Mon, 9 Oct 2006 20:35:02 -0700
| Lines: 312
| Message-ID: <>
| MIME-Version: 1.0
| Content-Type: text/plain;
| charset="Utf-8"
| Content-Transfer-Encoding: 7bit
| X-Newsreader: Microsoft CDO for Windows 2000
| Content-Class: urn:content-classes:message
| Importance: normal
| Priority: normal
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830
| Newsgroups: microsoft.public.windows.server.sbs
| Path: TK2MSFTNGXA01.phx.gbl
| Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:303842
| NNTP-Posting-Host: TK2MSFTNGXA01.phx.gbl 10.40.2.250
| X-Tomcat-NG: microsoft.public.windows.server.sbs
|
| I am using SBS as the VPN server. This is a router between SBS and the
| internet that is peforming NAT. I have the appropriate ports open and can
| successfully connect a WinXP RAS client to the VPN server. The problem
is
| with the routes that get created on the RRAS when the client connects,
not
| getting a successful connection. When the connection is up I can
successful
| get to the SBS server across the VPN. My issue is with the disruption to
the
| connectivity to the other PCs on the LAN.
|
| Let me clarify what's happening with hopes you have seen this before:
|
| The server has a LAN address of 10.0.0.1 and is on a network 10.0.0.0/24.
| The route I am speaking of is the route to local LAN that is put in the
| routing table when you configure the NIC. In my case this route looks
like
| this:
|
| Network Dest Netmask Gateway Interface Metric
| 10.0.0.0 255.255.255.0 10.0.0.1 10.0.0.1 10
|
| 10.0.0.1 is the LAN address.
|
| After the RAS client connects there is another route added so the two
| entries of interest look like this:
|
| Network Dest Netmask Gateway Interface Metric
| 10.0.0.0 255.255.255.0 10.0.0.1 10.0.0.1 10 <-this route is always there
| (before and after the VPN cient connects)
| 10.0.0.0 255.255.255.0 10.0.0.115 10.0.0.121 1 <-this
| route added when client connects (in addtion to the host route that is
also
| added like you usually see for each client)
|
| 10.0.0.115 is the address assigned to the RAS client (using DHCP).
| 10.0.0.121 is the Internal Interface on the server used by RAS. As you
can
| see after this route is added the server is routing to 10.0.0.0 via the
RAS
| tunnel vs. the LAN Interface so the PCs on the 10.0.0.0/24 local subnet
are
| "disconnected" from the server. The only thing I could think of what that
| this was related to something that is configured automatically since
there
| are two NICs in the server, but I ran the the Internet Connection wizard
and
| set-up up the server to use one NIC for Internet and LAN.
|
| I was able to pull the ipconfig and routing table (without and with RAS
cient
| connected) from the server. They are below.
|
| As you will see by the route table, there is a route as I described .
| Network Destination Netmask Gateway Interface
Metric
| 0.0.0.0 0.0.0.0 10.0.0.254 10.0.0.1
1
| <------- Default route
| 10.0.0.0 255.255.255.0 10.0.0.1 10.0.0.1
10
| <----------- Route for interface LAN
|
| After the RAS client connects, I get a 2nd entry for
10.0.0.0/255.255.255.0
| but the gateway is the RAS client's assigned address, the Interface is
the
| RRAS internal interface address, and the metic is 1. This causes the
server
| to route all traffic destined for the local LAN to be routed over the
tunnel
| to the remote client. As expected the resulting effect is the server
cannot
| route packets to any of the machines on the local LAN which is very bad as
| as it breaks the local area network.
|
| Output of ipconfig /all and route print (without RAS client connected).
|
| Windows IP Configuration
|
| Host Name . . . . . . . . . . . . : SERVER1
| Primary Dns Suffix . . . . . . . : kuzma.local
| Node Type . . . . . . . . . . . . : Unknown
| IP Routing Enabled. . . . . . . . : Yes
| WINS Proxy Enabled. . . . . . . . : Yes
| DNS Suffix Search List. . . . . . : kuzma.local
|
| PPP adapter RAS Server (Dial In) Interface:
|
| Connection-specific DNS Suffix . :
| Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
| Physical Address. . . . . . . . . : 00-53-45-00-00-00
| DHCP Enabled. . . . . . . . . . . : No
| IP Address. . . . . . . . . . . . : 10.0.0.121
| Subnet Mask . . . . . . . . . . . : 255.255.255.255
| Default Gateway . . . . . . . . . :
| NetBIOS over Tcpip. . . . . . . . : Disabled
|
| Ethernet adapter Server Local Area Connection:
|
| Connection-specific DNS Suffix . :
| Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network
Connection
| Physical Address. . . . . . . . . : 00-13-72-F7-3C-AB
| DHCP Enabled. . . . . . . . . . . : No
| IP Address. . . . . . . . . . . . : 10.0.0.1
| Subnet Mask . . . . . . . . . . . : 255.255.255.0
| Default Gateway . . . . . . . . . : 10.0.0.254
| DNS Servers . . . . . . . . . . . : 10.0.0.1
|
|
| C:\Documents and Settings\Administrator>route print (without RAS client
| connected)
|
| IPv4 Route Table
|
===========================================================================
| Interface List
| 0x1 ........................... MS TCP Loopback interface
| 0x10002 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
| 0x10003 ...00 13 72 f7 3c ab ...... Intel(R) PRO/1000 MT Network
Connection
|
===========================================================================
|
===========================================================================
| Active Routes:
| Network Destination Netmask Gateway Interface
Metric
| 0.0.0.0 0.0.0.0 10.0.0.254 10.0.0.1
1
| 10.0.0.0 255.255.255.0 10.0.0.1 10.0.0.1
10
| 10.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1
10
| 10.0.0.121 255.255.255.255 127.0.0.1 127.0.0.1
50
| 10.255.255.255 255.255.255.255 10.0.0.1 10.0.0.1
10
| 127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1
1
| 224.0.0.0 240.0.0.0 10.0.0.1 10.0.0.1
10
| 255.255.255.255 255.255.255.255 10.0.0.1 10.0.0.1
1
| Default Gateway: 10.0.0.254
|
===========================================================================
| Persistent Routes:
| None
|
| Microsoft Windows [Version 5.2.3790]
| (C) Copyright 1985-2003 Microsoft Corp.
|
| C:\Documents and Settings\Administrator>route print (after RAS client
| connects)
|
| IPv4 Route Table
|
===========================================================================
| Interface List
| 0x1 ........................... MS TCP Loopback interface
| 0x10002 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
| 0x10003 ...00 13 72 f7 3c ab ...... Intel(R) PRO/1000 MT Network
Connection
|
===========================================================================
|
===========================================================================
| Active Routes:
| Network Destination Netmask Gateway Interface
Metric
| 0.0.0.0 0.0.0.0 10.0.0.254 10.0.0.1
1
| 10.0.0.0 255.255.255.0 10.0.0.1 10.0.0.1
10
| 10.0.0.0 255.255.255.0 10.0.0.115 10.0.0.121
1
| <- note this route is added when the RAS client connects which overrides
the
| route above to the local LAN
| 10.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1
10
| 10.0.0.115 255.255.255.255 10.0.0.121 10.0.0.121
1
| 10.0.0.121 255.255.255.255 127.0.0.1 127.0.0.1
50
| 10.255.255.255 255.255.255.255 10.0.0.1 10.0.0.1
10
| 65.184.34.228 255.255.255.255 10.0.0.254 10.0.0.1
1
| 127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1
1
| 224.0.0.0 240.0.0.0 10.0.0.1 10.0.0.1
10
| 255.255.255.255 255.255.255.255 10.0.0.1 10.0.0.1
1
| Default Gateway: 10.0.0.254
|
===========================================================================
| Persistent Routes:
| None
|
| Have you ever heard of this before. What would be making RRAS add this
route?
|
| Thanks,
| John
|
| ""Crina Li"" wrote:
|
| > Hi John,
| >
| > Thank you for posting in SBS newsgroup.
| >
| > I am sorry for the delayed response due to weekend. Please understand
that
| > the newsgroups are staffed weekdays by Microsoft Support professionals
to
| > answer your systems and applications questions. Your understanding is
| > greatly appreciated!
| >
| > From your description, do you mean the LAN clients will lose the
connection
| > with SBS if you create VPN to SBS from remote client?
| >
| > To narrow down the problem, would you please help me collect the
following
| > information?
| >
| > 1. Are you creating VPN to SBS or router from remote client? It means
are
| > you using router or SBS as VPN server?
| > 2. Post the ipconfig/all result from SBS, remote client and LAN client
| > before creating VPN and after creating VPN.
| > 3. Post the route print result.
| >
| > Also, you may need to follow the steps below to configure VPN access on
an
| > SBS environment:
| >
| > 1. Run CEICW, follow the wizard and select Enable firewall and then
make
| > sure Virtual Private Networking (VPN) is selected in the Services
| > Configuration page. And make sure you have typed the public FQDN of the
SBS
| > server on the Web Server Certificate page.
| > 2. Run Remote Access Wizard in Server Management\Internet and
| > E-mail\Configure Remote Access, and select VPN access in the Remote
Access
| > Method page. After finishing this wizard, RRAS is configured to allow
| > inbound VPN access, and it can assign IP addresses to the VPN clients
by
| > using DHCP.
| >
| > Note: When we run the remote access wizard to set up the VPN service,
we
| > need to input the public IP address or the public FQDN of the SBS
server.
| > We need to make sure that the address can be accessed from the internet.
| >
| > 3. On the VPN client, go to https://publicFQDN/remote, clear I'm using
a
| > public or shared computer, log in and download Connection Manager.
| > 4. Install Connection Manager on the VPN client.
| > 5. Is there a hardware router installed in front of the SBS server? If
so,
| > ensure that the port forwarding for TCP 1723 and GRE port (protocol
number
| > 47) are opened. PPTP VPN is negotiating a connection on TCP port 1723
and
| > send data to and from the PPTP server using the GRE protocol (IP
Protocol
| > 47, 0x2F if you are looking in Network Monitor). You should open port
1723
| > on the router and also make sure IP Protocol 47 is allowed.
| >
| > I appreciate your time and look forward to hearing from you.
| >
| > Best regards,
| >
| > Crina Li (MSFT)
| >
| > Microsoft CSS Online Newsgroup Support
| >
| > Get Secure! - www.microsoft.com/security
| >
| > =====================================================
| > This newsgroup only focuses on SBS technical issues. If you have issues
| > regarding other Microsoft products, you'd better post in the
corresponding
| > newsgroups so that they can be resolved in an efficient and timely
manner.
| > You can locate the newsgroup here:
| > http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
| >
| > When opening a new thread via the web interface, we recommend you check
the
| > "Notify me of replies" box to receive e-mail notifications when there
are
| > any updates in your thread. When responding to posts via your
newsreader,
| > please "Reply to Group" so that others may learn and benefit from your
| > issue.
| >
| > Microsoft engineers can only focus on one issue per thread. Although we
| > provide other information for your reference, we recommend you post
| > different incidents in different threads to keep the thread clean. In
doing
| > so, it will ensure your issues are resolved in a timely manner.
| >
| > For urgent issues, you may want to contact Microsoft CSS directly.
Please
| > check http://support.microsoft.com for regional support phone numbers.
| >
| > Any input or comments in this thread are highly appreciated.
| >
| > =====================================================
| >
| > This posting is provided "AS IS" with no warranties, and confers no
rights.
| > --------------------
| > | Thread-Topic: Route added by RRAS that overrides local LAN route on
NIC
| > | thread-index: AcbqJyGWs4FS1gogRLGjAUd4XC/dGA==
| > | X-WBNR-Posting-Host: 65.184.34.228
| > | From: =?Utf-8?B?Sm9obiBQaGlsaXBz?=
<>
| > | Subject: Route added by RRAS that overrides local LAN route on NIC
| > | Date: Sat, 7 Oct 2006 08:42:01 -0700
| > | Lines: 31
| > | Message-ID: <>
| > | MIME-Version: 1.0
| > | Content-Type: text/plain;
| > | charset="Utf-8"
| > | Content-Transfer-Encoding: 7bit
| > | X-Newsreader: Microsoft CDO for Windows 2000
| > | Content-Class: urn:content-classes:message
| > | Importance: normal
| > | Priority: normal
| > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830
| > | Newsgroups: microsoft.public.windows.server.sbs
| > | Path: TK2MSFTNGXA01.phx.gbl
| > | Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:303427
| > | NNTP-Posting-Host: TK2MSFTNGXA01.phx.gbl 10.40.2.250
| > | X-Tomcat-NG: microsoft.public.windows.server.sbs
| > |
| > | I have a SBS 2003 with dual NICs, but I am running the machine in a
| > single
| > | NIC configuration. I have set-up RRAS for remote access, which I
have
| > done
| > | many times before on other machines (both SBS and Win2003). For this
| > | particular machine, when a RAS clent connection, the RRAS on the
server
| > adds
| > | a 2nd route for the local LAN to the routing stack. With the same
| > | destination, but with the vpn client's assigned IP address as the
gateway.
| > |
| > | To illustrate:
| > |
| > | Before the VPN client connects, the routing table contains
10.0.0.0/24
| > with
| > | a gateway of 10.0.0.1 (Server Local Area Connection address) on
Interface
| > | 10.0.0.1. This entry has a metric of 10.
| > |
| > | After the VPN client connects, the routing table contains a 2nd entry
of
| > | 10.0.0.0/24 with a gateway of 10.0.0.118 (the address assigned to the
RAS
| > | client) on interface 10.0.0.121 (RRAS Internal Interface). This
entry
| > has a
| > | metric of 1. Since this route has a lower metric it becomes the
| > preferred
| > | route for the LAN and not of the PCs on the LAN can communicate with
the
| > | server.
| > |
| > | When the RAS client disconnects the route is removed, and the PC on
the
| > LAN
| > | can reach the server again. I have dug through the RRAS configs many
| > times
| > | and can't explain this. Does anyone know what could be causing this?

| > Or,
| > | can you provide some pointers on how you control the routes that get
| > added to
| > | the server when a RAS client connects? Also, does anyone know if you
a
| > | 10.0.0.0 network number is a problem. This is a class A private
network,
| > and
| > | I normally use 192.168.x.x which is a class C. Could this be some
issue
| > with
| > | the 10.0.0.0 being treated different due to it's class?
| > |
| > | Thanks,
| > | John
| > |
| >
| >
|

 

Yes I have done all of these steps. I have intalled about 10 SBS systems and
performed the same set-up on all of them. This one for some reason has this
additional route problem. Can you tell me what causes this additional route
to be added? Is there a way to control the routes that RRAS adds to the
server when the client connects? Since it is adding a route to the full
subnet when the client connects it is behaving to me like a demain dial
connection that you would set-up between two servers, but I have it set-up to
an Access Server.

Any chance it has someting to do with 10.0.0.0/24 addressing on the box?
the 10.x.x.x private block is a Class A block which I am subnetting to be a
Class C. Could this be confusing RRAS?

John

 

Hi John,

Thanks for your update.

The problem may be caused by the following:

When a remote computer connects to the Routing and Remote Access server by
using a dial-up or a VPN connection, the server creates a Point-to-Point
Protocol (PPP) adapter to communicate with the remote computer. The server
may then register the IP address of this PPP adapter in the DNS or the WINS
database.

When the Routing and Remote Access server registers the IP address of its
PPP adapter in DNS or WINS, you may receive errors on the local computers
when you try to connect to the server. You receive these errors because the
DNS or WINS servers may return the IP address of the PPP adapter to
computers that query DNS or WINS for the server's IP address. The computers
then try to connect to the IP address of the PPP adapter. Because the local
computers cannot reach the PPP adapter, the connections fail.

For more detailed information, please refer to the following KB article:

292822 Name resolution and connectivity issues on a Routing and Remote
Access Server that also runs DNS or WINS
http://support.microsoft.com/default.aspx?scid=kb;EN-US;292822

Thanks for your time and I look forward to hearing from you.

Best regards,

Crina Li (MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.

=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| Thread-Topic: Route added by RRAS that overrides local LAN route on NIC
| thread-index: Acbsd5fbSUq6Sh0VSV+m9IxhDrBbbg==
| X-WBNR-Posting-Host: 65.184.34.228
| From: =?Utf-8?B?Sm9obiBQaGlsaXBz?= <>
| References: <>
<>
<>
<>
| Subject: RE: Route added by RRAS that overrides local LAN route on NIC
| Date: Tue, 10 Oct 2006 07:23:01 -0700
| Lines: 317
| Message-ID: <>
| MIME-Version: 1.0
| Content-Type: text/plain;
| charset="Utf-8"
| Content-Transfer-Encoding: 7bit
| X-Newsreader: Microsoft CDO for Windows 2000
| Content-Class: urn:content-classes:message
| Importance: normal
| Priority: normal
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830
| Newsgroups: microsoft.public.windows.server.sbs
| Path: TK2MSFTNGXA01.phx.gbl
| Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:303946
| NNTP-Posting-Host: TK2MSFTNGXA01.phx.gbl 10.40.2.250
| X-Tomcat-NG: microsoft.public.windows.server.sbs
|
| Yes I have done all of these steps. I have intalled about 10 SBS systems
and
| performed the same set-up on all of them. This one for some reason has
this
| additional route problem. Can you tell me what causes this additional
route
| to be added? Is there a way to control the routes that RRAS adds to the
| server when the client connects? Since it is adding a route to the full
| subnet when the client connects it is behaving to me like a demain dial
| connection that you would set-up between two servers, but I have it
set-up to
| an Access Server.
|
| Any chance it has someting to do with 10.0.0.0/24 addressing on the box?
| the 10.x.x.x private block is a Class A block which I am subnetting to be
a
| Class C. Could this be confusing RRAS?
|
| John
|
| ""Crina Li"" wrote:
|
| > Hi John,
| >
| > Thanks for your update.
| >
| > From current situation, please check if you have configured the network
| > correctly on SBS and client computer:
| >
| > SBS:
| >
| > IP: Fixed IP address
| > Gateway: your Hardware router IP
| > DNS: SBS NIC IP as the only entry
| >
| > In the DNS console (dnsmgmt.msc), right click your ServerName and click
| > properties. In the Forwarders tab, your ISP DNS server IP should be
| > inputted there.
| >
| > On the client workstation, please make sure the configuration:
| >
| > IP: Assigned by DHCP on SBS or your hardware router
| > Gateway: hardware router
| > DNS: SBS INTERNAL NIC IP as the only entry
| >
| > And then recreate VPN to see if it helps. Please make sure you have
| > disabled the second NIC on the SBS.
| >
| > Thanks for your time and I look forward to hearing from you.
| >
| > Best regards,
| >
| > Crina Li (MSFT)
| >
| > Microsoft CSS Online Newsgroup Support
| >
| > Get Secure! - www.microsoft.com/security
| >
| > =====================================================
| > This newsgroup only focuses on SBS technical issues. If you have issues
| > regarding other Microsoft products, you'd better post in the
corresponding
| > newsgroups so that they can be resolved in an efficient and timely
manner.
| > You can locate the newsgroup here:
| > http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
| >
| > When opening a new thread via the web interface, we recommend you check
the
| > "Notify me of replies" box to receive e-mail notifications when there
are
| > any updates in your thread. When responding to posts via your
newsreader,
| > please "Reply to Group" so that others may learn and benefit from your
| > issue.
| >
| > Microsoft engineers can only focus on one issue per thread. Although we
| > provide other information for your reference, we recommend you post
| > different incidents in different threads to keep the thread clean. In
doing
| > so, it will ensure your issues are resolved in a timely manner.
| >
| > For urgent issues, you may want to contact Microsoft CSS directly.
Please
| > check http://support.microsoft.com for regional support phone numbers.
| >
| > Any input or comments in this thread are highly appreciated.
| >
| > =====================================================
| >
| > This posting is provided "AS IS" with no warranties, and confers no
rights.
| > --------------------
| > | Thread-Topic: Route added by RRAS that overrides local LAN route on
NIC
| > | thread-index: AcbsHRHUAAf6uugcSyW0/DF1OTvIWA==
| > | X-WBNR-Posting-Host: 65.184.34.228
| > | From: =?Utf-8?B?Sm9obiBQaGlsaXBz?=
<>
| > | References: <>
| > <>
| > | Subject: RE: Route added by RRAS that overrides local LAN route on NIC
| > | Date: Mon, 9 Oct 2006 20:35:02 -0700
| > | Lines: 312
| > | Message-ID: <>
| > | MIME-Version: 1.0
| > | Content-Type: text/plain;
| > | charset="Utf-8"
| > | Content-Transfer-Encoding: 7bit
| > | X-Newsreader: Microsoft CDO for Windows 2000
| > | Content-Class: urn:content-classes:message
| > | Importance: normal
| > | Priority: normal
| > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830
| > | Newsgroups: microsoft.public.windows.server.sbs
| > | Path: TK2MSFTNGXA01.phx.gbl
| > | Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:303842
| > | NNTP-Posting-Host: TK2MSFTNGXA01.phx.gbl 10.40.2.250
| > | X-Tomcat-NG: microsoft.public.windows.server.sbs
| > |
| > | I am using SBS as the VPN server. This is a router between SBS and
the
| > | internet that is peforming NAT. I have the appropriate ports open and
can
| > | successfully connect a WinXP RAS client to the VPN server. The
problem
| > is
| > | with the routes that get created on the RRAS when the client
connects,
| > not
| > | getting a successful connection. When the connection is up I can
| > successful
| > | get to the SBS server across the VPN. My issue is with the disruption
to
| > the
| > | connectivity to the other PCs on the LAN.
| > |
| > | Let me clarify what's happening with hopes you have seen this before:
| > |
| > | The server has a LAN address of 10.0.0.1 and is on a network
10.0.0.0/24.
| > | The route I am speaking of is the route to local LAN that is put in
the
| > | routing table when you configure the NIC. In my case this route looks
| > like
| > | this:
| > |
| > | Network Dest Netmask Gateway Interface Metric
| > | 10.0.0.0 255.255.255.0 10.0.0.1 10.0.0.1 10
| > |
| > | 10.0.0.1 is the LAN address.
| > |
| > | After the RAS client connects there is another route added so the two
| > | entries of interest look like this:
| > |
| > | Network Dest Netmask Gateway Interface Metric
| > | 10.0.0.0 255.255.255.0 10.0.0.1 10.0.0.1 10 <-this route is always
there
| > | (before and after the VPN cient connects)
| > | 10.0.0.0 255.255.255.0 10.0.0.115 10.0.0.121 1 <-this
| > | route added when client connects (in addtion to the host route that
is
| > also
| > | added like you usually see for each client)
| > |
| > | 10.0.0.115 is the address assigned to the RAS client (using DHCP).
| > | 10.0.0.121 is the Internal Interface on the server used by RAS. As
you
| > can
| > | see after this route is added the server is routing to 10.0.0.0 via
the
| > RAS
| > | tunnel vs. the LAN Interface so the PCs on the 10.0.0.0/24 local
subnet
| > are
| > | "disconnected" from the server. The only thing I could think of what
that
| > | this was related to something that is configured automatically since
| > there
| > | are two NICs in the server, but I ran the the Internet Connection
wizard
| > and
| > | set-up up the server to use one NIC for Internet and LAN.
| > |
| > | I was able to pull the ipconfig and routing table (without and with
RAS
| > cient
| > | connected) from the server. They are below.
| > |
| > | As you will see by the route table, there is a route as I described .
| > | Network Destination Netmask Gateway Interface
| > Metric
| > | 0.0.0.0 0.0.0.0 10.0.0.254 10.0.0.1

| > 1
| > | <------- Default route
| > | 10.0.0.0 255.255.255.0 10.0.0.1 10.0.0.1

| > 10
| > | <----------- Route for interface LAN
| > |
| > | After the RAS client connects, I get a 2nd entry for
| > 10.0.0.0/255.255.255.0
| > | but the gateway is the RAS client's assigned address, the Interface
is
| > the
| > | RRAS internal interface address, and the metic is 1. This causes the
| > server
| > | to route all traffic destined for the local LAN to be routed over the
| > tunnel
| > | to the remote client. As expected the resulting effect is the server
| > cannot
| > | route packets to any of the machines on the local LAN which is very
bad as
| > | as it breaks the local area network.
| > |
| > | Output of ipconfig /all and route print (without RAS client
connected).
| > |
| > | Windows IP Configuration
| > |
| > | Host Name . . . . . . . . . . . . : SERVER1
| > | Primary Dns Suffix . . . . . . . : kuzma.local
| > | Node Type . . . . . . . . . . . . : Unknown
| > | IP Routing Enabled. . . . . . . . : Yes
| > | WINS Proxy Enabled. . . . . . . . : Yes
| > | DNS Suffix Search List. . . . . . : kuzma.local
| > |
| > | PPP adapter RAS Server (Dial In) Interface:
| > |
| > | Connection-specific DNS Suffix . :
| > | Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
| > | Physical Address. . . . . . . . . : 00-53-45-00-00-00
| > | DHCP Enabled. . . . . . . . . . . : No
| > | IP Address. . . . . . . . . . . . : 10.0.0.121
| > | Subnet Mask . . . . . . . . . . . : 255.255.255.255
| > | Default Gateway . . . . . . . . . :
| > | NetBIOS over Tcpip. . . . . . . . : Disabled
| > |
| > | Ethernet adapter Server Local Area Connection:
| > |
| > | Connection-specific DNS Suffix . :
| > | Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network
| > Connection
| > | Physical Address. . . . . . . . . : 00-13-72-F7-3C-AB
| > | DHCP Enabled. . . . . . . . . . . : No
| > | IP Address. . . . . . . . . . . . : 10.0.0.1
| > | Subnet Mask . . . . . . . . . . . : 255.255.255.0
| > | Default Gateway . . . . . . . . . : 10.0.0.254
| > | DNS Servers . . . . . . . . . . . : 10.0.0.1
| > |
| > |
| > | C:\Documents and Settings\Administrator>route print (without RAS
client
| > | connected)
| > |
| > | IPv4 Route Table
| > |
| >
===========================================================================
| > | Interface List
| > | 0x1 ........................... MS TCP Loopback interface
| > | 0x10002 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
| > | 0x10003 ...00 13 72 f7 3c ab ...... Intel(R) PRO/1000 MT Network
| > Connection
| > |
| >
===========================================================================
| > |
| >
===========================================================================
| > | Active Routes:
| > | Network Destination Netmask Gateway Interface
| > Metric
| > | 0.0.0.0 0.0.0.0 10.0.0.254 10.0.0.1

| > 1
| > | 10.0.0.0 255.255.255.0 10.0.0.1 10.0.0.1

| > 10
| > | 10.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1

| > 10
| > | 10.0.0.121 255.255.255.255 127.0.0.1 127.0.0.1

| > 50
| > | 10.255.255.255 255.255.255.255 10.0.0.1 10.0.0.1

| > 10
| > | 127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1

| > 1
| > | 224.0.0.0 240.0.0.0 10.0.0.1 10.0.0.1

| > 10
| > | 255.255.255.255 255.255.255.255 10.0.0.1 10.0.0.1

| > 1
| > | Default Gateway: 10.0.0.254
| > |
| >
===========================================================================
| > | Persistent Routes:
| > | None
| > |
| > | Microsoft Windows [Version 5.2.3790]
| > | (C) Copyright 1985-2003 Microsoft Corp.
| > |
| > | C:\Documents and Settings\Administrator>route print (after RAS client
| > | connects)
| > |
| > | IPv4 Route Table
| > |
| >
===========================================================================
| > | Interface List
| > | 0x1 ........................... MS TCP Loopback interface
| > | 0x10002 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
| > | 0x10003 ...00 13 72 f7 3c ab ...... Intel(R) PRO/1000 MT Network
| > Connection
| > |
| >
===========================================================================
| > |
| >
===========================================================================
| > | Active Routes:
| > | Network Destination Netmask Gateway Interface
| > Metric
| > | 0.0.0.0 0.0.0.0 10.0.0.254 10.0.0.1

| > 1
| > | 10.0.0.0 255.255.255.0 10.0.0.1 10.0.0.1

| > 10
| > | 10.0.0.0 255.255.255.0 10.0.0.115 10.0.0.121

| > 1
| > | <- note this route is added when the RAS client connects which
overrides
| > the
| > | route above to the local LAN
| > | 10.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1

| > 10
| > | 10.0.0.115 255.255.255.255 10.0.0.121 10.0.0.121

| > 1
| > | 10.0.0.121 255.255.255.255 127.0.0.1 127.0.0.1

| > 50
| > | 10.255.255.255 255.255.255.255 10.0.0.1 10.0.0.1

| > 10
| > | 65.184.34.228 255.255.255.255 10.0.0.254 10.0.0.1

| > 1
| > | 127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1

| > 1
| > | 224.0.0.0 240.0.0.0 10.0.0.1 10.0.0.1

| > 10
| > | 255.255.255.255 255.255.255.255 10.0.0.1 10.0.0.1

| > 1
| > | Default Gateway: 10.0.0.254
| > |
| >
===========================================================================
| > | Persistent Routes:
| > | None
| > |
| > | Have you ever heard of this before. What would be making RRAS add
this
| > route?
| > |
| > | Thanks,
| > | John
| > |
| > | ""Crina Li"" wrote:
| > |
|

 

As I read the article you provided, it appears to address name resolution
when the DNS/WINS returns the PPP adapter address instead of the LAN adapter
address. I have seen this problem before in other cases, but that is not the
problem here. I am debugging with IP addreses alone. I will reiterate, the
issue I am experiencing is clear. When the second route is added by the RRAS
for destination 1.0.0.0/24 using the RAS client address as the gateway with a
higer metric, then all traffic from the server to any address in the range of
10.0.0.0/24 - 10.0.0.255/24 (all devices on the LAN) will be routed through
the tunnel and thus the packets will not get to the PC on the LAN as I
observe.

As I have requested before, do you have access to any information on how
routes are added to the routing table on the server when a RAS client
connects to RRAS? If I could control this, I think I could fix my problem.

Thanks,
John

 

I found a fix for my problem. Turns out that if i renumbered my LAN so that
it was not 10.0.0.0/24 (I used 10.1.20.0/24), then while the 10.0.0.0/24
route was still added it no longer interfered with my LAN network route
(since it is now 10.1.20.0/24).

I am still perplexed on where this 10.0.0.0/24 network route is coming from.
After checking some other servers that have VPN connecting correctly, I find
that the extra route that is added is a host route to the public IP of the
RAS client. I now suspect that the 10.0.0.0 route may be resulting from the
way my Dlink router is doing NAT. I can't be sure about this, but otherwise
I can't explain why see host routes to the RAS client public IP on other
machines and an I see a network route on this machine which sites behind the
D-link. My other machines that have a host route added are behind Cisco PIXs
which are doing the NAT.

So the lesson is avoid using 10.0.0.0 network number on you LAN if you plan
on using RRAS.

John

 

Hi John,

Thanks for your update.

I am glad to hear the problem is resolved. Also thanks for your great
sharing.

It is my pleasure to work with you in this post. If you encounter any
difficulties in the future, please submit the post to the newsgroup. We
are glad to be of the assistance.

Again, thank you for using Microsoft newsgroup. Have a nice day.

Best regards,

Crina Li (MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.

=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| Thread-Topic: Route added by RRAS that overrides local LAN route on NIC
| thread-index: Acbtn8EXtoiNfArPRb6ZxmcZTKLWFA==
| X-WBNR-Posting-Host: 65.184.34.228
| From: =?Utf-8?B?Sm9obiBQaGlsaXBz?= <>
| References: <>
<>
<>
<>
<>
<bA$>
<>
| Subject: RE: Route added by RRAS that overrides local LAN route on NIC
| Date: Wed, 11 Oct 2006 18:43:02 -0700
| Lines: 322
| Message-ID: <>
| MIME-Version: 1.0
| Content-Type: text/plain;
| charset="Utf-8"
| Content-Transfer-Encoding: 7bit
| X-Newsreader: Microsoft CDO for Windows 2000
| Content-Class: urn:content-classes:message
| Importance: normal
| Priority: normal
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830
| Newsgroups: microsoft.public.windows.server.sbs
| Path: TK2MSFTNGXA01.phx.gbl
| Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:304402
| NNTP-Posting-Host: TK2MSFTNGXA01.phx.gbl 10.40.2.250
| X-Tomcat-NG: microsoft.public.windows.server.sbs
|
| I found a fix for my problem. Turns out that if i renumbered my LAN so
that
| it was not 10.0.0.0/24 (I used 10.1.20.0/24), then while the 10.0.0.0/24
| route was still added it no longer interfered with my LAN network route
| (since it is now 10.1.20.0/24).
|
| I am still perplexed on where this 10.0.0.0/24 network route is coming
from.
| After checking some other servers that have VPN connecting correctly, I
find
| that the extra route that is added is a host route to the public IP of
the
| RAS client. I now suspect that the 10.0.0.0 route may be resulting from
the
| way my Dlink router is doing NAT. I can't be sure about this, but
otherwise
| I can't explain why see host routes to the RAS client public IP on other
| machines and an I see a network route on this machine which sites behind
the
| D-link. My other machines that have a host route added are behind Cisco
PIXs
| which are doing the NAT.
|
| So the lesson is avoid using 10.0.0.0 network number on you LAN if you
plan
| on using RRAS.
|
| John
|
| "John Philips" wrote:
|
| > As I read the article you provided, it appears to address name
resolution
| > when the DNS/WINS returns the PPP adapter address instead of the LAN
adapter
| > address. I have seen this problem before in other cases, but that is
not the
| > problem here. I am debugging with IP addreses alone. I will
reiterate, the
| > issue I am experiencing is clear. When the second route is added by
the RRAS
| > for destination 1.0.0.0/24 using the RAS client address as the gateway
with a
| > higer metric, then all traffic from the server to any address in the
range of
| > 10.0.0.0/24 - 10.0.0.255/24 (all devices on the LAN) will be routed
through
| > the tunnel and thus the packets will not get to the PC on the LAN as I
| > observe.
| >
| > As I have requested before, do you have access to any information on
how
| > routes are added to the routing table on the server when a RAS client
| > connects to RRAS? If I could control this, I think I could fix my
problem.
| >
| > Thanks,
| > John
| >
| > ""Crina Li"" wrote:
| >
| > > Hi John,
| > >
| > > Thanks for your update.
| > >
| > > The problem may be caused by the following:
| > >
| > > When a remote computer connects to the Routing and Remote Access
server by
| > > using a dial-up or a VPN connection, the server creates a
Point-to-Point
| > > Protocol (PPP) adapter to communicate with the remote computer. The
server
| > > may then register the IP address of this PPP adapter in the DNS or
the WINS
| > > database.
| > >
| > > When the Routing and Remote Access server registers the IP address of
its
| > > PPP adapter in DNS or WINS, you may receive errors on the local
computers
| > > when you try to connect to the server. You receive these errors
because the
| > > DNS or WINS servers may return the IP address of the PPP adapter to
| > > computers that query DNS or WINS for the server's IP address. The
computers
| > > then try to connect to the IP address of the PPP adapter. Because the
local
| > > computers cannot reach the PPP adapter, the connections fail.
| > >
| > > For more detailed information, please refer to the following KB
article:
| > >
| > > 292822 Name resolution and connectivity issues on a Routing and
Remote
| > > Access Server that also runs DNS or WINS
| > > http://support.microsoft.com/default.aspx?scid=kb;EN-US;292822
| > >
| > > Thanks for your time and I look forward to hearing from you.
| > >
| > > Best regards,
| > >
| > > Crina Li (MSFT)
| > >
| > > Microsoft CSS Online Newsgroup Support
| > >
| > > Get Secure! - www.microsoft.com/security
| > >
| > > =====================================================
| > > This newsgroup only focuses on SBS technical issues. If you have
issues
| > > regarding other Microsoft products, you'd better post in the
corresponding
| > > newsgroups so that they can be resolved in an efficient and timely
manner.
| > > You can locate the newsgroup here:
| > > http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
| > >
| > > When opening a new thread via the web interface, we recommend you
check the
| > > "Notify me of replies" box to receive e-mail notifications when there
are
| > > any updates in your thread. When responding to posts via your
newsreader,
| > > please "Reply to Group" so that others may learn and benefit from
your
| > > issue.
| > >
| > > Microsoft engineers can only focus on one issue per thread. Although
we
| > > provide other information for your reference, we recommend you post
| > > different incidents in different threads to keep the thread clean. In
doing
| > > so, it will ensure your issues are resolved in a timely manner.
| > >
| > > For urgent issues, you may want to contact Microsoft CSS directly.
Please
| > > check http://support.microsoft.com for regional support phone numbers.
| > >
| > > Any input or comments in this thread are highly appreciated.
| > >
| > > =====================================================
| > >
| > > This posting is provided "AS IS" with no warranties, and confers no
rights.
| > > --------------------
| > > | Thread-Topic: Route added by RRAS that overrides local LAN route on
NIC
| > > | thread-index: Acbsd5fbSUq6Sh0VSV+m9IxhDrBbbg==
| > > | X-WBNR-Posting-Host: 65.184.34.228
| > > | From: =?Utf-8?B?Sm9obiBQaGlsaXBz?=
<>
| > > | References: <>
| > > <>
| > > <>
| > > <>
| > > | Subject: RE: Route added by RRAS that overrides local LAN route on
NIC
| > > | Date: Tue, 10 Oct 2006 07:23:01 -0700
| > > | Lines: 317
| > > | Message-ID: <>
| > > | MIME-Version: 1.0
| > > | Content-Type: text/plain;
| > > | charset="Utf-8"
| > > | Content-Transfer-Encoding: 7bit
| > > | X-Newsreader: Microsoft CDO for Windows 2000
| > > | Content-Class: urn:content-classes:message
| > > | Importance: normal
| > > | Priority: normal
| > > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830
| > > | Newsgroups: microsoft.public.windows.server.sbs
| > > | Path: TK2MSFTNGXA01.phx.gbl
| > > | Xref: TK2MSFTNGXA01.phx.gbl
microsoft.public.windows.server.sbs:303946
| > > | NNTP-Posting-Host: TK2MSFTNGXA01.phx.gbl 10.40.2.250
| > > | X-Tomcat-NG: microsoft.public.windows.server.sbs
| > > |
| > > | Yes I have done all of these steps. I have intalled about 10 SBS
systems
| > > and
| > > | performed the same set-up on all of them. This one for some reason
has
| > > this
| > > | additional route problem. Can you tell me what causes this
additional
| > > route
| > > | to be added? Is there a way to control the routes that RRAS adds
to the
| > > | server when the client connects? Since it is adding a route to the
full
| > > | subnet when the client connects it is behaving to me like a demain
dial
| > > | connection that you would set-up between two servers, but I have it
| > > set-up to
| > > | an Access Server.
| > > |
| > > | Any chance it has someting to do with 10.0.0.0/24 addressing on the
box?
| > > | the 10.x.x.x private block is a Class A block which I am subnetting
to be
| > > a
| > > | Class C. Could this be confusing RRAS?
| > > |
| > > | John
| > > |
| > > | ""Crina Li"" wrote:
| > > |
| > > | > Hi John,
| > > | >
| > > | > Thanks for your update.
| > > | >
| > > | > From current situation, please check if you have configured the
network
| > > | > correctly on SBS and client computer:
| > > | >
| > > | > SBS:
| > > | >
| > > | > IP: Fixed IP address
| > > | > Gateway: your Hardware router IP
| > > | > DNS: SBS NIC IP as the only entry
| > > | >
| > > | > In the DNS console (dnsmgmt.msc), right click your ServerName and
click
| > > | > properties. In the Forwarders tab, your ISP DNS server IP should
be
| > > | > inputted there.
| > > | >
| > > | > On the client workstation, please make sure the configuration:
| > > | >
| > > | > IP: Assigned by DHCP on SBS or your hardware router
| > > | > Gateway: hardware router
| > > | > DNS: SBS INTERNAL NIC IP as the only entry
| > > | >
| > > | > And then recreate VPN to see if it helps. Please make sure you
have
| > > | > disabled the second NIC on the SBS.
| > > | >
| > > | > Thanks for your time and I look forward to hearing from you.
| > > | >
| > > | > Best regards,
| > > | >
| > > | > Crina Li (MSFT)
| > > | >
| > > | > Microsoft CSS Online Newsgroup Support
| > > | >
| > > | > Get Secure! - www.microsoft.com/security
| > > | >
| > > | > =====================================================
| > > | > This newsgroup only focuses on SBS technical issues. If you have
issues
| > > | > regarding other Microsoft products, you'd better post in the
| > > corresponding
| > > | > newsgroups so that they can be resolved in an efficient and
timely
| > > manner.
| > > | > You can locate the newsgroup here:
| > > | > http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
| > > | >
| > > | > When opening a new thread via the web interface, we recommend you
check
| > > the
| > > | > "Notify me of replies" box to receive e-mail notifications when
there
| > > are
| > > | > any updates in your thread. When responding to posts via your
| > > newsreader,
| > > | > please "Reply to Group" so that others may learn and benefit from
your
| > > | > issue.
| > > | >
| > > | > Microsoft engineers can only focus on one issue per thread.
Although we
| > > | > provide other information for your reference, we recommend you
post
| > > | > different incidents in different threads to keep the thread
clean. In
| > > doing
| > > | > so, it will ensure your issues are resolved in a timely manner.
| > > | >
| > > | > For urgent issues, you may want to contact Microsoft CSS
directly.
| > > Please
| > > | > check http://support.microsoft.com for regional support phone
numbers.
| > > | >
| > > | > Any input or comments in this thread are highly appreciated.
| > > | >
| > > | > =====================================================
| > > | >
| > > | > This posting is provided "AS IS" with no warranties, and confers
no
| > > rights.
| > > | > --------------------
| > > | > | Thread-Topic: Route added by RRAS that overrides local LAN
route on
| > > NIC
| > > | > | thread-index: AcbsHRHUAAf6uugcSyW0/DF1OTvIWA==
| > > | > | X-WBNR-Posting-Host: 65.184.34.228
| > > | > | From: =?Utf-8?B?Sm9obiBQaGlsaXBz?=
| > > <>
| > > | > | References:
<>
| > > | > <>
| > > | > | Subject: RE: Route added by RRAS that overrides local LAN route
on NIC
| > > | > | Date: Mon, 9 Oct 2006 20:35:02 -0700
| > > | > | Lines: 312
| > > | > | Message-ID: <>
| > > | > | MIME-Version: 1.0
| > > | > | Content-Type: text/plain;
| > > | > | charset="Utf-8"
| > > | > | Content-Transfer-Encoding: 7bit
| > > | > | X-Newsreader: Microsoft CDO for Windows 2000
| > > | > | Content-Class: urn:content-classes:message
| > > | > | Importance: normal
| > > | > | Priority: normal
| > > | > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830
| > > | > | Newsgroups: microsoft.public.windows.server.sbs
| > > | > | Path: TK2MSFTNGXA01.phx.gbl
| > > | > | Xref: TK2MSFTNGXA01.phx.gbl
microsoft.public.windows.server.sbs:303842
| > > | > | NNTP-Posting-Host: TK2MSFTNGXA01.phx.gbl 10.40.2.250
| > > | > | X-Tomcat-NG: microsoft.public.windows.server.sbs
| > > | > |
| > > | > | I am using SBS as the VPN server. This is a router between SBS
and
| > > the
| > > | > | internet that is peforming NAT. I have the appropriate ports
open and
| > > can
| > > | > | successfully connect a WinXP RAS client to the VPN server. The
| > > problem
| > > | > is
| > > | > | with the routes that get created on the RRAS when the client
| > > connects,
| > > | > not
| > > | > | getting a successful connection. When the connection is up I
can
| > > | > successful
| > > | > | get to the SBS server across the VPN. My issue is with the
disruption
| > > to
| > > | > the
| > > | > | connectivity to the other PCs on the LAN.
| > > | > |
| > > | > | Let me clarify what's happening with hopes you have seen this
before:
| > > | > |
| > > | > | The server has a LAN address of 10.0.0.1 and is on a network
| > > 10.0.0.0/24.
| > > | > | The route I am speaking of is the route to local LAN that is
put in
| > > the
| > > | > | routing table when you configure the NIC. In my case this route
looks
| > > | > like
| > > | > | this:
| > > | > |
| > > | > | Network Dest Netmask Gateway Interface Metric
| > > | > | 10.0.0.0 255.255.255.0 10.0.0.1 10.0.0.1 10
| > > | > |
| > > | > | 10.0.0.1 is the LAN address.
| > > | > |
| > > | > | After the RAS client connects there is another route added so
the two
| > > | > | entries of interest look like this:
| > > | > |
| > > | > | Network Dest Netmask Gateway Interface Metric
| > > | > | 10.0.0.0 255.255.255.0 10.0.0.1 10.0.0.1 10 <-this route is
always
| > > there
| > > | > | (before and after the VPN cient connects)
| > > | > | 10.0.0.0 255.255.255.0 10.0.0.115 10.0.0.121 1 <-this
| > > | > | route added when client connects (in addtion to the host route
that
| > > is
| > > | > also
| > > | > | added like you usually see for each client)
| > > | > |
| > > | > | 10.0.0.115 is the address assigned to the RAS client (using
DHCP).
| > > | > | 10.0.0.121 is the Internal Interface on the server used by RAS.
As
| > > you
| > > | > can
| > > | > | see after this route is added the server is routing to 10.0.0.0
via
| > > the
| > > | > RAS
| > > | > | tunnel vs. the LAN Interface so the PCs on the 10.0.0.0/24
local
| > > subnet
| > > | > are
| > > | > | "disconnected" from the server. The only thing I could think of
what
| > > that
| > > | > | this was related to something that is configured automatically
since
| > > | > there
| > > | > | are two NICs in the server, but I ran the the Internet
Connection
| > > wizard
| > > | > and
| > > | > | set-up up the server to use one NIC for Internet and LAN.
| > > | > |
| > > | > | I was able to pull the ipconfig and routing table (without and
with
| > > RAS
| > > | > cient
| > > | > | connected) from the server. They are below.
| > > | > |
| > > | > | As you will see by the route table, there is a route as I
described .
|