Route added by RRAS that overrides local LAN route on NIC

Discussion in 'Windows Small Business Server' started by John Philips, Oct 7, 2006.

  1. John Philips

    John Philips Guest

    I have a SBS 2003 with dual NICs, but I am running the machine in a single
    NIC configuration. I have set-up RRAS for remote access, which I have done
    many times before on other machines (both SBS and Win2003). For this
    particular machine, when a RAS client connects, the RRAS on the server adds
    a 2nd route for the local LAN to the routing stack. With the same
    destination, but with the vpn client's assigned IP address as the gateway.

    To illustrate:

    Before the VPN client connects, the routing table contains 10.0.0.0/24 with
    a gateway of 10.0.0.1 (Server Local Area Connection address) on Interface
    10.0.0.1. This entry has a metric of 10.

    After the VPN client connects, the routing table contains a 2nd entry of
    10.0.0.0/24 with a gateway of 10.0.0.118 (the address assigned to the RAS
    client) on interface 10.0.0.121 (RRAS Internal Interface). This entry has a
    metric of 1. Since this route has a lower metric it becomes the preferred
    route for the LAN and none of the PCs on the LAN can communicate with the
    server.

    When the RAS client disconnects the route is removed, and the PC on the LAN
    can reach the server again. I have dug through the RRAS configs many times
    and can't explain this. Does anyone know what could be causing this? Or,
    can you provide some pointers on how you control the routes that get added to
    the server when a RAS client connects? Also, does anyone know if a
    10.0.0.0 network number is a problem? This is a class A private network, and
    I normally use 192.168.x.x which is a class C. Could this be some issue with
    the 10.0.0.0 being treated differently due to its class?

    Thanks,
    John
     
    John Philips, Oct 7, 2006
    #1

  2. John Philips

    Crina Li Guest

    Hi John,

    Thank you for posting in SBS newsgroup.

    I am sorry for the delayed response due to weekend. Please understand that
    the newsgroups are staffed weekdays by Microsoft Support professionals to
    answer your systems and applications questions. Your understanding is
    greatly appreciated!

    From your description, do you mean the LAN clients will lose the connection
    with SBS if you create VPN to SBS from remote client?

    To narrow down the problem, would you please help me collect the following
    information?

    1. Are you creating VPN to SBS or router from remote client? It means are
    you using router or SBS as VPN server?
    2. Post the ipconfig/all result from SBS, remote client and LAN client
    before creating VPN and after creating VPN.
    3. Post the route print result.

    Also, you may need to follow the steps below to configure VPN access on an
    SBS environment:

    1. Run CEICW, follow the wizard and select Enable firewall and then make
    sure Virtual Private Networking (VPN) is selected in the Services
    Configuration page. And make sure you have typed the public FQDN of the SBS
    server on the Web Server Certificate page.
    2. Run Remote Access Wizard in Server Management\Internet and
    E-mail\Configure Remote Access, and select VPN access in the Remote Access
    Method page. After finishing this wizard, RRAS is configured to allow
    inbound VPN access, and it can assign IP addresses to the VPN clients by
    using DHCP.

    Note: When we run the remote access wizard to set up the VPN service, we
    need to input the public IP address or the public FQDN of the SBS server.
    We need to make sure that the address can be accessed from the internet.

    3. On the VPN client, go to https://publicFQDN/remote, clear I'm using a
    public or shared computer, log in and download Connection Manager.
    4. Install Connection Manager on the VPN client.
    5. Is there a hardware router installed in front of the SBS server? If so,
    ensure that the port forwarding for TCP 1723 and GRE port (protocol number
    47) are opened. PPTP VPN negotiates a connection on TCP port 1723 and
    sends data to and from the PPTP server using the GRE protocol (IP Protocol
    47, 0x2F if you are looking in Network Monitor). You should open port 1723
    on the router and also make sure IP Protocol 47 is allowed.

    I appreciate your time and look forward to hearing from you.

    Best regards,

    Crina Li (MSFT)

    Microsoft CSS Online Newsgroup Support

    Get Secure! - www.microsoft.com/security

    =====================================================
    This newsgroup only focuses on SBS technical issues. If you have issues
    regarding other Microsoft products, you'd better post in the corresponding
    newsgroups so that they can be resolved in an efficient and timely manner.
    You can locate the newsgroup here:
    http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

    When opening a new thread via the web interface, we recommend you check the
    "Notify me of replies" box to receive e-mail notifications when there are
    any updates in your thread. When responding to posts via your newsreader,
    please "Reply to Group" so that others may learn and benefit from your
    issue.

    Microsoft engineers can only focus on one issue per thread. Although we
    provide other information for your reference, we recommend you post
    different incidents in different threads to keep the thread clean. In doing
    so, it will ensure your issues are resolved in a timely manner.

    For urgent issues, you may want to contact Microsoft CSS directly. Please
    check http://support.microsoft.com for regional support phone numbers.

    Any input or comments in this thread are highly appreciated.

    =====================================================

    This posting is provided "AS IS" with no warranties, and confers no rights.
     
    Crina Li, Oct 9, 2006
    #2

  3. John Philips

    John Philips Guest

    I am using SBS as the VPN server. There is a router between SBS and the
    internet that is performing NAT. I have the appropriate ports open and can
    successfully connect a WinXP RAS client to the VPN server. The problem is
    with the routes that get created on the RRAS when the client connects, not
    getting a successful connection. When the connection is up I can successfully
    get to the SBS server across the VPN. My issue is with the disruption to the
    connectivity to the other PCs on the LAN.

    Let me clarify what's happening with hopes you have seen this before:

    The server has a LAN address of 10.0.0.1 and is on a network 10.0.0.0/24.
    The route I am speaking of is the route to local LAN that is put in the
    routing table when you configure the NIC. In my case this route looks like
    this:

    Network Dest         Netmask          Gateway      Interface    Metric
    10.0.0.0             255.255.255.0    10.0.0.1     10.0.0.1     10

    10.0.0.1 is the LAN address.

    After the RAS client connects there is another route added so the two
    entries of interest look like this:

    Network Dest         Netmask          Gateway      Interface    Metric
    10.0.0.0             255.255.255.0    10.0.0.1     10.0.0.1     10   <- this route is always there (before and after the VPN client connects)
    10.0.0.0             255.255.255.0    10.0.0.115   10.0.0.121   1    <- this route added when client connects (in addition to the host route that is also added like you usually see for each client)

    10.0.0.115 is the address assigned to the RAS client (using DHCP).
    10.0.0.121 is the Internal Interface on the server used by RAS. As you can
    see after this route is added the server is routing to 10.0.0.0 via the RAS
    tunnel vs. the LAN Interface so the PCs on the 10.0.0.0/24 local subnet are
    "disconnected" from the server. The only thing I could think of was that
    this was related to something that is configured automatically since there
    are two NICs in the server, but I ran the Internet Connection wizard and
    set up the server to use one NIC for Internet and LAN.

    I was able to pull the ipconfig and routing table (without and with RAS client
    connected) from the server. They are below.

    As you will see by the route table, there is a route as I described.

    Network Destination  Netmask          Gateway      Interface    Metric
    0.0.0.0              0.0.0.0          10.0.0.254   10.0.0.1     1    <------- Default route
    10.0.0.0             255.255.255.0    10.0.0.1     10.0.0.1     10   <----------- Route for interface LAN

    After the RAS client connects, I get a 2nd entry for 10.0.0.0/255.255.255.0
    but the gateway is the RAS client's assigned address, the Interface is the
    RRAS internal interface address, and the metric is 1. This causes the server
    to route all traffic destined for the local LAN to be routed over the tunnel
    to the remote client. As expected the resulting effect is the server cannot
    route packets to any of the machines on the local LAN which is very bad as
    it breaks the local area network.

    Output of ipconfig /all and route print (without RAS client connected).

    Windows IP Configuration

    Host Name . . . . . . . . . . . . : SERVER1
    Primary Dns Suffix . . . . . . . : kuzma.local
    Node Type . . . . . . . . . . . . : Unknown
    IP Routing Enabled. . . . . . . . : Yes
    WINS Proxy Enabled. . . . . . . . : Yes
    DNS Suffix Search List. . . . . . : kuzma.local

    PPP adapter RAS Server (Dial In) Interface:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
    Physical Address. . . . . . . . . : 00-53-45-00-00-00
    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 10.0.0.121
    Subnet Mask . . . . . . . . . . . : 255.255.255.255
    Default Gateway . . . . . . . . . :
    NetBIOS over Tcpip. . . . . . . . : Disabled

    Ethernet adapter Server Local Area Connection:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
    Physical Address. . . . . . . . . : 00-13-72-F7-3C-AB
    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 10.0.0.1
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 10.0.0.254
    DNS Servers . . . . . . . . . . . : 10.0.0.1


    C:\Documents and Settings\Administrator>route print (without RAS client
    connected)

    IPv4 Route Table
    ===========================================================================
    Interface List
    0x1 ........................... MS TCP Loopback interface
    0x10002 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
    0x10003 ...00 13 72 f7 3c ab ...... Intel(R) PRO/1000 MT Network Connection
    ===========================================================================
    ===========================================================================
    Active Routes:
    Network Destination  Netmask          Gateway      Interface    Metric
    0.0.0.0              0.0.0.0          10.0.0.254   10.0.0.1     1
    10.0.0.0             255.255.255.0    10.0.0.1     10.0.0.1     10
    10.0.0.1             255.255.255.255  127.0.0.1    127.0.0.1    10
    10.0.0.121           255.255.255.255  127.0.0.1    127.0.0.1    50
    10.255.255.255       255.255.255.255  10.0.0.1     10.0.0.1     10
    127.0.0.0            255.0.0.0        127.0.0.1    127.0.0.1    1
    224.0.0.0            240.0.0.0        10.0.0.1     10.0.0.1     10
    255.255.255.255      255.255.255.255  10.0.0.1     10.0.0.1     1
    Default Gateway: 10.0.0.254
    ===========================================================================
    Persistent Routes:
    None

    Microsoft Windows [Version 5.2.3790]
    (C) Copyright 1985-2003 Microsoft Corp.

    C:\Documents and Settings\Administrator>route print (after RAS client
    connects)

    IPv4 Route Table
    ===========================================================================
    Interface List
    0x1 ........................... MS TCP Loopback interface
    0x10002 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
    0x10003 ...00 13 72 f7 3c ab ...... Intel(R) PRO/1000 MT Network Connection
    ===========================================================================
    ===========================================================================
    Active Routes:
    Network Destination  Netmask          Gateway      Interface    Metric
    0.0.0.0              0.0.0.0          10.0.0.254   10.0.0.1     1
    10.0.0.0             255.255.255.0    10.0.0.1     10.0.0.1     10
    10.0.0.0             255.255.255.0    10.0.0.115   10.0.0.121   1
    <- note this route is added when the RAS client connects which overrides the route above to the local LAN
    10.0.0.1             255.255.255.255  127.0.0.1    127.0.0.1    10
    10.0.0.115           255.255.255.255  10.0.0.121   10.0.0.121   1
    10.0.0.121           255.255.255.255  127.0.0.1    127.0.0.1    50
    10.255.255.255       255.255.255.255  10.0.0.1     10.0.0.1     10
    65.184.34.228        255.255.255.255  10.0.0.254   10.0.0.1     1
    127.0.0.0            255.0.0.0        127.0.0.1    127.0.0.1    1
    224.0.0.0            240.0.0.0        10.0.0.1     10.0.0.1     10
    255.255.255.255      255.255.255.255  10.0.0.1     10.0.0.1     1
    Default Gateway: 10.0.0.254
    ===========================================================================
    Persistent Routes:
    None

    Have you ever heard of this before? What would be making RRAS add this route?

    Thanks,
    John
     
    John Philips, Oct 10, 2006
    #3
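
The route selection described in the post above, replayed as an added example (not part of the original thread and not Microsoft's code). It parses the Active Routes rows copied from the two `route print` captures, picks the route for a LAN host by longest prefix and then lowest metric, and reports any newly added route that shadows an existing one on a different interface. The LAN host address 10.0.0.50 is a constructed sample.

```python
"""Replay the server's route choice from the two `route print` captures."""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: str
    interface: str
    metric: int


# Active Routes rows copied from the thread, before the RAS client connects.
BEFORE = """
Network Destination Netmask Gateway Interface Metric
0.0.0.0          0.0.0.0          10.0.0.254  10.0.0.1    1
10.0.0.0         255.255.255.0    10.0.0.1    10.0.0.1    10
10.0.0.1         255.255.255.255  127.0.0.1   127.0.0.1   10
10.0.0.121       255.255.255.255  127.0.0.1   127.0.0.1   50
10.255.255.255   255.255.255.255  10.0.0.1    10.0.0.1    10
127.0.0.0        255.0.0.0        127.0.0.1   127.0.0.1   1
224.0.0.0        240.0.0.0        10.0.0.1    10.0.0.1    10
255.255.255.255  255.255.255.255  10.0.0.1    10.0.0.1    1
"""

# Active Routes rows copied from the thread, after the RAS client connects.
AFTER = """
Network Destination Netmask Gateway Interface Metric
0.0.0.0          0.0.0.0          10.0.0.254  10.0.0.1    1
10.0.0.0         255.255.255.0    10.0.0.1    10.0.0.1    10
10.0.0.0         255.255.255.0    10.0.0.115  10.0.0.121  1
10.0.0.1         255.255.255.255  127.0.0.1   127.0.0.1   10
10.0.0.115       255.255.255.255  10.0.0.121  10.0.0.121  1
10.0.0.121       255.255.255.255  127.0.0.1   127.0.0.1   50
10.255.255.255   255.255.255.255  10.0.0.1    10.0.0.1    10
65.184.34.228    255.255.255.255  10.0.0.254  10.0.0.1    1
127.0.0.0        255.0.0.0        127.0.0.1   127.0.0.1   1
224.0.0.0        240.0.0.0        10.0.0.1    10.0.0.1    10
255.255.255.255  255.255.255.255  10.0.0.1    10.0.0.1    1
"""

LAN_HOST = "10.0.0.50"  # constructed sample address on the 10.0.0.0/24 LAN


def parse_routes(text: str) -> List[Route]:
    """Parse 'dest mask gateway interface metric' rows; skip anything else."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # header, ruler or blank line
        dest, mask, gateway, interface, metric = fields
        try:
            network = ipaddress.IPv4Network(f"{dest}/{mask}")
            routes.append(Route(network, gateway, interface, int(metric)))
        except ValueError:
            continue  # not a route row
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Pick the route for dst: longest prefix first, then lowest metric."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.metric))


def shadowing_routes(before: List[Route],
                     after: List[Route]) -> List[Tuple[Route, Route]]:
    """Return (new, old) pairs where a newly added route has the same
    destination as an existing route, a lower metric and another interface."""
    known = set(before)
    findings = []
    for new in after:
        if new in known:
            continue
        for old in before:
            if (old.network == new.network
                    and old.interface != new.interface
                    and new.metric < old.metric):
                findings.append((new, old))
    return findings


if __name__ == "__main__":
    before, after = parse_routes(BEFORE), parse_routes(AFTER)
    for label, table in (("before", before), ("after", after)):
        r = lookup(table, LAN_HOST)
        print(f"{label}: {LAN_HOST} -> gateway {r.gateway} "
              f"on interface {r.interface} (metric {r.metric})")
    for new, old in shadowing_routes(before, after):
        print(f"shadowed: {old.network} on {old.interface} metric {old.metric} "
              f"by gateway {new.gateway} on {new.interface} metric {new.metric}")
```
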
  4. John Philips

    Crina Li Guest

    Hi John,

    Thanks for your update.

    From current situation, please check if you have configured the network
    correctly on SBS and client computer:

    SBS:

    IP: Fixed IP address
    Gateway: your Hardware router IP
    DNS: SBS NIC IP as the only entry

    In the DNS console (dnsmgmt.msc), right click your ServerName and click
    properties. In the Forwarders tab, your ISP DNS server IP should be
    inputted there.

    On the client workstation, please make sure the configuration:

    IP: Assigned by DHCP on SBS or your hardware router
    Gateway: hardware router
    DNS: SBS INTERNAL NIC IP as the only entry

    And then recreate VPN to see if it helps. Please make sure you have
    disabled the second NIC on the SBS.

    Thanks for your time and I look forward to hearing from you.

    Best regards,

    Crina Li (MSFT)

    Microsoft CSS Online Newsgroup Support

    Get Secure! - www.microsoft.com/security

    =====================================================
    This newsgroup only focuses on SBS technical issues. If you have issues
    regarding other Microsoft products, you'd better post in the corresponding
    newsgroups so that they can be resolved in an efficient and timely manner.
    You can locate the newsgroup here:
    http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

    When opening a new thread via the web interface, we recommend you check the
    "Notify me of replies" box to receive e-mail notifications when there are
    any updates in your thread. When responding to posts via your newsreader,
    please "Reply to Group" so that others may learn and benefit from your
    issue.

    Microsoft engineers can only focus on one issue per thread. Although we
    provide other information for your reference, we recommend you post
    different incidents in different threads to keep the thread clean. In doing
    so, it will ensure your issues are resolved in a timely manner.

    For urgent issues, you may want to contact Microsoft CSS directly. Please
    check http://support.microsoft.com for regional support phone numbers.

    Any input or comments in this thread are highly appreciated.

    =====================================================

    This posting is provided "AS IS" with no warranties, and confers no rights.
    --------------------
    | Thread-Topic: Route added by RRAS that overrides local LAN route on NIC
    | thread-index: AcbsHRHUAAf6uugcSyW0/DF1OTvIWA==
    | X-WBNR-Posting-Host: 65.184.34.228
    | From: =?Utf-8?B?Sm9obiBQaGlsaXBz?= <>
    | References: <>
    <>
    | Subject: RE: Route added by RRAS that overrides local LAN route on NIC
    | Date: Mon, 9 Oct 2006 20:35:02 -0700
    | Lines: 312
    | Message-ID: <>
    | MIME-Version: 1.0
    | Content-Type: text/plain;
    | charset="Utf-8"
    | Content-Transfer-Encoding: 7bit
    | X-Newsreader: Microsoft CDO for Windows 2000
    | Content-Class: urn:content-classes:message
    | Importance: normal
    | Priority: normal
    | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830
    | Newsgroups: microsoft.public.windows.server.sbs
    | Path: TK2MSFTNGXA01.phx.gbl
    | Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:303842
    | NNTP-Posting-Host: TK2MSFTNGXA01.phx.gbl 10.40.2.250
    | X-Tomcat-NG: microsoft.public.windows.server.sbs
    |
    | I am using SBS as the VPN server. This is a router between SBS and the
    | internet that is peforming NAT. I have the appropriate ports open and can
    | successfully connect a WinXP RAS client to the VPN server. The problem
    is
    | with the routes that get created on the RRAS when the client connects,
    not
    | getting a successful connection. When the connection is up I can
    successful
    | get to the SBS server across the VPN. My issue is with the disruption to
    the
    | connectivity to the other PCs on the LAN.
    |
    | Let me clarify what's happening with hopes you have seen this before:
    |
    | The server has a LAN address of 10.0.0.1 and is on a network 10.0.0.0/24.
    | The route I am speaking of is the route to local LAN that is put in the
    | routing table when you configure the NIC. In my case this route looks
    like
    | this:
    |
    | Network Dest Netmask Gateway Interface Metric
    | 10.0.0.0 255.255.255.0 10.0.0.1 10.0.0.1 10
    |
    | 10.0.0.1 is the LAN address.
    |
    | After the RAS client connects there is another route added so the two
    | entries of interest look like this:
    |
    | Network Dest Netmask Gateway Interface Metric
    | 10.0.0.0 255.255.255.0 10.0.0.1 10.0.0.1 10 <-this route is always there
    | (before and after the VPN cient connects)
    | 10.0.0.0 255.255.255.0 10.0.0.115 10.0.0.121 1 <-this
    | route added when client connects (in addtion to the host route that is
    also
    | added like you usually see for each client)
    |
    | 10.0.0.115 is the address assigned to the RAS client (using DHCP).
    | 10.0.0.121 is the Internal Interface on the server used by RAS. As you
    can
    | see after this route is added the server is routing to 10.0.0.0 via the
    RAS
    | tunnel vs. the LAN Interface so the PCs on the 10.0.0.0/24 local subnet
    are
    | "disconnected" from the server. The only thing I could think of what that
    | this was related to something that is configured automatically since
    there
    | are two NICs in the server, but I ran the the Internet Connection wizard
    and
    | set-up up the server to use one NIC for Internet and LAN.
    |
    | I was able to pull the ipconfig and routing table (without and with RAS
    cient
    | connected) from the server. They are below.
    |
    | As you will see by the route table, there is a route as I described .
    | Network Destination Netmask Gateway Interface
    Metric
    | 0.0.0.0 0.0.0.0 10.0.0.254 10.0.0.1
    1
    | <------- Default route
    | 10.0.0.0 255.255.255.0 10.0.0.1 10.0.0.1
    10
    | <----------- Route for interface LAN
    |
    | After the RAS client connects, I get a 2nd entry for
    10.0.0.0/255.255.255.0
    | but the gateway is the RAS client's assigned address, the Interface is
    the
    | RRAS internal interface address, and the metic is 1. This causes the
    server
    | to route all traffic destined for the local LAN to be routed over the
    tunnel
    | to the remote client. As expected the resulting effect is the server
    cannot
    | route packets to any of the machines on the local LAN which is very bad as
    | as it breaks the local area network.
    |
    | Output of ipconfig /all and route print (without RAS client connected).
    |
    | Windows IP Configuration
    |
    | Host Name . . . . . . . . . . . . : SERVER1
    | Primary Dns Suffix . . . . . . . : kuzma.local
    | Node Type . . . . . . . . . . . . : Unknown
    | IP Routing Enabled. . . . . . . . : Yes
    | WINS Proxy Enabled. . . . . . . . : Yes
    | DNS Suffix Search List. . . . . . : kuzma.local
    |
    | PPP adapter RAS Server (Dial In) Interface:
    |
    | Connection-specific DNS Suffix . :
    | Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
    | Physical Address. . . . . . . . . : 00-53-45-00-00-00
    | DHCP Enabled. . . . . . . . . . . : No
    | IP Address. . . . . . . . . . . . : 10.0.0.121
    | Subnet Mask . . . . . . . . . . . : 255.255.255.255
    | Default Gateway . . . . . . . . . :
    | NetBIOS over Tcpip. . . . . . . . : Disabled
    |
    | Ethernet adapter Server Local Area Connection:
    |
    | Connection-specific DNS Suffix . :
    | Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network
    Connection
    | Physical Address. . . . . . . . . : 00-13-72-F7-3C-AB
    | DHCP Enabled. . . . . . . . . . . : No
    | IP Address. . . . . . . . . . . . : 10.0.0.1
    | Subnet Mask . . . . . . . . . . . : 255.255.255.0
    | Default Gateway . . . . . . . . . : 10.0.0.254
    | DNS Servers . . . . . . . . . . . : 10.0.0.1
    |
    |
    | C:\Documents and Settings\Administrator>route print (without RAS client
    | connected)
    |
    | IPv4 Route Table
    |
    ===========================================================================
    | Interface List
    | 0x1 ........................... MS TCP Loopback interface
    | 0x10002 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
    | 0x10003 ...00 13 72 f7 3c ab ...... Intel(R) PRO/1000 MT Network
    Connection
    |
    ===========================================================================
    |
    ===========================================================================
    | Active Routes:
    | Network Destination Netmask Gateway Interface
    Metric
    | 0.0.0.0 0.0.0.0 10.0.0.254 10.0.0.1
    1
    | 10.0.0.0 255.255.255.0 10.0.0.1 10.0.0.1
    10
    | 10.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1
    10
    | 10.0.0.121 255.255.255.255 127.0.0.1 127.0.0.1
    50
    | 10.255.255.255 255.255.255.255 10.0.0.1 10.0.0.1
    10
    | 127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1
    1
    | 224.0.0.0 240.0.0.0 10.0.0.1 10.0.0.1
    10
    | 255.255.255.255 255.255.255.255 10.0.0.1 10.0.0.1
    1
    | Default Gateway: 10.0.0.254
    |
    ===========================================================================
    | Persistent Routes:
    | None
    |
    | Microsoft Windows [Version 5.2.3790]
    | (C) Copyright 1985-2003 Microsoft Corp.
    |
    | C:\Documents and Settings\Administrator>route print (after RAS client
    | connects)
    |
    | IPv4 Route Table
    |
    ===========================================================================
    | Interface List
    | 0x1 ........................... MS TCP Loopback interface
    | 0x10002 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
    | 0x10003 ...00 13 72 f7 3c ab ...... Intel(R) PRO/1000 MT Network
    Connection
    |
    ===========================================================================
    |
    ===========================================================================
    | Active Routes:
    | Network Destination Netmask Gateway Interface
    Metric
    | 0.0.0.0 0.0.0.0 10.0.0.254 10.0.0.1
    1
    | 10.0.0.0 255.255.255.0 10.0.0.1 10.0.0.1
    10
    | 10.0.0.0 255.255.255.0 10.0.0.115 10.0.0.121
    1
    | <- note this route is added when the RAS client connects which overrides
    the
    | route above to the local LAN
    | 10.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1
    10
    | 10.0.0.115 255.255.255.255 10.0.0.121 10.0.0.121
    1
    | 10.0.0.121 255.255.255.255 127.0.0.1 127.0.0.1
    50
    | 10.255.255.255 255.255.255.255 10.0.0.1 10.0.0.1
    10
    | 65.184.34.228 255.255.255.255 10.0.0.254 10.0.0.1
    1
    | 127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1
    1
    | 224.0.0.0 240.0.0.0 10.0.0.1 10.0.0.1
    10
    | 255.255.255.255 255.255.255.255 10.0.0.1 10.0.0.1
    1
    | Default Gateway: 10.0.0.254
    |
    ===========================================================================
    | Persistent Routes:
    | None
    |
    | Have you ever heard of this before. What would be making RRAS add this
    route?
    |
    | Thanks,
    | John
    |
    | ""Crina Li"" wrote:
    |
    | > Hi John,
    | >
    | > Thank you for posting in SBS newsgroup.
    | >
    | > I am sorry for the delayed response due to weekend. Please understand
    that
    | > the newsgroups are staffed weekdays by Microsoft Support professionals
    to
    | > answer your systems and applications questions. Your understanding is
    | > greatly appreciated!
    | >
    | > From your description, do you mean the LAN clients will lose the
    connection
    | > with SBS if you create VPN to SBS from remote client?
    | >
    | > To narrow down the problem, would you please help me collect the
    following
    | > information?
    | >
    | > 1. Are you creating VPN to SBS or router from remote client? It means
    are
    | > you using router or SBS as VPN server?
    | > 2. Post the ipconfig/all result from SBS, remote client and LAN client
    | > before creating VPN and after creating VPN.
    | > 3. Post the route print result.
    | >
    | > Also, you may need to follow the steps below to configure VPN access on
    an
    | > SBS environment:
    | >
    | > 1. Run CEICW, follow the wizard and select Enable firewall and then
    make
    | > sure Virtual Private Networking (VPN) is selected in the Services
    | > Configuration page. And make sure you have typed the public FQDN of the
    SBS
    | > server on the Web Server Certificate page.
    | > 2. Run Remote Access Wizard in Server Management\Internet and
    | > E-mail\Configure Remote Access, and select VPN access in the Remote
    Access
    | > Method page. After finishing this wizard, RRAS is configured to allow
    | > inbound VPN access, and it can assign IP addresses to the VPN clients
    by
    | > using DHCP.
    | >
    | > Note: When we run the remote access wizard to set up the VPN service,
    we
    | > need to input the public IP address or the public FQDN of the SBS
    server.
    | > We need to make sure that the address can be accessed from the internet.
    | >
    | > 3. On the VPN client, go to https://publicFQDN/remote, clear I'm using
    a
    | > public or shared computer, log in and download Connection Manager.
    | > 4. Install Connection Manager on the VPN client.
    | > 5. Is there a hardware router installed in front of the SBS server? If
    so,
    | > ensure that the port forwarding for TCP 1723 and GRE port (protocol
    number
    | > 47) are opened. PPTP VPN is negotiating a connection on TCP port 1723
    and
    | > send data to and from the PPTP server using the GRE protocol (IP
    Protocol
    | > 47, 0x2F if you are looking in Network Monitor). You should open port
    1723
    | > on the router and also make sure IP Protocol 47 is allowed.
    | >
    | > I appreciate your time and look forward to hearing from you.
    | >
    | > Best regards,
    | >
    | > Crina Li (MSFT)
     
    Crina Li, Oct 10, 2006
    #4
  5. John Philips

    John Philips Guest

    Yes I have done all of these steps. I have installed about 10 SBS systems and
    performed the same set-up on all of them. This one for some reason has this
    additional route problem. Can you tell me what causes this additional route
    to be added? Is there a way to control the routes that RRAS adds to the
    server when the client connects? Since it is adding a route to the full
    subnet when the client connects it is behaving to me like a demand dial
    connection that you would set-up between two servers, but I have it set-up to
    an Access Server.

    Any chance it has something to do with 10.0.0.0/24 addressing on the box?
    The 10.x.x.x private block is a Class A block which I am subnetting to be a
    Class C. Could this be confusing RRAS?

    John

     
    John Philips, Oct 10, 2006
    #5
  6. John Philips

    Crina Li Guest

    Hi John,

    Thanks for your update.

    The problem may be caused by the following:

    When a remote computer connects to the Routing and Remote Access server by
    using a dial-up or a VPN connection, the server creates a Point-to-Point
    Protocol (PPP) adapter to communicate with the remote computer. The server
    may then register the IP address of this PPP adapter in the DNS or the WINS
    database.

    When the Routing and Remote Access server registers the IP address of its
    PPP adapter in DNS or WINS, you may receive errors on the local computers
    when you try to connect to the server. You receive these errors because the
    DNS or WINS servers may return the IP address of the PPP adapter to
    computers that query DNS or WINS for the server's IP address. The computers
    then try to connect to the IP address of the PPP adapter. Because the local
    computers cannot reach the PPP adapter, the connections fail.

    For more detailed information, please refer to the following KB article:

    292822 Name resolution and connectivity issues on a Routing and Remote
    Access Server that also runs DNS or WINS
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;292822

    Thanks for your time and I look forward to hearing from you.

    Best regards,

    Crina Li (MSFT)

    Microsoft CSS Online Newsgroup Support

     
    Crina Li, Oct 11, 2006
    #6
  7. John Philips

    John Philips Guest

    As I read the article you provided, it appears to address name resolution
    when the DNS/WINS returns the PPP adapter address instead of the LAN adapter
    address. I have seen this problem before in other cases, but that is not the
    problem here. I am debugging with IP addresses alone. I will reiterate, the
    issue I am experiencing is clear. When the second route is added by the RRAS
    for destination 1.0.0.0/24 using the RAS client address as the gateway with a
    higher metric, then all traffic from the server to any address in the range of
    10.0.0.0/24 - 10.0.0.255/24 (all devices on the LAN) will be routed through
    the tunnel and thus the packets will not get to the PC on the LAN as I
    observe.

    As I have requested before, do you have access to any information on how
    routes are added to the routing table on the server when a RAS client
    connects to RRAS? If I could control this, I think I could fix my problem.

    Thanks,
    John
     
    John Philips, Oct 11, 2006
    #7
  8. John Philips

    John Philips Guest

    I found a fix for my problem. Turns out that if I renumbered my LAN so that
    it was not 10.0.0.0/24 (I used 10.1.20.0/24), then while the 10.0.0.0/24
    route was still added it no longer interfered with my LAN network route
    (since it is now 10.1.20.0/24).

    I am still perplexed on where this 10.0.0.0/24 network route is coming from.
    After checking some other servers that have VPN connecting correctly, I find
    that the extra route that is added is a host route to the public IP of the
    RAS client. I now suspect that the 10.0.0.0 route may be resulting from the
    way my D-Link router is doing NAT. I can't be sure about this, but otherwise
    I can't explain why I see host routes to the RAS client public IP on other
    machines and I see a network route on this machine, which sits behind the
    D-Link. My other machines that have a host route added are behind Cisco PIXs
    which are doing the NAT.

    So the lesson is to avoid using the 10.0.0.0 network number on your LAN if you
    plan on using RRAS.

    John
     
    John Philips, Oct 12, 2006
    #8
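
    The route conflict and the renumbering fix described in the posts above, as an added example that is not part of the original thread. The first table is retyped from the "after RAS client connects" route print output John posted in this thread; the renumbered table's 10.1.20.x host addresses and all function names are assumptions made for illustration.

```python
"""Added example: find routes that shadow the on-link LAN route in `route print` rows."""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: str
    interface: str
    metric: int


# Rows of interest retyped from the thread's route table (line wrapping repaired).
AFTER_CONNECT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       10.0.0.254        10.0.0.1       1
         10.0.0.0    255.255.255.0         10.0.0.1        10.0.0.1      10
         10.0.0.0    255.255.255.0       10.0.0.115      10.0.0.121       1
         10.0.0.1  255.255.255.255        127.0.0.1       127.0.0.1      10
       10.0.0.115  255.255.255.255       10.0.0.121      10.0.0.121       1
       10.0.0.121  255.255.255.255        127.0.0.1       127.0.0.1      50
"""

# Constructed table for the renumbered LAN (10.1.20.0/24 is from the thread;
# the .1, .115, .121 and .254 host addresses are assumed).
RENUMBERED = """\
          0.0.0.0          0.0.0.0      10.1.20.254       10.1.20.1       1
        10.1.20.0    255.255.255.0        10.1.20.1       10.1.20.1      10
         10.0.0.0    255.255.255.0      10.1.20.115     10.1.20.121       1
"""


def parse_routes(text: str) -> List[Route]:
    """Parse the five-column Active Routes rows; skip headers and separators."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        try:
            network = ipaddress.IPv4Network(f"{fields[0]}/{fields[1]}")
            ipaddress.IPv4Address(fields[2])
            ipaddress.IPv4Address(fields[3])
            metric = int(fields[4])
        except ValueError:
            continue
        routes.append(Route(network, fields[2], fields[3], metric))
    return routes


def select_route(routes: List[Route], dest: str) -> Optional[Route]:
    """Pick the route the stack would use: longest prefix first, then lowest metric."""
    ip = ipaddress.IPv4Address(dest)
    matches = [r for r in routes if ip in r.network]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r.network.prefixlen, r.metric))


def find_shadowed(routes: List[Route]) -> List[Tuple[Route, Route]]:
    """Return (lan_route, shadowing_route) pairs.

    A LAN route is on-link (gateway equals the interface address). It is
    shadowed when another route to the same network leaves through a
    different interface with an equal or lower metric.
    """
    findings = []
    for lan in routes:
        on_link = (
            lan.gateway == lan.interface
            and lan.interface != "127.0.0.1"
            and lan.network.prefixlen < 32
        )
        if not on_link:
            continue
        for other in routes:
            if (
                other.network == lan.network
                and other.interface != lan.interface
                and other.metric <= lan.metric
            ):
                findings.append((lan, other))
    return findings


if __name__ == "__main__":
    connected = parse_routes(AFTER_CONNECT)
    # The two routes RRAS added are the ones bound to the internal interface.
    before = [r for r in connected if r.interface != "10.0.0.121"]
    for label, table in (("before", before), ("connected", connected)):
        chosen = select_route(table, "10.0.0.50")
        print(f"{label}: LAN host 10.0.0.50 leaves via {chosen.interface}")
    for lan, shadow in find_shadowed(connected):
        print(f"shadowed: {lan.network} on {lan.interface} (metric {lan.metric}) "
              f"loses to gateway {shadow.gateway} on {shadow.interface} "
              f"(metric {shadow.metric})")
    print("renumbered findings:", find_shadowed(parse_routes(RENUMBERED)))
```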
  9. John Philips

    Crina Li Guest

    Hi John,

    Thanks for your update.

    I am glad to hear the problem is resolved. Also thanks for your great
    sharing.

    It is my pleasure to work with you in this post. If you encounter any
    difficulties in the future, please submit the post to the newsgroup. We
    are glad to be of assistance.

    Again, thank you for using the Microsoft newsgroup. Have a nice day. :)

    Best regards,

    Crina Li (MSFT)

    Microsoft CSS Online Newsgroup Support

    Get Secure! - www.microsoft.com/security

    =====================================================
    This newsgroup only focuses on SBS technical issues. If you have issues
    regarding other Microsoft products, you'd better post in the corresponding
    newsgroups so that they can be resolved in an efficient and timely manner.
    You can locate the newsgroup here:
    http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

    When opening a new thread via the web interface, we recommend you check the
    "Notify me of replies" box to receive e-mail notifications when there are
    any updates in your thread. When responding to posts via your newsreader,
    please "Reply to Group" so that others may learn and benefit from your
    issue.

    Microsoft engineers can only focus on one issue per thread. Although we
    provide other information for your reference, we recommend you post
    different incidents in different threads to keep the thread clean. In doing
    so, it will ensure your issues are resolved in a timely manner.

    For urgent issues, you may want to contact Microsoft CSS directly. Please
    check http://support.microsoft.com for regional support phone numbers.

    Any input or comments in this thread are highly appreciated.

    =====================================================

    This posting is provided "AS IS" with no warranties, and confers no rights.
    --------------------
    | Thread-Topic: Route added by RRAS that overrides local LAN route on NIC
    | thread-index: Acbtn8EXtoiNfArPRb6ZxmcZTKLWFA==
    | X-WBNR-Posting-Host: 65.184.34.228
    | From: =?Utf-8?B?Sm9obiBQaGlsaXBz?= <>
    | References: <>
    <>
    <>
    <>
    <>
    <bA$>
    <>
    | Subject: RE: Route added by RRAS that overrides local LAN route on NIC
    | Date: Wed, 11 Oct 2006 18:43:02 -0700
    | Lines: 322
    | Message-ID: <>
    | MIME-Version: 1.0
    | Content-Type: text/plain;
    | charset="Utf-8"
    | Content-Transfer-Encoding: 7bit
    | X-Newsreader: Microsoft CDO for Windows 2000
    | Content-Class: urn:content-classes:message
    | Importance: normal
    | Priority: normal
    | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830
    | Newsgroups: microsoft.public.windows.server.sbs
    | Path: TK2MSFTNGXA01.phx.gbl
    | Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:304402
    | NNTP-Posting-Host: TK2MSFTNGXA01.phx.gbl 10.40.2.250
    | X-Tomcat-NG: microsoft.public.windows.server.sbs
    |
    | I found a fix for my problem. Turns out that if i renumbered my LAN so
    that
    | it was not 10.0.0.0/24 (I used 10.1.20.0/24), then while the 10.0.0.0/24
    | route was still added it no longer interfered with my LAN network route
    | (since it is now 10.1.20.0/24).
    |
    | I am still perplexed on where this 10.0.0.0/24 network route is coming
    from.
    | After checking some other servers that have VPN connecting correctly, I
    find
    | that the extra route that is added is a host route to the public IP of
    the
    | RAS client. I now suspect that the 10.0.0.0 route may be resulting from
    the
    | way my Dlink router is doing NAT. I can't be sure about this, but
    otherwise
    | I can't explain why see host routes to the RAS client public IP on other
    | machines and an I see a network route on this machine which sites behind
    the
    | D-link. My other machines that have a host route added are behind Cisco
    PIXs
    | which are doing the NAT.
    |
    | So the lesson is avoid using 10.0.0.0 network number on you LAN if you
    plan
    | on using RRAS.
    |
    | John
    |
    | "John Philips" wrote:
    |
    | > As I read the article you provided, it appears to address name
    resolution
    | > when the DNS/WINS returns the PPP adapter address instead of the LAN
    adapter
    | > address. I have seen this problem before in other cases, but that is
    not the
    | > problem here. I am debugging with IP addreses alone. I will
    reiterate, the
    | > issue I am experiencing is clear. When the second route is added by
    the RRAS
    | > for destination 1.0.0.0/24 using the RAS client address as the gateway
    with a
    | > higer metric, then all traffic from the server to any address in the
    range of
    | > 10.0.0.0/24 - 10.0.0.255/24 (all devices on the LAN) will be routed
    through
    | > the tunnel and thus the packets will not get to the PC on the LAN as I
    | > observe.
    | >
    | > As I have requested before, do you have access to any information on
    how
    | > routes are added to the routing table on the server when a RAS client
    | > connects to RRAS? If I could control this, I think I could fix my
    problem.
    | >
    | > Thanks,
    | > John
    | >
    | > ""Crina Li"" wrote:
    | >
    | > > Hi John,
    | > >
    | > > Thanks for your update.
    | > >
    | > > The problem may be caused by the following:
    | > >
    | > > When a remote computer connects to the Routing and Remote Access
    server by
    | > > using a dial-up or a VPN connection, the server creates a
    Point-to-Point
    | > > Protocol (PPP) adapter to communicate with the remote computer. The
    server
    | > > may then register the IP address of this PPP adapter in the DNS or
    the WINS
    | > > database.
    | > >
    | > > When the Routing and Remote Access server registers the IP address of
    its
    | > > PPP adapter in DNS or WINS, you may receive errors on the local
    computers
    | > > when you try to connect to the server. You receive these errors
    because the
    | > > DNS or WINS servers may return the IP address of the PPP adapter to
    | > > computers that query DNS or WINS for the server's IP address. The
    computers
    | > > then try to connect to the IP address of the PPP adapter. Because the
    local
    | > > computers cannot reach the PPP adapter, the connections fail.
    | > >
    | > > For more detailed information, please refer to the following KB
    article:
    | > >
    | > > 292822 Name resolution and connectivity issues on a Routing and
    Remote
    | > > Access Server that also runs DNS or WINS
    | > > http://support.microsoft.com/default.aspx?scid=kb;EN-US;292822
    | > >
    | > > Thanks for your time and I look forward to hearing from you.
    | > >
    | > > Best regards,
    | > >
    | > > Crina Li (MSFT)
    | > >
    | > > Microsoft CSS Online Newsgroup Support
    | > >
    | > > Get Secure! - www.microsoft.com/security
    | > >
    | > > =====================================================
    | > > This newsgroup only focuses on SBS technical issues. If you have issues
    | > > regarding other Microsoft products, you'd better post in the corresponding
    | > > newsgroups so that they can be resolved in an efficient and timely manner.
    | > > You can locate the newsgroup here:
    | > > http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
    | > >
    | > > When opening a new thread via the web interface, we recommend you check the
    | > > "Notify me of replies" box to receive e-mail notifications when there are
    | > > any updates in your thread. When responding to posts via your newsreader,
    | > > please "Reply to Group" so that others may learn and benefit from your
    | > > issue.
    | > >
    | > > Microsoft engineers can only focus on one issue per thread. Although we
    | > > provide other information for your reference, we recommend you post
    | > > different incidents in different threads to keep the thread clean. In doing
    | > > so, it will ensure your issues are resolved in a timely manner.
    | > >
    | > > For urgent issues, you may want to contact Microsoft CSS directly. Please
    | > > check http://support.microsoft.com for regional support phone numbers.
    | > >
    | > > Any input or comments in this thread are highly appreciated.
    | > >
    | > > =====================================================
    | > >
    | > > This posting is provided "AS IS" with no warranties, and confers no rights.
    | > > --------------------
    | > > | From: John Philips
    | > > | Subject: RE: Route added by RRAS that overrides local LAN route on NIC
    | > > | Date: Tue, 10 Oct 2006 07:23:01 -0700
    | > > |
    | > > | Yes I have done all of these steps. I have installed about 10 SBS systems and
    | > > | performed the same set-up on all of them. This one for some reason has this
    | > > | additional route problem. Can you tell me what causes this additional route
    | > > | to be added? Is there a way to control the routes that RRAS adds to the
    | > > | server when the client connects? Since it is adding a route to the full
    | > > | subnet when the client connects it is behaving to me like a demand-dial
    | > > | connection that you would set up between two servers, but I have it set up to
    | > > | an Access Server.
    | > > |
    | > > | Any chance it has something to do with 10.0.0.0/24 addressing on the box?
    | > > | The 10.x.x.x private block is a Class A block which I am subnetting to be a
    | > > | Class C. Could this be confusing RRAS?
    | > > |
    | > > | John
    | > > |
    | > > | ""Crina Li"" wrote:
    | > > |
    | > > | > Hi John,
    | > > | >
    | > > | > Thanks for your update.
    | > > | >
    | > > | > From current situation, please check if you have configured the network
    | > > | > correctly on SBS and client computer:
    | > > | >
    | > > | > SBS:
    | > > | >
    | > > | > IP: Fixed IP address
    | > > | > Gateway: your Hardware router IP
    | > > | > DNS: SBS NIC IP as the only entry
    | > > | >
    | > > | > In the DNS console (dnsmgmt.msc), right click your ServerName and click
    | > > | > properties. In the Forwarders tab, your ISP DNS server IP should be
    | > > | > inputted there.
    | > > | >
    | > > | > On the client workstation, please make sure the configuration:
    | > > | >
    | > > | > IP: Assigned by DHCP on SBS or your hardware router
    | > > | > Gateway: hardware router
    | > > | > DNS: SBS INTERNAL NIC IP as the only entry
    | > > | >
    | > > | > And then recreate VPN to see if it helps. Please make sure you have
    | > > | > disabled the second NIC on the SBS.
    | > > | >
    | > > | > Thanks for your time and I look forward to hearing from you.
    | > > | >
    | > > | > Best regards,
    | > > | >
    | > > | > Crina Li (MSFT)
    | > > | >
    | > > | > --------------------
    | > > | > | From: John Philips
    | > > | > | Subject: RE: Route added by RRAS that overrides local LAN route on NIC
    | > > | > | Date: Mon, 9 Oct 2006 20:35:02 -0700
    | > > | > |
    | > > | > | I am using SBS as the VPN server. There is a router between SBS and the
    | > > | > | internet that is performing NAT. I have the appropriate ports open and can
    | > > | > | successfully connect a WinXP RAS client to the VPN server. The problem is
    | > > | > | with the routes that get created on the RRAS when the client connects, not
    | > > | > | getting a successful connection. When the connection is up I can successfully
    | > > | > | get to the SBS server across the VPN. My issue is with the disruption to the
    | > > | > | connectivity to the other PCs on the LAN.
    | > > | > |
    | > > | > | Let me clarify what's happening with hopes you have seen this before:
    | > > | > |
    | > > | > | The server has a LAN address of 10.0.0.1 and is on a network 10.0.0.0/24.
    | > > | > | The route I am speaking of is the route to local LAN that is put in the
    | > > | > | routing table when you configure the NIC. In my case this route looks like
    | > > | > | this:
    | > > | > |
    | > > | > | Network Dest  Netmask        Gateway     Interface   Metric
    | > > | > | 10.0.0.0      255.255.255.0  10.0.0.1    10.0.0.1    10
    | > > | > |
    | > > | > | 10.0.0.1 is the LAN address.
    | > > | > |
    | > > | > | After the RAS client connects there is another route added so the two
    | > > | > | entries of interest look like this:
    | > > | > |
    | > > | > | Network Dest  Netmask        Gateway     Interface   Metric
    | > > | > | 10.0.0.0      255.255.255.0  10.0.0.1    10.0.0.1    10  <- this route is always there
    | > > | > |     (before and after the VPN client connects)
    | > > | > | 10.0.0.0      255.255.255.0  10.0.0.115  10.0.0.121  1   <- this route added when client
    | > > | > |     connects (in addition to the host route that is also added like you
    | > > | > |     usually see for each client)
    | > > | > |
    | > > | > | 10.0.0.115 is the address assigned to the RAS client (using DHCP).
    | > > | > | 10.0.0.121 is the Internal Interface on the server used by RAS. As you can
    | > > | > | see after this route is added the server is routing to 10.0.0.0 via the RAS
    | > > | > | tunnel vs. the LAN Interface so the PCs on the 10.0.0.0/24 local subnet are
    | > > | > | "disconnected" from the server. The only thing I could think of was that
    | > > | > | this was related to something that is configured automatically since there
    | > > | > | are two NICs in the server, but I ran the Internet Connection wizard and
    | > > | > | set up the server to use one NIC for Internet and LAN.
    | > > | > |
    | > > | > | I was able to pull the ipconfig and routing table (without and with RAS client
    | > > | > | connected) from the server. They are below.
    | > > | > |
    | > > | > | As you will see by the route table, there is a route as I described.
    |
     
    Crina Li, Oct 12, 2006
    #9
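
The symptom quoted in this thread (a second 10.0.0.0/24 route with metric 1 on the RRAS Internal Interface beating the metric-10 route on the LAN NIC) can be checked for mechanically. The script below is an added example, not code from any poster in the thread: it parses `route print`-style rows and flags any route to the LAN NIC's own subnet that wins on metric but leaves through another interface. The function names, the default-route row (gateway 10.0.0.254) and the host-route row are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: the two 10.0.0.0/24 rows are the ones quoted in the thread;
# the default route (gateway 10.0.0.254) and the host route are constructed.
ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       10.0.0.254        10.0.0.1      10
         10.0.0.0    255.255.255.0         10.0.0.1        10.0.0.1      10
         10.0.0.0    255.255.255.0       10.0.0.115      10.0.0.121       1
       10.0.0.115  255.255.255.255       10.0.0.121      10.0.0.121       1
"""

def parse_routes(text):
    """Return (network, gateway, interface, metric) tuples from route-table rows."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 5:
            continue  # header, blank or wrapped line
        try:
            net = ipaddress.ip_network(f"{f[0]}/{f[1]}")
            iface = ipaddress.ip_address(f[3])
            # newer Windows prints "On-link" for directly connected routes
            gw = iface if f[2] == "On-link" else ipaddress.ip_address(f[2])
            routes.append((net, gw, iface, int(f[4])))
        except ValueError:
            continue  # not a route row
    return routes

def shadowed_lan_routes(routes, lan_ip):
    """Flag routes to the LAN NIC's own subnet that win on metric but leave
    through a different interface (the symptom described in the thread)."""
    lan_ip = ipaddress.ip_address(lan_ip)
    by_net = defaultdict(list)
    for route in routes:
        by_net[route[0]].append(route)
    findings = []
    for net, group in by_net.items():
        if net.prefixlen in (0, 32) or lan_ip not in net:
            continue  # skip default and host routes, and foreign subnets
        lan_metrics = [m for _, _, iface, m in group if iface == lan_ip]
        for _, gw, iface, metric in group:
            if iface != lan_ip and (not lan_metrics or metric < min(lan_metrics)):
                findings.append({"network": str(net), "gateway": str(gw),
                                 "interface": str(iface), "metric": metric})
    return findings

if __name__ == "__main__":
    for hit in shadowed_lan_routes(parse_routes(ROUTE_PRINT), "10.0.0.1"):
        print("LAN route overridden:", hit)
```

Run against saved `route print` output taken before and after a RAS client connects, the second capture should be the only one that produces a finding.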