RRAS: Demand-dial Interface and/or new Broadband connection?

Discussion in 'Server Networking' started by Jaime Stuardo, Apr 23, 2005.

  1. Hi all...

    I'm getting problems configuring NAT so that LAN clients can connect to
    Internet through the Windows Server 2003 machine.

    I know that I have to create a demand-dial interface in RRAS MMC since
    Server connects to Internet through a DSL modem. But, what about if I create
    a new broadband connection in Network Connections of control panel? This
    latter alwats work when I connect to Internet from the server. When I only
    create a demand dial interface in RRAS, it never connects.

    How can I do it?
    Thanks a lot in advance

    Jaime Stuardo, Apr 23, 2005
    1. Advertisements

  2. Review the article in the link below from Microsoft on how to configure NAT
    and make sure you select the proper network adapter for external that is
    connected to the internet. You should only have to create the network
    connections in "network connections" for NAT . I have used DSL in the past
    and the pppoe connectoid is a pain. You might want to bypass it and use a
    NAT router/firewall instead that connects to your DSL modem. These devices
    will have different capabilities and costs depending on your needs. The
    Netgear ProSafe line starts at well under $100. --- Steve

    Steven L Umbach, Apr 23, 2005
    1. Advertisements

  3. Hi Steven,

    That step by step guide talks about the external interface yo have the
    addresses provided by the ISP, but that isn't my configuration. That external
    interface is connected to the ADSL modem and it is really assigned IP from
    the ISP. The external NIC remains without IP address until I assign to it a
    static one.

    When you say that I should create a network connection for NAT, do you mean
    that I have to create it only in RRAS MMC? I have to delete the network
    connection I created in control panel?

    Jaime Stuardo, Apr 23, 2005
  4. Your external adapter would be the one that is connected to the
    internet/ADSL modem. If that adapter connects to your ADSL modem then it
    should have the IP address that your ISP assigns either through static IP
    address or dynamic IP address. I have not used DSL in a while but if I
    remember correctly I have to use a pppoe "connectoid" unlike my cable modem
    where I do not have to do that anymore. NAT just needs to know the external
    adapter because that is the only one that will contain the default gateway
    and that would be the adapter that is configured with the pppoe
    onnectoid. --- Steve
    Steven L Umbach, Apr 23, 2005
  5. You mean that the external adapter should have the IP assigned by the ISP?

    In my case, the modem gets the IP... the external adapter remains with an IP
    I have to manually assign.
    Jaime Stuardo, Apr 24, 2005
  6. Modems do not get IP addresses, they are the interface between the telephone
    line and your Ethernet network. A DSL router device would need an IP address
    from your ISP and you can manage them through a web interface. Maybe you
    have one of those? --- Steve
    Steven L Umbach, Apr 24, 2005
  7. Yes... I discovered yesterday that I have a DSL router. Its model is X8024r
    from Xavi Technologies. I knew that its assigned IP is and it was
    supposed to be accesible by telnet or by a web interface as you said.
    Unfortunately, it seems that my ISP has changed the default password for it
    so I could connect to the administration interface :-(

    In order to connect to the DSL router, I had to assign the IP to
    the NIC that connects to it. So now both NIC's are in the same subnet, using

    Now that I know that this is not a modem but a router, how it is considered
    by RRAS? I think that for it it isn't a demand-dial interface then and in
    that case, I can connect using Network connections applet first and then,
    treat the connetion as it was always connected, am I right?

    So to have the picture clear. This configuration is if I had 3 NIC's? one
    for the LAN with IP, other intermediate with IP
    connected to the WAN through the gateway If this were true, I
    thought if I configure as the getway for interface it
    would work, but it didn't.

    Do you know how to manage this case?

    Thanks a lot in advance
    Jaime Stuardo, Apr 24, 2005
  8. Well that makes more sense. is the default gateway for your
    network so any computer on the 192.168.1.xxx network needs to be configured
    with as the default gateway if you want to access the internet.
    You could simply assign all your computers IP addresses on the 192.168.1.x
    network to access the internet which is what I do at home. The DSL router
    will offer protection by blocking uninitiated inbound traffic into your
    network in that it is a NAT/PAT device. You can double check that by doing a
    self scan at a site such as http://scan.sygatetech.com/ .

    If you still want to use RRAS to do NAT, then make sure that only the
    network adapter with the IP of is assigned the default gateway.
    That is what NAT will need to use as the "external" network interface per
    instructions in the KB article I referred you to when you configure NAT. You
    don't need to do anything more than what is listed in that article to
    configure NAT. As long as your "external" network adapter is enabled it will
    be an always on connection using DSL. It may help to disable RRAS and start
    all over with the wizard to set up your NAT connection.

    Another thing you should check is your network adapter priority order. In
    network connections go to advanced/advanced settings and make sure that the
    network adapter for the "internal" network which would be is at
    the top of the priority list. --- Steve
    Steven L Umbach, Apr 24, 2005
  9. I have done that and the only thing client could do was to resolve correctly
    the DNS.

    I have used finally these IP's:

    1.- : DSL router
    2.- : NIC that connects to the DSL router
    3.- : NIC that connects to the LAN
    4.- : A PC in the LAN named CAROLINA
    5.- : A PC in the LAN named JAIME

    This is the IPCONFIG information of a server (note that NIC with
    doesn't have default gateway. If I use as its gateway, server
    cannot resolve names and therefore, cannot browse internet):

    Windows IP Configuration

    Host Name . . . . . . . . . . . . : srv-dev
    Primary Dns Suffix . . . . . . . : DESYTEC.North
    Node Type . . . . . . . . . . . . : Unknown
    IP Routing Enabled. . . . . . . . : Yes
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : DESYTEC.North

    Ethernet adapter Internet:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
    Physical Address. . . . . . . . . : 00-11-43-2F-69-26
    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . :
    Subnet Mask . . . . . . . . . . . :
    Default Gateway . . . . . . . . . :

    Ethernet adapter LAN:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : D-Link DFE-530TX PCI Fast Ethernet
    r (rev.C)
    Physical Address. . . . . . . . . : 00-0D-88-CA-8F-CC
    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . :
    Subnet Mask . . . . . . . . . . . :
    Default Gateway . . . . . . . . . :
    DNS Servers . . . . . . . . . . . :

    PPP adapter Manquehue:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
    Physical Address. . . . . . . . . : 00-53-45-00-00-00
    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . :
    Subnet Mask . . . . . . . . . . . :
    Default Gateway . . . . . . . . . :
    DNS Servers . . . . . . . . . . . :
    NetBIOS over Tcpip. . . . . . . . : Disabled

    This is PathPing information of the server:

    Tracing route to www.microsoft.com.nsatc.net []
    over a maximum of 30 hops:
    0 srv-dev.DESYTEC.North []
    4 * * *
    Computing statistics for 100 seconds...
    Source to Here This Node/Link
    Hop RTT Lost/Sent = Pct Lost/Sent = Pct Address
    0 srv-dev.DESYTEC.North
    0/ 100 = 0% |
    1 30ms 0/ 100 = 0% 0/ 100 = 0%
    0/ 100 = 0% |
    2 30ms 0/ 100 = 0% 0/ 100 = 0%
    0/ 100 = 0% |
    3 49ms 0/ 100 = 0% 0/ 100 = 0%
    100/ 100 =100% |
    4 --- 100/ 100 =100% 0/ 100 = 0% srv-dev.DESYTEC.North []

    Trace complete.

    And this is the ipconfig of JAIME client:

    Windows IP Configuration

    Host Name . . . . . . . . . . . . : jaime
    Primary Dns Suffix . . . . . . . : DESYTEC.North
    Node Type . . . . . . . . . . . . : Hybrid
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : DESYTEC.North

    Ethernet adapter LAN:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : SiS 900-Based PCI Fast Ethernet
    Physical Address. . . . . . . . . : 00-0C-6E-2F-CF-F9
    Dhcp Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    IP Address. . . . . . . . . . . . :
    Subnet Mask . . . . . . . . . . . :
    Default Gateway . . . . . . . . . :
    DHCP Server . . . . . . . . . . . :
    DNS Servers . . . . . . . . . . . :
    Lease Obtained. . . . . . . . . . : Domingo, 24 de Abril de 2005
    Lease Expires . . . . . . . . . . : Lunes, 02 de Mayo de 2005 19:40:54

    And this is PathPing info of the JAIME client:

    Tracing route to www.microsoft.com.nsatc.net []
    over a maximum of 30 hops:
    0 jaime.DESYTEC.North []
    1 * * *
    Computing statistics for 25 seconds...
    Source to Here This Node/Link
    Hop RTT Lost/Sent = Pct Lost/Sent = Pct Address
    0 jaime.DESYTEC.North

    100/ 100 =100% |
    1 --- 100/ 100 =100% 0/ 100 = 0% jaime.DESYTEC.North []

    Trace complete.

    And finally this is the routing table of the server (note that the IP
    assigned by the ISP is and the first entry in the routing
    table is created automatically when connection is established):

    IPv4 Route Table
    Interface List
    0x1 ........................... MS TCP Loopback interface
    0x10003 ...00 11 43 2f 69 26 ...... Intel(R) PRO/1000 MT Network Connection
    0x10004 ...00 0d 88 ca 8f cc ...... D-Link DFE-530TX PCI Fast Ethernet
    Adapter (
    0xc0005 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
    Active Routes:
    Network Destination Netmask Gateway Interface Metric 1 1 10 1 10 1 10 1 1 50 50 10 1 1 1 1 1
    Default Gateway:
    Persistent Routes:

    With this information, can you know why client computers can resolve DNS but
    cannot ping a site or even connect to it with browser? I was thinking that
    the problem may be concerning firewall, but I tested enabling HTTP port in interface using private address, and event I disabled
    firewall but with the same results.

    Seeing Pathping information, I see that the packet doesn't even leave client
    computer. I don't know if I am interpreting it well.

    Thanks a lot
    Jaime Stuardo, Apr 25, 2005
  10. Is your server a domain controller?? If it is that will make a difference in
    the way you configure dns. The link below explains more.


    I am confused in that you said you are using a router. Normally the router
    will use the IP address that the ISP assigns and then use NAT/PAT to allow
    multiple computer behind the router to have intenet access via a class C
    network such as the 192.168.1.xxx as you mention. Yet your server route
    table and Ipconfig results show that your server has the public IP address??
    Your router needs to be connected to the DSL modem via the wan port on the
    router and then your server and other computers should connect to the
    "switch" ports on the router. If it has only one "lan" port then you need to
    connect a hub or switch to the lan port to plug your other computers into.
    Disable or delete the adapter [ maybe virtual pppoe??] that is using the IP address on the server. Also try using tracert to establish
    internet connectivity. Your pathping shows that the IP adresses
    and are in the path and those are "private" IP addresses yet
    you are not indicating that you are using those network IP's?? --- Steve

    XXXDSL modem ------ router WAN port-|XXX|-router LAN port --- your

    Steven L Umbach, Apr 25, 2005
  11. Yes... Server is a DC too. When I get back home I will read the link you gave

    Concerning the DSL router I'm using, its internal IP is but
    curiously, it's IP doesn't change when I connect to the ISP.

    The only way to connect the server to Internet is by creating a new
    (broadband) network connection in control panel. I think that is because I
    need to authenticate sending username and password. Once connected, that new
    connection is assigned the IP by the ISP. The DSL router, that is connected
    to the DSL line, keeps its internal IP, That router only
    provides a monouser connection, so I need to configure the server as the
    router in order to share Internet among client computers (which are connected
    to the LAN using a HUB).

    With respect to private addresses and, I was
    surprised of them too because those IP's don't exist on my network. Just IP's
    I showed you exist, so I thought PathPing was revealing me private IP's on
    the remote network.

    When I used TRACERT from the client, the packet get until the first hop
    only, that is, it didn't even leave the client computer.

    I'm wondering why ICS/ICF worked in this configuration automatically at
    first try. I tried to imitate ICS/ICF configuration using NAT but it didn't
    work. Unfortunately I cannot configure ICS/ICF back again because that option
    doesn't appear in advanced tab of my broadband connection, as it appeared
    before. So I have to continue fighting with this NAT configuration. The only
    fact I can be sure that what I'm trying to do is really possible is that
    ICS/ICF can do it. If ICS/ICF can do it, why cannot NAT?

    As the last point. If you see IPCONFIG of the client, it says that it
    doesn't have IP routing enabled. May be the problem?

    Jaime Stuardo, Apr 25, 2005
  12. The DSL router is where you should enter all the information such as
    username and password - that is what I have done in the past. I believe you
    said that you can not access the router because the ISP changed it? If that
    is so contact them and tell them you need the password or you need them to
    configure it with username/password OR buy one that you can configure if it
    is not a problem with your ISP's service agreement. When I got my DSL at
    work a couple years ago all I got was a modem and I took care of the router
    end. I don't know why they provided you with the type of router they did if
    they only want you to use one internet connection.

    Since you are using your server as a domain controller you really really
    should try to avoid using RRAS on it if at all possible and find a way to
    use the DSL router as the default gateway. Domain controllers should only
    have one network adapter.

    With your current weird configuration the problem sounds like you do not
    have the right default gateway and thus can not access the internet and is
    why tracert stops where it does. My assumption was that the router's lan
    side IP address of would be the default gateway as that is what
    it normally would be with a properly configured NAT/PAT router of the type
    you are using. Usually you make a network adapter a DHCP client to obtain
    information from your ISP unless they give you specific information for
    public IP address, subnet mask, dns servers, and default gateway.

    You mention ICS. ICS is not compatible with a domain controller environment
    because you need to configure DHCP on your server.

    As far a client computers on the network, they do not need to have routing
    enabled for internet access. If routing is enable that means that the
    computer can act as a router between networks if it has more than one
    network adapter. --- Steve

    Steven L Umbach, Apr 25, 2005
  13. DSL router is configured to connect to ISP network and I think ISP changed
    the administration password so that customers cannot access it and
    misconfigure something. I have another DSL router belonging to another ISP
    and to test connectivity with it, I connected this one to my server and no
    connection could be established, so if I could enter administratin of this
    ISP DSL router, maybe I could misconfigure something.

    Anyway, I don't need that password since DSL modem can connect. I enter
    login information when I create the broadband network connection.

    You said that ICS is incompatible with domain controllers, but I have
    configured this same server in a friend's site. He has almost the same
    configuration as me (DC, Active Directory, DNS, and even Exchange Server
    2003), and to make things simpler, I used ICS/ICF in that server and at the
    moment, it is working perfectly.

    Reading other posts in this same group I found out that other people have
    connectivity problems after installing Service Pack 1. And even, I read that
    SP1 may be the cause that ICS option has disappeared. When I get back home,
    the first thing I will do will be to uninstall SP1 and see what happen.

    If I am lucky, this would be the origins of all my problems :)


    Jaime Stuardo, Apr 25, 2005
  14. Since you have another DSL router, try connecting it directly to the DSL
    modem to see if you can get it to work that way. Look for pppoe
    configuration which is what DSL uses. Then you can enter the user name
    password and other configuration for the DSL connection. If that works then
    the gateway of should work.

    As far as ICS, if you got it to work then you may be lucky but I would not
    recommend [ nor does Microsoft] it as a permanent solution. ICS uses a DHCP
    allocator which can conflict with DHCP and DNS. Proper dns configuration is
    crucial for Active Directory functionality and reliability. The link below
    explains this more.


    I have heard about some network connectivity issues with SP1. Uninstalling
    it is worth a try. --- Steve

    Steven L Umbach, Apr 25, 2005
  15. Hi Steve,

    I have uninstalled SP1 and with respect to RRAS something changed. In that
    case, by doing a PathPing www.microsoft.com I saw that packet reachs the
    server (what didn't happen with SP1 installed) but it doesn't leave the
    server toward Internet.

    Anyway, After uninstalling SP1 I was able to configure ICS/ICF instead of
    NAT and it worked. All LAN computers have Internet access now. I reviewed
    server and client routing tables and IPCONFIG informations and I don't found
    any difference with respect to the configuration I had when trying to
    configure NAT. The great mistery in this moment is concerning what else
    ICS/ICF configuration does internally, configuration that was missing in my
    configuration. What commands can I run in order to get all possible
    information so that I could compare it between automatic configuration
    ICS/ICF and manually configured RRAS?


    Jaime Stuardo, Apr 26, 2005
  16. Well I am glad you got it to work though I can not recommend ICS for Active
    Directory domains. "Maybe" it works in small domains in certain
    configurations. You can use the support tools netdiag and dciag on domain
    controllers and netiag on domain computers to check for domain configuration
    health. You might try to configure NAT again without SP1 to see if it makes
    a difference. I am not sure what your exact problem with NAT was but
    generally the main problems are that the wrong network adapter is selected
    for NAT and there are inbound and outbound filters enabled on the interfaces
    that NAT is using that is blocking internet traffic. If you look at the
    properties of the network adapters in the NAT section and the IP
    routing/general section of RRAS Management Console you will see inbound and
    outbound filters. Normally they are not a problem unless you are also trying
    to use the server for VPN in which case inbound/outbound filters may be
    enabled to restrict traffic to just VPN ports/protocols but it would be a
    good idea to check them anyhow. --- Steve

    Steven L Umbach, Apr 26, 2005
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.