static routing

Discussion in 'Server Networking' started by Robert, Jul 2, 2007.

  1. Robert

    Robert Guest

    I have a branch office for which I have set up a demand dial interface for the
    network to the corporate office. I can browse resources on the corporate
    network from the branch server, but users on the branch lan cannot. They
    can access the internet, but nothing on the corporate web. I have done a
    million different combinations of static routes so the lan users can access
    the corporate network, but nothing seems to be working. Can anyone help me
    out here? I'm at a loss.

    Robert
     
    Robert, Jul 2, 2007
    #1

  2. Robert

    DanJ Guest

    Hi,

    Am I right in assuming that the Branch office server itself has the demand
    dial interface?
    Also, if that is the case, I assume the client PCs have their default
    gateway set to the LAN IP Address of the Branch Office Server... is that the
    case?

    It may be worth doing a Tracert to ensure that the Client PCs are going the
    correct route.

    The Static route needs to specify the Demand Dial Interface as the
    'Interface' for the Static Route. Specify destination IP Address and Subnet
    Mask for the remote network.

    If you can provide a little more info, I may be able to help more, sorry
    this response is slightly vague.

    Dan
    MCSA MCSE 2000/2003
     
    DanJ, Jul 2, 2007
    #2

  3. Robert

    Robert Guest

    Yes, you're right. Here is the setup:

    Branch Office
    Server "WAN"
    IP: 192.168.16.11
    Subnet: 255.255.255.0
    Gateway: 192.168.16.1

    Server "LAN"
    IP: 192.168.17.2
    Subnet: 255.255.255.0
    Gateway: "None"

    Client IP Setup:
    IP: 192.168.17.25
    Subnet: 255.255.255.0
    Gateway: 192.168.17.2

    I used static ip addressing on the clients to make it easier. The clients
    can connect to the internet just fine, but can't browse the remote network.
    The server already has the demand dial interface connected and I can browse
    the remote network from the server, but not from the clients. I can also
    browse the branch office server from the corporate office network (clients
    or servers). Hope this helps.

    Robert
     
    Robert, Jul 2, 2007
    #3
  4. Robert

    Bill Grant Guest

    To get routing working between the two sites you will need to set up a
    site to site (also called router to router) connection. Routing is a two-way
    process. You must have routes on the routers at both ends to be able to get
    from a host in one site to a host in the other.

    To do it using RRAS routers you need one in each site. The connection is
    made between the routers. Each router has a static route to the other site
    linked to a demand dial interface. The "calling" router connects to the dd
    interface on the answering router. The static route then becomes effective,
    routing traffic through the link.
     
    Bill Grant, Jul 3, 2007
    #4
  5. Robert

    Robert Guest

    OK, so if I understand you, I need to create a demand dial connection on
    both sides and connect them? I still don't understand how the lan users on
    the side that already has the dd connection made can't access the network,
    but the machine that made the connection can.

    Robert
     
    Robert, Jul 3, 2007
    #5
  6. Robert

    Bill Grant Guest

    The reason it doesn't work is, as I said previously, routing is a two-way
    process. A static route will get the traffic from one site to the other, but
    what happens to the traffic in the other direction?

    As an example, assume that a workstation in one site tries to ping a
    workstation at the other site. The packet goes to the default router which
    has a static route pointing to the "other" site via the point to point link.
    Everything is fine. What happens when the target machine tries to reply? As
    before, the packet goes to the default router for that site. This router
    does not have a route for the private IP subnet of the first site. It tries
    to send a reply using its default route (which is probably out to the
    Internet). The packet is discarded because private IPs cannot cross the
    Internet.

    Routing between sites will only work if each router has a static route
    for the subnet of the "other" site via the point to point connection. In
    this case, the privately addressed packet is encrypted and encapsulated
    before it is sent out to the Internet. (That is, the private traffic between
    the two private subnets is tunnelled through the public Internet). The
    traffic in both directions must use the tunnel.
     
    Bill Grant, Jul 3, 2007
    #6
  7. Robert

    Robert Guest

    OK, I understand, for the most part. On the corporate server, what do I put
    in for the gateway on the static route? Here is what I have so far:

    Static Route:
    Interface (Local Area Connection 2) --this is the only interface available
    on the corporate server
    Destination: 192.168.17.0
    Subnet: 255.255.255.0
    Gateway: ?????

    Robert
     
    Robert, Jul 3, 2007
    #7
  8. Robert

    Bill Grant Guest

    You can't do it manually because the interface doesn't exist until the
    connection is made. Is this server running RRAS? If so, you configure a
    demand dial interface. You then use the static route wizard to configure a
    static route for the subnet of the remote site and select the demand dial
    interface from the dropdown list as the interface.

    When you make a connection to the server you use the name of the
    demand-dial interface as the username. RRAS then connects you to the correct
    interface for the calling site (so that you get the correct subnet for the
    site. Multiple sites can connect using different dd interfaces and creating
    different tunnels.) When the dd interface becomes active, RRAS adds the
    static route (which has been stored in the registry) to the routing table.
     
    Bill Grant, Jul 4, 2007
    #8
  9. Robert

    Robert Guest

    OK, that's already been done on the remote branch side. On the remote branch
    server, the demand dial connection is already made and is connected 24/7. A
    static route has been added that matches the subnet of the corporate
    network. My problem is, users on the remote branch office network can't
    access the corporate network (ie; use the tunnel that has been made), but
    the server that has made the connection can. There is a missing link there.
    The server that made the connection can use the tunnel, but the users on the
    same network of this server can't? The users on this network (we're talking
    about the remote site here) use RRAS (same server and software that has
    established the tunnel) to access the internet. There is something I
    missed.

    Robert
     
    Robert, Jul 4, 2007
    #9
  10. Robert

    Bill Grant Guest

    I wasn't talking about the remote branch router. I was talking about the
    corporate router. Both routers must have a demand-dial interface and a
    corresponding static route. If the branch office makes a connection without
    connecting to a demand-dial interface, routing will not work. Instead of
    connecting as a router it connects as a simple remote access client. Instead
    of a subnet route, you just get a host route back to the client. So the
    server can route to the corporate LAN but machines behind it cannot.
     
    Bill Grant, Jul 4, 2007
    #10
  11. Robert

    Robert Guest

    OK, I am creating a demand dial interface on the corporate server that
    connects to the branch office server. This way, I will have a demand dial
    connection going from each end, with appropriate static routes. My only
    problem is, I knew this was going to happen, the router that I use at the
    remote office is a Linksys router that used to be used by a phone company
    (kind of like Vonage, but someone else). Of course, the VoIP function no
    longer works, but it's still a decent router. What I noticed when I had it
    at the corporate office for a little while, is when someone from outside
    tries to establish a VPN connection to the server on the inside, the user's
    connection just hangs at "Verifying Username and Password", then eventually
    times out. I think my only options are to either buy a new router or
    connect the remote office's cable modem directly to the server. Not really
    wanting to do the second option, and would prefer not to spend the money on
    a new router at the moment. Any ideas to get around this?

    Robert
     
    Robert, Jul 4, 2007
    #11
  12. Robert

    Bill Grant Guest

    That is puzzling. You said that the connection was up and stable. Was that
    running through this same router?

    If you are using PPTP, failure to connect through a router is usually
    caused by the router blocking GRE (Generic Routing Protocol) which is IP
    protocol 47. This usually causes a 721 error. Have you tried connecting from
    the branch end? Don't forget that the username must match the name of the
    demand-dial interface on the answering router.
     
    Bill Grant, Jul 5, 2007
    #12
  13. Robert

    Robert Guest

    Connections work going out from inside the router, but connections coming
    from outside to in don't work. I have the remote server in the DMZ zone, so
    ports won't affect it. It's just that piece of **** router. I guess for now
    I'll have to remove the router and connect the server directly to the cable
    modem. It will get me by. OK, so I get this name thing straight.
    Username is already setup on the corporate server, named "t-town". What do
    I name the connection that starts from the remote side? Then, what username
    should I set up in the wizard for the corporate connection to login with?
    Also, do I name the connection that the corporate server makes the same as
    the username it is logging in with? If this helps, email me and we can talk
    outside of this forum.

    Robert
     
    Robert, Jul 5, 2007
    #13
  14. Robert

    Bill Grant Guest

    You only need to set up the connection from one end. You do not have two
    separate connections. It is just one connection between the two routers.
    From the RRAS server at the branch office, start the connection using the
    name of the dd interface on the corporate RRAS router. When it connects, the
    dd interfaces on both routers should bind to the connection, and the static
    routes linked to them appear in the routing tables.

    Each router now has a static route to the subnet at the other site bound
    to the connection. I suspect your problem is having additional routers in
    the setup. It will only work straight off if the RRAS routers are the default
    gateways for the sites. If this is not the case you will need extra routing
    on the LAN to get the traffic from the default gateway of the LAN to the
    RRAS router.

    A router to router link just works like a slow IP router. All traffic
    which is addressed to a private IP of the "other" site is directed through
    the tunnel. Like any other router it can only redirect traffic which
    actually gets to it. If the private addressed traffic hits an Internet
    router before it gets to the VPN router it fails, because the private
    traffic is sent to the Internet unencapsulated.
     
    Bill Grant, Jul 5, 2007
    #14
  15. Robert

    Robert Guest

    OK, good news and bad news. Did what you said and now workstations on the
    remote side can access the corporate network. Here is the catch, sitting
    from my laptop, or any workstation on the remote side, can't access anything
    other than the RRAS server, also my pdc that the remote connection was
    answered by. I can't access any other computers and servers in the same lan
    on the corporate side from the workstations. Of course, it works just fine
    from the remote server, but not clients. Any suggestions?

    Robert
     
    Robert, Jul 5, 2007
    #15
  16. Robert

    Robert Guest

    Problem fixed. Figured out other servers and some workstations were using
    hardware router for gateway, instead of RRAS server. Everything is working
    correctly now. Thanks for your help Bill.

    Robert
     
    Robert, Jul 6, 2007
    #16
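
Added example, not part of any post in the thread: a small Python model of the reply path discussed in #6, #10 and #14, and of the gateway mismatch found in #16. The 192.168.17.x addresses come from the thread; the tunnel address 10.0.99.5 and the hop labels ("tunnel", "rras", "internet") are assumptions made for the illustration.

```python
import ipaddress

DELIVERED = "delivered via tunnel"
DROPPED = "dropped: private address sent to the Internet"

def table(*routes):
    return [(ipaddress.ip_network(net), hop) for net, hop in routes]

def lookup(tbl, dst):
    """Longest-prefix match, as an IP router does; None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    hits = [(net.prefixlen, hop) for net, hop in tbl if addr in net]
    return max(hits, key=lambda h: h[0])[1] if hits else None

def reply_fate(gateway_tbl, rras_tbl, dst):
    """Follow a reply from a corporate host towards dst at the branch."""
    hop = lookup(gateway_tbl, dst)
    if hop == "rras":                 # gateway forwards to the RRAS server
        hop = lookup(rras_tbl, dst)
    return DELIVERED if hop == "tunnel" else DROPPED

DEFAULT = ("0.0.0.0/0", "internet")
BRANCH_LAN = "192.168.17.0/24"        # from the thread
BRANCH_CLIENT = "192.168.17.25"       # from the thread
TUNNEL_ADDR = "10.0.99.5"             # assumed address given to a dial-in client

# Corporate RRAS when the branch connects as a plain remote access client (#10):
# only a host route back to the caller exists.
rras_client_mode = table(DEFAULT, (TUNNEL_ADDR + "/32", "tunnel"))
# Corporate RRAS when the branch binds to a demand-dial interface (#14):
# the subnet route linked to that interface is installed.
rras_router_mode = table(DEFAULT, (BRANCH_LAN, "tunnel"))
# Hardware router used as default gateway by some corporate hosts (#16),
# without and with an extra route pointing branch traffic at the RRAS server.
hw_router = table(DEFAULT)
hw_router_fixed = table(DEFAULT, (BRANCH_LAN, "rras"))

def scenarios():
    return {
        "client mode, reply to branch server": reply_fate(rras_client_mode, rras_client_mode, TUNNEL_ADDR),
        "client mode, reply to branch PC": reply_fate(rras_client_mode, rras_client_mode, BRANCH_CLIENT),
        "router mode, host gateway = RRAS": reply_fate(rras_router_mode, rras_router_mode, BRANCH_CLIENT),
        "router mode, host gateway = hw router": reply_fate(hw_router, rras_router_mode, BRANCH_CLIENT),
        "router mode, hw router has branch route": reply_fate(hw_router_fixed, rras_router_mode, BRANCH_CLIENT),
    }

if __name__ == "__main__":
    for name, fate in scenarios().items():
        print(f"{name:42} -> {fate}")
```
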