static routing

I have a branch office of which I am setup a demand dial interfact for the
network to the corporate office. I can browse resources on the coporate
network from the branch server, but users on the branch lan cannot. They
can access the internet, but nothing on the corporate web. I have done a
million different combinations of static routes so the lan users can access
the corporate network, but nothing seems to be working. Can anyone help me
out here? I'm at a loss.

Robert

 

Hi,

Am I right in assuming that the Branch office server itself has the demand
dial interface?
Also, if that is the case, I assume the client PCs have their default
gateway set to the LAN IP Address of the Branch Office Server... is that the
case?

It may be worth doing a Tracert to ensure that the Client PCs are going the
correct route.

The Static route needs to specify the Demand Dial Interface as the
'Interface' for the Static Route. Specify destination IP Address and Subnet
Mask for the remote network.

If you can provide a little more info, I may be able to help more, sorry
this response is slightly vague.

Dan
MCSA MCSE 2000/2003

 

Yes, your right. Here is the setup:

Branch Office
Server "WAN"
IP: 192.168.16.11
Subnet: 255.255.255.0
Gateway: 192.168.16.1

Server "LAN"
IP: 192.168.17.2
Subnet: 255.255.255.0
Gateway: "None"

Client IP Setup:
IP: 192.168.17.25
Subnet: 255.255.255.0
Gateway: 192.168.17.2

I used static ip addressing on the clients to make it easier. The clients
can connect to the internet just fine, but can't browse the remote network.
The server already has the demand dial interface connected and I can browse
the remote network from the server, but not from the clients. I can also
browse the branch office server from the corporate office network (clients
or servers). Hope this helps.

Robert

 

To get routing working between the two sites you will need to set up a
site to site (also called router to router) connection. Routing is a two-way
process. You must have routes on the routers at both ends to be able to get
from a host in on site to a host in the other.

To do it using RRAS routers you need one in each site. The connection is
made between the routers. Each router has a static route to the other site
linked to a demand dial interface. The "calling" router connects to the dd
interface on the answering router. The static route thehn become effective,
routing traffic through the link.

 

OK, so if I understand you, I need to create a demand dial connection on
both sides and connect them? I still don't understand how the lan users on
the side that already has the dd connection made can't access the network,
but the machine that made the connection can.

Robert

 

The reson it doesn't work is, as I said previously, routing is a two-way
process. A static route will get the traffic from one site to the other, but
what happens to the traffic in the other direction?

As an example, assume that a workstation in one site tries to ping a
workstsation at the other site. The packet goes to the default router which
has a static route pointing to the "other" site via the point to point link.
Everything is fine. What happens when the target machine tries to reply? As
before, the packet goes to the default router for that site. This router
does not have a route for the private IP subnet of the first site. It tries
to send a reply using its default route (which is probably out to the
Internet). The packet is discarded because private IPs cannot cross the
Internet.

Routing between sites will only work if each router has a static route
for the subnet of the "other" site via the point to point connection. In
this case, the privately addressed packet is encrypted and encapsulated
before it is sent out to the Internet. (That is, the private traffic between
the two private subnets is tunnelled through the public Internet). The
traffic in both directions must use the tunnel.

 

OK, I understand, for the most part. On the corporate server, what do I put
in for the gateway on the static route? Here is what I have so far:

Static Route:
Interface (Local Area Connection 2) --this is the only interface available
on the corporate server
Destination: 192.168.17.0
Subnet: 255.255.255.0
Gateway: ?????

Robert

 

You can't do it manually because the interface doesn't exist until the
connection is made.Is this server running RRAS? If so, you configure a
demand dial interface. You then use the static route wizard to configure a
static route for the subnet of the remote site and select the demand dial
interface from the dropdown list as the interface.

When you make a connction to the server you use the name of the
demand-dial interface as the username. RRAS then connects you to the correct
interface for the calling site (so that you get the correct subnet for the
site. Multiple sites can connect using different dd interfaces and creating
different tunnels.) When the dd interface becomes active, RRAS adds the
static route (which has been stored in the registry) to the routing table.

 

Ok, thats already been done on the remote branch side. On the remote branch
server, the deman dial connection is already made and is connected 24/7. A
static route has been added that matches the subnet of the corporate
network. My problem is, users on the remote branch office network can't
access the corporate network (ie; use the tunnel that has been made), but
the server that has made the connection can. There is a missing link there.
The server that made the connection can use the tunnel, but the users on the
same network of this server can't? The users on this network (were talking
about the remote site here) use RRAS (same server and software that has
established the tunnel) to access the internet. There is something I
missed.

Robert

 

I wasn't talking about the remote branch router. I was talking about the
corporate router. Both routers must have a demand-dial interface and a
corresponding static route. If the branch office makes a connection without
connecting to a demand-dial interface, routing will not work. Instead of
connecting as a router it connects as a simple remote access client. Instead
of a subnet route, you just get a host route back to the client. So the
server can route to the corporate LAN but machines behind it cannot.

 

OK, I am creating a deman dial interface on the corporate server and
connects to the branch office server. This way, I will have a demand dial
connection going from each end, with appropriate static routes. My only
problem is, I knew this was going to happen, the router that I use at the
remote office is a Linksys router that used to be used my a phone company
(kind of link Vonage, but someone else). Of course, the voip function no
longer works, but its still a decent router. What I noticed when I had it
at the corporate office for a little while, is when someone from outside
tries to establish a VPN connection to the server on the inside, the users
connection just hangs at "Verifying Username and Password", then eventually
times out. I think my only options are to either buy a new router or
connect the remote office's cable modem directly to the server. Not really
wanting to do the second option, and would prefer not to spend the money on
a new router at the moment. Any ideas to get around this?

Robert

 

That is puzzling. You said that the connection was up and stable. Was that
running through this same router?

If you are using PPTP, failure to connect through a router is usually
caused by the router blocking GRE (Generic Routing Protocol) which is IP
protocol 47. This usually causes a 721 error. Have you tried connecting from
the branch end? Don't forget that the username must match the name of the
demand-dial inerface on the answering router.

 

Connections work going out from inside the router, but connection coming
from outside to in don't work. I have the remote server in the dmz zone, so
ports won't affect it. Its just that piece of **** router. I guess for now
I'll have to remove the router and connect the server directly to the cable
modem. It will get me buy. OK, so I get this name thing straight.
Username is already setup on the corporate server, named "t-town". What do
I name the connection that starts from the remote side? Then, what username
should I set up in the wizard for the corporate connection to login with?
Also, do I name the connection that the corporate server makes the same as
the username it is logging in with? If this helps, email me and we can talk
outside of this forum.

Robert

 

You only need to set up the connection from one end. You do not have two
separate connections. It is just one connection between the two routers.
From the RRAS server at the branch office, start the connection using the
name of the dd interface on the corporate RRAS router. When it connects, the
dd interfaces on both routers should bind to the connection, and the static
routes linked to them appear in the routing tables.

Each router now has a static route to the subnet at the other site bound
to the connection. I suspect your problem is having additional routers in
the setup. It will only work staight off if the RRAS routers are the default
gateways for the sites. If this is not the case you will need extra routing
on the LAN to get the traffic from the default gateway of the LAN to the
RRAS router.

A router to router link just works like a slow IP router. All traffic
which is addressed to a private IP ot the "other" site is directed through
the tunnel. Like any other router it can only redirect traffic which
actually gets to it. If the private addressed traffic hits an Internet
router before it gets to the VPN router it fails, because the private
traffic is sent to the Internet unencapsulated.

 

OK, good news and bad news. Did what you said and now workstations on the
remote side can access the corporate network. Here is the catch, sitting
from my laptop, or any workstation on the remote side, can't access anything
other than the RRAS server, also my pdc that the remote connection was
answered by. I can't access any other computers and servers in the same lan
on the corporate side from the workstations. Of course, it works just fine
from the remote server, but not clients. Any suggestions?

Robert

 

Problem fixed. Figured out other servers and some workstations were using
hardware router for gateway, instead of RRAS server. Everything is working
correctly now. Thanks for your help Bill.

Robert