Internal computers can not access internet after enable packet filter on VPN server


msnews group

I just set up a small private network with a 1x win2k DHCP/DNS/Domain server
and 3x workstations. they are all behind a netgear firewall router with the
private network is and the netgear router got static IP pointing to
the Internet. the domain server was also a VPN RAS server, it got 2 nics,
both nics were configured with privated IPs, (dns) and
(VPN RAS server). Now every thing works OK as it should be... until I
enable packet filter on Nic2 (VPN RAS sever) for inbound then vpn
clients were able to connect into the server fine but all computer in
internal network behind the netgear firewall could not access to the
internet. If I disable packet filter on Nic2 then all internal
computer ok to access the internet and vpn clients also ok to connect in,
however, if packet filter is not able for RAS it would leave an attack to
the internal network. Any suggestion to resolve this problem would be


Robert L [MS-MVP]

quoted from
Internal clients can't access the Internet after a remote client connects to
Symptoms: After a remote client establishes a connection on a RRAS which is
installed on a domain controller with DNS, one or more of the following
symptoms may occur:
1) Internal clients may no longer be able to browse the Web through Internet
Security and Acceleration (ISA) Server, regardless of whether or not Web
Proxy or the Firewall Client is being used for Web browsing.
2) A "The page cannot be displayed" error message is generated when you use
a Web browser.
3) A "cannot find server or DNS" error occurs.
4) From an internal client, if you use PING to ping the name of the server,
PING returns any other address other than the IP address that is bound to
the server's internal adapter.
5) You cannot browse through the list of computers in Network Neighborhood
or My Network Places.
6) You cannot connect to the following Web page:
7) You may receive the following event message: Event ID: 4319, Source:
Netbt, Description: A duplicate name has been detected on the tcp network.
The IP address of the machine that sent the message is in the data. Use
NBTSTAT with a switch of N in a command window to see which name is in a
conflict state.
8) When a client clicks Update Now from the Firewall Client applet in
Control Panel, the client may receive the following error message:

The server is not responding when client requests an update.
Possible causes:
-The server is not an ISA Server.
-The server is down.
9) Windows 2000 LAN clients cannot map a network drive to the server. The
client may receive the following error message: No Logon Servers Available
to Service your Logon Request.

Resolutions: This issue can occur if the client computer receives a response
from DNS that includes the wrong Internet Protocol (IP) address. This
address is only returned in a query after a remote client has connected by
using Dial-Up Networking. This IP address is registered with DNS if network
basic input/output system (NetBIOS) is bound to the RRAS server's dial-in
interfaces or if DNS is configured to listen on all interfaces. To resolve
this problem, obtain the latest service pack for Windows 2000.
For more and other information, go to

Don't send e-mail or reply to me except you need consulting services.
Posting on MS newsgroup will benefit all readers and you may get more help.

Robert Lin, MS-MVP, MCSE & CNE
Windows & Network Support, Tips and FAQs on
This posting is provided "AS IS" with no warranties.

Bill Grant

No, you can't do it that way. If you want to use filtering on a NIC of
the RRAS server, you have to make it the default gateway of your private
network. You would have to set it up so that only the RRAS server is
connected to the router.

If you are using the router as the default gateway of your network, you
only need one network card in the server. Having two NICs in the server
which are in the same subnet upsets RRAS, and it certainly doesn't work the
way you seem to think it does.

So you really only have two options. Run the system with one NIC in the
server and forward PPTP from the router. You would have to set up the
filtering on the router. Or set up the network with the server as the
gateway of the LAN. The LAN machines would be in one subnet, and the
"external" NIC and the router in a different subnet.

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question