LAN, DMZ, WLAN, RRAS and VPN create Routing issue


P. Prisack

Hello NG,

we have a dodgy little problem here which I can't seem to solve, maybe
I'm missing something basic.

The scenario is as follows:

There is a LAN with subnet, a W2K server on
and a router for internet connection (outgoing only) on

Now I've implemented a DMZ on subnet with an own router
on (incoming only). I've mounted a second NIC into the
server and assigned as DMZ IP. VPN ports are forwarded from
the VPN router to the server's DMZ NIC.

I successfully set up RRAS and a VPN server where, on first glance,
everythings looks fine. But there is a routing issue:

If I configure in RRAS the LAN router (.1.100) as a default gateway, all
works fine for VPN clients who connect with an IP from the DMZ (i.e.
WLAN laptops, they receive an IP out of the range from the
DMZ router).

Clients which try to connect from the internet have a problem, because
the VPN server doesn't know the correct route back to the client.

The authentication request arrives at the server:
VPN client -> internet -> DMZ router -> VPN server (DMZ interface)

But the answer goes:
VPN server (LAN interface) -> LAN router -> internet -> nowhere

I don't want to configure the default gateway in RRAS to use the DMZ
router (.2.100) for several reasons: I dont't want the server's own
internet traffice to go through the DMZ, I don't want the laptops'
internet traffice go through the DMZ, I want all internet traffic to
pass the VPN server so I can take control or set up filters later.

I had expected that the VPN server would answer authentication requests
on the interface they arrive, no matter what default gateway exists

Is there a way to achieve this, am I a victim of misconception, or is it
just a stupid mistake? Any hints are greatly appreciated.

Best wishes

Bill Grant

No, you can't really make it run like that. A machine can have multiple
gateways, but only one can be the default gateway. If you know what traffic
needs to use a gateway you can use static routing to get traffic to an
alternate gateway. But Internet access and VPN both need default routing,
because you cannot know in advance what IP address the client will connect

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question