LAN, DMZ, WLAN, RRAS and VPN create Routing issue


P. Prisack

Hello NG,

We have a dodgy little problem here which I can't seem to solve; maybe
I'm missing something basic.

The scenario is as follows:

There is a LAN with subnet 192.168.1.0/24, a W2K server on 192.168.1.1
and a router for internet connection (outgoing only) on 192.168.1.100.

Now I've implemented a DMZ on subnet 192.168.2.0/24 with its own router
on 192.168.2.100 (incoming only). I've mounted a second NIC in the
server and assigned 192.168.2.1 as the DMZ IP. VPN ports are forwarded from
the VPN router to the server's DMZ NIC.

I successfully set up RRAS and a VPN server where, at first glance,
everything looks fine. But there is a routing issue:

If I configure the LAN router (.1.100) as the default gateway in RRAS, all
works fine for VPN clients who connect with an IP from the DMZ (i.e.
WLAN laptops, which receive an IP out of the 192.168.2.0 range from the
DMZ router).

Clients which try to connect from the internet have a problem, because
the VPN server doesn't know the correct route back to the client.

The authentication request arrives at the server:
VPN client -> internet -> DMZ router -> VPN server (DMZ interface)

But the answer goes:
VPN server (LAN interface) -> LAN router -> internet -> nowhere

I don't want to configure the default gateway in RRAS to use the DMZ
router (.2.100) for several reasons: I don't want the server's own
internet traffic to go through the DMZ, I don't want the laptops'
internet traffic to go through the DMZ, and I want all internet traffic to
pass through the VPN server so I can take control or set up filters later.

I had expected that the VPN server would answer authentication requests
on the interface they arrive on, regardless of which default gateway is
configured.

Is there a way to achieve this, am I a victim of misconception, or is it
just a stupid mistake? Any hints are greatly appreciated.

Best wishes
Peter

Bill Grant

No, you can't really make it run like that. A machine can have multiple
gateways, but only one can be the default gateway. If you know what traffic
needs to use a gateway you can use static routing to get traffic to an
alternate gateway. But Internet access and VPN both need default routing,
because you cannot know in advance what IP address the client will connect
from.
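The following is an added illustration of the point made in this reply; it is not code from either poster. It models the server's routing table as a longest-prefix-match lookup and shows why the forwarding decision depends only on the destination address, never on the interface a packet arrived on: a reply to a DMZ-side WLAN client matches the directly connected 192.168.2.0/24 route, while a reply to any internet client falls through to the default route via the LAN router (.1.100), which is the asymmetric path the original post describes. Adding a static route for one known client prefix via the DMZ router (.2.100) fixes that prefix alone, and any other internet client still exits via the default gateway. The client addresses 203.0.113.7 and 198.51.100.9 are constructed sample values from documentation ranges.

```python
import ipaddress

# Constructed routing table for the RRAS server in the thread:
# (destination network, next-hop gateway or None if directly connected, egress interface).
# The default route points at the LAN router (.1.100), as the original poster configured it.
ROUTES = [
    (ipaddress.ip_network("192.168.1.0/24"), None, "LAN"),
    (ipaddress.ip_network("192.168.2.0/24"), None, "DMZ"),
    (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_address("192.168.1.100"), "LAN"),
]


def lookup(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins.

    Note that the ingress interface is not an input to this decision; the
    host routing table only looks at the destination address.
    """
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best


def reply_path(routes, client_ip):
    """Return (egress interface, next hop) the server uses for a reply to client_ip."""
    net, gw, iface = lookup(routes, client_ip)
    return iface, (str(gw) if gw is not None else "direct")


def with_static_route(routes, prefix, via, iface):
    """Return a copy of the table with one static route added (e.g. a known client prefix)."""
    return routes + [(ipaddress.ip_network(prefix), ipaddress.ip_address(via), iface)]


if __name__ == "__main__":
    # WLAN laptop on the DMZ subnet: reply goes straight out the DMZ NIC.
    print("WLAN client 192.168.2.50 ->", reply_path(ROUTES, "192.168.2.50"))
    # Internet client: reply leaves via the LAN router, not the DMZ router it came in through.
    print("Internet client 203.0.113.7 ->", reply_path(ROUTES, "203.0.113.7"))
    # A static route helps only for the prefix you know about in advance.
    pinned = with_static_route(ROUTES, "203.0.113.0/24", "192.168.2.100", "DMZ")
    print("With static route, 203.0.113.7 ->", reply_path(pinned, "203.0.113.7"))
    print("With static route, 198.51.100.9 ->", reply_path(pinned, "198.51.100.9"))
```

Running the script prints the egress interface and next hop for each case; the last line shows that a second, unknown internet client still takes the LAN default gateway, which is exactly why a static route cannot substitute for default routing when the client address is not known beforehand.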