VPN vs. VLAN

vap0rtranz

I'm setting up a totally isolated VLAN for testing and bumped into a few
issues connecting to it via RRAS's VPN.

VPN via PPTP works. I can connect to the Win2k DC running RRAS from an XP
client; it gets a statically defined IP and can do basic networking (ex: ping
the server). DNS and DHCP for the client, however, are broken. With RAS
configured to give IPs via DHCP and the Internal interface doing DHCP Relay,
the XP client gets an IP from the LAN router. This totally flies in the
face of a VLAN; I had thought that because the server only has RAS enabled --
not Routing for LAN nor LAN and dial-in -- that it would keep VPN clients
unroutable from the physical LAN and essentially create a VLAN. Maybe I
misunderstand how Microsoft wants this done?

I want DHCP leases given from the server so that VPN clients are totally
integrated in AD/DDNS. This is not possible with the IP List option in RRAS.
To not cause IP conflicts with the LAN router's DHCP daemon I had unbound
the server's DHCP service from the local NIC. Yet a VPN client gets an IP
from the LAN router, so I'm doing something wrong. It must be the Relay
Agent that is passing over the client's DHCP request to the LAN router, no?

Also, how do I bind a static IP address for the server on this VLAN that I'm
creating? There's no such option for the Internal interface in rrasmgmt.msc,
and when I assigned a VLAN IP address to the Local (NIC) interface alongside
its LAN IP, I lost remote connectivity to the server :( So this post is to
solicit how Microsoft wants this done until I can get to the server's console.

Justin
--
AIM/YIM/ICQ: vap0rtranz
Homepage: http://appstate.edu/~jp59031/

"Here on the moon, our weekends are so advanced, they encompass the entire
week." - Ignignokt
 
Phillip Windell

The VPN Server must be in the LAN Segment that you want the users to be in.
The Users will be in whatever Segment the "internal interface" is in. RRAS
must have the DHCP Relay Agent installed and functioning.

The DHCP Server needs a separate distinct Scope for every IP Segment that it
services.

VLANs are irrelevant,...An IP segment is an IP segment, no matter how it was
"created".

The LAN Router between the IP Segments needs to be configured to forward
DHCP Queries to the DHCP Server.


--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
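An added illustration, not part of the thread and not Microsoft's RRAS or DHCP code: a small Python model of the two mechanisms Phillip describes above, the DHCP Relay Agent stamping the request with the address of the interface it arrived on (the giaddr field, per RFC 2131) and the DHCP server choosing a scope by that address. It shows why a VPN client ends up in whatever segment the RRAS "internal interface" lives in, and why the server stays silent when no scope matches that segment. All addresses, MACs, scope names and the cut-down packet model are constructed for the example.

```python
"""Model of DHCP relay + scope selection for RRAS VPN clients (constructed example)."""
import ipaddress
from dataclasses import dataclass, field

UNSET_GIADDR = "0.0.0.0"   # giaddr is zero until a relay agent touches the packet


@dataclass
class DhcpDiscover:
    """Only the DHCPDISCOVER fields that matter for scope selection."""
    client_mac: str
    giaddr: str = UNSET_GIADDR   # gateway (relay) IP address, RFC 2131 section 2
    hops: int = 0


@dataclass
class Scope:
    """One DHCP scope: a subnet plus the addresses still free in it."""
    name: str
    network: ipaddress.IPv4Network
    free: list = field(default_factory=list)


def relay(packet: DhcpDiscover, relay_interface_ip: str) -> DhcpDiscover:
    """What the DHCP Relay Agent does (RFC 2131 section 4.1): if giaddr is still
    zero, fill it with the address of the interface the broadcast came in on,
    bump the hop count, then unicast the packet to the configured DHCP server.
    For RRAS that interface is the "internal interface" VPN clients sit behind."""
    if packet.giaddr == UNSET_GIADDR:
        packet.giaddr = relay_interface_ip
    packet.hops += 1
    return packet


def select_scope(scopes, packet: DhcpDiscover, server_interface_ip: str):
    """Server-side scope selection: a relayed request is matched on giaddr;
    a locally broadcast one (giaddr still zero) on the receiving interface."""
    key = ipaddress.IPv4Address(
        server_interface_ip if packet.giaddr == UNSET_GIADDR else packet.giaddr
    )
    for scope in scopes:
        if key in scope.network:
            return scope
    return None   # no scope for that segment: the server ignores the request


def offer(scopes, packet: DhcpDiscover, server_interface_ip: str):
    """Return (scope name, offered IP) or None when nothing can be offered."""
    scope = select_scope(scopes, packet, server_interface_ip)
    if scope is None or not scope.free:
        return None
    return scope.name, scope.free.pop(0)


def build_scopes():
    """Two constructed scopes: the physical LAN and the segment meant for VPN users."""
    return [
        Scope("LAN", ipaddress.ip_network("192.168.1.0/24"),
              ["192.168.1.100", "192.168.1.101"]),
        Scope("VPN", ipaddress.ip_network("192.168.2.0/24"),
              ["192.168.2.100"]),
    ]


def vpn_client_lease(internal_interface_ip: str, scopes=None):
    """Walk one VPN client's DHCPDISCOVER through the relay agent to the server.
    The server's LAN NIC address (192.168.1.2) is constructed."""
    scopes = scopes if scopes is not None else build_scopes()
    pkt = DhcpDiscover(client_mac="00:11:22:33:44:55")   # constructed client MAC
    pkt = relay(pkt, internal_interface_ip)
    return offer(scopes, pkt, "192.168.1.2")


if __name__ == "__main__":
    # Internal interface in the LAN segment: the VPN client gets a LAN lease,
    # which is exactly what the original poster observed.
    print(vpn_client_lease("192.168.1.10"))
    # Internal interface in the VPN segment, and a scope exists for it.
    print(vpn_client_lease("192.168.2.1"))
    # Internal interface in the VPN segment, but only the LAN scope exists:
    # the server has nothing to offer and the client never gets a lease.
    print(vpn_client_lease("192.168.2.1", [build_scopes()[0]]))
```

The third call is the case to watch for when troubleshooting: moving the interface without adding the matching scope does not produce a wrong lease, it produces no lease at all, which looks like "DHCP is broken" from the client side.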
 
vap0rtranz

> VLANs are irrelevant,...An IP segment is an IP segment, no matter how it
> was "created".

Yea I didn't want to get into semantic wars about what a "VLAN" is;
basically what I meant was: how does one correctly assign another IP to a NIC
in win2k? an IP that can be bound to the local DHCP service (instead of
listening in on the same network as the LAN router's DHCP daemon). In *nix
worlds this is easily done via an ip alias and binding daemons to listening
only on those aliases (instead of the interface globally). I just don't see
an easy way to do this via RRAS. netsh looks more promising but there's
little documentation on it ...

Justin
--
AIM/YIM/ICQ: vap0rtranz
Homepage: http://appstate.edu/~jp59031/

"Here on the moon, our weekends are so advanced, they encompass the entire
week." - Ignignokt
 
Phillip Windell

vap0rtranz said:
> Yea I didn't want to get into semantic wars about what a "VLAN" is;

Others read these when searching the Internet for answers, so I write things
to "clarify" as much for them as for you based on common misunderstandings
that I often run across.

> basically what I meant was: how does one correctly assign another IP to a
> NIC in win2k? an IP that can be bound to the local DHCP service (instead of
> listening in on the same network as the LAN router's DHCP daemon). In *nix
> worlds this is easily done via an ip alias and binding daemons to listening
> only on those aliases (instead of the interface globally). I just don't see
> an easy way to do this via RRAS. netsh looks more promising but there's
> little documentation on it ...

I just don't see how it solves anything you want to do. You can add
multiple IP#s to an interface, that's common. You can also add IP#s/Masks to
the same Nic that are even in a different subnet but it just isn't a very
good idea.

Now for the RRAS/VPN box you can go to the TCP/IP Properties of the
LAN-facing Nic and go to the Advanced section and add a different IP#/Mask
for what "segment" you want,...but most likely that will just make a mess.
The interface would have to be physically on a wire that runs both segments
on it (which VLANs can do) but your Nic driver must be capable of Frame
Tagging that is compatible with the Frame Tagging that the Switch is using.
Then after that the RRAS Service may just "throw up" on that and not work as
you expect.

The best approach is to run a single IP/Mask on the Interface and have that
interface on a "wire" that is on the correct subnet that you want the VPN
users to "live" in. Whether you do an Address Pool in RRAS or use DHCP with
the DHCP Relay Agent is up to you.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
 
vap0rtranz

> so I write things to "clarify"

Good point.

> but most likely that will just make a mess.

Indeed. Doing exactly that is how I lost my RDP session with the box :( At
least it's a test box, but it means there's some routing that barfed.
Perhaps I added another gateway to itself ... I'll have to check when I get
to the console.

> your Nic driver must be capable of Frame Tagging that is compatible with
> the Frame Tagging that the Switch is using

This reminded me that DHCP REQ/ACK are broadcast; I'd have to physically
segment the network anyway to keep the router and server from giving
conflicting IPs, so I don't even know what I meant by saying "bind DHCP to an
IP address".

This all means that I'll probably have to use the statically assigned IP pool
via RAS and configure VPN clients to use the DC as their DNS server, etc. :(
It was a try ...

Justin
--
AIM/YIM/ICQ: vap0rtranz
Homepage: http://appstate.edu/~jp59031/

"Here on the moon, our weekends are so advanced, they encompass the entire
week." - Ignignokt
 
Phillip Windell

vap0rtranz said:
> This all means that I'll probably have to use the statically assigned IP
> pool via RAS and configure VPN clients to use the DC as their DNS server,
> etc. :(
> It was a try ...

The LAN Interface of the VPN Server will still have to reside in the LAN
Segment you want the users to "live in". There is nothing bad about them
using the AD/DNS,...that is the way it should be on a properly configured
system,...in fact they should never use anything else for DNS.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
 