
Router advice for VPN

Status
Not open for further replies.

fissidens

I have a small Windows 2003 network with all internal clients and 2 DCs on a backbone / hub network layout. The servers only have one NIC each. We have a router just plugged into one of the hubs (ZyXEL 652) which appears not to allow PPTP passthrough - I just get the 721 error. I think I have tried everything anyone's ever suggested (1723 port forwarding, inbound firewall settings on the router etc.)!

Has anyone out there managed to connect a remote XP client to a network similarly configured to the above and which router did they use? Were there any issues with address pools? We use the 192.168.1.0 subnet for our internal IP addresses. One of the DCs is also a DHCP server. The remote machine I am experimenting with is a laptop which is a member of the domain already.

One thing I did find was that I could access the RRAS service when using the laptop internally but that DHCP issued an address in our main address pool and then DNS set up a Host A record for the server at that address (as well as its own static address). I have since removed the automatic registering of DNS records by the DHCP service since that seemed very undesirable.

Most of Microsoft's documentation assumes you have 2 NICs in the VPN server but we're not set up like that at the present time.

As you can tell I'm pretty new to most of this so please be patient!

 
Hi,

We have a similar setup (two servers: 1 = SBS 2003, 1 = W2K3 Server) AND we use the ZyXEL 652 ADSL Router. Internal clients on 192.168.*.* network. The SBS Server runs the DHCP and DNS Service and is the VPN Server for the network. The 652 Router is configured to allow PPTP Passthru to the VPN Server. We can connect multiple simultaneous remote VPN Sessions thru the Router without any problems.

On the Router, you must open up GRE from WAN to LAN.

In the Router's Web Configurator:
Advanced Setup > Firewall > Rule Summary >
Packet Direction WAN>LAN

Then insert a new rule (to allow 2 services = PPTP on TCP 1723 and GRE)

Good luck.
 
Thanks Sanjiv, I just needed the confidence that it was possible! I hadn't spotted the built-in GRE protocol and had created my own TCP port 47 which I know was complete rubbish. It works fine now.

Cheers
 
Another problem has arisen! One of our users can log on remotely and browse the shares on the server. He is perfectly happy! Another user (unfortunately me!) finds he can log on but is then unable to get any further. Any attempt at net view \\server gives a system error 5 access denied message. And yet I am logging on as an administrator. I can use dial-up OK, albeit slowly, so it looks like a broadband router setting (at my home I mean), but I have tried two different routers and both behave similarly. What is going on?
 
Solved it! My router at home had the same internal LAN IP address as the gateway router at work! My colleague who had no problems had a different router address. Simply change the router LAN side address at either end of the connection - I used 10.11.12.1 to keep to a non-routable address (anything beginning with 10 would have worked). This problem arose because almost all routers have a factory-set LAN-side address of 192.168.1.1.
Incidentally, I have also learnt the hard way that when setting up the RRAS on a server which is also a DC, WINS server etc., it's best (probably essential) to use a static address pool to issue addresses from and that this should be on yet another non-routable subnet (I use 10.10.10.10 to 10.10.10.20).
Thanks to everyone with enough patience to read this.
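
An added example (not part of the thread): a check of a VPN address plan for the kind of collision described above, run before changing any router. The /24 masks, the segment names and the function names are assumptions; the thread gives only the addresses.

```python
import ipaddress
from itertools import combinations


def pool_networks(first, last):
    """Collapse an inclusive address range (e.g. a static VPN pool) into CIDR blocks."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def find_conflicts(segments):
    """segments maps a name to a list of ip_network objects.

    Returns every pair of segment names whose address space overlaps.
    Any overlap between the remote client's LAN, the office LAN and the
    VPN pool makes an address ambiguous from the client's point of view.
    """
    conflicts = []
    for (name_a, nets_a), (name_b, nets_b) in combinations(segments.items(), 2):
        if any(a.overlaps(b) for a in nets_a for b in nets_b):
            conflicts.append((name_a, name_b))
    return conflicts


def build_plan(home_lan, office_lan, pool_first, pool_last):
    """Assemble the three address spaces involved in a remote-access VPN."""
    return {
        "home_lan": [ipaddress.ip_network(home_lan)],
        "office_lan": [ipaddress.ip_network(office_lan)],
        "vpn_pool": pool_networks(pool_first, pool_last),
    }


if __name__ == "__main__":
    # Constructed plans based on the addresses in the thread (masks assumed /24).
    plans = {
        "factory-default home router": build_plan(
            "192.168.1.0/24", "192.168.1.0/24", "10.10.10.10", "10.10.10.20"),
        "home router moved to 10.11.12.1": build_plan(
            "10.11.12.0/24", "192.168.1.0/24", "10.10.10.10", "10.10.10.20"),
    }
    for label, plan in plans.items():
        clashes = find_conflicts(plan)
        print(f"{label}: {'OK' if not clashes else clashes}")
```
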
 
Well done fissidens and thanks for posting your solution.

 