
Routing problem: Win 2000 PPTP behind firewall


zmtw (Technical User), May 19, 2002
I have a small LAN on DSL behind a Linksys BEFSR41 router. I'd like to be able to connect to it from a Win 98 dialup system when I'm working remotely. I have the VPN client set up on the Win98 dialup system. I can connect but cannot communicate between the remote system and the LAN. My LAN is set up as follows:

- 1 Public IP; 63.67.x.x connected to the Linksys router
- Linksys router NAT's to 192.168.0.x (router is the gateway using 192.168.0.1, subnet mask 255.255.255.0)
- All computers on the LAN have static IP addresses: 192.168.0.10 - 20
- Linux WINS server on 192.168.0.10
- DHCP server on Linksys router (192.168.0.1)
- Various other machines on LAN: 192.168.0.12-20, Gateway 192.168.0.1, mask 255.255.255.0 WINS: 192.168.0.10
- WIN 2000 server with 2 NIC cards
- Port 1723 forwarded in Linksys router to Win2000 server

I'd like the Win2000 server to sit behind Linksys router and act only as a VPN router. And I'd like the other machines on the LAN to access the Internet through the Linksys router whether or not the Win 2000 VPN server is powered on (ie: using gateway 192.168.0.1 not through the VPN server). How should I set up my TCP and VPN settings on the WIN 2000 machine?

I've tried a variety of IP addresses and masks without success. I can connect successfully to WIN 2000 VPN from the Win98 dialup system and see that its IP address is correctly set. But I am unable to ping or FTP between the Win 98 dialup system and any of the systems on the LAN.

I suspect I have a routing problem in the WIN 2000 VPN server and that I have IP addresses, masks, and gateways incorrectly set.
 
I have a very similar setup and had the same problem with a Cisco 1701. If you open all of the ports on the router, however, then you can connect to the VPN (W2K) server. This is not recommended in production but it's a good way of testing where your bottleneck is. If you can connect to the VPN server with all ports open on the router then you know that the problem is at the router. It will also tell you that it's a port or IP protocol config issue on the router.

I didn't see whether you had opened IP protocol 47. This and port 1723 are required to be open both ways on the router. Check what other ports are used in W2K network or logon authentication. I believe ports 137 - 139 are also needed. MS has a white paper defining ports used by W2K. You will need to define these additional ports (that W2K needs) on the router.

My problem now is establishing a VPN connection from one private network to another, each behind their own router running NAT... but that's for another post.

Hopefully this provided some clues.
 
After a lot of fiddling, I've got it working -- kind of. Incoming communication appears to work pretty well -- I can FTP and Net View/Net Use from the remote system through the VPN tunnel. Outgoing communication, from machines on the LAN through the VPN tunnel to the VPN client, seems to work less well. I'm still diagnosing the problems. But since incoming communication is what I'm really interested in, I'm up and running.

Here's what I ended up doing:

-- on the Linksys router open port 1723 and forward it to the Win 2000 VPN server's internet address
-- on the Linksys router enable PPTP pass through (this allows protocol 47 through).
-- the Linksys router is configured with a LAN address (gateway) of 192.168.0.1 and a subnet mask of 255.255.255.0
-- TCP and the VPN server on the Win 2000 server are set as follows:

              NIC 1 (Internal)      NIC 2 (External)
              ----------------      ----------------
  - IP        192.168.0.11          192.168.0.129
  - subnet    255.255.255.128       255.255.255.128
  - gateway   192.168.0.1           -- none --
  - wins      192.168.0.10          192.168.0.10

Note that the subnet mask of 255.255.255.128 is essential. It puts the two NICs in the VPN server on different subnets. On all the other machines on my LAN and on the router the subnet mask is set to 255.255.255.0 and the IP addresses are assigned between 192.168.0.2 and 192.168.0.127 (thus all on the same subnet and on the same subnet as the VPN server's internal NIC card)

The Win 2000 VPN server is set to assign IP addresses to clients from a pool with addresses less than 192.168.0.128 and its DHCP Relay Agent is set to 192.168.0.1 (i.e., the Linksys router which acts as a DHCP server). I don't know whether it is necessary to set the DHCP Relay Agent in the VPN server, but setting it does not seem to hamper things.

Other machines on the LAN have TCP setup as:

IP 192.168.0.2 - 192.168.0.127
subnet 255.255.255.0
gateway 192.168.0.1
wins 192.168.0.10

All of the machines on the LAN (other than the Linux box at 192.168.0.10 that acts as a WINS server among other things) have Client for Microsoft Networks and File and Printer Sharing for Microsoft Networks set in their LAN configurations.

One other thing. I have found that if you fiddle with the TCP settings on the Win 2000 system you need to "Disable Routing and Remote Access" on the VPN server Routing and Remote Access screen and reconfigure the VPN server again from the beginning. Otherwise Win 2000 gets all mixed up.
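The subnet arithmetic behind the layout in the post above, as an added example that is not code from the thread: it checks that the two VPN NICs fall in different halves of the router's /24 when a 255.255.255.128 mask is used, that the LAN hosts and the Linksys gateway sit on the internal NIC's half, and that the client pool comes from below .128, then repeats the check with 255.255.255.0 on both NICs to show what the poster says does not work. The LAN host list, the client pool (192.168.0.100 - 110), and the function names check_layout, post_layout and flat_mask_layout are assumptions made here for illustration.

```python
import ipaddress

# Added example, not code from the original thread. The router and NIC
# addresses are the ones the final post settled on; the LAN host list and
# the client pool below are constructed assumptions for illustration.
ROUTER = ipaddress.ip_interface("192.168.0.1/24")         # Linksys LAN side, /24
VPN_INTERNAL = ipaddress.ip_interface("192.168.0.11/25")  # Win2000 NIC 1
VPN_EXTERNAL = ipaddress.ip_interface("192.168.0.129/25") # Win2000 NIC 2
LAN_HOSTS = [ipaddress.ip_address(f"192.168.0.{n}") for n in (10, 12, 20, 127)]
CLIENT_POOL = (ipaddress.ip_address("192.168.0.100"),
               ipaddress.ip_address("192.168.0.110"))     # assumed pool, below .128


def check_layout(router, internal, external, hosts, pool):
    """Return a list of layout problems; an empty list means the addressing
    matches what the post describes (two NICs on separate halves of the /24,
    LAN hosts, gateway and client pool on the internal NIC's half)."""
    problems = []
    # The post's key point: the two NICs must land in different subnets.
    if internal.network == external.network:
        problems.append(f"both VPN NICs are in {internal.network}; use a longer mask")
    # Both halves still have to sit inside the router's /24.
    for name, nic in (("internal", internal), ("external", external)):
        if not nic.network.subnet_of(router.network):
            problems.append(f"{name} NIC subnet {nic.network} is outside {router.network}")
    # The internal NIC needs the Linksys as an on-link default gateway.
    if router.ip not in internal.network:
        problems.append(f"gateway {router.ip} is not on the internal NIC's subnet")
    # Every LAN host should be on the internal NIC's subnet and not the external one.
    for h in hosts:
        if h not in internal.network:
            problems.append(f"LAN host {h} is not on the internal NIC's subnet")
        if h in external.network:
            problems.append(f"LAN host {h} overlaps the external NIC's subnet")
    # Dial-in clients get addresses below .128, i.e. from the internal half.
    lo, hi = pool
    if lo not in internal.network or hi not in internal.network:
        problems.append(f"client pool {lo}-{hi} is not inside {internal.network}")
    return problems


def post_layout():
    """The configuration the thread ended with: /25 on both VPN NICs."""
    return check_layout(ROUTER, VPN_INTERNAL, VPN_EXTERNAL, LAN_HOSTS, CLIENT_POOL)


def flat_mask_layout():
    """Same addresses with 255.255.255.0 on both NICs, the case the post
    says does not work: both NICs share one subnet and every LAN host
    overlaps the external NIC's subnet."""
    return check_layout(
        ROUTER,
        ipaddress.ip_interface("192.168.0.11/24"),
        ipaddress.ip_interface("192.168.0.129/24"),
        LAN_HOSTS,
        CLIENT_POOL,
    )


if __name__ == "__main__":
    for label, result in (("/25 masks", post_layout()), ("/24 masks", flat_mask_layout())):
        print(label, "-> OK" if not result else "-> problems:")
        for p in result:
            print("   ", p)
```

Running the script prints no problems for the /25 layout and five for the /24 layout (one shared-subnet finding plus one overlap finding per LAN host). Note that this only checks the VPN server's own view of the addressing; the other LAN machines still carry a /24 mask, so the check says nothing about how they route to the .129 side.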
