Routing problems

Albion

IS-IT--Management
Aug 8, 2000
517
US
I have two Microsoft AD Domains connected by a VPN. Domain1=192.0.2.0, Domain2=192.168.1.0, VPN=192.168.4.0. I am able to connect my two servers (Windows 2003 and Windows 2003 R2) through the VPN. I've created a static route in the server (Windows 2003) on Domain2 to forward all traffic through the VPN (192.168.4.0) to Domain1, and it works great. I can get to any machine on Domain2 from that server. I've added a static route to the router (Netgear WGR614v9) in Domain2 to route traffic from anywhere on Domain2 to my VPN server on Domain2. I've also enabled IP forwarding on the server in Domain2.

Problem is I can't get to any machine in Domain1 from a workstation in Domain2. When I tracert, the traffic goes through the Netgear router to the VPN server on Domain2, but that's where it stops. I can't seem to get the server on Domain2 to forward that traffic from the router through the VPN into Domain1.

Routing Table Server Domain2

Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.200 10
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.0.2.0 255.255.255.0 192.168.4.1 192.168.4.3 1
192.168.1.0 255.255.255.0 192.168.1.200 192.168.1.200 10
192.168.1.200 255.255.255.255 127.0.0.1 127.0.0.1 10
192.168.1.255 255.255.255.255 192.168.1.200 192.168.1.200 10
192.168.4.0 255.255.255.0 192.168.4.3 192.168.4.3 30
192.168.4.3 255.255.255.255 127.0.0.1 127.0.0.1 30
192.168.4.255 255.255.255.255 192.168.4.3 192.168.4.3 30
224.0.0.0 240.0.0.0 192.168.1.200 192.168.1.200 10
224.0.0.0 240.0.0.0 192.168.4.3 192.168.4.3 30
255.255.255.255 255.255.255.255 192.168.1.200 192.168.1.200 1
255.255.255.255 255.255.255.255 192.168.4.3 192.168.4.3 1
Default Gateway: 192.168.1.1

Routing Table Netgear Router

# Active Name Destination Gateway
1 Yes OpenVPN 192.0.2.0 192.168.1.200

Routing Table on Workstation in Domain2

Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.2 10
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.0.2.0 255.255.255.0 192.168.4.1 192.168.4.2 31
192.168.1.0 255.255.255.0 On-link 192.168.1.2 266
192.168.1.2 255.255.255.255 On-link 192.168.1.2 266
192.168.1.255 255.255.255.255 On-link 192.168.1.2 266
192.168.4.0 255.255.255.0 On-link 192.168.4.2 286
192.168.4.2 255.255.255.255 On-link 192.168.4.2 286
192.168.4.255 255.255.255.255 On-link 192.168.4.2 286
192.168.56.0 255.255.255.0 On-link 192.168.56.1 276
192.168.56.1 255.255.255.255 On-link 192.168.56.1 276
192.168.56.255 255.255.255.255 On-link 192.168.56.1 276
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.56.1 276
224.0.0.0 240.0.0.0 On-link 192.168.4.2 286
224.0.0.0 240.0.0.0 On-link 192.168.1.2 266
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.56.1 276
255.255.255.255 255.255.255.255 On-link 192.168.4.2 286
255.255.255.255 255.255.255.255 On-link 192.168.1.2 266

Can anyone help me get the traffic moving?

Thanks

 
The problem could be that 192.0.x.x is a public IP address and not a private address.
Some routers (from what I've heard) aren't able to route public addresses as private addresses.
 
Although silverblade is correct in that you are using a public IP address range, this is not the cause of the issue. The problem is that the packets do arrive from domain2 to machines on domain1 but they can't return.
If you remember, you said you added a static route on the server in domain1 to route traffic for 192.0.2.x across the VPN. This is why you can ping to and from this server across the VPN. But... you need to do the same for the workstations in domain1. That is the problem.
Workstations in domain2 have routing configured correctly and the ping arrives at the WKS on domain1, but when it replies it forwards it to the default gateway because there is no static route in its own routing table telling it where the remote network is located.
Take a look at how routing works for a full, in-depth guide on routing.

On another note, you DEFINITELY need to change the 192.0.2.x network range to a private range. At some point this is going to bite you on the ass if you don't do it soon. If ANY PC from either of the networks tries to connect to a public server on the internet which is in that IP range, it will fail because the PCs will think it is local.
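
The return-path failure described in the reply above, as an added example that is not part of the original thread: a longest-prefix-match lookup run over the Domain2 server's posted routes and over a constructed Domain1 workstation table. The Domain1 addresses (192.0.2.1, 192.0.2.10, 192.0.2.50) are assumptions, as is the VPN server forwarding without NAT.

```python
import ipaddress

def lookup(table, dst):
    """Pick a route by longest prefix; the lower metric wins a tie.
    Returns (gateway, interface)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gateway, iface, metric in table:
        network = ipaddress.ip_network(net)
        if dst in network:
            key = (network.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, gateway, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2]

# Unicast rows copied from "Routing Table Server Domain2" in the thread.
SERVER_D2 = [
    ("0.0.0.0/0",      "192.168.1.1",   "192.168.1.200", 10),
    ("192.0.2.0/24",   "192.168.4.1",   "192.168.4.3",   1),
    ("192.168.1.0/24", "192.168.1.200", "192.168.1.200", 10),
    ("192.168.4.0/24", "192.168.4.3",   "192.168.4.3",   30),
]

# Constructed: a Domain1 workstation that has only its on-link route and a
# default route. None of these addresses appear in the thread.
D1_WKS_IP = "192.0.2.50"      # assumed workstation address
D1_DEFAULT_GW = "192.0.2.1"   # assumed Domain1 internet router
D1_VPN_SERVER = "192.0.2.10"  # assumed Domain1 VPN server address
D1_WKS = [
    ("0.0.0.0/0",    D1_DEFAULT_GW, D1_WKS_IP, 10),
    ("192.0.2.0/24", D1_WKS_IP,     D1_WKS_IP, 10),
]

def reply_next_hop(table, original_source):
    """Next hop the Domain1 host uses when answering a Domain2 sender."""
    return lookup(table, original_source)[0]

# Same table plus the missing static route for Domain2 via the VPN server.
D1_WKS_FIXED = D1_WKS + [("192.168.1.0/24", D1_VPN_SERVER, D1_WKS_IP, 1)]

if __name__ == "__main__":
    print("forward hop :", lookup(SERVER_D2, D1_WKS_IP))
    print("reply before:", reply_next_hop(D1_WKS, "192.168.1.2"))
    print("reply after :", reply_next_hop(D1_WKS_FIXED, "192.168.1.2"))
```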
 
muckermucker: Thanks, I think you're right, I never thought of the return trip. I will give that a try.

As for 192.0.2.x, there shouldn't be any public servers using that IP range. According to IANA 192.0.2.x is the IP equivalent of phone numbers starting with 555 in movies and documentation. "Addresses within this block should not appear on the public Internet." - RFC 3330.

That IP range has been entrenched in my network for much longer than the 15 years I've been here. I understand it's not "standard" and that it should be fixed. Unfortunately fixing it is going to take a major undertaking. Since it's never been an issue (according to IANA) I just haven't had the nerve for it.

But, given the lack of available IPv4 addresses, you could be correct. Maybe it's time...
 