Multi-homed server and VPN

 
 
NeoAdmin
Guest
Posts: n/a

 
      04-26-2004, 08:35 PM
Server: win2k3, two NICs. NIC 1 is on 192.168.1.x, the
same network as the LAN. It has a default gateway of
192.168.1.251, the LAN IP address of the router, so that
hosts on the LAN can get to the internet. NIC 2 is on
192.168.2.x with default gateway of 192.168.2.1, the LAN
IP of the other router, a VPN-capable Linksys we use for
remote access. I have heard that multiple default gateways
on the same server is a No-No, but do not understand why.
Everything is working correctly, as far as I can tell,
except that hosts on the VPN network can only see
themselves and the server in Network Neighborhood, and in
fact cannot reach any other hosts on the 192.168.1.x
network. How do I correct this? I have enabled routing
on the server, but there must be something else, because
it ain't workin'. Removing either of the default gateways
is not an option, because doing so kills either internet
access for the LAN or kills the VPN. Someone with the
knowledge, willing to provide a little detail, please
respond.

 
 
 
 
 
eddiec
Guest
Posts: n/a

 
      04-27-2004, 12:33 AM
Create a static route on the Linksys router to point to the 192.168.1 subnet.

 
Bill Grant
Guest
Posts: n/a

 
      04-27-2004, 02:09 AM
You should not have a default gateway configured on your "private" NIC
(192.168.1.x). The only default route of this server should be to the
Internet router.


In fact I cannot see any reason to have this router at all. You should
be able to do this from your Internet router. Set all client machines to use
the Internet router as their default. On the Internet router, configure a
static route to redirect traffic for the VPN-connected site to the VPN
router.

For instance, if the subnet across the VPN link is 192.168.5.0/24, add a
static route

192.168.5.0 255.255.255.0 192.168.2.1

 
NeoAdmin
Guest
Posts: n/a

 
      04-28-2004, 03:02 PM
The idea was to separate the LAN traffic from the VPN
traffic. (not mine, I was advised to do so) LAN packets
bound for the Internet go to the gateway 192.168.1.251,
the LAN NIC of a Linux box serving as a firewall, then
through another Linksys router, and finally through a
cable modem to the 'net. (I just inherited this topology,
and have to trust it is all necessary. If it were solely
up to me, I would bag the Linux box, the second Linksys,
and just use the VPN Linksys for everything. The other
admin is concerned that having only the Linksys between
the LAN and the 'net would pose a security risk, and I
have not enough experience to argue with him. Although,
it does seem to me that that is exactly what we are doing
with the VPN Linksys anyway.) In any case, if I remove the
default gateway from the NIC on 192.168.1.x, does that
mean the server will use the gateway on the VPN NIC for
Internet access? Also, I have 192.168.1.251 as the router
setting in DHCP properties, so I assume DHCP clients will
still be using that as their default gateway. (Did I
mention the 2003 server is also the DHCP server for the
LAN?) Finally, do I set up static routes on the VPN
Linksys, the 2003 server in RRAS, or both?
 
Phillip Windell
Guest
Posts: n/a

 
      04-28-2004, 03:45 PM
"NeoAdmin" <(E-Mail Removed)> wrote in message
news:57c601c42d31$db885950$(E-Mail Removed)...
> The idea was to separate the LAN traffic from the VPN
> traffic. (not mine, I was advised to do so) LAN packets
> bound for the Internet go to the gateway 192.168.1.251,


You may have been "advised" by someone who doesn't understand how it works.
VPN traffic is a "specified" set of destination addresses, the Internet is
not, by the very nature of that they are already separated. It is true, you
cannot have two DFs, by the very definition of the term Default Gateway
means you can only have one. Default Gateways are *only* for "unknown
destination routes". When the destination route is "known" then you use a
Static Route.

(If you get rid of the Win2k3 router)
As Bill suggested,....You either need to use the Internet Router as the
Client's Default Gateway and then use a static route on the Internet Router
for the VPN traffic to go to the VPN Router.

....or flip it around and make the VPN Router the Default Gateway of the
clients, and then make the VPN Router's Default Gateway the Internet Router.
Either way will work and is doing the same thing. Either way the first "hop"
will share the traffic for either destination on the same wire, there is no
way around that.

(If you keep the Win2k3 Router)
....or if you want to keep this dual-home Win2k3 Server as a Router then
treat it just like the Client, and make its DF the VPN Router with the VPN
Router's DF the Internet Router, ...or flip it and make the Internet Router
its DF and then the Internet router uses a static route to the VPN Router.

The rest of your topology is a mystery to me and I can't compensate for what
I don't know about it.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


 
 
Phillip Windell
Guest
Posts: n/a

 
      04-28-2004, 03:52 PM
"Phillip Windell" <@.> wrote in message
news:(E-Mail Removed)...
Oh,..one other option if you keep the Win2k3 Router. You can make its
Default Gateway the Internet Router and then use a Static route to send the
VPN Traffic to the VPN Router.

But I think that server is pointless and you should get rid of it. Use that
hardware and Server2003 license for something more useful.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
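
Added example, not part of any post in this thread: a small Python model of next-hop selection (longest prefix first, then lowest metric) comparing the server's routing table as first described with the single-default-plus-static-route layout the replies suggest. Assumptions: both default routes carry equal metrics, 192.168.5.0/24 is the illustrative remote subnet from Bill Grant's reply, the probe addresses are constructed, and a tie is simply reported as ambiguous rather than modelling how Windows breaks it.

```python
import ipaddress
from typing import NamedTuple

class Route(NamedTuple):
    net: ipaddress.IPv4Network
    gateway: str  # "on-link" = directly connected subnet
    metric: int

def r(dest, mask, gateway, metric=1):
    # Same "destination mask gateway" order as the static route in the thread.
    return Route(ipaddress.IPv4Network(f"{dest}/{mask}"), gateway, metric)

def lookup(table, ip):
    """Gateways tied for best route: longest prefix first, then lowest metric."""
    addr = ipaddress.IPv4Address(ip)
    hits = [x for x in table if addr in x.net]
    if not hits:
        return []
    longest = max(x.net.prefixlen for x in hits)
    hits = [x for x in hits if x.net.prefixlen == longest]
    lowest = min(x.metric for x in hits)
    return sorted({x.gateway for x in hits if x.metric == lowest})

def ambiguous(table, probes):
    """Probe addresses whose next hop is not uniquely determined by the table."""
    return [ip for ip in probes if len(lookup(table, ip)) > 1]

CONNECTED = [r("192.168.1.0", "255.255.255.0", "on-link"),
             r("192.168.2.0", "255.255.255.0", "on-link")]

# As first posted: one default gateway per NIC (equal metrics are an assumption).
AS_POSTED = CONNECTED + [r("0.0.0.0", "0.0.0.0", "192.168.1.251"),
                         r("0.0.0.0", "0.0.0.0", "192.168.2.1")]

# As suggested: one default via the Internet-side gateway, plus a static route
# for the remote VPN subnet (192.168.5.0/24 is Bill Grant's illustrative value).
SUGGESTED = CONNECTED + [r("0.0.0.0", "0.0.0.0", "192.168.1.251"),
                         r("192.168.5.0", "255.255.255.0", "192.168.2.1")]

# Constructed probes: LAN host, remote VPN host, Internet host (TEST-NET-3).
PROBES = ["192.168.1.40", "192.168.5.20", "203.0.113.10"]

if __name__ == "__main__":
    for name, table in (("as posted", AS_POSTED), ("suggested", SUGGESTED)):
        print(name)
        for ip in PROBES:
            print(f"  {ip:<14} -> {', '.join(lookup(table, ip))}")
        print("  ambiguous:", ambiguous(table, PROBES))
```

With two equal default routes, both the VPN-bound and the Internet-bound probe have two candidate next hops, so traffic meant for the tunnel may be handed to the Internet-side gateway; with one default and a static route every probe resolves to exactly one gateway.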


 