Multihomed IP Addressing for RRAS VPN

Guys thanks for the help in advance.

I have a Server 2003 domain with one serving as a RRAS/VPN server. The box
has two NICs. I have them as one private and the other connecting to a
linksys router with Port 1723 forwarded.

My question is should the Private and Public addresses be on different
subnets?

My setup is Public Nic1 IP 10.0.0.1 Private Nic 2 IP 10.0.0.2 The
Router's Lan address is 10.0.0.20. The The public NIC is configured with
default gateway of 10.0.0.20.

Is there a way to verify the connection on the local lan or would
verification have to be done remotely from the Internet?

Any advice would be greatly appreciated.

"Anthony" <(E-Mail Removed)> wrote in message
news:F4F08401-906F-4D47-B5DF-(E-Mail Removed)...
> Guys thanks for the help in advance.
>
> I have a Server 2003 domain with one serving as a RRAS/VPN server. The box
> has two NICs. I have them as one private and the other connecting to a
> linksys router with Port 1723 forwarded.
>
> My question is should the Private and Public addresses be on different
> subnets?

Yes!!

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------

If this machine in on a private LAN behind a router, it doesn't need two
NICs, so the question of what IP to give the second one does not come into
the equation.

You use two NICs if the server has a direct connection to the public
network, and it is obvious that one has a private IP and the other has a
public IP. The remote user connects to the public NIC and gains access to
the private LAN through VPN.

If the server is on a private LAN, the router is your public gateway
and any external users will have to connect to that. They cannot connect to
the VPN server which is on the private LAN.

You will need to set up your RRAS machine as a remote access server with
one NIC. You can test this config locally by connecting from a LAN client to
the server's private IP/name. (VPN works quite happily over your local LAN).
When this works, modify your gateway router/firewall to forward VPN traffic
to the server on the LAN. (This is tcp port 1723 for PPTP). Now try
connecting from a remote client to the gateway router's IP address or public
name.

PS. I hope that the RRAS server is not a DC. This may cause you problems
when a client does connct, because the server then becomes multihomed
(because it obtains a second IP for the internal interface which is the
tunnel endpoint).

"Anthony" <(E-Mail Removed)> wrote in message
news:F4F08401-906F-4D47-B5DF-(E-Mail Removed)...
> Guys thanks for the help in advance.
>
> I have a Server 2003 domain with one serving as a RRAS/VPN server. The box
> has two NICs. I have them as one private and the other connecting to a
> linksys router with Port 1723 forwarded.
>
> My question is should the Private and Public addresses be on different
> subnets?
>
> My setup is Public Nic1 IP 10.0.0.1 Private Nic 2 IP 10.0.0.2 The
> Router's Lan address is 10.0.0.20. The The public NIC is configured with
> default gateway of 10.0.0.20.
>
> Is there a way to verify the connection on the local lan or would
> verification have to be done remotely from the Internet?
>
> Any advice would be greatly appreciated.
>

Bill, thanks for the answer I will make the correction. It makes a lot more
sense now. The RRAS server is not on a DC, RRAS is the only role being used
on this machine.

"Bill Grant" wrote:

> If this machine in on a private LAN behind a router, it doesn't need two
> NICs, so the question of what IP to give the second one does not come into
> the equation.
>
> You use two NICs if the server has a direct connection to the public
> network, and it is obvious that one has a private IP and the other has a
> public IP. The remote user connects to the public NIC and gains access to
> the private LAN through VPN.
>
> If the server is on a private LAN, the router is your public gateway
> and any external users will have to connect to that. They cannot connect to
> the VPN server which is on the private LAN.
>
> You will need to set up your RRAS machine as a remote access server with
> one NIC. You can test this config locally by connecting from a LAN client to
> the server's private IP/name. (VPN works quite happily over your local LAN).
> When this works, modify your gateway router/firewall to forward VPN traffic
> to the server on the LAN. (This is tcp port 1723 for PPTP). Now try
> connecting from a remote client to the gateway router's IP address or public
> name.
>
> PS. I hope that the RRAS server is not a DC. This may cause you problems
> when a client does connct, because the server then becomes multihomed
> (because it obtains a second IP for the internal interface which is the
> tunnel endpoint).
>
> "Anthony" <(E-Mail Removed)> wrote in message
> news:F4F08401-906F-4D47-B5DF-(E-Mail Removed)...
> > Guys thanks for the help in advance.
> >
> > I have a Server 2003 domain with one serving as a RRAS/VPN server. The box
> > has two NICs. I have them as one private and the other connecting to a
> > linksys router with Port 1723 forwarded.
> >
> > My question is should the Private and Public addresses be on different
> > subnets?
> >
> > My setup is Public Nic1 IP 10.0.0.1 Private Nic 2 IP 10.0.0.2 The
> > Router's Lan address is 10.0.0.20. The The public NIC is configured with
> > default gateway of 10.0.0.20.
> >
> > Is there a way to verify the connection on the local lan or would
> > verification have to be done remotely from the Internet?
> >
> > Any advice would be greatly appreciated.
> >
>
>

Ah! I missed seeing that there was a Linksys box there.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------

"Bill Grant" <not.available@online> wrote in message
news:(E-Mail Removed)...
> If this machine in on a private LAN behind a router, it doesn't need
> two NICs, so the question of what IP to give the second one does not come
> into the equation.
>
> You use two NICs if the server has a direct connection to the public
> network, and it is obvious that one has a private IP and the other has a
> public IP. The remote user connects to the public NIC and gains access to
> the private LAN through VPN.
>
> If the server is on a private LAN, the router is your public gateway
> and any external users will have to connect to that. They cannot connect
> to the VPN server which is on the private LAN.
>
> You will need to set up your RRAS machine as a remote access server
> with one NIC. You can test this config locally by connecting from a LAN
> client to the server's private IP/name. (VPN works quite happily over your
> local LAN). When this works, modify your gateway router/firewall to
> forward VPN traffic to the server on the LAN. (This is tcp port 1723 for
> PPTP). Now try connecting from a remote client to the gateway router's IP
> address or public name.
>
> PS. I hope that the RRAS server is not a DC. This may cause you
> problems when a client does connct, because the server then becomes
> multihomed (because it obtains a second IP for the internal interface
> which is the tunnel endpoint).
>
> "Anthony" <(E-Mail Removed)> wrote in message
> news:F4F08401-906F-4D47-B5DF-(E-Mail Removed)...
>> Guys thanks for the help in advance.
>>
>> I have a Server 2003 domain with one serving as a RRAS/VPN server. The
>> box
>> has two NICs. I have them as one private and the other connecting to a
>> linksys router with Port 1723 forwarded.
>>
>> My question is should the Private and Public addresses be on different
>> subnets?
>>
>> My setup is Public Nic1 IP 10.0.0.1 Private Nic 2 IP 10.0.0.2 The
>> Router's Lan address is 10.0.0.20. The The public NIC is configured with
>> default gateway of 10.0.0.20.
>>
>> Is there a way to verify the connection on the local lan or would
>> verification have to be done remotely from the Internet?
>>
>> Any advice would be greatly appreciated.
>>
>