RRAS VPN IP conflict

 
 
Danny F
      08-01-2007, 12:18 AM
I am having an issue with VPN and IP settings. I am running Windows Server
2003 RRAS. We have a 1 subnet internal network on the 192.168.1.0/24 subnet.
The VPN server assigns IPs in the 192.168.1.241 – 254 range. The problem I
am having is if the remote computer is connected to a remote network that is
also on the 192.168.1.0/24 subnet the remote computer cannot access anything
on our network. I understand why this happens but need a workaround or other
solution. Many wireless routers and DSL configurations run by default on the
192.168.1.0/24 subnet.

Thank you in advance.

 
Bill Grant
      08-01-2007, 12:43 AM
There is no easy way around that problem. A remote machine will not send
traffic across a VPN link if the target IP is the same IP subnet as the
local LAN. It will try to deliver the traffic "on the wire", not send it to
a router. That is how IP routing works!

The only real solution is to put your remote users in their own IP
subnet, such as 192.168.99.0/24 using a static address pool. You then have
to enable IP routing on the VPN server and make sure that your LAN machines
can route to the remote subnet. This will only work automatically if the VPN
server is the default gateway for the LAN machines.
 
Danny F
      08-01-2007, 12:54 AM
Bill, thanks for your reply.

I thought of that and tried it but they still can't get to the .1 subnet
because (I think) they're still on a .1 local subnet. I tried it with remote
computers on other subnets and they could get to the .1 address of the VPN
server but nothing else. Probably a routing issue.

Arggghh. I inherited this IP. Would have never used it myself had I built
it.

One thought I had was to build out another network 192.168.217.0 and put the
few servers the VPN users need to access on both networks with two NICs on
each server, one on the .1 subnet and one on the .217 subnet. Any thoughts?

Thanks again.
 
Bill Grant
      08-01-2007, 01:19 AM
That would just complicate the situation. You would then have two local
subnets and you would need to set it up so that they could both see each
other and the Internet. Much more complicated than putting the remotes in
their own subnet.
 
Danny F
      08-01-2007, 01:54 AM
I tried that but it doesn't work for me if they're coming from a .1 address.
Here is the scenario:

VPN Server:
Physical IP on the interface: 192.168.1.11
Internal IP of logical interface for VPN: 192.168.99.241
VPN IP Pool: 192.168.99.241 - 254

Remote PC 1:
LAN IP: 192.168.1.100
VPN IP: 192.168.99.242

Remote PC 2:
LAN IP: 192.168.25.100
VPN IP: 192.168.99.243

Remote PC 1 can ping 192.168.99.241 but cannot ping 192.168.1.11. I think
because it is still dealing with the issue of being on a .1 LAN IP.

Remote PC 2 can ping both 192.168.99.241 and 192.168.1.11
 
Bill Grant
      08-01-2007, 05:32 AM
Yes, you are probably right. The remote client will still try to deliver
any traffic for a 192.168.1 address locally rather than sending it across
the VPN.

I wouldn't go down the path of giving the servers two NICs. That would
cause more problems than it would solve (especially if any of them were
DCs).

Putting all your servers in a different IP subnet would work. You could
put all of your servers including the RRAS server in 192.168.217.0 and have
your workstations remain in 192.168.1.0. The remotes would be able to
contact your servers but not the workstations. But if you are prepared to go
to that much trouble it is probably simpler to just change the IP addresses
on your LAN to 192.168.217.0. It is only the servers with static IPs which
need changing. The workstations will just get their new config from DHCP and
work as before.
 
Danny F
      08-01-2007, 10:16 PM
I did find a workaround for anyone having this issue. It requires manually
manipulating the routing table on the remote PC. Determine the IP of the PPP
VPN adapter and the interface number by running route print. Then run:

route add 192.168.1.0 mask 255.255.255.0 *VPN IP Address* if *interface Number*
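The routing decision discussed in this thread, as an added example that is not part of any post: a simplified model of route lookup (longest prefix first, then lowest metric) run over the addresses Danny F listed, before and after his `route add` workaround. The interface labels, the metrics, the assumption that the VPN installs a default route, and the test address 192.168.1.1 are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    interface: str  # "LAN" or "VPN": labels invented for this example
    metric: int     # assumed values; real metrics depend on the Windows version


def route(cidr, interface, metric):
    return Route(ipaddress.ip_network(cidr), interface, metric)


def lookup(table, destination):
    """Select a route the way an IP stack does: longest prefix, then lowest metric."""
    dest = ipaddress.ip_address(destination)
    candidates = [r for r in table if dest in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.metric))


def client_table(lan_cidr):
    """Assumed table of a connected client that uses the VPN as its default gateway."""
    return [
        route(lan_cidr, "LAN", 20),     # on-link route for the client's own subnet
        route("0.0.0.0/0", "LAN", 21),  # original default route via the home router
        route("0.0.0.0/0", "VPN", 1),   # default route installed by the VPN connection
    ]


def with_workaround(table):
    """Table after: route add 192.168.1.0 mask 255.255.255.0 <VPN IP> if <n>."""
    return table + [route("192.168.1.0/24", "VPN", 1)]


def egress(table, destination):
    chosen = lookup(table, destination)
    return chosen.interface if chosen else None


PC1 = client_table("192.168.1.0/24")   # Remote PC 1, LAN IP 192.168.1.100
PC2 = client_table("192.168.25.0/24")  # Remote PC 2, LAN IP 192.168.25.100

if __name__ == "__main__":
    cases = (("PC1", PC1), ("PC2", PC2), ("PC1 + route", with_workaround(PC1)))
    # 192.168.1.1 stands for a device on the user's own LAN (constructed address).
    for name, table in cases:
        for dst in ("192.168.99.241", "192.168.1.11", "192.168.1.1"):
            print(f"{name:12} {dst:15} -> {egress(table, dst)}")
```

In this model the added route wins only because its metric is lower than the on-link route's, and it captures the whole 192.168.1.0/24 range, so devices on the user's own LAN in that range are also sent into the tunnel while the route is present.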
 
 
 