Stop Internet Traffic via VPN

I have a Windows Server 2003 SBS with Remote Access set-up. When a client
connects to the VPN all of their traffic is routed through our Internet
connection and that is a problem. I've tried unchecking the "Enable IP
Routing" but that stops any access to network shares on the server. I was
going to solve this problem by adding a few iptables rules on the network's
router however all traffic from VPN clients seem to have the servers address
on it? So I would like to know is there a way of blocking any traffic from a
VPN client that is not addressed to the server itself.

Thanks,

Mark

Another option is uncheck use default gateway on remote network. The following links may help,
routing issues on vpn 1) If you don't need to access the entire VPN resources, disable the "use default gateway on remote network" option in the properties of the VPN connection. ...
www.chicagotech.net/routingissuesonvpn.htm


Routing The VPN client may be able to access the Internet if you uncheck Use default gateway in remote network. However, if your remote network resources are ...
www.chicagotech.net/routing.htm



Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
"Mr Hives" <(E-Mail Removed)> wrote in message news:488AE9F3-9773-4DF2-97D3-(E-Mail Removed)...
I have a Windows Server 2003 SBS with Remote Access set-up. When a client
connects to the VPN all of their traffic is routed through our Internet
connection and that is a problem. I've tried unchecking the "Enable IP
Routing" but that stops any access to network shares on the server. I was
going to solve this problem by adding a few iptables rules on the network's
router however all traffic from VPN clients seem to have the servers address
on it? So I would like to know is there a way of blocking any traffic from a
VPN client that is not addressed to the server itself.

Thanks,

Mark

The first thing you have to realize is how this works. By default the
VPN client will send all non-local traffic across the VPN. In other words
the VPN link is its default gateway. You can change this by clearing the
"use default gateway..." setting on the client. What happens then is that
the default gateway is still pointing out to the Internet connection. Only a
subnet route is set up to use the VPN link.

This all works if the subnet route it sets up covers all the LAN
machines you need to access. If it doesn't, this traffic goes out to the
Internet gateway and is lost. To fix that you need extra routing on the
client, and that is hard to do.

For a detailed description, see KB 254231 .

Mr Hives wrote:
> I have a Windows Server 2003 SBS with Remote Access set-up. When a
> client connects to the VPN all of their traffic is routed through our
> Internet connection and that is a problem. I've tried unchecking the
> "Enable IP Routing" but that stops any access to network shares on
> the server. I was going to solve this problem by adding a few
> iptables rules on the network's router however all traffic from VPN
> clients seem to have the servers address on it? So I would like to
> know is there a way of blocking any traffic from a VPN client that is
> not addressed to the server itself.
>
> Thanks,
>
> Mark

That's not exactly what I was after but it seems like the only way arround
the bandwidth problem.

Thank-you.


"Robert L [MVP - Networking]" wrote:

> Another option is uncheck use default gateway on remote network. The following links may help,
> routing issues on vpn 1) If you don't need to access the entire VPN resources, disable the "use default gateway on remote network" option in the properties of the VPN connection. ...
> www.chicagotech.net/routingissuesonvpn.htm
>
>
> Routing The VPN client may be able to access the Internet if you uncheck Use default gateway in remote network. However, if your remote network resources are ...
> www.chicagotech.net/routing.htm
>
>
>
> Bob Lin, MS-MVP, MCSE & CNE
> Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
> How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
> "Mr Hives" <(E-Mail Removed)> wrote in message news:488AE9F3-9773-4DF2-97D3-(E-Mail Removed)...
> I have a Windows Server 2003 SBS with Remote Access set-up. When a client
> connects to the VPN all of their traffic is routed through our Internet
> connection and that is a problem. I've tried unchecking the "Enable IP
> Routing" but that stops any access to network shares on the server. I was
> going to solve this problem by adding a few iptables rules on the network's
> router however all traffic from VPN clients seem to have the servers address
> on it? So I would like to know is there a way of blocking any traffic from a
> VPN client that is not addressed to the server itself.
>
> Thanks,
>
> Mark

That's not exactly what I was after but it seems like the only way arround
the bandwidth problem.

Thank-you.


"Bill Grant" wrote:

> The first thing you have to realize is how this works. By default the
> VPN client will send all non-local traffic across the VPN. In other words
> the VPN link is its default gateway. You can change this by clearing the
> "use default gateway..." setting on the client. What happens then is that
> the default gateway is still pointing out to the Internet connection. Only a
> subnet route is set up to use the VPN link.
>
> This all works if the subnet route it sets up covers all the LAN
> machines you need to access. If it doesn't, this traffic goes out to the
> Internet gateway and is lost. To fix that you need extra routing on the
> client, and that is hard to do.
>
> For a detailed description, see KB 254231 .
>
> Mr Hives wrote:
> > I have a Windows Server 2003 SBS with Remote Access set-up. When a
> > client connects to the VPN all of their traffic is routed through our
> > Internet connection and that is a problem. I've tried unchecking the
> > "Enable IP Routing" but that stops any access to network shares on
> > the server. I was going to solve this problem by adding a few
> > iptables rules on the network's router however all traffic from VPN
> > clients seem to have the servers address on it? So I would like to
> > know is there a way of blocking any traffic from a VPN client that is
> > not addressed to the server itself.
> >
> > Thanks,
> >
> > Mark
>
>
>