#1
Good day to all.
I have this scenario:
A LAN with 10.0.1.0/24 subnet.
A W2K3 server with R&RAS running, just one NIC, address 10.0.1.2.
A dummy ADSL router (10.0.1.1) as default gateway for the LAN.
OpenVPN on my server. Its virtual NIC has 10.8.0.0/24 subnet and 10.8.0.1 address.

OpenVPN works fine: when I establish the VPN tunnel from my client, I get an IP address from the 10.8.0.0 subnet, so I can reach the server at 10.8.0.1. I'm not able to reach the rest of the LAN, because other hosts don't know how to route packets to the 10.8.0.0 subnet.

I'm looking for a way which doesn't imply setting static routes, neither on hosts in the LAN nor on the default gateway.

Unfortunately I didn't find in RRAS a feature to PAT the traffic coming from the OpenVPN interface. This way, every packet coming from my client (10.8.0.x) would be sent into the LAN with 10.0.1.2 as source address. Some time ago, at another customer, I had a Cisco PIX 501 perfectly doing this "hard" work.

Any hint?
Thanks in advance!
-Pietro.

--
http://store.webmad.it/ http://www.linkedin.com/in/pietrolicata
#2
The first question is this. Why did you set up the VPN to use 10.8.0.0/24 if you wanted the remote client to access your LAN machines? Doesn't OpenVPN support on-subnet addressing (i.e. the remote client uses the same IP subnet as the LAN machines)? Windows VPN does.

If the remote client and the server virtual interface are in a different subnet from the LAN, there is no way that they can communicate without your adding extra routing. You would need to enable IP routing on the server and add a static route to the gateway router to forward traffic for 10.8.0.0 to the RRAS server. (Without this route, the traffic goes to the default gateway unencrypted and unencapsulated). The server could then deliver it to the remote client through the VPN tunnel.

W2k3 RRAS supports NAT, but it isn't really the solution to your problem.

"Pietro" <webmad_NOSPAM_@bigfoot.com> wrote in message news:epcemf$77k$(E-Mail Removed)...
> Good day to all.
> I have this scenario:
> A LAN with 10.0.1.0/24 subnet.
> A W2K3 server with R&RAS running, just one NIC, address 10.0.1.2.
> A dummy ADSL router (10.0.1.1) as default gateway for the LAN.
> OpenVPN on my server. Its virtual NIC has 10.8.0.0/24 subnet and 10.8.0.1
> address.
> OpenVPN works fine: when I establish VPN tunnel from my client, I get an
> IP address from 10.8.0.0 subnet, so I can reach the server at 10.8.0.1.
> I'm not able to reach the rest of the LAN, because other hosts don't know
> how to route packets to 10.8.0.0 subnet.
> I'm looking for a way which don't implies to set static routes neither on
> hosts in the LAN, nor on the default gateway.
> Unfortunately I didn't find in RRAS a feature to PAT the traffic coming
> from OpenVPN interface. This way, every packet coming from my client
> (10.8.0.x) would be sent into the LAN with 10.0.1.2 as source address.
> Some time ago, by another customer, I had a Cisco PIX 501 perfectly doing
> this "hard" work.
> Any hint?
> Thanks in advance!
> -Pietro.
>
> --
> http://store.webmad.it/ http://www.linkedin.com/in/pietrolicata
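Editor's added example (not code from either poster): a small longest-prefix-match model of the reply path from a LAN host back to a VPN client, using the thread's addresses. The client address 10.8.0.6, the simplified route tables and the `wan`/`tunnel` labels are assumptions made for illustration.

```python
import ipaddress

SERVER_LAN_IP = "10.0.1.2"   # RRAS/OpenVPN server, LAN side (from the thread)

def next_hop(routes, dst):
    """Longest-prefix match over (network, gateway) pairs."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(net), gw) for net, gw in routes
            if addr in ipaddress.ip_network(net)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

# Simplified route tables (constructed for this example).
LAN_HOST = [("10.0.1.0/24", "on-link"), ("0.0.0.0/0", "10.0.1.1")]
ADSL_ROUTER = [("10.0.1.0/24", "on-link"), ("0.0.0.0/0", "wan")]
# Same router with the static route described in the reply above.
ADSL_ROUTER_STATIC = [("10.8.0.0/24", SERVER_LAN_IP)] + ADSL_ROUTER
VPN_SERVER = [("10.0.1.0/24", "on-link"), ("10.8.0.0/24", "tunnel"),
              ("0.0.0.0/0", "10.0.1.1")]

def reply_path(client, router_table, snat=False):
    """Hops taken by a LAN host's reply to a VPN client.

    With snat=True the server rewrote the source to its own LAN address,
    so the LAN host answers to 10.0.1.2 instead of the 10.8.0.x address.
    """
    dst = SERVER_LAN_IP if snat else client
    path = []
    hop = next_hop(LAN_HOST, dst)            # decision made by the LAN host
    if hop != "on-link":
        path.append(hop)                     # handed to the default gateway
        hop = next_hop(router_table, dst)    # decision made by the ADSL router
        if hop != SERVER_LAN_IP:
            return path + [hop]              # reply never reaches the tunnel
    path.append(SERVER_LAN_IP)               # reply arrives at the VPN server
    # Server undoes any NAT mapping and routes to the real client address.
    return path + [next_hop(VPN_SERVER, client)]

if __name__ == "__main__":
    client = "10.8.0.6"                      # constructed client address
    print("no route :", reply_path(client, ADSL_ROUTER))
    print("static   :", reply_path(client, ADSL_ROUTER_STATIC))
    print("source NAT:", reply_path(client, ADSL_ROUTER, snat=True))
```
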
#3
Bill Grant wrote:
> The first question is this. Why did you set up the VPN to use 10.8.0.0/24
> if you wanted the remote client to access your LAN machines? Doesn't OpenVPN
> support on-subnet addressing (ie the remote client uses the same IP subnet
> as the LAN machines)? Windows VPN does.

Because of network address overlapping issues... I'm testing these tools at my lab. The customer I should install the tools to has the same network subnet address on both sites!

OpenVPN supports on-subnet addressing, too, as opposed to "tunnel mode". Some articles state I should enable Ethernet bridging between the LAN adapter and the OpenVPN virtual adapter. I'll try it...

> If the remote client and the server virtual interface are in a different
> subnet from the LAN, there is no way that they can communicate without your
> adding extra routing. You would need to enable IP routing on the server and
> add a static route to the gateway router to forward traffic for 10.8.0.0 to
> the RRAS server. (Without this route, the traffic goes to the default
> gateway unencrypted and unencapsulated). The server could then deliver it to
> the remote client through the VPN tunnel.
>
> W2k3 RRAS supports NAT, but it isn't really the solution to your
> problem.

Ok thanks, I'll get my Cisco back from the shelves

>
> "Pietro" <webmad_NOSPAM_@bigfoot.com> wrote in message
> news:epcemf$77k$(E-Mail Removed)...
>> Good day to all.
>> I have this scenario:
>> A LAN with 10.0.1.0/24 subnet.
>> A W2K3 server with R&RAS running, just one NIC, address 10.0.1.2.
>> A dummy ADSL router (10.0.1.1) as default gateway for the LAN.
>> OpenVPN on my server. Its virtual NIC has 10.8.0.0/24 subnet and 10.8.0.1
>> address.
>> OpenVPN works fine: when I establish VPN tunnel from my client, I get an
>> IP address from 10.8.0.0 subnet, so I can reach the server at 10.8.0.1.
>> I'm not able to reach the rest of the LAN, because other hosts don't know
>> how to route packets to 10.8.0.0 subnet.
>> I'm looking for a way which don't implies to set static routes neither on
>> hosts in the LAN, nor on the default gateway.
>> Unfortunately I didn't find in RRAS a feature to PAT the traffic coming
>> from OpenVPN interface. This way, every packet coming from my client
>> (10.8.0.x) would be sent into the LAN with 10.0.1.2 as source address.
>> Some time ago, by another customer, I had a Cisco PIX 501 perfectly doing
>> this "hard" work.
>> Any hint?
>> Thanks in advance!
>> -Pietro.
>> -- http://store.webmad.it/ http://www.linkedin.com/in/pietrolicata
Tags: pat, rras, w2k3