Networking Forums - Windows Server Networking

DNS and Split Tunneling for VPN?
#1  07-19-2007, 04:06 PM  Andrew



Ok I was following the guide found here,
http://www.microsoft.com/technet/com...uy/cg1003.mspx, to
set up split tunneling for our VPN connections.

The splitting works wonderfully! Oh I'm using the "Classless Static Routes
DHCP Option".

However the remote client only pulls DNS from host network DNS servers.

Therefore unless you know the IP address(es) of the VPN'd network this is
useless. I can't imagine this is supposed to be the case.

ipconfig /all on the remote computer lists the DNS servers on the VPN'd
network, but doesn't access them.

Does anyone have any ideas?

Thanks,

Andrew

#2  07-19-2007, 05:56 PM  Phillip Windell

The VPN Dialup Connectoid needs its own separate DNS Server entry,...either
via DHCP or Statically.

--
Phillip Windell
www.wandtv.com

The views expressed are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------

#3  07-19-2007, 06:07 PM  Andrew

I think I understand what you're saying, but not 100% sure. Can you explain
more?


ipconfig /all does show:

PPP adapter ARSCO - DC01:

   Connection-specific DNS Suffix  . : ROCKNET.Local
   Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
   Physical Address. . . . . . . . . : 00-53-45-00-00-00
   Dhcp Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.8.8
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 192.168.10.24
                                       192.168.10.25
   Primary WINS Server . . . . . . . : 192.168.10.24
   Secondary WINS Server . . . . . . : 192.168.10.25

All 192.168.8.0, 255.255.252.0 traffic goes out over the VPN.

Andrew

#4  07-19-2007, 06:46 PM  Phillip Windell

The type of VPN you are dealing with here is Remote Access VPN.
Keep that in mind.
There are different types of VPN with different behaviors and different
purposes.

The subnet you connected to with VPN is:
192.168.8.0

The DNS Servers are on a different subnet of:
192.168.10.0

When you run Split Tunneling you can only access the immediate subnet you
VPN'ed into,...you can *not* reach any other subnet on the system you VPN'ed
into,...that is the way it is,...that is the way it was designed and was
meant to be. The DNS Servers are unreachable to you unless you stop using
Split-Tunneling because you are only allowed to connect to devices on
192.168.8.x.

There are reasons why you are not supposed to use Split-Tunneling. When you
VPN into a system you put that system at risk from whatever "else" your PC
may be connected to,...therefore VPN is designed so that once you connect all
traffic goes through the VPN'ed system and effectively "cuts off" your
machine from any "other" connections it may be connected to (like the
Internet, or other subnets on your own local LAN). When you run
Split-Tunneling you are side-stepping this safety feature and therefore as a
result you can only connect to resources on the immediate subnet you VPN'ed
into. This is why some companies put their VPN Server on its own special
subnet so that if someone connects to it while running Split-Tunneling they
cannot get to anything anywhere else on the company's LAN.

The intention of Remote Access VPN is that you connect,..take care of the
task you connected to do,..then disconnect. It is not designed to
connect,..stay connected,...and access other resources on other LAN Segments
or the Internet at the same time.

This is not anything new. It is exactly the same way things behaved with the
old "modem-dialup-over-a-phone-line" connections. Remote Access VPN is
*still* the same old modem dialup technology except the physical modem was
replaced by the "virtual VPN adapter" and the phone number was replaced by
the IP#,...beyond that it is the same thing working on the same principles.

If you need to do all those tasks at the same time while connected to the
VPN,...then you need a Site-to-Site VPN (aka Router-to-Router VPN) which is
a completely different type of VPN which is "always up" and is performed by
a pair of VPN capable routing devices.

--
Phillip Windell
www.wandtv.com

#5  07-19-2007, 07:38 PM  Andrew

Ok I understand what you're saying. However I really don't consider this a
risk. Why would you want your VPN users to waste your company's bandwidth
by not using split tunneling? i.e. They VPN in and then access the
Internet.

As a network admin, there are a lot of times I need to be connected to the
company network and access the Internet at the same time. This is accomplished
with the default VPN setup, but Internet access is really slow. Work only
has a T1, I have a 15MB pipe from Time Warner.

I was able to get it to work, by having the VPN connection not pull a DHCP
address, but rather assign it an IP in the 192.168.10.0 network, from which
it had access to the DNS server.

Another work around would be to assign a 192.168.8.0 network address to the
DNS server.

Thank you for the help.

Andrew

#6  07-19-2007, 11:08 PM  Phillip Windell

"Andrew" <(E-Mail Removed)> wrote in message
news:O$(E-Mail Removed)...
> Ok I understand what you're saying. However I really don't consider this
> a risk.


I know,...and the true level of risk is debatable,...but it doesn't matter,
that is the way the technology is designed.

> Why would you want your VPN users to waste your company's bandwidth by
> not using split tunneling? i.e. They VPN in and then access the Internet.


Because it was determined by the VPN networking gods (whomever they may be)
that security was more important than bandwidth. But also remember that it
doesn't mean the users would "surf the net" by looping through the VPN,...it
could mean that they would not have the Internet at all,...they are supposed
to just use the resources they came for and then "leave",...then there is no
bandwidth being sacrificed. Many commercial VPN capable products (like MS
ISA for example) do not let the VPN users get to the internet at all unless
you go out of your way to make it happen.

> I was able to get it to work, by having the VPN connection not pull a DHCP
> address, but rather assign it an IP in the 192.168.10.0 network, from
> which it had access to the DNS server.
>
> Another work around would be to assign a 192.168.8.0 network address to
> the DNS server.


Well you'd have to actually move that DNS machine to the 8 subnet, you
couldn't just assign it the address if it doesn't agree with the
cabling,..but yes that is an option to get the DNS naming working,...but you
still can not access resources on other subnets beyond the "8" subnet with
Split-Tunneling on. Just because you could now resolve the name properly
doesn't mean you can connect to them. You'd still have to stop using
Split-Tunneling to do that.

I think the best solution would be to place a Workstation or Terminal Server
on the "8" subnet and then remote control it with RDP to do whatever Admin
work you wanted to do. That machine would be able to access anything since
it is physically there on the LAN and is not a VPN Client. Then the machine
you are sitting at home would access the Internet for whatever you want at
the same time. This is the way I handle ours,..early on I RDP'ed to my
desktop machine at work to work on things,...later on I deployed a Terminal
Server and replaced my desktop machine with a laptop that I take home,...I
RDP the Terminal Server from the Laptop. It may not be the answer to
everything but it worked for me. You may also have to reconsider some of
your methods of how you administrate things to deal with the reality of how
things are. You can't get anywhere by being rigid and only wanting to do
things one way.

--
Phillip Windell
www.wandtv.com

#7  07-20-2007, 04:40 PM  Andrew


"Phillip Windell" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Well you'd have to actually move that DNS machine to the 8 subnet, you
> couldn't just assign it the address if it doesn't agree with the
> cabling,..but yes that is an option to get the DNS naming working,...but
> you still can not access resources on other subnets beyond the "8" subnet
> with Split-Tunneling on. Just because you could now resolve the name
> properly doesn't mean you can connect to them. You'd still have to stop
> using Split-Tunneling to do that.


Actually that's not true, I can access anything within the 192.168.8.0,
255.255.252.0 network. All I did was assign a secondary IP address to the
DNS server to be in the 192.168.8.0 network, and then made sure its static
DNS information was set to use the 8.0 network IP.

Since 8.0 is the DHCP range, I have to restrict giving out the DNS server's
IP too.

#8  07-20-2007, 08:22 PM  Phillip Windell

"Andrew" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Actually that's not true, I can access anything within the 192.168.8.0,
> 255.255.252.0 network. All I did was assign a secondary IP address to the
> DNS server to be in the 192.168.8.0 network, and then made sure its static
> DNS information was set to use the 8.0 network IP.
>
> Since 8.0 is the DHCP range, I have to restrict giving out the DNS
> server's IP too.


Ok,..I didn't know there was a 252 in the third octet of the mask. Details
make a difference, that's why I annoy people so much by asking for more and
more details.

That can cause you to overload the IP Segment with broadcasts if you climb
over 250-300 hosts,...but that is a whole other debate that I don't want to
get into. Suffice it to say that the guideline is to never go over 250-300
hosts per segment. The 24 bit mask provides for 254 hosts which fits that
perfectly. If you need more, then create a new 254 host segment. But that is
off the current topic and I don't know that I want to get into that one.


--
Phillip Windell
www.wandtv.com

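The whole thread turns on one detail: whether the DNS server addresses fall inside the routes that the Classless Static Route DHCP option hands to the client (Phillip reasoned from a /24, Andrew's output shows mask 255.255.252.0). The following added example, not code from any post in the thread, encodes and decodes that option in its RFC 3442 wire format and reports which DNS servers no tunnel route covers; the gateway address 192.168.8.1 is an assumed value for illustration.

```python
"""Check whether the DNS servers handed to a split-tunnel VPN client are
reachable through the routes delivered by the DHCP Classless Static Route
option (RFC 3442, option 121; Microsoft also uses option 249).

Added example for this thread, not code from the original posts. Route and
DNS values come from the ipconfig output in the thread; the gateway
192.168.8.1 is an assumption."""
import ipaddress
import math


def encode_classless_routes(routes):
    """Encode (destination, gateway) pairs as RFC 3442 option data: one byte
    of prefix length, only the significant octets of the destination, then
    the 4-byte gateway address."""
    out = bytearray()
    for net, gw in routes:
        net = ipaddress.IPv4Network(net)
        sig = math.ceil(net.prefixlen / 8)
        out.append(net.prefixlen)
        out += net.network_address.packed[:sig]
        out += ipaddress.IPv4Address(gw).packed
    return bytes(out)


def decode_classless_routes(data):
    """Inverse of encode_classless_routes; returns [(network, gateway), ...].
    Rejects truncated or malformed option data instead of guessing."""
    routes, i = [], 0
    while i < len(data):
        plen = data[i]
        sig = math.ceil(plen / 8)
        if plen > 32 or i + 1 + sig + 4 > len(data):
            raise ValueError("truncated or malformed classless static route option")
        dest = data[i + 1:i + 1 + sig] + b"\x00" * (4 - sig)
        gw = data[i + 1 + sig:i + 5 + sig]
        routes.append((ipaddress.IPv4Network((dest, plen), strict=False),
                       ipaddress.IPv4Address(gw)))
        i += 1 + sig + 4
    return routes


def unreachable_dns_servers(routes, dns_servers):
    """Return the DNS servers that no tunnel route covers. A split-tunnel
    client sends queries to such servers out its normal Internet interface,
    where a private address is unreachable, so name resolution for the
    remote network silently fails."""
    nets = [net for net, _ in routes]
    return [ip for ip in dns_servers
            if not any(ipaddress.IPv4Address(ip) in net for net in nets)]


# Constructed sample from the thread: DNS servers on 192.168.10.x, route
# 192.168.8.0 delivered once with a /24 mask and once with 255.255.252.0.
DNS_SERVERS = ["192.168.10.24", "192.168.10.25"]

if __name__ == "__main__":
    for mask in ("255.255.255.0", "255.255.252.0"):
        option = encode_classless_routes([(f"192.168.8.0/{mask}", "192.168.8.1")])
        routes = decode_classless_routes(option)
        missing = unreachable_dns_servers(routes, DNS_SERVERS)
        print(f"route {routes[0][0]} (option bytes {option.hex()}): "
              f"unreachable DNS servers: {missing or 'none'}")
```

Run against a capture of the real option bytes, the same check tells you immediately whether a "DNS doesn't work over the split tunnel" report is a routing problem or a DNS server configuration problem.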