VPN / RAS on local net

 
 
Brochs
      03-15-2007, 05:19 PM
Hi, I hope someone can help me with a small problem I can't seem to find a
solution to.

My Network setup:
Firewall / Router with "official IP" and 192.168.1.1 (running DHCP and DNS)

Windows 2003 Server (No Domain) with two NICs 192.168.1.5 and 192.168.1.10
running amongst other services RAS for VPN.

I want to use 192.168.1.5 for free internal access to fileserver and
terminal server, and use 192.168.1.10 to receive port 1723 and protocol 47
forwarding from firewall to accept VPN logins.

This all works fine, but when I configure server NIC 192.168.1.10 (VPN) to
drop all packets except 1723 and protocol 47 I am able to log in through PPTP
VPN but nothing more. I can't connect to the server any more on NIC 192.168.1.5,
everything seems to be locked out by the rule I just made on NIC 192.168.1.10.

Hope I have managed to explain my problem, and what's more :-) Hope someone
can help me to solve this problem.

RB

Dragos CAMARA
      03-15-2007, 07:41 PM
Hi,
You have to set different network segments on the NICs on the server.
--
Dragos CAMARA
MCSA Windows 2003 server
 
Brochs
      03-15-2007, 08:07 PM
Thank you for your reply.

I know that this is a possibility, but then I will have to make a whole new
subnet as well, and this will not be ideal for my setup. And also I would
have to enable NAT in this case I suppose.
Do you mean by this that there is no possible way for me to just block
traffic on one of the NICs when both are on the same subnet?

Do you know if forwarding port 1723 and protocol 47 to NIC 192.168.1.10
without traffic blocking would be a bigger security risk? Both NICs are
behind a secure firewall.

RB
 
Bill Grant
      03-15-2007, 08:56 PM
You cannot successfully run two NICs in a machine if they are in the same
IP subnet (unless you use NIC teaming). You can have two IP addresses on one
NIC.

What did you hope to gain by this anyway? The traffic all ends up in the
same place, no matter which NIC it uses.
 
Brochs
      03-16-2007, 01:55 AM
Hi,

Well, maybe I'm thinking wrong, but I wanted to route all LAN traffic to one
NIC without restrictions, and route incoming VPN traffic to the other NIC with
rules to drop ALL traffic but the one to port 1723 and Protocol 47.

Any input is welcome if my thoughts about this are not right.

RB
 
Dragos CAMARA
      03-16-2007, 05:13 AM
Hi,
It simply does not work, because the computer will send the response by who
knows which NIC (most probably the first driver loaded). So let's say a request
comes in by one NIC: it will probably send the response by the other NIC, and
that will be a nasty situation, which is what is happening to you. Maybe if you
set the local NIC to be loaded first it will work, but I have serious doubts.
Network settings -> tools -> advanced settings, Adapters and Bindings tab.
--
Dragos CAMARA
MCSA Windows 2003 server
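
The reply-path problem discussed in this thread, modelled in Python as an added example (not code from any poster). It is a simplified model: route choice looks only at the destination, the metrics, the client address 192.168.1.50 and the second segment 192.168.2.0/24 are constructed, and the VPN NIC's filter is assumed to apply to packets leaving that NIC as well.

```python
import ipaddress

def vpn_filter(pkt):
    """The thread's rule for the VPN NIC: pass only GRE (protocol 47) and TCP 1723."""
    return pkt["proto"] == 47 or (pkt["proto"] == 6 and 1723 in (pkt["sport"], pkt["dport"]))

FILTERS = {"vpn": vpn_filter}  # the LAN NIC carries no filter

# Constructed route tables. The metrics are assumptions standing in for
# whichever NIC the stack happens to prefer when both sit on 192.168.1.0/24.
SAME_SUBNET = [
    {"net": "192.168.1.0/24", "nic": "lan", "metric": 20},  # 192.168.1.5
    {"net": "192.168.1.0/24", "nic": "vpn", "metric": 10},  # 192.168.1.10
]
SPLIT_SUBNETS = [
    {"net": "192.168.1.0/24", "nic": "lan", "metric": 20},
    {"net": "192.168.2.0/24", "nic": "vpn", "metric": 10},  # hypothetical second segment
]

def egress_nic(routes, dst):
    """Destination-only lookup: longest prefix first, then lowest metric.
    The reply's source address plays no part in the choice."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in ipaddress.ip_network(r["net"])]
    if not hits:
        return None  # no route to the client
    best = max(hits, key=lambda r: (ipaddress.ip_network(r["net"]).prefixlen, -r["metric"]))
    return best["nic"]

def reply_delivered(routes, server_ip, client_ip, service_port):
    """Return (egress NIC, allowed) for the server's TCP reply to a client."""
    reply = {"src": server_ip, "dst": client_ip, "proto": 6,
             "sport": service_port, "dport": 50000}  # 50000: constructed client port
    nic = egress_nic(routes, client_ip)
    if nic is None:
        return None, False
    return nic, FILTERS.get(nic, lambda pkt: True)(reply)

if __name__ == "__main__":
    # A LAN client reaching the terminal server (TCP 3389) on 192.168.1.5.
    for name, routes in (("same subnet", SAME_SUBNET), ("split subnets", SPLIT_SUBNETS)):
        print(name, reply_delivered(routes, "192.168.1.5", "192.168.1.50", 3389))
```

With both NICs on one subnet the terminal-server reply is handed to the filtered NIC and dropped even though the client addressed 192.168.1.5; with separate segments the same reply leaves on the unfiltered LAN NIC.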

 