VPN server: routing based on source IP?

Ryan
10-11-2007, 11:17 PM
I'm running a VPN server on Windows Server 2003 SP2 with multiple "internal"
interfaces. I'd like to assign VPN clients an IP address on one of those
internal subnets/VLANs via the static IP setting on the Dial-up tab of the
user's AD properties page. I also want each of these users to use the
gateway of the corresponding subnet/VLAN based on their statically assigned
IP address.

For example, say I have two internal subnets attached to the VPN server:
192.168.1.0/24 and 192.168.2.0/24. The default gateway for the VPN server is
set to use the external interface, say 192.168.200.1. If I enter a static IP
of 192.168.1.50 in the AD user properties for "johndoe", I want him to use
the gateway on the 192.168.1.0/24 subnet. If I assign him a static IP of
192.168.2.60 I want all his traffic routed out through the gateway on
192.168.2.0/24 instead of the default gateway.

Does anyone know if it is possible to route traffic based on the source IP
of a particular VPN client?
Phillip Windell
10-12-2007, 05:30 PM
It doesn't work like that.
You have to choose *one* internal interface for the VPN clients to be
associated with. Their IP#, regardless of DHCP or Static, must be
from that segment.

You should not even be "wanting" this and you should not even create a
situation where it even matters what subnet they become part of. Access
Control for VPN users needs to be based on "who" the user is and not what
IP# they receive or what subnet they are on.

The only way I can think of to affect what subnet a VPN User gets associated
with is to stop using the Domain accounts by setting their Dialup Right to
"not allowed". Then use multiple RRAS/VPN boxes sitting on the edge of each
subnet. Then create local accounts on the RRAS/VPN box so that the user is
forced to use the RRAS/VPN box that you have given them the credentials of
the local account to use. The box they use determines what subnet they are
part of. They will have to *separately* authenticate for resources they
require on the LAN.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------

Phillip Windell
10-12-2007, 05:35 PM
"Ryan" <(E-Mail Removed)> wrote in message
news:24EC6E0D-5D15-46E4-ACD1-(E-Mail Removed)...
> 192.168.2.60 I want all his traffic routed out through the gateway on
> 192.168.2.0/24 instead of the default gateway.


That doesn't work like that even if the rest was not an issue. A Host can
only use a Gateway if that gateway is in the same subnet as the Host. Since
your two "gateways" are different subnets it is impossible to have a
"choice" of which to use.

Ryan
10-12-2007, 06:57 PM
Phillip,

Thank you for the response; maybe I wasn't clear in my description of the
issue. I don't want a user that is assigned an IP from one subnet to use a
gateway on another subnet. What I want to do is make sure that when a user
is assigned to a particular subnet, they will use the gateway on that subnet.
The reason is because each subnet has a firewall and in order for packets to
make it back to the host, they have to go out through the gateway on that
subnet.

I may have to fall back on a VPN server for each subnet, but I am trying to
avoid that if at all possible.

All other issues aside, do you (or does anyone) know if routing based on the
source IP is an option on Windows Server 2003 SP2? I bring it up because one
of my co-workers is using that type of routing on a Cisco box.

-Ryan

"Phillip Windell" wrote:

> "Ryan" <(E-Mail Removed)> wrote in message
> news:24EC6E0D-5D15-46E4-ACD1-(E-Mail Removed)...
> > 192.168.2.60 I want all his traffic routed out through the gateway on
> > 192.168.2.0/24 instead of the default gateway.

>
> That doesn't work like that even if the rest was not an issue. A Host can
> only use a Gateway if that gateway is in the same subnet as the Host. Since
> your two "gateways" are different subnets it is impossible to have a
> "choice" of which to use.
>
> --
> Phillip Windell
> www.wandtv.com
>
> The views expressed, are my own and not those of my employer, or Microsoft,
> or anyone else associated with me, including my cats.
> -----------------------------------------------------
>
>
>

Phillip Windell
10-14-2007, 12:48 AM
"Ryan" <(E-Mail Removed)> wrote in message
news:15C19C21-AA08-41B6-B092-(E-Mail Removed)...
> gateway on another subnet. What I want to do is make sure that when a
> user
> is assigned to a particular subnet, they will use the gateway on that
> subnet.
> The reason is because each subnet has a firewall and in order for packets
> to
> make it back to the host, they have to go out through the gateway on that
> subnet.


You misunderstand how VPN works. The VPN Router itself *is* the Default
Gateway of the VPN Client and that is not adjustable. You will not get a
VPN Client connected to one subnet while another VPN Client connects to a
different subnet when they both use the same VPN Server,...it just ain't
gonna happen.

You have to have a separate VPN Server for each subnet that you want to
"involve". The VPN Client will use a particular subnet based on which VPN
Server they use. The VPN Client is never, ever, ever, ever "aware" of any
"gateway" other than the VPN Server itself. How the traffic "routes" on the
LAN side of the VPN Server depends entirely on how the VPN Server
"understands" your LAN's routing scheme.

It is the way it works,..it is not "flexible". Remote Access VPN is based
on the old Dial-up technology and Dial-up Technology in some ways has its
"own way of doing things".

Assuming the VPN Server is a separate machine sitting on the network edge
and it is *not* doubling as the LAN's Firewall or the LAN Router........
Routing problems will be most likely caused by the LAN Routing Scheme, or
the lack thereof. If it is a multi-subnet LAN, then there must be a LAN
Router. Every Host on the LAN needs to use the LAN Router as the Default
Gateway. An exception would be the VPN Server which would use a Static route
since its DFG would face the Internet. Then the LAN Router would use the
Firewall as the Default Gateway. You can *not* have the VPN Client use the
Firewall to "get to the net" because the VPN Server doesn't use the
Firewall to get to the Net. Also the VPN Client is already on the Net to
begin with or they couldn't have a VPN Connection,...so they have to
disconnect the VPN to use the Net by their own means.

If I still misunderstand your setup, then that just goes to show how complex
this can become and why it is so important to have the "big picture"
properly designed for everything within the overall system concerning what
it is expected to do and why it is so extremely important to clearly explain
everything when posting a question in cases like this.

Bill Grant
10-14-2007, 04:41 AM

Of course you can always put your remote clients in their own subnet and
route that subnet through your RRAS server. The RRAS server gives its
"internal" interface one IP in that subnet and all the remote users get IP
addresses in the same IP subnet. Since all traffic from the remote client
goes to the VPN server by default, all you need to set up on the LAN is that
all traffic for the remote clients gets to the RRAS server. If the RRAS server
is the default router for the LAN it automatically works.
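As an added illustration (not code from the thread or from Windows RRAS), the lookup below models the two routing behaviours argued over above: the destination-only route table a Windows 2003 RRAS box consults, where the client's source address plays no part, and the source-keyed policy rule Ryan's co-worker has on the Cisco box, constrained by Phillip's point that a gateway must sit on the same subnet as the host using it. The route table, the per-subnet gateways 192.168.1.1 and 192.168.2.1, and the interface names are assumptions built from the addresses in the thread.

```python
from ipaddress import ip_address, ip_network

# Constructed route table modelled on the thread's layout: one RRAS box with two
# internal interfaces and an external default gateway of 192.168.200.1.
# Entries are (destination prefix, gateway, interface); 0.0.0.0 means on-link.
ROUTES = [
    ("0.0.0.0/0",      "192.168.200.1", "external"),
    ("192.168.1.0/24", "0.0.0.0",       "int1"),
    ("192.168.2.0/24", "0.0.0.0",       "int2"),
]

# Assumed source-policy rules: (source prefix, gateway to force for that source).
# This is the "route based on source IP" behaviour, not something RRAS offers.
POLICY = [
    ("192.168.1.0/24", "192.168.1.1"),
    ("192.168.2.0/24", "192.168.2.1"),
]


def destination_lookup(dst, routes=ROUTES):
    """Plain destination-based lookup: longest matching prefix wins.
    The packet's source address is never consulted, which is why two VPN
    clients on one RRAS server always leave via the same default gateway."""
    best = None
    for prefix, gw, ifname in routes:
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, ifname)
    return (best[1], best[2]) if best else None


def policy_lookup(src, dst, policy=POLICY, routes=ROUTES):
    """Source-policy lookup: a rule matching the source overrides the table.
    The forced gateway must be on-link for that source (Phillip's same-subnet
    rule); otherwise the rule is rejected rather than silently black-holing."""
    for prefix, gw in policy:
        net = ip_network(prefix)
        if ip_address(src) in net:
            if ip_address(gw) not in net:
                raise ValueError(f"gateway {gw} is not on the same subnet as {src}")
            ifname = next(i for p, _, i in routes if ip_network(p) == net)
            return (gw, ifname)
    # No rule for this source: fall back to ordinary destination routing.
    return destination_lookup(dst, routes)
```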
