VPN Clients and subnet, NOT the usual "255.255.255.255 subnet mask" question!

Discussion in 'Windows Networking' started by snowdog_2112, Sep 8, 2006.

  1. snowdog_2112

    snowdog_2112 Guest

    Greetings,

    I have my Window VPN client properties set to *NOT* use the default
    gateway on remote network (for policy reasons). The RAS server is a
    Win2000 Server. The RAS server is handing out IP's from its own pool.
    The netmask on the pool is 255.255.255.192.

    I get the typical route for the VPN address with the host mask
    (255.255.255.255). I also get a route for the class C of the RAS
    server, with gateway of my client IP.

    0.0.0.0 0.0.0.0 10.175.192.97
    10.175.192.113 10 <=== Local IP
    10.175.192.96 255.255.255.224 10.175.192.113 10.175.192.113
    10
    10.175.192.113 255.255.255.255 127.0.0.1 127.0.0.1
    10
    192.168.89.0 255.255.255.0 192.168.89.7 192.168.89.7
    1 <=== VPN IP
    192.168.89.7 255.255.255.255 127.0.0.1 127.0.0.1
    50

    The problem is, the RAS server's subnet mask is not 255.255.255.0, but
    is really 255.255.240.0. The LAN is in a larger subnet than a single
    class C.

    Therefore, my VPN cannot reach any devices on the LAN that are between
    192.168.80.0 and 192.168.88.255, even though they are on the same LAN.
    If I manually add a route at the client ("route add 192.168.80.0 mask
    255.255.240.0 192.168.89.7" in this case), it works fine.

    Question 1: can I have the RAS server assign that static route using
    the IP assigned to the VPN client as the gateway -- without enabling
    the "use default gateway on remote network"?

    Question 2: Why am I getting a route for the class C? Is this because
    I am *not* using the default gateway on remote network?

    Thanks.
     
    snowdog_2112, Sep 8, 2006
    #1
    1. Advertisements

  2. You're not supposed to.
    Yes. That is exactly why. It is a security risk to not enable that,...that
    is why it is enabled by default. This is all designed the way it is on
    purpose. Without it, you will have to manually add a route at the client
    (every VPN client) as you described earlier.
     
    Phillip Windell, Sep 8, 2006
    #2
    1. Advertisements

  3. snowdog_2112

    snowdog_2112 Guest

    Hey, thanks for the quick response!

    I was thinking the "use default gateway" option was not as good because
    it forces *all* of the traffic from the VPN client out my Internet
    connection. I have 3rd party people in, and I don't want to be
    providing Internet access for them -- what if they are VPN'd in and
    download porn over my connection?

    Isn't it safer to just have them access my network over the VPN
    connection and use the internet out their own connection (split tunnel,
    so to speak)?

    Please correct me if I'm missing something here. Thanks!
     
    snowdog_2112, Sep 8, 2006
    #3
  4. No. It forces all traffic not destined to your personal machine's own local
    subnet through the VPN. That's not quite the same thing although it may
    seem subtile.
    That is up to you to not allow that to happen. See below.
    The design is meant to protect the network being "VPN'ed" into. It is not to
    protect the local personal machine. You fool around on the Net
    independently,..get infected with something,...spead it to the LAN you
    VPN'ed into. By forcing the non-local traffic over the VPN, the remote LAN
    you connect to is able to filter your evil browsing habits using whatever
    product or means they have in place to do that. For example,...if you VPN
    into our system I can completely prevent you from browsing the Internet
    totally if I wish,...problem solved.

    Remember that even if you have a proxy server configured in your Browser's
    "LAN/Connection" settings,...these will be ignored while the VPN is active.
    VPN is a "dialup" technology,...if you look in the browser settings you will
    see the VPN and other Dialup Connections if they exist. If you look at the
    "Settings" of each one you will find that they each have their own
    independent proxy settings,...so if you VPN into my system you have to
    assign proxy setting to that particular VPN Connectiod and would have to use
    my proxy and fall under the restrictions that I set on that proxy. The "use
    remote gateway" prevents you from "sidestepping" my proxy and going to the
    Internet intependently and possibly speading some infection to me. However
    unchecking that box causes you to not get anywhere on my LAN beyond the
    particular subnet the you "dialed into". Hence some Admins have specific
    small subnets that accept the VPN dialins but leave the user "trapped" there
    if the "use remote gateway" is not enabled.

    BTW - This is all "old stuff". Back in the days when dialup was popular
    this all worked the same way. VPN is just a new form of Dialup and falls
    under the same principles.
     
    Phillip Windell, Sep 8, 2006
    #4
  5. snowdog_2112

    Bill Grant Guest

    To get back to a question in the original post, it was asked why you get
    a 24-bit
    subnet mask for your subnet route. The reason is that this mask is generated
    by the client machine itself. The mask depends solely on the address it
    receives. It does not get the subnet mask address from the server.

    Since the subnet mask depends only on the received IP it uses the old
    class rules. So if it gets a 192.168.x.y address it uses a 24-bit mask. If
    it gets a 10.x.y.z address it uses an 8-bit mask. As Phillip said this is
    old stuff. It was a bit different in NT/W98. There is a description of the
    differences in KB 254231.
     
    Bill Grant, Sep 9, 2006
    #5
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.