Routing and Remote Access
Hello,

Apologies if this is not in the right forum, but I couldn't find any closer match. Could anyone tell me the answer to this problem?

We currently have Routing and Remote Access running on a Windows Server 2003 machine, to which users connect using Microsoft VPN. It is set up so that, using a NAT policy, our firewall lets PPTP traffic through to the said server. This all works OK, the only problem being that our LAN and VPN clients get their IP addresses from the same DHCP server on the network, which works fine, but we're running out of IP addresses. So, I decided to give the VPN clients IP addresses from a different range using the static address pool on the RRAS. So we have:

Existing network (DHCP): 192.168.254.0/24
Static Address Pool (RRAS): 192.168.252.0/24

Now, I can connect to the VPN OK, and get a 192.168.252 address; however, I can't connect to the 192.168.254 network, no pings, nothing. I know you can have one network card in a Windows server with two IP addresses on it, but can anyone tell me how I get the routing between the two addresses to work, or whether I need to do anything in Routing and Remote Access as well? I've tried a few permutations but no luck.

Any help gratefully received.

Thanks,
DC.
September 3rd, 2012 11:06am

Hello,

I have not done this before so I cannot say 100% for sure, but I'm guessing that if you add a third NIC as your subnet 192.168.252.0 and then enable routing between the two private subnets, you will achieve your goal.

WAN -> VPN Interface
NIC1 - 192.168.254.0
NIC2 - 192.168.252.0

Configure IGRP or RIP (I can't remember exactly what protocols RRAS supports) between NIC1 and NIC2 and you should be good to go.

Miguel Fra | Falcon IT Services, Miami, FL
www.falconitservices.com | www.falconits.com
September 3rd, 2012 11:16am

Thanks Miguel.

I've tried adding 192.168.254.9 and 192.168.252.150 to the same NIC, but the routing between the two addresses doesn't seem to work. Do I need to do it somewhere else as well, or add a specific protocol, etc.?

Thanks,
DC
September 3rd, 2012 11:51am

All you should need to do is enable IP routing on the RRAS server. The RRAS server itself should then route between the LAN subnet and the remote subnet. You don't need a NIC - it uses the internal interface in RRAS, which is the endpoint for the VPN connections.

When the LAN and remote IPs are in the same subnet, you don't need routing. The RRAS server does proxy ARP on the LAN for the remotes.

http://technet.microsoft.com/en-us/library/cc958008.aspx

Bill
September 3rd, 2012 8:25pm

I agree with Bill that the primary requirement is to enable routing in the RRAS configuration [right click on server name in RRAS, select properties, general, LAN and demand dial routing].

If the remote clients have left "use remote default gateway" checked in their VPN/PPP adapter configuration, they should then be able to connect to the server. However, if unchecked, you will probably have to add a route to the client, which is awkward as the IP changes. On a client, assuming their dynamic VPN IP is 192.168.252.101, you need:

    route add 192.168.254.0 mask 255.255.255.0 192.168.252.101

In addition, if the client wants to connect to something on the RRAS server LAN other than the RRAS server itself, that device will need to know the return route. When the RRAS server is the gateway for the network this is not necessary, but it appears it is not. Thus, on the LAN server or PC to which the VPN client wants to connect, there needs to be a return route added. Alternatively, this could be added to the LAN's gateway/router if it supports adding static routes. Assume the RRAS server's LAN IP is 192.168.254.1:

    route add 192.168.252.0 mask 255.255.255.0 192.168.254.1

This is why it is simpler to use a subset of the LAN's DHCP address pool.

Rob Williams
September 4th, 2012 2:56pm
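
The return-route problem described in the answer above, as an added example that is not part of the original thread: a longest-prefix-match lookup over a LAN host's routing table shows where its reply to a VPN client is sent, before and after the return route is added. The default gateway 192.168.254.254 and the in-subnet client 192.168.254.200 are constructed values; 192.168.254.1 and 192.168.252.101 follow the assumptions made in the answer.

```python
import ipaddress

RRAS_LAN_IP = "192.168.254.1"    # RRAS server's LAN address, as assumed in the answer
DEFAULT_GW = "192.168.254.254"   # constructed: the LAN's existing gateway/firewall

# Constructed routing table of a LAN host before any change: (prefix, gateway)
LAN_HOST = [
    ("192.168.254.0/24", "on-link"),
    ("0.0.0.0/0", DEFAULT_GW),
]
# Same host after: route add 192.168.252.0 mask 255.255.255.0 192.168.254.1
LAN_HOST_FIXED = LAN_HOST + [("192.168.252.0/24", RRAS_LAN_IP)]


def next_hop(table, dst):
    """Longest-prefix match; returns the gateway, "on-link", or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return best[1] if best else None


def reply_path(table, vpn_client_ip):
    """Classify where a LAN host sends its reply to a VPN client."""
    hop = next_hop(table, vpn_client_ip)
    if hop is None:
        return ("no-route", None)
    if hop == "on-link":
        # Pool inside the LAN subnet: RRAS answers ARP on the client's behalf.
        return ("proxy-arp", None)
    if hop == RRAS_LAN_IP:
        return ("via-rras", hop)
    # Reply leaves via another gateway that may not know the VPN pool.
    return ("misrouted", hop)


if __name__ == "__main__":
    for name, table, client in [
        ("separate pool, no return route", LAN_HOST, "192.168.252.101"),
        ("separate pool, return route added", LAN_HOST_FIXED, "192.168.252.101"),
        ("pool inside LAN subnet", LAN_HOST, "192.168.254.200"),
    ]:
        print(f"{name}: {reply_path(table, client)}")
```
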

Hello,

Thank you for all your comments. I'm out of the office for a few days at the moment. I will try out your suggestions on my return.

Many thanks.
DC.
September 5th, 2012 4:29am

This topic is archived. No further replies will be accepted.
