
I have an RRAS WS2k8r2 server with two NICs:

  • public NIC is in the DMZ network segment behind a firewall (which does NAT by itself);
  • private NIC is in the local network segment.

The same firewall takes care of all the traffic from local and DMZ segments to the Internet.

Now, VPN clients receive IPv4 addresses from the local segment scope, so they can reach the private network just fine, but they cannot reach the Internet. The "use default gateway .." option is enabled.

I could implement NAT on the RRAS server itself, but I suppose this would mean that the traffic is NATed twice (on the RRAS and on the firewall), and the traffic from VPN clients to the Internet would go through the DMZ segment. I prefer to have the same policies for VPN clients as are set for PCs in the local network segment.

So, how do I route the VPN clients' traffic to the Internet through the local subnet, without NAT on RRAS? Maybe VPN clients should be on a separate segment, with RRAS in between this segment and the local segment. How can this be accomplished?

Thanks!

1 Answer


After some research, I found that this is very hard to accomplish, if not impossible. The default route should always point to the public NIC (through the DMZ subnet in my case). One can add a second default route with a lower metric (i.e. higher priority) to the RRAS server which points to the private network segment, but the server simply ignores it. So I decided to use a different approach without RRAS.
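As an added illustration (not part of the original question or answer), the following Python 3 script applies the standard longest-prefix-match, lowest-metric route selection to a constructed `route print` table containing the two default routes the answer describes. The addresses, interface names and metrics are made up for the example. It shows which gateway a host would normally be expected to prefer for Internet-bound traffic, so that the computed choice can be compared with the path the RRAS server actually takes (for instance by running `tracert` from a VPN client); a mismatch is the symptom the answer reports.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample of the IPv4 "Active Routes" section of `route print` on a
# dual-homed RRAS host (assumed addresses, not taken from the original post):
#   10.0.0.0/24    = DMZ segment   (public NIC 10.0.0.5, firewall 10.0.0.1)
#   192.168.1.0/24 = local segment (private NIC 192.168.1.5, firewall 192.168.1.1)
# Two default routes are present; the one via the private NIC has the lower
# metric and should therefore win under normal selection rules.
ROUTE_PRINT_SAMPLE = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.0.0.1        10.0.0.5     20
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.5     10
         10.0.0.0    255.255.255.0         On-link         10.0.0.5    266
      192.168.1.0    255.255.255.0         On-link      192.168.1.5    266
        127.0.0.0        255.0.0.0         On-link        127.0.0.1    306
"""

# (network, gateway, interface address, effective metric)
Route = Tuple[ipaddress.IPv4Network, str, str, int]


def parse_route_print(text: str) -> List[Route]:
    """Parse the five-column IPv4 route lines; header and malformed lines are skipped."""
    routes: List[Route] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        dest, mask, gateway, iface, metric = parts
        try:
            network = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
            metric_value = int(metric)
        except ValueError:
            continue  # e.g. the column header line
        routes.append((network, gateway, iface, metric_value))
    return routes


def default_routes(routes: List[Route]) -> List[Route]:
    """All 0.0.0.0/0 entries; more than one means competing default gateways."""
    return [r for r in routes if r[0].prefixlen == 0]


def select_route(routes: List[Route], destination: str) -> Optional[Route]:
    """Standard selection: longest matching prefix first, then lowest metric.

    This is the textbook rule for a host routing table; it does not model any
    RRAS-specific behaviour, which is exactly why its result is useful as a
    reference to compare against what the server really does.
    """
    addr = ipaddress.IPv4Address(destination)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r[0].prefixlen, r[3]))


if __name__ == "__main__":
    table = parse_route_print(ROUTE_PRINT_SAMPLE)
    for r in default_routes(table):
        print(f"default route via {r[1]} on {r[2]} metric {r[3]}")
    chosen = select_route(table, "8.8.8.8")
    print("expected next hop for 8.8.8.8:", chosen[1] if chosen else "none")
```

Running the script lists both default routes and reports the private-segment gateway (metric 10) as the expected next hop for an Internet address. If a trace from a VPN client instead leaves through the DMZ gateway, the host is not honouring the lower-metric entry, which matches the behaviour described in the answer.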
