RRAS allow VPN clients access to DMZ

Rahul Sukumar 141 Reputation points
2022-04-07T03:30:21.39+00:00

I am trying to allow VPN clients connecting to a RRAS server in our DMZ access to other servers in the DMZ. Network topology is as follows:

Win10 VPN client -> Internet -> DMZ firewall -> NAT map to external interface of RRAS -> Internal perimeter network -> Internal perimeter firewall -> LAN

DMZ network is 10.0.1.0
Internal perimeter network is 10.0.30.0
LAN is 10.0.50.0

RRAS has a static route to route traffic from internal perimeter to LAN using gateway of 10.0.30.1. The RRAS server is supplying VPN clients with addresses in this network.

My question is, how can I route VPN clients so that they can access other servers in the DMZ network (10.0.1.0/24)? Setting up a static route doesn't seem to be working. I think this is because the external NIC on the RRAS server is on the 10.0.1.0 network, and even adding a static route so that 10.0.30.0 machines use the gateway of 10.0.30.1 makes it lower priority than the local route (which is the RRAS server itself; the server's routing table's gateway for 10.0.1.0 is 0.0.0.0).

Any help is appreciated!


1 answer

  1. Limitless Technology 44,046 Reputation points
    2022-04-13T07:30:00.333+00:00

    Hi there,

    If the VPN clients receive an IP address in the same IP subnet as the LAN machines, you do not need any static routes. They are all in the same IP subnet, so no IP routing can take place. What happens is that the RRAS server does proxy ARP for the remote client.

    The DMZ should not be in the same IP subnet as the LAN, and if the remote client wants to access the Internet through the VPN tunnel, we should configure NAT for the VPN client in the RRAS server.

    Here are some links that might help you in getting some insights into this topology.

    RRAS VPN - DMZ / LAN routing and Internet access
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/02fdc5b3-8e69-40e3-ab07-5e4f1557a707/rras-vpn-dmz-lan-routing-and-internet-access?forum=winserverNIS

    Enable RRAS as a VPN Server and a NAT Router
    https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd458971(v=ws.11)?redirectedfrom=MSDN

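The route-priority reasoning in the question can be checked with a small model of the RRAS server's routing table. This is an added example, not part of the original thread: it uses the generic rule "longest prefix first, then lowest metric", and the /24 masks for 10.0.30.0 and 10.0.50.0, the default gateway 10.0.1.1, the interface names and every metric are constructed assumptions.

```python
import ipaddress
from typing import NamedTuple, Optional


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    next_hop: Optional[str]  # None = on-link (gateway shown as 0.0.0.0)
    interface: str           # hypothetical interface label
    metric: int              # constructed value, not read from a real server


def route(prefix, next_hop, interface, metric):
    return Route(ipaddress.ip_network(prefix), next_hop, interface, metric)


# Constructed table for the RRAS server described in the question.
RRAS_TABLE = [
    route("0.0.0.0/0", "10.0.1.1", "external", 10),      # assumed default gateway
    route("10.0.1.0/24", None, "external", 10),          # DMZ, on-link
    route("10.0.30.0/24", None, "internal", 10),         # internal perimeter, on-link
    route("10.0.50.0/24", "10.0.30.1", "internal", 20),  # static route to the LAN
]

# The extra static route the question describes trying for the DMZ network.
WITH_DMZ_STATIC = RRAS_TABLE + [
    route("10.0.1.0/24", "10.0.30.1", "internal", 20),
]


def candidates(table, dest):
    """Every route whose prefix contains the destination address."""
    addr = ipaddress.ip_address(dest)
    return [r for r in table if addr in r.prefix]


def lookup(table, dest):
    """Pick the longest matching prefix; break ties on the lowest metric."""
    matches = candidates(table, dest)
    if not matches:
        return None
    return min(matches, key=lambda r: (-r.prefix.prefixlen, r.metric))


if __name__ == "__main__":
    for dest in ("10.0.50.20", "10.0.1.25"):  # constructed host addresses
        chosen = lookup(WITH_DMZ_STATIC, dest)
        print(dest, "->", chosen.next_hop or "on-link", "via", chosen.interface)
```

With these constructed metrics the two 10.0.1.0/24 entries tie on prefix length, so the metric alone decides which one carries traffic to the DMZ.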