Windows IT Pro is the authoritative and independent resource for Windows NT, Windows 2000, Windows 2003, Windows XP. Features a collection of resources and magazines for Windows IT professionals.
  
  


November 2000

RRAS and DHCP Leasing



Are your DHCP scopes doomed to be drained?

At a recent conference at which I spoke, a session attendee asked me about the following RRAS and DHCP scenario: When you select the Windows 2000 Routing and Remote Access Server Setup Wizard's Virtual private network (VPN) server configuration option (which Figure 1 shows), RRAS configures a large number of available VPN connections (i.e., 128 PPTP connections and 128 Layer 2 Tunneling Protocol—L2TP—connections) for incoming clients. I had problems with Windows NT RAS and RRAS exhausting my DHCP scopes when obtaining DHCP leases for dial-in RAS clients. Based on the number of VPN connections that Win2K RRAS configures, this situation will go from bad with NT to worse with Win2K. Are my DHCP scopes doomed to be drained?

I'm happy to report good news: Win2K RRAS handles DHCP leasing more intelligently than NT 4.0 RAS and RRAS do. Win2K's DHCP leasing behavior is different from the NT 4.0 method, in which the NT RAS server leases enough IP addresses for all the RAS devices configured on the RAS server (e.g., modems, ISDN terminal adapters, PPTP VPN adapters), as well as one address for the RAS server interface. For example, if you've configured 15 modems for use with your NT 4.0 RAS or RRAS server, the server leases 16 IP addresses when RAS or RRAS starts up.

In Win2K, RRAS uses the more intelligent method of leasing IP addresses from a DHCP server in pools or groups on an as-needed basis. This process prevents RRAS from wasting valuable IP addresses.

If a DHCP server is available and you've configured a Win2K RRAS server to use that DHCP server for client addressing, the RRAS server leases IP addresses in blocks of 10 and stores the addresses in the Registry to allocate to clients later. If the RRAS server's address pool is exhausted, the server leases additional addresses from the DHCP server in blocks of 10. The efficiency of this block-by-block method prevents the DHCP lease-draining problems that are common on NT 4.0 RAS and RRAS servers that support many clients. The key benefit of this leasing method is that you can increase or reduce the size of the IP address pool allotments as you see fit.

Depending on your situation, you might determine that you need to modify the default number of DHCP leases that Win2K RRAS obtains from the DHCP server. You can change the number of addresses that RRAS leases at one time by editing the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\IP Registry subkey. The default value of the InitialAddressPoolSize subkey (of type REG_DWORD) is 10.
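The registry change described above, as an added PowerShell example (not code from the original article): it reports the current `InitialAddressPoolSize` and, with `-Apply`, creates or overwrites it as a REG_DWORD, which also covers the case a reader comment on this page raises, where the value does not exist yet. The `-DesiredSize` and `-Apply` parameters and the 1 to 1024 bound are assumptions of this example, and it presumes a server on which PowerShell is available.

```powershell
# Added example: inspect or set the RRAS DHCP lease block size.
# Key path and value name come from the article; parameter names are hypothetical.
param(
    # Illustrative guard only, not a documented limit of RRAS.
    [ValidateRange(1, 1024)]
    [int]$DesiredSize = 10,

    # Without -Apply the script only reports and changes nothing.
    [switch]$Apply
)

$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\IP'
$valueName = 'InitialAddressPoolSize'

if (-not (Test-Path -Path $keyPath)) {
    throw "Registry key not found: $keyPath (is RRAS installed and configured?)"
}

# The value may be absent; Get-ItemProperty then returns nothing and $current is $null.
$current = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName

if ($null -eq $current) {
    Write-Output "$valueName is not present; the article gives 10 as the default block size."
} else {
    Write-Output "$valueName is currently $current."
}

if ($Apply -and $current -ne $DesiredSize) {
    # -Force creates the value if missing, or overwrites an existing one.
    New-ItemProperty -Path $keyPath -Name $valueName `
        -PropertyType DWord -Value $DesiredSize -Force | Out-Null

    # Read back to confirm what is now stored.
    $stored = (Get-ItemProperty -Path $keyPath -Name $valueName).$valueName
    Write-Output "$valueName set to $stored (REG_DWORD)."
}
```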

This Win2K RRAS and DHCP question was probably on the minds of many administrators who have already used PPTP or L2TP to set up RRAS with VPN connections. These administrators, as well as the conference attendee who asked the question, can breathe a sigh of relief to know that Win2K RRAS servers handle DHCP server interaction and client IP address allocation more intelligently than their NT 4.0 predecessors do.




Reader Comments
Yes, you can, but you'll need to implement some mechanism for controlling access to Internet resources on your network. For example, you might assign RAS users IP addresses from a fixed (i.e., static) pool, then filter those IP addresses so that they can't access the Internet on the router or firewall on your network. Another solution is to utilize a gateway device that can restrict access based on policies (e.g., the user account, how the user is accessing the network), such as Microsoft's new Internet Security and Acceleration Server 2000. Many other firewall products on the market also provide these types of features.

--Sean Daily

Sean Daily December 01, 2000


I regularly read Sean Daily's Remote Possibilities column in Windows 2000 Magazine. I have a question about our RRAS server setup. Our remote users dial in to our server through an 800 number. We just looked at one of our bills: Several users stayed online for more than 500 minutes at a time, surfing the Web. Is there any way we can let our users connect to our servers, read their email, and access their files but limit any other use?

Jubel Easaw December 01, 2000


Good article but I have a few additional comments which I think people will find useful.

Firstly, I think quoting "the RRAS server leases IP addresses in blocks of 10" is potentially confusing because it implies 10 addresses will always be leased from your DHCP server with the default setting. In actual fact, if you have less than 10 RAS ports configured, 10 addresses are *not* leased - the Win2K leasing behaviour then defaults back to the NT4 behaviour which is <number of ports +1>. So for example if you're using only 5 PPTP ports, your DHCP server will lease only 6 addresses when your RRAS loads.

I know this has confused people before, who only have a few ports configured and their DHCP server is not behaving as they thought it should after reading documentation such as this - so I thought I would point it out.

Also your article implies the registry subkey InitialAddressPoolSize already exists with a default value of 10 and you simply have to edit it - whereas in fact you must first create it and then set the value you want.

And lastly, an important difference between NT4 RAS and Win2K RRAS when it comes to DHCP leases is that Win2K supports APIPA by default. This means that if it cannot contact a DHCP server on loading it will resort to allocating addresses from the APIPA range (169.254.x.x) - which means that RAS users will be allocated an IP address successfully, but they will not be able to communicate beyond your RRAS server. Your only clue to this remote access failure will be in the RRAS server's event log. This is "intelligent" only if remote clients do not need access to the rest of your network. If however, your remote clients need access beyond your RRAS server then I recommend disabling APIPA on the RRAS server.

Carol Bailey March 06, 2001


Since RRAS will allow you to assign addresses from a pool of addresses that you define, this will allow you to exclude that range of addresses from your DHCP server. Then use DHCP relay to get the DHCP options to the client. Then, since Windows 2000 creates 256 devices, reconfigure the number of devices to something more realistic, like 8 or 16 devices.

Anonymous User January 21, 2005

