IP, IPX, and AppleTalk Router

Once the remote access connection is established, the remote access client can begin sending LAN protocol traffic to the remote access server or to locations beyond the remote access server. When the remote access client sends LAN protocol traffic that is not destined for the remote access server, the remote access server must forward the LAN traffic to its appropriate destination. To accomplish this, the remote access server must have forwarding capabilities enabled on its routable protocols and act as an IP, IPX, and AppleTalk router.

When the Routing and Remote Access service is installed and enabled to provide point-to-LAN remote access connectivity, it enables forwarding between the installed LAN adapters and the WAN miniport interface.

Figure 7.8 illustrates the remote access server architecture as it appears when routing packets. To simplify the illustration, only IP routing is shown; IPX and AppleTalk routing work in the same fashion.


Figure 7.8 IP Routing on the Remote Access Server

Packets from Remote Access Clients

The following process describes how IP packets sent by the remote access client are forwarded by the remote access server.

  1. Depending on the dial-up technology, either the entire PPP frame is received by the WAN hardware and passed up as a single frame to the appropriate WAN miniport driver or individual bits of the PPP frame are passed up to the appropriate WAN miniport driver.

  2. The WAN miniport driver passes the PPP frame to Ndiswan.sys.

  3. Ndiswan.sys verifies the PPP checksum and uses the PPP protocol ID to determine that it is an IP datagram. For more information about PPP, see "Point-to-Point Protocol" later in this chapter.

  4. The IP datagram is passed to the TCP/IP protocol driver.

  5. The TCP/IP protocol driver, which is enabled for IP forwarding, determines a forwarding interface and an IP address based on the destination IP address in the IP datagram and the contents of its routing table.

  6. To forward the IP datagram using the LAN adapter, the TCP/IP protocol calls NDIS with an NdisSend(), along with instructions to send it using the LAN adapter.

  7. NDIS forwards the IP datagram to the appropriate LAN miniport driver.

  8. The LAN miniport forwards the IP datagram to the LAN adapter through NDIS.

The end result is that packets from the remote access client are forwarded using the same IP routing process used for all IP routing. The success of the IP forwarding process depends on whether the remote access server can find a suitable entry in the IP routing table. Therefore, the remote access server must either be configured with a default gateway or have specific routes to all the locations on the intranet to which it is attached. Specific routes can be added as static routes or by enabling a routing protocol on the remote access server.

Packets to Remote Access Clients

The following process describes how IP packets sent by intranet hosts to the remote access client are forwarded by the remote access server.

  1. The LAN adapter passes a frame to its appropriate LAN miniport driver through NDIS. The details of how an IP datagram is forwarded to the MAC address of the remote access server can be found in the next section, "TCP/IP On-Subnet and Off-Subnet Addressing."

  2. The LAN miniport driver passes the IP datagram to the TCP/IP protocol driver through NDIS.

  3. The TCP/IP protocol driver, which is enabled for IP forwarding, determines a forwarding interface and IP address based on the destination IP address in the IP datagram and the contents of its routing table. When the remote access client connects, a host route is created in the IP routing table for the IP address allocated to the remote access client that points to the RAS server interface.

  4. To forward the IP datagram using the WAN adapter, the TCP/IP protocol calls NDIS with an NdisSend() with instructions to send it using NDISWAN and a specific connection handle.

  5. NDISWAN resolves the connection handle to a specific device and port, adds a PPP header and trailer, and forwards the IP datagram to the appropriate WAN miniport driver through NDIS.

  6. The WAN miniport driver forwards the IP datagram to the WAN adapter through NDIS.

The end result is that packets from intranet hosts are forwarded using the same IP routing process used for all IP routing. The success of the IP forwarding process depends on whether the IP addresses of remote access clients are reachable from the hosts on the intranet.
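The forwarding decision in step 5 of "Packets from Remote Access Clients" and step 3 of "Packets to Remote Access Clients" can be modeled as a longest-prefix-match lookup. The following is an added example, not code from the original chapter or from Windows; the class, function names, interface labels, and all addresses are constructed for illustration.

```python
import ipaddress

LAN_IF = "LAN adapter"           # label used by this model only
RAS_IF = "RAS server interface"  # label used by this model only

class RouteTable:
    """Illustrative longest-prefix-match table, not the Windows TCP/IP driver."""

    def __init__(self):
        self.routes = []  # (network, next hop or None if on-link, interface)

    def add(self, prefix, next_hop, interface):
        self.routes.append((ipaddress.ip_network(prefix), next_hop, interface))

    def remove(self, prefix):
        net = ipaddress.ip_network(prefix)
        self.routes = [r for r in self.routes if r[0] != net]

    def lookup(self, dst):
        """Return (next-hop IP, interface) for the most specific route, or None."""
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if addr in r[0]]
        if not matches:
            return None  # no suitable entry: the datagram cannot be forwarded
        _, hop, iface = max(matches, key=lambda r: r[0].prefixlen)
        return (hop or dst, iface)  # on-link route: deliver directly to dst

def build_server_table(default_gateway=None):
    """Constructed addressing: intranet subnet 10.1.0.0/16 on the LAN adapter."""
    table = RouteTable()
    table.add("10.1.0.0/16", None, LAN_IF)
    if default_gateway:
        table.add("0.0.0.0/0", default_gateway, LAN_IF)
    return table

def client_connect(table, client_ip):
    # Host route created when the remote access client connects.
    table.add(f"{client_ip}/32", None, RAS_IF)

def client_disconnect(table, client_ip):
    table.remove(f"{client_ip}/32")

if __name__ == "__main__":
    t = build_server_table(default_gateway="10.1.0.1")
    client_connect(t, "10.1.200.5")
    for dst in ("10.1.200.5", "10.1.3.4", "192.168.50.9"):
        print(dst, "->", t.lookup(dst))
```

In this model, the /32 host route wins over the /16 subnet route while the client is connected, and a server with neither a default gateway nor a matching specific route returns no result for an off-subnet destination.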