Windows 2000 Server RRAS Router Setup

I have installed two network cards in my Windows 2000 Server; one is my private 10.0.0.1 and one is my public 128.10.10.1. My public NIC connects to a hardware firewall 128.10.10.2 and an Ethernet ADSL modem 128.10.10.3. I have enabled RRAS as a router, but how do I configure routing so my clients on my private LAN can contact items on my private side? My clients can only get as far as the private NIC 128.10.10.1. My clients are running Windows 2000 Pro.
stevenlewis

Are you trying to allow your clients access to the internet?
ASKER (Ljel)
Yes, I want my clients on my private LAN to be able to access the internet through the server.
Not sure what this "my clients on my private lan can contact items on my private side" means. But one way or the other, have you enabled IP routing? Quoted from http://www.ms-mvps.com/

How to Configure Windows Server to Be a Router
To set up Windows 2000/2003 as a router for a LAN, you need two network adapters. To enable LAN routing, go to Administrative Tools > Routing and Remote Access > Action > Configure and Enable Routing and Remote Access, and then complete the wizard. Right-click the server for which you want to enable routing, and then click Properties > General > Router, and check the routing option.
ASKER (Ljel)
Client IP 10.0.0.2, GW 10.0.0.1. Server nic1 IP 10.0.0.1, nic2 IP 128.10.10.1, GW 128.10.10.3. Firewall IP 128.10.10.2 and ADSL modem IP 128.10.10.3. My server can connect to the Internet, my firewall, modem and my client, but my client can only connect to my server; it can ping both nic1 and nic2. My ADSL modem is NAT enabled. I have configured RRAS as a network router and have confirmed that the router option is checked in General > Router > Properties; I have not made any other settings. Do I need to give server nic1 a GW? Is my client GW correct? And when I said "my clients on my private lan can contact items on my private side" I meant that my client could not ping my firewall or modem.
>> Do I need to give server nic1 a GW?
No
>> Is my client GW correct?
Yes
Run a tracert from the client to the firewall.
If possible, for testing purposes pull out the firewall and see if your client can ping the modem (LAN side).
ASKER (Ljel)
Tracert results are: hop 1 = 10.0.0.1 (nic1)
hop 2 = request timed out
I have connected a laptop directly into NIC2 and I can't ping that either from my private client, but I can from my server.
Check this reg key and make sure it is set for IP forwarding:
How to Enable TCP/IP Forwarding in Windows 2000

http://support.microsoft.com/support/kb/articles/Q230/0/82.ASP
Also on the server, do a route print and post the results here.
ASKER (Ljel)
I have enabled TCP/IP forwarding on my server and client, but unfortunately without joy. Here is the route print from my server:
Active routes:
Destination       Network          Gateway       Interface     Metric
0.0.0.0           0.0.0.0          128.10.10.3   128.10.10.1   1
10.0.0.0          255.0.0.0        10.0.0.1      10.0.0.1      1
10.0.0.1          255.255.255.255  127.0.0.1     127.0.0.1     1
10.255.255.255    255.255.255.255  10.0.0.1      10.0.0.1      1
127.0.0.0         255.0.0.0        127.0.0.1     127.0.0.1     1
128.10.0.0        255.255.0.0      128.10.10.1   128.10.10.1   1
128.10.10.1       255.255.255.255  127.0.0.1     127.0.0.1     2
128.10.255.255    255.255.255.255  128.10.10.1   128.10.10.1   2
224.0.0.0         224.0.0.0        10.0.0.1      10.0.0.1      1
224.0.0.0         224.0.0.0        128.10.10.1   128.10.10.1   2
255.255.255.255   255.255.255.255  128.10.10.1   128.10.10.1   1
Default gateway:  128.10.10.3
Persistent routes: None
ASKER (Ljel)
I have disconnected the firewall and connected a laptop to the cable going into the firewall LAN port; I can ping my private clients and my private clients can ping my laptop. I then disconnected my laptop and connected the modem; I can ping this from my server but not my clients. I then disconnected my modem and connected the firewall; I can again ping this from my server but not my clients. Why can I ping another PC from my clients and my server, but I can only ping my firewall and modem from my server?
Because of this, obviously, I can only access the internet from my server, as my clients display "page cannot be displayed", which leaves me back at square one with my clients unable to access the internet.
Let's try a route add:
route add 128.0.0.0 mask 255.0.0.0 128.10.10.1
ASKER (Ljel)
I have added the route but my clients still cannot ping my firewall or modem, or use Internet Explorer to access the logon screen for either. Just a quick one: it doesn't matter that the server is a domain controller, does it? I know that Microsoft doesn't recommend a domain controller as a gateway to the internet, but I don't have a choice.
You can have your DC do routing, but there will be a performance hit...  Also, I am sure you are aware that there are issues that arise from running a multihomed system, as you can obviously see...

One question though, is there a reason you want to even run RRAS..???  Why don't you just run everyone through a switch and let the router/firewall manage your WAN..?  If you want to limit access to the WAN, you can use GPOs and IPSec to do this....

Just curious...

FE
Thanks for coming in here, buddy!
ASKER (Ljel)
The reason I am using RRAS is that I want at a later stage to set up a VPN into my network, and I don't really want users getting near my LAN without being authenticated first by my server. I am used to setting up Win2K SBS and it is so easy to set up a multihomed network; I have set up a SOHO at home with a Windows 2K Server, Exchange 2000 and three clients on my LAN. I am just trying to follow what I am used to and use two NICs as in SBS. I am just signing up with a new ISP to provide me with a no-NAT 4 IPs setup so I can give my modem and firewall static IPs to allow me to set up VPN; I have never touched VPN before and I want to learn. Maybe I am doing things wrong; so many people say different things, it's confusing to know what is the best to go with.
Completely understandable..  and RRAS is the way to go when you want a VPN tunnel using the Windows technologies...  It can be difficult and there are many steps to take to enable the VPN with RRAS, but that is later...  Guess we need to focus on why your setup is not working...   let me digest the previous comments and see if we can find out where you went wrong...  

I do have some other things happening around me, so I will be in and out...

And Steven, you are welcome.. always do enjoy working with you (and all the other experts) on these..  :)

FE
ASKER (Ljel)
Thinking about what Fatal Exception last said about connecting my firewall and modem up to a switch/router: my firewall is a 3COM Officeconnect 25 that has the ability, with a purchasable upgrade, to allow VPN traffic. Would this be a better solution than using Windows VPN technologies? The 3COM upgrade will activate the VPN capabilities and provide client software that will allow 10 consecutive users. What exactly is the best solution, remembering that this is not just for my home network but also a learning curve for work?
Ljel
I hope you don't mind, I've asked a fellow expert (Fatal) to take a look here too. I trust him, he's good!

FE, this is the way it always was in the "old days" LOL
Steven...   And this is the way it should be...  much better...

If you are asking a personal question regarding my thoughts on configuring a network...  I prefer to let my servers do what they were intended to do, and that is serve resources to my clients...  My office network provides a vpn via a Cisco Pix, which also doubles as DHCP and of course, a firewall....  We have multiple vpn's running through it and that leaves my server available for what it is supposed to do...  

And to tell you the truth, it has been a while since I played with RRAS, and that is why I have to give it some thought...  So to your specific problem...  It does not sound to me that your 2 NICs are properly bridged....  It just has to be on the server...  I am looking for some documentation on this...  maybe we can narrow it down a little more...  

Back in a bit...
When you configured RRAS..  did you use the Wizard..?  Check out this article:

http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;243374

And here is a great Resource for RRAS:

http://labmice.techtarget.com/networking/ras.htm

Also, here is some info if you have not seen it regarding Static Routing....

http://support.microsoft.com/default.aspx?scid=kb;EN-US;178993

FE
In other words, what the first article is telling us is that if you use the Wizard, the connection (bridge) is setup to only use PPTP or L2TP...  this could be why your clients can not get through...  maybe..?
ASKER (Ljel)
Yes, fine with what you are saying, but if I am understanding you correctly aren't we going away from my initial issue and into VPN? I don't need either PPTP or L2TP just for routing. When I configured RRAS as a router, I used the wizard and selected network router as my option, and RRAS started; I didn't configure anything else after this point except edit the registry to enable IP forwarding. As I said, if I connect a laptop up to my public NIC then my clients can contact my laptop and my laptop can contact my clients (using ping). But when I remove the laptop and replace it with either my firewall or modem I cannot contact (ping) either of them, only from the server itself. They both have web administration contacted by their respective IPs in a web browser; I can open this from my server but my clients display "page cannot be displayed". I just don't understand why I can contact a Windows XP Pro laptop but neither my firewall nor my modem.
Let's see if I have this right:
modem --> firewall --> server --> other machine
Ok...  I missed the part about connecting your laptop on the WAN side of your server..  sorry..

Nice brief article, Steven..

On the server, please do an
ipconfig /all and post it here.
Also, after enabling IP forwarding, did you reboot?
Good point Steven..  changes in the router require the router to be restarted...  
ASKER (Ljel)
Server IPCONFIG /ALL
node type - Hybrid
IP Routing enabled - Yes
Wins Proxy enabled - No

Adapter
Realtek RTL8139
DHCP enabled - No
IP Address - 10.0.0.1
Subnet - 255.0.0.0
Default Gateway -
DNS Server - 10.0.0.1

Adapter
Realtek RTL8139
DHCP enabled - No
IP Address - 128.10.10.1
Subnet - 255.255.0.0
Default Gateway - 128.10.10.2
DNS Server - 62.172.195.15

Client IPCONFIG /ALL
node type - Hybrid
IP Routing enabled - Yes
Wins Proxy enabled - No

Adapter
3COM Etherlink XL 10/100
DHCP enabled - Yes
IP Address - 10.0.0.2
Subnet - 255.0.0.0
Default Gateway - 10.0.0.1
DNS Server - 10.0.0.1
Is that subnet for 128.10.10.1 right..?  
128.x.x.x is a class b, so 255.255.0.0 would be correct
What make of firewall is this we are dealing with?

Your client is getting a valid IP from your DHCP server (the NAT server), so this is good.
It has to be that your server is not routing, or the firewall is blocking.
You can ping the 128.10.10.1 from the client, but not the firewall? The firewall isn't set to block pings, is it?
I can't see anything wrong with your server side.

On your VPN client, look at the properties of the VPN connection.
Look at the networking tab
Look at the properties of TCP/IP
Press "Advanced"
And make sure "Use default gateway on remote network" is selected
One interesting thing is that the tracert is not getting through the router...  
ASKER (Ljel)
Steven:- my firewall or modem cannot be blocking ping, as I can ping them from my server.
My firewall is a 3COM Officeconnect 25.

shoptheweb:- sorry about the information above, the suggestions went off track. We are not talking about VPN, only setting the server up as a router for my clients to access the internet through a second network card; VPN is a subject for a later discussion.

Fatal Exception:- I have connected my laptop (128.10.10.5) to the WAN NIC again; as I said before, I can ping my clients (10.0.0.3) and they can ping my laptop, so routing must be working.
I have done a tracert from my client on my private NIC to my laptop on my public NIC; the results are:-
tracert 128.10.10.5

Tracing route to laptop (128.10.10.5)
over a maximum of 30 hops:

1 <10ms  <10ms  <10ms   SERVDC1 (10.0.0.1)
2 <10ms  <10ms  <10ms   LAPTOP (128.10.10.5)
Trace complete

Then from my Laptop to my client results are:-
tracert 10.0.0.3

Tracing route to (10.0.0.1)
over a maximum of 30 hops:

1 <1ms  <1ms  <1ms   (10.0.0.1)
Trace complete

Then a tracert from my server to my modem, therefore through my firewall.
tracert 128.10.10.3

Tracing route to spare1-10.cs.purdue.edu (128.10.10.3)
over a maximum of 30 hops:

1 <10ms  <10ms  <10ms   spare1-10.cs.purdue.edu (128.10.10.3)
Trace complete

What spare1-10.cs.purdue.edu means I don't know.
Maybe something I've noticed might help: the firewall event log shows alerts for IP SPOOF DETECTED every couple of minutes from my client's IP address 10.0.0.3 (I have confirmed the MAC address as my client) to my ISP DNS IP address. These spoof detections are on ports 1025, 1047, 1063, 1071, 1097 and 1100.
I hope this helps something.
The spare1-10.cs.purdue.edu has to do with name resolution of the Ip address 128.10.10.3..  Is this within the Purdue Univ network?  Just curious...  :)

The packet that is being picked up by the firewall has information regarding the NAT of your RRAS...  It may be that because of this, it believes that the packet's IP is being spoofed and is not allowing it through...  I am not that well versed in the firewall scripting, so this is a little out of my league...  What we need to do here is to lure a network specialist into this thread..  Or perhaps Steven can shed some light here..  eh..???

FE
I'm not versed in firewall scripting either, but the packets seem to be getting to the modem (128.10.10.3).
I am downloading the user guide now.
Well, what a download (26 MB).
OK, I'm confused about a couple of things.
The firewall IP address is a public address, but you are using NAT. My thinking is it should be a private address, and that should be the gateway address, not the modem.

This way the firewall/router provides the NAT from a private address to the public.
I have a D-Link router w/ built-in firewall, and this is how I have my LAN set up:
modem --> router (LAN IP of 192.168.0.1) --> network
and my gateway is 192.168.0.1;
the router does all the NAT.
Steven makes a good point..  My question would be..  what is your external/Global IP address?  On our Cisco Firewalls, they pick up the Global address and use NAT/PAT...  It appears that your modem is doing this...  In other words, if the 128.10.10.x network is a private subnet, why is it even on your modem, as they do not usually do NAT transversal..   Am I making any sense here...???
128.x.x.x is not a reserved private network range.
They are:
10.0.0.0      -   10.255.255.255  (10/8 prefix)
172.16.0.0    -   172.31.255.255  (172.16/12 prefix)
192.168.0.0   -   192.168.255.255 (192.168/16 prefix)
So I assume this is the public address, so they are using 2 addresses of their provider.
I'm fairly sure the firewall should have a private address.

Oh, FE, I've asked chicogoan to come in here too :-)
He's real good with firewalls, etc
yes...  I have worked with him before and he is one of the best here...  

After reviewing my previous comment, I see that I misworded it, or was just confused on the configuration..  Not used to having the Global IP range come through the firewall and into my servers......   Maybe I just need to brush up on my firewall configurations...  hmmm..  would really be interested in Chicago's take on this...

FE
Internet

<ADSL Modem>
<Firewall IP 128.10.10.3> (3COM Officeconnect 25 outside)
<Firewall IP 128.10.10.2> (3COM Officeconnect 25 inside)

             ^
             |
< nic2 IP 128.10.10.1>
< GW 10.0.0.1 Server nic1 IP>   Windows 2000 Server
             ^
             |
(switch/hub/x-over)
             ^
             |
<Client IP 10.0.0.2>

Help me paint this picture:

You have a network at 10.0.0.0.
You have a dual-homed windows 2000 server 10.0.0.1 and 128.10.10.1

You have a 3COM Officeconnect 25 and an ADSL Modem.
You've given the inside interface 128.10.10.2 and the modem is assigning 128.10.10.3 to the outside interface.

Is this correct??


What are your public address and subnet masks?

At a minimum, your Windows 2000 server is going to have to NAT the 10.x.x.x network to 128.10.10.1
http://support.microsoft.com/default.aspx?scid=kb;en-us;310357

However: your addresses 128.10.10.1, 128.10.10.2 and 128.10.10.3 are either all on the same subnet, or 128.10.10.3 would fall on a network address. The interfaces on the firewall have to be on different subnets.
What are your public address and subnet masks?
Exactly...  Thanks for stopping by ch...
ditto!
ASKER (Ljel)
I used to have a Windows 2000 SBS server set up when we had to install one for a client; that was easy, as you had an internet wizard that configured all the routing for you. The modem is providing NAT between the 128.x.x.x side of the network. The only change to the network now is that the SBS server has been replaced by a Windows 2000 server; I am trying to configure this setup much the same as the SBS setup, but I don't have a wizard to do everything for me. The nic2, firewall and modem are all on the 255.255.0.0 subnet; the 128.10.10.x IP range was not used for any specific reason, it was used with no specific thought. The network above is spot-on to how mine is configured.
WHY will I have to use NAT between 10.x.x.x and 128.x.x.x? I thought you could only use NAT once, and I am using it on my modem, as I do not have a fixed IP address assigned from my ISP.
Public IP 207.68.173.254 at the moment.
Ahh...  so you are using a public IP range for your 'external' route to the firewall/modem...  This is where I was really getting confused..!!!  But since Chicagoan is the better man for the job here, I will just sit back and wait for his response..  :)

OK - you took 128 addresses to use for the inside hop from your windoze box to the firewall... this is world-routable address space and that's what's confusing.

What isn't confusing is that you have to have the firewall between two subnets.

The external interface of the firewall should get its IP address from the DSL modem (or be set to your static address).

The internal interface of the firewall and the external interface of the windoze box need to be on one subnet.

Let's use 192.168.0.1 255.255.255.0 and 192.168.0.2 255.255.255.0 for the sake of talking.

The inside interface of your windoze box remains 10.x.x.x and is the default router or gateway of your internal network.
The windoze machine routes 10.x.x.x to the inside interface and 0.0.0.0 0.0.0.0 to the inside address of the firewall.
The firewall then NATs the traffic to its outside interface.
This is all assuming you can enter a route for 10.x.x.x on your firewall to the outside interface of the windoze machine.

Internet

<ADSL Modem>
<Firewall IP dhcp or static from ISP> (3COM Officeconnect 25 outside)
<Firewall IP 192.168.0.2> (3COM Officeconnect 25 inside)

             ^
             |
< nic2 IP 192.168.0.1>
< GW 10.0.0.1 Server nic1 IP>   Windows 2000 Server
             ^
             |
(switch/hub/x-over)
             ^
             |
<Client IP 10.0.0.2>

Now... why do you want to use your windoze machine as a router?
Looks like we have come full circle with the question...  why..?  :)
I thought that firewall config looked strange :-)
The customer is always right!

But, at these rates, we get to ask 'why'.

There are plenty of legitimate reasons: proxy, firewall capabilities beyond that of the 3com (stateful inspection, bandwidth metering, debug-level logging, snmp, caching)... I'm just curious.
>>But, at these rates, we get to ask 'why'.
*big grin*
ASKER (Ljel)
To answer your question as to why I want to use a Windows machine as a router:
I have only set up SBS 2000 server before, have always used two NICs and used the internet wizard to configure; it is easy. Second, in about four weeks I am getting four static IPs from my ISP, so that my modem and firewall can have static IPs, thus enabling me at a later date to set up VPN, but let's not go there again at the moment. My question is, if I can see the internal side of my firewall from my clients then I am happy, but at present I cannot. My idea (I'm sorry if I am wrong, but isn't that why I am here) is:

Internet

<ADSL Modem static from ISP> (both outside and inside)
<Firewall static from ISP> (3COM Officeconnect 25 outside)
<Firewall IP x.x.x.x> (3COM Officeconnect 25 inside)

             ^
             |
< nic2 IP x.x.x.x>
< GW 10.0.0.1 Server nic1 IP>   Windows 2000 Server
             ^
             |
(switch/hub/x-over)
             ^
             |
<Client IP 10.0.0.2>

I will change my nic2 and LAN firewall to 192.x.x.x, see if my client can then communicate with my firewall, and add the routes as above.
Correct...!!!  Will be keeping my fingers crossed for you...
Ah, this is the way it used to be, collaboration, not competitiveness. I love it!
ASKER (Ljel)
I'm sorry, people, but I must not be explaining myself properly. I appreciate all the help that I am getting; I have tried everything that has been advised, and still my clients cannot communicate with my firewall, either by ping, tracert or Internet Explorer. Therefore if they can't see at the least my firewall, then they will never be able to connect to the internet. I just do not know what I am doing wrong. I do not have a preference for what IP addresses are used anywhere; I just want to allow my clients access to the internet through my server.
If we break the network down and build it up piece by piece, my clients can contact server NIC1 and server NIC2, but then it fails to contact the firewall. What I really don't understand is, if I replace the firewall with a laptop, they can contact each other. So I think then it must be something to do with the firewall configuration, but I can contact the firewall from my server without error. WHY?
Is the firewall set to discard ping requests?
Personally, I would rethink using your W2K box as a router..  It would be so much easier if you just disable one of the nics and use it as a backup nic...  Then let the server do its job and the switch route the traffic to the WAN..  I know this is not what you are asking, but it seems to me the simplest solution....  And you don't need to have 2 nics to establish your VPN in the future..  

That being said, I would love to hear of a resolution to your problem...  

FE
ASKER (Ljel)
Steven:- in answer to your question, it seems obvious that the firewall is not set to discard ping requests, because we have said numerous times that I can ping the firewall and the modem from the server.

FE:- Yes, I agree that, looking at things, having the firewall and modem connected to a switch and also connecting the clients to the switch would allow everyone who is connected to the switch internet access.

Question 1:- Why can I use the configuration I have if I use Windows 2000 SBS, yet I am having all this trouble because I want to use Windows 2000 Server?

Question 2:- Connecting everything to a switch, does this not reduce my protection from the internet, whereas connected through the server I would also have authentication?

Question 3:- If I was to use the switch setup, would I have no problems when I come to set up VPN?

I would also love to hear a resolution to this problem, but it looks like at the moment no one has one. Therefore really I am left with either going with the switch setup or Windows 2000 SBS.
Can you post the results of ROUTE PRINT on your windoze machine?
If you really want security, you would put that server in a DMZ..  but let's not even go there right now, eh..?

Personally, I would like nothing better to see chicagoan solve this puzzle...  So I will sit on the sidelines and watch what happens...  :)

Question 1:- Why can i use the configuration i have if i use Windows 2000 SBS, yet i am having all this trouble because i want to use Windows 2000 Server.

Shouldn't be a problem if it's properly setup

Question 2:- Connecting everything to a switch, does this not reduce my protection from the internet, whereas connected through the server i would also have authentication.

It would only require authentication if you set up ISA as a reverse proxy

Question 3:- if i was to use the switch setup, would i have no problems when i come to setup VPN.

If you're talking about using the windoze box as a VPN into your network, you would want to route through it.
Some firewalls support VPN as well.

I would also love to hear a resolution to this problem, but it looks like at the moment no-one has one. therefore realy i am left with either going with the switch setup or Windows 2000 SBS.

You haven't posted the results of ROUTE PRINT yet; there's no reason you can't route through the windoze machine.
If you have your subnets set up correctly you just need to enable routing and have the proper routes.

ASKER (Ljel)
Here is the route print from my Windows 2000 Server that will not allow my clients to contact the firewall or server:
Active routes:
Destination       Network          Gateway       Interface     Metric
0.0.0.0           0.0.0.0          128.10.10.3   128.10.10.1   1
10.0.0.0          255.0.0.0        10.0.0.1      10.0.0.1      1
10.0.0.1          255.255.255.255  127.0.0.1     127.0.0.1     1
10.255.255.255    255.255.255.255  10.0.0.1      10.0.0.1      1
127.0.0.0         255.0.0.0        127.0.0.1     127.0.0.1     1
128.10.0.0        255.255.0.0      128.10.10.1   128.10.10.1   1
128.10.10.1       255.255.255.255  127.0.0.1     127.0.0.1     2
128.10.255.255    255.255.255.255  128.10.10.1   128.10.10.1   2
224.0.0.0         224.0.0.0        10.0.0.1      10.0.0.1      1
224.0.0.0         224.0.0.0        128.10.10.1   128.10.10.1   2
255.255.255.255   255.255.255.255  128.10.10.1   128.10.10.1   1
Default gateway:  128.10.10.3
Persistent routes: None

Here is the route print from my Windows 2000 SBS Server that will allow the clients to connect to the firewall and modem:
Active routes:
Destination       Network          Gateway       Interface     Metric
0.0.0.0           0.0.0.0          128.10.10.3   128.10.10.1   1
127.0.0.0         255.0.0.0        127.0.0.1     127.0.0.1     1
128.10.0.0        255.255.0.0      128.10.10.1   128.10.10.1   1
128.10.10.1       255.255.255.255  127.0.0.1     127.0.0.1     1
128.10.255.255    255.255.255.255  10.0.0.1      10.0.0.1      1
10.0.0.0          255.255.0.0      128.10.10.1   128.10.10.1   1
10.0.0.1          255.255.255.255  127.0.0.1     127.0.0.1     1
10.0.255.255      255.255.255.255  10.0.0.1      10.0.0.1      1
224.0.0.0         224.0.0.0        10.0.0.1      10.0.0.1      1
224.0.0.0         224.0.0.0        128.10.10.1   128.10.10.1   1
255.255.255.255   255.255.255.255  10.0.0.1      10.0.0.1      1
Default gateway:  128.10.10.3
Persistent routes: None
Well... I see you haven't renumbered your network to private IP...
but that's not a dealbreaker (you will cut yourself off from 255x255 hosts in the 128.10 netblock).

You've enabled routing...

Are you dead certain you know which interface is which?
And can you check the value of IPEnableRouter in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
ASKER (Ljel)
IPEnableRouter    REG_DWORD  0x00000001 (1)
interface 128.10.10.1 = firewall/modem/Internet
interface 10.0.0.1 = LAN

And sorry, but the above route print for the SBS Server is wrong; here is the correct one:

Active routes:
Destination       Network          Gateway       Interface     Metric
0.0.0.0           0.0.0.0          128.10.10.3   128.10.10.1   1
127.0.0.0         255.0.0.0        127.0.0.1     127.0.0.1     1
128.10.0.0        255.255.0.0      128.10.10.1   128.10.10.1   1
128.10.10.1       255.255.255.255  127.0.0.1     127.0.0.1     1
128.10.255.255    255.255.255.255  128.10.10.1   128.10.10.1   1
10.0.0.0          255.255.0.0      10.0.0.1      10.0.0.1      1
10.0.0.1          255.255.255.255  127.0.0.1     127.0.0.1     1
10.0.255.255      255.255.255.255  10.0.0.1      10.0.0.1      1
224.0.0.0         224.0.0.0        10.0.0.1      10.0.0.1      1
224.0.0.0         224.0.0.0        128.10.10.1   128.10.10.1   1
255.255.255.255   255.255.255.255  10.0.0.1      10.0.0.1      1
Default gateway:  128.10.10.3
Persistent routes: None

I have cross-referenced them both, and the Windows 2000 Server has these additional routes:

10.0.0.0          255.0.0.0        10.0.0.1      10.0.0.1      1
10.255.255.255    255.255.255.255  10.0.0.1      10.0.0.1      1
255.255.255.255   255.255.255.255  128.10.10.1   128.10.10.1   1

and the SBS Server has these:

10.0.0.0          255.255.0.0      10.0.0.1      10.0.0.1      1
10.0.255.255      255.255.255.255  10.0.0.1      10.0.0.1      1

I hope we are getting there.
Are the subnet masks on 10.0.0.1, your dhcp scope (the subnet mask the clients are using) and the route statement on your firewall (10.x.x.x via 128.10.10.1) consistent?
chicagoan
I had him do a route add earlier, but purposely didn't make it persistent.

Ljel, is this entry present in the route print on the SBS server that works?
10.0.0.0          255.255.0.0      128.10.10.1   128.10.10.1   1
ASKER (Ljel)
No, this route is not present; the route is:-
10.0.0.0          255.255.0.0      10.0.0.1      10.0.0.1      1
Steven had me route add 128.0.0.0 mask 255.0.0.0 128.10.10.1
Are the subnet masks on 10.0.0.1, your dhcp scope (the subnet mask the clients are using) and the route statement on your firewall (10.x.x.x via 128.10.10.1) consistent?
ASKER (Ljel)
Yes, the 10.0.0.x is my internal LAN DHCP scope.
Sorry, what do you mean by route statement on my firewall?
Can you examine the subnet masks on your DHCP scope and your clients?

If a request comes from the 10.x.x.x network, the firewall would have to know where to send the traffic...
Do you have a static route on your firewall for that network?
By virtue of its inside interface it would only know about your 129.x.x.x network.
ASKER (Ljel)
Sorry, you are losing me here. The 10.x.x.x network requests go to the server, then the firewall and finally the modem. I can't see the firewall from my clients, so what does it matter how the firewall is set up? And I'm assuming by 129.x.x.x you mean 128.x.x.x.
The firewall has two interfaces.
One on the public network and one on your 128.x.x.x network.

If a packet comes in on the inside interface with a source address of 10.x.x.x, it has to know how to get the traffic back there.
Since the server (which is a router) and the firewall (which is also a router) aren't exchanging routing information, you have to have a routing statement on the firewall to send any traffic for the 10.0.0.0 network to the outside interface of the server; otherwise it will either use its default route, which is the outside interface, or, if it's programmed right, drop the traffic by virtue of its being private IP.

Did you verify the subnet masks on your DHCP scope and your clients are consistent?
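The return-path problem just described, as an added example (my code, not any poster's): a small Python model that does longest-prefix-match lookups over each hop's routing table and traces the client's ping request to the firewall and the firewall's reply back. The server's routes come from the ROUTE PRINT posted earlier; the client, firewall, modem and upstream tables are assumptions, since the firewall's table was never posted.

```python
"""Added example (not from the thread): trace a client's ping request to the
firewall and the firewall's reply, hop by hop, using longest-prefix-match
lookups over each hop's routing table. Server routes come from the posted
ROUTE PRINT; the other tables are assumptions (the firewall's was never posted)."""
import ipaddress


def route(dest, mask, gateway, iface):
    """One ROUTE PRINT row. Windows prints gateway == interface for an on-link
    (directly connected) network; those are stored with gateway=None."""
    net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
    gw = None if gateway == iface else ipaddress.ip_address(gateway)
    return (net, gw, ipaddress.ip_address(iface))


def lookup(table, dst):
    """Longest-prefix match, as a host's IP stack does.
    Returns (gateway_or_None, interface), or None if nothing matches."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return None if best is None else (best[1], best[2])


def trace(hosts, start, dst, max_hops=8):
    """Forward a packet from host `start` towards `dst`; returns the host names
    visited, ending at the destination or with a DROP/UNREACHABLE marker."""
    dst = ipaddress.ip_address(dst)
    owner = {a: name for name, h in hosts.items() for a in h["addrs"]}
    path, cur = [start], start
    for _ in range(max_hops):
        if dst in hosts[cur]["addrs"]:
            return path  # delivered
        hit = lookup(hosts[cur]["table"], dst)
        if hit is None:
            return path + ["DROP(no route)"]
        gw, _iface = hit
        next_ip = dst if gw is None else gw  # on-link: hand straight to dst
        if next_ip not in owner:
            return path + [f"UNREACHABLE({next_ip})"]
        cur = owner[next_ip]
        path.append(cur)
    return path + ["DROP(hop limit)"]


def build_hosts(firewall_return_route):
    """Topology from the thread: client -> server (10.0.0.1 / 128.10.10.1)
    -> firewall inside 128.10.10.2 -> modem 128.10.10.3 -> ISP.
    firewall_return_route=True adds chicagoan's static route on the firewall.
    Client, firewall, modem and ISP tables are assumed, not posted."""
    A = ipaddress.ip_address
    upstream = "203.0.113.1"  # constructed ISP next hop (documentation range)
    fw_table = [
        route("128.10.0.0", "255.255.0.0", "128.10.10.2", "128.10.10.2"),
        route("0.0.0.0", "0.0.0.0", "128.10.10.3", "128.10.10.2"),  # default -> modem
    ]
    if firewall_return_route:
        # "send any traffic for the 10.0.0.0 network to the outside interface of the server"
        fw_table.append(route("10.0.0.0", "255.0.0.0", "128.10.10.1", "128.10.10.2"))
    return {
        "client": {"addrs": {A("10.0.0.3")}, "table": [
            route("10.0.0.0", "255.0.0.0", "10.0.0.3", "10.0.0.3"),
            route("0.0.0.0", "0.0.0.0", "10.0.0.1", "10.0.0.3")]},
        "server": {"addrs": {A("10.0.0.1"), A("128.10.10.1")}, "table": [
            # rows from the asker's ROUTE PRINT (host and multicast rows omitted)
            route("0.0.0.0", "0.0.0.0", "128.10.10.3", "128.10.10.1"),
            route("10.0.0.0", "255.0.0.0", "10.0.0.1", "10.0.0.1"),
            route("128.10.0.0", "255.255.0.0", "128.10.10.1", "128.10.10.1")]},
        "firewall": {"addrs": {A("128.10.10.2")}, "table": fw_table},
        "modem": {"addrs": {A("128.10.10.3")}, "table": [
            route("128.10.0.0", "255.255.0.0", "128.10.10.3", "128.10.10.3"),
            route("0.0.0.0", "0.0.0.0", upstream, "128.10.10.3")]},
        "internet": {"addrs": {A(upstream)}, "table": []},  # knows no way back to 10/8
    }


def forward_path(firewall_return_route=False):
    """Client 10.0.0.3 pinging the firewall's inside interface 128.10.10.2."""
    return trace(build_hosts(firewall_return_route), "client", "128.10.10.2")


def reply_path(firewall_return_route=False):
    """The firewall's echo reply heading back to 10.0.0.3."""
    return trace(build_hosts(firewall_return_route), "firewall", "10.0.0.3")


if __name__ == "__main__":
    for flag in (False, True):
        print(f"firewall has a 10/8 route via 128.10.10.1: {flag}")
        print("  request:", " -> ".join(forward_path(flag)))
        print("  reply:  ", " -> ".join(reply_path(flag)))
```

Without the static route the request reaches the firewall but its reply follows the firewall's default route out to the modem and never comes back, which is exactly what a ping from the client sees as a timeout.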
Keep the dialogue going guys...  I am learning a lot here...  :)
ASKER (Ljel)
Both the firewall interfaces are on the 128.x.x.x network.
Server nic2 128.0.0.1 to the firewall 128.0.0.2, which has static routes for the LAN side of 128.0.0.2 and WAN side 128.0.0.2; the firewall is set up in standard mode with 128.0.0.3 (modem) set up as my WAN side router address, and 128.0.0.2 set up as my public address.
ASKER CERTIFIED SOLUTION
chicagoan
A tough one Kabaam..  Not sure what to recommend..   but I will be happy to go along with whatever everyone else agrees to here..

FE
I wish the originating author had returned to this question and the problem had been reported as fixed.  Excellent collaboration between experts is something to include in the newsletter as an interesting and fun PAQ.  Being a fly on the wall, I can see that teamwork like this is much more productive.

Ljel seemed very interested in getting this resolved.  I am going to assume that Chicagoan's last post got him going.  Either that, or Ljel was hit by a bus.  Hopefully it is not the latter.
Agreed..  Chicagoan it is..

FE