mls14

Talking to the internet and a LAN simultaneously

I am trying to set up an NT server to access our local LAN and the internet simultaneously.  The internet connection is a fractional T1 going through a router/gateway (from VINA technologies).  I need this NT server to talk to the private LAN and to the internet because I need it to offer internet email through exchange server.  Also, I'd like to run WinProxy on it when I get this straightened out.  I only have one NIC in the server, but would get a second if that is required.  

Additional info: I have internet IP addresses given to me by my ISP so I can assign one to the NT server (which is also my Domain Controller on a small network).  Also, I have been able to get workstations to connect to the internet through the router, but then they cannot access the local lan (except for the macs which access the local lan via appletalk).  One final note: my local LAN's IP addresses are not in the proper class C range... could this be a problem when setting up the NT server with 2 IP addresses (one for the LAN, one for internet)?
I realize this is an involved question, but it seems this thing needs to be done by lots of people, so I'm sure somebody out there knows a good way to do this.
TedSenn

I believe that you will need two NICs. Unless everyone has the same network ID in TCP/IP (the part of the address over the ones in the subnet mask) they will not be able to see everyone. TCP works like this:
1) Is the address it is going to on the same subnet (network IDs the same)?
If so, go directly.
If not, then go to the gateway address.

If you are running NT, Proxy Server will work. I use it on my setup.
Are you going to use the router or WinProxy? And what is the primary purpose of the server besides email and internet, i.e. LAN app server, terminal server, BackOffice etc.?
You need two NICs: one with an IP address that is going to the router and one that is going to your local LAN.

Let's say the router will receive the IP address 192.0.0.1; then you need to set up a NIC with the address 192.0.0.2 with the default gateway set to 192.0.0.1 (the router).

The second NIC will receive the LAN Ethernet address, let's say 172.0.0.1.

In your proxy you must specify a LAT (Local Address Table) for your LAN network, say 172.0.0.2 => 172.0.0.100, and route your proxy via the router to your ISP.

PS: Use the above IP address range for your local network and the proper IP address that you receive from your ISP for the internet.

Mario

ASKER

In response to the first question from tedsenn, I will consider getting the second card.  As far as the workstations all having the same network ID, the local LAN is set up with the NT server using DHCP and a subnet mask of 255.255.0.0, so all the machines are within a certain IP range assigned randomly by my predecessor here (141.13.x.x).  The Internet IP addresses assigned for me and the one used by the router are in a different range.

In response to the second question from simplethoughts, the server itself currently does printing, file serving, and exchange server for about 20 people or so.  My ideal setup would be to have the server itself go through the router and set up a proxy server for the workstations.  This is so that the exchange server will have a permanent IP address for internet email purposes.  If necessary, I could use the proxy server for the exchange server to get access, but only if it will work properly through the proxy.  

Really, if setting up the proxy server will solve my problems for me and allow me to use the exchange server for internet email, I will just do that rather than get another NIC and attempt to mess around with IP routing, forwarding, etc.  Let me know what you think; sorry to be long-winded.

Matthew
Connecting your Exchange server (also your print and file server) directly to the router is not a good idea. You leave your LAN open for everyone. I prefer to have a proxy! My proxy blocks everyone that doesn't have permission to come in to the LAN. Without a proxy my LAN is open for everyone. So place your proxy before your Exchange server.

And the second problem is, when your Exchange server dials out for the mail and someone is already on the router, you don't have a free connection. With the proxy, even if someone is "surfing", you will be getting your mail out and in.

Mario
Yes, the proxy is a good choice, mostly for control; you can set the mappings for each service as you please. The IP problem can work many different ways. Getting a second card will allow you to place all cards on the LAN under the 192.168.X.X system, leaving the primary for the internet or router connection; I would still use the proxy though. This way you have a clean IP system, and external mail for the internet server IP can just be mapped via the proxy. MarioLer is right about connecting it all together, but a server should follow its purpose. With the cheap price of the extra LAN card you solve the IP problems; with the proxy, you keep your LAN secure and can restrict what users do with greater ease. With Win2k this problem is solved more easily. Exchange Server will still work fine, and intranet email will be much easier without IP conflicts.
Simple answer.
Use your current Ethernet card to link exclusively to the T1
Install a second card with a local IP address eg 10.0.0.50
Install Win Proxy. Tell it you want to connect to the internet via the T1 card and the other card to the LAN. Just ensure you do not use the default POP, HTTP and SMTP ports.
I have just done this and it worked very well! I just used a different proxy program

ASKER

To simplethoughts... Just to clarify:  You suggest getting a second NIC AND using the proxy.  Is using the proxy without a second NIC also feasible?  From how I read your response and what I've read about proxy servers, it should be.  If not, let me know.  Overall, your answer seems very good to me.  My only other additional question is whether or not I will need to set my local LAN up with 192.168.x.x addresses or if it will work with the current 141.13.x.x addresses assigned by my predecessor.  I will try to implement this in very short order... if it works, I will gladly bestow 200 pts. upon you.  I truly appreciate the help.

ASKER

To simplethoughts...

I tried the suggested process with just the one NIC.  I set up everything right, the IP address, the gateway, DNS servers, then set up winproxy and told it the correct internal address and external address.  I turned on IP forwarding in the network control panel under TCP/IP properties.  After doing all this, it seems to me the only possibility is to get the additional NIC and try the same procedure.  Apparently setting up two IP addresses on the same NIC just isn't working.  Maybe it has something to do with my internal addresses not being in the 192.168 range?  I know this is probably more work than it is worth for you for the 200 points, but unfortunately the 2 people I provided answers for on other questions seem to have forgotten to check their email for quite a while.  If you think that adding the second NIC should fix me up fine, let me know.  Otherwise, give me some other tip that I might be able to use.  Thanks a lot!

Matthew
M$ Proxy Server requires two network interfaces: 2 NICs, or 1 NIC and one dial-up. I would think that all proxy servers would need that same setup. IP should not allow more than one subnet on one adapter, although multiple addresses in the same subnet are OK.

ASKER

I am getting the second NIC.  I assume it will work, so no further comments are necessary.  I will simply accept the answer and give the points when I have it working.

Matthew
Do not need 2 NICs, need 2 subnets but can bind both to one interface even with proxy.

Do not use 172.0.anything, it is public; 176.16.0.0 to 172.32.255.255 is private so OK, but the rest of the 172.x class B subnets are in use somewhere on the internet.

Why use a proxy for security? If your router can do fractional T1 then it can probably process access lists and do NAT as well.

But there again it is much easier with 2 NICs.

If you only have one IP address from the ISP then either NAT router or PRI card in proxy only, because you would need at least 2 legal addresses, one for the proxy and one for the router's Ethernet port, for the proposed solution to work without NAT.

Trouble with E-E is that if someone proposes an answer 2 hours after you ask the Q, most of us do not see the question.
Oh, and proxy is not working for you with one NIC unless you have edited the LAT unless using private address. Also it will fail with 2 NICs until a new LAT is created.

Even then, how do you expect to talk to the REAL 141.13.x.x addresses on the internet if your machines think they are on the LAN? Re-number now and curse your predecessor.
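
The on-link-or-gateway decision discussed in this thread, and why a LAN numbered out of 141.13.x.x hides the Internet hosts in that range, as an added example that is not part of any post here. The host and gateway addresses are constructed sample values; the private blocks are those reserved by RFC 1918.

```python
import ipaddress

# Address blocks reserved for private networks by RFC 1918.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private_lan(network):
    """True if the whole network lies inside one RFC 1918 block."""
    net = ipaddress.ip_network(network)
    return any(net.subnet_of(block) for block in RFC1918)


def next_hop(interface, gateway, destination):
    """Return 'on-link' if the host sends directly, else the gateway.

    interface is 'address/prefix' as configured on the host.
    """
    iface = ipaddress.ip_interface(interface)
    if ipaddress.ip_address(destination) in iface.network:
        return "on-link"
    return gateway


def shadowed(interface, destination):
    """True if the destination matches a LAN range that is not private,
    i.e. a public address the host will never send to its gateway."""
    iface = ipaddress.ip_interface(interface)
    dest = ipaddress.ip_address(destination)
    return dest in iface.network and not is_private_lan(str(iface.network))


if __name__ == "__main__":
    # Constructed sample values: one workstation before and after renumbering.
    internet_host = "141.13.200.9"   # constructed public address in 141.13.0.0/16
    for iface, gw in (("141.13.5.20/16", "141.13.0.1"),
                      ("192.168.1.20/24", "192.168.1.1")):
        print(iface, "->", internet_host, "via",
              next_hop(iface, gw, internet_host),
              "| shadowed:", shadowed(iface, internet_host))
    for lan in ("141.13.0.0/16", "172.0.0.0/24", "192.168.1.0/24"):
        print(lan, "private:", is_private_lan(lan))
```
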

ASKER

I have had to reject the answer as I received some information leading me to try another method.  The method suggested would not work, and the suggestion of andy alder seems to be the way to go.  I spoke with the vendors of our router (it is a T1 integrator from Vina Technologies) and they can set up a NAT for us.  This will be the way to go.  Thanks Andy, but also thanks to simplethoughts for your insight.  It is highly likely your solution will work in other circumstances, but the simple truth is that the NAT seems to be the best solution for us here.  By the way, I will be changing my IP addresses to class C 192.168.x.x addresses, grumbling as I do so.

Matthew
ASKER CERTIFIED SOLUTION
Member_2_231077


ASKER

Thanks for the help.  As you said, I don't really need the second NIC.  I was able to do everything after I switched my local network over to 192.168.x.x numbers.  I did have a question though... when you said to have the router point incoming mail to port 25, do you mean it should do that if I have a proxy installed or just in general?

Matthew
Assuming you have a mail server like Exchange on the private LAN, then the IP address that'll be registered through DNS for it will be the router.

When someone sends a mail to this address the router will need to know where to send it so there needs to be some lookup table on the router that tells it where the mailserver is.

The router knows where to send normal incoming packets like replies to you browsing the web because they are associated with an individual client PC's session but SMTP mail is not related to a client session.

If you do not have a mailserver and are using POP3 mail clients then there is no need to bother about this.
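
The router behaviour described in this answer, as an added example that is not part of the original post: a toy NAT table in which replies match a session opened by an inside client, while unsolicited SMTP needs a static port-25 entry. The class name and all addresses are constructed (documentation and private ranges), not the Vina router's configuration.

```python
class NatRouter:
    """Toy model of a NAT router with one public address (hypothetical class)."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.sessions = {}   # public port -> (inside ip, inside port, remote ip, remote port)
        self.forwards = {}   # public port -> (inside ip, inside port), set by the admin
        self._next_port = 40000

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """An inside client opens a connection: record the session, rewrite the source."""
        public_port = self._next_port
        self._next_port += 1
        self.sessions[public_port] = (src_ip, src_port, dst_ip, dst_port)
        return (self.public_ip, public_port, dst_ip, dst_port)

    def add_forward(self, public_port, inside_ip, inside_port):
        """Static entry: the lookup table that tells the router where the server is."""
        self.forwards[public_port] = (inside_ip, inside_port)

    def inbound(self, remote_ip, remote_port, public_port):
        """Return the inside (ip, port) for an arriving packet, or None to drop it."""
        session = self.sessions.get(public_port)
        if session and session[2:] == (remote_ip, remote_port):
            return session[:2]                    # reply to a client's own session
        return self.forwards.get(public_port)     # unsolicited: static entry or drop


if __name__ == "__main__":
    router = NatRouter("203.0.113.1")             # constructed public address
    # A workstation browses the web; the reply finds its way back by session.
    pkt = router.outbound("192.168.1.20", 1025, "198.51.100.7", 80)
    print("web reply ->", router.inbound("198.51.100.7", 80, pkt[1]))
    # A remote mail server connects to port 25: no session exists, so it is dropped.
    print("SMTP before forward ->", router.inbound("198.51.100.9", 3456, 25))
    # With a static entry for port 25 only, mail reaches the Exchange host.
    router.add_forward(25, "192.168.1.10", 25)
    print("SMTP after forward ->", router.inbound("198.51.100.9", 3456, 25))
    print("other port ->", router.inbound("198.51.100.9", 3456, 139))
```
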

ASKER

The Exchange server is on the private LAN but it has its own internet IP address as well.  Should I set the email addresses for all the folks as @ip.address.of.server or @ip.address.of.router?  Perhaps I should pose this as a separate question and offer more points.  (BTW - How come my "expert" points don't necessarily add to my "available" points which I can use to ask questions?)  I will talk to the vendor for our connection and the router about this as well.

Thanks for the help,
Matthew
Expert points do not add to question points, it's in the E-E FAQ somewhere, all you can do is get T-shirts with them.

If you have a legal address for Exchange then you could get the ISP to set the Exchange IP address as the MX record and get the router to pass SMTP (port 25) without translating the address. I don't know how to set up your router for this so can't help here.

It would also work if the MX record pointed to the router and it re-directed port 25 after translating address to Exchange.

How to config the router might be on Vina's website.

ASKER

Thanks for the comment.  I do not have a password for configuring the router (although I have the manual).  I spoke to a person from our internet vendor and he has the router set for port 25.  The only thing we're waiting on is getting our web hoster (pair.com) to either put in an MX record pointing to our exchange server's IP address, or just to forward mail to us.  Either way, we will be functional very soon.  Thanks very much for all the help and we'll be seeing you on the internet!

Matthew