Need help with T1 line with multiple static IP addresses and Windows routing

Hi,

I have a T1 line that has 6 available public addresses and I am trying to set up two distinct routers that connect to a Windows 2003 Active Directory domain. However, only one router at once can access the internal Windows domain depending on the gateway I assign to the server that is acting as a main gateway. I tried two different approaches without any luck. Here they are:

Scenario 1: Router 1 has a public address of xxx.xxx.xxx.203 and a private address of 172.16.16.1. Router 1 has also forwarded ports 3389 and 1723 to my main Windows server 172.16.16.4. Router 2 has a public address of xxx.xxx.xxx.204 and a private address of 172.16.16.2. Router 2 has also forwarded ports 3389 and 1723 to my main Windows server 172.16.16.4. Both routers are connected into the same internal segment, along with the server (in a unique switch). The Windows server uses 172.16.16.1 for a gateway and also has Routing and Remote Access activated (including IP routing). Result: I can only access this server (Remote Desktop and PPTP) by using a connection to router 1. Router 2 won't accept connections. However, both routers can be pinged successfully from an internal and remote location (with their respective public and private address).

Scenario 2: I made a variant of the scenario above where I created two separate segments (172.16.16 and 172.16.17) and assigned each of the routers an address in each segment, with the same public addresses as above. Router 1 now has private address 172.16.16.1 and router 2 has private address 172.167.17.1. A second network card was installed into the Windows server. The Windows server now has 2 IP addresses: 172.16.16.4 and 172.16.17.4. The default gateway on the server is 172.16.16.1. Router 1 now forwards ports to 172.16.16.4 while router 2 forwards ports to 172.16.17.4. The Windows server is running Routing and Remote Access (with IP routing). Result: same as above. I can only connect through the router that the server is using as a default gateway. If I change the default gateway on the server to router 2, then only router 2 can access RDP and PPTP.

Question: Why can't I remotely access the same server at once by using the two routers with two separate public addresses, when I can ping both routers successfully from both external and internal locations (with their respective public and private address)? Some route missing somewhere? What is the benefit of having multiple public static addresses in this context?

Note: I am trying to establish a proof of concept for a scenario where I will need to use two distinct routers.

Thanks.
1 Solution
Rowley Commented:
If packets are coming in on your second gateway and leaving from the Windows server's default gateway, which is your first router, then you're going to have problems establishing a TCP connection.

You could add a host-specific route for your second gateway on your Windows box so that all packets coming from router 2 go back to router 2 as opposed to the default, router 1.

If you want a redundant gateway using both routers use VRRP.
benjilafouine (Author) Commented:
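To make the asymmetric-return problem and the suggested fix concrete, here is an added example (not from the thread) that models the server's routing table from Scenario 1 with longest-prefix matching and shows where a reply to a remote client leaves. The remote client address 203.0.113.10 is a constructed placeholder; Scenario 2 differs only in the connected prefixes.

```python
import ipaddress

# Constructed model of Scenario 1: both routers on 172.16.16.0/24, server
# 172.16.16.4 with default gateway 172.16.16.1 (router 1).
ROUTER1 = "172.16.16.1"
ROUTER2 = "172.16.16.2"
SERVER = "172.16.16.4"
CLIENT = "203.0.113.10"  # constructed placeholder for a remote RDP/PPTP client


def make_table(default_gw):
    """Routing table as (prefix, gateway) pairs; gateway None = directly connected."""
    return [(ipaddress.ip_network("172.16.16.0/24"), None),
            (ipaddress.ip_network("0.0.0.0/0"), default_gw)]


def next_hop(table, dst):
    """Longest-prefix match: the most specific route wins, as in 'route print'."""
    dst = ipaddress.ip_address(dst)
    best = max((r for r in table if dst in r[0]), key=lambda r: r[0].prefixlen)
    return best[1] or str(dst)  # directly connected hosts are delivered to directly


def reply_path(table, inbound_router, dst):
    """Return (inbound_router, outbound_next_hop, symmetric?) for the server's reply."""
    out = next_hop(table, dst)
    return inbound_router, out, out == inbound_router


def add_host_route(table, host, gateway):
    """Model of: route add <host> mask 255.255.255.255 <gateway> on the server."""
    return table + [(ipaddress.ip_network(f"{host}/32"), gateway)]


if __name__ == "__main__":
    table = make_table(ROUTER1)
    # SYN arrives via router 2, but the reply leaves via router 1 and is NATed
    # with router 1's public address, so the client's TCP handshake never completes.
    print(reply_path(table, ROUTER2, CLIENT))
    # After a /32 route for the client via router 2 the path is symmetric.
    print(reply_path(add_host_route(table, CLIENT, ROUTER2), ROUTER2, CLIENT))
```

Because this needs one /32 route per remote client address, it only suits a proof of concept with known clients; for arbitrary clients, a separate server per gateway (as the author ended up doing) or a gateway that rewrites the source address is the practical answer.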
It's exactly that symptom: problems establishing a TCP connection.

The server expects traffic coming in from the first router, not the second.

You are talking about a specific route on the Windows box. What would be that route in both my scenarios?

Or else, I am starting to think that there is a much simpler answer to my own question: if I had two domain controllers each with a different gateway (such as server 1 to router 1 and server 2 to gateway 2), would this work? It doesn't matter that I have a different server accepting VPN connections. I already have two servers so I could test that within 24 hours. Would this be an issue for Windows in an Active Directory context? I believe not.

Note: the rationale behind this question is that I am planning to have one side (router 1) connected to a private IP network cloud to Europe and the second one accepting incoming domestic connections (router 2).
Rowley Commented:
"The server expects traffic coming in from the first router, not the second."

It's not that it "expects" traffic from anywhere, it's the fact that the route for traffic it will use for addresses it doesn't know how to route to will be sent to its default gateway.

I couldn't completely understand what it is you were trying to achieve from what you wrote in your first post, but I understand the issue. If you had 2 boxes with separate gateways then that would work. You just can't expect to talk TCP to a host from outside without the return transmission leaving via the same inside gateway interface it came from.

I can't see any immediate AD issue with your 2-server, 2-gateway proposal, but then again I don't have the whole picture and it is a completely separate issue.
benjilafouine (Author) Commented:
My needs are kind of straightforward. A special site-to-site VPN router will be installed to connect directly into a private IP cloud (MPLS) in Europe, meaning that this router will make the network become a global "private network". To access this network from the outside then, the point of entry becomes a Europe router.

However, I wanted to keep VPN capabilities for a few users scattered throughout North America and thought that it made no real sense to have them use complex gateways through Europe to connect to a server in North America when the T1 line and servers reside in the same country as the users.

These users should connect via North America then their requests to software in Europe should be routed through the private VPN, reducing traffic on the Europe private network (packets will travel once instead of twice).
benjilafouine (Author) Commented:
Two servers each with its own gateway did the job and enabled me to design a network with two ports going in different clouds.