Solved

Need help with T1 line with multiple static IP addresses and Windows routing

Posted on 2008-10-05
649 Views
Last Modified: 2012-08-14
Hi,

I have a T1 line that has 6 available public addresses and I am trying to set up two distinct routers that connect to a Windows 2003 Active Directory domain. However, only one router at a time can access the internal Windows domain, depending on the gateway I assign to the server that is acting as the main gateway. I tried two different approaches without any luck. Here they are:

Scenario 1: Router 1 has a public address of xxx.xxx.xxx.203 and a private address of 172.16.16.1. Router 1 also has ports 3389 and 1723 forwarded to my main Windows server, 172.16.16.4. Router 2 has a public address of xxx.xxx.xxx.204 and a private address of 172.16.16.2. Router 2 also has ports 3389 and 1723 forwarded to my main Windows server, 172.16.16.4. Both routers are connected to the same internal segment, along with the server (on a single switch). The Windows server uses 172.16.16.1 as its gateway and also has Routing and Remote Access activated (including IP routing). Result: I can only access this server (Remote Desktop and PPTP) by connecting through router 1. Router 2 won't accept connections. However, both routers can be pinged successfully from internal and remote locations (on their respective private and public addresses).

Scenario 2: I made a variant of the scenario above where I created two separate segments (172.16.16 and 172.16.17) and assigned each router an address in its own segment, with the same public addresses as above. Router 1 now has private address 172.16.16.1 and router 2 has private address 172.16.17.1. A second network card was installed in the Windows server. The Windows server now has 2 IP addresses: 172.16.16.4 and 172.16.17.4. The default gateway on the server is 172.16.16.1. Router 1 now forwards ports to 172.16.16.4 while router 2 forwards ports to 172.16.17.4. The Windows server is running Routing and Remote Access (with IP routing). Result: same as above. I can only connect through the router that the server is using as its default gateway. If I change the default gateway on the server to router 2, then only router 2 can reach RDP and PPTP.

Question: Why can't I reach the same server remotely through both routers at once, each with its own public address, when I can ping both routers successfully from external and internal locations (on their respective public and private addresses)? Is some route missing somewhere? What is the benefit of having multiple public static addresses in this context?

Note: I am trying to establish a proof of concept for a scenario where I will need to use two distinct routers.

Thanks.
Question by:benjilafouine
5 Comments
 
LVL 13

Expert Comment

by:Rowley
ID: 22647645
If packets are coming in on your second gateway and leaving via the Windows server's default gateway, which is your first router, then you're going to have problems establishing a TCP connection.

You could add a host-specific route for your second gateway on your Windows box so that all packets coming from router 2 go back to router 2 as opposed to the default, router 1.

If you want a redundant gateway using both routers use VRRP.
 
LVL 1

Author Comment

by:benjilafouine
ID: 22647966
It's exactly that symptom: problems establishing a TCP connection.

The server expects traffic coming in from the first router, not the second.

You are talking about a specific route on the Windows box. What would that route be in both my scenarios?

Alternatively, I am starting to think that there is a much simpler answer to my own question: if I had two domain controllers, each with a different gateway (server 1 to router 1 and server 2 to router 2), would this work? It doesn't matter that I have a different server accepting VPN connections. I already have two servers, so I could test that within 24 hours. Would this be an issue for Windows in an Active Directory context? I believe not.

Note: the rationale behind this question is that I am planning to have one side (router 1) connected to a private IP network cloud to Europe and the second one accepting incoming domestic connections (router 2).
 
LVL 13

Accepted Solution

by:
Rowley earned 500 total points
ID: 22648270
"The server expects traffic coming in from the first router, not the second."

It's not that it "expects" traffic from anywhere; it's the fact that traffic for addresses it doesn't know how to route to will be sent to its default gateway.

I couldn't completely understand what it is you were trying to achieve from what you wrote in your first post, but I understand the issue. If you had 2 boxes with separate gateways then that would work. You just can't expect to talk TCP to a host from outside without the return traffic leaving via the same inside gateway interface it came in on.

I can't see any immediate AD issue with your 2-server, 2-gateway proposal, but then again I don't have the whole picture, and it is a completely separate issue.
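An added example, not code from the thread or from Rowley, that models the routing decision both of his comments describe: the Windows server picks the next hop for every reply packet by longest-prefix match, and whatever comes in through router 2 is answered through the default gateway, router 1. The model uses the thread's inside addresses (172.16.16.1, 172.16.16.2, 172.16.16.4 and the 172.16.17.0/24 segment of scenario 2); the remote client address 203.0.113.7 and the second client 198.51.100.3 are assumed values from the documentation range. It shows why both scenarios fail, why a /32 host route for a client whose address is known fixes it, and why that does not scale to arbitrary Internet clients, which is what pushes the design toward the two-server (or VRRP/policy-routing) answer.

```python
"""Longest-prefix-match model of the Windows server's reply routing (added example).

Constructed topology, taken from the thread: two NAT routers share the inside
segment; the server's default gateway is router 1. Client addresses are assumed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ROUTER1 = ipaddress.ip_address("172.16.16.1")  # default gateway in both scenarios
ROUTER2 = ipaddress.ip_address("172.16.16.2")  # scenario 1 address of router 2
ROUTER2_SCN2 = ipaddress.ip_address("172.16.17.1")  # scenario 2 address of router 2

CLIENT = "203.0.113.7"        # assumed remote-access client (RFC 5737 range)
OTHER_CLIENT = "198.51.100.3"  # a second, unknown client (also assumed)


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None means directly connected


def next_hop(table: List[Route], dst: str) -> Optional[ipaddress.IPv4Address]:
    """Longest-prefix match: the most specific route wins; None means on-link."""
    dst_addr = ipaddress.ip_address(dst)
    matches = [r for r in table if dst_addr in r.prefix]
    if not matches:
        raise ValueError(f"no route to {dst_addr}")
    return max(matches, key=lambda r: r.prefix.prefixlen).gateway


def reply_path_ok(table: List[Route], client: str,
                  inbound_router: ipaddress.IPv4Address) -> bool:
    """True when the reply leaves through the router that NATed the inbound packet.

    If it leaves through the other router, that router holds no NAT state for the
    flow, so the SYN/ACK is dropped or sent from the wrong public address and the
    TCP handshake never completes (the symptom in the thread).
    """
    return next_hop(table, client) == inbound_router


def windows_route_cmd(route: Route) -> str:
    """Render the persistent Windows 'route' command for a host or network route."""
    return (f"route -p add {route.prefix.network_address} "
            f"mask {route.prefix.netmask} {route.gateway}")


# Scenario 1: one segment, default gateway = router 1.
scenario1 = [
    Route(ipaddress.ip_network("172.16.16.0/24"), None),
    Route(ipaddress.ip_network("0.0.0.0/0"), ROUTER1),
]

# Scenario 2: second NIC on 172.16.17.0/24, but the default route is unchanged,
# so replies to Internet clients still go to router 1 regardless of which NIC
# the request arrived on.
scenario2 = [
    Route(ipaddress.ip_network("172.16.16.0/24"), None),
    Route(ipaddress.ip_network("172.16.17.0/24"), None),
    Route(ipaddress.ip_network("0.0.0.0/0"), ROUTER1),
]

# Rowley's fix for scenario 1: a /32 host route sending this client back via router 2.
host_route = Route(ipaddress.ip_network(f"{CLIENT}/32"), ROUTER2)
scenario1_fixed = scenario1 + [host_route]


if __name__ == "__main__":
    for name, table in (("scenario 1", scenario1), ("scenario 2", scenario2)):
        print(name, "via router 1 ok:", reply_path_ok(table, CLIENT, ROUTER1))
        r2 = ROUTER2 if table is scenario1 else ROUTER2_SCN2
        print(name, "via router 2 ok:", reply_path_ok(table, CLIENT, r2))
    print("scenario 1 + host route, known client via router 2 ok:",
          reply_path_ok(scenario1_fixed, CLIENT, ROUTER2))
    print("scenario 1 + host route, unknown client via router 2 ok:",
          reply_path_ok(scenario1_fixed, OTHER_CLIENT, ROUTER2))
    print("Windows command for the fix:", windows_route_cmd(host_route))
```

The rendered command (`route -p add 203.0.113.7 mask 255.255.255.255 172.16.16.2`) is the Windows syntax for a persistent host route and is only useful when the remote client's address is fixed and known in advance; a road-warrior VPN user with a changing address has no prefix to route, which is why the model's "unknown client" case still fails and why the thread ends with two servers, each behind its own gateway.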
 
LVL 1

Author Comment

by:benjilafouine
ID: 22649012
My needs are kind of straightforward. A special site-to-site VPN router will be installed to connect directly into a private IP cloud (MPLS) in Europe, meaning that this router will make the network part of a global "private network". To access this network from the outside, then, the point of entry becomes a Europe router.

However, I wanted to keep VPN capabilities for a few users scattered throughout North America and thought that it made no real sense to have them use complex gateways through Europe to connect to a server in North America when the T1 line and the servers reside in the same country as the users.

These users should connect via North America; then their requests to software in Europe should be routed through the private VPN, reducing traffic on the Europe private network (packets will travel once instead of twice).
 
LVL 1

Author Closing Comment

by:benjilafouine
ID: 31503244
Two servers each with its own gateway did the job and enabled me to design a network with two ports going in different clouds.