Solved

Need help with T1 line with multiple static IP addresses and Windows routing

Posted on 2008-10-05
5
653 Views
Last Modified: 2012-08-14
Hi,

I have a T1 line that has 6 available public addresses and I am trying to set up two distinct routers that connect to a Windows 2003 Active Directory domain. However, only one router at a time can access the internal Windows domain, depending on the gateway I assign to the server that is acting as the main gateway. I tried two different approaches without any luck. Here they are:

Scenario 1: Router 1 has a public address of xxx.xxx.xxx.203 and a private address of 172.16.16.1. Router 1 also has forwarded ports 3389 and 1723 to my main Windows server 172.16.16.4. Router 2 has a public address of xxx.xxx.xxx.204 and a private address of 172.16.16.2. Router 2 also has forwarded ports 3389 and 1723 to my main Windows server 172.16.16.4. Both routers are connected to the same internal segment, along with the server (on a single switch). The Windows server uses 172.16.16.1 as its gateway and also has Routing and Remote Access activated (including IP routing). Result: I can only access this server (Remote Desktop and PPTP) through router 1. Router 2 won't accept connections. However, both routers can be pinged successfully from an internal and a remote location (with their respective private and public addresses).

Scenario 2: I made a variant of the scenario above where I created two separate segments (172.16.16 and 172.16.17) and assigned each of the routers an address in each segment, with the same public addresses as above. Router 1 now has private address 172.16.16.1 and router 2 has private address 172.167.17.1. A second network card was installed in the Windows server. The Windows server now has 2 IP addresses: 172.16.16.4 and 172.16.17.4. The default gateway on the server is 172.16.16.1. Router 1 now forwards ports to 172.16.16.4 while router 2 forwards ports to 172.16.17.4. The Windows server is running Routing and Remote Access (with IP routing). Result: same as above. I can only connect through the router that the server is using as its default gateway. If I change the default gateway on the server to router 2, then only router 2 can access RDP and PPTP.

Question: Why can't I remotely access the same server through both routers at the same time, using two separate public addresses, when I can ping both routers successfully from both external and internal locations (with their respective public and private addresses)? Is some route missing somewhere? What is the benefit of having multiple public static addresses in this context?

Note: I am trying to establish a proof of concept for a scenario where I will need to use two distinct routers.

Thanks.
0
Comment
Question by:benjilafouine
5 Comments
 
LVL 13

Expert Comment

by:Rowley
ID: 22647645
If packets are coming in on your second gateway and leaving from the windows servers default gateway which is your first router, then you're going to have problems establishing a tcp connection.

You could add a host specific route for your second gateway on your windows box so that all packets coming from router2 go back to router2 as opposed to the default, router1.

If you want a redundant gateway using both routers use VRRP.
0
 
LVL 1

Author Comment

by:benjilafouine
ID: 22647966
It's exactly that symptom: problems establishing a tcp connection.

The server expects traffic coming in from the first router, not the second.

You are talking about a specific route on the Windows box. What would be that route in both my scenarios?

Or else, I am starting to think that there is a much simpler answer to my own question: if I had two domain controllers, each with a different gateway (such as server 1 to router 1 and server 2 to gateway 2), would this work? It doesn't matter that I have a different server accepting VPN connections. I already have two servers so I could test that within 24 hours. Would this be an issue for Windows in an Active Directory context? I believe not.

Note: the rationale behind this question is that I am planning to have one side (router 1) connected to a private IP network cloud to Europe and the second one accepting incoming domestic connections (router 2).
0
 
LVL 13

Accepted Solution

by:
Rowley earned 500 total points
ID: 22648270
"The server expects traffic coming in from the first router, not the second."

It's not that it "expects" traffic from anywhere; it's the fact that traffic for addresses it doesn't have a specific route to will be sent to its default gateway.

I couldn't completely understand what it is you were trying to achieve from what you wrote in your first post, but I understand the issue. If you had 2 boxes with separate gateways then that would work. You just can't expect to talk TCP to a host from outside without the return transmission leaving via the same inside gateway interface it came in on.

I can't see any immediate AD issue with your 2 server, 2 gateway proposal, but then again I don't have the whole picture, and that is a completely separate issue.
0
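The asymmetric return path described above, as an added simulation that is not part of the thread: a server with one default gateway replies to every unknown address via router 1, so a connection that entered through router 2 never completes, while a host-specific route (the fix suggested earlier) sends replies for that one client back through router 2. Addresses are constructed (documentation prefixes stand in for the xxx.xxx.xxx public addresses); `rdp_handshake` and `next_hop` are names chosen here.

```python
import ipaddress

# Constructed topology mirroring scenario 1: two NAT routers on one LAN segment,
# one Windows server (172.16.16.4) with a single default gateway.
SERVER = "172.16.16.4"
ROUTERS = {                     # inside address -> public address (constructed)
    "172.16.16.1": "203.0.113.203",   # router 1
    "172.16.16.2": "203.0.113.204",   # router 2
}
DEFAULT_ONLY = {"0.0.0.0/0": "172.16.16.1"}


def next_hop(routes, dst):
    """Longest-prefix match over {prefix: gateway}, as the server's IP routing does."""
    addr = ipaddress.ip_address(dst)
    matches = [ipaddress.ip_network(p) for p in routes if addr in ipaddress.ip_network(p)]
    best = max(matches, key=lambda n: n.prefixlen)
    return routes[str(best)]


def rdp_handshake(routes, client, inbound_router):
    """Client sends a SYN to port 3389 via inbound_router, which port-forwards it to
    the server; the server's SYN/ACK follows its routing table. A NAT router only
    translates replies for flows it saw arrive, so the handshake completes only
    when the reply leaves through the same router the SYN came in on."""
    nat_state = {r: set() for r in ROUTERS}
    nat_state[inbound_router].add((client, SERVER, 3389))
    reply_gw = next_hop(routes, client)
    # Reply via a router with no NAT entry for this flow is dropped (or leaves with
    # the wrong public source address), so the client never sees the SYN/ACK.
    return (client, SERVER, 3389) in nat_state[reply_gw]


def with_host_route(client):
    """Rowley's suggestion: a /32 route for one remote client pointing at router 2."""
    routes = dict(DEFAULT_ONLY)
    routes[f"{client}/32"] = "172.16.16.2"
    return routes
```

The host route only helps for clients whose addresses are known in advance, which is why the two-server, two-gateway design the author settled on is the practical answer for arbitrary remote users.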
 
LVL 1

Author Comment

by:benjilafouine
ID: 22649012
My needs are kind of straightforward. A special site-to-site VPN router will be installed to connect directly into a private IP cloud (MPLS) in Europe, meaning that this router will make the network become a global "private network". To access this network from the outside then, the point of entry becomes a Europe router.

However, I wanted to keep VPN capabilities for a few users scattered throughout North America and thought that it made no real sense to have them use complex gateways through Europe to connect to a server in North America when the T1 line and servers reside in the same country as the users.

These users should connect via North America then their requests to software in Europe should be routed through the private VPN, reducing traffic on the Europe private network (packets will travel once instead of twice).
0
 
LVL 1

Author Closing Comment

by:benjilafouine
ID: 31503244
Two servers each with its own gateway did the job and enabled me to design a network with two ports going in different clouds.
0
