Solved

Windows Server 2003 + NAT + DSL - ought to be easy

Posted on 2008-10-15
Last Modified: 2012-05-05
This one should be easy for anyone who knows what they're doing :)

I have a machine running Windows Server 2003, which I want to be my router/DHCP server/WINS server for my small network. My internet is provided by Primus Canada, which is a high speed DSL provider. The little modem that came with my internet is configured in "bridge" mode. My internet uses dynamic IPs, and dynamic DNS server IPs.

My Server is already the DHCP server and WINS server and the LAN is working perfectly. All computers can talk to each other, as well as the server.

There are two NICs in the server. One connects to my switch on the LAN side (call it the LAN NIC), the other goes to the Primus modem (call it the WAN NIC). The LAN NIC has a static IP, the WAN NIC has an automatic IP.

Then I added an "Internet Connection" via Add New Connection Wizard, configured it for PPPoE to connect to the internet. It connects fine.

Then I configured Routing + Remote Access, setting it up as a "NAT/VPN", and selecting the WAN NIC as the network device that has the internet. Turned it on, everything seems fine. The DHCP server is allocating IPs in preparation for VPN clients just fine.

My SERVER has the internet now, and does all the LAN based routing for my entire network just fine.

PROBLEMS:
    1) The "WAN NIC" never gets an IP. Even though the internet works. Always says "Limited or no connectivity". See the code snippet, you'll see the IP is the default invalid one.

    2) Clients cannot connect to the internet. Probably because the "WAN NIC" isn't actually connected to anything, and I don't know why. Something wrong with my Routing + Remote Access settings?

    3) Primus provides two DNS servers. You can see them in the code snippet under "PPP adapter", but how do I configure DHCP to use those addresses?

IPCONFIG /ALL

Windows IP Configuration

   Host Name . . . . . . . . . . . . : quasimodo
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : Yes

Ethernet adapter LAN NIC 100mbps:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : SOHOware 10/100 PCI Network Adapter
   Physical Address. . . . . . . . . : 00-80-C6-EB-CD-2E
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.1.200
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   Primary WINS Server . . . . . . . : 192.168.1.200

Ethernet adapter WAN NIC 10mbps:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel 21041-Based PCI Ethernet Adapter (Generic) #2
   Physical Address. . . . . . . . . : 00-E0-29-25-75-A9
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Autoconfiguration IP Address. . . : 169.254.242.156
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :

PPP adapter Primus High Speed Internet:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
   Physical Address. . . . . . . . . : 00-53-45-00-00-00
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 202.102.35.161
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 216.254.141.13
                                       209.90.160.220
   NetBIOS over Tcpip. . . . . . . . : Disabled

Question by:Frosty555

Assisted Solution

by:MrJemson
MrJemson earned 200 total points
ID: 22728334
1) The WAN NIC doesn't need an IP. You can set a static (private) IP on it, i.e. 10.0.0.1, if the limited or no connectivity message annoys you. It just needs to be plugged in to the bridge for the sake of the PPP tunnel.

2) What is the default gateway your clients are provided by DHCP?

3) You can specify this in your DHCP options. The other alternative is to set up DNS on your server, and add these to the forward lookup zone.

Assisted Solution

by:kdearing
kdearing earned 300 total points
ID: 22728377
Is the server running SBS?
Because it's REALLY not a good idea to have a public IP address on your server unless you're running ISA or something similar.

Author Comment

by:Frosty555
ID: 22731756
My DHCP server is sending 192.168.1.200 as the default gateway. This is the IP of the server. I can verify that this is going out to the client machines properly.

KDearing: I need to host a website using IIS on the server. My modem's built-in DHCP server is pathetic, you can't even change the DHCP's IP range. If you think I should put ISA on the computer, I can do that so long as you help me configure it :)

I tried hard coding the DNS servers into my DHCP server (e.g. I set the scope option so that DNS servers are 216.254.141.13 and 209.90.160.220). I even tried just setting up a static DNS on the client. Still no internet.

What else should I try? Or what other info do you guys need?


Accepted Solution

by:Frosty555
Frosty555 earned 0 total points
ID: 22733716
Figured it out guys.

1) You don't create a new internet connection from Control Panel->Network Connections. That applies only to the server, RRAS knows nothing about it.

If you want RRAS to use PPPoE as its connection to the internet, you have to set up a demand-dial interface. This option was NOT provided in the config wizard to me, because I selected "VPN/NAT", and not just "NAT". When I reconfigured it using just NAT, it gave me the option.

2) When I configured demand-dial, I had to go into the security tab and select "Allow unsecured password". My ISP doesn't support that, and by default it is set to "Require secure password"

3) MrJemson, like you said, the WAN connection need only have some static IP set, and only if the "limited or no connectivity" icon bothers me. Which it does. So I changed that.
Instead, you set up RRAS to use Demand-Dial

4) The NAT settings in RRAS deployed the DNS servers for me automatically. I didn't need to specify them. They get set for me on the client computers without any intervention on my part. Yay!

Attached are some pictures, for anyone else who visits this thread with the same problem.

Looks like it's working!


rras1.jpg
rras2.jpg
rras3.jpg
rras4.jpg

Author Comment

by:Frosty555
ID: 22733770
KDearing, you expressed concern about exposing the computer to the internet like this.

I have configured the basic firewall, currently it doesn't let ANYTHING through. I have successfully tested that my server's FTP server, IIS (web server), filesharing, and remote desktop are not accessible from other computers on the internet, even though those services are enabled and accessible on my LAN.  Is there anything further I should be concerned about?

Assisted Solution

by:kdearing
kdearing earned 300 total points
ID: 22734115
I would prefer something other than Windows Firewall, but maybe that's just me.

One other thing...DNS

If your server is a Domain Controller, then you'll need to re-configure your DNS.
On the DC server -
  DNS forwarders set to ISP's DNS
  All NICs configured for itself, 192.168.1.200
  DHCP configured for DC as DNS only

Author Comment

by:Frosty555
ID: 22734753
I take back point (4) on my comment #22733716. My DHCP server had the DNS settings hardcoded in. NAT doesn't do anything related to relaying DNS addresses to clients.

All seems to be well, provided my DHCP server has the DNS settings hard coded in. If those DNS settings ever change I will have problems until I fix it, though, and that doesn't really go with the set-it-and-forget-it mentality...

I'm actually on a workgroup, but WINS server is handling my computer name resolution. Are you suggesting that Quasimodo (that's the name of my server) be a DNS server as well? Will that cause any slowdowns as far as DNS name resolution for clients on the network goes?

I'm getting my hands on ISA Server 2004 now. I'll see what I can do about using it instead of Windows Firewall.

Expert Comment

by:kdearing
ID: 22735315
If you're not using your server as a Domain Controller, then you're good.

Author Comment

by:Frosty555
ID: 22737680
Whoops, I already set it up.  But it's working well enough. Oh well.

Thank you for your help, I'm really glad I got this working finally.
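
A triage script for the `ipconfig /all` output in the question and the DNS concern in comment 22734753, added here as an illustration and not part of the original thread. It classifies each adapter's address (APIPA, private, public), names the adapters that put a public address directly on the server, and reports any difference between the ISP-assigned DNS servers and the ones hard-coded in DHCP; the function names and the `scope_dns` input are assumptions.

```python
import ipaddress
import re

# Constructed sample: the thread's `ipconfig /all` output, trimmed to the fields used here.
SAMPLE = """\
Ethernet adapter LAN NIC 100mbps:
   IP Address. . . . . . . . . . . . : 192.168.1.200
Ethernet adapter WAN NIC 10mbps:
   Autoconfiguration IP Address. . . : 169.254.242.156
PPP adapter Primus High Speed Internet:
   IP Address. . . . . . . . . . . . : 202.102.35.161
   DNS Servers . . . . . . . . . . . : 216.254.141.13
                                       209.90.160.220
"""

def parse_ipconfig(text):
    """Map adapter name -> {"ips": [...], "dns": [...]} from `ipconfig /all` text."""
    adapters, current, field = {}, None, None
    for line in text.splitlines():
        head = re.match(r"^(?:Ethernet|PPP) adapter (.+):\s*$", line)
        if head:
            current, field = adapters.setdefault(head.group(1), {"ips": [], "dns": []}), None
            continue
        if current is None or not line.strip():
            continue
        kv = re.match(r"^\s+(.+?)[\s.]*:\s*(.*)$", line)
        if kv:
            field, value = kv.group(1), kv.group(2).strip()
        else:
            value = line.strip()  # continuation line, e.g. the second DNS server
        if value and field and field.endswith("IP Address"):
            current["ips"].append(value)
        elif value and field == "DNS Servers":
            current["dns"].append(value)
    return adapters

def classify(ip):
    """'apipa' (169.254/16 autoconfiguration), 'private', or 'public'."""
    addr = ipaddress.ip_address(ip)
    if addr.is_link_local:
        return "apipa"
    return "private" if addr.is_private else "public"

def review(text, scope_dns):
    """scope_dns: servers hard-coded in the DHCP scope's DNS option (hypothetical input)."""
    exposed, isp_dns = [], []
    for name, adapter in parse_ipconfig(text).items():
        if any(classify(ip) == "public" for ip in adapter["ips"]):
            exposed.append(name)
            isp_dns += adapter["dns"]
    return {"exposed": exposed, "dns_drift": sorted(set(scope_dns) ^ set(isp_dns))}
```

An empty `dns_drift` means the DHCP scope still matches what the PPP session negotiated; any entry in it is a server present on one side only.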