Solved

dual homed server 2003 route problem

Posted on 2011-04-27
Last Modified: 2012-05-11
I have a Server 2003 running RRAS for VPN.
One nic is dedicated for VPN and is connected to my cable modem directly with a public static IP 75.146.59.xxx. It is locked down except for port 1723 and protocol 47.
Second nic (192.168.1 subnet) is connected to my internal network, which connects to my router, which is connected to my cable modem.
The default gateway for the VPN nic is 75.146.59.14. For the intranet nic it's 192.168.1.1.
I changed the binding order to make the intranet nic 1st. I changed the metric for the vpn nic to 100.
On the server, I can connect to the Internet OK except for the rest of my static ip block.
How do I fix that?
IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10002 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
0x10003 ...00 16 35 5c 37 38 ...... HP NC7782 Gigabit Server Adapter
0x10004 ...00 11 0a 5c ba e1 ...... HP NC7170 Dual Gigabit Server Adapter
0x30005 ...00 11 0a 5c ba e0 ...... HP NC7170 Dual Gigabit Server Adapter #2
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     75.146.59.14     75.146.59.10    100
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.10      1
      75.146.59.8  255.255.255.248     75.146.59.10     75.146.59.10    100
     75.146.59.10  255.255.255.255        127.0.0.1        127.0.0.1    100
   75.255.255.255  255.255.255.255     75.146.59.10     75.146.59.10    100
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
      192.168.1.0    255.255.255.0      192.168.1.6      192.168.1.6     20
      192.168.1.0    255.255.255.0     192.168.1.10     192.168.1.10     10
      192.168.1.6  255.255.255.255        127.0.0.1        127.0.0.1     20
     192.168.1.10  255.255.255.255        127.0.0.1        127.0.0.1     10
    192.168.1.201  255.255.255.255        127.0.0.1        127.0.0.1     50
    192.168.1.255  255.255.255.255      192.168.1.6      192.168.1.6     20
    192.168.1.255  255.255.255.255     192.168.1.10     192.168.1.10     10
        224.0.0.0        240.0.0.0     75.146.59.10     75.146.59.10    100
        224.0.0.0        240.0.0.0      192.168.1.6      192.168.1.6     20
        224.0.0.0        240.0.0.0     192.168.1.10     192.168.1.10     10
  255.255.255.255  255.255.255.255     75.146.59.10     75.146.59.10      1
  255.255.255.255  255.255.255.255      192.168.1.6      192.168.1.6      1
  255.255.255.255  255.255.255.255     192.168.1.10     192.168.1.10      1
Default Gateway:       192.168.1.1
===========================================================================
Persistent Routes:
  None
0
Question by:rickhan
27 Comments
 
LVL 2

Author Comment

by:rickhan
ID: 35480806
Updated route table:

IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10002 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
0x10003 ...00 16 35 5c 37 38 ...... HP NC7782 Gigabit Server Adapter
0x30005 ...00 11 0a 5c ba e0 ...... HP NC7170 Dual Gigabit Server Adapter #2
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     75.146.59.14     75.146.59.10     10
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.10     10
      75.146.59.8  255.255.255.248     75.146.59.10     75.146.59.10     10
     75.146.59.10  255.255.255.255        127.0.0.1        127.0.0.1     10
   75.255.255.255  255.255.255.255     75.146.59.10     75.146.59.10     10
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
  166.134.245.143  255.255.255.255     75.146.59.14     75.146.59.10     10
      192.168.1.0    255.255.255.0     192.168.1.10     192.168.1.10     10
     192.168.1.10  255.255.255.255        127.0.0.1        127.0.0.1     10
    192.168.1.201  255.255.255.255        127.0.0.1        127.0.0.1     50
    192.168.1.203  255.255.255.255    192.168.1.201    192.168.1.201      1
    192.168.1.255  255.255.255.255     192.168.1.10     192.168.1.10     10
        224.0.0.0        240.0.0.0     75.146.59.10     75.146.59.10     10
        224.0.0.0        240.0.0.0     192.168.1.10     192.168.1.10     10
  255.255.255.255  255.255.255.255     75.146.59.10     75.146.59.10      1
  255.255.255.255  255.255.255.255     192.168.1.10     192.168.1.10      1
Default Gateway:      75.146.59.14
===========================================================================
Persistent Routes:
  None
0
 
LVL 2

Author Comment

by:rickhan
ID: 35480812
I need to change the default gateway 192.168.1.1 without breaking the vpn nic. Some of the changes I did earlier broke the vpn nic, so I'm back to the beginning.
0
 
LVL 17

Expert Comment

by:aoakeley
ID: 35481211
Is the static IP block you are talking about 75.146.59.8/29 or some other static IP block?

If it is the above block, what are you trying to connect to in that block (e.g. webserver)? If your NIC is filtered to only allow traffic on port 1723 and IP protocol 47, then these are the only two you will be able to connect to on that subnet.

For Example: You cannot route traffic on port 80 out your 192.168.1.10 interface to go out into the internet and back to your 75.146.59.8/29 subnet as the server will always route that traffic out the filtered 75.146.59.10 interface.

You may be better off getting a firewall device that can handle the two connections, and reducing the server to only having one NIC.
0
 
LVL 2

Author Comment

by:rickhan
ID: 35481282
75.146.59.8/29 is the static block. I've 2 or 3 Web servers right now.
Can't I change the route table to handle this situation?
It's trying to route all Internet traffic through the 75.146.59.10 interface right now, which is definitely NOT what I want.

This is a Server 2003 running RRAS. Default setup is to use 1 nic for VPN, another for intranet traffic, so there must be a proper way to set up the routing.
I prefer RRAS for my vpn, as I can use AD for all my access control. Be a real pain otherwise.
0
 
LVL 17

Expert Comment

by:aoakeley
ID: 35481572
The issue you are confronting is that you are trying to have two default routes, and you want the highest priority route to be on the 192.168.1.10 interface so that all internet traffic goes out on that interface.

So if you decrease the metric of the 192.168.1.10 default route, what does the server do with a packet that comes in on the 75.146.59.10 interface? It does exactly what you have told it to do: it sends its reply out the 192.168.1.10 interface. Therefore your VPN does not work, because the packets going out are coming from a different interface (the NATted interface on your other gateway) and the VPN client does not like this (could be a compromised connection), so your VPNs stop working.

If you knew the IP address range that all your VPN clients were coming from, you could remove the default gateway from the 75.146.59.10 interface and add static routes for all the remote subnets that you have VPN clients connecting from, but this is hardly practical.

Because you have web servers etc. on the 75.146.59.8/29 subnet and you have limited the ports that interface can use to the VPN ports, you are never going to be able to access the web servers on that subnet from your server, because the server is ALWAYS going to try to send packets to that subnet out the 75.146.59.10 interface.

When you say "Default setup is to use 1 nic for vpn, another for intranet traffic", whose default? Certainly not Microsoft's. If this is SBS2003 the default setup is to have one NIC for internet traffic (WAN interface), and one for LAN traffic. The LAN interface will not have a default gateway, thus all internet traffic goes out the WAN interface.

IMHO if your intention is to split the traffic across two internet connections to maximise performance, the best way is to use a router in front of the server that can handle and manage both internet connections for you. You can still use RRAS and AD authentication, and you can manage which internet service gets used for which protocols, both inbound and outbound.

If you were running ISA Server on your server there would be additional options open to you, but on a plain routing table basis I am afraid (I believe) you are stuck.
0
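To make the routing argument above concrete, here is an added example (not from the thread) that replays the Windows forwarding decision over the first route table posted above: the longest matching prefix wins, and the metric only breaks ties between routes of equal prefix length. The `route print` lines are copied from the question; the re-costing helper mirrors the metric change the asker made.

```python
import ipaddress
from collections import namedtuple

Route = namedtuple("Route", "network gateway interface metric")

# Constructed from the "Active Routes" section of the first route table in the
# question (VPN default route at metric 100, intranet default route at metric 1).
# Directly connected routes have gateway == interface, as Windows prints them.
ROUTE_PRINT = """\
          0.0.0.0          0.0.0.0     75.146.59.14     75.146.59.10    100
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.10      1
      75.146.59.8  255.255.255.248     75.146.59.10     75.146.59.10    100
     75.146.59.10  255.255.255.255        127.0.0.1        127.0.0.1    100
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
      192.168.1.0    255.255.255.0     192.168.1.10     192.168.1.10     10
     192.168.1.10  255.255.255.255        127.0.0.1        127.0.0.1     10
"""


def parse_route_print(text):
    """Parse 'route print' Active Routes lines into Route tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # header, separator or blank line
        dest, mask, gateway, iface, metric = fields
        network = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append(Route(network, gateway, iface, int(metric)))
    return routes


def select_routes(routes, destination):
    """Longest prefix match first; metric is consulted only among routes of
    equal prefix length. Every winner is returned, so a tie shows up as two."""
    dst = ipaddress.IPv4Address(destination)
    matching = [r for r in routes if dst in r.network]
    if not matching:
        return []
    longest = max(r.network.prefixlen for r in matching)
    matching = [r for r in matching if r.network.prefixlen == longest]
    lowest = min(r.metric for r in matching)
    return [r for r in matching if r.metric == lowest]


def egress_interfaces(routes, destination):
    """Sorted list of interfaces a packet to `destination` would leave on."""
    return sorted(r.interface for r in select_routes(routes, destination))


def set_default_metric(routes, interface, metric):
    """Copy of the table with the 0.0.0.0/0 route on `interface` re-costed,
    which is the knob the asker turned in the adapter's advanced TCP/IP settings."""
    return [r._replace(metric=metric)
            if r.network.prefixlen == 0 and r.interface == interface else r
            for r in routes]


if __name__ == "__main__":
    routes = parse_route_print(ROUTE_PRINT)
    print("8.8.8.8     ->", egress_interfaces(routes, "8.8.8.8"))      # intranet NIC: metric 1 beats 100
    print("75.146.59.9 ->", egress_interfaces(routes, "75.146.59.9"))  # VPN NIC: the /29 route beats any default
    tied = set_default_metric(set_default_metric(routes, "75.146.59.10", 10), "192.168.1.10", 10)
    print("tied 8.8.8.8 ->", egress_interfaces(tied, "8.8.8.8"))      # both NICs, as in the updated table
```

No default-route metric reaches the web servers on 75.146.59.8/29 because the directly connected /29 route is a longer match than either 0.0.0.0/0 entry; only removing that interface or the port filter on it changes the outcome.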
 
LVL 2

Author Comment

by:rickhan
ID: 35484183
The Microsoft setup wizard for RRAS VPN forces you to use two nics to set up VPN, one for intranet, one for Internet. The default also locks down the Internet nic.
You can do a manual setup and use just one nic, but then you need NAT and port forwarding for it to work on a separate static IP from the router.
0
 
LVL 17

Expert Comment

by:aoakeley
ID: 35484230
Yes, one for intranet and one for Internet. You are trying to use two for Internet. No matter what you say you can't make the routing rules alone do what you are asking.
0
 
LVL 2

Author Comment

by:rickhan
ID: 35484327
The default setup locks the Internet one down for only VPN traffic. That leaves no nic for regular Internet traffic. If that was a bug, Microsoft would have fixed it a long time ago. Something's missing here.
0
 
LVL 17

Expert Comment

by:aoakeley
ID: 35484433
To be honest I have never run the default wizard, I have always done a custom config, but that still does not change the way that routing works. Getting late in OZ; I'll test it on a VM tomorrow to be sure.

It is not a bug. In MS Land you would not have your RRAS server doing anything else, so this is normal. If you let the sbs setup configure RRAS for you then the port blocking will not be there. Take out the port blocking and you will be able to access your web servers, but if you change the metric to prioritize the 192 NIC on the default routes your PPTP vpns will break.
0
 
LVL 2

Author Comment

by:rickhan
ID: 35484587
I'm actually using just Standard Server 2003 without SBS. I don't routinely access the Internet from the server, except when I am debugging something and need to reference something on the Internet.
The server is my DC, my SQL Server, and my RRAS server.
Pretty light load, for development use.
Maybe I can configure my Linksys RV042 WAN2 port to the static IP for VPN, then 1-1 NAT to the VPN nic on a local IP. Probably also need to port forward 1723.
0
 
LVL 37

Expert Comment

by:Jamie McKillop
ID: 35488256
Hello,

The root of your problem is that you have two default gateways configured. You can't have this. You should only have a default gateway on the internet-facing NIC. If you have more than one internal VLAN, you will need to set up static routes.

JJ
0
 
LVL 17

Expert Comment

by:aoakeley
ID: 35488468
@rickhan I believe I told you the same thing as @jjmck back in my second post.

Yes, using a router such as the RV042 to manage the two connections is the correct way to go. That way your server only needs one IP and one default gateway.
0
 
LVL 2

Author Comment

by:rickhan
ID: 35488919
Then the question is, what is the best way to set up the RV042.
If my VPN nic is on the inside of the RV042, then I can disable the default filtering that the wizard wants to set, as it's not needed.
The benefit I get from using two nics is keeping the vpn network traffic separate from my regular server network traffic.
On the RV042, I can change the DMZ port to WAN2 and assign the vpn public static ip, then port forward 1723 and gre to the vpn nic. Do I need to NAT all WAN2 traffic to the vpn nic also?
0
 
LVL 17

Expert Comment

by:aoakeley
ID: 35488996
I only have a very passing familiarity with the RV042. But assuming it works like any other dual WAN router I would do the following.

- Set the LAN interface of the RV042 to be the default gateway for the network (192.168.1.1)
- Remove the IP address and disable the second NIC on the server
- The server should now only have one NIC enabled, and that is the 192.168.1.10 interface with 192.168.1.1 as gateway
- Configure RRAS using "custom configuration", tick "VPN" and "LAN Routing" and create a policy. To begin with just create one using "time of day" or Windows Security Group
- Configure both internet connections on the RV042. Most dual WAN routers enable you to create some rules on how you want to route outbound traffic. They generally route traffic out based on the interface it comes in on as well.
- Port forward 1723 and IP protocol 47 (GRE) from the 75.146.59.10 interface of the RV042 to the 192.168.1.10 interface of the server.

At the end of this all internet traffic should go in and out the "other" internet interface, and VPN users can connect to the 75.146.59.10 interface for VPN usage. Traffic to your web servers on the 75.146.59.8/29 subnet will still go out the 75.146.59.10, but that's OK.

If you cannot do the above config in the RV042 then you might have to look at getting a better dual WAN router. I use WatchGuard routers, but Cyberoam, Mikrotik, Cisco IOS, Snapgear (now out of production) all have this ability.
0
 
LVL 2

Author Comment

by:rickhan
ID: 35489100
I think it should work if I keep the second nic for just VPN traffic. I just have both nics on the same subnet, with 1 default gateway. Easy to temporarily disable VPN just by disabling the nic. Also, the VPN connections may be doing large uploads/downloads, and I don't want that to affect access to the server on the intranet, especially as that is my DC and SQL Server.
I'll test that config tomorrow.
0
 
LVL 17

Expert Comment

by:aoakeley
ID: 35489393
As long as both NICs have 192.168.1.1 as their default gateway you can do this, but beware: if the second NIC is registered in DNS, client computers may also try to connect to it.

I would first set it up all on the one NIC (KISS - Keep It Simple Stupid). If you want to disable VPN just stop RRAS. Then after you have it all working you can play about with two NICs.

Given that the NICs are gigabit and your ADSL and cable connections are only a fraction of that in their capacity by %, I doubt the uploads and downloads will have any effect on performance. Checking the current utilization on the intranet NIC would give you a guide on this. My bet would be that unless it is a very heavily utilised server with RAID10 SAS disk arrays the NIC will be <25% utilization.

Anyway I think your original Q is probably closed and if you have issues setting up the router, or need a new router that would be considered a new Q.

Andy
0
 
LVL 37

Expert Comment

by:Jamie McKillop
ID: 35490800
Before we continue troubleshooting this any further, can I ask why you are setting up an RRAS server when your RV042 has built-in VPN functionality?

JJ
0
 
LVL 17

Expert Comment

by:aoakeley
ID: 35490971
Kind of because we ended up with the rv042 as the solution, rather than where the Q started.....
0
 
LVL 37

Expert Comment

by:Jamie McKillop
ID: 35491040
Right, the question started with how to properly configure the RRAS server. My question is why is he even trying to set up an RRAS server when the router he is using has a built-in VPN server? Is there a specific technical or business reason for not using the VPN server in the router, or is he just not aware the router has that capability? The simplest solution here would be to use the VPN capabilities of the router and forget about setting up an RRAS server.

JJ
0
 
LVL 17

Expert Comment

by:aoakeley
ID: 35491189
Agreed, and use RADIUS to link the authentication to AD. (Not that familiar with the RV042 so not sure if it supports RADIUS.) This would also give the ability to VPN in on either internet connection if one was down for a while... but again this all digresses from the original Q, which was about routing and RRAS. IMHO now that the original routing Q has been answered he should open a new Q for the best way to configure the RV042, and it sounds like you @JJ are the man to answer those questions :)
0
 
LVL 37

Expert Comment

by:Jamie McKillop
ID: 35491247
I don't agree that a new question should be opened. I also don't agree that the proper solution to the original question has been provided. If he wants to continue down the path of setting up an RRAS server, I'll provide what I believe is the proper setup. If he wants to ditch the RRAS server and set up VPN on the router, we can continue that conversation. I just didn't want to get into any further discussions about RRAS if that isn't going to be the final solution.

JJ
0
 
LVL 17

Expert Comment

by:aoakeley
ID: 35491408
I will be interested to see if you have a different solution to setting up RRAS than the one I have suggested. I assume you have read all the posts so you can see how the discussion ended up where it did. Over to you @JJ
0
 
LVL 37

Expert Comment

by:Jamie McKillop
ID: 35491648
The second WAN port on the router can be configured as a DMZ port. He should set up a DMZ on the router and connect NIC 1 on the RRAS server to that port. NIC 2 on the server should be connected to his internal network. Assuming he uses 10.1.1.x for the DMZ, it would look like this:

NIC1:
IP - 10.1.1.10
Mask - 255.255.255.0
Gateway - 10.1.1.1

NIC2:
IP - 192.168.1.10
Mask - 255.255.255.0
Gateway -

When you run the RRAS setup wizard, it actually only firewalls inbound connections so the server will have access to the internet. I think this point is where most of the confusion lies. Optionally, you can uncheck the box on the wizard to secure the connection and use the router to only allow 1723 and 47 inbound.

JJ
0
 
LVL 17

Expert Comment

by:aoakeley
ID: 35491677
Does not solve his issue of wanting all Internet traffic from the server to go out the other GW. But yes agreed is the correct setup for one WAN and one LAN interface.
0
 
LVL 37

Expert Comment

by:Jamie McKillop
ID: 35491766
That isn't possible. You can't specify by the type of traffic which interface to use. If this is a dedicated RRAS server, there shouldn't be any internet traffic other than the VPN connections.

JJ
0
 
LVL 17

Accepted Solution

by:
aoakeley earned 2000 total points
ID: 35491873
Again I am agreeing with you @JJ. We already told the author that it was not possible to do what he was asking with the server and RRAS alone. That is how we ended up with the RV042 he mentioned he had, and how to set it up as a dual WAN router with port forwarding to RRAS, as he stated he specifically still wanted to use RRAS.

Andy
0
 
LVL 2

Author Comment

by:rickhan
ID: 35492664
The vpn capability of the RV042 router does not work with AD. The users would need two accounts, and I would need to administer two accounts for each user.

The RRAS server firewalls inbound and outbound connections on the VPN nic. When I turn it off, I can access the Internet from the server. When on, I can't.

The two solutions:
1. Turn off the second gateway on the server and live with not accessing the Internet from the server. I can live with that.
2. Run one or two nics through the RV042 router, with port forwarding to the server and WAN2 set to the static ip. Single and double nics both work.

I really appreciate all the help.
0
