
EBS 2008 - Need to add an internal subnet

Hello,

I need to connect an additional IP subnet to an existing Windows Essential Business Server 2008 network:

Internet -- Firewall Appliance -- EBS Security Server -- internal network (192.168.254.0/24) -- Router Appliance -- 2nd internal network appliance (192.168.251.0/24)

I installed the router, I added the route to TMG on the security server via the "getting started wizard". A "route print" command shows the new route:
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
    192.168.251.0    255.255.255.0  192.168.254.254     256
          0.0.0.0          0.0.0.0    192.168.250.1       1
===========================================================================

However, I can't access systems located on the additional subnet. Pinging systems does not work. I need to add the route locally on a computer to be able to ping systems located on the other side of the router. Looks like I am having some ICMP Redirect issue. Do I need to add a TMG rule for this to work?

Any help would be appreciated.

Asked:
xmi
1 Solution
 
pwindell commented:
1. You have to also add the new IP Range to the Internal Network Definition (the Addresses Tab in the Properties of "Internal Network")

2. The new Router Appliance between the two LAN segments is now the Default Gateway of the LAN,...not the EBS-SS machine.

3. The Router Appliance will then,...in turn,...use the EBS-SS as its Default Gateway
 
xmi (Author) commented:
Thanks.

1: it was already done, I forgot to mention it.

2: do you mean the appliance becomes the default gateway for the existing subnet and the new one?

3: already configured
 
pwindell commented:
2.  Yes.  It is a requirement.  It is called maintaining Synchronous Routing,...meaning packets always have to follow the same path in both directions no matter where they came from or where they are going

Synchronous Routing = good
Asynchronous Routing = evil
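The symmetric-routing requirement above is easiest to see by tracing a packet hop by hop in both directions. The following script is an added example, not code from the thread: it models the four nodes of the layout in the question with small routing tables and checks whether the reply path is the request path mirrored. The addresses 192.168.254.254 (LAN router) and 192.168.250.1 (EBS default gateway) come from the "route print" output in the question; the workstation (192.168.254.10), the EBS internal address (192.168.254.1), the router's second interface (192.168.251.1) and the host on the new subnet (192.168.251.10) are constructed assumptions.

```python
"""Route-symmetry check for the two-subnet EBS layout.

Constructed example: each node carries a small routing table, a packet is
traced hop by hop in both directions, and the two paths are compared.
"""
import ipaddress

# Constructed topology (only .254.254 and .250.1 come from the question).
#   pc     : workstation on the existing LAN      192.168.254.10
#   ebs    : EBS Security Server (TMG)            192.168.254.1 / 192.168.250.2
#   router : LAN router between the two subnets   192.168.254.254 / 192.168.251.1
#   host   : system on the new subnet             192.168.251.10
ADDRS = {
    "pc": {"192.168.254.10"},
    "ebs": {"192.168.254.1", "192.168.250.2"},
    "router": {"192.168.254.254", "192.168.251.1"},
    "host": {"192.168.251.10"},
}
OWNER = {ip: node for node, ips in ADDRS.items() for ip in ips}

# Routing entries are (network, next_hop); next_hop None = directly connected.
CONNECTED = {
    "pc": [("192.168.254.0/24", None)],
    "ebs": [("192.168.254.0/24", None), ("192.168.250.0/24", None)],
    "router": [("192.168.254.0/24", None), ("192.168.251.0/24", None)],
    "host": [("192.168.251.0/24", None)],
}


def build_tables(pc_gateway):
    """Per-node routing tables; only the workstation's default gateway varies."""
    return {
        "pc": CONNECTED["pc"] + [("0.0.0.0/0", pc_gateway)],
        # EBS-SS: the persistent routes shown by 'route print' in the question
        "ebs": CONNECTED["ebs"] + [("192.168.251.0/24", "192.168.254.254"),
                                   ("0.0.0.0/0", "192.168.250.1")],
        "router": CONNECTED["router"] + [("0.0.0.0/0", "192.168.254.1")],
        "host": CONNECTED["host"] + [("0.0.0.0/0", "192.168.251.1")],
    }


def lookup(table, dst):
    """Longest-prefix match; returns the next hop (None = on-link)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, next_hop in table:
        net = ipaddress.ip_network(net)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1]


def trace(tables, src, dst, max_hops=8):
    """Forward a packet hop by hop; returns the list of nodes it visits."""
    path, node = [src], src
    for _ in range(max_hops):
        if dst in ADDRS[node]:          # delivered
            return path
        next_hop = lookup(tables[node], dst)
        node = OWNER[dst if next_hop is None else next_hop]
        path.append(node)
    raise RuntimeError("forwarding loop")


def is_symmetric(tables, a_ip, b_ip):
    """True when the reply path is exactly the request path reversed."""
    fwd = trace(tables, OWNER[a_ip], b_ip)
    rev = trace(tables, OWNER[b_ip], a_ip)
    return fwd == list(reversed(rev))


PC, HOST = "192.168.254.10", "192.168.251.10"
BEFORE = build_tables(pc_gateway="192.168.254.1")    # LAN still points at EBS-SS
AFTER = build_tables(pc_gateway="192.168.254.254")   # LAN points at the new router

if __name__ == "__main__":
    for label, tables in (("before", BEFORE), ("after", AFTER)):
        print(label, trace(tables, "pc", HOST), trace(tables, "host", PC),
              "symmetric" if is_symmetric(tables, PC, HOST) else "ASYMMETRIC")
```

With the workstation still pointing at EBS-SS, the request travels pc, ebs, router, host while the reply goes host, router, pc; TMG sees only one direction of the flow and the EBS-SS has to send ICMP redirects to patch it up. Once the LAN's default gateway is the router, both directions follow pc, router, host and the firewall only sees the Internet-bound traffic it is meant to inspect.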
 
pwindell commented:
Here's a diagram example

 3segmentlan.jpg
 
pwindell commented:
Another option,...looking at the diagram above,...simply remove LAN1 from the diagram and make that link between the LAN Router and ISA a simple Point-to-Point Link with a /30bit mask.  It is the same thing other than that I chose to not let it go to waste as a /30bit P2P segment and made it a /24bit segment to be able to use Hosts on it.

If you leave my LAN3 out of the diagram it creates exactly what you have.
 
xmi (Author) commented:
I understand your remarks about the asynchronous routing. I am a bit reluctant to change the default config of such an integrated solution (EBS) and have the routing rely on a $300 appliance vs a $6000 server... I will have to test this.
 
pwindell commented:
It isn't an "option".  It is not something you can pick-and-choose.  It is the way it has to be.   I've never seen a LAN Router appliance cost $300,...They've always been $1000 or higher unless you buy a used one.

If it cannot handle the job then you have to buy a better one,..it is just that simple.
 
xmi (Author) commented:
Thank you for your observations. Have a look here for appliances: http://www.applianceshop.eu/index.php/firewalls/opnsense.html. I realize I did not mention that, in our case, the new subnet is made of 3 systems that need to talk to one system on the existing subnet. This is why we looked at solutions like the ones sold via that website instead of some Cisco stuff.

I appreciate your guidance which made me reconsider the whole network design. Off-hours tests made me find the original cause of the problem: an IP conflict on the new subnet.
 
pwindell commented:
Looks like those are Firewalls,...not Routers.
Firewalls are not routers,....routers are not Firewalls.  Commercial quality versions of both can, in a limited way, do both jobs, but not nearly as well as a product specifically designed to do the specific job.

The tragedy of the home-user retail market is that they have destroyed terminology.  The retail market calls firewalls "routers",...when, at least the home-user variety, is not even capable of "routing".  Commercial quality Firewalls are usually capable of doing double-duty as a LAN Router but they are also usually nowhere near as capable of doing so as a "real" router.

So if you need a Firewall, you buy a Firewall,...if you need a LAN Router, buy a LAN Router,...if you need a WAN Router, then buy a WAN Router.  Firewalls are what they are,...LAN Routers tend to have mostly Ethernet Interfaces (e0, e1, e2),...WAN Routers tend to have mostly Serial Interfaces unless they have an integrated CSU/DSU (s0, s1, s2)