mwyatt
asked on
Trying to connect to a share on different subnet
I'm trying to connect from 192.168.1.x to a share on a Hyper-V virtual desktop at 10.0.1.90. Each subnet is on a different physical router and each router has a public IP address (consumer routers: one is a ZyWALL USG100, the other is a Netgear FVS114).
This diagram shows my configuration with both routers and two public IP addresses. The Hyper-V server has two (2) NICs, the first NIC on the 192.168.1.x subnet and the second NIC on 10.0.1.x subnet. I use the DNS provided by my ISP and I don't employ AD. How do I configure my router(s) to allow subnet 1 to access a share on subnet 2 by name or IP address? By this I mean any computer on subnet 192.168.1.x can browse the network and access shared resources on subnet 10.0.1.x. Or is there more that I need to do besides change router settings?
                      Internet
                         |
           ______________|______________
          |                             |
       Router 1                      Router 2
       x.x.x.18                      x.x.x.19
          |                             |
          |                             |
       Subnet 1                         |
      192.168.1.x                       |
          |                             |
          |                             |
          |                             |
        NIC 1 ________ Hyper-V _______ NIC2 (Subnet 2)
     192.168.1.46      Server        10.0.1.x
                         |
                         |
                      Virtual
                     10.0.1.90
ASKER
Thanks. I can't even ping. So that's the first problem to solve. I know all routers use different terminology, so very generally what's the setting I would modify?
I'd be OK with connecting via IP only since I'll be mapping a drive to that share anyway.
In general, there are a lot of potential culprits. Firewalls and default gateway or special routes are the most important to check.
Having a closer look into the diagram you supplied, I see a severe issue - there is no router in your LAN connected to both networks. Only the Hyper-V Server has access to both. I reckon you do not want to route traffic in plain (unencrypted) via the public IPs - unless they are in the same subnet, that would be a bad idea, and probably not working because of NAT.
So, you need to install the Routing and Remote Access role on the Hyper-V server. http://social.technet.microsoft.com/Forums/windowsserver/en-US/1866b005-7986-4b39-bc15-34832efda01b/setup-rras-inside-of-hyperv?forum=winserverhyperv can give you a hint how to do that.
Then you'll need to set up the correct RRAS NIC as gateway for each subnet. It is simplest if you create a specific route on the default gateways; otherwise you have to do it on each device you want to allow inter-LAN communication for.
In detail:
set a route on x.x.x.19 for 192.168.1.0/24 using 10.0.1.x (Hyper-V NIC)
set a route on x.x.x.18 for 10.0.1.0/24 using 192.168.1.46
That should take care of the routing. And then comes the firewall ...
ASKER
You are correct, there is no router connecting both networks.
I have 5 static IPs assigned by my ISP and I'm thinking that traffic going from the x.x.x.18 to the x.x.x.19 doesn't actually go out across "the internet" so packets can't get intercepted. Maybe I'm totally wrong...my routing knowledge is rusty and limited.
Whether the packets remain local or not is a question of ISP configuration. Usually packets of the same subnet do not cross routers. If both routers are plugged into another device, bets are high that no routing to the outside happens. If each router has a dedicated line, bets are high packets are routed on ISP site.
Leaving that aside, there is still NAT. All traffic to the Internet has to get mapped to a single public IP, and without further firewall config the other way round does not work - you have to forward traffic for a specific port (in this case e.g. 445 for CIFS) and a specific host. See the issue? You do not have a single host, you want to access multiple targets.
You are better off with the RRAS approach I described above. Or build a VPN between the two internet routers.
ASKER
I have a 5-port switch in front of those routers, each port going to a different router. The x.x.x.18 plugs into one port, x.x.x.19 plugs into the next and so on, up through x.x.x.22.
Duh. I didn't consider a VPN connection between them. That would solve the security concern. But would I still need to configure RRAS if a VPN is in place?
ASKER
Yes I'm aware of VPN overhead. It's terrible for transferring numerous files, which is the primary purpose of reaching a share across subnets. With that acknowledgment I think that the VPN will be the easiest solution for now, so I will proceed with that.
If anyone else has other suggestions please chime in.
Thanks again Qlemo for the guidance!
If you can live with having to provide IP addresses, only proper routing is needed. As long as you can ping, you should be able to use \\10.0.1.x\share . Of course you need to take care of the Windows Firewall rules, if active - 192.168.1.0/24 needs to be a trusted network on 10.0.1.0/24 PCs.
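An added example, not part of any post in this thread: the per-device variant of the routing described above, with an inbound rule that admits only SMB (TCP 445) and ping from 192.168.1.0/24 instead of trusting the whole remote subnet. It assumes Windows 8 / Server 2012 or later (NetTCPIP and NetSecurity cmdlets), that RRAS on the Hyper-V server already forwards between its two NICs, and the role names, function name and rule names are made up for illustration; the Hyper-V NIC2 address is a placeholder because the thread gives it only as 10.0.1.x.

```powershell
# Added example (not from the thread). Run elevated on the machine named by -Role.
param(
    [Parameter(Mandatory)][ValidateSet('Subnet1Client', 'Subnet2Host')]
    [string]$Role,
    # Placeholder: the thread gives the Hyper-V NIC on subnet 2 only as 10.0.1.x
    [string]$HyperVNic2 = '<Hyper-V NIC2 address>'
)

function Add-PeerRoute {   # hypothetical helper name
    param([string]$LocalPattern, [string]$Destination, [string]$NextHop)
    # Bind the route to the interface that owns an address on the local subnet
    $ip = Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object IPAddress -like $LocalPattern | Select-Object -First 1
    if (-not $ip) { throw "No interface has an address matching $LocalPattern" }
    # Skip if a route for this prefix already exists, so the script can be re-run
    if (-not (Get-NetRoute -DestinationPrefix $Destination -ErrorAction SilentlyContinue)) {
        New-NetRoute -DestinationPrefix $Destination -NextHop $NextHop `
            -InterfaceIndex $ip.InterfaceIndex | Out-Null
    }
}

switch ($Role) {
    'Subnet1Client' {
        # Reach 10.0.1.0/24 through the Hyper-V server's NIC on this subnet
        Add-PeerRoute -LocalPattern '192.168.1.*' -Destination '10.0.1.0/24' `
            -NextHop '192.168.1.46'
        # Ping first, then the SMB port: separates a routing fault from a firewall block
        $r = Test-NetConnection -ComputerName 10.0.1.90 -Port 445
        "Ping: $($r.PingSucceeded)  TCP 445: $($r.TcpTestSucceeded)"
    }
    'Subnet2Host' {
        # Return path: replies to 192.168.1.0/24 must go back via the Hyper-V NIC
        Add-PeerRoute -LocalPattern '10.0.1.*' -Destination '192.168.1.0/24' `
            -NextHop $HyperVNic2
        # Admit only what the share needs from the other subnet
        New-NetFirewallRule -DisplayName 'SMB in from 192.168.1.0/24' `
            -Direction Inbound -Action Allow -Protocol TCP -LocalPort 445 `
            -RemoteAddress '192.168.1.0/24' | Out-Null
        New-NetFirewallRule -DisplayName 'Ping in from 192.168.1.0/24' `
            -Direction Inbound -Action Allow -Protocol ICMPv4 -IcmpType 8 `
            -RemoteAddress '192.168.1.0/24' | Out-Null
    }
}
```

If the static routes are set on the two default gateways instead, as the answer recommends, only the firewall rules and the Test-NetConnection check are still needed on the endpoints.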