Solved

Trying to connect to a share on different subnet

Posted on 2014-02-03
Last Modified: 2014-02-05
Trying to connect to a share across subnets

I'm trying to connect from 192.168.1.x to a share on a Hyper-V virtual desktop at 10.0.1.90. Each subnet is on a different physical router and each router has a public IP address (consumer routers: one is a XyWall USG100, the other is a Netgear FVS114).

This diagram shows my configuration with both routers and two public IP addresses. The Hyper-V server has two (2) NICs, the first NIC on the 192.168.1.x subnet and the second NIC on 10.0.1.x subnet. I use the DNS provided by my ISP and I don't employ AD. How do I configure my router(s) to allow subnet 1 to access a share on subnet 2 by name or IP address? By this I mean any computer on subnet 192.168.1.x can browse the network and access shared resources on subnet 10.0.1.x.  Or is there more that I need to do besides change router settings?

                  Internet
                      |
           ___________|___________
          |                       |
      Router 1                Router 2
      x.x.x.18                x.x.x.19
          |                       |
      Subnet 1                    |
    192.168.1.x                   |
          |                       |
    NIC 1 ____ Hyper-V ____ NIC 2 (Subnet 2)
 192.168.1.46   Server        10.0.1.x
                                  |
                               Virtual
                              10.0.1.90
Question by:mwyatt

Expert Comment

by:Qlemo
ID: 39830973
Browsing across routers only works with properly configured DNS and domain suffixes (or WINS).
If you can live with having to provide IP addresses, only proper routing is needed. As long as you can ping, you should be able to use \\10.0.1.x\share. Of course you need to take care of the Windows Firewall rules, if active - 192.168.1.0/24 needs to be a trusted network on the 10.0.1.0/24 PCs.

Author Comment

by:mwyatt
ID: 39830999
Thanks. I can't even ping. So that's the first problem to solve. I know all routers use different terminology, so very generally what's the setting I would modify?

I'd be OK with connecting via IP only since I'll be mapping a drive to that share anyway.

Expert Comment

by:Qlemo
ID: 39831066
In general, there are a lot of potential culprits. Firewalls and default gateway or special routes are the most important to check.

Having a closer look into the diagram you supplied, I see a severe issue - there is no router in your LAN connected to both networks. Only the Hyper-V Server has access to both. I reckon you do not want to route traffic in plain (unencrypted) via the public IPs - unless they are in the same subnet, that would be a bad idea, and probably won't work because of NAT.

So, you need to install the Routing and Remote Access role on the Hyper-V server. http://social.technet.microsoft.com/Forums/windowsserver/en-US/1866b005-7986-4b39-bc15-34832efda01b/setup-rras-inside-of-hyperv?forum=winserverhyperv can give you a hint how to do that.
Then you'll need to set up the correct RRAS NIC as gateway for each subnet. It is simplest if you create a specific route on the default gateways; otherwise you have to do that on each device you want to allow inter-LAN communication for.

In detail:
  set a route on x.x.x.19 for 192.168.1.0/24 using 10.0.1.x (Hyper-V NIC)
  set a route on x.x.x.18 for 10.0.1.0/24 using 192.168.1.46

That should take care of the routing. And then comes the firewall ...
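The two expert comments above (routing on the Hyper-V host plus static routes, and the Windows Firewall exception for 192.168.1.0/24) as one worked configuration. This is an added example, not something posted in the thread. It assumes the Hyper-V host runs Windows Server 2012 or later, that its two NICs (or the host's vEthernet adapters bound to the virtual switches) are named `NIC1` and `NIC2`, that the host's address on subnet 2 is 10.0.1.1, and that the client and VM interfaces are called `Ethernet`; all of those names and the 10.0.1.1 address are assumptions to adjust. Enabling IP forwarding with `Set-NetIPInterface` is used here in place of the full RRAS wizard.

```powershell
# Added example (not from the thread). Assumes Windows Server 2012+ on the Hyper-V host,
# host NICs named NIC1 (192.168.1.46) and NIC2 (10.0.1.1, assumed), and client/VM NICs
# named Ethernet. Change these to match your machines.
$Subnet1    = '192.168.1.0/24'
$Subnet2    = '10.0.1.0/24'
$HostNic1Ip = '192.168.1.46'   # from the diagram
$HostNic2Ip = '10.0.1.1'       # assumption: the host's address on subnet 2
$ShareHost  = '10.0.1.90'      # the virtual desktop that holds the share

# --- On the Hyper-V host: forward packets between its two NICs ---------------------
# The Routing feature is the RRAS "LAN routing" role referred to above.
Install-WindowsFeature -Name Routing -IncludeManagementTools
# Forwarding on both interfaces is what actually moves packets from one subnet to the other.
Set-NetIPInterface -InterfaceAlias 'NIC1' -AddressFamily IPv4 -Forwarding Enabled
Set-NetIPInterface -InterfaceAlias 'NIC2' -AddressFamily IPv4 -Forwarding Enabled
Get-NetIPInterface -AddressFamily IPv4 | Select-Object InterfaceAlias, Forwarding

# --- Routes -------------------------------------------------------------------------
# Preferred: one static route on each router's LAN side, as described above:
#   x.x.x.18: 10.0.1.0/24    via 192.168.1.46
#   x.x.x.19: 192.168.1.0/24 via the host's NIC2 address
# Consumer routers take these in the web GUI. If a router cannot, the fallback is a
# route on each machine that must talk across the subnets:
# on a 192.168.1.x client (ActiveStore = not persisted, good for testing first):
New-NetRoute -DestinationPrefix $Subnet2 -InterfaceAlias 'Ethernet' `
    -NextHop $HostNic1Ip -PolicyStore ActiveStore
# on the 10.0.1.90 VM, so replies go back through the host rather than to Router 2:
New-NetRoute -DestinationPrefix $Subnet1 -InterfaceAlias 'Ethernet' -NextHop $HostNic2Ip

# --- Windows Firewall on the 10.0.1.x machine that hosts the share ---------------------
# Narrower than trusting the whole remote subnet: allow ICMP echo (so ping works while
# troubleshooting) and TCP 445 for SMB, both scoped to 192.168.1.0/24 only.
New-NetFirewallRule -DisplayName 'Allow ICMPv4 echo from subnet 1' -Direction Inbound `
    -Protocol ICMPv4 -IcmpType 8 -RemoteAddress $Subnet1 -Action Allow
New-NetFirewallRule -DisplayName 'Allow SMB from subnet 1' -Direction Inbound `
    -Protocol TCP -LocalPort 445 -RemoteAddress $Subnet1 -Action Allow

# --- Verify from a 192.168.1.x client, in the order the thread suggests ---------------
Test-NetConnection -ComputerName $ShareHost                 # ICMP: is routing in place?
Test-NetConnection -ComputerName $ShareHost -TraceRoute     # hop 1 should be 192.168.1.46
Test-NetConnection -ComputerName $ShareHost -Port 445       # TCP 445: firewall open?
# Map the share by IP, since no DNS suffix/WINS is set up for cross-subnet names:
New-PSDrive -Name Z -PSProvider FileSystem -Root "\\$ShareHost\share" `
    -Persist -Credential (Get-Credential)
```

Run the three `Test-NetConnection` checks in that order: if the ping fails the problem is routing or forwarding, if the ping succeeds but port 445 fails it is the firewall on the share host. Scoping the inbound rules to `-RemoteAddress 192.168.1.0/24` instead of marking the whole subnet as trusted keeps the exposure to exactly the two things the share needs.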

Author Comment

by:mwyatt
ID: 39832888
You are correct, there is no router connecting both networks.

I have 5 static IPs assigned by my ISP and I'm thinking that traffic going from the x.x.x.18 to the x.x.x.19 doesn't actually go out across "the internet" so packets can't get intercepted. Maybe I'm totally wrong...my routing knowledge is rusty and limited.

Expert Comment

by:Qlemo
ID: 39833194
Whether the packets remain local or not is a question of ISP configuration. Usually packets of the same subnet do not cross routers. If both routers are plugged into another device, bets are high that no routing to the outside happens. If each router has a dedicated line, bets are high packets are routed on the ISP side.

Leaving that aside, there is still NAT. All traffic to the Internet has to get mapped to a single public IP, and without further firewall config the other way round does not work - you have to forward traffic for a specific port (in this case e.g. 445 for CIFS) to a specific host. See the issue? You do not have a single host, you want to access multiple targets.

You are better off with the RRAS approach I described above. Or build a VPN between the two internet routers.

Author Comment

by:mwyatt
ID: 39833277
I have a 5-port switch in front of those routers, each port going to a different router. The x.x.x.18 plugs into one port, x.x.x.19 plugs into the next and so on, up through x.x.x.22.

Duh. I didn't consider a VPN connection between them. That would solve the security concern. But would I still need to configure RRAS if a VPN is in place?

Accepted Solution

by:
Qlemo earned 500 total points
ID: 39834186
If the routers are building the VPN tunnel, you won't need RRAS. NAT is no issue, as the connection inside of the VPN is just a (full routing) network connection.
The only downside of the VPN is that it will add some overhead, leading to (hopefully unnoticed) delays in using it. That is because VPN uses CBC algorithms, which require data to get filled into blocks of predetermined size. That adds lag, as does the encryption itself, and the additional byte overhead needed to transport the encrypted payload.

Author Closing Comment

by:mwyatt
ID: 39835737
Yes I'm aware of VPN overhead. It's terrible for transferring numerous files, which is the primary purpose of reaching a share across subnets. With that acknowledgment I think that the VPN will be the easiest solution for now, so I will proceed with that.

If anyone else has other suggestions please chime in.

Thanks again Qlemo for the guidance!