2 Nics and 2 subnets traffic configuration

I was hoping someone can help me out w/ this.

I have a 2003 server dual homed w/ DNS, DHCP, and DC configured. There are
2 locations w/ different subnets, this first location has a 192.168.0.x
range and the second location has a 192.168.2.x range. I want to be able to
pass traffic traffic bettwen the 2 networks including AD authentication.
The firewall, which is also the default gateway for the 192.168.0.x network
has an ip address of 192.168.0.250. I've also set up 2 scopes on the DHCP
server for the 2 different subnets.

The NICs are configured as the following:

NIC 192.168.0.x:
IP: 192.168.0.1
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.0.250 (firewall)
DNS: 192.168.0.1

NIC 192.168.2.x:
IP: 192.168.2.1
Subnet Mask: 255.255.255.0
Default Gatewat: (blank)
DNS: 192.168.2.1

Are the NICs setup correctly? The network on the 192.168.0.x range is
perfect, everything is working excellent. I have full internet connection
and can access network resources. The second NIC (192.168.2.x) is not giving
out IP addresses and is having problems passing traffic (e.g. internet,
internal network, etc..). If I set a static ip on a workstation connected
to the 192.168.2.x network I can ping it from the server, but can't ping
anything from the workstation. I'm also testing it by connecting a
cross-over cable from the 2nd nic to the workstation. Should I try using a
switch?

Hi Brian,

What are you trying to ping on 192.168.2.x network? What did you set for
default gateway on clients on 192.168.2.x network (it should be
192.168.2.1)... Can you ping default gateway?

After you ping a resource on local subnet (e.g. anything on 192.168.2.x)
check the ARP table with this command:

arp -a

It should list MAC addresses of the computers that you pinged. If it doesn't
then something is wrong with cables or swtich/hub connection.

--
Mike
Microsoft MVP - Windows Security

"Brian Swain" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
>I was hoping someone can help me out w/ this.
>
> I have a 2003 server dual homed w/ DNS, DHCP, and DC configured. There
> are 2 locations w/ different subnets, this first location has a
> 192.168.0.x range and the second location has a 192.168.2.x range. I want
> to be able to pass traffic traffic bettwen the 2 networks including AD
> authentication. The firewall, which is also the default gateway for the
> 192.168.0.x network has an ip address of 192.168.0.250. I've also set up
> 2 scopes on the DHCP server for the 2 different subnets.
>
> The NICs are configured as the following:
>
> NIC 192.168.0.x:
> IP: 192.168.0.1
> Subnet Mask: 255.255.255.0
> Default Gateway: 192.168.0.250 (firewall)
> DNS: 192.168.0.1
>
> NIC 192.168.2.x:
> IP: 192.168.2.1
> Subnet Mask: 255.255.255.0
> Default Gatewat: (blank)
> DNS: 192.168.2.1
>
> Are the NICs setup correctly? The network on the 192.168.0.x range is
> perfect, everything is working excellent. I have full internet connection
> and can access network resources. The second NIC (192.168.2.x) is not
> giving out IP addresses and is having problems passing traffic (e.g.
> internet, internal network, etc..). If I set a static ip on a workstation
> connected to the 192.168.2.x network I can ping it from the server, but
> can't ping anything from the workstation. I'm also testing it by
> connecting a cross-over cable from the 2nd nic to the workstation. Should
> I try using a switch?
>

Also, if the 192.168.0.x machines use 192.168.0.250 as a default gateway,
then either the gateway itself or each 192.168.0.x machine (other than the
server) must have a static route to the 192.168.2.x network:

route -p add 192.168.2.0 mask 255.255.255.0 192.168.0.1

If you cannot configure the static route on the gateway, then 192.168.2.x
machines will not have Internet access - you could probably fix this by
running NAT on the server.

Doug Sherman
MCSE, MCSA, MCP+I, MVP

"Brian Swain" <(E-Mail Removed)> wrote in message
news:#(E-Mail Removed)...
> I was hoping someone can help me out w/ this.
>
> I have a 2003 server dual homed w/ DNS, DHCP, and DC configured. There
are
> 2 locations w/ different subnets, this first location has a 192.168.0.x
> range and the second location has a 192.168.2.x range. I want to be able
to
> pass traffic traffic bettwen the 2 networks including AD authentication.
> The firewall, which is also the default gateway for the 192.168.0.x
network
> has an ip address of 192.168.0.250. I've also set up 2 scopes on the DHCP
> server for the 2 different subnets.
>
> The NICs are configured as the following:
>
> NIC 192.168.0.x:
> IP: 192.168.0.1
> Subnet Mask: 255.255.255.0
> Default Gateway: 192.168.0.250 (firewall)
> DNS: 192.168.0.1
>
> NIC 192.168.2.x:
> IP: 192.168.2.1
> Subnet Mask: 255.255.255.0
> Default Gatewat: (blank)
> DNS: 192.168.2.1
>
> Are the NICs setup correctly? The network on the 192.168.0.x range is
> perfect, everything is working excellent. I have full internet connection
> and can access network resources. The second NIC (192.168.2.x) is not
giving
> out IP addresses and is having problems passing traffic (e.g. internet,
> internal network, etc..). If I set a static ip on a workstation connected
> to the 192.168.2.x network I can ping it from the server, but can't ping
> anything from the workstation. I'm also testing it by connecting a
> cross-over cable from the 2nd nic to the workstation. Should I try using
a
> switch?
>
>

I was trying to ping a client on the 192.168.2.x network. I have
192.168.2.1 set as the defaultt GW for the clients.

I'll try checking the arp cache when I get into the office.
Thanks!
"Miha Pihler [MVP]" <mihap-(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hi Brian,
>
> What are you trying to ping on 192.168.2.x network? What did you set for
> default gateway on clients on 192.168.2.x network (it should be
> 192.168.2.1)... Can you ping default gateway?
>
> After you ping a resource on local subnet (e.g. anything on 192.168.2.x)
> check the ARP table with this command:
>
> arp -a
>
> It should list MAC addresses of the computers that you pinged. If it
> doesn't then something is wrong with cables or swtich/hub connection.
>
> --
> Mike
> Microsoft MVP - Windows Security
>
> "Brian Swain" <(E-Mail Removed)> wrote in message
> news:%(E-Mail Removed)...
>>I was hoping someone can help me out w/ this.
>>
>> I have a 2003 server dual homed w/ DNS, DHCP, and DC configured. There
>> are 2 locations w/ different subnets, this first location has a
>> 192.168.0.x range and the second location has a 192.168.2.x range. I
>> want to be able to pass traffic traffic bettwen the 2 networks including
>> AD authentication. The firewall, which is also the default gateway for
>> the 192.168.0.x network has an ip address of 192.168.0.250. I've also
>> set up 2 scopes on the DHCP server for the 2 different subnets.
>>
>> The NICs are configured as the following:
>>
>> NIC 192.168.0.x:
>> IP: 192.168.0.1
>> Subnet Mask: 255.255.255.0
>> Default Gateway: 192.168.0.250 (firewall)
>> DNS: 192.168.0.1
>>
>> NIC 192.168.2.x:
>> IP: 192.168.2.1
>> Subnet Mask: 255.255.255.0
>> Default Gatewat: (blank)
>> DNS: 192.168.2.1
>>
>> Are the NICs setup correctly? The network on the 192.168.0.x range is
>> perfect, everything is working excellent. I have full internet connection
>> and can access network resources. The second NIC (192.168.2.x) is not
>> giving out IP addresses and is having problems passing traffic (e.g.
>> internet, internal network, etc..). If I set a static ip on a
>> workstation connected to the 192.168.2.x network I can ping it from the
>> server, but can't ping anything from the workstation. I'm also testing
>> it by connecting a cross-over cable from the 2nd nic to the workstation.
>> Should I try using a switch?
>>
>
>

I'll see if I can add a static route on the firewall. How do I NAT traffic
so both subnets get internet traffic? If I NAT port 80 traffic to the
192.168.2.x network won't that disable internet access on the 192.168.0.x
network?

Would it work better if I use the server as the gateway?

"Doug Sherman [MVP]" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Also, if the 192.168.0.x machines use 192.168.0.250 as a default gateway,
> then either the gateway itself or each 192.168.0.x machine (other than the
> server) must have a static route to the 192.168.2.x network:
>
> route -p add 192.168.2.0 mask 255.255.255.0 192.168.0.1
>
> If you cannot configure the static route on the gateway, then 192.168.2.x
> machines will not have Internet access - you could probably fix this by
> running NAT on the server.
>
> Doug Sherman
> MCSE, MCSA, MCP+I, MVP
>
> "Brian Swain" <(E-Mail Removed)> wrote in message
> news:#(E-Mail Removed)...
>> I was hoping someone can help me out w/ this.
>>
>> I have a 2003 server dual homed w/ DNS, DHCP, and DC configured. There
> are
>> 2 locations w/ different subnets, this first location has a 192.168.0.x
>> range and the second location has a 192.168.2.x range. I want to be able
> to
>> pass traffic traffic bettwen the 2 networks including AD authentication.
>> The firewall, which is also the default gateway for the 192.168.0.x
> network
>> has an ip address of 192.168.0.250. I've also set up 2 scopes on the
>> DHCP
>> server for the 2 different subnets.
>>
>> The NICs are configured as the following:
>>
>> NIC 192.168.0.x:
>> IP: 192.168.0.1
>> Subnet Mask: 255.255.255.0
>> Default Gateway: 192.168.0.250 (firewall)
>> DNS: 192.168.0.1
>>
>> NIC 192.168.2.x:
>> IP: 192.168.2.1
>> Subnet Mask: 255.255.255.0
>> Default Gatewat: (blank)
>> DNS: 192.168.2.1
>>
>> Are the NICs setup correctly? The network on the 192.168.0.x range is
>> perfect, everything is working excellent. I have full internet connection
>> and can access network resources. The second NIC (192.168.2.x) is not
> giving
>> out IP addresses and is having problems passing traffic (e.g. internet,
>> internal network, etc..). If I set a static ip on a workstation
>> connected
>> to the 192.168.2.x network I can ping it from the server, but can't ping
>> anything from the workstation. I'm also testing it by connecting a
>> cross-over cable from the 2nd nic to the workstation. Should I try using
> a
>> switch?
>>
>>
>
>

"Brian Swain" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> I'll see if I can add a static route on the firewall. How do I NAT
traffic
> so both subnets get internet traffic? If I NAT port 80 traffic to the
> 192.168.2.x network won't that disable internet access on the 192.168.0.x
> network?

I want to go back to the first post.

1. You should never multi-home a DC

272294 - Active Directory Communication Fails on Multihomed Domain
Controllers
http://support.microsoft.com/default...b;en-us;272294

2. You should never multi-home a machine with WINS

191611 - Symptoms of Multihomed Browsers
http://support.microsoft.com/default...b;EN-US;191611

3. Even if you still choose to multi-home the DC, I see nowhere where you
have configured RRAS on the DC to act as a regular LAN Routing Service. It
will not route between LAN segments automatically,..you have to configure it
to do so. The Hosts on 192.168.2.x can never get to the Firewall if the
Server isn't performing normal standard Layer3 Routing with RRAS.

All Hosts on the LAN will use the DC as their Default Gateway (the interface
according to the subnet they are on). Then, as the others suggested,..the
Firewall needs a static route assinged on it that tells it to use
192.168.0.1 as the "gateway" for the 192.168.2.x network.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/t...dance/2004.asp
http://www.microsoft.com/isaserver/t...dance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp
-----------------------------------------------------

I've seen multiple multihomed DC's running 2003 w/o any problems... isn't
most SBS servers multihomed?

RRAS is configured on the DC for LAN routing. So I shouldn't use the
firewall as a gateway? I'll I tried using the DC as the gateway when I
only had the 192.168.0.x subnet but couldn't get internet access unless I
use the firewall as the default gateway. play w/ a couple settings and see
if I could get it to work correctly.

Thanks for the response guys! Keep them coming!!

"Phillip Windell" <@.> wrote in message
news:%(E-Mail Removed)...
> "Brian Swain" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>> I'll see if I can add a static route on the firewall. How do I NAT
> traffic
>> so both subnets get internet traffic? If I NAT port 80 traffic to the
>> 192.168.2.x network won't that disable internet access on the 192.168.0.x
>> network?
>
> I want to go back to the first post.
>
> 1. You should never multi-home a DC
>
> 272294 - Active Directory Communication Fails on Multihomed Domain
> Controllers
> http://support.microsoft.com/default...b;en-us;272294
>
> 2. You should never multi-home a machine with WINS
>
> 191611 - Symptoms of Multihomed Browsers
> http://support.microsoft.com/default...b;EN-US;191611
>
> 3. Even if you still choose to multi-home the DC, I see nowhere where you
> have configured RRAS on the DC to act as a regular LAN Routing Service.
> It
> will not route between LAN segments automatically,..you have to configure
> it
> to do so. The Hosts on 192.168.2.x can never get to the Firewall if the
> Server isn't performing normal standard Layer3 Routing with RRAS.
>
> All Hosts on the LAN will use the DC as their Default Gateway (the
> interface
> according to the subnet they are on). Then, as the others suggested,..the
> Firewall needs a static route assinged on it that tells it to use
> 192.168.0.1 as the "gateway" for the 192.168.2.x network.
>
> --
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
> -----------------------------------------------------
> Understanding the ISA 2004 Access Rule Processing
> http://www.isaserver.org/articles/IS...cessRules.html
>
> Microsoft Internet Security & Acceleration Server: Guidance
> http://www.microsoft.com/isaserver/t...dance/2004.asp
> http://www.microsoft.com/isaserver/t...dance/2000.asp
>
> Microsoft Internet Security & Acceleration Server: Partners
> http://www.microsoft.com/isaserver/partners/default.asp
> -----------------------------------------------------
>
>
>

"Brian Swain" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
> I've seen multiple multihomed DC's running 2003 w/o any problems... isn't
> most SBS servers multihomed?

SBS doesn't count. It is it's "own animal" and is a special case. I didn't
say you couldn't do it,..I said you shouldn't do it. If you examine the
articles I gave, they inform you of all the problems with doing so and then
they try to work around the problems. But is has been common knowledge for
many years that with the exception of SBS,...DCs and WINS Servers should not
be multi-homed, it is just simply a troublesome configuration and a bad
idea. It may not be your problem (probably isn't) but you should be aware
of it, and I made you aware of it.

Anyway, you still have to use RRAS to configure the machine to act as a LAN
Router or you are not going to get anywhere.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/t...dance/2004.asp
http://www.microsoft.com/isaserver/t...dance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp
-----------------------------------------------------