Multihomed Network w/ Win2K3 Server

I'm having issues setting a multi-homed server (Win2K3) as a router.
Basically, I've split my network into two subnets, and the only
connection between the two is the Win2K3 server. Here's the config:


(Internet, Router/Firewall)
|
|
(192.168.42.1, 192.168.42.250)
SBS Server1 (DHCP, DNS, WINS, ISA)
(192.168.16.2, 192.168.42.5)
|
|
Office Network (192.168.16.x)
|
|
(192.168.16.10)
Server2 (DHCP)
(192.168.14.1)
|
|
Equip. Network (192.168.14.x)

Server1 is assigning IP addresses to the office network via DHCP

Server2 is assigning IP addresses to the Equip. Network via DHCP

Server2 config:

NIC1
IP: 192.168.16.10
Mask: 255.255.255.0
DNS: 192.168.16.2
Gtwy: 192.168.16.2

NIC2
IP: 192.168.14.1
Mask: 255.255.255.0
DNS: 192.168.16.2
Gtwy: (none)

DHCP (Server2)
003 Router: 192.168.16.2
006 DNS Servers: 192.168.16.2
016 DNS Domain Name: (same as Server1, subdomain.FQDN.com.)
044 WINS/NBNS Servers: 192.168.16.2, 192.168.16.2
046 WINS/NBT Node Type: 0x8

Firewalls are not enabled on either NIC.

DNS info is NOT passing through Server2.
Names are not resolving on the Equip. side.
I cannot ping any office side(16.x) addresses from the Equip(14.x)
side.
I cannot ping any 14.x addresses from the office side.
If I set the DHCP Router on Server2 to 192.168.14.1, I can ping
192.168.16.10 (NIC1 on Server2) from the Equip side, but nothing else
on the office side.

I have tried installing RRAS using the wizard (custom config, LAN
Routing).
I have tried it without RRAS installed.
I have tried adding a DHCP Relay Agent to RRAS and disabling the DHCP
Server on Server2. Clients could no longer obtain IP Addresses.
If I 'route add 192.168.16.0 mask 255.255.255.0 192.168.14.1 metric 1'
on the equipment side client computer, I can ping 192.168.16.10, but
not 16.2. Tracert shows a direct link (should it not show a hop over
14.1?)

Any ideas?

Here's the Routing Table from Server2:


IPv4 Route Table
================================================== =========================

Interface List
0x1 ........................... MS TCP Loopback interface
0x30003 ...00 11 43 5a 64 de ...... Intel(R) PRO/1000 MT Network
Connection #2
0x30005 ...00 11 43 5a 64 dd ...... Intel(R) PRO/1000 MT Network
Connection
================================================== =========================

================================================== =========================

Active Routes:
Network Destination Netmask Gateway Interface
Metric
0.0.0.0 0.0.0.0 192.168.16.2 192.168.16.10
10
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1
1
192.168.14.0 255.255.255.0 192.168.14.1 192.168.14.1
10
192.168.14.1 255.255.255.255 127.0.0.1 127.0.0.1
10
192.168.14.255 255.255.255.255 192.168.14.1 192.168.14.1
10
192.168.16.0 255.255.255.0 192.168.16.10 192.168.16.10
10
192.168.16.10 255.255.255.255 127.0.0.1 127.0.0.1
10
192.168.16.255 255.255.255.255 192.168.16.10 192.168.16.10
10
224.0.0.0 240.0.0.0 192.168.14.1 192.168.14.1
10
224.0.0.0 240.0.0.0 192.168.16.10 192.168.16.10
10
255.255.255.255 255.255.255.255 192.168.14.1 192.168.14.1
1
255.255.255.255 255.255.255.255 192.168.16.10 192.168.16.10
1
Default Gateway: 192.168.16.2
================================================== =========================

Persistent Routes:
None

Well, the important stuff you didn't tell us:

1. Do the 192.168.14.x machines have a default gateway of 192.168.14.1? I
guess you did tell us the scope now provides this.

2. Is routing enabled on Server 2?

3. Do the 192.168.16.x machines or their default gateway have a route to
192.168.14.x with a gateway of 192.168.16.10?

It sounds like packets from the 192.168.14.x network are reaching the
192.168.16.x network, but the 192.168.16.x network does not know where to
send the response - see #3. above.

Doug Sherman
MCSE, MCSA, MCP+I, MVP

<(E-Mail Removed)> wrote in message
news:(E-Mail Removed) oups.com...
> I'm having issues setting a multi-homed server (Win2K3) as a router.
> Basically, I've split my network into two subnets, and the only
> connection between the two is the Win2K3 server. Here's the config:
>
>
> (Internet, Router/Firewall)
> |
> |
> (192.168.42.1, 192.168.42.250)
> SBS Server1 (DHCP, DNS, WINS, ISA)
> (192.168.16.2, 192.168.42.5)
> |
> |
> Office Network (192.168.16.x)
> |
> |
> (192.168.16.10)
> Server2 (DHCP)
> (192.168.14.1)
> |
> |
> Equip. Network (192.168.14.x)
>
> Server1 is assigning IP addresses to the office network via DHCP
>
> Server2 is assigning IP addresses to the Equip. Network via DHCP
>
> Server2 config:
>
> NIC1
> IP: 192.168.16.10
> Mask: 255.255.255.0
> DNS: 192.168.16.2
> Gtwy: 192.168.16.2
>
> NIC2
> IP: 192.168.14.1
> Mask: 255.255.255.0
> DNS: 192.168.16.2
> Gtwy: (none)
>
> DHCP (Server2)
> 003 Router: 192.168.16.2
> 006 DNS Servers: 192.168.16.2
> 016 DNS Domain Name: (same as Server1, subdomain.FQDN.com.)
> 044 WINS/NBNS Servers: 192.168.16.2, 192.168.16.2
> 046 WINS/NBT Node Type: 0x8
>
> Firewalls are not enabled on either NIC.
>
> DNS info is NOT passing through Server2.
> Names are not resolving on the Equip. side.
> I cannot ping any office side(16.x) addresses from the Equip(14.x)
> side.
> I cannot ping any 14.x addresses from the office side.
> If I set the DHCP Router on Server2 to 192.168.14.1, I can ping
> 192.168.16.10 (NIC1 on Server2) from the Equip side, but nothing else
> on the office side.
>
> I have tried installing RRAS using the wizard (custom config, LAN
> Routing).
> I have tried it without RRAS installed.
> I have tried adding a DHCP Relay Agent to RRAS and disabling the DHCP
> Server on Server2. Clients could no longer obtain IP Addresses.
> If I 'route add 192.168.16.0 mask 255.255.255.0 192.168.14.1 metric 1'
> on the equipment side client computer, I can ping 192.168.16.10, but
> not 16.2. Tracert shows a direct link (should it not show a hop over
> 14.1?)
>
> Any ideas?
>
> Here's the Routing Table from Server2:
>
>
> IPv4 Route Table
>
================================================== =========================
>
> Interface List
> 0x1 ........................... MS TCP Loopback interface
> 0x30003 ...00 11 43 5a 64 de ...... Intel(R) PRO/1000 MT Network
> Connection #2
> 0x30005 ...00 11 43 5a 64 dd ...... Intel(R) PRO/1000 MT Network
> Connection
>
================================================== =========================
>
>
================================================== =========================
>
> Active Routes:
> Network Destination Netmask Gateway Interface
> Metric
> 0.0.0.0 0.0.0.0 192.168.16.2 192.168.16.10
> 10
> 127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1
> 1
> 192.168.14.0 255.255.255.0 192.168.14.1 192.168.14.1
> 10
> 192.168.14.1 255.255.255.255 127.0.0.1 127.0.0.1
> 10
> 192.168.14.255 255.255.255.255 192.168.14.1 192.168.14.1
> 10
> 192.168.16.0 255.255.255.0 192.168.16.10 192.168.16.10
> 10
> 192.168.16.10 255.255.255.255 127.0.0.1 127.0.0.1
> 10
> 192.168.16.255 255.255.255.255 192.168.16.10 192.168.16.10
> 10
> 224.0.0.0 240.0.0.0 192.168.14.1 192.168.14.1
> 10
> 224.0.0.0 240.0.0.0 192.168.16.10 192.168.16.10
> 10
> 255.255.255.255 255.255.255.255 192.168.14.1 192.168.14.1
> 1
> 255.255.255.255 255.255.255.255 192.168.16.10 192.168.16.10
> 1
> Default Gateway: 192.168.16.2
>
================================================== =========================
>
> Persistent Routes:
> None
>

I would start by simplifying.

First, fix the addressing scheme as I've shown in the diagram
beloe,..then,...

1. Get rid of DHCP on Server2,..just flat remove it.

2. Remove RRAS,....then reinstall it. Use the "Wizard" as your did before to
make RRAS a LAN Router (no NAT). Configure the DHCP Relay Agent in RRAS to
point to Server1 for DHCP.

3. On Server1, add the Scope in DHCP for the 192.168.14.x network. It will
have at least two independent Scopes (*.16.x, and *.14.x). A Scope for
192.168.42.x is optional. Get rid of the 192.168.42.5 address on the
"Office" facing Nic, unless that was just a "typo" in your diagram.

4. *ALL* machines on the LAN, regaurdless of the subnet, use Server1 for DNS
and WINS. The DNS Service in Server1 must use the ISP's DNS in its
Forwarders List. This is the only place the ISP's DNS should ever appear.
Your Firewall must allow your DNS to make DNS Queries to the ISP's DNS.

5. The Internet NAT Device needs to have a Static Route entered into it to
tell it that it must use 192.168.42.1 as the Gateway to get to the
192.168.16.x *and* 192.168.14.x A single route using a 16bit mask will
probably handle that
(Net-192.168.0.0 mask-255.255.0.0 Interface-192.168.42.1)

It should come out something like this:

(Internet, Router/Firewall)
|
(192.168.42.1, 255.255.255.0, GW [Firewall IP#])
SBS Server1 (DHCP, DNS, WINS, ISA)
(192.168.16.2, 255.255.255.0, GW [None])
|
Office Network (192.168.16.x, all Clients GW 192.168.16.2)
|
(192.168.16.10, 255.255.255.0, GW 192.168.16.2)
Server2 (RRAS with DHCP Relay Agent)
(192.168.14.1, 255.255.255.0, GW [None])
|
Equip. Network (192.168.14.x, all Clients GW 192.168.14.1)

If it still doesn't work, at least you have a "cleaner slate" to
troubleshoot from.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

1. No they do not. It *was*, however my research in this forum
pointed me to that being a problem in the future, so I changed it back
to 192.168.16.2 (my ISA Server). If I change it to 14.1, I can ping
16.10, but no further. And it performs no 'hops' to get there.

2. I assume you mean if RRAS is installed, and configured for LAN
Routing. Then yes, it is.

3. Yes, they do. RRAS on Server1 has a static route set up to route
192.168.14.0 traffic to 192.168.16.10. However, I can only ping
192.168.14.1, no further.

The problem that concerns me is that when I tracert Server2 from the
16.x side, there are no hops to either IP address. If I ping the 14.1
address from the 16.x side, shouldn't it show a hop over 16.10?

Try:

1. route print on Server 1 to confirm the static route and correct subnet
mask

2. ipconfig /all on Server 2 to confirm that routing is enabled.

3. 192.168.14.x machines cannot have a default gateway of 192.168.16.2;
they must have a default gateway or static route to 192.168.14.1 in order to
reach the 192.168.16.x network.

Doug Sherman
MCSE, MCSA, MCP+I, MVP

<(E-Mail Removed)> wrote in message
news:(E-Mail Removed) oups.com...
> 1. No they do not. It *was*, however my research in this forum
> pointed me to that being a problem in the future, so I changed it back
> to 192.168.16.2 (my ISA Server). If I change it to 14.1, I can ping
> 16.10, but no further. And it performs no 'hops' to get there.
>
> 2. I assume you mean if RRAS is installed, and configured for LAN
> Routing. Then yes, it is.
>
> 3. Yes, they do. RRAS on Server1 has a static route set up to route
> 192.168.14.0 traffic to 192.168.16.10. However, I can only ping
> 192.168.14.1, no further.
>
> The problem that concerns me is that when I tracert Server2 from the
> 16.x side, there are no hops to either IP address. If I ping the 14.1
> address from the 16.x side, shouldn't it show a hop over 16.10?
>