Anthony
Guest
Posts: n/a
Hi Martijn,

To make this work you would create a static route on the router A, sending all 192.168.2.0 traffic to the gateway 192.168.1.100. Server B would forward it automatically to its 192.168.2.1 interface and on to Server C.

However I think it is a complicated design that is not achieving much. In my opinion your best approaches would be:

1) One flat network behind the router. Use the Windows firewalls to restrict traffic between machines on your network.
2) If the netopia is capable of it, create two VLANs on the router, and put Server A in one, and everything else on the other. As you are still allowing inbound traffic to Server C this is marginal benefit, but I guess there's a difference in that traffic to Server C is restricted to 1 IP address only, whereas to Server B it is open.

Hope that helps,
Anthony, http://www.airdesk.com

"Martijn Tonies" <(E-Mail Removed)> wrote in message news:473af82b$0$29019$(E-Mail Removed)4a ll.nl...
> Hi,
>
> Thank you for reading this message, let me first state I'm not a
> Network Wizard at all. This question is regarding my home office
> setup and I could need some help.
>
> What I have here, is the following:
>
> A) 1 ADSL router, internal IP address 192.168.1.1, type Netopia 3356
> B) 1 Windows 2003 Server, connected to (A) with a LAN card, IP
> address 192.168.1.100. Also connected to the "internal" network via a
> separate LAN card, IP address 192.168.2.1
> C) A 2nd Windows 2003 Server, connected to (B) via a hub, IP address
> 192.168.2.5, gateway 192.168.2.1
> D) several workstations/client PCs, running W2000, XP etc, DNS IP
> addresses, gateway 192.168.2.1 (also via DNS)
>
> Server (B) runs several small websites and newsgroups by forwarding
> some ports on the outside to 192.168.1.100. This works fine.
>
> What I would like, is to create 1 "server" on the outside and forward it
> to 192.168.2.5 on the inside. On the outside, I would like only 1 IP
> address to gain access to that particular "service".
>
> Server B has IP Routing turned ON, the router A is able to create static
> routes and so on.
>
> However, I have no idea whatsoever how to create this.
>
> Should I change something at Server B? Or in Router A?
>
> Can someone help me with this?
>
> --
> Martijn Tonies
Martijn Tonies
Guest
Posts: n/a
Hello Anthony,

Thank you for your reply.

> To make this work you would create a static route on the router A, sending
> all 192.168.2.0 traffic to the gateway 192.168.1.100.

Router A has a subnet of 255.255.252.0, default IP gateway of 127.0.0.2 and backup IP gateway of 194.159.73.22 (as per ISP settings). I changed the subnet from 255.255.255.0 to what it is now.

I created a static route of 192.168.2.0/255.255.255.255 to 192.168.1.100 as the "next gateway".

However, when I use "telnet" to test the connection to the outside (ADSL) IP address at the correct port, it does not connect to Server C.

> Server B would forward
> it automatically to its 192.168.2.1 interface and on to Server C.

Are you sure this will happen automatically? See above, it doesn't appear to be happening, or I still have something wrong somewhere. I have been trying this before, but no luck yet :-/

> However I think it is a complicated design that is not achieving much. In my
> opinion your best approaches would be:
> 1) One flat network behind the router. Use the Windows firewalls to restrict
> traffic between machines on your network.

You mean everything to 192.168.1.x ?

Should I then only accept incoming traffic at router A via the defined ports (servers) as I'm running now?

> 2) If the netopia is capable of it, create two VLANs on the router, and put
> Server A in one, and everything else on the other. As you are still allowing
> inbound traffic to Server C this is marginal benefit, but I guess there's a
> difference in that traffic to Server C is restricted to 1 IP address only,
> whereas to Server B it is open.

What I noticed when setting up "Servers" in the Router A, is that I can specify a specific "public address", wouldn't that be my restriction then?

--
Martijn
Anthony
Guest
Posts: n/a
Hi Martijn,

Just an explanation: 255.255.25x.x is a "mask". It tells the routing which part of the address to look at.

1) You should leave the IP address, mask and gateway of the router as whatever the ISP settings were.
2) The static route should be 192.168.2.0/255.255.255.0 192.168.1.100 (note the mask. 255.255.255.255 would be a specific host, not an address range.)
3) Yes, just put all the computers on the 192.168.1.0 subnet
4) Yes, you should only allow specific traffic to specific IP addresses.

I don't know that router. With consumer routers you are dealing with wizards and web pages to simplify the configuration. The principles are the same though. To access from outside you need to:
- specify the source: either a specific host, or "any"
- specify the port or protocol (e.g. SMTP or 25)
- specify the destination: which server
- specify the external address to translate (NAT) to an internal address

"Forwarding" on consumer routers is a way of simplifying this. For example, if you only have one external IP address, you can "forward" different ports to different servers, meaning the router will translate to different internal addresses for different types of traffic.

Hope that helps,
Anthony, http://www.airdesk.com
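
Added example, not part of the original thread: a small Python model of Router A's decision for traffic to Server C (192.168.2.5), combining the forwarding-rule fields Anthony lists with the mask point from item 2. It assumes the router picks the most specific matching route (longest-prefix match), which the thread does not confirm for the Netopia; the allowed source 203.0.113.10, the other source 198.51.100.7 and port 8080 are constructed sample values.

```python
import ipaddress

ON_LINK = "on-link (ARP on Router A's LAN)"  # label for the directly connected network
WAN = "default route to ISP"                 # label; the real gateway is ISP-specific


def route(dest, mask, next_hop):
    """Build one routing-table entry from a dotted destination and mask."""
    # strict=False lets us pass the router's own address (192.168.1.1) plus its mask.
    return (ipaddress.ip_network(f"{dest}/{mask}", strict=False), next_hop)


def lookup(table, dst):
    """Longest-prefix match (assumed behaviour): most specific matching route wins."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, hop) for net, hop in table if dst in net]
    if not matches:
        return None
    return max(matches, key=lambda entry: entry[0].prefixlen)[1]


def router_a(lan_mask, static_mask):
    """Router A's table: default route, its LAN, and the static route via Server B."""
    return [
        route("0.0.0.0", "0.0.0.0", WAN),
        route("192.168.1.1", lan_mask, ON_LINK),
        route("192.168.2.0", static_mask, "192.168.1.100"),
    ]


def forward(rule, src, port):
    """Apply one forwarding rule: source, port, destination (the fields listed above)."""
    if port != rule["port"]:
        return None
    if rule["source"] != "any":
        if ipaddress.ip_address(src) != ipaddress.ip_address(rule["source"]):
            return None  # connection is not from the single permitted host
    return rule["destination"]


def deliver(table, rule, src, port):
    """Forwarding rule first, then a routing lookup for the translated destination."""
    dst = forward(rule, src, port)
    return None if dst is None else lookup(table, dst)


# Constructed rule: only 203.0.113.10 may reach the service on Server C.
RULE = {"source": "203.0.113.10", "port": 8080, "destination": "192.168.2.5"}

if __name__ == "__main__":
    cases = [
        ("LAN /22, static /32 (as first configured)", "255.255.252.0", "255.255.255.255"),
        ("LAN /24, static /32", "255.255.255.0", "255.255.255.255"),
        ("LAN /24, static /24 (as corrected)", "255.255.255.0", "255.255.255.0"),
    ]
    for label, lan_mask, static_mask in cases:
        table = router_a(lan_mask, static_mask)
        print(f"{label}: 192.168.2.5 -> {lookup(table, '192.168.2.5')}")
    good = router_a("255.255.255.0", "255.255.255.0")
    print("permitted source:", deliver(good, RULE, "203.0.113.10", 8080))
    print("other source:    ", deliver(good, RULE, "198.51.100.7", 8080))
```

With the 255.255.255.255 mask the static route covers only the address 192.168.2.0 itself, so traffic for 192.168.2.5 never gets handed to 192.168.1.100: it is treated as on-link under the widened /22 LAN mask, or follows the default route under /24.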
Martijn Tonies
Guest
Posts: n/a
Hello Anthony,

> Just an explanation: 255.255.25x.x is a "mask". It tells the routing which
> part of the address to look at.
> 1) You should leave the IP address, mask and gateway of the router as
> whatever the ISP settings were.

Right.

> 2) The static route should be 192.168.2.0/255.255.255.0 192.168.1.100 (note
> the mask. 255.255.255.255 would be a specific host, not an address range.)

Right, added to the Router A.

But how does the network card with 192.168.1.100 on Server B know to forward this IP address to the internal network?

As in: nope, it still doesn't work :-(

> 3) Yes, just put all the computers on the 192.168.1.0 subnet

Hmm, tried that, for some reason it failed miserably.

> 4) Yes, you should only allow specific traffic to specific IP addresses. I

I figured.

> don't know that router. With consumer routers you are dealing with wizards
> and web pages to simplify the configuration. The principles are the same
> though. To access from outside you need to:
> - specify the source: either a specific host, or "any"
> - specify the port or protocol (e.g. SMTP or 25)
> - specify the destination: which server
> - specify the external address to translate (NAT) to an internal address
> "Forwarding" on consumer routers is a way of simplifying this. For example,
> if you only have one external IP address, you can "forward" different ports
> to different servers, meaning the router will translate to different
> internal addresses for different types of traffic.

Yes, I figured that out, but the router A cannot reach 192.168.2.x ...

--
Martijn
Anthony
Guest
Posts: n/a
Martijn,

First off, you would be best off not using the server as a router, but just having them all on the same subnet behind the router. It's the simplest solution. However...

Can you clarify for me. You said in your first post that you have workstations D and a server C on a subnet with Server B as the gateway, going on to the router A. If this worked, and you could get onto the internet, then you have routing working on Server B. Is that the case?

How are you establishing whether outside traffic can get in to your network?

What are you doing on the router to test the connection back to C? Do you have the firewalls on the servers and workstations blocking ICMP?

Anthony, http://www.airdesk.com

In your first post
Martijn Tonies
Guest
Posts: n/a
Hello Anthony,

> First off, you would be best off not using the server as a router, but just
> having them all on the same subnet behind the router. It's the simplest
> solution. However...

I just tried that, but server B has 2 network cards (no hub available at that physical location, the hub is somewhere else). The "internal" card goes to the hub and the "external" card goes to the Router A.

The IP address of "internal" is used as the gateway on Server C and workstations.

> Can you clarify for me. You said in your first post that you have
> workstations D and a server C on a subnet with Server B as the gateway,
> going on to the router A. If this worked, and you could get onto the
> internet, then you have routing working on Server B. Is that the case?

Yes, network card "external" has "connected to the internet" turned ON in Windows 2003 server, while "internal" has "private network" checked.

> How are you establishing whether outside traffic can get in to your network?

Using telnet from one of the workstations on a specific port. I also used telnet from an external internet connection while the incoming port was still available for "all external addresses" in Router A.

> What are you doing on the router to test the connection back to C? Do you
> have the firewalls on the servers and workstations blocking icmp?

I've tried setting up a "static route" on "external" to "internal" and allowing ports, but no luck yet.

--
Martijn
Anthony
Guest
Posts: n/a
Can you successfully access the internet from workstations D, or not?
"Martijn Tonies" <(E-Mail Removed)> wrote in message news:473b75cf$0$16063$(E-Mail Removed)4a ll.nl... > Hello Anthony, > >> First off, you would be best off not using the server as a router, but > just >> having them all on the same subnet behind the router. Its the simplest >> solution. However... > > I just tried that, but server B has 2 network cards (no hub available at > that physical location, the hub is somewhere else). The "internal" card > goes to the hub and the "external" card goes to the Router A. > > The IP address of "internal" is used as the gateway on Server C and > workstations. > >> Can you clarify for me. You said in your first post that you have >> workstations D and a server C on a subnet with Server B as the gateway, >> going on to the router A. If this worked, and you could get onto the >> internet, then you have routing working on Server B. Is that the case? > > Yes, network card "external" has "connected to the internet" turned ON > in Windows 2003 server, while "internal" has "private network" checked. > >> How are you establishing whether outside traffic can get in to your > network? > > Using telnet from one of the workstations on a specific port. I also used > telnet > from an external internet connection while the incoming port was still > available > for "all external addresses" in Router A. > >> What are you doing on the router to test the connection back to C? Do you >> have the firewalls on the servers and workstations blocking icmp? > > I've tried setting up a "static route" on "external" to "internal" and > allowing ports, > but no luck yet. > > -- > Martijn > > >> Anthony, http://www.airdesk.com >> >> >> >> >> In your first post >> "Martijn Tonies" <(E-Mail Removed)> wrote in message >> news:473b46a7$0$26307$(E-Mail Removed)4a ll.nl... >> > Hello Anthony, >> > >> >> Just an explanation: 255.255.25x.x is a "mask". It tells the routing >> >> which >> >> part of the address to look at. 
>> >> 1) You should leave the IP address, mask and gateway of the router as >> >> whatever the ISP settings were. >> > >> > Right. >> > >> >> 2) The static route should be 192.168.2.0/255.255.255.0 192.168.1.100 >> > (note >> >> the mask. 255.255.255.255 would be a specific host, not an address >> >> range.) >> > >> > Right, added to the Router A. >> > >> > But how does the network card with 192.168.1.100 on Server B know to >> > forward this IP address to the internal network? >> > >> > As in: nope, it still doesn't work :-( >> > >> >> 3) Yes, just put all the computers on the 192.168.1.0 subnet >> > >> > Hmm, tried that, for some reason it failed miserably. >> > >> >> 4) Yes, you should only allow specific traffic to specific IP > addresses. >> >> I >> > >> > I figured. >> > >> >> don't know that router. With consumer routers you are dealing with >> >> wizards >> >> and web pages to simplify the configuration. The principles are the > same >> >> though. To access from outside you need to: >> >> - specify the source: either a specific host, or "any" >> >> - specify the port or protocol (e.g SMTP or 25) >> >> - specify the destination: which server >> >> - specify the external address to translate (NAT) to an internal > address >> >> "Forwarding" on consumer routers is a way of simplifying this. For >> > example, >> >> if you only have one external IP address, you can "forward" different >> > ports >> >> to different servers, meaning the router will translate to different >> >> internal addresses for different types of traffic. >> > >> > Yes, I figured that out, but the router A cannot reach 192.168.2.x ... >> > -- >> > Martijn >> > >> > >> >> >> >> >> >> >> >> "Martijn Tonies" <(E-Mail Removed)> wrote in message >> >> news:473b278e$0$26319$(E-Mail Removed)4a ll.nl... >> >> > Hello Anthony, >> >> > >> >> > Thank you for your reply. 
>> >> >
>> >> >> To make this work you would create a static route on the router A, sending
>> >> >> all 192.168.2.0 traffic to the gateway 192.168.1.100.
>> >> >
>> >> > Router A has a subnet of 255.255.252.0, default IP gateway of 127.0.0.2
>> >> > and backup IP gateway of 194.159.73.22 (as per ISP settings). I changed
>> >> > the subnet from 255.255.255.0 to what it is now.
>> >> >
>> >> > I created a static route of 192.168.2.0/255.255.255.255 to 192.168.1.100
>> >> > as the "next gateway".
>> >> >
>> >> > However, when I use "telnet" to test the connection to the outside (ADSL)
>> >> > IP address at the correct port, it does not connect to Server C.
>> >> >
>> >> >> Server B would forward
>> >> >> it automatically to its 192.168.2.1 interface and on to Server C.
>> >> >
>> >> > Are you sure this will happen automatically? See above, it doesn't appear
>> >> > to be happening, or I still have something wrong somewhere. I have been
>> >> > trying this before, but no luck yet :-/
>> >> >
>> >> >> However I think it is a complicated design that is not achieving much. In my
>> >> >> opinion your best approaches would be:
>> >> >> 1) One flat network behind the router. Use the Windows firewalls to restrict
>> >> >> traffic between machines on your network.
>> >> >
>> >> > You mean everything to 192.168.1.x ?
>> >> >
>> >> > Should I then only accept incoming traffic at router A via the defined ports
>> >> > (servers) as I'm running now?
>> >> >
>> >> >> 2) If the netopia is capable of it, create two VLANs on the router, and put
>> >> >> Server A in one, and everything else on the other. As you are still allowing
>> >> >> inbound traffic to Server C this is marginal benefit, but I guess there's a
>> >> >> difference in that traffic to Server C is restricted to 1 IP address only,
>> >> >> whereas to Server B it is open.
>> >> >
>> >> > What I noticed when setting up "Servers" in the Router A, is that I can specify
>> >> > a specific "public address", wouldn't that be my restriction then?
>> >> >
>> >> > --
>> >> > Martijn
>> >> >
>> >> >> "Martijn Tonies" <(E-Mail Removed)> wrote in message
>> >> >> news:473af82b$0$29019$(E-Mail Removed)4a ll.nl...
>> >> >> > Hi,
>> >> >> >
>> >> >> > Thank you for reading this message, let me first state I'm not a
>> >> >> > Network Wizard at all. This question is regarding my home office
>> >> >> > setup and I could need some help.
>> >> >> >
>> >> >> > What I have here, is the following:
>> >> >> >
>> >> >> > A) 1 ADSL router, internal IP address 192.168.1.1, type Netopia 3356
>> >> >> > B) 1 Windows 2003 Server, connected to (A) with a LAN card, IP
>> >> >> > address 192.168.1.100. Also connected to the "internal" network via a
>> >> >> > separate LAN card, IP address 192.168.2.1
>> >> >> > C) A 2nd Windows 2003 Server, connected to (B) via a hub, IP address
>> >> >> > 192.168.2.5, gateway 192.168.2.1
>> >> >> > D) several workstations/client PCs, running W2000, XP etc, DNS IP
>> >> >> > addresses, gateway 192.168.2.1 (also via DNS)
>> >> >> >
>> >> >> > Server (B) runs several small websites and newsgroups by forwarding
>> >> >> > some ports on the outside to 192.168.1.100. This works fine.
>> >> >> >
>> >> >> > What I would like, is to create 1 "server" on the outside and forward it
>> >> >> > to 192.168.2.5 on the inside. On the outside, I would like only 1 IP
>> >> >> > address to gain access to that particular "service".
>> >> >> >
>> >> >> > Server B has IP Routing turned ON, the router A is able to create static
>> >> >> > routes and so on.
>> >> >> >
>> >> >> > However, I have no idea whatsoever how to create this.
>> >> >> >
>> >> >> > Should I change something at Server B? Or in Router A?
>> >> >> >
>> >> >> > Can someone help me with this?
>> >> >> >
>> >> >> > --
>> >> >> > Martijn Tonies
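Added example, not part of the thread and not any poster's code: a minimal model of the mask point quoted above (255.255.255.255 is a single host, 255.255.255.0 is the range) combined with the four things a forwarding rule specifies. It assumes Router A behaves as a plain longest-prefix-match table with its original 255.255.255.0 LAN mask; the allowed source address and the port are constructed values, since the thread names neither.

```python
import ipaddress

def route(dest, mask, next_hop):
    """One routing-table entry: (network, next hop)."""
    return ipaddress.ip_network(f"{dest}/{mask}"), next_hop

def lookup(table, dst):
    """Longest-prefix match: the most specific network containing dst wins."""
    dst = ipaddress.ip_address(dst)
    hits = [(net, hop) for net, hop in table if dst in net]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def router_a(static_mask):
    """Router A's table with the 192.168.2.0 static route under a given mask."""
    return [
        route("0.0.0.0", "0.0.0.0", "ISP"),                  # default route
        route("192.168.1.0", "255.255.255.0", "on-link"),    # router's own LAN
        route("192.168.2.0", static_mask, "192.168.1.100"),  # via Server B
    ]

def inbound(rule, table, src, port):
    """Port-forward decision: source filter, port match, NAT target, route."""
    if ipaddress.ip_address(src) not in ipaddress.ip_network(rule["source"]):
        return "drop: source not allowed"
    if port != rule["port"]:
        return "drop: port not forwarded"
    hop = lookup(table, rule["nat_to"])
    # Simplification: a NAT target that only matches the default route
    # is treated as unreachable from the inside.
    if hop in (None, "ISP"):
        return "drop: no inside route to " + rule["nat_to"]
    return f"forward to {rule['nat_to']} via {hop}"

# Constructed values (assumptions): allowed source and port are not in the thread.
RULE = {"source": "203.0.113.10/32", "port": 8080, "nat_to": "192.168.2.5"}

if __name__ == "__main__":
    for mask in ("255.255.255.255", "255.255.255.0"):
        print(mask, "->", inbound(RULE, router_a(mask), "203.0.113.10", 8080))
    print(inbound(RULE, router_a("255.255.255.0"), "198.51.100.7", 8080))
```

With the host mask, the static route covers only the address 192.168.2.0 itself, so a lookup for Server C at 192.168.2.5 never selects Server B as the next hop.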
Martijn Tonies
Guest
Posts: n/a
|
> Can you successfully access the internet from workstations D, or not?
Yes, that's what I'm doing right now :-)

This is what ipconfig says on my workstation:

DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.2.153
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.2.1
DHCP Server . . . . . . . . . . . : 192.168.2.1
DNS Servers . . . . . . . . . . . : 194.159.73.136
                                    194.159.73.135

--
Martijn
Anthony
Guest
Posts: n/a
|
Hi Martijn,
That's great, so we have established that Server B is already routing between your two subnets.
Does traffic successfully enter from the internet to Server B for the web sites etc you have set up?

Anthony, http://www.airdesk.com

"Martijn Tonies" <(E-Mail Removed)> wrote in message news:473c048d$0$1171$(E-Mail Removed)4al l.nl...
>> Can you successfully access the internet from workstations D, or not?
>
> Yes, that's what I'm doing right now :-)
>
> This is what ipconfig says on my workstation:
>
> DHCP Enabled. . . . . . . . . . . : Yes
> Autoconfiguration Enabled . . . . : Yes
> IP Address. . . . . . . . . . . . : 192.168.2.153
> Subnet Mask . . . . . . . . . . . : 255.255.255.0
> Default Gateway . . . . . . . . . : 192.168.2.1
> DHCP Server . . . . . . . . . . . : 192.168.2.1
> DNS Servers . . . . . . . . . . . : 194.159.73.136
>                                     194.159.73.135
>
> --
> Martijn