RRAS server separating two subnets - one subnet cannot reach the Internet and computers can't ping each other between subnets

 
 
Spin
09-19-2008, 01:38 AM
Gurus,

I have a small lab with a bunch of servers set up on two different subnets,
192.168.1.1 is the gateway for one and 172.16.1.1 is the gateway for the
other. Installed on my Windows 2003 SP2 RRAS server are three NICs, the
third NIC is the gateway to the Internet.

What works: The RRAS server can reach the Internet as well as the computers
in the 192.168.1.0/24 subnet (the first subnet built).

What's broken: The computers on the 172.16.1.0/16 subnet cannot get to the
Internet AND no computer in either subnet can ping any computer in the other
subnet. What am I doing wrong?

Additional details:

192.168.1.0/24 subnet computer XP1:

Host Name . . . . . . . . . . . . : XP1
Primary Dns Suffix . . . . . . . : alpha.local
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : alpha.local
alpha.local

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : alpha.local
Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter #2
Physical Address. . . . . . . . . : 00-0C-29-4C-D8-52
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.200
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.10
DNS Servers . . . . . . . . . . . : 192.168.1.10
Lease Obtained. . . . . . . . . . : Thursday, September 18, 2008 9:31:05 PM
Lease Expires . . . . . . . . . . : Friday, September 26, 2008 9:31:05 PM

------------------------------------------------------

172.16.1.0/16 subnet computer XP2:

Host Name . . . . . . . . . . . . : XP2
Primary Dns Suffix . . . . . . . : alpha.local
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : alpha.local

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter

Physical Address. . . . . . . . . : 00-0C-29-E1-E7-07
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 172.16.1.2
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 171.16.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.10

--
Spin


 
Bill Grant
09-19-2008, 04:54 AM

That is how IP routing works.

As soon as you have multiple routers and multiple default gateways,
default routing fails. Traffic from your internal network can get to the
gateway router by default, but there is no return path. You will need to add
some extra routing to your gateway router to get it running (or run the
router as a NAT router).

Running with NAT solves the routing issue (because all traffic from the
internal subnet will be using the router's "public" IP) but also isolates
the inner network from the other. (i.e. the machines behind NAT can see the
machines in the other subnet and the Internet, but not vice versa because
NAT is a one-way translation). This is how I run my private virtual network.

If you really want normal routing between the subnets you need a route on
the gateway router to bounce traffic for the internal network back to the
internal router. The default route of the gateway router points out to the
Internet!

Internet
|
gateway router
192.168.1.1
|
workstations
192.168.1.x dg 192.168.1.1
|
192.168.1.254 dg 192.168.1.1
RRAS
172.16.1.1/16 dg blank
|
workstations
172.16.x.y/16 dg 172.16.1.1

If RRAS is configured as a NAT router, this works. All traffic from the
172.16 network reaching the gateway is using the RRAS server's 192.168.1.254
address. The replies come back to the NAT router and it delivers to the
client.

Without NAT, this fails. If you try to access a machine in the 192.168
subnet, the reply goes to the default gateway at 192.168.1.1 which has no
idea where the 172.16 subnet is, so it tries to send it using default route
(out to the Internet). This fails because it is a private IP and the packet
is discarded. If you try to access the Internet, much the same thing
happens. The router has nowhere to send the reply.

To make it work you need to add a static route to the gateway router so
that it knows where the 172.16 subnet is and how to reach it. The simplest
way is to add a static subnet route to the gateway router. e.g.

172.16.0.0 255.255.0.0 192.168.1.254

Now everything works. Packets arriving at the gateway router for 172.16
addresses are forwarded to the RRAS router which delivers them directly from
its private NIC.


 
Spin
09-19-2008, 01:59 PM
Bill,

My RRAS server has three NICs. Below is its IP configuration. In its
RRAS configuration I added a static route to its 172.16.1.1 interface, with
the following configuration: Destination: 172.16.0.0, Network Mask:
255.255.0.0, Gateway: 192.168.1.1, Interface: 172.16.1.1, Metric: 1. I must
be still doing something wrong as the computers on the 172.16.1.0/16 subnet
cannot get to the Internet AND no computer in either subnet can ping any
computer in the other subnet.

RRAS IP configuration:

Windows IP Configuration

Host Name . . . . . . . . . . . . : RRAS1
Primary Dns Suffix . . . . . . . : alpha.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : alpha.local
localdomain

Ethernet adapter 192.168.1.1 Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter
Physical Address. . . . . . . . . : 00-0C-29-F5-69-20
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 192.168.1.10

Ethernet adapter NAT Connection:

Connection-specific DNS Suffix . : localdomain
Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter #2
Physical Address. . . . . . . . . : 00-0C-29-F5-69-2A
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.149.128
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DHCP Server . . . . . . . . . . . : 192.168.149.254
DNS Servers . . . . . . . . . . . : 192.168.149.2
Primary WINS Server . . . . . . . : 192.168.149.2
Lease Obtained. . . . . . . . . . : Friday, September 19, 2008 9:52:12 AM
Lease Expires . . . . . . . . . . : Friday, September 19, 2008 10:22:12 AM

Ethernet adapter 172.16.1.1 Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter #3
Physical Address. . . . . . . . . : 00-0C-29-F5-69-34
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 172.16.1.1
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 192.168.1.10


 
Robert L. (MS-MVP)
09-19-2008, 02:39 PM
I am confused about this RRAS configuration. I don't see any default gateway
pointing to an IP address. You may post the server and client routing tables here.

--
Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on
http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on
http://www.HowToNetworking.com

Spin
09-19-2008, 02:51 PM
"Robert L. (MS-MVP)" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>I am confused about this RRAS configuration. I don't see any default
>gateway pointing to an IP address. You may post the server and client routing
>tables here.


RRAS1 Server Routing table:
C:\>route print

IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 0c 29 f5 69 20 ...... VMware Accelerated AMD PCNet Adapter
0x10004 ...00 0c 29 f5 69 2a ...... VMware Accelerated AMD PCNet Adapter #2
0x10005 ...00 0c 29 f5 69 34 ...... VMware Accelerated AMD PCNet Adapter #3
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.149.2 192.168.149.128 10
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
172.16.0.0 255.255.0.0 172.16.1.1 172.16.1.1 10
172.16.1.1 255.255.255.255 127.0.0.1 127.0.0.1 10
172.16.255.255 255.255.255.255 172.16.1.1 172.16.1.1 10
192.168.1.0 255.255.255.0 192.168.1.1 192.168.1.1 10
192.168.1.1 255.255.255.255 127.0.0.1 127.0.0.1 10
192.168.1.255 255.255.255.255 192.168.1.1 192.168.1.1 10
192.168.149.0 255.255.255.0 192.168.149.128 192.168.149.128 10
192.168.149.128 255.255.255.255 127.0.0.1 127.0.0.1 10
192.168.149.255 255.255.255.255 192.168.149.128 192.168.149.128 10
224.0.0.0 240.0.0.0 172.16.1.1 172.16.1.1 10
224.0.0.0 240.0.0.0 192.168.1.1 192.168.1.1 10
224.0.0.0 240.0.0.0 192.168.149.128 192.168.149.128 10
255.255.255.255 255.255.255.255 172.16.1.1 172.16.1.1 1
255.255.255.255 255.255.255.255 192.168.1.1 192.168.1.1 1
255.255.255.255 255.255.255.255 192.168.149.128 192.168.149.128 1
Default Gateway: 192.168.149.2
===========================================================================
Persistent Routes:
None

XP1 Client Routing table:

C:\>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 0c 29 4c d8 52 ...... VMware Accelerated AMD PCNet Adapter #2 -
Packe
Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.200 10
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.200 192.168.1.200 10
192.168.1.200 255.255.255.255 127.0.0.1 127.0.0.1 10
192.168.1.255 255.255.255.255 192.168.1.200 192.168.1.200 10
224.0.0.0 240.0.0.0 192.168.1.200 192.168.1.200 10
255.255.255.255 255.255.255.255 192.168.1.200 192.168.1.200 1
Default Gateway: 192.168.1.1
===========================================================================
Persistent Routes:
None


 
Spin
09-19-2008, 02:53 PM
The configuration I just posted is working insofar as XP1 can successfully
get to the Internet thru RRAS1. However, XP1 and XP2 cannot ping each
other. Also XP2 cannot get to the Internet.

XP2 Client Routing table:

C:\>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 0c 29 e1 e7 07 ...... VMware Accelerated AMD PCNet Adapter
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 171.16.1.1 172.16.1.2 10
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
172.16.0.0 255.255.0.0 172.16.1.2 172.16.1.2 10
172.16.1.2 255.255.255.255 127.0.0.1 127.0.0.1 10
172.16.255.255 255.255.255.255 172.16.1.2 172.16.1.2 10
224.0.0.0 240.0.0.0 172.16.1.2 172.16.1.2 10
255.255.255.255 255.255.255.255 172.16.1.2 172.16.1.2 1
Default Gateway: 171.16.1.1
===========================================================================
Persistent Routes:
None


 
Reply With Quote
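
An added example, not part of any post in this thread: a check that a host's default gateway lies inside the subnet of its own interface, run over the adapter values posted above for XP1 and XP2 (copied into the block as sample input). The function names are illustrative; on this input it reports XP2's gateway 171.16.1.1 as outside 172.16.0.0/16.

```python
import ipaddress
import re

# Constructed sample input: adapter values copied from the XP1 and XP2
# ipconfig listings posted in this thread.
SAMPLES = {
    "XP1": """\
IP Address. . . . . . . . . . . . : 192.168.1.200
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.10
""",
    "XP2": """\
IP Address. . . . . . . . . . . . : 172.16.1.2
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 171.16.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.10
""",
}

# "Name . . . . : value" with the dotted leader stripped from the name.
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)[ .]*:\s*(\S*)\s*$")


def parse_adapter(text):
    """Turn 'Name . . . : value' lines into a dict; other lines are skipped."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def check_adapter(text):
    """Return a list of findings about gateway and DNS reachability."""
    f = parse_adapter(text)
    # ip_interface accepts dotted-netmask notation, e.g. 172.16.1.2/255.255.0.0
    iface = ipaddress.ip_interface(f"{f['IP Address']}/{f['Subnet Mask']}")
    findings = []
    gw = f.get("Default Gateway", "")
    gw_ok = bool(gw) and ipaddress.ip_address(gw) in iface.network
    if not gw:
        findings.append("no default gateway: only on-link hosts reachable")
    elif not gw_ok:
        # The host cannot ARP for a gateway that is not on its own subnet.
        findings.append(f"gateway {gw} is outside {iface.network}")
    dns = f.get("DNS Servers", "")
    if dns and ipaddress.ip_address(dns) not in iface.network and not gw_ok:
        findings.append(f"DNS server {dns} is off-link with no usable gateway")
    return findings


if __name__ == "__main__":
    for host, text in SAMPLES.items():
        print(host, check_adapter(text) or "ok")
```
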
 
Spin
09-19-2008, 07:37 PM
Pursuant to what Bill Grant said, I think I need a static route on the RRAS1
server but am unsure of how to configure that static route, I believe it
needs to be configured against the 172.16.x.y NIC. In doing that, what
would be my:

Destination
Network mask
Gateway


 
Bill Grant
09-20-2008, 02:11 AM
No, you do not need extra routing when you are using NAT. Even if you did
need it, it would not be on this server. It would be on the gateway router
at 192.168.149.2 .

From the details you have now supplied, you are running RRAS as a NAT
router for the 192.168.1.0 subnet. To also do NAT for the new subnet, you
need to add the third NIC (172.16.1.1) as a private interface in NAT. You do
that from the NAT section of the RRAS MMC.

Your network should look like this.

                    Internet
                       |
                 gateway router
                  192.168.1.2
                       |
          192.168.149.128 dg 192.168.149.2
                    RRAS/NAT
        _______________|______________________
        |                                    |
192.168.1.1 dg blank                172.16.1.1 dg blank
        |                                    |
   192.168.1.x                          172.16.x.y
   dg 192.168.1.1                       dg 172.16.1.1

Note that the DG on the 192.168.1.1 and 172.16.1.1 interfaces should be
blank.

To run it without NAT, you would need to add static routes to the
gateway router (not this RRAS server) to forward traffic for the internal
subnets to this RRAS server. The only default gateway setting is on the NIC
pointing to the gateway router.

The required routes would be

192.168.1.0 255.255.255.0 192.168.149.128 int 192.168.1.2

172.16.0.0 255.255.0.0 192.168.149.128 int 192.168.1.2


"Spin" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Pursuant to what Bill Grant said, I think I need a static route on the
> RRAS1 server but am unsure of how to configure that static route, I
> believe it needs to be configured against the 172.16.x.y NIC. In doing
> that, what would be my:
>
> Destination
> Network mask
> Gateway
>

 
Reply With Quote
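
The return-path reasoning in Bill Grant's two replies, as an added example that is not part of any post in this thread: a longest-prefix-match lookup on the gateway router at 192.168.149.2, without static routes, with the two static routes from the reply above, and with RRAS doing NAT. The gateway router's base table and the `upstream` and `on-link` labels are assumptions made for the illustration.

```python
import ipaddress


def next_hop(table, dst):
    """Longest-prefix match over (prefix, next_hop) pairs."""
    dst = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), hop) for p, hop in table
               if dst in ipaddress.ip_network(p)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


# Assumed table for the gateway router at 192.168.149.2: its own LAN plus a
# default route towards the Internet ("upstream" is a placeholder next hop).
GATEWAY_BASE = [
    ("192.168.149.0/24", "on-link"),
    ("0.0.0.0/0", "upstream"),
]
# The two static routes listed in the reply, both pointing at the RRAS server.
GATEWAY_STATIC = [
    ("192.168.1.0/24", "192.168.149.128"),
    ("172.16.0.0/16", "192.168.149.128"),
]
RRAS_OUTSIDE = "192.168.149.128"


def reply_path(client, static_routes=False, nat=False):
    """Return (next_hop, delivered) for the reply the gateway router sends
    back towards a client that sits behind the RRAS server."""
    table = GATEWAY_BASE + (GATEWAY_STATIC if static_routes else [])
    # With NAT the gateway router only ever sees the RRAS outside address.
    reply_dst = RRAS_OUTSIDE if nat else client
    hop = next_hop(table, reply_dst)
    # A private destination handed to the default route is discarded upstream.
    lost = hop == "upstream" and ipaddress.ip_address(reply_dst).is_private
    return hop, not lost


if __name__ == "__main__":
    cases = [("plain routing, no static routes", {}),
             ("static routes on the gateway", {"static_routes": True}),
             ("RRAS doing NAT", {"nat": True})]
    for label, kwargs in cases:
        for client in ("192.168.1.200", "172.16.1.2"):
            print(f"{label:34} {client:14} -> {reply_path(client, **kwargs)}")
```
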
 
Spin
09-21-2008, 05:35 PM
Bill, if I were using VMware, is that configuration supported by MS when
you're running RRAS machines as VMs?


 
Bill Grant
09-21-2008, 11:11 PM


"Spin" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Bill, if I were using VMware, is that configuration supported by MS when
> you're running RRAS machines as VMs?
>

Who knows? I don't use VMWare, so I can't comment on that. If you had
problems Microsoft might ask you to reproduce it on hard metal.

Having said that, I can't think of any reason why it would make any
difference. IP routing is pretty independent of the underlying "hardware".
Once you get to the routing level there is nothing to indicate what happens
at the hardware level. I have never struck a situation where virtual
machines or virtual networks didn't behave the same way at the routing
level, and I've been at it for a while now with VPC, Virtual Server and now
Hyper-V.

There have been problems at the hardware level where some NIC drivers
don't always work well with the virtualization software.



 