
Static routes needed to LAN routing aspect of RRAS?

 
 
si via WinServerKB.com
      05-16-2006, 12:01 AM
Hi folks

I am trying to set up the following, purely as a learning exercise, and am
having a touch of difficulty...

Windows 2003 box as a LAN router - simple you would think, I have a dsl
router connected to a DSL line, this is connected to a 2K3 box with 2 NICs
(the supposed LAN router!) the other NIC in the box goes to a switch and in
turn the rest of my LAN

DSL router IP 10.10.0.1
Subnet mask 255.255.0.0
Default GW 84.x.x.x

NIC 1 IP 10.10.0.2
255.255.0.0
10.10.0.1

NIC 2 IP 10.0.0.1
255.255.0.0
NO default GW - is this correct??

All I in effect wanted to do was route from the 10.0.0.0 network to the
10.10.0.0 network. There seems to be very little info on how to set this very
basic function of RRAS (in a step by step idiot guide way!)

Do I need to set up anything other than installing RRAS and using the secure
connection between two LANs option, assuming LAN routing and IP forwarding are
enabled too? Like maybe a static route?

I cannot find decent enough info on exactly what static route to create and
what the interface, destination and default gateway settings should be when
creating a new static route (you would think that this would be easily
explained but I cannot find definitions anywhere!)

Sincere thanks if you read this far, and any pointers, solutions would be great.
I can get this to work, i.e. the clients behind the RRAS box to connect to the
10.10.0.0 subnet, only if I enable NAT on the NIC 1 interface, but why, when I
don't need to translate to a public IP anywhere? I just need to route between
two subnets.

I am yet to get my head around routing as you can prolly see!

Cheers

Simon
MCDST MCP A+

--
Message posted via http://www.winserverkb.com
 
 
 
 
 
Louis Vitiello Jr.
      05-16-2006, 01:15 AM
Greetings,

I believe you are going to have to use the "route add" command in DOS to
tell Windows to route data from one subnet to the other.

Maybe someone can back this up.

Hope this helps,
--
Louis Vitiello Jr.
------------------------------
MCSE, MCSA, MCP, A+/N+
ERCP XP Pro / Net Concepts
 
Bill Grant
      05-16-2006, 02:04 AM
This is one of those things that isn't as easy as you might think. RRAS
as a LAN router is simple if it is the only router involved. If you have an
Internet connection things change because of the way default routing works.

Enabling RRAS as a LAN router (which simply means enabling IP
forwarding) is sufficient if this is the only router. You simply make the
router the default gateway for both segments. eg

10.0.0.x/24 dg 10.0.0.1
|
10.0.0.1 dg blank
router
10.0.1.1 dg blank
|
10.0.1.x/24 dg 10.0.1.1

Traffic which is not local is sent to the router, which delivers it in
the other segment.

If one segment has an Internet connection, this fails because the
default route of the Internet router is out to the Internet. Traffic for the
"other" subnet never reaches the internal router (the RRAS router in your
case).

If all you need is to give the LAN machines Internet access, you can run
NAT on the RRAS router. The setup would be

Internet
|
public IP dg <another public IP>
DSL router
10.0.0.1 dg blank
|
10.0.0.2 dg 10.0.0.1
RRAS/NAT
10.0.1.1 dg blank
|
clients
10.0.1.x dg 10.0.1.1

Without NAT on the RRAS router routing fails because the DSL router does
not know anything about the internal subnet 10.0.1.0/24 . NAT solves this
problem because all traffic reaching the DSL router is using the RRAS/NAT
router's external IP of 10.0.0.2, which the DSL router knows about.

To get it to run without NAT you need to be able to add a static route
to the DSL router. You cannot fix it by adding routes to the RRAS router.
The DSL router must know how to get the traffic for the internal subnet to
the internal router. The setup then looks like this

Internet
|
public IP
DSL router {static route 10.0.1.0 255.255.255.0 10.0.0.2}
10.0.0.1 dg blank
|
10.0.0.2 dg 10.0.0.1
RRAS
10.0.1.1/24 dg blank
|
10.0.1.x/24 dg 10.0.1.1


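The return-path failure Bill Grant describes can be traced with a small longest-prefix-match simulation. This is an added example, not part of the original thread; it uses the addresses from his last diagram, and the client 10.0.1.50, the node names and the `isp` placeholder are constructed for illustration.

```python
import ipaddress

ON_LINK = "on-link"
ISP = "isp"  # placeholder for the DSL router's upstream (public) gateway

def build(static_route_on_dsl):
    """Non-NAT topology from the post; the client host is constructed."""
    dsl_routes = [("10.0.0.0/24", ON_LINK), ("0.0.0.0/0", ISP)]
    if static_route_on_dsl:
        # static route 10.0.1.0 255.255.255.0 10.0.0.2
        dsl_routes.append(("10.0.1.0/24", "10.0.0.2"))
    return {
        "client": {"addrs": ["10.0.1.50"],
                   "routes": [("10.0.1.0/24", ON_LINK), ("0.0.0.0/0", "10.0.1.1")]},
        "rras": {"addrs": ["10.0.0.2", "10.0.1.1"],
                 "routes": [("10.0.0.0/24", ON_LINK), ("10.0.1.0/24", ON_LINK),
                            ("0.0.0.0/0", "10.0.0.1")]},
        "dsl": {"addrs": ["10.0.0.1"], "routes": dsl_routes},
    }

def next_hop(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    ip = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), gw) for p, gw in routes
            if ip in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def owner(net, addr):
    """Name of the node that holds addr on one of its interfaces."""
    return next((n for n, cfg in net.items() if addr in cfg["addrs"]), None)

def trace(net, start, dst, max_hops=8):
    """Nodes a packet visits from start toward dst, ending where it stops."""
    path, node = [start], start
    for _ in range(max_hops):
        if dst in net[node]["addrs"]:
            return path                      # delivered
        gw = next_hop(net[node]["routes"], dst)
        if gw is None:
            return path + ["no route"]
        if gw == ISP:
            return path + ["internet"]       # left the LAN via the default route
        node = owner(net, dst if gw == ON_LINK else gw)
        if node is None:
            return path + ["unreachable"]
        path.append(node)
    return path + ["loop"]

def ping(net, src_node, src_ip, dst_node, dst_ip):
    """Request path and reply path; both must arrive for the ping to succeed."""
    return trace(net, src_node, dst_ip), trace(net, dst_node, src_ip)

if __name__ == "__main__":
    for static in (False, True):
        req, rep = ping(build(static), "client", "10.0.1.50", "dsl", "10.0.0.1")
        print("static route on DSL router:", static, "| request:", req, "| reply:", rep)
```

The request reaches the DSL router in both cases; only the reply changes, which is why adding routes on the RRAS box cannot fix it.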
 
Phillip Windell
      05-16-2006, 01:24 PM
"si via WinServerKB.com" <u11670@uwe> wrote in message
news:604f61f298b18@uwe...

> DSL router IP 10.10.0.1
> Subnet mask 255.255.0.0
> Default GW 84.x.x.x
>
> NIC 1 IP 10.10.0.2
> 255.255.0.0
> 10.10.0.1
>
> NIC 2 IP 10.0.0.1
> 255.255.0.0
> NO defalt GW - is this correct??


That is fine except you are missing the Static route on the DSL NAT Device
that tells it to use 10.10.0.2 as the gateway to 10.0.0.0 / 255.0.0.0. You
could also do the same for the other two full RFC Private Ranges since those
will never be in the Internet.

RRAS doesn't need anything. It is just a LAN Router, it is not a NAT Device
itself and because all of the LAN Networks are "directly connected" it is
already "aware" of them.

Make sure the Client machines *all* use the LAN Router that "faces" them and
that they do *not* use the DSL NAT Device as their DFG.


--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
 
Phillip Windell
      05-16-2006, 01:29 PM

"Bill Grant" <not.available@online> wrote in message
news:(E-Mail Removed)...
> If all you need is to give the LAN machines Internet access, you can run
> NAT on the RRAS router. The setup would be

Bill,
There is no need for NAT on RRAS. All that is needed is for all the LAN
Hosts to use the RRAS box as their DFG, then the RRAS box uses the DSL
Device for its DFG.
The DSL Device then just needs a simple static route pointing to the RRAS
box for any destinations within 10.*.*.*. All of the DSL Devices I have
seen give you the ability to add static routes.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com



 
 
Bill Grant
      05-17-2006, 01:00 AM
That works, but is not likely to be the most efficient way to go. If
most traffic is to the Internet, the logical way to go is to make the
Internet router the default gateway. Only traffic for the new internal
subnet needs to bounce off the gateway router.

If you make the RRAS box the default gateway for the original subnet,
all Internet traffic from that subnet needs to bounce off the RRAS router to
get to the Internet.

 
si via WinServerKB.com
      05-17-2006, 01:50 AM
Hi Gents

Firstly thank you both so much for clearing this up for me. I had read that I
required a static route for this to work without using NAT, however it wasn't
clear where it was required - I now understand, and you're right, my DSL
router does have the option to add static routes

Bill, I understand that this is not efficient, it was a training exercise, the
idea was to get the RAS box to route to the DSL router and back - adding a
hop like you say so internal clients can access the internet (extra hop -
lower efficiency) - I have a weird way of learning... try it, fail, try
again, fail, read, try, read, post, succeed is the normal way it goes...
lol

I had made the RAS box the DFG for clients but hadn't realised quite where the
static route needed to be!! - this highlights my poor understanding of routing
concepts, something I am trying to address :-)

When I couldn't ping the other subnet from a client, i.e. the one between RAS and
the DSL router, I didn't click that this is because the router doesn't know
about the other subnet and therefore needs a static route to tell it where to
send ping packets back to

I still think the documentation from MS is somewhat confusing

How to Use Static Routes with Routing and Remote Access Service
http://support.microsoft.com/?kbid=178993

Was all I could really find (nothing on 2k3) and that article, no offence to
whoever authored it, but the diagrams etc. don't help - needless to say, now
you guys have explained it I can see what the KB art is saying, but surely
this is not the aim!!

Again big respect to Phillip and Bill, it's guys like you that make these
groups such a cool place for info

One thing I don't quite get is why it works with NAT - I understand NAT is
used to share a (normally public) IP between several private clients and that
it adds some info to the packet header, but I don't get how packets are routed
from the DSL router to the internal LAN without adding the aforementioned
static route to my DSL router. Some more reading is in order. Routing is my
next conquest as I have about sussed AD, DNS, RIS, DHCP, IIS and various other
acronyms

Many thanks

Simon




 
Bill Grant
      05-17-2006, 06:13 AM
It works with NAT enabled because you no longer have a routing problem.
The gateway router never sees the IP addresses of the "new" subnet. All
traffic coming from that subnet is behind the NAT. By the time it reaches
the gateway router, the IP address has been changed to the "public" IP of
the NAT router (and that is in the same IP subnet as the gateway router). So
the gateway router delivers the reply to the NAT router. The NAT router then
looks up its translation table to see which NAT client the request came from
and delivers it.

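Bill Grant's explanation of why NAT removes the routing problem, as an added sketch that is not part of the original thread: the RRAS box rewrites the source to 10.0.0.2, which the DSL router reaches on-link, and the translation table maps the reply back to the client. The client addresses, ports and the `Nat` class are constructed for illustration, using the addressing from his earlier diagrams; ports stand in for whatever the NAT keys on (for ping, the ICMP identifier).

```python
import ipaddress

# The only inside subnet the DSL router knows about (no static route added).
DSL_LAN = ipaddress.ip_network("10.0.0.0/24")

def dsl_can_deliver(dst):
    """True if the DSL router can deliver to dst without any extra route."""
    return ipaddress.ip_address(dst) in DSL_LAN

class Nat:
    """Minimal port-translating NAT on the RRAS box's external interface."""

    def __init__(self, external_ip, first_port=50000):
        self.external_ip = external_ip
        self.next_port = first_port
        self.out = {}    # (client_ip, client_port) -> external_port
        self.back = {}   # external_port -> (client_ip, client_port)

    def outbound(self, pkt):
        """Rewrite the source so upstream only ever sees the external IP."""
        key = (pkt["src"], pkt["sport"])
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[self.next_port] = key
            self.next_port += 1
        return dict(pkt, src=self.external_ip, sport=self.out[key])

    def inbound(self, pkt):
        """Look up the translation table; no entry means no client to deliver to."""
        entry = self.back.get(pkt["dport"])
        if pkt["dst"] != self.external_ip or entry is None:
            return None
        return dict(pkt, dst=entry[0], dport=entry[1])

def reply_to(pkt):
    """Build the reply the destination would send back to the packet's source."""
    return {"src": pkt["dst"], "sport": pkt["dport"],
            "dst": pkt["src"], "dport": pkt["sport"]}

if __name__ == "__main__":
    nat = Nat("10.0.0.2")
    for client in ("10.0.1.50", "10.0.1.51"):   # constructed clients
        sent = nat.outbound({"src": client, "sport": 4000,
                             "dst": "10.0.0.1", "dport": 80})
        back = nat.inbound(reply_to(sent))
        print(client, "seen upstream as", sent["src"], sent["sport"],
              "| DSL router can reply:", dsl_can_deliver(sent["src"]),
              "| reply delivered to", back["dst"], back["dport"])
```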
 
Phillip Windell
      05-24-2006, 03:02 PM
"Bill Grant" <not.available@online> wrote in message
news:%(E-Mail Removed)...
> That works, but is not likely to be the most efficient way to go. If
> most traffic is to the Internet, the logical way to go is to make the
> Internet router the default gateway. Only traffic for the new internal
> subnet needs to bounce off the gateway router.


I understand.
I've just always been religiously opposed to making the LAN's routing scheme
dependent in any way on any kind of "Internet device". I always believe in
making the LAN function on its own first with no Internet involved, then the
Internet (and any related devices) simply "hangs off the side" of the LAN.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


 
 
Bill Grant
      05-25-2006, 02:44 AM
That's fair enough. The problem is that it complicates the way that ICMP
redirects work. If the Internet router is the default route, the machines
in the Internet-connected subnet only get redirects for the "internal"
subnet machines. That is, the maximum number of added routes is equal to the
number of machines in the internal network.

If their gateway is set to an internal router they will get redirects
for every external address that they access. This number can get pretty big.
