RRAS server separating two subnets - one subnet cannot reach the Internet and computers can't ping e

Discussion in 'Windows Networking' started by Spin, Sep 19, 2008.

  1. Spin

    Spin Guest

    Gurus,

    I have a small lab with a bunch of servers setup on two different subnets,
    192.168.1.1 is the gateway for one and 172.16.1.1 is the gateway for the
    other. Installed on my Windows 2003 SP2 RRAS server are three NICs, the
    third NIC is the gateway to the Internet.

    What works: The RRAS server can reach the Internet as well as the computers
    in the 192.168.1.0/24 subnet (the first subnet built).

    What's broken: The computers on the 172.16.1.0/16 subnet cannot get to the
    Internet AND no computer in either subnet can ping any computer in the other
    subnet. What am I doing wrong?

    Additional details:

    192.168.1.0/24 subnet computer XP1:

    Host Name . . . . . . . . . . . . : XP1
    Primary Dns Suffix . . . . . . . : alpha.local
    Node Type . . . . . . . . . . . . : Unknown
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : alpha.local
    alpha.local

    Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix . : alpha.local
    Description . . . . . . . . . . . : VMware Accelerated AMD PCNet
    Adapter #2
    Physical Address. . . . . . . . . : 00-0C-29-4C-D8-52
    Dhcp Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    IP Address. . . . . . . . . . . . : 192.168.1.200
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.1.1
    DHCP Server . . . . . . . . . . . : 192.168.1.10
    DNS Servers . . . . . . . . . . . : 192.168.1.10
    Lease Obtained. . . . . . . . . . : Thursday, September 18, 2008
    9:31:05 PM
    Lease Expires . . . . . . . . . . : Friday, September 26, 2008
    9:31:05 PM

    ------------------------------------------------------

    172.16.1.0/16 subnet computer XP2:

    Host Name . . . . . . . . . . . . : XP2
    Primary Dns Suffix . . . . . . . : alpha.local
    Node Type . . . . . . . . . . . . : Unknown
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : alpha.local

    Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : VMware Accelerated AMD PCNet
    Adapter

    Physical Address. . . . . . . . . : 00-0C-29-E1-E7-07
    Dhcp Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 172.16.1.2
    Subnet Mask . . . . . . . . . . . : 255.255.0.0
    Default Gateway . . . . . . . . . : 171.16.1.1
    DNS Servers . . . . . . . . . . . : 192.168.1.10
     
    Spin, Sep 19, 2008
    #1

  2. Spin

    Bill Grant Guest

    That is how IP routing works.

    As soon as you have multiple routers and multiple default gateways,
    default routing fails. Traffic from your internal network can get to the
    gateway router by default, but there is no return path. You will need to add
    some extra routing to your gateway router to get it running (or run the
    router as a NAT router).

    Running with NAT solves the routing issue (because all traffic from the
    internal subnet will be using the router's "public" IP) but also isolates
    the inner network from the other. (ie the machines behind NAT can see the
    machines in the other subnet and the Internet, but not vice versa because
    NAT is a one-way translation). This is how I run my private virtual network.

    If you really want normal routing between the subnets you need a route on
    the gateway router to bounce traffic for the internal network back to the
    internal router. The default route of the gateway router points out to the
    Internet!

    Internet
    |
    gateway router
    192.168.1.1
    |
    workstations
    192.168.1.x dg 192.168.1.1
    |
    192.168.1.254 dg 192.168.1.1
    RRAS
    172.16.1.1/16 dg blank
    |
    workstations
    172.16.x.y/16 dg 172.16.1.1

    If RRAS is configured as a NAT router, this works. All traffic from the
    172.16 network reaching the gateway is using the RRAS server's 192.168.1.254
    address. The replies come back to the NAT router and it delivers to the
    client.

    Without NAT, this fails. If you try to access a machine in the 192.168
    subnet, the reply goes to the default gateway at 192.168.1.1 which has no
    idea where the 172.16 subnet is, so it tries to send it using default route
    (out to the Internet). This fails because it is a private IP and the packet
    is discarded. If you try to access the Internet, much the same thing
    happens. The router has nowhere to send the reply.

    To make it work you need to add a static route to the gateway router so
    that it knows where the 172.16 subnet is and how to reach it. The simplest
    way is to add a static subnet router to the gateway router. eg

    172.16.0.0 255.255.0.0 192.168.1.254

    Now everything works. Packets arriving at the gateway router for 172.16
    addresses are forwarded to the RRAS router which delivers them directly from
    its private NIC.
     
    Bill Grant, Sep 19, 2008
    #2
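
The return-path behaviour described in the post above, modelled as an added example (not code from the thread): a longest-prefix-match lookup over the tables of a 192.168.1.x workstation and the gateway router at 192.168.1.1. The table contents follow the post's diagram; the "upstream" and "on-link" labels and the function names are assumptions made for the illustration.

```python
import ipaddress

def next_hop(table, dst):
    """Longest-prefix match: next hop of the most specific matching route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None

# Routing tables for the topology in the post.
# "upstream" is a placeholder for the Internet-facing next hop (assumption).
WORKSTATION = [("192.168.1.0/24", "on-link"), ("0.0.0.0/0", "192.168.1.1")]
GATEWAY_ROUTER = [("192.168.1.0/24", "on-link"), ("0.0.0.0/0", "upstream")]
# The static route suggested in the post: 172.16.0.0 255.255.0.0 192.168.1.254
STATIC_ROUTE = ("172.16.0.0/16", "192.168.1.254")

def reply_hops(source_seen, gateway_table):
    """Hops a 192.168.1.x workstation's reply takes back to source_seen."""
    hops = [next_hop(WORKSTATION, source_seen)]
    if hops[0] == "192.168.1.1":
        # Not on-link for the workstation, so the gateway router decides.
        hops.append(next_hop(gateway_table, source_seen))
    return hops

if __name__ == "__main__":
    # Routed, no static route: the reply follows the default route and is lost.
    print(reply_hops("172.16.1.2", GATEWAY_ROUTER))
    # Routed, static route added: the reply is bounced back to RRAS.
    print(reply_hops("172.16.1.2", GATEWAY_ROUTER + [STATIC_ROUTE]))
    # NAT: the workstation sees RRAS's own 192.168.1.254 and answers directly.
    print(reply_hops("192.168.1.254", GATEWAY_ROUTER))
```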

  3. Spin

    Spin Guest

    Bill,

    My RRAS server has three NICs. Below is its IP configuration. In its
    RRAS configuration I added a static route to its 172.16.1.1 interface, with
    the following configuration: Destination: 172.16.0.0, Network Mask:
    255.255.0.0, Gateway: 192.168.1.1, Interface: 172.16.1.1, Metric: 1. I must
    be still doing something wrong as the computers on the 172.16.1.0/16 subnet
    cannot get to the Internet AND no computer in either subnet can ping any
    computer in the other subnet.

    RRAS IP configuration:

    Windows IP Configuration

    Host Name . . . . . . . . . . . . : RRAS1
    Primary Dns Suffix . . . . . . . : alpha.local
    Node Type . . . . . . . . . . . . : Hybrid
    IP Routing Enabled. . . . . . . . : Yes
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : alpha.local
    localdomain

    Ethernet adapter 192.168.1.1 Connection:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter
    Physical Address. . . . . . . . . : 00-0C-29-F5-69-20
    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 192.168.1.1
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . :
    DNS Servers . . . . . . . . . . . : 192.168.1.10

    Ethernet adapter NAT Connection:

    Connection-specific DNS Suffix . : localdomain
    Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter
    #2
    Physical Address. . . . . . . . . : 00-0C-29-F5-69-2A
    DHCP Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    IP Address. . . . . . . . . . . . : 192.168.149.128
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . :
    DHCP Server . . . . . . . . . . . : 192.168.149.254
    DNS Servers . . . . . . . . . . . : 192.168.149.2
    Primary WINS Server . . . . . . . : 192.168.149.2
    Lease Obtained. . . . . . . . . . : Friday, September 19, 2008 9:52:12 AM
    Lease Expires . . . . . . . . . . : Friday, September 19, 2008 10:22:12
    AM

    Ethernet adapter 172.16.1.1 Connection:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter
    #3
    Physical Address. . . . . . . . . : 00-0C-29-F5-69-34
    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 172.16.1.1
    Subnet Mask . . . . . . . . . . . : 255.255.0.0
    Default Gateway . . . . . . . . . :
    DNS Servers . . . . . . . . . . . : 192.168.1.10
     
    Spin, Sep 19, 2008
    #3
  4. I am confused about this RRAS configuration. I don't see any default gateway
    pointing to an IP address. You may post the server and client routing tables here.

    --
    Bob Lin, MS-MVP, MCSE & CNE
    Networking, Internet, Routing, VPN Troubleshooting on
    http://www.ChicagoTech.net
    How to Setup Windows, Network, VPN & Remote Access on
    http://www.HowToNetworking.com
     
    Robert L. (MS-MVP), Sep 19, 2008
    #4
  5. Spin

    Spin Guest

    RRAS1 Server Routing table:
    C:\>route print

    IPv4 Route Table
    ===========================================================================
    Interface List
    0x1 ........................... MS TCP Loopback interface
    0x10003 ...00 0c 29 f5 69 20 ...... VMware Accelerated AMD PCNet Adapter
    0x10004 ...00 0c 29 f5 69 2a ...... VMware Accelerated AMD PCNet Adapter #2
    0x10005 ...00 0c 29 f5 69 34 ...... VMware Accelerated AMD PCNet Adapter #3
    ===========================================================================
    ===========================================================================
    Active Routes:
    Network Destination Netmask Gateway Interface Metric
    0.0.0.0 0.0.0.0 192.168.149.2 192.168.149.128 10
    127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
    172.16.0.0 255.255.0.0 172.16.1.1 172.16.1.1 10
    172.16.1.1 255.255.255.255 127.0.0.1 127.0.0.1 10
    172.16.255.255 255.255.255.255 172.16.1.1 172.16.1.1 10
    192.168.1.0 255.255.255.0 192.168.1.1 192.168.1.1 10
    192.168.1.1 255.255.255.255 127.0.0.1 127.0.0.1 10
    192.168.1.255 255.255.255.255 192.168.1.1 192.168.1.1 10
    192.168.149.0 255.255.255.0 192.168.149.128 192.168.149.128 10
    192.168.149.128 255.255.255.255 127.0.0.1 127.0.0.1 10
    192.168.149.255 255.255.255.255 192.168.149.128 192.168.149.128 10
    224.0.0.0 240.0.0.0 172.16.1.1 172.16.1.1 10
    224.0.0.0 240.0.0.0 192.168.1.1 192.168.1.1 10
    224.0.0.0 240.0.0.0 192.168.149.128 192.168.149.128 10
    255.255.255.255 255.255.255.255 172.16.1.1 172.16.1.1 1
    255.255.255.255 255.255.255.255 192.168.1.1 192.168.1.1 1
    255.255.255.255 255.255.255.255 192.168.149.128 192.168.149.128 1
    Default Gateway: 192.168.149.2
    ===========================================================================
    Persistent Routes:
    None

    XP1 Client Routing table:

    C:\>route print
    ===========================================================================
    Interface List
    0x1 ........................... MS TCP Loopback interface
    0x2 ...00 0c 29 4c d8 52 ...... VMware Accelerated AMD PCNet Adapter #2 -
    Packe
    Scheduler Miniport
    ===========================================================================
    ===========================================================================
    Active Routes:
    Network Destination Netmask Gateway Interface Metric
    0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.200 10
    127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
    192.168.1.0 255.255.255.0 192.168.1.200 192.168.1.200 10
    192.168.1.200 255.255.255.255 127.0.0.1 127.0.0.1 10
    192.168.1.255 255.255.255.255 192.168.1.200 192.168.1.200 10
    224.0.0.0 240.0.0.0 192.168.1.200 192.168.1.200 10
    255.255.255.255 255.255.255.255 192.168.1.200 192.168.1.200 1
    Default Gateway: 192.168.1.1
    ===========================================================================
    Persistent Routes:
    None
     
    Spin, Sep 19, 2008
    #5
  6. Spin

    Spin Guest

    The configuration I just posted is working insofar as XP1 can successfully
    get to the Internet thru RRAS1. However, XP1 and XP2 cannot ping each
    other. Also XP2 cannot get to the Internet.

    XP2 Client Routing table:

    C:\>route print
    ===========================================================================
    Interface List
    0x1 ........................... MS TCP Loopback interface
    0x10003 ...00 0c 29 e1 e7 07 ...... VMware Accelerated AMD PCNet Adapter
    ===========================================================================
    ===========================================================================
    Active Routes:
    Network Destination Netmask Gateway Interface Metric
    0.0.0.0 0.0.0.0 171.16.1.1 172.16.1.2 10
    127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
    172.16.0.0 255.255.0.0 172.16.1.2 172.16.1.2 10
    172.16.1.2 255.255.255.255 127.0.0.1 127.0.0.1 10
    172.16.255.255 255.255.255.255 172.16.1.2 172.16.1.2 10
    224.0.0.0 240.0.0.0 172.16.1.2 172.16.1.2 10
    255.255.255.255 255.255.255.255 172.16.1.2 172.16.1.2 1
    Default Gateway: 171.16.1.1
    ===========================================================================
    Persistent Routes:
    None
     
    Spin, Sep 19, 2008
    #6
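
An added check (not part of any post in this thread) that reads `route print` rows like the ones posted above and reports any route whose gateway lies outside the interface's directly connected networks. The row data is copied from the XP1 and XP2 tables; the function names are illustrative.

```python
import ipaddress

# Active-route rows copied from the XP1 and XP2 "route print" output in this thread.
XP1_ROUTES = """
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.200 10
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.200 192.168.1.200 10
192.168.1.255 255.255.255.255 192.168.1.200 192.168.1.200 10
224.0.0.0 240.0.0.0 192.168.1.200 192.168.1.200 10
"""
XP2_ROUTES = """
0.0.0.0 0.0.0.0 171.16.1.1 172.16.1.2 10
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
172.16.0.0 255.255.0.0 172.16.1.2 172.16.1.2 10
172.16.255.255 255.255.255.255 172.16.1.2 172.16.1.2 10
224.0.0.0 240.0.0.0 172.16.1.2 172.16.1.2 10
"""

def parse_routes(text):
    """Return (network, gateway, interface) for each 5-column route row."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip headers, separators and blank lines
        dest, mask, gateway, iface, _metric = parts
        rows.append((ipaddress.ip_network(f"{dest}/{mask}"),
                     ipaddress.ip_address(gateway),
                     ipaddress.ip_address(iface)))
    return rows

def offlink_gateways(text):
    """List routes whose gateway is not inside any directly connected network."""
    rows = parse_routes(text)
    # XP/2003 show an on-link route with the interface's own address as gateway.
    connected = [net for net, gw, iface in rows
                 if gw == iface and net.prefixlen < 32
                 and not net.network_address.is_multicast]
    return [(str(net), str(gw), str(iface)) for net, gw, iface in rows
            if gw != iface and not gw.is_loopback
            and not any(gw in c for c in connected)]

if __name__ == "__main__":
    for name, table in (("XP1", XP1_ROUTES), ("XP2", XP2_ROUTES)):
        print(name, offlink_gateways(table) or "all gateways on-link")
```

A route reported here has a next hop the host cannot reach with ARP on its own segment, so traffic using that route never leaves the machine's subnet.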
  7. Spin

    Spin Guest

    Pursuant to what Bill Grant said, I think I need a static route on the RRAS1
    server but am unsure of how to configure that static route, I believe it
    needs to be configured against the 172.16.x.y NIC. In doing that, what
    would be my:

    Destination
    Network mask
    Gateway
     
    Spin, Sep 19, 2008
    #7
  8. Spin

    Bill Grant Guest

    No, you do not need extra routing when you are using NAT. Even if you did
    need it, it would not be on this server. It would be on the gateway router
    at 192.168.149.2 .

    From the details you have now supplied, you are running RRAS as a NAT
    router for the 192.168.1.0 subnet. To also do NAT for the new subnet, you
    need to add the third NIC (172.16.1.1) as a private interface in NAT. You do
    that from the NAT section of the RRAS MMC.

    Your network should look like this.

                         Internet
                            |
                      gateway router
                       192.168.1.2
                            |
            192.168.149.128 dg 192.168.149.2
                         RRAS/NAT
               _____________|______________
               |                          |
      192.168.1.1 dg blank       172.16.1.1 dg blank
               |                          |
          192.168.1.x                172.16.x.y
        dg 192.168.1.1             dg 172.16.1.1

    Note that the DG on the 192.168.1.1 and 172.16.1.1 interfaces should be
    blank.

    To run it without NAT, you would need to add static routes to the
    gateway router (not this RRAS server) to forward traffic for the internal
    subnets to this RRAS server. The only default gateway setting is on the NIC
    pointing to the gateway router.

    The required routes would be

    192.168.1.0 255.255.255.0 192.168.149.128 int 192.168.1.2

    172.16.0.0 255.255.0.0 192.168.149.128 int 192.168.1.2
     
    Bill Grant, Sep 20, 2008
    #8
  9. Spin

    Spin Guest

    Bill, if I were using VMware, is that configuration supported by MS when
    you're running RRAS machines as VMs?
     
    Spin, Sep 21, 2008
    #9
  10. Spin

    Bill Grant Guest

    Who knows? I don't use VMWare, so I can't comment on that. If you had
    problems Microsoft might ask you to reproduce it on hard metal.

    Having said that, I can't think of any reason why it would make any
    difference. IP routing is pretty independent of the underlying "hardware".
    Once you get to the routing level there is nothing to indicate what happens
    at the hardware level. I have never struck a situation where virtual
    machines or virtual networks didn't behave the same way at the routing
    level, and I've been at it for a while now with VPC, Virtual Server and now
    Hyper-V.

    There have been problems at the hardware level where some NIC drivers
    don't always work well with the virtualization software.
     
    Bill Grant, Sep 22, 2008
    #10
  11. Spin

    Spin Guest

    Finally Bill, would it matter if the systems on one subnet had a different
    subnet mask than the systems on the other? I mean, the router, with an
    interface on each, takes care of all that translation, right?
     
    Spin, Sep 23, 2008
    #11
  12. Spin

    Bill Grant Guest

    No that doesn't matter. The NIC can deliver traffic to any machine in its
    own subnet directly (ie using hardware addressing).
     
    Bill Grant, Sep 24, 2008
    #12