Static routes needed to LAN routing aspect of RRAS?

Discussion in 'Windows Networking' started by si via WinServerKB.com, May 16, 2006.

  1. Hi folks

    I am trying to setup the following, purely as a learning excercise and am
    having a touch of difficulty...

    Windows 2003 box as a LAN router - simple you would think, I have a dsl
    router connected to a DSL line, this is connected to a 2K3 box with 2 NICs
    (the supposed LAN router!) the other NIC in the box goes to a switch and in
    turn the rest of my LAN

    DSL router IP 10.10.0.1
    Subnet mask 255.255.0.0
    Default GW 84.x.x.x

    NIC 1 IP 10.10.0.2
    255.255.0.0
    10.10.0.1

    NIC 2 IP 10.0.0.1
    255.255.0.0
    NO defalt GW - is this correct??

    All I in effect wanted to do was route from the 10.0.0.0. network to the 10.
    10.0.0 network> there seems to be very little info on how to set this very
    basic function of RRAS(in a steip by step idiot guid way!)

    Do i need to setup anything other than installing RRAS and using the secure
    connection between to LANs option, assuming LAN routing and IP forwarding are
    enabled too. Like maybe a static route?

    I cannot find decent enough info on exactly what static route to create and
    what the interface, destination and default gateway settings should be when
    creating a new static route (you would think that this would be easily
    explained but I cannot find definitions anywhere!)

    Sincere thanks if you read this far and any pointers,solutions would be great,
    I can get this to work ie the clients behind the RRAS box to connect to the
    10.10.0.0 subnet only if I enable NAT on the NIC 1 interface but why when I
    dont need to translate to a public IP anywhere, I just need to route between
    two subnets.

    I am yet to get my head around routing as you can prolly see!

    Cheers

    Simon
    MCDST MCP A+
     
    si via WinServerKB.com, May 16, 2006
    #1
    1. Advertisements

  2. Greetings,

    I believe you are going to have to use the "route add" command in DOS to
    tell Windows to route data from one subnet to the other.

    Maybe someone can back this up.

    Hope this helps,
     
    Louis Vitiello Jr., May 16, 2006
    #2
    1. Advertisements

  3. si via WinServerKB.com

    Bill Grant Guest

    This is one of those things that isn't as easy as you might think. RRAS
    as a LAN router is simple if it is the only router involved. If you have an
    Internet connection things change because of the way default routing works.

    Enabling RRAS as a LAN router (which simply means enabling IP
    forwarding) is sufficient if this is the only router. You simply make the
    router the default gateway for both segments. eg

    10.0.0.x/24 dg 10.0.0.1
    |
    10.0.0.1 dg blank
    router
    10.0.1.1 dg blank
    |
    10.0.1.x/24 dg 10.0.1.1

    Traffic which is not local is sent to the router, which delivers it in
    the other segment.

    If one segment has an Internet connection, this fails because the
    default route of the Internet router is out to the Internet. Traffic for the
    "other" subnet never reaches the internal router (the RRAS router in your
    case).

    If all you need is to give the LAN machines Internet access, you can run
    NAT on the RRAS router. The setup would be

    Internet
    |
    public IP dg <another public IP>
    DSL router
    10.0.0.1 dg blank
    |
    10.0.0.2 dg 10.0.0.1
    RRAS/NAT
    10.0.1.1 dg blank
    |
    clients
    10.0.1.x dg 10.0.1.1

    Without NAT on the RRAS router routing fails because the DSL router does
    not know anything about the internal subnet 10.0.1.0/24 . NAT solves this
    problem because all traffic reaching the DSL router is using the RRAS/NAT
    router's external IP of 10.0.0.2, which the DSL router knows about.

    To get it to run without NAT you need to be able to add a static route
    to the DSL router. You cannot fix it by adding routes to the RRAS router.
    The DSL router must know how to get the traffic for the internal subnet to
    the internal router. The setup then looks like this

    Internet
    |
    public IP
    DSL router {static route 10.0.1.0 255.255.255.0 10.0.0.2}
    10.0.0.1 dg blank
    |
    10.0.0.2 dg 10.0.0.1
    RRAS
    10.0.1.1/24 dg blank
    |
    10.0.1.x/24 dg 10.0.1.1
     
    Bill Grant, May 16, 2006
    #3
  4. That is fine except you are missing the Static route on the DSL NAT Device
    that tells it to use 10.10.0.2 as the gateway to 10.0.0.0 / 255.0.0.0. You
    could also do the same for the other two full RFC Private Ranges since those
    will never be in the Internet.

    RRAS doesn't need anything. It is just a LAN Router, it is not a NAT Device
    itself and because all of the LAN Networks are "directly connected" it is
    already "aware" of them.

    Make sure the Client machines *all* use the LAN Router that "faces" them and
    that they do *not* use the DSL NAT Device as their DFG.


    --
    Phillip Windell [MCP, MVP, CCNA]
    www.wandtv.com
    -----------------------------------------------------
    Understanding the ISA 2004 Access Rule Processing
    http://www.isaserver.org/articles/ISA2004_AccessRules.html

    Troubleshooting Client Authentication on Access Rules in ISA Server 2004
    http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc

    Microsoft Internet Security & Acceleration Server: Guidance
    http://www.microsoft.com/isaserver/techinfo/Guidance/2004.asp
    http://www.microsoft.com/isaserver/techinfo/Guidance/2000.asp

    Microsoft Internet Security & Acceleration Server: Partners
    http://www.microsoft.com/isaserver/partners/default.asp

    Deployment Guidelines for ISA Server 2004 Enterprise Edition
    http://www.microsoft.com/technet/prodtechnol/isa/2004/deploy/dgisaserver.mspx
    -----------------------------------------------------
     
    Phillip Windell, May 16, 2006
    #4
  5. Bill,
    There is no need for NAT on RRAS. All that is needed is for all the LAN
    Hosts to use the RRAS box as their DFG, then the the RRAS box uses the DSL
    Device for its DFG.
    The DSL Device then just needs a simple static route pointing to the RRAS
    box for any destinations within 10.*.*.*. All of the DSL Devices I have
    seen give you the ability to add static routes.
     
    Phillip Windell, May 16, 2006
    #5
  6. si via WinServerKB.com

    Bill Grant Guest

    That works, but is not likely to be the most efficient way to go. If
    most traffic is to the Internet, the logical way to go is to make the
    Internet router the default gateway. Only traffic for the new internal
    subnet needs to bounce off the gateway router.

    If you make the RRAS box the default gateway for the original subnet,
    all Internet traffic from that subnet needs to bounce off the RRAS router to
    get to the Internet.
     
    Bill Grant, May 17, 2006
    #6
  7. Hi Gents

    Firstly thankyou both so much for clearing this up for me, I had read that I
    required a static route for this to work without using NAT however it wasnt
    clear where it was required - I know understand and you're right my dsl
    router does have option to add static routes

    Bill I understand that this is not efficient is was a training exercise the
    idea was to get the ras box to route to the dsl router and back - adding a
    hop like you say so internal clients can access the internet(extra hop -
    lower efficiency) - I have a weird way of learning........try it, fail , try
    again , fail ,read , try , read , post , succeed is the normal way it goes...
    lol

    I had made the RAS box the DFG for clients but hadnt realised quite where the
    static route needed to be!! - this highights my poor understanding of routing
    concepts, something i am trying to address :)

    When I couldnt ping the other subnet from a client ie the one between ras and
    the dsl router I didnt click that this is because the router doesnt know
    about the other subnet and therefore needs static route to tell it where to
    send ping packets back too

    I still think the documentation from MS is somewhat confusing

    How to Use Static Routes with Routing and Remote Access Service
    http://support.microsoft.com/?kbid=178993

    Was all I could really find (nothing on 2k3) and that article , no offence to
    who ever authored it but the diagrams etc dont help - needless to say now
    you guys have explained it I can see what the KB art is saying but surely
    this is not the aim!!

    Again big respect to Phillip and Bill its guys like you that make these
    groups such a cool place for info

    One thing I dont wuite get is why it works with NAT - I understand NAT is
    used to share a (normally public) IP between several private clients and that
    it adds someinfo to the packet header but I dont get how packets are routed
    from the dsl router to the internal lan without adding the aformentioned
    static route to my dsl router. Some more reading is in order. Routing is my
    next conquest as I have about sussed AD,DNS,RIS,DHCP,IIS and various other
    acronyms

    Many thanks

    Simon




     
    si via WinServerKB.com, May 17, 2006
    #7
  8. si via WinServerKB.com

    Bill Grant Guest

    It works with NAT enabled because you no longer have a routing problem.
    The gateway router never sees the IP addresses of the "new" subnet. All
    traffic coming from that subnet is behind the NAT. By the time it reaches
    the gateway router, the IP address has been changed to the "public" IP of
    the NAT router (and that is in the same IP subnet as the gateway router). So
    the gateway router delivers the reply to the NAT router. The NAT router then
    looks up its translation table to see which NAT client the request came from
    and delivers it.
     
    Bill Grant, May 17, 2006
    #8
  9. I understand.
    I've just always been religously opposed to making the LAN's routing scheme
    dependent in any way to any kind of "Internet device". I always believe in
    making the LAN function on its own first with no Intenet involved,..then the
    Internet (and any related devices) simply "hangs off the side" of the LAN.
     
    Phillip Windell, May 24, 2006
    #9
  10. si via WinServerKB.com

    Bill Grant Guest

    That's fair enough. The problem is that it complicates the way that ICMP
    redirects works. If the Internet router is the default route, the machines
    in the Internet -connected subnet only get redirects for the "internal"
    subnet machines. That is the maximum number of added routes is equal to the
    number of machines in the internal network.

    If their gateway is set to an internal router they will get redirects
    for every external address that they access. This number can get pretty big.
     
    Bill Grant, May 25, 2006
    #10
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.