Re: Setting up separate network on same wire with RRAS

 
 
Lanwench [MVP - Exchange]

 
      01-04-2010
On Mon, 4 Jan 2010 06:02:29 -0800 (PST), steve <>
wrote:

>I want to set up a phantom network, that is, a copy of our existing
>network computers, eg print server, file server, exchange. I want to
>put them all on a couple computers as Virtual machines. This is for
>testing purposes. I will create the machines and then backup the
>original servers and restore them to the Virtual Machines.
>
>The key issue for me is how can I keep them separate. Eg that the one
>network does not see the other network.
>
>So far I have restored a print server to the phantom network.
>The host is on our 10.1.0.x network.
>The VM has two Virtual nics. One is the outside using dhcp to pick
>up info on the 10.1.0.x network and is listed as linking with the nic
>on the host computer. The other nic I have configured as local, and
>using ips of 192.168.10.1.
>
>However when I restored the print server PRNSRV it says there was a
>duplicate name on the network. I thought that I had set this up so
>that the network was separate. (this machine is also a domain
>controller) secondary.
>It was suggested that I use Routing and Remote Access to separate the
>two networks. At first I tried it and it said that the ICF was
>enabled and had to be disabled. Well I looked high and low and the ICF
>was not enabled, it clearly said it was disabled, but I still could not
>run the "Configure and Enable routing and remote access" wizard.
>
>After doing some reading it appears others were having the same
>problem and most didn't know how to solve it. Finally I found this
>script which seems to fix the problem. I ran it on the PRNSRV (VM)
>
>Set WMI = GetObject("WinMgmts:\root\Microsoft\HomeNet")
>Set Objs = WMI.InstancesOf("HNet_ConnectionProperties")
>For Each Obj In Objs
>Obj.IsFirewalled = False
>Obj.Put_
>Next
>
>Well that worked when run as a .vbs
>
>Now the wizard is open but I’m not sure what to do to activate the
>RRAS role on the router and set it up to route local traffic to the
>internet via the "outside" NIC. And keep the one network separate from
>the other. I have never used RRAS. It was not in my Microsoft course.
>
>Regards



Maybe this is a dumb question but if this is for testing, why are you
not doing it in a lab that has no connectivity to the production
network?

That's what I'd do ... no RRAS.

That said, the virtualization software / hypervisor you're using
should have the option to disable VM<-->LAN connectivity.
 
 
 
 
 
Bill Grant

 
      01-04-2010


"Lanwench [MVP - Exchange]"
< ahoo.com> wrote in message
news:...
> Maybe this is a dumb question but if this is for testing, why are you
> not doing it in a lab that has no connectivity to the production
> network?
>
> That's what I'd do ... no RRAS.
>
> That said, the virtualization software / hypervisor you're using
> should have the option to disable VM<-->LAN connectivity.


I agree. I would run it on a virtual network with no connection to the
physical network.

If you want to connect this virtual network to the physical network (to
get Internet access for example) but keep it isolated from the "real"
network, run a NAT router in a vm with one NIC in the virtual network and
one bridged to the physical LAN. You need to have all the virtual machines
running on one host so that they are in the same virtual network. Trying to
run two networks "on the wire" is very tricky.



 
 
Phillip Windell

 
      01-05-2010

"steve" <> wrote in message
news:73d72489-9718-45c6-af8c-...

> I have set up two nics on the Virtual Machine one as an outside card
> and one as an inside card. (local ) but for some reason I still am
> connected to the domain.


Some of the confusion is caused by misused terminology.

Domains are not networks. You connect to networks,...but you "join" and
"interact" with Domains,...you do not "connect to" a Domain,...at least
not in the context that we are using the term "connect".

Yes the "outside" Nic on the VM is of course going to communicate over the
LAN that the Domain "lives" on,...it has to if you are going to get to the
Internet with it. That doesn't mean it is doing anything with the
Domain,...plus if the VM is not a member of the Domain then it is not
possible for it to use the Domain,...membership is a requirement.

90% of your Lab "happenings" are happening on the internal (local) side
which only exists inside the Virtual World. This is where all the VMs "see"
each other. The other nic being a means to get to the Internet via the
"real world" network is almost inconsequential as long as the VM is not a
Domain Member and is not actually trying to interact with the Domain itself
or the rest of the "real world" LAN for any reason.

In most Virtualization systems you can take that "outside" nic and set it to
NAT,...but this does nothing more than prevent the "real world" LAN from
communicating with the "virtual world" LAN,...but it is not preventing flow
in the opposite direction,...it can't,...it shouldn't,...it would be
worthless if it did.


--
Phillip Windell

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------


 
 
Phillip Windell

 
      01-05-2010
Configure the Nic of the VM to be "NAT" instead of being bridged to the
physical Nic. This makes it behave as if there were an "invisible Linksys
box",..if you will,..between it and the Physical host. You then need to
configure the TCP/IP on the Nic to DHCP at the same time so it picks up an
IP Config from the "invisible NAT device" that is compatible with the built
in NAT/DHCP ability of the Virtual Environment.

You may want to unjoin it from the domain too,... yes it will complain about
not finding the DC,...but it should still unjoin itself anyway,...use the
Local Administrator Account when you do that. DO NOT let it see the real DC
during this or it will remove the "real" machine from the Domain causing an
inconsistency because the "real machine" will still think it is a member when
it is not. Disable the Virtual Nic if you have to,..just make sure it
cannot possibly find the real DC during the "unjoining".

Make the workgroup name the same that the Domain was to aid in being able to
get files from the real LAN.

There could be other "gotchas",..but that is the best I can suggest for now
with what little I know of your situation.

--
Phillip Windell

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------





"steve" <> wrote in message
news:ada470f0-7f21-4c21-b21d-...
>
> Phil,
> Thanks, you're right, I was perhaps not clear. And you're right, I am talking
> about two things, a network and a domain. But here is the problem (as I
> see it anyway)
> When I do a restore of a system to the Virtual world/machine a message
> pops up and says there is already a machine with that name on the
> network. I'm assuming that is because when I restore to a virtual
> computer now there are two computers with the same name. The physical
> computer and the virtual have the same name on the same domain. When
> you do the restore it restores it with the original domain name so the
> virtual computer IS a part of the domain. Thus there is a conflict. So
> I really DO want to separate the DOMAINS so that they don't see each
> other, but that I still can get internet access, (maybe if possible
> also that I can access at least one server on the real domain so I can
> download files from the NETWORK.) [emphasis for clarity.]
>
> How can I do that? Will a nat router on the outside nic do the job?
> What is a test if this is true that they really are separate. If I
> rename the computer to a computer that is on the real network, and it
> doesn't conflict does that prove it?
>
> Regards
>



 
 
Bill Grant

 
      01-06-2010


"steve" <> wrote in message
news:9463b470-c833-49c9-8410-...
> You are right Bill, I do want to connect to the internet at least.
> My set up on the Virtual machine is that the outside network is
> connected to the physical nic on the host, then the second nic on the
> Virtual Machine is on the local network, at least that's what it says
> in the VM. Are you saying to put the nat router on the outside nic and
> that should stop the two networks from conflicting?
>
> Regards
>


There has not been a discussion on running multiple networks "on the
wire" here for some time. There are basically three techniques.

1. Protocols. A machine on a network will only see other machines if they
are running the same protocol. Machines running TCP/IP will not see machines
running IPX or AppleTalk. You can have three networks completely unaware of
each other.

2. If they all run TCP/IP, you separate them by using different IP subnets.
Machines can only communicate directly with other machines in the same IP
subnet. To communicate between subnets you need an IP router. This is the
basis of VLANs. The VLAN switch routes between the subnets. These were
called virtual networks and virtual LANs before virtual machines (with their
virtual networks) became popular, and there is now a bit of confusion
because of this.

3. Tunnels. This is a big topic which can't be handled in a few lines (and
isn't relevant to this case) but I felt should be mentioned.

For this particular case, I would use different IP subnets. Configure all
machines with one NIC and set the virtual machines to use bridged mode (so
that they are simply additional machines on the LAN as far as networking is
concerned). This is the only solution which will work if the vms are running
on more than one host. If you put the vms in local virtual networks you
would need to tunnel through the LAN for a vm on one host to see a vm
running on a different host.

Now put all of the machines (physical or virtual) you want to be in the
"new" network in a different IP subnet. All the machines in the new network
can see each other but not any machines in the original subnet.

You only need RRAS if you want machines in this new subnet to have access
to the "old" network and/or the Internet. Only the RRAS router has two
interfaces, one in each subnet. This router can be any machine on the
network, but I would use a vm. If you only want to give the "new" network
Internet access, run it as a NAT router. eg

Internet
|
router
10.1.0.1
|
"old" network
10.1.0.x dg 10.1.0.1
|
10.1.0.254 dg 10.1.0.1
RRAS/NAT
192.168.10.1 dg blank
|
192.168.10.x dg 192.168.10.1

You will need to configure the 192.168.10 machines manually. You cannot
run two DHCP servers in a setup like this. You will also have to be careful
with machine names to avoid duplicates.
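
An added example, not part of Bill Grant's post: a Python check of a machine inventory against the two-subnet plan in the diagram above, flagging the mistakes the thread runs into (duplicate names, a gateway left over from a restore, a second NIC bridged to the old network). The host names other than PRNSRV, the host addresses and the router name NATVM are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Subnets and router addresses are the ones in the post's diagram.
OLD_NET = ipaddress.ip_network("10.1.0.0/24")
LAB_NET = ipaddress.ip_network("192.168.10.0/24")

# Constructed sample inventory: (name, [(ip, default gateway or None), ...]).
# Host names other than PRNSRV, and all host addresses, are made up.
INVENTORY = [
    ("PRNSRV",   [("10.1.0.20", "10.1.0.1")]),            # production server
    ("NATVM",    [("10.1.0.254", "10.1.0.1"),             # RRAS/NAT router VM
                  ("192.168.10.1", None)]),               # inside NIC, gateway blank
    ("prnsrv",   [("192.168.10.20", "192.168.10.1")]),    # restored copy, same name
    ("LAB-FILE", [("192.168.10.21", "10.1.0.1")]),        # gateway kept from restore
    ("LAB-EXCH", [("192.168.10.22", "192.168.10.1"),
                  ("10.1.0.77", None)]),                  # stray bridged second NIC
]

def subnet_of(ip):
    """Return the planned subnet containing ip, or None."""
    return next((n for n in (OLD_NET, LAB_NET) if ip in n), None)

def audit(inventory, router="NATVM"):
    """Return findings that break the two-subnet isolation plan."""
    findings = []
    names = Counter(name.upper() for name, _ in inventory)  # NetBIOS names ignore case
    findings += [f"duplicate-name {n}" for n, c in names.items() if c > 1]
    ips = Counter(ip for _, nics in inventory for ip, _ in nics)
    findings += [f"duplicate-ip {ip}" for ip, c in ips.items() if c > 1]
    for name, nics in inventory:
        nets = set()
        for ip_s, gw_s in nics:
            ip = ipaddress.ip_address(ip_s)
            net = subnet_of(ip)
            if net is None:
                findings.append(f"unplanned-subnet {name} {ip}")
                continue
            nets.add(net)
            # A gateway outside the NIC's own subnet is not reachable on-link.
            if gw_s and ipaddress.ip_address(gw_s) not in net:
                findings.append(f"off-link-gateway {name} {ip} via {gw_s}")
        # Only the router may have an interface in each subnet.
        if len(nets) > 1 and name != router:
            findings.append(f"dual-homed {name}")
        # The router carries exactly one default gateway (inside NIC left blank).
        if name == router and sum(1 for _, gw in nics if gw) != 1:
            findings.append(f"router-gateway-count {name}")
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(INVENTORY):
        print(finding)
```

The audit covers the addressing plan only; it does not look at which machines share the same physical segment.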






 