2 Nics and 2 subnets traffic configuration

Discussion in 'Server Networking' started by Brian Swain, Jul 23, 2005.

  1. Brian Swain

    Brian Swain Guest

    I was hoping someone can help me out w/ this.

    I have a 2003 server dual homed w/ DNS, DHCP, and DC configured. There are
    2 locations w/ different subnets, this first location has a 192.168.0.x
    range and the second location has a 192.168.2.x range. I want to be able to
    pass traffic between the 2 networks including AD authentication.
    The firewall, which is also the default gateway for the 192.168.0.x network
    has an ip address of 192.168.0.250. I've also set up 2 scopes on the DHCP
    server for the 2 different subnets.

    The NICs are configured as the following:

    NIC 192.168.0.x:
    IP: 192.168.0.1
    Subnet Mask: 255.255.255.0
    Default Gateway: 192.168.0.250 (firewall)
    DNS: 192.168.0.1

    NIC 192.168.2.x:
    IP: 192.168.2.1
    Subnet Mask: 255.255.255.0
    Default Gateway: (blank)
    DNS: 192.168.2.1

    Are the NICs setup correctly? The network on the 192.168.0.x range is
    perfect, everything is working excellent. I have full internet connection
    and can access network resources. The second NIC (192.168.2.x) is not giving
    out IP addresses and is having problems passing traffic (e.g. internet,
    internal network, etc..). If I set a static ip on a workstation connected
    to the 192.168.2.x network I can ping it from the server, but can't ping
    anything from the workstation. I'm also testing it by connecting a
    cross-over cable from the 2nd nic to the workstation. Should I try using a
    switch?
     
    Brian Swain, Jul 23, 2005
    #1
  2. Hi Brian,

    What are you trying to ping on 192.168.2.x network? What did you set for
    default gateway on clients on 192.168.2.x network (it should be
    192.168.2.1)... Can you ping default gateway?

    After you ping a resource on local subnet (e.g. anything on 192.168.2.x)
    check the ARP table with this command:

    arp -a

    It should list MAC addresses of the computers that you pinged. If it doesn't
    then something is wrong with cables or switch/hub connection.
     
    Miha Pihler [MVP], Jul 23, 2005
    #2
  3. Also, if the 192.168.0.x machines use 192.168.0.250 as a default gateway,
    then either the gateway itself or each 192.168.0.x machine (other than the
    server) must have a static route to the 192.168.2.x network:

    route -p add 192.168.2.0 mask 255.255.255.0 192.168.0.1

    If you cannot configure the static route on the gateway, then 192.168.2.x
    machines will not have Internet access - you could probably fix this by
    running NAT on the server.

    Doug Sherman
    MCSE, MCSA, MCP+I, MVP
     
    Doug Sherman [MVP], Jul 24, 2005
    #3
  4. Brian Swain

    Brian Swain Guest

    I was trying to ping a client on the 192.168.2.x network. I have
    192.168.2.1 set as the default GW for the clients.

    I'll try checking the arp cache when I get into the office.
    Thanks!
     
    Brian Swain, Jul 25, 2005
    #4
  5. Brian Swain

    Brian Swain Guest

    I'll see if I can add a static route on the firewall. How do I NAT traffic
    so both subnets get internet traffic? If I NAT port 80 traffic to the
    192.168.2.x network won't that disable internet access on the 192.168.0.x
    network?

    Would it work better if I use the server as the gateway?
     
    Brian Swain, Jul 25, 2005
    #5
  6. I want to go back to the first post.

    1. You should never multi-home a DC

    272294 - Active Directory Communication Fails on Multihomed Domain
    Controllers
    http://support.microsoft.com/default.aspx?scid=kb;en-us;272294

    2. You should never multi-home a machine with WINS

    191611 - Symptoms of Multihomed Browsers
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;191611

    3. Even if you still choose to multi-home the DC, I see nowhere where you
    have configured RRAS on the DC to act as a regular LAN Routing Service. It
    will not route between LAN segments automatically,..you have to configure it
    to do so. The Hosts on 192.168.2.x can never get to the Firewall if the
    Server isn't performing normal standard Layer3 Routing with RRAS.

    All Hosts on the LAN will use the DC as their Default Gateway (the interface
    according to the subnet they are on). Then, as the others suggested,..the
    Firewall needs a static route assigned on it that tells it to use
    192.168.0.1 as the "gateway" for the 192.168.2.x network.

    --
    Phillip Windell [MCP, MVP, CCNA]
    www.wandtv.com
    -----------------------------------------------------
    Understanding the ISA 2004 Access Rule Processing
    http://www.isaserver.org/articles/ISA2004_AccessRules.html

    Microsoft Internet Security & Acceleration Server: Guidance
    http://www.microsoft.com/isaserver/techinfo/Guidance/2004.asp
    http://www.microsoft.com/isaserver/techinfo/Guidance/2000.asp

    Microsoft Internet Security & Acceleration Server: Partners
    http://www.microsoft.com/isaserver/partners/default.asp
    -----------------------------------------------------
     
    Phillip Windell, Jul 25, 2005
    #6
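An added example, not from the thread, that models the two points raised in posts #3 and #6: a 192.168.0.x host sending the firewall a packet for 192.168.2.x, the static route on the firewall pointing 192.168.2.0/24 at 192.168.0.1, and whether the DC actually forwards between its two NICs (RRAS LAN routing). The node names, the host addresses 192.168.0.20 and 192.168.2.20, and the UPSTREAM marker are constructed; the addresses of the server and firewall are the ones Brian gave.

```python
import copy
import ipaddress
# Constructed routing tables for the thread's topology. Each route is (network, gateway);
# gateway None means on-link. 'forwards' = whether the box routes between its interfaces.
NODES = {
    "workstation0": {"addrs": {"192.168.0.20"}, "forwards": False,
                     "routes": [("192.168.0.0/24", None), ("0.0.0.0/0", "192.168.0.250")]},
    "firewall":     {"addrs": {"192.168.0.250"}, "forwards": True,
                     "routes": [("192.168.0.0/24", None), ("0.0.0.0/0", "UPSTREAM")]},
    "server":       {"addrs": {"192.168.0.1", "192.168.2.1"}, "forwards": False,  # RRAS routing off
                     "routes": [("192.168.0.0/24", None), ("192.168.2.0/24", None), ("0.0.0.0/0", "192.168.0.250")]},
    "workstation2": {"addrs": {"192.168.2.20"}, "forwards": False,
                     "routes": [("192.168.2.0/24", None), ("0.0.0.0/0", "192.168.2.1")]},
}

def next_hop(routes, dst):
    """Longest-prefix match: the most specific (network, gateway) containing dst, or None."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(n), gw) for n, gw in routes if addr in ipaddress.ip_network(n)]
    return max(hits, key=lambda h: h[0].prefixlen) if hits else None

def owner(nodes, addr):
    return next((name for name, n in nodes.items() if addr in n["addrs"]), None)

def trace(nodes, src, dst, max_hops=8):
    """Follow a packet hop by hop; the path ends in 'delivered' or 'dropped:<why>'."""
    path, node = [src], src
    for _ in range(max_hops):
        if dst in nodes[node]["addrs"]:
            return path + ["delivered"]
        if node != src and not nodes[node]["forwards"]:
            return path + ["dropped:no-forwarding"]   # the DC is not acting as a LAN router
        match = next_hop(nodes[node]["routes"], dst)
        if match is None:
            return path + ["dropped:no-route"]
        target = dst if match[1] is None else match[1]
        if target == "UPSTREAM":
            return path + ["dropped:sent-to-isp"]     # private destination leaves the site
        node = owner(nodes, target)
        if node is None:
            return path + ["dropped:no-such-host"]
        path.append(node)
    return path + ["dropped:loop"]

def scenario(firewall_static_route, server_forwards, src="workstation0", dst="192.168.2.20"):
    nodes = copy.deepcopy(NODES)
    if firewall_static_route:  # post #3: route -p add 192.168.2.0 mask 255.255.255.0 192.168.0.1
        nodes["firewall"]["routes"].insert(0, ("192.168.2.0/24", "192.168.0.1"))
    nodes["server"]["forwards"] = server_forwards     # post #6: RRAS LAN routing on the DC
    return trace(nodes, src, dst)
```

Without the static route the firewall hands the packet to its upstream and it is lost; with the route but no RRAS routing the DC receives it and discards it; only with both does it reach the 192.168.2.x host, and the reverse direction works because the 192.168.2.x clients already use 192.168.2.1 as their gateway.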
  7. Brian Swain

    Brian Swain Guest

    I've seen multiple multihomed DC's running 2003 w/o any problems... aren't
    most SBS servers multihomed?

    RRAS is configured on the DC for LAN routing. So I shouldn't use the
    firewall as a gateway? I tried using the DC as the gateway when I
    only had the 192.168.0.x subnet but couldn't get internet access unless I
    used the firewall as the default gateway. I'll play w/ a couple settings and see
    if I can get it to work correctly.

    Thanks for the response guys! Keep them coming!!

     
    Brian Swain, Jul 26, 2005
    #7
  8. SBS doesn't count. It is its "own animal" and is a special case. I didn't
    say you couldn't do it,..I said you shouldn't do it. If you examine the
    articles I gave, they inform you of all the problems with doing so and then
    they try to work around the problems. But it has been common knowledge for
    many years that with the exception of SBS,...DCs and WINS Servers should not
    be multi-homed, it is just simply a troublesome configuration and a bad
    idea. It may not be your problem (probably isn't) but you should be aware
    of it, and I made you aware of it.

    Anyway, you still have to use RRAS to configure the machine to act as a LAN
    Router or you are not going to get anywhere.

    --
    Phillip Windell [MCP, MVP, CCNA]
    www.wandtv.com
     
    Phillip Windell, Jul 26, 2005
    #8