LAN routing

Discussion in 'Server Networking' started by exchangerookie1994, Aug 18, 2005.

  1. We have a remote office currently connected by 2 mb long haul Dsl connection
    to inside of our main lan. We are interested in configuring a 2003 server as
    a router at the remote location and setting them on a new IP scheme/ subnet.
    I have tried to set up RRAS in several different roles with no luck. We would
    like for the connection between the 2 lans to be seamless without having to
    add static routes on each PC, server, and other routers.

    Thanks for your time
     
    exchangerookie1994, Aug 18, 2005
    #1

  2. exchangerookie1994

    Jason Gurtz Guest

    [only need to post once please]

    you should just use a hardware router IMO. Check out the Cisco 831, it's
    not too expensive (few hundred) and will be much more reliable. RIP
    protocol should be able to handle dynamic adding of routes in a small WAN
    network but honestly, is it that bad to put a couple static routes in, one
    time, when you set it up? Clients can have their gateway changed via DHCP.

    You could try a cheapo SOHO router but they tend to be not too feature
    complete for a corp WAN since they are designed for mostly DSL/Cable
    gateway applications. They also tend to crash under load.

    ~Jason

    --
     
    Jason Gurtz, Aug 18, 2005
    #2

  3. I would not mind at all to put a couple of routes in on each of the subnet
    routers.
    I would like for every host in main Lan to be able to talk to every host on
    remote Lan.
    What I have done so far-
    Main lan = 192.168.100.0/24
    Gateway (PIX 506) = 192.168.100.1
    All clients on this LAN have DG of 192.168.100.1

    Remote Lan = 192.168.101.0/24
    Gateway Win2k3 Server = 192.168.101.1
    All clients have 192.168.101.1 AS DG

    I have added static routes to both default gateways
    Main site - route add 192.168.101.0 MASK 255.255.255.0 192.168.100.241
    METRIC 1
    Remote Site - route add 192.168.100.0 MASK 255.255.255.0 192.168.100.1
    METRIC 1
    enabled IP routing in registry

    I can ping 192.168.100.1 at main site from client at remote site, but cannot
    ping any other hosts on main site

    I can ping 192.168.101.5 (host pc at remote site) from 192.168.100.1 at main
    site

    Ideally I would like every host at main site to ping every host on remote
    site seamlessly.
    Do I have to add static routes to every host on both networks to be able to
    do this?

    Thanks







     
    exchangerookie1994, Aug 18, 2005
    #3
  4. exchangerookie1994

    Jason Gurtz Guest

    We're missing info about the network in between 192.168.100.0 and
    192.168.101.0

    What I see is
                 +-------------+                    +-----+
    Remote LAN<->| Win2K3 Srv? |<->DSL (private?)<->| Pix |<->MainLAN
                 +-------------+                    +-----+
                                 ^                ^
                                 \________________/
                                          |
    Need to know addys here---------------+

    Then paste route print output on each router. Are there any other routers
    in between? Any filtering going on (esp. on the pix)?
    No, you just need the routes in your routers. Also, use tracert command
    to see where your packets are falling off the edge of the planet; that will
    give clues.

    ~Jason

    --
     
    Jason Gurtz, Aug 18, 2005
    #4
  5. We have a 2 MB copper connection between the 2 lans now. 1 DSL modem on each
    side. Each modem has ethernet out which is going into a switch. Simply put,
    it is just like a long patch cable between internal switches.
    I am on the inside on the pix going out, no filtering on the inside clients.
    Show route output on PIX

    outside 0.0.0.0 0.0.0.0 70.16.191.1 1 OTHER static
    outside 70.16.191.0 255.255.255.0 70.16.191.146 1 CONNECT static
    inside 192.168.100.0 255.255.255.0 192.168.100.1 1 CONNECT static
    inside OaklandRoads 255.255.255.0 192.168.100.241 1 OTHER static

    Route Print on Windows server 2003

    IPv4 Route Table
    ===========================================================================
    Interface List
    0x1 ........................... MS TCP Loopback interface
    0x10003 ...00 50 da 1a 5b 13 ...... 3Com EtherLink XL 10/100 PCI TX NIC (3C905B-TX)
    0x10004 ...00 14 22 0b f3 72 ...... Broadcom NetXtreme 5721 Gigabit Controller
    ===========================================================================
    ===========================================================================
    Active Routes:
    Network Destination  Netmask          Gateway          Interface        Metric
    0.0.0.0              0.0.0.0          192.168.100.1    192.168.100.241  20
    127.0.0.0            255.0.0.0        127.0.0.1        127.0.0.1        1
    192.168.100.0        255.255.255.0    192.168.100.241  192.168.100.241  20
    192.168.100.241      255.255.255.255  127.0.0.1        127.0.0.1        20
    192.168.100.255      255.255.255.255  192.168.100.241  192.168.100.241  20
    192.168.101.0        255.255.255.0    192.168.101.1    192.168.101.1    20
    192.168.101.1        255.255.255.255  127.0.0.1        127.0.0.1        20
    192.168.101.255      255.255.255.255  192.168.101.1    192.168.101.1    20
    224.0.0.0            240.0.0.0        192.168.100.241  192.168.100.241  20
    224.0.0.0            240.0.0.0        192.168.101.1    192.168.101.1    20
    255.255.255.255      255.255.255.255  192.168.100.241  192.168.100.241  1
    255.255.255.255      255.255.255.255  192.168.101.1    192.168.101.1    1
    Default Gateway: 192.168.100.1
    ===========================================================================
    Persistent Routes:
    None
     
    exchangerookie1994, Aug 18, 2005
    #5
  6. Let's back up to the beginning. If you already have a VPN in place then why
    do you think you need to add another 2003 Server as a "router"? Why would
    "setting them on a new IP scheme/ subnet" have anything to do with that?
    What do you mean by that?,...changing the IP Range of the entire remote
    LAN?,...or just adding a new subnet to what they already have?,...that is
    two different things.

    --
    Phillip Windell [MCP, MVP, CCNA]
    www.wandtv.com
    -----------------------------------------------------
    Understanding the ISA 2004 Access Rule Processing
    http://www.isaserver.org/articles/ISA2004_AccessRules.html

    Microsoft Internet Security & Acceleration Server: Guidance
    http://www.microsoft.com/isaserver/techinfo/Guidance/2004.asp
    http://www.microsoft.com/isaserver/techinfo/Guidance/2000.asp

    Microsoft Internet Security & Acceleration Server: Partners
    http://www.microsoft.com/isaserver/partners/default.asp
    -----------------------------------------------------
     
    Phillip Windell, Aug 18, 2005
    #6
  7. No - never had a VPN in place. Everyone is right now on 192.168.100.0/24
    subnet. The remote office is expanding as is the main office. We need to
    segment internal network. The remote lan will have 1 scheme only
    192.168.101.0/24. The main site will have 192.168.100.0 /24. We just need
    these two subnets to communicate seamlessly.
     
    exchangerookie1994, Aug 18, 2005
    #7
  8. exchangerookie1994

    Bill Grant Guest

    From a routing point of view, that is about as simple as you can get.
    You don't really need a server to do it. (you could use a simple hardware
    router or even a workstation). But if you were thinking of using the server
    as a DC as well as a router, my advice is "forget it"! DCs and routing or
    remote access don't mix.

    There is nothing required at the router except to enable IP routing.
    What is important is what you haven't told us. What is the current network
    setup? Does either site have an Internet connection? What is the default
    gateway for the workstations in the two sites?

    If this is the only router the setup is trivial. It looks like this.

    192.168.100.x dg 192.168.100.1
    |
    192.168.100.1 dg blank
    router
    192.168.101.1 dg blank
    |
    192.168.101.x dg 192.168.101.1

    No static routes, no nothing. As long as IP routing is enabled, it works.
    All traffic for the "other" subnet is sent to the router which delivers it
    directly (from its other interface).

    If either site has an Internet connection, the clients will be using the
    Internet router as the default gateway. In that case you will need extra
    routing info to get the traffic to your internal router. You can't add the
    info at the internal router itself.
     
    Bill Grant, Aug 19, 2005
    #8
  9. Sorry for not going into more detail. The main site has the Internet
    connection,-(DSL through PIX 506 firewall,) Antivirus servers, File servers,
    terminal servers, SQL servers, the remote site is only going to have 1 2003
    file server multihomed and setup for lan routing.
    I turned on Lan routing option in RRAS on the remote file server, but I
    could not ping PIX 506 192.168.100.1 at main site from a client 192.168.101.5
    at the remote site. The client 192.168.101.5 has as its DG 192.168.101.1 =
    remote file server.

    I added a static route to the PIX at the main site of 192.168.101.1
    255.255.255.0
    gateway 192.168.100.241 ( which is the IP of the 2003 file server on the
    "main" segment)
    I could then browse internet from remote site from 192.168.101.5.

    However, I could still not ping 192.168.100.3 (AV server) or any of the
    other servers at main site from 192.168.101.5.

    All of the servers at the main site have as their DG 192.168.100.1 -(PIX 506)

    Is it not recommended that I use 2003 file server as a router as well?

    Thanks for your time

     
    exchangerookie1994, Aug 19, 2005
    #9
  10. Sorry to keep pounding with more questions than answers, but there are still
    too many "mysteries". I am only 50% concerned with what you want to do when
    it is done,... I am equally 50% concerned with where you are now before the
    project begins. You can't figure out how to get somewhere until you
    understand where you are leaving from.
    Please do not run off and start "trying things" until we have established
    what is really the right thing to "try". Between me and Bill we can usually
    figure out most things,...but wait till we figure it out first.

    So here's what I know....

    1. You have two sites connected by two DSL lines of **unknown** type and
    configuration. But "whatever" it is,...it does not use VPN.

    2. At least one of the Sites has an IP Range of 192.168.100.x.

    3. The other site uses an **unknown** IP Range and has no functional
    routing, but wishes to have 192.168.101.x and functioning routing when
    finished.

    4. The one site has a PIX in an unknown location on an unknown DSL, but it
    is unknown if this DSL is one of the same two DSL mentioned in item #1

    5. There are currently (it appears) no routing devices in place,...but you
    have "tinkered" with RRAS to no avail.

    Can you see why at this point nothing can be suggested for certain?

    Here is what we need to know:

    1. I need to know what is the IP Range of both Sites as they stand before
    you do anything to them.

    2. How are they *currently* communicating over the DSL Lines and yet somehow
    not be using VPN.

    3. What Devices are at each end of the two DSL Lines? Two lines would imply
    4 Devices (2 per Site),..or it could be one Device at each Site if they are
    designed with Dual WAN ports.

    4. If these two DSL Lines are dedicated to these two Sites (like a closed
    private system), then what is currently being used to access the
    Internet? How will that change when the project is completed?

    --
    Phillip Windell [MCP, MVP, CCNA]
    www.wandtv.com
     
    Phillip Windell, Aug 19, 2005
    #10
  11. Here is what we need to know:

    1. I need to know what is the IP Range of both Sites as they stand before
    you do anything to them.
    answer = both sites are at 192.168.100.0/24 right now


    2. How are they *currently* communicating over the DSL Lines and yet somehow
    Answer = they are communicating over a direct copper circuit between the 2
    sites.
    I believe it is called a ladda circuit. Again, everything right now is on the
    inside of the firewall. Think of it as another floor in the same building the
    only thing being different is the connection speed of 2 MB between the 2 sites


    3. What Devices are at each end of the two DSL Lines? Two lines would imply
    Answer = between the 2 site there are DSL modems 1 at each site that convert
    the DSL (ladda circuit) to ethernet. At the main site we have 1 Internet DSL
    line that everyone shares to get to the internet - this is the only way out
    to Internet.

    4. If these two DSL Lines are dedicated to these two Sites (like a closed
    Answer = This is a private closed circuit between offices. Currently main
    site and remote site all go through the only Internet DSL line which is at
    the main site- this will not change.

     
    exchangerookie1994, Aug 19, 2005
    #11
  12. Ah! Very good. There isn't as much to that as what first seemed. About all
    you do is change the IP Range on the segment you want to change and then add
    one router,....a "real" router, not a NAT Device,... but I think you know
    that..., at either one end or the other. It doesn't matter at which end it
    physically goes on. You do not actually change anything on the Private DSL
    and the modems are simply (or should simply be) Layer2 devices and should
    not have any IP#s. If they do have IP#s for management purposes just be
    sure to keep both of them on the same side of the router with compatible
    addresses and they must also use the LAN Router as their Default Gateway
    just as all the other hosts do.

    There are *no* static routes to create on the router,...routers
    automatically know what to do with networks that they are "directly
    connected" to,...and in your case they are directly connected. All the
    Clients in both segments will use the LAN Router as their Default Gateway
    (not the Internet Device),...then the Router will use the Internet Device as
    its Default Gateway.

    On the Internet Sharing Device at the main site (whatever the device it is
    you are using for that),...requires the new remote IP Range be added to the
    Local Address Table (LAT). They may use a different name for it, but that
    is technically what it really is. Then there is one (only one) static route
    that is added on the Internet Device that tells it to use the LAN Router to
    reach the remote segment.

    I don't have any documents for using RRAS as a LAN router anymore but there
    isn't much to it,..you just have to keep in mind that you are doing regular
    Layer3 Routing,..Not NAT. Also be sure to do everything from the RRAS
    interface and don't fool around with "reg hacks" or "commandline
    stuff",...everything you need is in the GUI for RRAS,...use it.


    --
    Phillip Windell [MCP, MVP, CCNA]
    www.wandtv.com
     
    Phillip Windell, Aug 19, 2005
    #12
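
Added example, not part of the thread: a small Python model of the topology discussed above that traces a packet hop by hop, showing why replies from a main-site server were lost while its default gateway was the PIX and why pointing it at the LAN router fixes it. The node names, the /24 simplification and the rule that the firewall does not send a packet back out the interface it arrived on are assumptions of the model.

```python
import ipaddress

def lookup(routes, dst):
    """Longest-prefix match; returns the gateway, or None when dst is on-link."""
    hits = [(ipaddress.ip_network(net), gw) for net, gw in routes.items()
            if ipaddress.ip_address(dst) in ipaddress.ip_network(net)]
    if not hits:
        raise LookupError("no route to " + dst)
    return max(hits, key=lambda h: h[0].prefixlen)[1]

def owner(nodes, addr):
    return next(name for name, n in nodes.items() if addr in n["addrs"])

def trace(nodes, src, dst, max_hops=8):
    """Follow one packet hop by hop; returns (delivered, names of nodes visited)."""
    here, arrived_on, path = owner(nodes, src), None, []
    for _ in range(max_hops):
        node = nodes[here]
        path.append(here)
        if dst in node["addrs"]:
            return True, path
        if arrived_on and not node.get("forwards"):
            return False, path      # an ordinary host does not route for others
        gw = lookup(node["routes"], dst)
        if gw is None:              # destination is directly connected
            return True, path + [owner(nodes, dst)]
        lan = ipaddress.ip_network(gw + "/24", strict=False)  # model: every LAN is a /24
        if arrived_on and ipaddress.ip_address(arrived_on) in lan \
                and not node.get("hairpin", True):
            return False, path      # next hop is back out the arrival interface
        here, arrived_on = owner(nodes, gw), gw
    return False, path

def build(server_dg):
    """Constructed topology using the addresses from the thread."""
    main, remote = "192.168.100.0/24", "192.168.101.0/24"
    return {
        "client": {"addrs": ["192.168.101.5"],
                   "routes": {remote: None, "0.0.0.0/0": "192.168.101.1"}},
        "w2k3":   {"addrs": ["192.168.100.241", "192.168.101.1"], "forwards": True,
                   "routes": {main: None, remote: None, "0.0.0.0/0": "192.168.100.1"}},
        # Assumption: the firewall will not forward back out its inside interface.
        "pix":    {"addrs": ["192.168.100.1"], "forwards": True, "hairpin": False,
                   "routes": {main: None, remote: "192.168.100.241"}},
        "server": {"addrs": ["192.168.100.3"],
                   "routes": {main: None, "0.0.0.0/0": server_dg}},
    }

if __name__ == "__main__":
    for dg in ("192.168.100.1", "192.168.100.241"):   # PIX first, then LAN router
        print(dg, trace(build(dg), "192.168.100.3", "192.168.101.5"))
```

In the model the request from 192.168.101.5 always reaches 192.168.100.3; only the reply path changes with the server's default gateway.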
  13. That did it. Thanks for the extra effort.



     
    exchangerookie1994, Aug 19, 2005
    #13
  14. Very good, sir!

    --
    Phillip Windell [MCP, MVP, CCNA]
    www.wandtv.com
     
    Phillip Windell, Aug 22, 2005
    #14