Multihomed network - troubles with routing

Discussion in 'Server Networking' started by L. Hummel, Jan 28, 2004.

  1. L. Hummel

    L. Hummel Guest

    Hi all,

    I have a problem with a multihomed network, which I am
    currently trying to configure. I have a domain controller
    with 2 NICs - the first with IP 192.168.0.100 connecting
    to an internal network. The second NIC has the IP address
    192.168.1.10, and it connects via a network cable to a
    router which provides Wireless access for notebooks
    running XP. This router has IP 192.168.1.254. Another
    port of the router connects to a cable modem for internet
    access.

    The Domain Controller is working as DHCP server.

    Now, all hosts can connect to the Internet, and when I
    connect a notebook through the wireless router, I can
    ping the notebook from the domain server, but when I try
    to ping the domain server from the notebook, I receive
    either no reply (time-out), or, when I try to connect the
    notebook directly to the NIC (192.168.1.10), I get the
    message that the server is not available.

    I have checked that DHCP is enabled and activated, but
    nevertheless the problem remains.

    Does anybody have a clue what could be wrong?

    Thanks in advance.

    Best regards,
    L. Hummel, Denmark
     
    L. Hummel, Jan 28, 2004
    #1

  2. L. Hummel

    Rob Elder Guest

    Is the DNS setting on the 192.168.1.x network pointing to the server
    hosting your AD domain?

    Rob Elder
     
    Rob Elder, Jan 28, 2004
    #2

  3. L. Hummel

    Guest Guest

    Yes, it is.

    L. Hummel

     
    Guest, Jan 28, 2004
    #3
  4. You need to configure static routes on your laptops so they can find the
    192.168.0.x network:

    route -p add 192.168.0.0 mask 255.255.255.0 192.168.1.10

    Or - you may be able to configure this route on your router.

    Doug Sherman
    MCSE Win2k/NT4.0, MCSA, MCP+I, MVP
     
    Doug Sherman [MVP], Jan 28, 2004
    #4
  5. L. Hummel

    L. Hummel Guest

    I have tried that - without luck

    L. Hummel
     
    L. Hummel, Jan 28, 2004
    #5
  6. L. Hummel

    sharad Guest

    How does the notebook get the IP? Static or through DHCP? What scope have
    you set in DHCP, in the 192.168.1.x subnet
    or the 192.168.0.x subnet? Did you configure a BOOTP/DHCP Relay agent on the
    router and enter the IP helper address
    as the DHCP server IP?

    Sharad
     
    sharad, Jan 28, 2004
    #6
  7. Is the domain controller running Windows Server 2003? If so, and you
    enabled routing through RRAS, you may have also enabled the basic firewall?

    Doug Sherman
    MCSE Win2k/NT4.0, MCSA, MCP+I, MVP
     
    Doug Sherman [MVP], Jan 28, 2004
    #7
  8. L. Hummel

    Bill Grant Guest

    I can see a couple of potential problems here. The first is the routing,
    and the second separate problem is the multihomed DC.

    The routing should work as long as the Internet router knows how to
    reach the 192.168.0 subnet via the W2k machine. (By default it will try to
    send this traffic to the Internet.) So you need a static route on this
    router to forward 192.168.0 traffic to the W2k router, e.g.

    192.168.0.0 255.255.255.0 192.168.1.10

    The network looks like this?

    Internet
    |
    public IP
    router ------------wireless network IP?
    192.168.1.254 dg?
    |
    192.168.1.10 dg 192.168.1.254
    W2k
    192.168.0.100 dg blank
    |
    workstations
    192.168.0.x dg 192.168.0.100

    If the wireless network clients use the router as their default gateway
    and you add the static route to the router, you should be able to ping
    between the local networks by IP.

    The multihomed DC could give you assorted browsing and name resolution
    problems. I would disable Netbios over TCP/IP on the 192.168.1.10 interface,
    so that the DC is only seen on its 192.168.0 IP address. DNS can also be
    affected if you have enabled dynamic DNS. Make sure DNS only listens on the
    192.168.0.100 interface, so that it does not register multiple IPs for the
    server.
     
    Bill Grant, Jan 28, 2004
    #8
  9. L. Hummel

    L. Hummel Guest

    Yes, indeed the basic firewall was activated - when I
    unchecked it, everything worked perfectly. Great!

    Thanks very much for your help.
     
    L. Hummel, Jan 29, 2004
    #9
  10. L. Hummel

    L. Hummel Guest

    Hi...

    Well, the troubles didn't completely stop, although I am
    now able to ping the NIC from the workstation. I now have
    a different problem. First, the network is Windows Server
    2003 based, and all workstations and notebooks run either
    W2K or XP Pro. An illustration of the topology of the
    network is shown here:

    WWW (through T1 line)
    |
    | Notebooks... 192.168.1.x
    | |
    | Antenna
    | |
    Wireless Router/HUB 192.168.1.254
    | |
    | |
    | Hub---------- Workstations (group 2)
    | 192.168.1.x
    | (dg 192.168.1.10)
    |
    |
    |
    | 192.168.1.x
    192.168.1.10 |
    Domain Controller/DHCP Server (dg 192.168.1.254)
    192.168.0.100 |
    | 192.168.0.x
    |
    |
    |
    |
    Workstations (group 1) 192.168.0.x
    (dg 192.168.0.100)

    On the server, the NIC with IP 192.168.1.10 has been
    configured as a public interface connected to the
    Internet, and NAT has been enabled.

    The NIC with IP 192.168.0.100 has been configured as a
    private interface connected to a private network.

    First, I can connect to the WWW from all workstations and
    notebooks (although I can only connect the notebooks via
    the HUB in the Wireless Adapter, as the wireless part
    still remains to be configured, which I will do later).

    Now, when I connect a PC to the HUB in the Wireless
    adapter (group 2), it receives an IP via DHCP as it
    should, and I can "ping" the NIC 192.168.1.10 without
    problems.

    Furthermore, from any workstation in group 1, I can also
    ping the IP, which the workstation has received from
    DHCP, so this is also Ok.

    However, the problem arises when I try to "ping" any IP
    in the 192.168.0.x subnet (group 1) from any workstation
    in group 2.

    So, the PCs in group 1 can all "see" the PCs in group 2,
    while the opposite is not the case.

    Does anybody know what the problem can be?

    Thanks in advance.

    L. Hummel
     
    L. Hummel, Jan 29, 2004
    #10
  11. L. Hummel

    Bill Grant Guest

    To be frank, I think this is a mess! I think you should have a hard look
    at what you are trying to do, and start again.

    It is never a good idea to use a DC as a router, especially the
    first/only DC in a domain or forest. Why are you running NAT on the Windows
    server, when both subnets are private? Surely whatever does NAT for
    192.168.1.0 could also do NAT for 192.168.0.0 ? You must be running NAT
    twice - once at the RRAS server from 0.0 to 1.0 and then again from 1.0 to a
    "real" public IP.

    If you are running NAT on the RRAS server, you will not be able to ping
    the 0.0 machines from 1.0 machines. NAT is a one-way address translation -
    you can get out but not in! That is how it was designed. As far as NAT is
    concerned, the 1.0 subnet is the public Internet, and your private LAN
    cannot be seen from there.

    Begin by looking closely at the hardware (firewall/router) which
    connects your network to the Internet and seeing what it can do. Consider
    linking your LAN directly to this device, with your DC running as a single
    homed server. If it supports LAN routing, you may be able to connect both
    subnets through it. If you can't do it that way, consider using some other
    device to act as a router between the subnets (not your server). It does not
    need to do NAT. All it needs is to act as an IP router between the subnets.
    Your firewall/router should do NAT for both subnets.

    Adding the wireless connection should not make any difference to your
    LAN routing. The wireless AP just bridges your wireless LAN to your
    192.168.1.0 wired LAN. As far as the rest of the network is concerned, they
    are the same!
     
    Bill Grant, Jan 30, 2004
    #11
  12. L. Hummel

    L. Hummel Guest

    Hi,

    Yes, I admit that it is a little bit messy; however, as we
    within a short time receive an additional (and very
    powerful) machine which is going to take over the role as
    domain controller, everything is going to be more straight
    at that time. However, as we are in a bit hurry, we need
    to set as much up as possible as fast as possible.

    Anyway, I have removed the NAT features and now I can ping
    everything from everywhere - except from my machines on
    the group 1 subnet. On these machines I can ping all
    machines on the group 2 network; however, the IP of the
    Wireless router (192.168.1.254) is _not_ reachable,
    although I can reach all other machines on the 192.168.1.x
    network.

    However, from the server as well as all machines on the
    group 2 network, I can ping the router as well as
    everything else in both groups.

    But, as the router IP cannot be reached from group 1, the
    machines in group cannot reach the Internet either.

    I think that we are "almost there", but I hope that the
    last details can be sorted out. Does anybody have an idea of
    what is missing?

    Thanks in advance.

    L. Hummel
     
    L. Hummel, Jan 30, 2004
    #12
  13. L. Hummel

    Bill Grant Guest

    To make the wireless router pingable you need to add a static route to
    it. It needs to know that it can reach the 192.168.0.0 subnet through the
    W2k router. (Otherwise it uses its default route, which is out to the
    Internet!) So give it a static route

    192.168.0.0 255.255.255.0 192.168.1.10
     
    Bill Grant, Jan 31, 2004
    #13
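
The return-path problem described in post #13, as an added example that is not part of the original thread: a longest-prefix-match lookup over constructed routing tables for the wireless router and the multihomed server. The table contents, the interface labels, the `isp-gateway` placeholder and the sample host 192.168.0.50 are assumptions made for illustration.

```python
import ipaddress

def lookup(table, dst):
    """Longest-prefix match: return (next_hop, interface) for dst."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, iface in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2]

# Constructed table for the wireless router (192.168.1.254) as shipped:
# its own LAN plus a default route out of the WAN port.
ROUTER_BEFORE = [
    ("192.168.1.0/24", "on-link", "lan"),
    ("0.0.0.0/0", "isp-gateway", "wan"),  # placeholder next hop
]
# The static route from the thread: 192.168.0.0 255.255.255.0 192.168.1.10
ROUTER_AFTER = ROUTER_BEFORE + [("192.168.0.0/24", "192.168.1.10", "lan")]

# Constructed table for the multihomed server acting as the LAN router.
SERVER = [
    ("192.168.0.0/24", "on-link", "nic-192.168.0.100"),
    ("192.168.1.0/24", "on-link", "nic-192.168.1.10"),
    ("0.0.0.0/0", "192.168.1.254", "nic-192.168.1.10"),
]

def echo_reply_reaches(router_table, client_ip):
    """Follow the router's echo reply hop by hop; True if it gets back to the client."""
    next_hop, iface = lookup(router_table, client_ip)
    if iface == "wan":
        return False              # reply leaves towards the Internet and is lost
    if next_hop == "on-link":
        return True               # client sits on the router's own LAN
    # Reply was handed to the server (192.168.1.10); it must deliver it on-link.
    return lookup(SERVER, client_ip)[0] == "on-link"

if __name__ == "__main__":
    for name, table in (("before", ROUTER_BEFORE), ("after", ROUTER_AFTER)):
        for client in ("192.168.0.50", "192.168.1.50"):
            print(name, client, lookup(table, client), echo_reply_reaches(table, client))
```

The request from a group 1 host always arrives at the router, because the server forwards it on-link; only the reply depends on the router's table, which is why group 2 hosts could be pinged while 192.168.1.254 itself could not.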
  14. L. Hummel

    L. Hummel Guest

    Hi again,

    Yes, now everything seems to function perfectly.

    Thanks very much for your help.

    Best regards,

    L. Hummel, Denmark
     
    L. Hummel, Feb 4, 2004
    #14