NAT without DHCP? (w2k3)

Discussion in 'Server Networking' started by Alex Smirnoff, Aug 12, 2006.

  1. Setup scenario: Windows Server 2003 R2 x64, two network cards - one public
    and one private. I followed all instructions and installed routing and remote
    access services, configured one network interface as public and another as
    private (with IP 10.0.0.16). Everything works fine and server can access
    internet.

    Then I started configuring another machine on the internal network to use
    first machine as router and got stuck. I don't want to use DHCP allocator and
    want to assign internal addresses manually. So I configured second machine
    as such (it is another W2K3 R2 x64, if it matters):

    IP Address. . . . . . . . . . . . : 10.0.2.10
    Subnet Mask . . . . . . . . . . . : 255.0.0.0
    Default Gateway . . . . . . . . . : 10.0.0.16
    DNS Servers . . . . . . . . . . . : 10.0.0.16

    Again, everything works and I can ping one machine from another. But I
    cannot access outside world from the second machine. I realized that first
    server will not do NAT because it doesn't know that it should do it for
    particular internal IP.

    So how can I get the main server to do NAT for all internal network without
    using DHCP?

    I would really appreciate any help/advice.

    Alex
     
    Alex Smirnoff, Aug 12, 2006
    #1

  2. Bill Grant (Guest)

    You do not have to use the DHCP-style allocator in NAT. You can use
    static IPs or you can run DHCP on one of your servers. But you do have to
    configure NAT on the RRAS server. Just leave the area for IP addresses
    blank. As long as you set the RRAS server's private IP as the default
    gateway on the second machine (which you have done) it should work for any
    10.x.x.x address.
     
    Bill Grant, Aug 12, 2006
    #2

  3. When you say "But you do have to configure NAT on the RRAS server, just
    leave the area for IP addresses blank", what do you mean? NAT is enabled on
    the public interface of the RRAS server already. What is this "area for IP
    addresses" - I just don't see it.
     
    Alex Smirnoff, Aug 12, 2006
    #3
  4. Bill Grant (Guest)

    The dhcp-style allocator in NAT is not configured automatically. If you
    want to use it, you configure a pool of IP addresses for NAT to allocate to
    the client machines. (You do this from the NAT Properties sheet). If you do
    not configure any addresses, you need to set up a DHCP server on the LAN or
    use static config for the hosts. Either setup should work.

    NAT is a fairly simple setup. There are really only a few things that
    must be set for it to work.

    1. The public interface must have a default route out to the Internet.
    2. The public and private interfaces to be used must be assigned in NAT.
    3. The client machines must use the NAT router's private interface as their
    default gateway.

    What are you doing about DNS? If the client uses the server's private
    NIC IP address for DNS, NAT will act as a DNS relay and forward the DNS
    requests to your ISP (or whatever the server's public NIC uses).
     
    Bill Grant, Aug 13, 2006
    #4
  5. Ok, if I right-click NAT/Basic Firewall node in the tree and then select
    properties, on address assignment tab I see "Automatically assign IP
    addresses by using DHCP allocator" - not what I need. If I right-click on my
    public interface, I see "Address pool" tab but it defines "range of public IP
    addresses assigned to you", according to the documentation. So how is that pool
    of internal IP addresses configured?

    Configuring DNS was really easy - I just enabled name resolution in the
    NAT/Basic firewall properties.
     
    Alex Smirnoff, Aug 13, 2006
    #5
  6. Bill Grant (Guest)

    That is a different address pool. That applies to your public interface
    and is only used if you have been allocated a number of public IP addresses
    by your ISP.

    (Just to add to the confusion there is another pool of addresses in RRAS
    which you can allocate to remote access clients. You don't need to do
    anything with them either in your case).
     
    Bill Grant, Aug 13, 2006
    #6
  7. Bill, I'm still confused. Can you knock me on the forehead :) and tell me where
    that dialog to configure the address pool for the private network is? What should
    I right-click first?
     
    Alex Smirnoff, Aug 13, 2006
    #7
  8. Bill Grant (Guest)

    You said earlier that you enabled DNS from the tab in the NAT properties
    sheet. Right alongside that tab on the properties sheet is the address
    allocation tab. Click that, check the box to allocate IPs and put the IP
    subnet you want to use in the box (or use the default setting of
    192.168.0.0/24).
     
    Bill Grant, Aug 14, 2006
    #8
  9. Yes, I finally figured it out (_really_ confusing): this property page is
    located in the computer properties dialog and initially I was looking at
    the "nat/rras" dialog.

    However, it still doesn't work. This is what I have in the dialog:

    Static address pool
    From: 10.0.0.0
    To: 10.255.255.255
    Number of addresses:16,277,216
    IP address: 10.0.0.0
    Mask: 255.0.0.0

    What is confusing this time is ip address: 10.0.0.0. Why is it not set to
    the private address of the NAT machine?

    I also enabled NAT tracing - maybe this can help? (ipnathlp.log):

    [1860] 23:53:08: DnsReadCompletionRoutine
    [1860] 23:53:08: DnsProcessQueryMessage
    [1860] 23:53:08: DnsProcessQueryMessage: Dns_ParseMessage succeeded!!
    [1860] 23:53:08: DnsProcessQueryMessage: www.yahoo.com (FALSE)
    [1860] 23:53:08: DnsProcessQueryMessage: (0x000025e5) DNS record does not exist.
    [1860] 23:53:08: DnsIsPendingQuery
    [1860] 23:53:08: DnsRecordQuery
    [1860] 23:53:08: DnsSendQuery
    [1860] 23:53:08: DnsSendQuery: sending query 2480 interface 65543 to xx.xx.xx.xx
    [1860] 23:53:08: DnsSendQuery: sending query 2480 interface 65543 to xx.xx.xx.xx
    [528] 23:53:08: DnsWriteCompletionRoutine
    [528] 23:53:08: DnsMapResponseToQuery
    [528] 23:53:08: DnsWriteCompletionRoutine: sent query 2480 interface 65543
    [1860] 23:53:08: DnsWriteCompletionRoutine
    [1860] 23:53:08: DnsMapResponseToQuery
    [1860] 23:53:08: DnsWriteCompletionRoutine: sent query 2480 interface 65543
    [1860] 23:53:08: DnsReadCompletionRoutine
    [1860] 23:53:08: DnsProcessResponseMessage
    [1860] 23:53:08: DnsMapResponseToQuery
    [1860] 23:53:08: DnsWriteCompletionRoutine
    [1860] 23:53:08: DnsMapResponseToQuery
    [1860] 23:53:08: DnsWriteCompletionRoutine: removing query 2480 interface 65543
    [1860] 23:53:08: DnsDeleteQuery
    [1860] 23:53:08: DnsReadCompletionRoutine
    [1860] 23:53:08: DnsProcessResponseMessage
    [1860] 23:53:08: DnsMapResponseToQuery
    [1860] 23:53:11: DnspQueryTimeoutCallbackRoutine
    [1860] 23:53:11: DnsLookupInterface
    [1860] 23:53:11: DnsMapResponseToQuery
    [1860] 23:53:11: DnspQueryTimeoutCallbackRoutine: query 2480 interface 65543 not found
     
    Alex Smirnoff, Aug 14, 2006
    #9
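
    An added example, not part of the original thread: a small parser for trace lines in the ipnathlp.log format quoted above, which tracks each relayed DNS query and lists those that were sent but never removed. The function names are hypothetical, the sample is constructed, and reading "removing query" as "a response was handled" is an assumption drawn from the order of entries in the excerpt.

```python
import re

# Constructed sample in the format of the excerpt above, including the hard
# line wraps introduced by the forum. Query 2481 is invented for contrast.
SAMPLE = """\
[1860] 23:53:08: DnsProcessQueryMessage: www.yahoo.com (FALSE)
[1860] 23:53:08: DnsSendQuery: sending query 2480 interface 65543 to
xx.xx.xx.xx
[528] 23:53:08: DnsWriteCompletionRoutine: sent query 2480 interface 65543
[1860] 23:53:08: DnsWriteCompletionRoutine: removing query 2480 interface
65543
[1860] 23:53:11: DnspQueryTimeoutCallbackRoutine: query 2480 interface 65543
not found
[1860] 23:53:12: DnsSendQuery: sending query 2481 interface 65543 to
xx.xx.xx.xx
"""

LINE = re.compile(r"^\[(\d+)\] (\d\d:\d\d:\d\d): (\w+)(?:: (.*))?$")
QUERY = re.compile(r"query (\d+) interface (\d+)")

def unwrap(text):
    """Join continuation lines (no leading '[tid]') onto the previous record."""
    records = []
    for raw in (line.strip() for line in text.splitlines()):
        if not raw:
            continue
        if raw.startswith("[") or not records:
            records.append(raw)
        else:
            records[-1] += " " + raw
    return records

def query_states(text):
    """Map (query id, interface) to the last state seen for that query."""
    states = {}
    for rec in unwrap(text):
        m = LINE.match(rec)
        q = QUERY.search(m.group(4)) if m and m.group(4) else None
        if not q:
            continue  # routine-entry lines carry no query id
        key, msg = (int(q.group(1)), int(q.group(2))), m.group(4)
        for prefix, state in (("sending", "sending"), ("sent", "sent"),
                              ("removing", "removed")):
            if msg.startswith(prefix):
                states[key] = state
        if msg.endswith("not found"):
            states.setdefault(key, "unknown")  # timer fired after removal
    return states

def unanswered(text):
    """Queries that were sent upstream but never removed (assumed: no reply)."""
    return sorted(k for k, s in query_states(text).items() if s != "removed")
```

    On the constructed sample, query 2480 ends in the "removed" state and only the invented query 2481 is reported as unanswered.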
  10. Bill Grant (Guest)

    What it says is correct. You have selected the IP subnet 10.0.0.0 with a
    subnet mask of 255.0.0.0. That subnet contains over 16 million IP
    addresses starting from 10.0.0.1. Addresses ending in zero are subnet
    addresses, not individual machine addresses.

    Making this change should not have made any difference to your setup,
    except that you could now use NAT to give your client machine its network
    config (by setting it back to obtain its IP and DNS addresses
    automatically).

    My guess is that you have not configured the public interface correctly.
    How does your server connect to the Internet? Does it use a PPPoE
    connection?

     
    Bill Grant, Aug 14, 2006
    #10
  11. "My guess is that you have not configured the public interface correctly."
    It has direct connection with static ip. I can access the Internet from the
    main server machine without any problems.
     
    Alex Smirnoff, Aug 14, 2006
    #11
  12. How can I troubleshoot the problem and see why ip packets from the private
    network don't go outside? DNS works perfectly fine but nothing else. tracert
    displays timeout on the first hop.

    I have no idea where else to look. Firewall allows all outgoing packets from
    the main server.

    Alex

     
    Alex Smirnoff, Aug 15, 2006
    #12