Need help with specific router/Win2003 server setup

Discussion in 'Server Networking' started by Martijn Tonies, Nov 14, 2007.

  1. Hi,

    Thank you for reading this message; let me first state I'm not a
    network wizard at all. This question is regarding my home office
    setup and I could use some help.

    What I have here, is the following:

    A) 1 ADSL router, internal IP address 192.168.1.1, type Netopia 3356
    B) 1 Windows 2003 Server, connected to (A) with a LAN card, IP
    address 192.168.1.100. Also connected to the "internal" network via a
    separate LAN card, IP address 192.168.2.1
    C) A 2nd Windows 2003 Server, connected to (B) via a hub, IP address
    192.168.2.5, gateway 192.168.2.1
    D) several workstations/client PCs, running W2000, XP etc, DNS IP
    addresses, gateway 192.168.2.1 (also via DNS)

    Server (B) runs several small websites and newsgroups by forwarding
    some ports on the outside to 192.168.1.100. This works fine.

    What I would like, is to create 1 "server" on the outside and forward it
    to 192.168.2.5 on the inside. On the outside, I would like only 1 IP
    address to gain access to that particular "service".

    Server B has IP Routing turned ON, the router A is able to create static
    routes and so on.

    However, I have no idea whatsoever how to create this.

    Should I change something at Server B? Or in Router A?

    Can someone help me with this?
     
    Martijn Tonies, Nov 14, 2007
    #1

  2. Anthony Guest

    Hi Martijn,
    To make this work you would create a static route on the router A, sending
    all 192.168.2.0 traffic to the gateway 192.168.1.100. Server B would forward
    it automatically to its 192.168.2.1 interface and on to Server C.
    However, I think it is a complicated design that is not achieving much. In my
    opinion your best approaches would be:
    1) One flat network behind the router. Use the Windows firewalls to restrict
    traffic between machines on your network.
    2) If the netopia is capable of it, create two VLANs on the router, and put
    Server A in one, and everything else on the other. As you are still allowing
    inbound traffic to Server C this is marginal benefit, but I guess there's a
    difference in that traffic to Server C is restricted to 1 IP address only,
    whereas to Server B it is open.
    Hope that helps,
    Anthony, http://www.airdesk.com
     
    Anthony, Nov 14, 2007
    #2

  3. Hello Anthony,

    Thank you for your reply.
    Router A has a subnet of 255.255.252.0, default IP gateway of 127.0.0.2
    and backup IP gateway of 194.159.73.22 (as per ISP settings). I changed
    the subnet from 255.255.255.0 to what it is now.

    I created a static route of 192.168.2.0/255.255.255.255 to 192.168.1.100
    as the "next gateway".

    However, when I use "telnet" to test the connection to the outside (ADSL)
    IP address at the correct port, it does not connect to Server C.
    Are you sure this will happen automatically? See above, it doesn't appear
    to be happening, or I still have something wrong somewhere. I have been
    trying this before, but no luck yet :-/
    You mean everything to 192.168.1.x ?

    Should I then only accept incoming traffic at router A via the defined ports
    (servers) as I'm running now?
    What I noticed when setting up "Servers" in the Router A, is that I can
    specify a specific "public address", wouldn't that be my restriction then?

    --
    Martijn


     
    Martijn Tonies, Nov 14, 2007
    #3
  4. Anthony Guest

    Hi Martijn,
    Just an explanation: 255.255.25x.x is a "mask". It tells the routing which
    part of the address to look at.
    1) You should leave the IP address, mask and gateway of the router as
    whatever the ISP settings were.
    2) The static route should be 192.168.2.0/255.255.255.0 192.168.1.100 (note
    the mask. 255.255.255.255 would be a specific host, not an address range.)
    3) Yes, just put all the computers on the 192.168.1.0 subnet
    4) Yes, you should only allow specific traffic to specific IP addresses. I
    don't know that router. With consumer routers you are dealing with wizards
    and web pages to simplify the configuration. The principles are the same
    though. To access from outside you need to:
    - specify the source: either a specific host, or "any"
    - specify the port or protocol (e.g. SMTP or 25)
    - specify the destination: which server
    - specify the external address to translate (NAT) to an internal address
    "Forwarding" on consumer routers is a way of simplifying this. For example,
    if you only have one external IP address, you can "forward" different ports
    to different servers, meaning the router will translate to different
    internal addresses for different types of traffic.
    Hope that helps,
    Anthony, http://www.airdesk.com



     
    Anthony, Nov 14, 2007
    #4
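The mask point in Anthony's reply, as an added example (this is not code from the thread): a longest-prefix route lookup over a table like Router A's, with the static route once as Martijn entered it (mask 255.255.255.255) and once with the 255.255.255.0 mask Anthony gives. Both tables are constructed for the example, and the "isp" next hop stands in for the router's default gateway.

```python
"""Longest-prefix route lookup, to show what the subnet mask on a static
route does.

Added example, not code from the thread.  Both tables are constructed: the
first carries the 192.168.2.0 route with the 255.255.255.255 mask Martijn
first entered on Router A, the second the 255.255.255.0 mask Anthony gives.
"isp" stands in for the router's default gateway.
"""
from ipaddress import IPv4Address, IPv4Network
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    network: IPv4Network   # destination prefix: address plus mask
    next_hop: str          # gateway address, or "direct" for a connected subnet


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Return the most specific route whose prefix contains dst, else None."""
    addr = IPv4Address(dst)
    matches = [r for r in table if addr in r.network]
    if not matches:
        return None
    # Longest prefix wins; the default route (/0) only matches as a last resort.
    return max(matches, key=lambda r: r.network.prefixlen)


def next_hop_for(table: List[Route], dst: str) -> Optional[str]:
    r = lookup(table, dst)
    return r.next_hop if r else None


def table_with_mask(mask: str) -> List[Route]:
    """Router A's table with the static route for 192.168.2.0 under the given mask."""
    return [
        Route(IPv4Network("0.0.0.0/0"), "isp"),                     # default route
        Route(IPv4Network("192.168.1.0/255.255.255.0"), "direct"),  # router's own LAN
        Route(IPv4Network("192.168.2.0/" + mask), "192.168.1.100"), # via Server B
    ]


WRONG_TABLE = table_with_mask("255.255.255.255")   # as first entered: one host only
RIGHT_TABLE = table_with_mask("255.255.255.0")     # the whole 192.168.2.x subnet


if __name__ == "__main__":
    for name, table in (("/32 mask", WRONG_TABLE), ("/24 mask", RIGHT_TABLE)):
        print(name, "192.168.2.5 ->", next_hop_for(table, "192.168.2.5"))
```

With the 255.255.255.255 mask the only destination the route covers is 192.168.2.0 itself, so a packet for Server C (192.168.2.5) falls through to the default route and leaves toward the ISP instead of toward 192.168.1.100; with the /24 mask it is handed to Server B as intended.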
  5. Hello Anthony,
    Right, added to the Router A.

    But how does the network card with 192.168.1.100 on Server B know to
    forward this IP address to the internal network?

    As in: nope, it still doesn't work :-(
    Hmm, tried that, for some reason it failed miserably.
    I figured.
    Yes, I figured that out, but the router A cannot reach 192.168.2.x ...
     
    Martijn Tonies, Nov 14, 2007
    #5
  6. Anthony Guest

    Martijn,
    First off, you would be best off not using the server as a router, but just
    having them all on the same subnet behind the router. Its the simplest
    solution. However...
    Can you clarify for me. You said in your first post that you have
    workstations D and a server C on a subnet with Server B as the gateway,
    going on to the router A. If this worked, and you could get onto the
    internet, then you have routing working on Server B. Is that the case?
    How are you establishing whether outside traffic can get in to your network?
    What are you doing on the router to test the connection back to C? Do you
    have the firewalls on the servers and workstations blocking icmp?
    Anthony, http://www.airdesk.com




     
    Anthony, Nov 14, 2007
    #6
  7. Hello Anthony,
    I just tried that, but server B has 2 network cards (no hub available at
    that physical location, the hub is somewhere else). The "internal" card
    goes to the hub and the "external" card goes to the Router A.

    The IP address of "internal" is used as the gateway on Server C and
    workstations.
    Yes, network card "external" has "connected to the internet" turned ON
    in Windows 2003 server, while "internal" has "private network" checked.

    Using telnet from one of the workstations on a specific port. I also used
    telnet from an external internet connection while the incoming port was
    still available for "all external addresses" in Router A.
    I've tried setting up a "static route" on "external" to "internal" and
    allowing ports, but no luck yet.
     
    Martijn Tonies, Nov 14, 2007
    #7
  8. Anthony Guest

    Can you successfully access the internet from workstations D, or not?
     
    Anthony, Nov 14, 2007
    #8
  9. Can you successfully access the internet from workstations D, or not?

    Yes, that's what I'm doing right now :)

    This is what ipconfig says on my workstation:

    DHCP Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    IP Address. . . . . . . . . . . . : 192.168.2.153
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.2.1
    DHCP Server . . . . . . . . . . . : 192.168.2.1
    DNS Servers . . . . . . . . . . . : 194.159.73.136
    194.159.73.135
     
    Martijn Tonies, Nov 15, 2007
    #9
  10. Anthony Guest

    Hi Martijn,
    That's great, so we have established that Server B is already routing
    between your two subnets.
    Does traffic successfully enter from the internet to Server B for the web
    sites etc you have set up?
    Anthony, http://www.airdesk.com
     
    Anthony, Nov 15, 2007
    #10
  11. Hello Anthony,
    At least to the "outside", yes.
    Yes, but Server B runs the websites etc on the "external" card, which is
    on the 192.168.1.x subnet.

    I can ping - obviously - Server C (192.168.2.5) when I'm on Server B
    (which has 192.168.2.1 as the IP on "internal").

    --
    Martijn

     
    Martijn Tonies, Nov 15, 2007
    #11
  12. Anthony Guest

    Hi Martijn,
    You've told us it is not working, just from your posts we don't know _where_
    it is not working. I am trying to narrow the problem down to exactly where.
    So far we've established that your server B is routing between the subnets
    and that the firewall is allowing specified inbound traffic.
    As I said, a flat subnet, or a VLAN, would do this for you more easily, but
    doing it with a dual NIC in one server makes it more difficult to track
    down.
    Next questions (two)
    - exactly how are you testing that outside traffic can not reach Server C?
    - did you set up the RRAS on Server B as only LAN routing (RRAS
    Configuration, Custom configuration, LAN routing) or have you also set up
    VPN and NAT?
    Anthony, http://www.airdesk.com



     
    Anthony, Nov 15, 2007
    #12
  13. Hello Anthony,
    Yes, it allows traffic to 192.168.1.100 (Server B, "external" card) and runs
    websites from it.
    Using telnet to the public IP address on a port that is open. In W2003,
    Routing and Remote Access, I opened up the port under "NAT/Basic
    Firewall", card "external" on tab "Services and Ports". If I do that, I
    immediately get "connection lost" when I try to telnet; if I disable the
    port on that tab, I get "Could not open a connection to host on port xx".
    Is RRAS "Routing and Remote Access", from reading the Help on that, it
    seems so.
    I cannot find what you are asking me.
    On "external", the radiobutton "Public interface connected to the internet"
    is checked as well as "Enable NAT on this interface".

    On "internal", the radiobutton "Private interface connected to the private
    network" is checked.

    Thanks for the help so far Anthony.
     
    Martijn Tonies, Nov 15, 2007
    #13
  14. Anthony Guest

    Hi Martijn,
    On Server B, in RRAS, I would remove the configuration and then set it up
    again as I described, with a custom configuration, LAN routing only. You are
    not routing between the internet and the LAN, you are routing between two
    LANs. Your ADSL router is doing the routing between the internet and the
    LAN. You don't want NAT or VPN on your RRAS configuration. You already have
    NAT on the ADSL router. For the time being you also don't want to filter
    anything on Server B, just let the traffic that is allowed by your
    firewall/router through to Server C,
    Let's see how that goes,
    Anthony, http://www.airdesk.com
     
    Anthony, Nov 15, 2007
    #14
  15. Hello Anthony,

    I have both the "external" and "internal" LAN card set to
    "Private interface connected to the private network" now, the internet
    connection from everywhere seems to work fine. I also removed any static
    routes on Server B.
    In Router A, I can now ping to Server C, that's new :)

    OK, in Router A I now have set up a "service" to the Server C that's under
    NAT on the specific port I want to open, currently publicly available.

    If I now use Telnet to Server C directly, then I get a proper response, but
    when using the public IP address instead of IP on Server C, I immediately
    get "connection to host lost".

    Are we getting closer?
     
    Martijn Tonies, Nov 15, 2007
    #15
  16. Anthony Guest

    Hi Martijn,
    Well I guess so!
    1) What is the service on Server C?
    2) Is there any difference between the way you have set the firewall to
    allow traffic to B compared to C?
    Anthony, http://www.airdesk.com
     
    Anthony, Nov 15, 2007
    #16
  17. Hi Anthony,
    The behaviour I'm seeing now, the immediate "connection lost", I had had
    before when everything else was still the same.

    Your mention of "Firewall" here reminded me of something, now that I
    could ping from Router A to Server C, I was sure that at least that part
    of the traffic was getting through.

    I just remembered that the service on Server C has its own access control
    (not controlled by Windows), I just modified it to accept "outside"
    connections (well, my external IP only) and it worked via telnet!

    Good news!

    But, as I said, I have been to this stage before, WITH routing enabled on
    Server B and so on ...


    Anthony, many thanks for talking me through this.

    I do have a question for you though --

    The original configuration with 2 subnets and the routing on Server B
    was an idea I had to make the network safer, as in: even if you got
    through Router A, you wouldn't be able to touch Server C, because the
    router A couldn't get to there. Would this hold true? Or would blocking
    the ports on Router A be sufficient?
     
    Martijn Tonies, Nov 16, 2007
    #17
  18. Anthony Guest

    Hi Martijn,
    Glad it works.
    You could debate different security configurations all year and not get very
    far. With your design, if Server B is compromised, it has access to your LAN.
    If you don't think it can be compromised, why have it separate? So flat or
    VLAN is my opinion. You can also use the local firewalls to isolate the
    computers a bit more from one another, especially as you don't have a domain.
    Regards,
    Anthony, http://www.airdesk.com
     
    Anthony, Nov 16, 2007
    #18
  19. You could debate different security configurations all year and not get very far.

    Right, the external connection works.

    What is strange though, is that if I set my router to only accept incoming
    connections for that particular service to my external IP address, it works
    fine, but if I set it to the IP address this particular client is coming
    from, it fails to connect. I'm a bit puzzled there.

    I now set a filter on the service at Server C so that it only accepts from
    the external IP address for this particular client.

    I've tried setting up IP filtering in Windows 2003 on Server B, but it
    resulted in the client being able to connect to Server C, but the rest
    of the stations not being able to get on to the internet, that cannot be
    right *g*
     
    Martijn Tonies, Nov 16, 2007
    #19
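Two of the remaining points, the source-restricted forwarding rule on Router A and the filter on Server B that let the one client through but cut the workstations off, as an added example with a small stateless rule evaluator (this is not code from the thread or from any product named in it). The public address 203.0.113.10, the client address 198.51.100.7 and port 5000 are constructed placeholders; the thread only says "port xx". The example also makes one check explicit that the thread leaves open: the address in the source restriction has to be the one the router actually sees on the incoming packet, that is the client's address after any NAT on the client's side, not a private address behind it.

```python
"""Stateless inbound-rule evaluation: a source-restricted port forward on the
router, and a packet filter on the dual-homed server behind it.

Added example, not code from the thread.  Public and client addresses are
constructed placeholders from the RFC 5737 documentation ranges.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str        # source address as seen by the device applying the rules
    dst: str        # destination address before any translation
    dport: int      # destination TCP port


@dataclass(frozen=True)
class Rule:
    src_net: str                         # "0.0.0.0/0" means any source
    dst_net: str                         # "0.0.0.0/0" means any destination
    dport: Optional[int]                 # None means any port
    action: str                          # "allow" or "deny"
    translate_to: Optional[str] = None   # DNAT target for a forwarding rule


def first_match(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """First-match semantics, as most consumer and host firewalls use."""
    src, dst = IPv4Address(pkt.src), IPv4Address(pkt.dst)
    for r in rules:
        if (src in IPv4Network(r.src_net)
                and dst in IPv4Network(r.dst_net)
                and (r.dport is None or r.dport == pkt.dport)):
            return r
    return None


def evaluate(rules: List[Rule], pkt: Packet, default: str = "deny") -> Tuple[str, str]:
    """Return (action, destination address after any translation)."""
    r = first_match(rules, pkt)
    if r is None:
        return default, pkt.dst
    return r.action, (r.translate_to or pkt.dst)


PUBLIC_IP = "203.0.113.10"   # constructed: Router A's ADSL address
CLIENT_IP = "198.51.100.7"   # constructed: the one outside client allowed in
SERVICE_PORT = 5000          # constructed: the thread only says "port xx"
SERVER_C = "192.168.2.5"

# Router A: forward PUBLIC_IP:SERVICE_PORT to Server C, from CLIENT_IP only.
ROUTER_INBOUND = [
    Rule(CLIENT_IP + "/32", PUBLIC_IP + "/32", SERVICE_PORT, "allow",
         translate_to=SERVER_C),
]

# Server B, first attempt: permit only the forwarded flow.  Every other
# forwarded packet, including the workstations' outbound traffic, falls to
# the default deny, which is the symptom described in the thread.
SERVER_B_TOO_STRICT = [
    Rule(CLIENT_IP + "/32", SERVER_C + "/32", SERVICE_PORT, "allow"),
]

# Server B, corrected: also permit the 192.168.2.0/24 LAN to go anywhere.
SERVER_B_FIXED = SERVER_B_TOO_STRICT + [
    Rule("192.168.2.0/24", "0.0.0.0/0", None, "allow"),
]


if __name__ == "__main__":
    probes = [
        ("router", ROUTER_INBOUND, Packet(CLIENT_IP, PUBLIC_IP, SERVICE_PORT)),
        ("router", ROUTER_INBOUND, Packet("198.51.100.8", PUBLIC_IP, SERVICE_PORT)),
        ("B strict", SERVER_B_TOO_STRICT, Packet("192.168.2.153", "192.0.2.1", 80)),
        ("B fixed", SERVER_B_FIXED, Packet("192.168.2.153", "192.0.2.1", 80)),
    ]
    for name, rules, pkt in probes:
        print(name, pkt.src, "->", pkt.dst, pkt.dport, evaluate(rules, pkt))
```

The too-strict Server B set reproduces the symptom in the post: only the client-to-C flow matches, and every workstation's outbound packet hits the default deny. The fixed set adds a permit for the LAN's outbound traffic; a stateless filter would also need the return direction permitted, which is the usual second thing a permit-only list forgets, and one more reason to leave that filtering to the router as Anthony suggests.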