New to RASS for Routing

Discussion in 'Server Networking' started by Stephen S, Aug 3, 2005.

  1. Stephen S

    Stephen S Guest

    Hi,

    I am setting up a testing LAN and would like to get it
    connected to Internet via company's Proxy Server.

    On a Windows 2003 Server, there are 2 NICs installed.
    For the first one, IP address is assigned so that it will
    connect to my company's LAN.

    On the other NIC, I set it up with a static IP address for
    the testing LAN (192.18.18.10). Besides, that Server is
    set up as a DHCP and DNS Server for the testing LAN.

    I have attempted to assign a Default Gateway IP address to
    the 2nd NIC but there is a warning message saying that
    there should be 1 default gateway. In this way, for the
    clients on the testing network, I enable DHCP but I add
    192.18.18.10 as the Default Gateway, is it correct ?

    I have enabled the RRAS in the Windows 2003 Server. I
    would like to know is it necessary for me to manually
    create the Routing Table ? If YES, what should be the IP
    Address used ? Is it the IP address of the NIC or the IP
    address of the Proxy Server in my company ?

    Besides, I find that there are a number of choices when I
    set up routing (RRAS) and I have chosen "Secure Connection
    between 2 private network", is it correct ?

    Besides, is it possible for me to change the settings
    after I have installed / enabled the RRAS ? This is
    because when I attempt to re-configure the settings, I
    find that I can only add server or disable RRAS.

    Your advice is sought
     
    Stephen S, Aug 3, 2005
    #1

  2. Stephen S

    Bill Grant Guest

    You do not need any routes at all on the router. And you do not need any
    default gateway settings on the router. You only need a default gateway on a
    router if it needs to forward traffic to another router. With a proxy
    service, the client has the IP address of the proxy server coded in, so it
    does not need to use default routing to find it.

    What is essential is that the proxy server knows how to reach the client
    to return the information it obtains from the Internet.

    So the RRAS server just needs to be enabled as a LAN router. It should
    have no default gateways set on either NIC. Set the clients in your test LAN
    to use the RRAS server as their default gateway.

    Where you do need to make changes is at the proxy server. You need to
    add your new subnet as part of the LAT (ie the proxy server must know that
    this subnet is local). And the proxy server needs to know that it can reach
    the new subnet through your RRAS router.

    Existing network
    |
    company LAN
    RRAS
    192.168.18.10 dg blank
    |
    192.168.18.x dg 192.168.18.10

    Requests to the proxy will reach it without any extra routing added. All
    you need is extra routing on the proxy server to get replies back to the
    client.
     
    Bill Grant, Aug 4, 2005
    #2

  3. Stephen S

    Stephen S Guest

    Dear Bill and Robert,

    Thank you for your advice. I have set up the Default Gateway according to
    your advice. Besides, I have set up RRAS as well.

    I believe that I should mention the environment more clearly.

    I am setting up a testing LAN and would like to get it connected to Internet
    via company's Proxy Server (Address is 192.17.18.111).

    On a Windows 2003 Server, there are 2 NICs installed. For the first one,
    IP address (192.17.17.207) is assigned
    so that it will connect to my company's LAN with Default Gateway
    (192.17.17.50). Subnet Mask for my company is also 255.255.255.0

    On the other NIC, I set it up with a static IP address for the testing LAN
    (192.18.18.10). Besides, that Server is
    set up as a DHCP and DNS Server for the testing LAN. I haven't assigned
    Default Gateway for that IP. Subnet mask
    for this subnet is also 255.255.255.0

    When I setup the RRAS and enable routing, I attempt to type the following
    command but it replies that "The route
    addition failed: The specified mask value is invalid":
    route -p add 192.18.18.0 mask 255.255.255.0 192.17.17.207

    In this way, I enter the following and it has no error message. Is it
    correct ? Do you have any idea why the mask 255.255.255.0 fails ?
    route -p add 192.18.18.0 mask 255.255.255.255 192.17.17.207

    For the Internet Connection on the Windows 2003 Server, Proxy Settings I use
    192.17.18.111:8080 for Internet Connection.

    For the clients in the testing LAN, I find that it can
    ping 192.17.17.207 but it fails when I attempt to ping 192.17.17.50,
    not to mention the Proxy Server 192.17.18.111.

    Besides, I have attempted to set the Proxy Server for clients in Testing LAN
    to 192.17.17.207:80 but it fails. What value should I choose ?

    Your advice is sought.
     
    Stephen S, Aug 4, 2005
    #3
  4. Stephen S

    Stephen S Guest

    I am sorry that the route add statements should be

    route -p add 192.18.18.10 mask 255.255.255.255 192.17.17.207

    and

    route -p add 192.18.18.10 mask 255.255.255.0 192.17.17.207
     
    Stephen S, Aug 4, 2005
    #4
  5. Why are you trying to enter a route on the RRAS box anyway? There is no
    route to add there.

    The only route added is on the Proxy, and it points to the RRAS box as being
    the gateway for the Testing LAN.

    --
    Phillip Windell [MCP, MVP, CCNA]
    www.wandtv.com
    -----------------------------------------------------
    Understanding the ISA 2004 Access Rule Processing
    http://www.isaserver.org/articles/ISA2004_AccessRules.html

    Microsoft Internet Security & Acceleration Server: Guidance
    http://www.microsoft.com/isaserver/techinfo/Guidance/2004.asp
    http://www.microsoft.com/isaserver/techinfo/Guidance/2000.asp

    Microsoft Internet Security & Acceleration Server: Partners
    http://www.microsoft.com/isaserver/partners/default.asp
     
    Phillip Windell, Aug 4, 2005
    #5
  6. Stephen S

    Stephen S Guest

    Dear Phillip,

    Thank you for your advice. I would like to ask some more questions.

    1) I would like to know the reason why you say that I don't need a route to
    the RRAS Server. Maybe, I may not fully understand the concept of a
    router. If I don't need a route, do I need 2 NICs or just 1 NIC ? Does it
    mean that static route is required only if machines in the 192.18.18.x
    subnet talk to machines in the 192.17.17.x machines & vice versa, routing in
    the RRAS Server has to be set up ? If there is no route set up, can clients
    with 192.18.18.x ping 192.17.17.207 ?

    2) What is the difference between Host Address routing and Network Address
    routing ? Does Host Address means that only 1 machine can talk and Network
    Address means all machines in the subnet (198.18.18.x) can access
    192.17.17.207 ? However, it seems not as although I enter
    route -p add 192.18.18.10 mask 255.255.255.255 192.17.17.207, client can
    ping 192.17.17.207 with no problem.
    If it is too complicated to mention in the newsgroup, would it be possible
    for you to give me some web site that I can learn more ?

    3) I would like to know which NIC does the following statement applies to ?
    route -p add 192.18.18.0 mask 255.255.255.0 192.17.17.207
    This is because I find that the ROUTE ADD can also be done by using GUI.
    However, there is a choice of Network Connection. From the GUI, I find that
    there are "Local Connection" and "Local Connection 2", which one should I
    choose ? OR both of them are the same ?

    Thanking you in anticipation.

     
    Stephen S, Aug 5, 2005
    #6
  7. I didn't quote your posts because the questions in it cannot be followed
    with an answer according to the pattern and order you asked them. I will
    lay out the pattern for the design here. It is very simple,...you are making
    it 10 times,..no, 100 times harder than it needs to be.

    1. The RRAS box is the LAN's router. Therefore all hosts on the LAN use it
    as their Default Gateway. The RRAS Router then, in turn, uses the Internet
    Sharing Device as its Default Gateway

    2. The RRAS Router is already directly connected to the different LAN
    segments, therefore it *already* knows about them,..because they are
    directly connected,...therefore you do not add static routes to the RRAS
    Router.

    3. The Internet Sharing Device is only connected to one Internal LAN
    Segment,...therefore it is not directly connected to the other LAN
    Segments,...therefore it does not know about them like the RRAS Router does.
    Therefore the Internet Sharing Device needs a Static Route added to its
    routing table (*its* routing table, not the RRAS box's routing table) for
    the LAN Segments that it is not directly attached to. The RRAS Router would
    be the "gateway" used in the Static Route.

    All done,...simple and clean.

    --
    Phillip Windell [MCP, MVP, CCNA]
    www.wandtv.com
     
    Phillip Windell, Aug 5, 2005
    #7
  8. The Internet Sharing Device would also need the other LAN Segments added to
    the Local Address Table (or whatever term it uses for that). The segment it
    is already attached to would already be there,..but you have to add the
    others.

    --
    Phillip Windell [MCP, MVP, CCNA]
    www.wandtv.com
     
    Phillip Windell, Aug 5, 2005
    #8
  9. Stephen S

    Stephen S Guest

    Dear Phillip,

    Thank you for your advice. Maybe, I am new to Networking and Routing.

    Would you mind if I ask some more questions ?

    1) In your point 1, all hosts on the LAN = Testing LAN ?
    2) In your point 2, the RRAS Router already connected to different LAN
    segments. Does it mean that it is because I have enabled "LAN Routing" in
    Configure, Custom configuration; check the box for LAN routing ?
    3) In your point 3, do you mean the Internet Sharing Device = Proxy Server
    in my office ?
    4) In your next mail, you mention there are entries that have to be added to the
    Local Address Table, how many entries have to be added there ?
    a) Testing LAN Address
    b) ???

    Thanks again.
     
    Stephen S, Aug 6, 2005
    #9
  10. Stephen S

    Bill Grant Guest

    Perhaps you could read a basic text on IP routing. A newsgroup like this
    is a place for sorting out networking problems, not an academy. Here is a
    brief outline of the basics.

    To route between two subnets, you do not need any routes on the router
    itself. The router has an interface in each subnet, so it is aware of both
    subnets. If it receives a packet addressed to a machine in a subnet it
    delivers it directly (ie "on the wire" using hardware addressing). The
    important thing is that the packet must actually get to the router!

    Here is an example of the simplest case. All traffic goes to the router
    by default routing and is delivered in the "other" subnet.

    192.168.0.x dg 192.168.0.1
    |
    192.168.0.1 dg blank
    router
    192.168.1.1 dg blank
    |
    192.168.1.x dg 192.168.1.1

    If the default route is not to the internal router, extra routing info
    is required to get the required traffic to that internal router. eg

    Internet
    |
    gateway router
    192.168.0.254
    |
    192.168.0.x dg 192.168.0.254
    |
    192.168.0.1 dg 192.168.0.254
    router
    192.168.1.1 dg blank
    |
    192.168.1.x dg 192.168.1.1

    In this case, routing between the subnets fails. The default route of
    the 192.168.0 subnet clients is to the gateway router, so the traffic for
    192.168.1 never reaches the internal router. To make it work you must add
    extra routing in the 192.168.0 subnet to get traffic for 192.168.1 to the
    internal router.

    This is where you can use static routes. To get the traffic to the
    internal router you could add a static route

    192.168.1.0 255.255.255.0 192.168.0.1

    If you add this route to a machine in the 192.168.0 subnet, that machine
    can be reached from 192.168.1 . If you add the route to the gateway router,
    every machine can be reached, because the gateway router "bounces" the local
    traffic to the internal router.

    Using a proxy server changes the requirements because a proxy server
    does not rely on default routing. The client has the IP address of the proxy
    server coded in and can address it directly. But if the proxy server is in
    another subnet, the proxy server must have the necessary routing information
    to be able to route the return traffic to the client.

    The LAT of a proxy server contains the addresses of all the subnets
    which are "local" (ie on the inside of the local network). So if you add an
    extra subnet to your LAN, you need to check that it is included in the LAT.

     
    Bill Grant, Aug 7, 2005
    #10
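
The routing behaviour in Bill Grant's second diagram, and the "specified mask value is invalid" error from posts #3 and #4, as an added example that is not code from any participant in this thread. The names `valid_route`, `Node`, `trace` and `build`, and the `.20` client addresses, are assumptions made for illustration; the Internet side of the gateway router is left out.

```python
import ipaddress

def valid_route(dest, mask):
    """True if dest has no host bits set under mask (route.exe requires this)."""
    try:
        ipaddress.ip_network(f"{dest}/{mask}", strict=True)
        return True
    except ValueError:
        return False

class Node:
    """Constructed model of a host or router: interfaces plus a routing table."""
    def __init__(self, name, addrs, default_gw=None):
        self.name = name
        self.ifaces = [ipaddress.ip_interface(a) for a in addrs]
        # Directly connected subnets are known without any static route.
        self.routes = [(i.network, None) for i in self.ifaces]
        if default_gw:
            self.add_route("0.0.0.0", "0.0.0.0", default_gw)

    def add_route(self, dest, mask, gateway):
        # strict=True raises ValueError when (dest & mask) != dest.
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=True)
        self.routes.append((net, ipaddress.ip_address(gateway)))

    def owns(self, ip):
        return any(i.ip == ip for i in self.ifaces)

    def next_hop(self, dst):
        # Longest-prefix match; a connected route delivers "on the wire".
        hits = [r for r in self.routes if dst in r[0]]
        if not hits:
            return None
        _, gw = max(hits, key=lambda r: r[0].prefixlen)
        return dst if gw is None else gw

def trace(nodes, src, dst):
    """Names of the nodes a packet visits, or None if it is never delivered."""
    dst = ipaddress.ip_address(dst)
    node = next(n for n in nodes if n.owns(ipaddress.ip_address(src)))
    path = [node.name]
    for _ in range(8):  # hop limit guards against routing loops
        if node.owns(dst):
            return path
        hop = node.next_hop(dst)
        node = next((n for n in nodes if hop is not None and n.owns(hop)), None)
        if node is None:
            return None
        path.append(node.name)
    return None

def build():
    """Bill Grant's second diagram; the .20 client addresses are constructed."""
    return [Node("A", ["192.168.0.20/24"], "192.168.0.254"),
            Node("gateway", ["192.168.0.254/24"]),  # Internet side omitted
            Node("router", ["192.168.0.1/24", "192.168.1.1/24"], "192.168.0.254"),
            Node("B", ["192.168.1.20/24"], "192.168.1.1")]
```

Tracing from A to B on the topology returned by `build()` yields no path until the static route `192.168.1.0 255.255.255.0 192.168.0.1` is added to the gateway node, while B to A is delivered throughout because the internal router is directly connected to both subnets.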
  11. Stephen S

    Stephen S Guest

    Dear Bill,

    Thank you for your explanation.

    Regards,
    Stephen

     
    Stephen S, Aug 8, 2005
    #11
  12. Bill's got you covered. I'll just toss in a few comments on your points
    below.

    LAN means the whole thing,...all subnets together. A subnet is effectively a
    network, the LAN is the whole collection of local Networks.
    It means the RRAS router is directly (physically) connected to each segment
    (it sits between them). Therefore they are already in its routing
    table,..therefore it already knows about them,..therefore there are no static
    routes to create.
    Yes, a Proxy, or a Hardware Firewall, or a NAT Server are all considered
    "Internet Sharing Devices". I use that generic form of the term when I do
    not know (or forget) exactly what kind of device you are using.
    Just one. It goes on the Proxy itself. The proxy does not know about the
    Segment on the opposite side of the LAN Router because it is obviously not
    directly connected to it. Therefore it needs a Static route to cover that.
    If the "test Lan" is 192.18.17.x and the RRAS Router is 192.168.18.10 then
    the router would be done as:
    "route add -p 192.168.17.0 mask 255.255.255.0 192.168.18.10"

    *Don't* use those exact addresses if they are not correct. I was only
    guessing at what they would be from looking at your other post.

    Don't forget to add the other subnet to the LAT on the Proxy, as Bill also
    reminded you too.

    --
    Phillip Windell [MCP, MVP, CCNA]
    www.wandtv.com
     
    Phillip Windell, Aug 8, 2005
    #12
  13. Say Bill,
    You gonna be at the Summit? I didn't think I was going at first, but now it
    looks like I will. I can keep an eye out for ya.

    --
    Phillip Windell [MCP, MVP, CCNA]
    www.wandtv.com
     
    Phillip Windell, Aug 8, 2005
    #13
  14. Stephen S

    Bill Grant Guest

    Hi Phillip,

    No, I can't make it this time. I have already been to the Asia Summit in
    Singapore this year.
     
    Bill Grant, Aug 9, 2005
    #14
  15. Stephen S

    Stephen S Guest

    Dear Phillip and Bill,

    Many thanks for your explanation and advice.

    However, I don't understand your saying that "Don't forget to add the other
    subnet to the LAT on the Proxy, as Bill also
    reminded you too". I have added the new subnet to the LAT on the Proxy
    (Just amend your statement). But what is the other subnet ?

    Thanks
    Stephen

     
    Stephen S, Aug 10, 2005
    #15
  16. It's the one you just added to the LAT :)

    --
    Phillip Windell [MCP, MVP, CCNA]
    www.wandtv.com
     
    Phillip Windell, Aug 10, 2005
    #16