Some problems with RRAS as internet router
- Hello everyone,
I was testing the new Windows Server 2008 R2 in order to test the possibility to replace the old 2003 Server.
The server is installed for the following functions
1. Router
2. Backup
3. 2nd RADIUS server
4. maybe Hyper-V
Yesterday I installed the operating system without any problems. I installed the role which contains the RRAS to first set up the router (the server is part of the domain). The internet connection itself is not the problem. This works well for the clients in the network. It is a VDSL dial up connection with dynamic IP from ISP. I started to configure the router
a) set up the routes for internal network
b) setting the NAT settings for the dial up interface (ftp, smtp, HTTPS forwarding) like I did in the Windows 2003 Server
c) correct the routes because of typing error
d) several restarts
Now the problem is that nothing is forwarded. For example SMTP and FTP are not working from external access - I verified that the dynamic IP is up to date. The FTP is in the same subnet, the HTTP and SMTP are in a different subnet (the routes are existing and I can ping the servers).
After one hour searching I was giving up.
Maybe you can help me here. I don't know what could be wrong. Disabling the Windows Firewall for testing reasons or setting up a rule to accept ftp or SMTP for example did not change anything.
The second problem is DNS.
As soon as I connect the dial up interface my default dns server is the one which is provided via DHCP from ISP. Is there a way to avoid this (except entering dns addresses manually)? So when I type nslookup in cmd the default dns server is not the internal one. I've taken a look in the rasphone.pbk in System32\ras but I did not see an entry which could change this.
Just interested to know. The same behavior is when I dial up a VPN connection to a customer system.
All Replies
OK, found out something interesting. You will need to know few more details about the environment.
There is one 2008 server core in the network running as DHCP, DNS, AD, fileserver, Hyper-V. The Hyper-V has got an internal interface where the mail- and webservers are connected to. There is also a router between, running as virtual machine. This router has got the LAN interface and the internal interface. Normally this always worked. But now after setting up the 2008 to replace the 2003 the systems at the internal LAN have no connection to the internet. For example setting up a ping from the webserver gives me following result:
I don't know where the problem is. I am a little confused about the drops there but the clients which are in the LAN have got internet access without any problems.
pathping t-online.de
Routenverfolgung zu t-online.de [217.6.164.162]
über maximal 30 Abschnitte:
0 x [172.16.1.18]
1 s-rras-3.x [172.16.1.17]
2 s-rras-1.x [172.16.0.1]
3 * * *
Berechnung der Statistiken dauert ca. 50 Sekunden...
Quelle zum Abs. Knoten/Verbindung
Abs. Zeit Verl./Ges.= % Verl./Ges.= % Adresse
0 x [172.16.1.18]
0/ 100 = 0% |
1 0ms 0/ 100 = 0% 0/ 100 = 0% s-rras-3.x [172.16.1.17]
18/ 100 = 18% |
2 0ms 18/ 100 = 18% 0/ 100 = 0% s-rras-1.x [172.16.0.1]
Ablaufverfolgung beendet.
- Edited by Markus Schuhmacher, Thursday, October 15, 2009 7:00 PM: correcting wrong information
Hello,
Thanks for your post here.
From the description, the Windows Server 2008 R2 that is running as a router cannot forward the published traffic to internal resources such as FTP, SMTP, HTTPS.
First of all, please double check whether there are any Inbound Filters and Outbound Filters applied on the Demand-dial interface in the RRAS. To check that:
1. In the RRAS MMC, double click the Interface in RRAS server--->IPv4--->General.
2. In the General tab of the Demand-dial interface, make sure that the Inbound Filters and Outbound Filters are all empty.
To effectively troubleshoot the issue, I need to know what your network topology looks like. Does it look like:
Mail & webservers
|
| (internal network)
|
RRAS (VM on 2008 core)------>Demand dial interface to Internet
|
| (LAN network)
|
2008 core(hyper-V)
If you have any questions or concerns, please do not hesitate to let me know.
Hello,
thank you for your reply.
:: Maybe you misunderstood me. There are two RRAS servers in the network because there are two physical machines. The router for the network for the mail and web server is a hyper-v machine which is set up at the 2008 Server Core.
I will try to make a description of the network for you. The network looks like
- - LAN 172.16.0.0 /24 - - - - - - - -
==RRAS
- Internet demand dial interface
- 172.16.0.1 /24
- 172.16.1.1 /28 (not that important now)
- routes to 172.16.1.16 /28 and 172.16.1.32 /24 over 172.16.0.4
==2008 server core
- 172.16.0.2 /24
- (hyper-V)
==(VM) 2008 R2 terminal Server test
- 172.16.0.? /24
== (VM) RRAS
- 172.16.0.4 /24
- 172.16.1.17 /28
- 172.16.1.33 /28
==(VM)Windows XP Test
- 172.16.0.x /24 (DHCP)
==Windows 7 Client (2)
- - LAN 2 172.16.1.16 /28- - - - - - - - - - - - - - - - - - - -
==(VM)web
- 172.16.1.18 /28
==(VM)Mail
- 172.16.1.19 /28
So, following information. Further tests showed that the systems which are obtaining DHCP addresses all seem to work. Except the Windows XP test system on the Hyper-V. Even the physical machine 172.16.0.2 could not ping into the internet for unknown reasons. Neither mail nor web nor test terminal server could ping into the internet. But the internal routing does work. I can ping from Mail server an address from the 172.16.1.0 /28 subnet. I only have got one device in the 172.16.1.0 /28 subnet. The ping ms are enormous but I don't know if this device is defect.
- edit -
So when I think about the problem it looks like the NAT is working but for some reason the systems can not access the internet. The confusing thing is that some clients can. But I haven't configured any NAP things as far as I know.
- edit -
I have checked the DHCP server settings. I saw that the NAP is activated but I provide full access. Anyways I think this is only important if you use the new IAS server.
- edit -
Your graphic will look like
Mail & webservers
|
| (internal network)
|
RRAS (VM on 2008 core)
|
| (LAN network)
|
2008 core(hyper-V); ---- 2008 R2 / 2003 ------>Demand dial interface to Internet
(WAN)
- Edited by Markus Schuhmacher, Wednesday, October 21, 2009 1:37 PM: corrected graphic
- Edited by Markus Schuhmacher, Friday, October 16, 2009 9:54 AM: corrected LAN 2 information
- Now I think that all virtual machines don't have internet access. Physical machines have got internet access. Even the Hyper-V Server Core Server. I was wrong about it not having access to the internet.
But it is strange that ftp from external is not working because this is the public ftp and this server has got access to the internet.
Hello,
Thanks for the update.
From the description, it seems to be a complicated network (VLSM) that has 2 demand-dial interfaces to Internet.
Could you please also paste the IPconfig /all output from the VMs that don't have Internet access?
Hello,
you must have misunderstood me. The network is not that complicated. There is just one demand-dial interface on one physical machine (the 2008 R2 server). I just wrote 2008 R2 / 2003 because I can boot the 2003 Server from the other RAID system but it is the same physical machine.
I will post the ipconfig later.
Here is one output of one server in LAN 172.16.0.0 /24 (Mailserver with mailbox role)
C:\>ipconfig /all
Windows-IP-Konfiguration
   Hostname . . . . . . . . . . . . : S-APP-1
   Primäres DNS-Suffix . . . . . . . : <DOMAIN>
   Knotentyp . . . . . . . . . . . . : Hybrid
   IP-Routing aktiviert . . . . . . : Nein
   WINS-Proxy aktiviert . . . . . . : Nein
   DNS-Suffixsuchliste . . . . . . . : <DOMAIN>
Ethernet-Adapter LAN-Verbindung:
   Verbindungsspezifisches DNS-Suffix:
   Beschreibung. . . . . . . . . . . : Netzwerkkarte für Microsoft Virtual Machine-Bus
   Physikalische Adresse . . . . . . : 00-15-5D-00-02-13
   DHCP aktiviert. . . . . . . . . . : Nein
   Autokonfiguration aktiviert . . . : Ja
   Verbindungslokale IPv6-Adresse . : fe80::f561:dfac:2b3f:e4cf%12(Bevorzugt)
   IPv4-Adresse . . . . . . . . . . : 172.16.0.3(Bevorzugt)
   Subnetzmaske . . . . . . . . . . : 255.255.255.0
   Standardgateway . . . . . . . . . : 172.16.0.1
   DHCPv6-IAID . . . . . . . . . . . : 268440925
   DHCPv6-Client-DUID. . . . . . . . : 00-01-00-01-0F-DC-F5-29-00-15-5D-00-02-02
   DNS-Server . . . . . . . . . . . : 172.16.0.2
                                      172.16.0.6
   Primärer WINS-Server. . . . . . . : 172.16.0.6
   Sekundärer WINS-Server. . . . . . : 172.16.0.2
   NetBIOS über TCP/IP . . . . . . . : Aktiviert
Tunneladapter LAN-Verbindung* 11:
   Medienstatus. . . . . . . . . . . : Medium getrennt
   Verbindungsspezifisches DNS-Suffix:
   Beschreibung. . . . . . . . . . . : isatap.{DFC7A392-AC98-4043-B1EB-9AFFC20508E1}
   Physikalische Adresse . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP aktiviert. . . . . . . . . . : Nein
   Autokonfiguration aktiviert . . . : Ja
C:\>
Here is one ipconfig from the Edge Transport Server in the internal LAN 172.16.1.16 /28
C:\>ipconfig /all
Windows-IP-Konfiguration
   Hostname . . . . . . . . . . . . : s-dmz-2
   Primäres DNS-Suffix . . . . . . . : <DOMAIN>
   Knotentyp . . . . . . . . . . . . : Hybrid
   IP-Routing aktiviert . . . . . . : Nein
   WINS-Proxy aktiviert . . . . . . : Nein
   DNS-Suffixsuchliste . . . . . . . : <DOMAIN>
Ethernet-Adapter DMZ:
   Verbindungsspezifisches DNS-Suffix:
   Beschreibung. . . . . . . . . . . : Netzwerkkarte für Microsoft Virtual Machine-Bus
   Physikalische Adresse . . . . . . : 00-15-5D-00-02-04
   DHCP aktiviert. . . . . . . . . . : Nein
   Autokonfiguration aktiviert . . . : Ja
   Verbindungslokale IPv6-Adresse . : fe80::c9ad:e184:288b:af3a%10(Bevorzugt)
   IPv4-Adresse . . . . . . . . . . : 172.16.1.19(Bevorzugt)
   Subnetzmaske . . . . . . . . . . : 255.255.255.240
   Standardgateway . . . . . . . . . : 172.16.1.17
   DHCPv6-IAID . . . . . . . . . . . : 285218141
   DHCPv6-Client-DUID. . . . . . . . : 00-01-00-01-0F-DD-A1-E9-00-15-5D-00-02-01
   DNS-Server . . . . . . . . . . . : 172.16.0.2
                                      172.16.0.6
   Primärer WINS-Server. . . . . . . : 172.16.0.6
   Sekundärer WINS-Server. . . . . . : 172.16.0.2
   NetBIOS über TCP/IP . . . . . . . : Aktiviert
Tunneladapter LAN-Verbindung* 9:
   Medienstatus. . . . . . . . . . . : Medium getrennt
   Verbindungsspezifisches DNS-Suffix:
   Beschreibung. . . . . . . . . . . : isatap.{0DB05B67-4298-4FD2-BB91-D3B5741CE8EA}
   Physikalische Adresse . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP aktiviert. . . . . . . . . . : Nein
   Autokonfiguration aktiviert . . . : Ja
C:\>
This output is German but you should understand the values.
So when I boot
:: 2003 Server: works
:: 2008 R2 : does not work
The configuration of the routes is the same in comparison from the 2003 Server and the 2008 R2 server (when I set up a ping into internal LAN 172.16.1.16 /28 I do get response, so I assume that the routing is correct?).
The rest of them are configured with the same gw.
- OK. The RRAS was getting on my nerves. I tried a little bit.
1. I booted the server again to look at the problem again. I opened NAT and I saw lots of "-" at the table (not 0). I was confused about that because I remember the "-" that there is something wrong with NAT. So I removed the protocol NAT. After this I wanted to add this again and I get an error message: "Die Daten sind unzulässig". Translated this means something like that the data are not valid. Yesterday I received some script errors while adding the dial on demand interface. So I decided to remove the whole role from the server. I did that and I also deleted the pbk-file in System32\ras.
Then I rebooted and configured everything new. This time I did not see any errors while configuring.
Anyways still not working :).
I logged into a virtual machine. I decided to change the default gateway from 172.16.0.1 (new R2 server) to 172.16.0.3. This is the VM Router which has got the 172.16.1.16 /28 and 172.16.1.32 /28 subnet connected. This did not change anything.
Hello,
Thanks for the update.
From the description, I understand that:
1. Client in 172.16.0.*/24 network can ping internet properly.
2. Client in 172.16.1.18/28 network cannot ping internet properly.
3. Client in 172.16.1.18/28 network can ping a client in the 172.16.1.0/28 network.
To check whether the routing table has the correct entries, please help to collect "route print" result on Mail server, RRAS server running on the VM and the new Windows Server 2008 R2 RRAS server.
If the routing tables are correct on those servers to route the traffic from 172.16.1.18 to Internet, please reproduce this issue by pinging an internet name from the mail server and collect the Network Monitor trace on mail server, RRAS server running on the VM, the new Windows Server 2008 R2 RRAS server at the same time. With the network traces, we will be able to identify where the traffic to Internet gets cut.
If you have any questions or concerns, please do not hesitate to let me know.
- I will post the route print as soon as possible. - I guess in 2:30 - 3:00 hours
Some of the information is not correct
1. Client in 172.16.0.0 /24 can ping internet properly, BUT if they are in that subnet as VM on Hyper-V they CAN NOT
2. The network is 172.16.1.16 /28. 172.16.1.19 is the mail server
3. that is correct
Sorry about the graphic above, I corrected it. VM RRAS has no dial up interface
OK Here are the routing tables from
1. Mail server: s-dmz-2
IPv4-Routentabelle
===========================================================================
Aktive Routen:
     Netzwerkziel    Netzwerkmaske          Gateway    Schnittstelle Metrik
          0.0.0.0          0.0.0.0      172.16.1.17      172.16.1.19    261
        127.0.0.0        255.0.0.0   Auf Verbindung        127.0.0.1    306
        127.0.0.1  255.255.255.255   Auf Verbindung        127.0.0.1    306
  127.255.255.255  255.255.255.255   Auf Verbindung        127.0.0.1    306
      172.16.1.16  255.255.255.240   Auf Verbindung      172.16.1.19    261
      172.16.1.19  255.255.255.255   Auf Verbindung      172.16.1.19    261
      172.16.1.31  255.255.255.255   Auf Verbindung      172.16.1.19    261
        224.0.0.0        240.0.0.0   Auf Verbindung        127.0.0.1    306
        224.0.0.0        240.0.0.0   Auf Verbindung      172.16.1.19    261
  255.255.255.255  255.255.255.255   Auf Verbindung        127.0.0.1    306
  255.255.255.255  255.255.255.255   Auf Verbindung      172.16.1.19    261
===========================================================================
Ständige Routen:
  Netzwerkadresse        Netzmaske   Gatewayadresse   Metrik
          0.0.0.0          0.0.0.0      172.16.1.17 Standard
===========================================================================
IPv6-Routentabelle
===========================================================================
Aktive Routen:
 If Metrik Netzwerkziel                      Gateway
  1    306 ::1/128                           Auf Verbindung
 10    261 fe80::/64                         Auf Verbindung
 10    261 fe80::c9ad:e184:288b:af3a/128     Auf Verbindung
  1    306 ff00::/8                          Auf Verbindung
 10    261 ff00::/8                          Auf Verbindung
===========================================================================
Ständige Routen:
  Keine
2. RRAS Hyper-V: s-rras-3
IPv4-Routentabelle
===========================================================================
Aktive Routen:
     Netzwerkziel    Netzwerkmaske          Gateway    Schnittstelle Metrik
          0.0.0.0          0.0.0.0       172.16.0.1       172.16.0.4    405
        127.0.0.0        255.0.0.0   Auf Verbindung        127.0.0.1    306
        127.0.0.1  255.255.255.255   Auf Verbindung        127.0.0.1    306
  127.255.255.255  255.255.255.255   Auf Verbindung        127.0.0.1    306
       172.16.0.0    255.255.255.0   Auf Verbindung       172.16.0.4    261
       172.16.0.4  255.255.255.255   Auf Verbindung       172.16.0.4    261
     172.16.0.255  255.255.255.255   Auf Verbindung       172.16.0.4    261
      172.16.1.16  255.255.255.240   Auf Verbindung      172.16.1.17    261
      172.16.1.17  255.255.255.255   Auf Verbindung      172.16.1.17    261
      172.16.1.31  255.255.255.255   Auf Verbindung      172.16.1.17    261
      172.16.1.32  255.255.255.240   Auf Verbindung      172.16.1.33    261
      172.16.1.33  255.255.255.255   Auf Verbindung      172.16.1.33    261
      172.16.1.47  255.255.255.255   Auf Verbindung      172.16.1.33    261
        224.0.0.0        240.0.0.0   Auf Verbindung        127.0.0.1    306
        224.0.0.0        240.0.0.0   Auf Verbindung      172.16.1.33    261
        224.0.0.0        240.0.0.0   Auf Verbindung      172.16.1.17    261
        224.0.0.0        240.0.0.0   Auf Verbindung       172.16.0.4    261
  255.255.255.255  255.255.255.255   Auf Verbindung        127.0.0.1    306
  255.255.255.255  255.255.255.255   Auf Verbindung      172.16.1.33    261
  255.255.255.255  255.255.255.255   Auf Verbindung      172.16.1.17    261
  255.255.255.255  255.255.255.255   Auf Verbindung       172.16.0.4    261
===========================================================================
Ständige Routen:
  Keine
IPv6-Routentabelle
===========================================================================
Aktive Routen:
 If Metrik Netzwerkziel                      Gateway
  1    306 ::1/128                           Auf Verbindung
 10    261 fe80::/64                         Auf Verbindung
 11    261 fe80::/64                         Auf Verbindung
 12    261 fe80::/64                         Auf Verbindung
 12    261 fe80::186e:8cfc:59c7:adf3/128     Auf Verbindung
 10    261 fe80::bc53:808e:9bd:2992/128      Auf Verbindung
 11    261 fe80::f19d:1817:31ba:f5f3/128     Auf Verbindung
  1    306 ff00::/8                          Auf Verbindung
 10    261 ff00::/8                          Auf Verbindung
 11    261 ff00::/8                          Auf Verbindung
 12    261 ff00::/8                          Auf Verbindung
===========================================================================
Ständige Routen:
  Keine
3. RRAS 2008 R2: s-rras-2
IPv4-Routentabelle
===========================================================================
Aktive Routen:
     Netzwerkziel    Netzwerkmaske          Gateway    Schnittstelle Metrik
          0.0.0.0          0.0.0.0     217.0.119.63   93.218.122.24x     21
   93.218.122.24x  255.255.255.255   Auf Verbindung   93.218.122.24x    276
        127.0.0.0        255.0.0.0   Auf Verbindung        127.0.0.1    306
        127.0.0.1  255.255.255.255   Auf Verbindung        127.0.0.1    306
  127.255.255.255  255.255.255.255   Auf Verbindung        127.0.0.1    306
       172.16.0.0    255.255.255.0   Auf Verbindung       172.16.0.1    266
       172.16.0.1  255.255.255.255   Auf Verbindung       172.16.0.1    266
      172.16.0.23  255.255.255.255   Auf Verbindung      172.16.0.23    306
     172.16.0.255  255.255.255.255   Auf Verbindung       172.16.0.1    266
      172.16.1.16  255.255.255.240       172.16.0.4       172.16.0.1    266
      172.16.1.32  255.255.255.240       172.16.0.4       172.16.0.1    266
        224.0.0.0        240.0.0.0   Auf Verbindung        127.0.0.1    306
        224.0.0.0        240.0.0.0   Auf Verbindung       172.16.0.1    266
        224.0.0.0        240.0.0.0   Auf Verbindung      172.16.0.23    306
  255.255.255.255  255.255.255.255   Auf Verbindung        127.0.0.1    306
  255.255.255.255  255.255.255.255   Auf Verbindung       172.16.0.1    266
  255.255.255.255  255.255.255.255   Auf Verbindung      172.16.0.23    306
  255.255.255.255  255.255.255.255   Auf Verbindung   93.218.122.24x    276
===========================================================================
Ständige Routen:
  Keine
IPv6-Routentabelle
===========================================================================
Aktive Routen:
 If Metrik Netzwerkziel                      Gateway
 36   1150 ::/0                              2002:c058:6301::c058:6301
  1    306 ::1/128                           Auf Verbindung
 36   1050 2002::/16                         Auf Verbindung
 36    306 2002:5dda:7af8::5dda:7af8/128     Auf Verbindung
 14    266 fe80::/64                         Auf Verbindung
 14    266 fe80::5cb7:b44d:dcd8:ec77/128     Auf Verbindung
  1    306 ff00::/8                          Auf Verbindung
 14    266 ff00::/8                          Auf Verbindung
===========================================================================
Ständige Routen:
  Keine
- Edited by Markus Schuhmacher, Thursday, October 22, 2009 9:03 AM: corrected IP address
- Edited by Markus Schuhmacher, Wednesday, October 21, 2009 2:34 PM: added 2 routing tables
- Edited by Markus Schuhmacher, Wednesday, October 21, 2009 2:57 PM: added last route
- Edited by Markus Schuhmacher, Wednesday, October 21, 2009 2:58 PM: mask
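Added example (not part of any post in this thread): a longest-prefix-match walk over the IPv4 routes posted above for s-dmz-2, s-rras-3 and s-rras-2, tracing the ping to 209.85.229.104 outbound and the reply back to 172.16.1.19. Host, loopback and multicast entries are omitted, the address-to-host map is an assumption assembled from the interface columns of those tables, and the WAN interface address is left out because it is elided in the post.

```python
import ipaddress

# IPv4 routes transcribed from the "route print" output posted in the thread.
# Gateway None means on-link ("Auf Verbindung").
TABLES = {
    "s-dmz-2": [("0.0.0.0/0", "172.16.1.17"),
                ("172.16.1.16/28", None)],
    "s-rras-3": [("0.0.0.0/0", "172.16.0.1"),
                 ("172.16.0.0/24", None),
                 ("172.16.1.16/28", None),
                 ("172.16.1.32/28", None)],
    "s-rras-2": [("0.0.0.0/0", "217.0.119.63"),
                 ("172.16.0.0/24", None),
                 ("172.16.1.16/28", "172.16.0.4"),
                 ("172.16.1.32/28", "172.16.0.4")],
}

# Assumption: which host owns which address, read off the interface columns.
OWNERS = {
    "172.16.1.19": "s-dmz-2",
    "172.16.1.17": "s-rras-3",
    "172.16.1.33": "s-rras-3",
    "172.16.0.4": "s-rras-3",
    "172.16.0.1": "s-rras-2",
}


def lookup(host, dst, tables=TABLES):
    """Longest-prefix match in one host's table; returns (network, gateway) or None."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(net), gw) for net, gw in tables[host]
            if addr in ipaddress.ip_network(net)]
    return max(hits, key=lambda h: h[0].prefixlen) if hits else None


def trace(start, dst, tables=TABLES, max_hops=8):
    """Follow the tables hop by hop from start toward dst and return the path."""
    path, host = [start], start
    for _ in range(max_hops):
        if OWNERS.get(dst) == host:
            return path                      # delivered
        hit = lookup(host, dst, tables)
        if hit is None:
            return path + ["no route"]
        _, gateway = hit
        next_ip = gateway or dst             # on-link: hand over directly
        nxt = OWNERS.get(next_ip)
        if nxt is None:                      # next hop is outside the known hosts
            return path + [f"leaves via {next_ip}"]
        path.append(nxt)
        host = nxt
    return path + ["hop limit reached"]


def without_route(host, prefix):
    """Copy of TABLES with one route removed, to see what a missing return route does."""
    tables = {h: list(routes) for h, routes in TABLES.items()}
    tables[host] = [r for r in tables[host] if r[0] != prefix]
    return tables


if __name__ == "__main__":
    print("request:", trace("s-dmz-2", "209.85.229.104"))
    print("reply:  ", trace("s-rras-2", "172.16.1.19"))
    broken = without_route("s-rras-2", "172.16.1.16/28")
    print("reply without the /28 route:", trace("s-rras-2", "172.16.1.19", broken))
```

With the tables as posted, both directions resolve hop by hop; only the variant with the 172.16.1.16/28 route removed sends the reply back out the default route.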
- Regarding the routes, they seem to be fine.
Now I am tracing at 3 servers, pinging from 172.16.1.19 to google.de
I see
1. S-DMZ-2: ICMP:Echo Request Message, From 172.16.1.19 To 209.85.229.104
2. S-RRAS-3: ICMP:Echo Request Message, From 172.16.1.19 To 209.85.229.104
3. S-RRAS-2: ICMP:Echo Request Message, From 172.16.1.19 To 209.85.229.104
4. S-RRAS-2: ICMP:Echo Reply Message, From 209.85.229.104 To 172.16.1.19
5. S-RRAS-3: No reply
Further information regarding the network configuration:
The internal network 172.16.1.16 /28 and 172.16.1.32 /28 is one private adapter in Hyper-V. The network 172.16.1.16 is with VLAN 2 and 172.16.1.32 /28 is with VLAN3 (so I don't need to add two separate adapters). But this should not influence the result. It's just for your information.
http://s-nt.net/files/hypervConfiguration.jpg
Hi,
Thanks for the update.
Yes, the routing tables on those computers seem to be correct.
From the network trace when you ping google.de from S-DMZ-2, it seems that the ICMP is blocked at the node S-RRAS-2:
S-DMZ-2 ---> S-RRAS-3 ---> S-RRAS-2 ---> google.de
S-RRAS-3 XXX S-RRAS-2 <--- google.de
There are two possibilities that I think:
1. The S-RRAS-2 didn't route the traffic to 172.16.1.19/28 for some reason even when there is a routing entry to the destination 172.16.1.16/28.
(please answer the following questions again to make everything clear)
Could the s-rras-2 access (PING) the computers in 172.16.1.18/28? If yes, it indicates that routing from S-RRAS-2 to S-DMZ-2 is OK.
2. From your description that:
Client in 172.16.0.0 /24 can ping internet properly, BUT if they are in that subnet as VM on Hyper-V they CAN NOT
I think the virtual network that S-RRAS-3 and S-RRAS-2 connect to has some issues. Could you please tell more about how you create this virtual network? Is it a Loopback adapter or something else? Can you Ping 172.16.0.1/24 from S-RRAS-3?
If you have any questions or concerns, please do not hesitate to let me know.
- Hello,
These were my thoughts, too. The routing tables are looking fine. The routing process is correct. The package seems to stop at the 2008 R2 router on its way back from google.de to s-rras-3.
>Could the s-rras-2 access (PING) the computers in 172.16.1.18/28? If yes, it indicates that routing from S-RRAS-2 to S-DMZ-2 is OK.
The s-rras-2 can ping s-dmz-2.
2.
>Client in 172.16.0.0 /24 can ping internet properly, BUT if they are in that subnet as VM on Hyper-V they CAN NOT
Yes, a member of the external Hyper-V adapter can not ping google.de
>I think the virtual network that S-RRAS-3 and S-RRAS-2 connect to has some issues. Could you please tell more about how you create this virtual network? Is it a Loopback adapter or something else? Can you Ping 172.16.0.1/24 from S-RRAS-3?
Hmm, I don't understand your question. As far as I understand your question you are talking about the 172.16.0.0 /24 subnet? Some virtual machines are part of this network but the physical machines, too. For example the Hyper-V Server (s-core-1 172.16.0.2) and the new router 172.16.0.1 (s-rras-2).
172.16.1.16 /28 and 172.16.1.32 /28 are complete virtual networks. S-CORE-1 has got 4 network ports. 2 are used, 2 are unused. The used ports are from Intel Pro 1000 PT Dual Port Server Adapter. One port is used for physical access. The other port is connected to the same switch but it is only used for the virtual machines. So this is the port which is used for the external network. Virtual machines which have got this adapter installed are part of the 172.16.0.0 /24 LAN.
So S-RRAS-3 have got this external adapter and additional two extra internal adapters (one internal adapter installed twice with different VLAN) - see screenshot from post before.
I hope I understood your questions and answered them.
- Edited by Markus Schuhmacher, Friday, October 23, 2009 7:46 PM
Hi,
Thanks for your update.
Meanwhile, please also check whether RRAS server S-RRAS-2 is not enabled for routing.
1. In RRAS console, open the Properties dialog of the server and ensure "IPv4 Router" is selected.
2. Check the IPEnableRouter registry value on the server:
1). Start Registry Editor (Regedit.exe).
2). Locate and click the following key in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
3). Set the following registry values
Value Name: IPEnableRouter
Value type: REG_DWORD
Value Data: 1
4). Reboot the server.
If you have any questions or concerns, please do not hesitate to let me know.
- All right, while you posted your answer I created a Visio file to make it easier to understand the network.
http://s-nt.net/files/Zeichnung1.vsd
- 1. internal pings work
a) S-RRAS-2 can ping S-RRAS-3
b) S-RRAS-2 can ping S-DMZ-2
c) S-RRAS-3 can ping S-RRAS-2 (he is in same subnet)
d) S-DMZ-2 can ping S-RRAS-3 (he is in same subnet)
e) S-DMZ-2 can ping S-RRAS-2
2. IPEnableRouter is 0 but interesting is that this value is 0 at all RRAS in my network. Even at the 2003 System.
--> I set to 1, no change recognized
3. IPv4 Router is selected
Edit:
Thinking about this problem I come to only two possible things
1. It is a bug of Windows or Hyper-V
2. It is a bug in Intel Network driver. I recognized some iSCSI 14.6. So I guess there will be 14.6 drivers from Intel for Windows 7 / 2008 R2 soon. Maybe it is solved there.
BUT - there is always a but I know - I tested a standard Realtek network card and used it for the LAN. I could not see any changes.
3. Something is wrong with NAT I guess. Maybe bug or a wrong configuration - but I don't know what the ____ could be wrong configured because there is not much to configure regarding NAT, add the NAT and add the interface. So there is not much what can be done wrong with configuring NAT.
- Now I installed the just released Intel Network driver 14.7. I don't see any changes.
Furthermore I found out something interesting.
At this environment there is also a WLAN access point. The WLAN is WPA2 Enterprise. The WLAN uses as first RADIUS Server the 172.16.0.1 and as second RADIUS Server the S-RRAS-3. Because I haven't installed the RADIUS server at S-RRAS-2 the access point asks the S-RRAS-3. Anyways the authentication works, I am connected.
But here is the same. When the laptop is in WLAN I DON'T have internet access. When the laptop is connected to LAN I have got internet access. But with WLAN I can ping in all subnets. - The laptop will use the same DHCP server as LAN clients.
Now I am really confused.
- Edited by Markus Schuhmacher, Saturday, October 24, 2009 7:10 AM: added DHCP information
Any further ideas or recommendations?
- I completely reinstalled the server, didn't put him in the domain. I just installed the role and configured NAT and routing. Still the same.
I absolutely need a solution for this, otherwise I am forced to stay at the 2003 Server - it's a pity for the Hyper-V Server and the missing SMB 2 protocol.
Hi,
Thanks for your update.
As I mentioned in my first reply, I'd like to suggest you to double check whether there is any filters on the NIC.
1. In the RRAS MMC, double click the Interface in RRAS server--->IPv4--->General.
2. In the General tab of the Demand-dial interface, make sure that the Inbound Filters and Outbound Filters are all empty.
Also check how it works if you disable all firewalls (Windows Firewall or any other 3rd party firewalls). Because of the change in the Windows Server 2008 Windows Firewall, you will need to run "Netsh advfirewall set allprofiles state off" instead of terminating the Windows Firewall service to disable it.
If you have any questions or concerns, please do not hesitate to let me know.
- OK, again I checked the values. There are definitely no IP-filters set. Disabling the firewall did not change anything (it already was disabled).
I had the idea to check the mtu size. Unfortunately the MTU size was fine and reducing it did not show any effects.
The only error message I see in the log is at RRAS startup. It says that there is an error with adding the interface {...} to the IPv6 Router. But this message is totally uninteresting because I don't have IPv6 enabled.

