Hyper-V + RRAS + NAT + VPN

    Question

  • Hello all,

    I'm having a little problem with a specific RRAS setup, which I've read many articles here about, but couldn't find an answer.

    I have a 2008 R2 server running at a German provider's network.

    It has two public IP addresses assigned with a 32-bit subnet mask.

    On this server, RRAS and Hyper-V are installed, the two public addresses are assigned to the external NIC, an internal NIC is set up as Hyper-V network (192.168.20.1), with some VMs (Internal Network is 192.168.20.0/24).

    Two IPsec connections are set up on the main server as advanced firewall rules, to connect to two remote locations (192.168.21.0/24 and 192.168.22.0/24).

    RRAS is acting as NAT gateway for the 192.168.20.0 network.

    I had to set up two static routes in RRAS (192.168.21.0 mask 255.255.255.0 to 192.168.20.1 and 192.168.22.0 mask 255.255.255.0 to 192.168.20.1), so that the VM traffic to the remote locations is not NATed.

    This setup is running perfectly.

    The problem is:

    I want to port forward traffic from the outside static IPs to the VMs. This is working, as long as I configure "This interface" as source in the RRAS NAT setting. As soon as I add the two IP addresses to the NAT address pool, NAT stops working.

    This means the VMs are still able to connect to the two remote locations, but not to the internet through the RRAS NAT.

    I would like to point one port 80 to another internal VM than the other port 80 ... this is not possible because I can't add pool addresses ... any idea?

    Thank you!

    June 21, 2012, 12:17 PM

All replies

  • Hi MasterBratac,

    Thanks for posting here.

    So may I know if we have created a VPN tunnel between this Hyper-V server and the remote 192.168.21.0/24 and 192.168.22.0/24, because this Hyper-V host is directly connected to the internet with two valid internet addresses bound.

    VMs (192.168.20.0/24) — RRAS — (VPN over Internet?) — (?) — (private subnets 192.168.21.0/24 and 192.168.22.0/24)

    What do you mean NAT would stop when we added addresses into the address pool? Were these VMs unable to access the internet anymore?

    Had we bound the multiple internet addresses to the external-facing interface before we created the NAT with the RRAS wizard? Perhaps we can reconfigure the NAT by rerunning the wizard.

    Setting static port mappings should achieve the goal you want: accessing internal websites hosted on different VMs via multiple internet addresses.

    NAT Processes and Interactions

    http://technet.microsoft.com/en-us/library/cc756722(WS.10).aspx#w2k3tr_nat_how_rlsm

    Thanks.

    Tiger Li

    TechNet Community Support

    June 22, 2012, 06:23 AM
  • Hello Tiger Li,

    The situation is this:

        VMs (192.168.20.0/24)
                 |
        Hyper-V server with RRAS (internal Hyper-V network 192.168.20.1)
                 |
        NAT to internet for VMs ------ External NIC (two addresses 1.1.1.1/32 and 2.2.2.2/32)
                 |
        IPsec to remote locations (192.168.21/22.0)

    NAT to internet from VMs is OK, traffic from and to remote locations is also OK.

    The problem is port forwarding traffic from the internet to the VMs.

    If I leave the Address Pool tab in the NAT settings of the external NIC empty, and set up port forwarding from "this interface" to an internal IP, this is working on both external IP addresses.

    As soon as I put both external addresses in the pool tab, to be able to split the traffic from one port 80 to e.g. 192.168.20.11 and the other port 80 to 192.168.20.12, the VMs are not able anymore to talk to the internet.

    This happens even with no port forwardings configured ... set an address in the pool ... NAT to outside is dead.

    The VMs are still able to access the remote locations.

    All external addresses are bound to the external interface; the RRAS wizard was run after I bound the addresses.


    June 22, 2012, 03:19 PM
  • Hi,

    Thanks for posting here.

    >As soon as I put both external addresses in the pool tab, to be able to split the traffic from one port 80 to e.g. 192.168.20.11 and the other port 80 to 192.168.20.12, the VMs are not able anymore to talk to the internet.

    >This happens even with no port forwardings configured ... set an address in the pool ... NAT to outside is dead.

    Have we tried restarting RRAS to see if the VMs can access the internet through its NAT service?

    Please show us the results of the commands "ipconfig /all", "netsh routing ip nat show interface" and "netsh routing ip nat show global" from the Hyper-V host here. You may want to hide the internet addresses in the results.

    http://technet.microsoft.com/de-de/library/cc754535(WS.10).aspx#BKMK_103

    Thanks.

    Tiger Li

    TechNet Community Support

    June 25, 2012, 06:34 AM
  • >Have we tried restarting RRAS to see if the VMs can access the internet through its NAT service?

    I tried this already ... doesn't change anything.

    C:\Users\Administrator>ipconfig /all

    Windows-IP-Konfiguration

       Hostname  . . . . . . . . . . . . : XXX
       Primäres DNS-Suffix . . . . . . . :
       Knotentyp . . . . . . . . . . . . : Hybrid
       IP-Routing aktiviert  . . . . . . : Ja
       WINS-Proxy aktiviert  . . . . . . : Nein

    PPP-Adapter RAS (Dial In) Interface:

       Verbindungsspezifisches DNS-Suffix:
       Beschreibung. . . . . . . . . . . : RAS (Dial In) Interface
       Physikalische Adresse . . . . . . :
       DHCP aktiviert. . . . . . . . . . : Nein
       Autokonfiguration aktiviert . . . : Ja
       IPv4-Adresse  . . . . . . . . . . : 192.168.20.109(Bevorzugt)
       Subnetzmaske  . . . . . . . . . . : 255.255.255.255
       Standardgateway . . . . . . . . . :
       NetBIOS über TCP/IP . . . . . . . : Aktiviert

    Ethernet-Adapter Hyper-V internal:

       Verbindungsspezifisches DNS-Suffix:
       Beschreibung. . . . . . . . . . . : Hyper-V internal
       Physikalische Adresse . . . . . . : 00-15-5D-82-60-03
       DHCP aktiviert. . . . . . . . . . : Nein
       Autokonfiguration aktiviert . . . : Ja
       IPv4-Adresse  . . . . . . . . . . : 192.168.20.1(Bevorzugt)
       Subnetzmaske  . . . . . . . . . . : 255.255.255.0
       Standardgateway . . . . . . . . . :
       NetBIOS über TCP/IP . . . . . . . : Aktiviert

    Ethernet-Adapter External:

       Verbindungsspezifisches DNS-Suffix:
       Beschreibung. . . . . . . . . . . : Broadcom NetLink (TM) Gigabit Ethernet
       Physikalische Adresse . . . . . . : 00-19-99-A7-90-D2
       DHCP aktiviert. . . . . . . . . . : Nein
       Autokonfiguration aktiviert . . . : Ja
       IPv4-Adresse  . . . . . . . . . . : 1.1.1.1(Bevorzugt)
       Subnetzmaske  . . . . . . . . . . : 255.255.255.255
       IPv4-Adresse  . . . . . . . . . . : 2.2.2.2(Bevorzugt)
       Subnetzmaske  . . . . . . . . . . : 255.255.255.255
       Standardgateway . . . . . . . . . : 10.255.255.1
       DNS-Server  . . . . . . . . . . . : 8.8.8.8
                                           8.8.4.4
       NetBIOS über TCP/IP . . . . . . . : Aktiviert

    Tunneladapter isatap.{2A032AF1-795D-4BAF-94DE-0CDC325060CA}:

       Medienstatus. . . . . . . . . . . : Medium getrennt
       Verbindungsspezifisches DNS-Suffix:
       Beschreibung. . . . . . . . . . . : Microsoft ISATAP Adapter
       Physikalische Adresse . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP aktiviert. . . . . . . . . . : Nein
       Autokonfiguration aktiviert . . . : Ja

    Tunneladapter 6TO4 Adapter:

       Verbindungsspezifisches DNS-Suffix:
       Beschreibung. . . . . . . . . . . : Microsoft 6to4 Adapter
       Physikalische Adresse . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP aktiviert. . . . . . . . . . : Nein
       Autokonfiguration aktiviert . . . : Ja
       IPv6-Adresse. . . . . . . . . . . : 2002:d9a0:8260::d9a0:8260(Bevorzugt)
       IPv6-Adresse. . . . . . . . . . . : 2002:d9a0:ce85::d9a0:ce85(Bevorzugt)
       Standardgateway . . . . . . . . . : 2002:c058:6301::c058:6301
       DNS-Server  . . . . . . . . . . . : 8.8.8.8
                                           8.8.4.4
       NetBIOS über TCP/IP . . . . . . . : Deaktiviert

    Tunneladapter Local Area Connection* 9:

       Medienstatus. . . . . . . . . . . : Medium getrennt
       Verbindungsspezifisches DNS-Suffix:
       Beschreibung. . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physikalische Adresse . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP aktiviert. . . . . . . . . . : Nein
       Autokonfiguration aktiviert . . . : Ja

    Tunneladapter isatap.{6E06F030-7526-11D2-BAF4-00600815A4BD}:

       Medienstatus. . . . . . . . . . . : Medium getrennt
       Verbindungsspezifisches DNS-Suffix:
       Beschreibung. . . . . . . . . . . : Microsoft ISATAP Adapter #2
       Physikalische Adresse . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP aktiviert. . . . . . . . . . : Nein
       Autokonfiguration aktiviert . . . : Ja

    Tunneladapter isatap.{87E63AC2-EC40-42B8-A5CD-866C9EE4781D}:

       Medienstatus. . . . . . . . . . . : Medium getrennt
       Verbindungsspezifisches DNS-Suffix:
       Beschreibung. . . . . . . . . . . : Microsoft ISATAP Adapter #3
       Physikalische Adresse . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP aktiviert. . . . . . . . . . : Nein
       Autokonfiguration aktiviert . . . : Ja

    C:\Users\Administrator>netsh routing ip nat show global

    NAT-Konfigurationsinformationen
    -------------------------------
    TCP-Zeitlimit (Minuten)   : 1440
    UDP-Zeitlimit (Minuten)   : 1
    Protokollierungsstufe     : Nur Fehler

    ----------------------------------------------------------------------------------------------------------------------------------------------------

    With this setting, NAT outside is OK, no pool addresses.

    ----------------------------------------------------------------------------------------------------------------------------------------------------

    C:\Users\Administrator>netsh routing ip nat show interface

    Konfiguration für NAT External
    ---------------------------
    Modus             : Adress- und Portübersetzung


    Statische NAT-Portzuordnungskonfiguration
    ----------------------------------------------
    Protokoll         : UDP
    Öffentl. Adresse  : 0.0.0.0
    Öffentl. Port     : 500
    Private Adresse   : 127.0.0.1
    Privater Port     : 500

    Protokoll         : UDP
    Öffentl. Adresse  : 0.0.0.0
    Öffentl. Port     : 4500
    Private Adresse   : 127.0.0.1
    Privater Port     : 4500

    Protokoll         : UDP
    Öffentl. Adresse  : 0.0.0.0
    Öffentl. Port     : 1701
    Private Adresse   : 127.0.0.1
    Privater Port     : 1701

    Protokoll         : TCP
    Öffentl. Adresse  : 0.0.0.0
    Öffentl. Port     : 1723
    Private Adresse   : 127.0.0.1
    Privater Port     : 1723

    Konfiguration für NAT Hyper-V internal
    ---------------------------
    Modus             : Private Schnittstelle


    Konfiguration für NAT Intern
    ---------------------------
    Modus             : Private Schnittstelle

    ----------------------------------------------------------------------------------------------------------------------------------------------------

    With this setting, 1 address in the pool, NAT outside isn't working anymore.

    ----------------------------------------------------------------------------------------------------------------------------------------------------

    C:\Users\Administrator>netsh routing ip nat show interface

    Konfiguration für NAT External
    ---------------------------
    Modus             : Adress- und Portübersetzung


    NAT-Adresspoolkonfiguration
    ---------------------------
    Startadresse      : 1.1.1.1
    Endadresse        : 1.1.1.1
    Subnetzmaske      : 255.255.255.255

    Statische NAT-Portzuordnungskonfiguration
    ----------------------------------------------
    Protokoll         : UDP
    Öffentl. Adresse  : 0.0.0.0
    Öffentl. Port     : 500
    Private Adresse   : 127.0.0.1
    Privater Port     : 500

    Protokoll         : UDP
    Öffentl. Adresse  : 0.0.0.0
    Öffentl. Port     : 4500
    Private Adresse   : 127.0.0.1
    Privater Port     : 4500

    Protokoll         : UDP
    Öffentl. Adresse  : 0.0.0.0
    Öffentl. Port     : 1701
    Private Adresse   : 127.0.0.1
    Privater Port     : 1701

    Protokoll         : TCP
    Öffentl. Adresse  : 0.0.0.0
    Öffentl. Port     : 1723
    Private Adresse   : 127.0.0.1
    Privater Port     : 1723

    Konfiguration für NAT Hyper-V internal
    ---------------------------
    Modus             : Private Schnittstelle


    Konfiguration für NAT Intern
    ---------------------------
    Modus             : Private Schnittstelle


    June 25, 2012, 10:38 AM
  • No ideas, anybody?
    July 3, 2012, 11:50 AM
  • Hi, I had the very same problem and found the root cause. Problem is that I have no idea how to fix it right now.

    The problem is the subnet mask 255.255.255.255 for the additional public IPs that you configure as pool IPs for the NAT interface.

    Remove the IPs from the NAT pool list and it instantly (no need to restart the RRAS service) works for the VMs again.

    I have been trying to find a solution for a couple of days.

    As I'm a member of the Microsoft Infrastructure Inner Circle in Germany, I am forwarding this issue now to my MS friends.

    Let's see what they tell me.

    Cheers

    April 27, 2014, 11:25 PM
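A small diagnostic for the condition the last reply points at, added here as an example (it is not from the thread, from Microsoft, or part of RRAS): it parses the German-locale `netsh routing ip nat show interface` output quoted earlier in the thread and flags NAT address-pool ranges configured with a 255.255.255.255 mask. The sample text is constructed from that output, and 1.1.1.1 is the thread's own placeholder public address; the English-locale field labels are not handled.

```python
import re
from ipaddress import IPv4Address, IPv4Network
# Constructed sample modelled on the German-locale "netsh routing ip nat show interface"
# output quoted in the thread; 1.1.1.1 is the thread's own placeholder public address.
SAMPLE = """\
Konfiguration für NAT External
---------------------------
Modus             : Adress- und Portübersetzung

NAT-Adresspoolkonfiguration
---------------------------
Startadresse      : 1.1.1.1
Endadresse        : 1.1.1.1
Subnetzmaske      : 255.255.255.255

Konfiguration für NAT Hyper-V internal
---------------------------
Modus             : Private Schnittstelle
"""

POOL_KEYS = ("Startadresse", "Endadresse", "Subnetzmaske")

def parse_nat_pools(text):
    """Return (interface, start, end, mask) for every address-pool range in the output."""
    pools, iface, cur = [], None, {}
    for raw in text.splitlines():
        line = raw.strip()
        header = re.match(r"Konfiguration für NAT (.+)$", line)
        if header:                       # a new per-interface section starts here
            iface, cur = header.group(1).strip(), {}
            continue
        field = re.match(r"(Startadresse|Endadresse|Subnetzmaske)\s*:\s*(\S+)", line)
        if field:
            cur[field.group(1)] = field.group(2)
            if all(k in cur for k in POOL_KEYS):   # one complete range collected
                pools.append((iface,) + tuple(cur[k] for k in POOL_KEYS))
                cur = {}
    return pools

def pool_warnings(pools):
    """Flag ranges with a host mask (/32), which the last reply blames for the dead outbound NAT."""
    warnings = []
    for iface, start, end, mask in pools:
        net = IPv4Network(f"{start}/{mask}", strict=False)
        if net.prefixlen == 32:
            warnings.append(f"{iface}: pool {start}-{end} uses host mask {mask} (/32)")
        elif IPv4Address(end) not in net:   # end address outside the network the mask implies
            warnings.append(f"{iface}: pool end {end} lies outside {net}")
    return warnings
```

Feed it the saved output of the netsh command; an empty warning list means no pool range on any NAT interface carries a host mask.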