Windows Server 2003 Routing

  • Question

  • I have an application that runs on Server 2003 that provides services to an office full of workstations. All the workstations are on one subnet which is connected to the server thru a NIC.

    I need to add a task that retrieves information from another service that exists on another subnet. I must not allow one subnet to access the other except thru the service on the server.

    The server has two NICs.

     

    I tried to configure the server as a router using RRAS. I am good at a lot of things, configuring RRAS is obviously not one of them.

    Any direction and/or assistance will be greatly appreciated.

    Mike

    Monday, November 14, 2011 9:41 PM

Answers

  • Hi Mike,

     

    Thanks for the update.

     

    > I want the server to be able to talk to both, but any computer connected on the .100.* subnet to be unable to get to the .200.* subnet.

     

    It seems we might have an issue with setting static route entries on this host. Please first make sure all hosts from subnet 100 can reach the interface 192.168.100.1. After that, please see if they can reach the interface 192.168.200.200 on this server by ping. This will help us verify whether the route entry for IP segment 192.168.200.0/24 has been properly set and bound to the interface “Local Area Connection 2”. Could you also show us the route table on this server here?

     

    Here is a sample of how it looks if properly configured:

     

    192.168.200.0 255.255.255.0 192.168.200.200 192.168.100.1

     

    192.168.100.0 255.255.255.0 192.168.100.1     192.168.200.200

     

    And we need to specify the interface if we want to deploy these services on a multihomed host and want to serve only the specified subnet:

     

    Configuring Multihomed Servers

    http://technet.microsoft.com/en-us/library/cc772564.aspx

     

    DHCP network interface card bindings

    http://technet.microsoft.com/en-us/library/cc770650.aspx

     

    Thanks.

     

    Tiger Li


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Wednesday, November 16, 2011 5:19 AM
  • Hi Mike,


    Thanks for the update.

     

    > Allow a service on this server bi-directional access to 192.168.200.* and 192.168.100.* while prohibiting 192.168.100.* from access to 192.168.200.*

     

    Basically, we should first set two static route entries on RRAS so that hosts can communicate with the other subnet through the RRAS router server. After that, we can set traffic restrictions based on needs by setting an inbound or outbound filter on the specified interface.

    Navigate to “IP routing” in the RRAS MMC and add the two static route entries below:

    Network Destination    Netmask          Gateway            Interface
    192.168.100.0          255.255.255.0    192.168.100.1      NIC1 (Local Area Connection)
    192.168.200.0          255.255.255.0    192.168.200.200    NIC2 (Local Area Connection 2)

     

    Add a static route

    http://technet.microsoft.com/en-us/library/cc758356(WS.10).aspx

     

    After that, use the “Ping” command to test the connectivity.

    For information about filters, we may refer to the links below:

     

    Add a packet filter

    http://technet.microsoft.com/en-us/library/cc738952(WS.10).aspx

     

    Configure Static Packet Filters

    http://technet.microsoft.com/en-us/library/dd469754(WS.10).aspx

     

    Thanks.

     

    Tiger Li


    Friday, November 18, 2011 3:46 PM
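
The route-then-filter approach in the answer above can be reasoned about before changing the server. The sketch below is an added example, not code from the thread or from Microsoft: a simplified Python model of route lookup plus an input filter on the .100-side interface, using the interface addresses from the `ipconfig /all` output posted in this thread. The filter representation, the function names and the sample destinations 192.168.200.50 and 203.0.113.10 are assumptions made for illustration.

```python
import ipaddress as ip

# Interfaces as reported by the ipconfig /all output in this thread.
LAN1, LAN2 = "Local Area Connection", "Local Area Connection 2"
IFACES = {LAN1: ip.ip_interface("192.168.200.200/24"),
          LAN2: ip.ip_interface("192.168.100.1/24")}
# Connected routes plus the default route via 192.168.200.1 on LAN1.
ROUTES = [(i.network, name) for name, i in IFACES.items()]
ROUTES.append((ip.ip_network("0.0.0.0/0"), LAN1))

def route_lookup(dst):
    """Longest-prefix match; returns the outgoing interface name."""
    return max((net.prefixlen, name) for net, name in ROUTES if dst in net)[1]

def passes_input_filter(flt, dst):
    """flt is None or (mode, networks), matched on destination address.
    'drop_matching' receives everything except matches;
    'allow_only_matching' drops everything except matches."""
    if flt is None:
        return True
    mode, nets = flt
    hit = any(dst in n for n in nets)
    return hit if mode == "allow_only_matching" else not hit

def decide(dst, in_iface, filters):
    """in_iface=None models traffic originated by a service on the server,
    which never crosses an interface's input filter (model assumption)."""
    dst = ip.ip_address(dst)
    if in_iface and not passes_input_filter(filters.get(in_iface), dst):
        return "drop"
    if any(dst == i.ip for i in IFACES.values()):
        return "local"
    return "forward via " + route_lookup(dst)

NO_FILTER = {}
# Deny-list: drop only packets from the .100 side addressed to 192.168.200.0/24.
DENYLIST = {LAN2: ("drop_matching", [ip.ip_network("192.168.200.0/24")])}
# Allow-list: the .100 side may reach the server's own address and nothing else.
ALLOWLIST = {LAN2: ("allow_only_matching", [ip.ip_network("192.168.100.1/32")])}

if __name__ == "__main__":
    for label, pol in [("none", NO_FILTER), ("deny", DENYLIST), ("allow", ALLOWLIST)]:
        for dst in ["192.168.100.1", "192.168.200.50", "203.0.113.10"]:
            print(f"{label:5} .100 host -> {dst:15} {decide(dst, LAN2, pol)}")
        print(f"{label:5} server    -> 192.168.200.50  {decide('192.168.200.50', None, pol)}")
```

In this model the deny-list still forwards 203.0.113.10 toward the default gateway, while the allow-list drops it. An allow-list this strict would also drop broadcast traffic such as DHCP requests, so it needs further entries before the server hosts DHCP for the .100 segment.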

All replies

  • Hi Mike,

     

    Thanks for posting here.

     

    So we are going to connect both subnets by using a Windows Server host with RRAS installed and two NICs. Basically, this can be done by adding several static route entries and binding them to the proper interface on this host. Unfortunately, the picture linked in your initial post seems dead; could you recheck the URL, please? Or maybe you can show us the current route table and ipconfig /all results here.

    I’d like to share some materials about how to add static routes on RRAS in order to create connectivity between the two subnets:

     

    How to Use Static Routes with Routing and Remote Access Service

    http://support.microsoft.com/kb/178993/en-us

     

    Chapter 5 – IP Routing

    http://technet.microsoft.com/en-us/library/bb727001.aspx

     

    Thanks.

     

    Tiger Li


    Tuesday, November 15, 2011 6:58 AM
  • Sorry the graphic didn't print. It was a drag-n-drop from a jpg of a sketch of the configuration.

    Here is a list of the ipconfig:

    -----------------------------------------------

    C:\Documents and Settings\Administrator.DC01J>ipconfig /all

    Windows IP Configuration

       Host Name . . . . . . . . . . . . : dc01j
       Primary Dns Suffix  . . . . . . . :
       Node Type . . . . . . . . . . . . : Unknown
       IP Routing Enabled. . . . . . . . : Yes
       WINS Proxy Enabled. . . . . . . . : No

    Ethernet adapter Local Area Connection:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : BCM5703 Gigabit Ethernet
       Physical Address. . . . . . . . . : 00-0B-CD-EE-75-13
       DHCP Enabled. . . . . . . . . . . : No
       IP Address. . . . . . . . . . . . : 192.168.200.200
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 192.168.200.1

    Ethernet adapter Local Area Connection 2:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : BCM5703 Gigabit Ethernet #2
       Physical Address. . . . . . . . . : 00-0B-CD-EE-75-12
       DHCP Enabled. . . . . . . . . . . : No
       IP Address. . . . . . . . . . . . : 192.168.100.1
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . :
       DNS Servers . . . . . . . . . . . : 192.168.1.254
       NetBIOS over Tcpip. . . . . . . . : Disabled

     

    --------------------------------

    I read the references and understand IP routing in general.

    The 192.168.200.* is a local LAN that is Internet connected thru a gateway at 192.168.200.1.

    The 192.168.100.* is a local LAN that has one workstation for testing.

    I want the server to be able to talk to both, but any computer connected on the .100.* subnet to be unable to get to the .200.* subnet.

    Essentially to isolate the .100.* from the internet connected segment.

    Later I want this server to host DHCP and DNS for the .100.* segment. It will have up to 30 workstations on this segment.

    Thanks again. Got me a lot further ahead.

    Your assist in the next step will be greatly appreciated.

     

    Mike

     

     

    Tuesday, November 15, 2011 10:48 PM
  • Thanks again.

     

    First, a little humor.

    No matter what I did I could reach the Internet from the isolated segment. The Internet is connected to the .200 segment. A lot of effort and still no reason that I could find. To test I was pinging my WAP IP. Finally I discovered why: I am using a laptop on the .100 segment as a test workstation. It has a WiFi port. It is connecting to a local hotspot. How stupid of me.

    Ok - I turn off the WiFi and bingo - no route to host.

    The workstation is 192.168.100.4.

    It can ping NIC2 on the server (192.168.100.1).

    It cannot ping NIC1 on the server (192.168.200.200)

    So it seems to be working in that direction.

    I got kicked out of the office and will pick this up in the AM (08:00 EST) GMT -5

    Thanks again.

     

    Mike

     

     

    Thursday, November 17, 2011 1:52 AM
  • Hi Mike,

     

    Thanks for the update.

    Glad we are making some progress!

    If we can reach the RRAS interface that is in the same subnet but not the other one, then we may first check the static route entries as I suggested previously, and this should help us do the trick.

    Please keep posting back if there is any update.

     

    Thanks.


    Tiger Li


    Thursday, November 17, 2011 8:59 AM

  • Here is the current status:

    This table was not setup or modified by me. It is what Windows generated when I installed RRAS.

    If I understand correctly I will need to alter the routing table to restrict access.

    Can you offer what I should enter?

    Also can you point me to a tutorial on how to do this? I need to learn how to setup this on other machines as we deploy different configurations.

    The next message will include the topology drawing.

    Thanks.

     

    Mike

    Friday, November 18, 2011 1:20 AM
  • Friday, November 18, 2011 1:20 AM
  • Thanks Tiger..

    I was involved in a minor accident that kept me away. I will be back working in this, and lots more on Monday next. Thank you and a great holiday to you.

    Mike

    Wednesday, November 23, 2011 6:11 PM