2008 R2 NAT Can't Use External IP from Internal LAN

  • Question

  • I have a 2008 R2 NAT setup with an IIS FTP server on another PC.  From a PC on the LAN I can connect to the LAN address of the FTP server - this shows me that everything on the LAN is setup correctly.  From a PC on the WAN I can connect to the WAN address of the FTP server - this shows me that everything on the WAN is setup correctly.  I now have a requirement for a PC on the LAN to connect to the FTP with the WAN address - this does not work, it does not connect.  How can I get a PC on the LAN to be able to use the WAN address of LAN servers?
    Monday, May 13, 2013 10:34 PM

Answers

  • Come on Microsoft, this is a standard feature.  Cisco calls it hairpinning.  Most Linux distros call it NAT reflection.  The generic term is recursive traffic or recursive requests or recursive lookups.  DD-WRT calls it reverse NAT.  Linksys calls it NAT Loopback.  This works on Belkin, Netgear, Zyxel, everything I've come across.  Now I come to 2008 R2 and this seems to be a feature that was deliberately left out, I don't know why.

    I have however found a solution - stop using Microsoft products.  I have once again migrated away from 2008 R2 and am now using pfSense, NAT reflection is working out great.


    Tizzom

    Wednesday, May 15, 2013 10:56 PM

All replies

  • Hello,

    this will not work, either connect via WAN or LAN.

    Your internal LAN with private IP ranges cannot be used with a public IP address. This requires routing through the internet and then back to the LAN.

    Why do you need this setup?


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Tuesday, May 14, 2013 10:51 AM
  • "this will not work," - you can't be serious that a D-Link router is more feature rich than Microsoft's server platform?  I can't connect either via WAN or LAN address, the address is hard-coded into the applications I need to use.

    This used to work with a cheap SOHO router, a D-Link, but these routers only support 20 ports to forward, I need more.  I have many apps that are hard-coded to connect to a sub-domain here - a ChunkVNC support app that allows our technicians, well, it's VNC, you're undoubtedly familiar with that, I have a file downloader app built with NSIS, I have technician portals, I have a Spiceworks ticket system, etc.  There are many apps and services that my technicians and I need to use regardless of location.  I need to be able to use the same app whether I'm at work, at home, or any other location.

    How can I get 2k8 R2 to allow this recursive traffic?


    Tizzom

    Tuesday, May 14, 2013 3:17 PM
  • Hello,

    please provide a drawing of your network with LAN, WAN and server and how the IP addresses are connected, so we understand your setup.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Wednesday, May 15, 2013 8:06 AM
  • IAD (Integrated Access Device - essentially the ISP's modem)
      -> 2008 R2 NAT (one NIC on public ISP side [66.28.xxx.xxx], one NIC on private LAN side [172.16.xxx.xxx])
             ->  Switch (Uplink port connected to private LAN NIC in 2008 R2 NAT server)
                    ->  My Workstation & Other Workstations, IIS, FTP, VNC Repeater, hMail, etc. [172.16.xxx.xxx]

    From the LAN [172.16.xxx.xxx] I need to be able to access my public IP [66.28.xxx.xxx].  Some of my support applications are hard-coded and thus I cannot use the LAN address.  Changing the email server IP every time I enter or leave the building on my phone from the LAN to the WAN and vice versa is unacceptable for me and my technicians.  I need to be able to just simply walk into Mordor, I need recursive traffic.



    Tizzom

    Wednesday, May 15, 2013 3:11 PM
  • Hi.

    you can't be serious that a D-Link router is more feature rich than Microsoft's server platform?  I can't connect either via WAN or LAN address, the address is hard-coded into the applications I need to use.

    Well, first off, Windows Server is a platform; a D-Link router is a router. If you were complaining about UAG or TMG I would understand. But back to the question.

    You say that the address is hard-coded. Unless the address is in IP format (really bad), if you are using an internal DNS you could create an authoritative zone with the same name as the FTP host; then you would get the internal IP on the inside, and the external one on the outside.


    Oscar Virot

    Wednesday, May 15, 2013 7:58 PM
  • Hello Tizzom,

    There are many router/firewalls out there, but only a few, very few, will allow a "U-Turn" meaning to access the WAN IP and then send it back in. The only routers I am aware of that support a u-turn feature are the DLink and Grayteks. I'm sure there are others out there.

    The best way to access internal resources is to create internal DNS zones that match the external name. For example, the public record for mail.yourdomain.com may be your WAN IP. Internally, we can create a mydomain.com zone, then create a mail A record under it, and provide the private IP address of the mail server. You can also create a zone called mail.mydomain.com, then create a blank A record with the internal IP.

    These methods I described are pretty much the de facto standard that 99% of companies use in the field. This way, when you connect internally, your phone, laptop, etc. is still configured to use mail.mydomain.com, but when they are connected to the network, they will get the private IP and things will be seamless to the user.

    I hope I explained it properly and clearly. If you have any questions, please post back.


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Wednesday, May 15, 2013 8:18 PM
  • You are suggesting split DNS zones, I need this to be configured on a per-port basis.  For example mydomain.com:21 will need to go to an FTP server with a LAN address 172.16.0.100 and mydomain.com:88 will need to go to a Spiceworks (web server) server with a LAN address 172.16.0.101 and mydomain.com:5901 will need to go to a VNC Repeater server with a LAN address of 172.16.0.102, etc.



    Tizzom

    Wednesday, May 15, 2013 8:33 PM
  • DNS does not deal with ports. It's a simple name to IP resolver. After you configured split-DNS, you still use the same name in the browser.

    However, what you're now saying is everything is using http://mydomain.com:88. If your Active Directory domain name is mydomain.com, then that may cause a problem internally. The LdapIpAddress under the AD DNS zone points to a record that looks like "(same as parent)  A  172.16.0.something".

    That record is one of the SRV records that AD uses, called the LdapIpAddress. Each DC registers an LdapIpAddress. It's used by clients for GPO, DFS, and DC to DC communications. Late edit: You CANNOT ALTER the LdapIpAddress or it will create major problems with AD.

    From the IPs you listed, 172.16.0.100, .101 & .102, I assume that they are DCs? And you are installing IIS and Spiceworks on a DC?

    If I may suggest, it may be better to use specific hostnames, and create the necessary records internally, such as:

    • ftp.mydomain.com  A  172.160.0.100
    • spiceworks.mydomain.com A 172.16.0.101 
      (FYI, for Spiceworks, I usually create a support.mydomain.com to make it easier for users to remember)
    • vnc.mydomain.com A 172.16.0.102
    • etc

    -

    If you use the same names internally and externally, then you shouldn't have a problem with the above.

    -


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.



    Wednesday, May 15, 2013 9:43 PM
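    Added example, not code from the thread: a small Python model of the two split-brain DNS layouts Ace describes (a full internal mydomain.com zone versus one small "pinpoint" zone per hostname with a same-as-parent A record) and of the answer a LAN client versus an Internet client gets for each name. Hostnames, addresses and the dnscmd command lines are constructed for illustration and are not from the thread; ports never enter resolution, so the per-port requirement is met by giving each service its own hostname.

```python
# Added example, not from the thread: model the split-brain DNS approach
# Ace describes, comparing a single internal mydomain.com zone with
# "pinpoint" zones (one zone per public hostname holding a same-as-parent
# A record). Names, IPs and the dnscmd syntax are constructed/assumed.

PUBLIC_DNS = {  # constructed: what resolvers on the Internet return
    "mydomain.com": "66.28.0.1",
    "ftp.mydomain.com": "66.28.0.1",
    "support.mydomain.com": "66.28.0.1",
    "vnc.mydomain.com": "66.28.0.1",
    "www.mydomain.com": "66.28.0.1",
}

LAN_OVERRIDES = {  # constructed: where those services live on the LAN
    "ftp.mydomain.com": "172.16.0.100",
    "support.mydomain.com": "172.16.0.101",
    "vnc.mydomain.com": "172.16.0.102",
}

def whole_zone(overrides, apex="mydomain.com"):
    """One internal zone for the apex; only the listed hosts exist inside it."""
    return {apex: {fqdn[: -(len(apex) + 1)]: ip for fqdn, ip in overrides.items()}}

def pinpoint_zones(overrides):
    """One tiny zone per FQDN; '@' is the same-as-parent (blank) A record."""
    return {fqdn: {"@": ip} for fqdn, ip in overrides.items()}

def resolve(fqdn, zones, public=PUBLIC_DNS):
    """Longest-suffix match like a DNS server: an internal zone is authoritative,
    so a name missing from it is NXDOMAIN (None), not forwarded to public DNS."""
    labels = fqdn.split(".")
    for i in range(len(labels)):
        zone = ".".join(labels[i:])
        if zone in zones:
            return zones[zone].get(".".join(labels[:i]) or "@")
    return public.get(fqdn)  # no internal zone matched: public answer applies

def dnscmd_script(zones):
    """Render zones as dnscmd lines for a Windows DNS server (syntax assumed)."""
    lines = []
    for zone, records in zones.items():
        lines.append(f"dnscmd /ZoneAdd {zone} /Primary /file {zone}.dns")
        lines += [f"dnscmd /RecordAdd {zone} {node} A {ip}" for node, ip in records.items()]
    return lines
```

    The model makes the caveat visible: with a whole internal mydomain.com zone, every public name not copied into it (www here) becomes NXDOMAIN on the LAN, while pinpoint zones override only the listed hosts and leave the rest resolving publicly.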
  • Come on Microsoft, this is a standard feature.  Cisco calls it hairpinning.  Most Linux distros call it NAT reflection.  The generic term is recursive traffic or recursive requests or recursive lookups.  DD-WRT calls it reverse NAT.  Linksys calls it NAT Loopback.  This works on Belkin, Netgear, Zyxel, everything I've come across.  Now I come to 2008 R2 and this seems to be a feature that was deliberately left out, I don't know why.

    I have however found a solution - stop using Microsoft products.  I have once again migrated away from 2008 R2 and am now using pfSense, NAT reflection is working out great.


    Tizzom

    I'm happy to hear you've found a solution that meets your needs.

    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Thursday, May 16, 2013 12:30 AM