Cannot get NAT to route in RRAS

My current setup:

Win2k server, SP4 (AD, DHCP server, DNS server, IIS server, Exchange Server)
Two NICs:
NIC1 on subnet 192.168.1.0/255.255.255.0 IP 192.168.1.1
NIC2 on subnet 192.168.0.0/255.255.255.0 IP 192.168.0.1 but disabled and not
connected
ADSL modem to ISP, using PPP dial-up, link assigns static IP
83.67.xx.yy/255.255.255.255, and server IP at the other end 194.106.aa.bb, as
well as DNS addresses etc

NIC1 connected to switch in turn connects to all clients which are assigned
IPs from 192.168.1.5 to 192.168.1.254 by DHCP server.

Internet access to clients is achieved through ICS on the ADSL DUN connection.

This setup has worked fine so far: clients can access internet, DNS server
resolves external addresses for clients OK, external hosts can access IIS web
sites etc.

Here are the routing tables and ipconfig info using ICS:


***** routing table *****

C:\>route print
=====================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 40 f4 2c 9c 19 ...... Realtek RTL8139/810x Family Fast Ethernet NIC
0x41000004 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
=====================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 83.67.xx.yy 83.67.xx.yy 1
83.67.xx.yy 255.255.255.255 127.0.0.1 127.0.0.1 1
83.255.255.255 255.255.255.255 83.67.xx.yy 83.67.xx.yy 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.1 192.168.1.1 1
192.168.1.1 255.255.255.255 127.0.0.1 127.0.0.1 1
192.168.1.255 255.255.255.255 192.168.1.1 192.168.1.1 1
194.106.aa.bb 255.255.255.255 83.67.xx.yy 83.67.xx.yy 1
224.0.0.0 224.0.0.0 83.67.xx.yy 83.67.xx.yy 1
224.0.0.0 224.0.0.0 192.168.1.1 192.168.1.1 1
255.255.255.255 255.255.255.255 192.168.1.1 192.168.1.1 1
Default Gateway: 83.67.xx.yy
=====================================================
Persistent Routes:
None


***** ipconfig *****

C:\>ipconfig /all

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : server
Primary DNS Suffix . . . . . . . : **********
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : **********

Ethernet adapter Sputnik LAN:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek RTL8139/810x Family Fast
Ethernet NIC
Physical Address. . . . . . . . . : 00-40-F4-2C-9C-19
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 192.168.1.1

PPP adapter ADSLBroadband:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-53-45-00-00-00
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 83.67.xx.yy
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 83.67.xx.yy
DNS Servers . . . . . . . . . . . : 194.******
194.******
NetBIOS over Tcpip. . . . . . . . : Disabled


However, I want to allow remote access to the server, through VPN and modem
dial-up. So disabled ICS on ADSL DUN connection and enabled RRAS, manually
setting up NATs and dynamic dial link, with the appropriate static route
added. Link successfully connects, and can browse directly on server. Clients
can resolve internet names to correct IPs through the DNS server but cannot
browse.

Here are the routing tables and ipconfig info for RRAS with NAT:


***** routing table *****

C:\>route print
=====================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 40 f4 2c 9c 19 ...... Realtek RTL8139/810x Family Fast Ethernet NIC
0x1000003 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
0x43000004 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
=====================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 194.106.aa.bb 83.67.xx.yy 1
83.67.xx.yy 255.255.255.255 127.0.0.1 127.0.0.1 1
83.255.255.255 255.255.255.255 83.67.xx.yy 83.67.xx.yy 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.1 192.168.1.1 1
192.168.1.1 255.255.255.255 127.0.0.1 127.0.0.1 1
192.168.1.255 255.255.255.255 192.168.1.1 192.168.1.1 1
192.168.2.1 255.255.255.255 127.0.0.1 127.0.0.1 1
224.0.0.0 224.0.0.0 83.67.xx.yy 83.67.xx.yy 1
224.0.0.0 224.0.0.0 192.168.1.1 192.168.1.1 1
255.255.255.255 255.255.255.255 192.168.1.1 192.168.1.1 1
Default Gateway: 194.106.aa.bb
=====================================================
Persistent Routes:
None


***** ipconfig *****

C:\>ipconfig /all

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : server
Primary DNS Suffix . . . . . . . : ********
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : ********

Ethernet adapter Sputnik LAN:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek RTL8139/810x Family Fast
Ethernet NIC
Physical Address. . . . . . . . . : 00-40-F4-2C-9C-19
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 192.168.1.1

PPP adapter {43EF4B9F-EF8B-4947-8662-20124EAE5B7B}:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-53-45-00-00-00
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 83.67.xx.yy
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 194.106.aa.bb
DNS Servers . . . . . . . . . . . : 194.********
194.*********
NetBIOS over Tcpip. . . . . . . . : Disabled

PPP adapter RAS Server (Dial In) Interface:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-53-45-00-00-00
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.2.1
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 127.0.0.1


I have spent weeks troubleshooting this problem and I think I have tracked
the problem down to the default gateway assigned to the ADSL dynamic link.

When ICS is running and the ADSL link is established, you can see that the
default gateway is set to 83.67.xx.yy, same as the assigned IP, which is
understandable, it’s a two host subnet, the client end and server end,
anything will route to the 194.106.aa.bb address. Which is true, routing
works with ICS.

But with RRAS, NAT and a dynamic connection, you can see that the default
gateway is set to the 194.106.aa.bb address, the server end address, not the
client assigned address.

Am I on the right track? Is this the problem? And if so, how do I change the
default gateway? It’s non-settable in RRAS because it’s a dynamic link. Is
there an entry I can add to the routing table? If so, what and how?

Thanks a million in advance for any advice and help, this is really
frustrating.

Andrew.
 
The basic problem is that you are using an ADSL modem on the server.
RRAS likes to work with interfaces, and you can associate routes with
interfaces. (W2k3 now allows you to use a PPPoE interface, but that is not
included in W2k).

I would suggest that you set up a demand-dial interface to act as the
"public" interface in RRAS. You do not need to use "dial on demand". This
is optional and the server won't dial on demand if you don't put a check
mark in the box. But the demand-dial interface gives you something to attach
a default route to and it also gives you an interface to use as the public
interface for RRAS/NAT.
You can think of the demand dial interface as the symbolic name for your
Internet connection.

So set up a demand dial interface to connect to your ISP. Using the New
Static Route wizard, create a default route using this interface (ie put
0.0.0.0 0.0.0.0 in the boxes and select the interface from the dropdown
list). The system will automatically configure the default route when the
connection is made.

Since you are using AD, all the client machines and the server should be
using your local DNS server, not one at the ISP. You can modify your local
DNS server to resolve "foreign" URLs by setting it to forward to a public
DNS server (such as that at your ISP).
 
Thanks for the reply Bill,

Sorry, but I’ve used the wrong terminology in my first message; where I said
“dynamic dial link” I meant demand-dial. I created a demand-dial interface
called “ADSL Link” and set it as a persistent connection. When it was enabled
it connected to our ISP fine, and I could browse successfully on the server
when the link was up.

ADSL Link was set as the Public interface in NAT, and NIC1 as the internal.
The static route also adds in fine using the ADSL Link interface, but the
routing table still shows the default gateway discrepancy I described before
between the ICS and the RRAS setups.

As for DNS; I’ve left the DNS relay option in NAT unchecked as the server’s
separate DNS server handles client’s requests, and also because of AD. The
same applies to DHCP; NAT DHCP allocation is unchecked, the server’s separate
DHCP server handles client IP allocation, and I’ve checked that the DNS and
DG on clients point to the correct internal address of the server.

With RRAS running, clients are still allocated the correct IP information on
startup. And pinging external web addresses results in the name being resolved
correctly (I assume this is the DNS server happily going about its business
as it can see the internet directly from the demand-dial link) but pings
time out because nothing is routing correctly.

I have also noticed in the server’s ipconfig info that “IP Routing Enabled”
is set to Yes for ICS, but set to No for RRAS. Could this be the problem?

Andrew
 
If the server can browse the Internet, the clients should be able to do
the same using NAT. Do the clients have 192.168.1.1 as their default
gateway? What happens if you do a tracert to a remote site from a LAN client
machine?
 
I think I’ve cracked it, although not working completely 100%.

Once RRAS is set up for internet sharing using NAT, I went into the IP tab of
the RRAS service properties and cleared the “IP Routing” checkbox, applied
the changes, then checked the “IP Routing” checkbox and again applied the
changes. This sets the “IP Routing Enabled” line in ipconfig from No to Yes
and clients can successfully access the internet.

However, you have to repeat this every time the service is started, which is
a pain. Any suggestions as to why this may be?

But more importantly, private network can see internet.

Thanks again for all your help and suggestions.

Andrew.
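
Added example, not part of the original thread: a small Python parser that compares two saved `ipconfig /all` captures and reports only what changed, which is how the "IP Routing Enabled" difference between the ICS and RRAS setups stands out. The function names and the abridged sample captures are constructed for illustration.

```python
import re

FIELD = re.compile(r"^\s*([^:]+?)[ .]*:\s*(.*)$")  # "Name . . . : value"

def parse_ipconfig(text):
    """Split `ipconfig /all` text into global fields and per-adapter fields."""
    glob, adapters, current = {}, {}, None
    for line in map(str.strip, text.splitlines()):
        if line.endswith(":") and " adapter " in line:
            current = adapters.setdefault(line[:-1], {})
        elif (m := FIELD.match(line)):
            (glob if current is None else current)[m.group(1)] = m.group(2)
    return glob, adapters

def summarize(text):
    """Forwarding flag plus gateway per adapter IP (adapter names change)."""
    glob, adapters = parse_ipconfig(text)
    routing = glob.get("IP Routing Enabled", "").lower() == "yes"
    gateways = {f["IP Address"]: f.get("Default Gateway", "")
                for f in adapters.values() if "IP Address" in f}
    return {"ip_routing": routing, "gateways": gateways}

def compare(before, after):
    """Return {setting: (before, after)} for every value that changed."""
    a, b = summarize(before), summarize(after)
    changed = {}
    if a["ip_routing"] != b["ip_routing"]:
        changed["ip_routing"] = (a["ip_routing"], b["ip_routing"])
    for ip in sorted(set(a["gateways"]) | set(b["gateways"])):
        old, new = a["gateways"].get(ip), b["gateways"].get(ip)
        if old != new:
            changed["gateway " + ip] = (old, new)
    return changed

# Constructed samples, abridged from the two captures posted in the thread.
ICS = """IP Routing Enabled. . . . . . . . : Yes
Ethernet adapter Sputnik LAN:
IP Address. . . . . . . . . . . . : 192.168.1.1
PPP adapter ADSLBroadband:
IP Address. . . . . . . . . . . . : 83.67.xx.yy
Default Gateway . . . . . . . . . : 83.67.xx.yy
"""
RRAS = """IP Routing Enabled. . . . . . . . : No
Ethernet adapter Sputnik LAN:
IP Address. . . . . . . . . . . . : 192.168.1.1
PPP adapter {43EF4B9F-EF8B-4947-8662-20124EAE5B7B}:
IP Address. . . . . . . . . . . . : 83.67.xx.yy
Default Gateway . . . . . . . . . : 194.106.aa.bb
"""
```

Calling `compare(ICS, RRAS)` reports the forwarding flag going from enabled to disabled and the PPP adapter's gateway changing, while the unchanged LAN adapter is not listed.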
 