Everyone says IP routing must work...


Alexander Bach

....but it doesn't :(

Hello gentlemen,

We have a network of several XP workstations and a Win2000 Server which is a
domain controller, DHCP server, DNS server etc.
One of the workstations has 2 network cards, one of which is connected to
internet, another one is in the LAN.

Obviously, we wanted all computers to be able to access internet. For that,
I did the following:
1. Set the appropriate registry key to enable IP routing on that machine.
2. Set that machine to have a persistent IP address on the local network:
192.168.0.10
3. Set the DHCP server on the domain controller to give the clients the
Default Gateway value pointing to 192.168.0.10
4. Made sure no proxies or firewalls are on.

I thought that would be enough, but it doesn't work.

Some additional info:
Internet works on the router machine.
Tried to ping outer hosts by their IP addresses rather than domain names -
doesn't work
Tried tracert: shows the first hop to the router machine, then silence.
Tried to turn on the firewall in the internet connection properties and
turned all logging on just to see what would appear in log. A lot of DROP
messages appeared, but with no explanation why.

Here is the 'route print'
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 50 fc 91 14 fb ...... Realtek RTL8139/810X Family PCI Fast
Ethet NIC
0x10004 ...00 02 a5 54 6b 3d ...... Intel(R) PRO/100 VM Network Connection
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 213.133.161.21 213.133.161.22 30
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.0.0 255.255.255.0 192.168.0.10 192.168.0.10 30
192.168.0.10 255.255.255.255 127.0.0.1 127.0.0.1 30
192.168.0.255 255.255.255.255 192.168.0.10 192.168.0.10 30
213.133.161.20 255.255.255.252 213.133.161.22 213.133.161.22 30
213.133.161.22 255.255.255.255 127.0.0.1 127.0.0.1 30
213.133.161.255 255.255.255.255 213.133.161.22 213.133.161.22 30
224.0.0.0 240.0.0.0 192.168.0.10 192.168.0.10 30
224.0.0.0 240.0.0.0 213.133.161.22 213.133.161.22 30
255.255.255.255 255.255.255.255 192.168.0.10 192.168.0.10 1
255.255.255.255 255.255.255.255 213.133.161.22 213.133.161.22 1
Default Gateway: 213.133.161.21
===========================================================================
Persistent Routes:
None

Here is 'ipconfig /all'

Windows IP Configuration

Host Name . . . . . . . . . . . . : ALEXANDER
Primary Dns Suffix . . . . . . . : BPLAN-KIEV.local
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : Yes
DNS Suffix Search List. . . . . . : BPLAN-KIEV.local

Ethernet adapter Internet Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek RTL8139/810X Family PCI
Fast Ethernet NIC
Physical Address. . . . . . . . . : 00-50-FC-91-14-FB
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 213.133.161.22
Subnet Mask . . . . . . . . . . . : 255.255.255.252
Default Gateway . . . . . . . . . : 213.133.161.21
DNS Servers . . . . . . . . . . . : 213.133.160.24
213.133.160.64

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/100 VM Network
Connection
Physical Address. . . . . . . . . : 00-02-A5-54-6B-3D
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.0.10
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 192.168.0.1

Cheers,
Alex
 
Alexander Bach said:
...but it doesn't :(

Hello gentlemen,

We have a network of several XP workstations and a Win2000 Server which is a
domain controller, DHCP server, DNS server etc.
One of the workstations has 2 network cards, one of which is connected to
internet, another one is in the LAN.

Obviously, we wanted all computers to be able to access internet. For that,
I did the following:
1. Set the appropriate registry key to enable IP routing on that machine.
2. Set that machine to have a persistent IP address on the local network:
192.168.0.10
3. Set the DHCP server on the domain controller to give the clients the
Default Gateway value pointing to 192.168.0.10
4. Made sure no proxies or firewalls are on.

I thought that would be enough, but it doesn't work.

<snippage>


It's not enough to use IP routing to connect your private LAN to the
Internet.
All the machines on your LAN are on a private non-routable IP address range,
and no return path is possible.
You need to use some form of NAT device.

Your options:

Hardware NAT device:

1) Buy a broadband router for the Internet connection.
Assign its LAN side a static IP address on your LAN (perhaps
192.168.0.1)
Disable its DHCP server, so as not to interfere with the win2k server.
Set up the win2k DHCP to push out the router's address as default GW.
Be sure to leave your XP clients pointing to the server as DNS server.
(This is how I'd set it up.)

Software NAT:

2) Dual-home the server machine, and then
use ICS or RRAS on the server machine.

I don't know how nicely ICS will play alongside the
existing DNS and DHCP on the same machine.
It may wish to bind to the DNS and DHCP server ports.
It's not a configuration I've tried.

RRAS is more complex to set up, but would play
OK alongside your existing DNS and DHCP.


3) Set up ICS on the existing XP box.
It will demand to be 192.168.0.1.
Again, I'm not sure how well ICS will play here.
Its DHCP allocator may interfere with the real DHCP server.
I'm not sure if ICS will detect the presence of the
real DHCP and shut off its allocator.

In short, unless you feel like learning about RRAS, I'd buy a cheap router.
 
"Alexander Bach" said:
...but it doesn't :(

Hello gentlemen,

We have a network of several XP workstations and a Win2000 Server which is a
domain controller, DHCP server, DNS server etc.
One of the workstations has 2 network cards, one of which is connected to
internet, another one is in the LAN.

Obviously, we wanted all computers to be able to access internet. For that,
I did the following:
1. Set the appropriate registry key to enable IP routing on that machine.
2. Set that machine to have a persistent IP address on the local network:
192.168.0.10
3. Set the DHCP server on the domain controller to give the clients the
Default Gateway value pointing to 192.168.0.10
4. Made sure no proxies or firewalls are on.

I thought that would be enough, but it doesn't work.

Some additional info:
Internet works on the router machine.
Tried to ping outer hosts by their IP addresses rather than domain names -
doesn't work
Tried tracert: shows the first hop to the router machine, then silence.
Tried to turn on the firewall in the internet connection properties and
turned all logging on just to see what would appear in log. A lot of DROP
messages appeared, but with no explanation why.

Here is the 'route print' [remainder snipped]

I'm sorry, but everyone is wrong. ;-)

IP routing simply repeats all incoming packets on all network
connections. It isn't sufficient for sharing an Internet connection.

Internet sharing requires NAT (network address translation), where the
host computer receives Internet packets from other computers, replaces
their LAN IP addresses with its own external IP address, remembers
which computer sent the packets, sends the packets to the Internet,
gets the replies, and returns each reply to the computer that
requested it.

That's best done on the domain controller. Microsoft specifically
recommends not using Internet Connection Sharing on a domain client,
probably because of the DNS and DHCP problems that it would create.
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)

Please post any reply as a follow-up message in the news group
for everyone to see. I'm sorry, but I don't answer questions
addressed directly to me in E-mail or news groups.

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com
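
Added example, not part of any post in this thread: a small Python model of the translation both replies describe, using the external address from the posted ipconfig output. It goes slightly beyond the description by also translating ports so two clients can share the one address; the client addresses, the remote host and the port range starting at 50000 are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

WAN_IP = "213.133.161.22"  # external address from the thread's ipconfig output

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

def reply_can_return(pkt: Packet) -> bool:
    """A reply is addressed to pkt.src; private (RFC 1918) sources have no route back."""
    return not ipaddress.ip_address(pkt.src).is_private

class Nat:
    def __init__(self, wan_ip: str, first_port: int = 50000):  # port range is an assumption
        self.wan_ip = wan_ip
        self.next_port = first_port
        self.out = {}   # (lan_ip, lan_port, dst, dport) -> wan_port
        self.back = {}  # (wan_port, dst, dport) -> (lan_ip, lan_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite the LAN source to the external address and remember who sent it."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[(self.next_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
            self.next_port += 1
        return Packet(self.wan_ip, self.out[key], pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet):
        """Return the reply readdressed to its LAN owner, or None (drop) if no mapping."""
        owner = self.back.get((pkt.dport, pkt.src, pkt.sport))
        if owner is None or pkt.dst != self.wan_ip:
            return None
        return Packet(pkt.src, pkt.sport, owner[0], owner[1])

def demo():
    nat = Nat(WAN_IP)
    remote = "198.51.100.7"  # constructed documentation address
    a = Packet("192.168.0.50", 1025, remote, 80)  # constructed LAN clients
    b = Packet("192.168.0.51", 1025, remote, 80)
    a_out, b_out = nat.outbound(a), nat.outbound(b)
    reply_b = nat.inbound(Packet(remote, 80, WAN_IP, b_out.sport))
    stray = nat.inbound(Packet(remote, 80, WAN_IP, 50999))
    return reply_can_return(a), reply_can_return(a_out), a_out, b_out, reply_b, stray

if __name__ == "__main__":
    for item in demo():
        print(item)
```

The first two results contrast the forwarded-but-untranslated packet (no return path) with the translated one; the last shows that an inbound packet with no matching table entry is dropped.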
 