Is there a guide online dealing with using RRAS as just a LAN router?
I've got a setup using a dual-NIC win2k8 enterprise box to route two networks. Each has their own internet connection. I just need to route network A on 192.168.12.0 with network B on 192.168.1.0. The w2k8 box is 192.168.12.38 and 192.168.1.38. The RAS box itself can see both networks and all devices just fine. The outbound router for each network is running dd-wrt and are numbered 192.168.12.1 and 192.168.1.1 respectively. Clearly something's not sharing routing info. But before I go digging through docs, I thought it'd be worth asking here.
Thanks,
-Bill Kearney
Hello Bill,
For proper routing, choose a router to connect the networks, not the server. Especially if the server is also a DC, multihoming is a bad solution.
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> Is there a guide online dealing with using RRAS as just a LAN router?
>
> I've got a setup using a dual-NIC win2k8 enterprise box to route two
> networks. Each has their own internet connection. I just need to
> route network A on 192.168.12.0 with network B on 192.168.1.0. The
> w2k8 box is 192.168.12.38 and 192.168.1.38. The RAS box itself can
> see both networks and all devices just fine. The outbound router for
> each network is running dd-wrt and are numbered 192.168.12.1 and
> 192.168.1.1 respectively. Clearly something's not sharing routing
> info. But before I go digging through docs, I thought it'd be worth
> asking here.
>
> Thanks,
> -Bill Kearney
> For proper routing, choose a router to connect the networks, not the
> server. Especially if the server is also a DC, multihoming is a bad
> solution.
What, is RAS incapable of doing this? This is not a DC, nor does it run services used by workstations.
"Bill Kearney" <wkearney99[ at ]hotmail.com> wrote in message news:_ZmdnUOr1eiRfdfUnZ2dnUVZ_uCdnZ2d[ at ]speakeasy.net...
>> For proper routing, choose a router to connect the networks, not the
>> server. Especially if the server is also a DC, multihoming is a bad
>> solution.
>
> What, is RAS incapable of doing this? This is not a DC, nor does it run
> services used by workstations.
Routing between two segments "just works" only if the router is the default gateway for both segments. If each network is using an existing default router, installing and enabling an internal router (RRAS or anything else) won't do anything because traffic will never use it. All traffic will still go to the default router, which has no information about your internal router.
The easiest fix is to add a static route to each gateway router to bounce the traffic for the "other" local network to the internal router.
> The easiest fix is to add a static route to each gateway router to bounce
> the traffic for the "other" local network to the internal router.
This much I assumed. Yet in setting up static routes it's not working. Thus my inquiry as to setup guide info for this sort of thing. If it CAN work then it must be some missing configuration. Either on the RRAS box, the segment routers or both. I don't expect to hash it all out here, just trying to find links to docs online.
Thanks,
-Bill Kearney
"Bill Kearney" <wkearney99[ at ]hotmail.com> wrote in message news:1tednbj9iqHlTNbUnZ2dnUVZ_h-dnZ2d[ at ]speakeasy.net...
> This much I assumed. Yet in setting up static routes it's not working.
> Thus my inquiry as to setup guide info for this sort of thing. If it CAN
> work then it must be some missing configuration. Either on the RRAS box,
> the segment routers or both. I don't expect to hash it all out here, just
> trying to find links to docs online.
The root of your problem is the two Internet connections. That is, I mean, each LAN has its own.
Using a design with single RRAS box between the LANs assumes there is only one Internet connection. In that model each LAN uses the RRAS box as their Default Gateway,..and then the RRAS box uses the Firewall as its default Gateway. It all works fine & dandy when there is only one internet connection. But it fails in your case.
Since each LAN has their own internet connection you have to work it like there is a WAN connection between the two LANs (even if it isn't really a WAN).
What is a WAN connection like??? Well, it has two routers,...one on each end of the WAN link,...meaning each site has its "own" router. So how do you do it here?? Well, you have to use two RRAS boxes with a /30 network (a 2-host network) between them.
Like this:
              [Internet]              [Internet]
                   |                       |
             <firewall #1>           <firewall #2>
                   |                       |
[LAN #1]-------<RRAS #1>---------------<RRAS #2>-------[LAN #2]

1. All hosts on LAN#1 use RRAS#1 as their Default Gateway
2. RRAS#1 uses Firewall#1 as its Default Gateway
3. So RRAS#1 is the primary routing "decision maker" for LAN#1

4. All hosts on LAN#2 use RRAS#2 as their Default Gateway
5. RRAS#2 uses Firewall#2 as its Default Gateway
6. So RRAS#2 is the primary routing "decision maker" for LAN#2

7. The two RRAS boxes use Dynamic Routing Protocols (like maybe RIP) so that they "know" how to get the traffic to the correct LAN between themselves. If you don't want to use Dynamic Routing Protocols then a couple of Static Routes should work.
--
Phillip Windell
www.wandtv.com
The views expressed, are my own and not those of my employer, or Microsoft, or anyone else associated with me, including my cats. -----------------------------------------------------
> The root of your problem is the two Internet connections. That is, I
> mean, each LAN has its own.
No, not if I don't expect the devices on each segment to use the other outbound gateway. I just want the hosts to connect to each other. This should be a simple case of static routes. 0.0.0.0 defaults to each segment's own 192.168.x.1 router. The traffic for the other network should be handled by a static route.
The reason for using the RAS box is the networks are gigabit Ethernet, and the server already has dual NIC ports. I'd rather not have to upgrade to a gig-E capable router.
> [LAN #1]----<RRAS #1>---<RRAS #2>----[LAN #2]
Two RAS boxes? That's a stupid waste of money.

> The easiest fix is to add a static route to each gateway router to bounce
> the traffic for the "other" local network to the internal router.
That would only work if the router was actually working properly. I loaded a firmware update to it and now things are routing properly.

Before I address this further below,...keep in mind that the root cause is due to you having a single-subnet LAN that does not already have a LAN Router making the routing decisions, which leaves your Firewall as the Default Gateway of everything.
If your LAN were multi-segment with a LAN Router as the Default Gateway of everything (meaning the firewall would not be such),...you would not even be having this problem.
Now,...onward....
"Bill Kearney" <wkearney99[ at ]hotmail.com> wrote in message news:ysqdnYkCa5qpV9HUnZ2dnUVZ_gmdnZ2d[ at ]speakeasy.net...
>> The root of your problem is the two Internet connections. That is, I
>> mean, each LAN has its own.
>
> No, not if I don't expect the devices on each segment to use the other
> outbound gateway.

No, just the opposite: two routers as I described is what lets each side use their own internet connection instead of one side being forced to use the "other side's" Internet connection,..which is what a single router causes.
Think this illustration through. Your problem is the exact same situation you would create if you had two subnets on your LAN with a single router between them,...then tried to have each subnet with its own separate firewall and internet connection. It just would not work like that because both subnets would need to use the LAN Router as the Default Gateway, which in turn would use one of the Firewalls as its Default Gateway (leaving the other firewall unused).
> I just want the hosts to connect to each other.
Then it takes what I described. Although I have another suggestion below..
> Two RAS boxes? That's a stupid waste of money.
That is a matter of opinion. If that is what the network structure requires,..then that is what it requires.
However, with modern Firewalls there is a new option if the Firewalls are multi-interfaced (more than just 2). Many Firewalls have other interfaces that can be used for additional "internal" segments or DMZ segments. If the two firewalls involved can have an additional "internal" segment (that's internal, not DMZ) on one of their other interfaces, then you would connect the two "extra" interfaces of the firewalls to each other and give it the "2-host" IP Segment,..then establish a "routed" relationship (not a firewalled NAT) between the real LAN segments and this one. It would look like this:

  [Internet]                        [Internet]
       |                                 |
 <Firewall #1>-----2-host link-----<Firewall #2>
       |                                 |
   [LAN #1]                          [LAN #2]

Now each LAN can use its own Firewall as its Default Gateway and it works fine because the Firewall is pulling double duty by acting as a LAN Router and a Firewall at the same time. Notice with this that you **still** have two router boxes involved :-),...it is just that you didn't have to buy anything because something you already have in place is doing multiple jobs.
Hope that makes sense...
--
Phillip Windell
www.wandtv.com
The views expressed, are my own and not those of my employer, or Microsoft, or anyone else associated with me, including my cats. -----------------------------------------------------
"Bill Kearney" <wkearney99[ at ]hotmail.com> wrote in message news:8OidnWhrDrWcps_UnZ2dnUVZ_uWdnZ2d[ at ]speakeasy.net...
>> The easiest fix is to add a static route to each gateway router to
>> bounce the traffic for the "other" local network to the internal router.
>
> That would only work if the router was actually working properly. I
> loaded a firmware update to it and now things are routing properly.

This update allows it to do the "Network behind a Network" model without dropping the traffic as spoofed. This is kind of a step *down* in security rather than a step up. But if people complain that they want something badly enough, the manufacturers will give it to them even if it is a bad thing. Some firewall products still won't do this because it breaks the "state" of the traffic, in that the Firewall only sees half of the conversation because return traffic coming back from the other side goes directly to the original client and not through the firewall.
Here is an article describing the situation when using SBS Premium with ISA2004 on it:
The Official SBS Blog : Network Behind a Network http://blogs.technet.com/sbs/archive/2007/11/29/network-behind-a-network.aspx
Notice that their diagram has two routers between the subnets in a "WAN style" configuration and their solution is the same as mine.
--
Phillip Windell
www.wandtv.com
The views expressed, are my own and not those of my employer, or Microsoft, or anyone else associated with me, including my cats. -----------------------------------------------------
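The static-route fix from earlier in the thread and the "half of the conversation" point above can both be checked with a small longest-prefix-match forwarding model. This is an added example, not code from anyone in the thread: the gateway and RRAS addresses come from Bill's description, while the .50 host addresses and the device names are constructed for the example.

```python
import ipaddress

# Constructed model of the thread's topology: LAN A 192.168.12.0/24, LAN B 192.168.1.0/24,
# dd-wrt gateways at .1 on each, the dual-NIC RRAS box at 192.168.12.38 / 192.168.1.38.
# The .50 hosts and the device names are assumptions made for this example.
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
LAN_A = ipaddress.ip_network("192.168.12.0/24")
LAN_B = ipaddress.ip_network("192.168.1.0/24")
ADDR = {"192.168.12.1": "gw1", "192.168.1.1": "gw2", "192.168.12.38": "rras",
        "192.168.1.38": "rras", "192.168.12.50": "hostA", "192.168.1.50": "hostB"}


def make_tables(gateways_have_static_routes):
    """Routing tables as (prefix, next_hop) lists; next_hop None means directly connected."""
    tables = {
        "hostA": [(LAN_A, None), (DEFAULT, "192.168.12.1")],
        "hostB": [(LAN_B, None), (DEFAULT, "192.168.1.1")],
        "gw1": [(LAN_A, None), (DEFAULT, "isp1")],
        "gw2": [(LAN_B, None), (DEFAULT, "isp2")],
        "rras": [(LAN_A, None), (LAN_B, None), (DEFAULT, "192.168.12.1")],
    }
    if gateways_have_static_routes:  # the fix: each gateway hands the "other" LAN to RRAS
        tables["gw1"].append((LAN_B, "192.168.12.38"))
        tables["gw2"].append((LAN_A, "192.168.1.38"))
    return tables


def trace(tables, src, dst_ip, max_hops=8):
    """Longest-prefix-match forwarding; returns the list of devices the packet traverses."""
    dst = ipaddress.ip_address(dst_ip)
    path, dev = [src], src
    for _ in range(max_hops):
        net, nh = max(((n, h) for n, h in tables[dev] if dst in n), key=lambda r: r[0].prefixlen)
        if nh is None:  # destination is on a directly connected segment: deliver it
            return path + [ADDR.get(str(dst), str(dst))]
        if nh.startswith("isp"):  # an RFC 1918 destination handed to the ISP never comes back
            return path + [nh + " (dropped)"]
        dev = ADDR[nh]
        path.append(dev)
    return path + ["loop"]


def conversation_seen_by(tables, a="192.168.12.50", b="192.168.1.50"):
    """Which directions of the A<->B flow each gateway firewall actually sees."""
    forward = trace(tables, ADDR[a], b)
    reverse = trace(tables, ADDR[b], a)
    return {gw: [d for d, p in (("A->B", forward), ("B->A", reverse)) if gw in p]
            for gw in ("gw1", "gw2")}
```

With only connected and default routes the packet for the other LAN goes to the gateway and on to the ISP, never touching RRAS; with the static routes each gateway forwards it to RRAS but sees only one direction of the flow, which is exactly why a stateful firewall on that gateway may drop it.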

> Before I address this further below,...keep in mind that the root cause is
> due to you having a single-subnet LAN that does not already have a LAN
> Router making the routing decisions, which leaves your Firewall as the
> Default Gateway of everything.
No, that was not the problem. The problem was only that one router wasn't properly passing route info. All the rest of your explanation really doesn't apply either.
In my particular case I've got two gigE networks, each with an internet connection via a 100mb link (the speed to the ISPs varies, but one is 20mbps). The routers for those are 10/100 units. Routing two gigE networks through those, or more consumer grade routers is a stupid idea as you'd lose considerable speed. Using a relatively idle host that has two gigE NICs is a more cost-effective solution. Upgrading to routers or a firewall with gigE connections would be cost prohibitive for this situation (and likely most others).
"Bill Kearney" <wkearney99[ at ]hotmail.com> wrote in message news:3o6dnbgFuN4tasXUnZ2dnUVZ_o7inZ2d[ at ]speakeasy.net...
>> Before I address this further below,...keep in mind that the root cause is
>> due to you having a single-subnet LAN that does not already have a LAN
>> Router making the routing decisions, which leaves your Firewall as the
>> Default Gateway of everything.
>
> No, that was not the problem. The problem was only that one router wasn't
> properly passing route info. All the rest of your explanation really
> doesn't apply either.
Sorry Bill,
But I don't think you understood what I was explaining. I know exactly what you were doing and how you were doing it. I see that same thing over and over in these groups day after day.
What you are calling "routers" I am calling "firewalls" because that is how they are being used. It did not route as you expected before the firmware update and it did do so after the firmware update, and I gave a reasonable explanation as to why that is the case and I gave some amount of documentation of what I was originally trying to say.
Please, to avoid confusion in the future, refer to the RRAS box as just an RRAS box,...refer to "devices" performing NAT or ACLs as Firewalls, and refer to devices as routers only when they are appliances that are actually acting as "LAN Routers" between IP Segments. This way we are all on the same page and will know what each other is saying by the words we use.
--
Phillip Windell
www.wandtv.com
The views expressed, are my own and not those of my employer, or Microsoft, or anyone else associated with me, including my cats. -----------------------------------------------------

> Please, to avoid confusion in the future...
How about you just stick to the topic at hand and solutions that work with it? It's you that wandered off onto this whole other mess. Solve your own problems first.
What's with the attitude dude?
I took more time than anyone to deal with it, for free even. I was dead on with the topic (whether you think so or not), and gave articles (not written by me I might add) that described the situation exactly and the correct approach to deal with it.
I was exactly on topic and I am not the one with the problem. If you don't agree with my suggestions that's just too bad,...it ain't my problem.
These posts are archived practically forever across the Internet and my suggestions will probably help others who might be "Googling" for the answer to their issue in the future. They might even learn a little about network design before they create a mess to start with.
--
Phillip Windell
www.wandtv.com
The views expressed, are my own and not those of my employer, or Microsoft, or anyone else associated with me, including my cats. -----------------------------------------------------
"Bill Kearney" <wkearney99[ at ]hotmail.com> wrote in message news:s9adnb17rsgflMfUnZ2dnUVZ_oTinZ2d[ at ]speakeasy.net...
>>> Please, to avoid confusion in the future...
>
> How about you just stick to the topic at hand and solutions that work with
> it? It's you that wandered off onto this whole other mess. Solve your
> own problems first.