  1. #1

    Client PCs routing through multi NIC 2008R2 server

    Now that I have narrowed down my issue to a routing problem, I am posting here in the hope that this forum is more active. Previously started in Windows Server 2008R2 forum here.

    Basically I am setting up a new office network for a local school. It's a fresh build and currently running in a testbed environment at my home, hence O2 router etc.

    The initial requirement is 3xoffice Windows 7 PCs (office1,2,3) running on an active directory domain Windows 2008R2 server - configured as a host (griffin) and two hyper-V virtual machines - one for applications (leo) and the other for security/firewall (eagle).

    The host has 4 NICs, one for office LAN (192.168.3.x) host only, one school LAN (192.168.4.x) host only for future use, one IT LAN (192.168.2.x) host and VMs and one Internet WAN (192.168.1.x) VM only. The security/firewall app runs a trial of Microsoft Forefront TMG that is routing 192.168.2.x and 192.168.1.x.

    Internally I am happy with the configuration, however, when I attach a client to the Office or School LANs, they cannot see the internet. I tracked this issue down to a routing issue where the security server (the default gateway of the host) could not route back to the office and school LANs. I thought that I had fixed this by setting up static routes on the security server back to the host, but subsequent testing indicated that this had, in some circumstances (when the destination IP was unavailable) caused circular routing and DHCP and domain membership of the office and school LANs are highly intermittent.

    My configuration is as follows...omitted school LAN for clarity.
    Code:
                                            office1 - Windows 7
    DHCP - IP:192.168.3.100, Mask 255.255.255.0, Gateway 192.168.3.1 (Access type - No Internet access unless static route on eagle added)
                                                 |
                                                 |
                            Netgear GS108T Smartswitch
    Static - IP:192.168.3.2, Mask 255.255.255.0, Gateway 192.168.3.1
                                                 |
                                                 |
                                griffin - Windows 2008R2 Server
                      AD Domain Controller, DNS, DHCP, Hyper-V host
    Office NIC   Static - IP:192.168.3.1, Mask 255.255.255.0 (Access type - Internet)
                                                 |
    IT LAN NIC  Static - IP:192.168.2.1, Mask 255.255.255.0, Gateway 192.168.2.11 (Access type - Internet)
                                                 |
                                                 |
                                eagle - Windows 2008R2 Server (Virtual)
    IT LAN NIC Static - IP:192.168.2.11, Mask 255.255.255.0 (Access type - No Internet access)
    static route added dest 192.168.3.0, Mask 255.255.255.0, gateway 192.168.2.1
                                                 |
                               Forefront TMG 2010 Eval
                                                 |
    Internet NIC Static - IP:192.168.1.50, Mask 255.255.255.0, Gateway 192.168.1.254  (Access type - Internet)
    
                                                 |
                                                 |
                                O2 Router (homebased testbed)
    Internet NIC Static - IP:192.168.1.254, Mask 255.255.255.0, Gateway as O2 default
    When the circular route is detected, it's basically bouncing between griffin (192.168.2.1) and eagle (192.168.3.11) as follows...
    C:\Users\Administrator>tracert 192.168.3.100

    Tracing route to 192.168.3.100 over a maximum of 30 hops

    1 * * * Request timed out.
    2 <1 ms <1 ms <1 ms griffin.???.school [192.168.2.1]
    3 <1 ms * <1 ms eagle.???.school [192.168.2.11]
    4 <1 ms <1 ms <1 ms griffin.???.school [192.168.2.1]
    5 <1 ms * <1 ms eagle.???.school [192.168.2.11]
    6 <1 ms <1 ms <1 ms griffin.???.school [192.168.2.1]
    7 1 ms * <1 ms eagle.???.school [192.168.2.11]
    8 <1 ms <1 ms <1 ms griffin.???.school [192.168.2.1]
    9 <1 ms * <1 ms eagle.???.school [192.168.2.11]
    etc

    I am assuming that DHCP, active directory domain join requests and other broadcast messages etc are getting lost in the circular routing as they are broadcast so do not have a valid destination address.

    Appreciate any help on this.

    Unfortunately, it is a small primary school and finance is very limited. The configuration may not be ideal/best practice, but the fact is, I have to work with what I have available to me.
    Last edited by ianh64; 16th April 2010 at 11:10 AM.

  2. #2

    SYNACK
    I would suggest doing a "route print" command on each of the computers in the setup, then posting them here. You may just need a few more static routes to make it all end to end aware.

    Is there any particular reason you have chosen to go with multiple subnets internally? From the sounds of it, it will be a small network and would probably work smoother on a single internal IP range. If you are worried about security there are other methods like IPsec that would help you to achieve a much more secure environment.

  3. #3

    Hi

    Thanks for getting back.

    The DHCP issue may be a red herring - it was found in connectivity testing that I could not swap from Office NIC to School NIC and have DHCP provide me a valid scoped set of addresses. Seems to be a 'non issue' in a real world environment because I have since discovered that the Windows DHCP server needs to be restarted to bind the newly connected NIC port to the DHCP server - the old NIC port would then drop off. In addition, I had not realised that if the subnet of the Netgear Smart switch changed, it also needed a reboot to pick up a new IP address (via DHCP). Had incorrectly assumed that the IP address only affected the management of the switch and not that the IP address also affected the switch operation itself - first time that I have used a smart/managed switch.

    The reason for multiple subnets is for two reasons.

    Firstly it is something that I am comfortable with. In a former life I was an application developer for global applications. Subnets were a way of life, even if we had dedicated network guys to manage them. It's been 15 years since I last configured a Windows server, back in NT Server 3.51 days. I've got a lot of catching up to do in a short time frame. Sticking with what is familiar and avoiding additional complexities over and above all the necessary new things that I am having to implement should have given me a fighting chance.

    Second, the school that I am doing this for has a very dated IT infrastructure. By using multiple NICs and subnets, I am largely mirroring what they already have. So migrating legacy bits across should be a lot easier and will be in logical chunks.

    Anyway, back to my problem...
    Apart from the circular routing issue which appears only to be detectable by tracert/ping to unknown IP addresses on the Office/School LANs, I'm not sure if it's going to be an issue in the future.

    I have added routing tables from the office client, server host and security gateway below. One slight difference from above is that IP address of office1 is now 192.168.3.101 due to smartswitch being assigned .100 in DHCP. I will go back and edit initial post for consistency. I should also note that I have disabled IPv6 to remove added complexity.

    office1, Windows 7
    DHCP assigned IP 192.168.3.101, mask 255.255.255.0, gateway 192.168.3.1 (griffin Office LAN), dns 192.168.2.1, dhcp server 192.168.3.1
    Code:
    ===========================================================================
    Interface List
     11...00 25 64 b8 42 7a ......Broadcom NetLink (TM) Gigabit Ethernet
      1...........................Software Loopback Interface 1
     12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
     13...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
    ===========================================================================
    
    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0      192.168.3.1    192.168.3.101     10
            127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
            127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
      127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
          192.168.3.0    255.255.255.0         On-link     192.168.3.101    266
        192.168.3.101  255.255.255.255         On-link     192.168.3.101    266
        192.168.3.255  255.255.255.255         On-link     192.168.3.101    266
            224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
            224.0.0.0        240.0.0.0         On-link     192.168.3.101    266
      255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      255.255.255.255  255.255.255.255         On-link     192.168.3.101    266
    ===========================================================================
    Persistent Routes:
      None

    griffin, Windows Server 2008r2
    office LAN NIC static IP 192.168.3.1, mask 255.255.255.0, gateway nc, dns 192.168.2.1
    school LAN NIC static IP 192.168.4.1, mask 255.255.255.0, gateway nc, dns 192.168.2.1
    IT LAN NIC static IP 192.168.2.1, mask 255.255.255.0, gateway 192.168.2.11 (eagle IT LAN), dns 192.168.2.1
    Code:
    C:\Users\Administrator>route print
    ===========================================================================
    Interface List
     21...a4 ba db 0a af 88 ......GB2 - IT LAN
     17...00 10 18 6b a8 00 ......Broadcom BCM5709C NetXtreme II GigE (NDIS VBD
    nt) #2
     13...00 10 18 6b a8 02 ......Broadcom BCM5709C NetXtreme II GigE (NDIS VBD
    nt)
      1...........................Software Loopback Interface 1
     12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
     14...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
     16...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
    ===========================================================================
    
    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0     192.168.2.11      192.168.2.1    261
            127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
            127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
      127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
          192.168.2.0    255.255.255.0         On-link       192.168.2.1    261
          192.168.2.1  255.255.255.255         On-link       192.168.2.1    261
        192.168.2.255  255.255.255.255         On-link       192.168.2.1    261
          192.168.3.0    255.255.255.0         On-link       192.168.3.1    266
          192.168.3.1  255.255.255.255         On-link       192.168.3.1    266
        192.168.3.255  255.255.255.255         On-link       192.168.3.1    266
            224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
            224.0.0.0        240.0.0.0         On-link       192.168.2.1    261
            224.0.0.0        240.0.0.0         On-link       192.168.3.1    266
      255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      255.255.255.255  255.255.255.255         On-link       192.168.2.1    261
      255.255.255.255  255.255.255.255         On-link       192.168.3.1    266
    ===========================================================================
    Persistent Routes:
      Network Address          Netmask  Gateway Address  Metric
              0.0.0.0          0.0.0.0     192.168.2.11  Default
    ===========================================================================



    eagle, security gateway, Windows Server 2008r2 hyper-v virtual machine running Microsoft Forefront TMG evaluation
    IT LAN NIC static IP 192.168.2.11, mask 255.255.255.0, gateway nc, dns 192.168.2.1
    Internet WAN NIC static IP 192.168.2.50, mask 255.255.255.0, gateway 192.168.1.254 (O2 router), dns 192.168.2.1
    static routes
    destination 192.168.3.0 (office LAN), mask 255.255.255.0, gateway 192.168.2.1 (griffin IT NIC), interface Office LAN
    destination 192.168.4.0 (school LAN), mask 255.255.255.0, gateway 192.168.2.1 (griffin IT NIC), interface Office LAN (unused)
    Code:
    C:\Users\Administrator>route print
    ===========================================================================
    Interface List
     12...00 15 5d 00 c1 01 ......Microsoft Virtual Machine Bus Network Adapter
     11...00 15 5d 00 c1 00 ......Microsoft Virtual Machine Bus Network Adapter
      1...........................Software Loopback Interface 1
    ===========================================================================
    
    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0    192.168.1.254     192.168.1.50    556
            127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
            127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
      127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
          192.168.1.0    255.255.255.0         On-link      192.168.1.50    556
         192.168.1.50  255.255.255.255         On-link      192.168.1.50    556
        192.168.1.255  255.255.255.255         On-link      192.168.1.50    556
          192.168.2.0    255.255.255.0         On-link      192.168.2.11    261
         192.168.2.11  255.255.255.255         On-link      192.168.2.11    261
        192.168.2.255  255.255.255.255         On-link      192.168.2.11    261
          192.168.3.0    255.255.255.0      192.168.2.1     192.168.2.11    261
          192.168.4.0    255.255.255.0      192.168.2.1     192.168.2.11    261
            224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
            224.0.0.0        240.0.0.0         On-link      192.168.1.50    556
            224.0.0.0        240.0.0.0         On-link      192.168.2.11    261
      255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      255.255.255.255  255.255.255.255         On-link      192.168.1.50    556
      255.255.255.255  255.255.255.255         On-link      192.168.2.11    261
    ===========================================================================
    Persistent Routes:
      Network Address          Netmask  Gateway Address  Metric
              0.0.0.0          0.0.0.0    192.168.1.254  Default
    ===========================================================================


    for completeness only
    leo, application server, Windows Server 2008r2 hyper-v virtual machine
    IT LAN NIC static IP 192.168.2.21, mask 255.255.255.0, gateway 192.168.2.11 (eagle IT LAN), dns 192.168.2.1
    Last edited by ianh64; 16th April 2010 at 02:29 PM. Reason: added static route details

  4. #4

    SYNACK
    For what it's worth the configuration does look right and should function as you want it to as far as I can see.

  5. Thanks to SYNACK from:

    ianh64 (22nd April 2010)

  6. #5

    OK. I have broken things and it's stopped working!

    Basically I am in the process of doing a production ready full rebuild (rather than a prototype test environment likely to change) and the rebuild is not working like the prototype environment. Theoretically both should be identical, except the test environment was used for experimenting with configurations so would, at some stage, have had its network reconfigured many times trying to sort out the original problem. Prior to destroying the prototype environment, I documented the final build configuration of the prototype environment, plus routing tables were documented in these threads.

    Everything looks the same, but the main server (griffin) seems not to be routing the subnets to the main gateway.

    Quickly recapping, I have 4 networks, across a mix of physical and virtual networks.

    192.168.3.x (Office LAN) and 192.168.4.x (School LAN) are physical networks. The school LAN has nothing connected yet, the Office LAN has one Windows 7 PC in addition to the switch. It gets its IP (reserved 192.168.1.101) by DHCP and that all looks fine. In addition, there is a virtual LAN 192.168.2.x (IT LAN) which has a couple of Hyper-V virtual machines hanging off of it, one of which, 192.168.2.11, is the Internet WAN gateway via Microsoft Forefront TMG 2010 firewall and routing. Everything hanging off of the IT LAN is working fine, including the griffin server 192.168.2.1 so the internet gateway is fine.

    The problem is that, from Windows 7 client, which is untouched from prototype config, I cannot PING 192.168.2.1 or any other subnet, or any devices on other subnets. But PING of 192.168.3.1 is fine.

    Code:
                                            office1 - Windows 7
    DHCP - IP:192.168.3.100, Mask 255.255.255.0, Gateway 192.168.3.1, Access type - No Internet access
                                                 |
    -----------------------------------------------------------------------------------------------
                                                 |
                            Netgear GS108T Smartswitch
    Static - IP:192.168.3.2, Mask 255.255.255.0, Gateway 192.168.3.1
                                                 |
    -----------------------------------------------------------------------------------------------
                                                 |
                                griffin - Windows 2008R2 Server
                      AD Domain Controller, DNS, DHCP, Hyper-V host
                                                 |
               Office NIC   Static - IP:192.168.3.1, Mask 255.255.255.0
                                                 X
                                        No access ie PING
                                                 X
    IT LAN NIC  Static - IP:192.168.2.1, Mask 255.255.255.0, Gateway 192.168.2.11, Access type - Internet
    School NIC  Static - IP:192.168.4.1, Mask 255.255.255.0, currently unused subnet - for info only
                                                 |
    -----------------------------------------------------------------------------------------------
                                                 |
                               Internet via TMG Gateway
    At some point in the prototype phase, I will have installed and configured in various guises, RRAS routing, but it's not documented in my build document so I either removed this role or failed to document it as an oversight, not sure which.

    So my question is, would I expect clients connected to 192.168.3.1 NIC to route to the default gateway on 192.168.2.1 or do I have to install and configure RRAS routing?

  7. #6

    Actually this was going to hold me up so I decided to install RRAS and select LAN routing and it's fixed my issue. Seeing the management roles screen, memories of RRAS still being installed have come flooding back, but I decided not to document it because I thought that I had removed all the configuration options - the issue being that LAN routing was still installed.

    Thanks anyway

    PS. Must stop talking/posting to myself.
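
Added example (not part of the original posts): a small Python model of the three route tables from post #3. It shows why office1 reached 192.168.3.1 but nothing beyond it until LAN routing was enabled on griffin, why eagle needed the static routes, and how those static routes bounce a packet between eagle and griffin for a subnet griffin has no on-link route for. The function names and the condensed tables are assumptions made for this example, and the thread does not confirm the cause of the tracert loop.

```python
import ipaddress

# Route tables condensed from the "route print" output in post #3 as
# (destination, gateway); gateway None means on-link. Constructed summary.
ROUTES = {
    "office1": [("0.0.0.0/0", "192.168.3.1"), ("192.168.3.0/24", None)],
    "griffin": [("0.0.0.0/0", "192.168.2.11"), ("192.168.2.0/24", None),
                ("192.168.3.0/24", None)],
    "eagle": [("0.0.0.0/0", "192.168.1.254"), ("192.168.1.0/24", None),
              ("192.168.2.0/24", None),
              # static routes back to griffin, as posted
              ("192.168.3.0/24", "192.168.2.1"), ("192.168.4.0/24", "192.168.2.1")],
}
# Interface address -> owning host (addresses as posted in the thread).
OWNERS = {"192.168.3.101": "office1", "192.168.3.1": "griffin",
          "192.168.2.1": "griffin", "192.168.2.11": "eagle",
          "192.168.1.50": "eagle", "192.168.1.254": "o2-router"}

def next_hop(host, dst, routes):
    """Longest-prefix match: return the gateway, or dst itself when on-link."""
    ip = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(net), gw) for net, gw in routes[host]
               if ip in ipaddress.ip_network(net)]
    _, gw = max(matches, key=lambda m: m[0].prefixlen)
    return gw or dst

def trace(src, dst, routes, forwarders):
    """Follow a packet hop by hop; return (hosts visited, outcome)."""
    path, host = [src], src
    while True:
        hop_ip = next_hop(host, dst, routes)
        nxt = OWNERS.get(hop_ip)
        if nxt is None:
            return path, "unreachable"      # nobody answers for that address
        if nxt in path:
            return path + [nxt], "loop"     # packet came back to an earlier hop
        path.append(nxt)
        if hop_ip == dst:
            return path, "delivered"
        if nxt not in routes:
            return path, "sent-upstream"    # left the modelled network
        if nxt not in forwarders:
            return path, "dropped"          # transit packet, forwarding is off
        if OWNERS.get(dst) == nxt:
            return path, "delivered"        # dst is another interface of nxt
        host = nxt

def scenarios():
    """The cases discussed in the thread, keyed by a short description."""
    both = {"griffin", "eagle"}
    no_static = dict(ROUTES, eagle=[r for r in ROUTES["eagle"]
                                    if r[1] != "192.168.2.1"])
    return {
        "rebuild: office1 to griffin NIC": trace("office1", "192.168.3.1", ROUTES, {"eagle"}),
        "rebuild: office1 to eagle": trace("office1", "192.168.2.11", ROUTES, {"eagle"}),
        "LAN routing on: office1 to eagle": trace("office1", "192.168.2.11", ROUTES, both),
        "reply without static route": trace("eagle", "192.168.3.101", no_static, both),
        "reply with static route": trace("eagle", "192.168.3.101", ROUTES, both),
        "eagle to school subnet": trace("eagle", "192.168.4.5", ROUTES, both),
    }

if __name__ == "__main__":
    for name, (path, outcome) in scenarios().items():
        print(f"{name:34} {' -> '.join(path)}  [{outcome}]")
```

The last scenario loops because eagle's static route for 192.168.4.0/24 points at griffin while griffin's posted table has no route for that subnet other than its default back to eagle.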


