ianh64 Posted April 16, 2010 (edited)

Now that I have narrowed down my issue to a routing problem, I am posting here in the hope that this forum is more active. Previously started in the Windows Server 2008R2 forum here. Basically I am setting up a new office network for a local school. It's a fresh build and currently running in a testbed environment at my home, hence the O2 router etc. The initial requirement is 3 office Windows 7 PCs (office1, 2, 3) running on an Active Directory domain Windows 2008R2 server, configured as a host (griffin) and two Hyper-V virtual machines, one for applications (leo) and the other for security/firewall (eagle). The host has 4 NICs: one for the office LAN (192.168.3.x), host only; one school LAN (192.168.4.x), host only, for future use; one IT LAN (192.168.2.x), host and VMs; and one Internet WAN (192.168.1.x), VM only. The security/firewall app runs a trial of Microsoft Forefront TMG that is routing 192.168.2.x and 192.168.1.x. Internally I am happy with the configuration; however, when I attach a client to the Office or School LANs, they cannot see the internet. I tracked this down to a routing issue where the security server (the default gateway of the host) could not route back to the office and school LANs. I thought that I had fixed this by setting up static routes on the security server back to the host, but subsequent testing indicated that this had, in some circumstances (when the destination IP was unavailable), caused circular routing, and DHCP and domain membership of the office and school LANs are highly intermittent. My configuration is as follows... school LAN omitted for clarity.

office1 - Windows 7
  DHCP - IP: 192.168.3.100, Mask 255.255.255.0, Gateway 192.168.3.1 (Access type - No Internet access unless static route on eagle added)
  |
  |
Netgear GS108T Smartswitch
  Static - IP: 192.168.3.2, Mask 255.255.255.0, Gateway 192.168.3.1
  |
  |
griffin - Windows 2008R2 Server, AD Domain Controller, DNS, DHCP, Hyper-V host
  Office NIC: Static - IP: 192.168.3.1, Mask 255.255.255.0 (Access type - Internet)
  |
  IT LAN NIC: Static - IP: 192.168.2.1, Mask 255.255.255.0, Gateway 192.168.2.11 (Access type - Internet)
  |
  |
eagle - Windows 2008R2 Server (Virtual)
  IT LAN NIC: Static - IP: 192.168.2.11, Mask 255.255.255.0 (Access type - No Internet access)
    static route added: dest 192.168.3.0, Mask 255.255.255.0, gateway 192.168.2.1
  |
  Forefront TMG 2010 Eval
  |
  Internet NIC: Static - IP: 192.168.1.50, Mask 255.255.255.0, Gateway 192.168.1.254 (Access type - Internet)
  |
  |
O2 Router (home-based testbed)
  Internet NIC: Static - IP: 192.168.1.254, Mask 255.255.255.0, Gateway as O2 default

When the circular route is detected, it's basically bouncing between griffin (192.168.2.1) and eagle (192.168.3.11) as follows...

C:\Users\Administrator>tracert 192.168.3.100

Tracing route to 192.168.3.100 over a maximum of 30 hops

  1     *        *        *     Request timed out.
  2    <1 ms    <1 ms    <1 ms  griffin.???.school [192.168.2.1]
  3    <1 ms     *       <1 ms  eagle.???.school [192.168.2.11]
  4    <1 ms    <1 ms    <1 ms  griffin.???.school [192.168.2.1]
  5    <1 ms     *       <1 ms  eagle.???.school [192.168.2.11]
  6    <1 ms    <1 ms    <1 ms  griffin.???.school [192.168.2.1]
  7     1 ms     *       <1 ms  eagle.???.school [192.168.2.11]
  8    <1 ms    <1 ms    <1 ms  griffin.???.school [192.168.2.1]
  9    <1 ms     *       <1 ms  eagle.???.school [192.168.2.11]
etc

I am assuming that DHCP, Active Directory domain join requests and other broadcast messages etc. are getting lost in the circular routing, as they are broadcast and so do not have a valid destination address. Appreciate any help on this. Unfortunately, it is a small primary school and finance is very limited.
The configuration may not be ideal/best practice, but the fact is, I have to work with what I have available to me. Edited April 16, 2010 by ianh64
SYNACK Posted April 16, 2010

I would suggest doing a "route print" command on each of the computers in the setup, then posting them here; you may just need a few more static routes to make it all end-to-end aware. Is there any particular reason you have chosen to go with multiple subnets internally? From the sounds of it, it will be a small network and would probably work smoother on a single internal IP range. If you are worried about security there are other methods like IPsec that would help you to achieve a much more secure environment.
ianh64 Posted April 16, 2010 Author (edited)

Hi. Thanks for getting back. The DHCP issue may be a red herring: it was found in connectivity testing that I could not swap from the Office NIC to the School NIC and have DHCP provide me a valid scoped set of addresses. It seems to be a 'non-issue' in a real-world environment, because I have since discovered that the Windows DHCP server needs to be restarted to bind the newly connected NIC port to the DHCP server; the old NIC port would then drop off. In addition, I had not realised that if the subnet of the Netgear smart switch changed, it also needed a reboot to pick up a new IP address (via DHCP). I had incorrectly assumed that the IP address only affected the management of the switch and not that the IP address also affected the switch operation itself; first time that I have used a smart/managed switch. There are two reasons for multiple subnets. Firstly, it is something that I am comfortable with. In a former life I was an application developer for global applications. Subnets were a way of life, even if we had dedicated network guys to manage them. It's been 15 years since I last configured a Windows server, back in NT Server 3.51 days. I've got a lot of catching up to do in a short time frame. Sticking with what is familiar and avoiding additional complexities over and above all the necessary new things that I am having to implement should have given me a fighting chance. Second, the school that I am doing this for has a very dated IT infrastructure. By using multiple NICs and subnets, I am largely mirroring what they already have, so migrating legacy bits across should be a lot easier and will be in logical chunks. Anyway, back to my problem... Apart from the circular routing issue, which appears only to be detectable by tracert/ping to unknown IP addresses on the Office/School LANs, I'm not sure if it's going to be an issue in the future.
I have added routing tables from the office client, server host and security gateway below. One slight difference from above is that the IP address of office1 is now 192.168.3.101 due to the smart switch being assigned .100 in DHCP. I will go back and edit the initial post for consistency. I should also note that I have disabled IPv6 to remove added complexity.

office1, Windows 7
DHCP assigned IP 192.168.3.101, mask 255.255.255.0, gateway 192.168.3.1 (griffin Office LAN), dns 192.168.2.1, dhcp server 192.168.3.1

===========================================================================
Interface List
 11...00 25 64 b8 42 7a ......Broadcom NetLink (TM) Gigabit Ethernet
  1...........................Software Loopback Interface 1
 12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 13...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.3.1    192.168.3.101     10
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.3.0    255.255.255.0         On-link     192.168.3.101    266
    192.168.3.101  255.255.255.255         On-link     192.168.3.101    266
    192.168.3.255  255.255.255.255         On-link     192.168.3.101    266
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     192.168.3.101    266
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     192.168.3.101    266
===========================================================================
Persistent Routes:
  None

griffin, Windows Server 2008r2
office LAN NIC static IP 192.168.3.1, mask 255.255.255.0, gateway nc, dns 192.168.2.1
school LAN NIC static IP 192.168.4.1, mask 255.255.255.0, gateway nc, dns 192.168.2.1
IT LAN NIC static IP 192.168.2.1, mask 255.255.255.0, gateway 192.168.2.11 (eagle IT LAN), dns 192.168.2.1

C:\Users\Administrator>route print
===========================================================================
Interface List
 21...a4 ba db 0a af 88 ......GB2 - IT LAN
 17...00 10 18 6b a8 00 ......Broadcom BCM5709C NetXtreme II GigE (NDIS VBD nt) #2
 13...00 10 18 6b a8 02 ......Broadcom BCM5709C NetXtreme II GigE (NDIS VBD nt)
  1...........................Software Loopback Interface 1
 12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 14...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
 16...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.2.11      192.168.2.1    261
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.2.0    255.255.255.0         On-link       192.168.2.1    261
      192.168.2.1  255.255.255.255         On-link       192.168.2.1    261
    192.168.2.255  255.255.255.255         On-link       192.168.2.1    261
      192.168.3.0    255.255.255.0         On-link       192.168.3.1    266
      192.168.3.1  255.255.255.255         On-link       192.168.3.1    266
    192.168.3.255  255.255.255.255         On-link       192.168.3.1    266
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link       192.168.2.1    261
        224.0.0.0        240.0.0.0         On-link       192.168.3.1    266
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link       192.168.2.1    261
  255.255.255.255  255.255.255.255         On-link       192.168.3.1    266
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0     192.168.2.11  Default
===========================================================================

eagle, security gateway, Windows Server 2008r2 Hyper-V virtual machine running Microsoft Forefront TMG evaluation
IT LAN NIC static IP 192.168.2.11, mask 255.255.255.0, gateway nc, dns 192.168.2.1
Internet WAN NIC static IP 192.168.2.50, mask 255.255.255.0, gateway 192.168.1.254 (O2 router), dns 192.168.2.1
static routes:
  destination 192.168.3.0 (office LAN), mask 255.255.255.0, gateway 192.168.2.1 (griffin IT NIC), interface Office LAN
  destination 192.168.4.0 (school LAN), mask 255.255.255.0, gateway 192.168.2.1 (griffin IT NIC), interface Office LAN (unused)

C:\Users\Administrator>route print
===========================================================================
Interface List
 12...00 15 5d 00 c1 01 ......Microsoft Virtual Machine Bus Network Adapter
 11...00 15 5d 00 c1 00 ......Microsoft Virtual Machine Bus Network Adapter
  1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.1.254     192.168.1.50    556
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.1.0    255.255.255.0         On-link      192.168.1.50    556
     192.168.1.50  255.255.255.255         On-link      192.168.1.50    556
    192.168.1.255  255.255.255.255         On-link      192.168.1.50    556
      192.168.2.0    255.255.255.0         On-link      192.168.2.11    261
     192.168.2.11  255.255.255.255         On-link      192.168.2.11    261
    192.168.2.255  255.255.255.255         On-link      192.168.2.11    261
      192.168.3.0    255.255.255.0      192.168.2.1      192.168.2.11    261
      192.168.4.0    255.255.255.0      192.168.2.1      192.168.2.11    261
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link      192.168.1.50    556
        224.0.0.0        240.0.0.0         On-link      192.168.2.11    261
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link      192.168.1.50    556
  255.255.255.255  255.255.255.255         On-link      192.168.2.11    261
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0    192.168.1.254  Default
===========================================================================

For completeness only:

leo, application server, Windows Server 2008r2 Hyper-V virtual machine
IT LAN NIC static IP 192.168.2.21, mask 255.255.255.0, gateway 192.168.2.11 (eagle IT LAN), dns 192.168.2.1

Edited April 16, 2010 by ianh64: added static route details
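SYNACK's suggestion is to collect "route print" from every box and check that the path works end to end in both directions. The script below is an added example, not code from the thread or from any of the products named in it. It parses the Active Routes rows of the tables posted above (loopback and multicast rows dropped, the host names office1, griffin and eagle taken from the posts), does a longest-prefix-match lookup per host, and walks a packet hop by hop so that a missing return route, a next hop the administrator does not control (here the O2 router), or a forwarding loop is reported before a client is plugged in. The loop variant of griffin's table is constructed for the demonstration; the tables actually posted do not produce the loop the tracert showed.

```python
"""Replay Windows `route print` tables through a longest-prefix-match lookup
and walk a destination hop by hop.  Added example; the table rows are
excerpts from the forum posts, the parsing and walking logic is new."""
import ipaddress
from typing import Dict, List, NamedTuple, Optional, Tuple

IPv4 = ipaddress.IPv4Address


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: Optional[IPv4]      # None stands for the Windows "On-link" gateway
    interface: IPv4
    metric: int


# Active Routes rows copied from the thread (loopback/multicast rows dropped).
# The Interface column tells us which host owns which address, and that is how
# the walker maps a gateway IP onto the next table to consult.
ROUTE_PRINT = {
    "office1": """
          0.0.0.0          0.0.0.0      192.168.3.1    192.168.3.101     10
      192.168.3.0    255.255.255.0         On-link     192.168.3.101    266
""",
    "griffin": """
          0.0.0.0          0.0.0.0     192.168.2.11      192.168.2.1    261
      192.168.2.0    255.255.255.0         On-link       192.168.2.1    261
      192.168.3.0    255.255.255.0         On-link       192.168.3.1    266
""",
    "eagle": """
          0.0.0.0          0.0.0.0    192.168.1.254     192.168.1.50    556
      192.168.1.0    255.255.255.0         On-link      192.168.1.50    556
      192.168.2.0    255.255.255.0         On-link      192.168.2.11    261
      192.168.3.0    255.255.255.0      192.168.2.1      192.168.2.11    261
      192.168.4.0    255.255.255.0      192.168.2.1      192.168.2.11    261
""",
}

# Constructed misconfiguration (not from the thread): griffin sends the office
# subnet back to eagle, which is the shape of a griffin<->eagle bounce.
GRIFFIN_LOOP_VARIANT = """
          0.0.0.0          0.0.0.0     192.168.2.11      192.168.2.1    261
      192.168.2.0    255.255.255.0         On-link       192.168.2.1    261
      192.168.3.0    255.255.255.0     192.168.2.11      192.168.3.1    266
"""


def parse_active_routes(text: str) -> List[Route]:
    """Parse the five-column rows of a `route print` Active Routes section;
    headers, separators and malformed rows are skipped."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 5:
            continue
        dest, mask, gw, iface, metric = cols
        try:
            routes.append(Route(
                ipaddress.ip_network(f"{dest}/{mask}", strict=False),
                None if gw == "On-link" else ipaddress.ip_address(gw),
                ipaddress.ip_address(iface),
                int(metric)))
        except ValueError:
            continue
    return routes


def lookup(routes: List[Route], dst: IPv4) -> Optional[Route]:
    """Longest prefix wins; among equal prefixes the lowest metric wins."""
    matches = [r for r in routes if dst in r.network]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.network.prefixlen, -r.metric))


def walk(tables: Dict[str, List[Route]], src: str, dst: str,
         max_hops: int = 16) -> Tuple[List[str], str]:
    """Follow dst from src across the tables we hold.  Returns the hop list and
    one of: delivered, no-route, unknown-hop, loop, ttl-exceeded.  Every host
    in `tables` is assumed to forward (see the usage note)."""
    dst_ip = ipaddress.ip_address(dst)
    owner = {r.interface: host for host, rs in tables.items() for r in rs}
    path, host = [src], src
    for _ in range(max_hops):
        route = lookup(tables[host], dst_ip)
        if route is None:
            return path, "no-route"
        if route.gateway is None:                  # directly attached subnet
            return path + [owner.get(dst_ip, dst)], "delivered"
        nxt = owner.get(route.gateway)
        if nxt is None:                            # a box we hold no table for
            return path + [str(route.gateway)], "unknown-hop"
        if nxt in path:
            return path + [nxt], "loop"
        path.append(nxt)
        host = nxt
    return path, "ttl-exceeded"


def both_ways(tables, a_host: str, a_ip: str, b_host: str, b_ip: str):
    """Forward and return paths: a one-way route is the usual reason a ping
    works from the gateway side but not from the client side."""
    return walk(tables, a_host, b_ip), walk(tables, b_host, a_ip)


if __name__ == "__main__":
    tables = {h: parse_active_routes(t) for h, t in ROUTE_PRINT.items()}
    print(both_ways(tables, "office1", "192.168.3.101", "eagle", "192.168.2.11"))
    # Same tables with eagle's static routes removed: the reply to office1
    # follows eagle's default route towards the O2 router instead.
    no_static = dict(tables)
    no_static["eagle"] = [r for r in tables["eagle"] if r.gateway is None
                          or r.network.prefixlen == 0]
    print(walk(no_static, "eagle", "192.168.3.101"))
    loop = dict(tables, griffin=parse_active_routes(GRIFFIN_LOOP_VARIANT))
    print(walk(loop, "eagle", "192.168.3.101"))
```

The walker only reads tables, so it assumes every host it holds a table for actually forwards between its interfaces. A Windows server's route table looks identical whether or not IP forwarding is enabled; forwarding is what the RRAS LAN routing role turns on, so a "delivered" result here still has to be confirmed with a ping or tracert from the client.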
SYNACK Posted April 16, 2010

For what it's worth, the configuration does look right and should function as you want it to, as far as I can see.
ianh64 Posted June 14, 2010 Author

OK. I have broken things and it's stopped working! Basically I am in the process of doing a production-ready full rebuild (rather than a prototype test environment likely to change) and the rebuild is not working like the prototype environment. Theoretically both should be identical, except the test environment was used for experimenting with configurations, so it would have, at some stage, had its network reconfigured many times trying to sort out the original problem. Prior to destroying the prototype environment, I documented the final build configuration of the prototype environment, plus routing tables were documented in these threads. Everything looks the same, but the main server (griffin) seems not to be routing the subnets to the main gateway. Quickly recapping, I have 4 networks, across a mix of physical and virtual networks. 192.168.3.x (Office LAN) and 192.168.4.x (School LAN) are physical networks. The school LAN has nothing connected yet; the Office LAN has one Windows 7 PC in addition to the switch. It gets its IP (reserved 192.168.1.101) by DHCP and that all looks fine. In addition, there is a virtual LAN 192.168.2.x (IT LAN) which has a couple of Hyper-V virtual machines hanging off of it, one of which, 192.168.2.11, is the Internet WAN gateway via Microsoft Forefront TMG 2010 firewall and routing. Everything hanging off of the IT LAN is working fine, including the griffin server 192.168.2.1, so the internet gateway is fine. The problem is that, from the Windows 7 client, which is untouched from the prototype config, I cannot PING 192.168.2.1 or any other subnet, or any devices on other subnets. But PING of 192.168.3.1 is fine.

office1 - Windows 7
  DHCP - IP: 192.168.3.100, Mask 255.255.255.0, Gateway 192.168.3.1, Access type - No Internet access
  |
-----------------------------------------------------------------------------------------------
  |
Netgear GS108T Smartswitch
  Static - IP: 192.168.3.2, Mask 255.255.255.0, Gateway 192.168.3.1
  |
-----------------------------------------------------------------------------------------------
  |
griffin - Windows 2008R2 Server, AD Domain Controller, DNS, DHCP, Hyper-V host
  |
  Office NIC: Static - IP: 192.168.3.1, Mask 255.255.255.0
  X  No access, i.e. PING
  X
  IT LAN NIC: Static - IP: 192.168.2.1, Mask 255.255.255.0, Gateway 192.168.2.11, Access type - Internet
  School NIC: Static - IP: 192.168.4.1, Mask 255.255.255.0, currently unused subnet - for info only
  |
-----------------------------------------------------------------------------------------------
  |
Internet via TMG Gateway

At some point in the prototype phase, I will have installed and configured, in various guises, RRAS routing, but it's not documented in my build document, so I either removed this role or failed to document it as an oversight; not sure which. So my question is, would I expect clients connected to the 192.168.3.1 NIC to route to the default gateway on 192.168.2.1, or do I have to install and configure RRAS routing?
ianh64 Posted June 14, 2010 Author

Actually this was going to hold me up, so I decided to install RRAS and select LAN routing, and it's fixed my issue. Seeing the management roles screen, memories of RRAS still being installed have come flooding back, but I decided not to document it because I thought that I had removed all the configuration options; the issue being that LAN routing was still installed. Thanks anyway.

PS. Must stop talking/posting to myself.