Networks·41,393 discussions

multi-homed server route problems

Locked

Firstly please don’t post an answer unless you’re reasonably sure of your solution so the question doesn’t get wiped off the map without a decent response. If you have any suggestions please e-mail them to me at: ngrunseit@harveyworld.com.au

I amhaving a problem on a server which has two NICs one NIC in the Win 2000 server is connected to my LAN while the other NIC is connected to my Sonicwall Firewall’s DMZ.

Whenever you VPN in via the firewall to the LAN one can ping the IPs of non-multi-homed PCs on the LAN, but not those that ARE multi-homed.

My multi-homed server has a route: 0.0.0.0 mask 0.0.0.0 which lets it contact my internet router via the DMZ based NIC, and thus see the outside world.

If I add any default gateway to the LAN NIC so it may see the firewall too I start having major problems where (despite having no routing/ remote access service enabled) the firewall detects data originating from my DMZ IP coming from the LAN NIC and vice versa. The problem is by adding a default gateway, or merely a static route like: 0.0.0.0 mask 0.0.0.0 it will allow my users that are VPN’d into the network to see the LAN NIC on the multi-homed server, but will cause the firewall to start blocking traffic which appears to be originating from the wrong IP, on the LAN/DMZ ports.

It’s not as complicated as it sounds, but it’s driving me crazy.

I just need to add a route so that my server can see the VPN’d incoming connections,but at the same time not make the server think it can route traffic to the outside world via the LAN NIC

Topic

multi-homed server route problems

In reply to multi-homed server route problems

You answered your own question

(despite having no routing/ remote access service enabled)

Computing systems by nature do not forward/route packets. You need to turn that function on.

Routing and Remote access in 2K is what controls that funtion.

Enable and configure it.

The lan nic does not need a default gateway.
The lan nic should simply connect your system to the lan, accept and pass traffic to the OS which in turn passes traffic to your DMZ nic.

Which in turn should(the 2k srver dmz nic) have NAT installed on it so that it can turn your pvt ip’s into a Public IP.

multi-homed server route problems

In reply to multi-homed server route problems

I turned on Routing and Remote Access as you suggested however it did not have any immediate effect.

I already have a public IP on the DMZ NIC and all internet bound traffic does exit through this NIC because I have not installed any default gateway on the LAN NIC

The only way I could get my VPN connections to be able to ping the LAN NIC on this server was to enable the 0.0.0.0 0.0.0.0 route, which in time makes the traffic from the DMZ IP start exiting on the LAN and vice versa ‘causing spoofing issues on my firewall and thus I am back to square one.

Can you suggest a configuration for RRAS or a route that can get me out of this problem?

multi-homed server route problems

In reply to multi-homed server route problems

Sounds like you need to add a specfic route in the server to point the server at the VPN connected network addresses that come in via your Firewall.

I am assuming that the Firewall terminates the VPN connections and that all the VPN PCs are in the same network range (either by the end PCs using VPN IP addresses supplied by you in a specific network range or by the Firewall using NAT to put them in a range specified by you). For example, that range could be 192.168.1.0

Given that, you need to add a route in the server that says 192.168.1.0 mask 255.255.255.0 . This would send any traffic from VPN PCs in this range back to the firewall via the LAN NIC in your server.

[Author]

Replies