
dual nic and subnet with dual isp's


WillieLoMain

Technical User
May 30, 2001
We have DSL on a static IP with the router set to 192.168.200.1. Up to the present we use this for outbound internet and also for traffic inbound through RDP only. There has been no public WAN access permitted.

Recently we added a T1 to the environment and we would like to use this exclusively for WAN access to one of the servers. The problem is that this server needs to be accessed from the LAN and also I would like to be able to continue to get to it through the VPN.

Initially I thought that the addition of a second NIC (on a different subnet) was all that would be required, but this was not the case.

Here is where I am at now:

DSL Gateway 192.168.200.1
Server Nic 1 192.168.200.20

T1 Gateway 192.168.201.1
Server Nic 2 192.168.201.20

The machine in question is a Win2k Server; there is no Active Directory running in the environment.

From the work I have done so far it seems that I need to add a route to the Win2k server, but I have never ventured into this area before. I am wondering if anyone agrees and has the specific route required.

Of course alternate suggestions are welcome.

The present route table follows:

Active Routes:
Network Destination  Netmask          Gateway          Interface        Metric
0.0.0.0              0.0.0.0          192.168.200.1    192.168.200.20   1
0.0.0.0              0.0.0.0          192.168.201.1    192.168.201.20   1
127.0.0.0            255.0.0.0        127.0.0.1        127.0.0.1        1
192.168.200.0        255.255.255.0    192.168.200.20   192.168.200.20   1
192.168.200.20       255.255.255.255  127.0.0.1        127.0.0.1        1
192.168.200.255      255.255.255.255  192.168.200.20   192.168.200.20   1
192.168.201.0        255.255.255.0    192.168.201.20   192.168.201.20   1
192.168.201.20       255.255.255.255  127.0.0.1        127.0.0.1        1
192.168.201.255      255.255.255.255  192.168.201.20   192.168.201.20   1
224.0.0.0            224.0.0.0        192.168.200.20   192.168.200.20   1
224.0.0.0            224.0.0.0        192.168.201.20   192.168.201.20   1
255.255.255.255      255.255.255.255  192.168.200.20   192.168.200.20   1
Default Gateway:     192.168.200.1

Stop. Go get yourself a firewall that has the ability to plug in 2 WAN connections. You are asking for trouble trying to handle this from your server. Can it do it? Yes. Would you want to? NO!

Your DSL router and your T1 router are evidently both NAT'ing since I don't see any other mention of hardware besides those two.

Watchguard, Sonicwall, Nokia, Juniper, etc. make very good security appliances that also provide a secondary "optional" WAN port to use for either purely failover or load balancing. Your user count and the additional security services you might want to implement (IPS, Anti-X, content filtering, etc.) will dictate the model. If you decide on load balancing, then you can also create rules on what traffic you want to allow out which interface.

Get your ISP to stop NAT'ing on their router(s) and give you a public IP subnet; do the same with the DSL (if it's just 1 static, you can bridge the IP across the LAN side of the DSL router so your public address will be on one of the firewall's public interfaces). Your firewall will now have two public WAN connections that will NAT to the internal private interface of 192.168.200.1.

This is how to properly do it. Hope I could help.
 
There is an easy solution here provided your network is very simple i.e. a single subnet.

Assumptions:
  All clients' (DHCP?) default gateway is 192.168.200.1
  Server is not used as a web proxy
  VPN endpoint is on the 192.168.200.0 subnet

Here's what to do:
  Eliminate the 192.168.201.0 subnet
  Set T1 router to 192.168.200.2/24
  Set default gateway of server to 192.168.200.2

Results:
  All client traffic uses DSL (192.168.200.1)
  All server traffic uses T1 (192.168.200.2)
  External server access is through the T1
  Internal server access is unaffected
  VPN-sourced server access is unaffected


MCSE CCNA CCDA
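The route table in the question and dearingkr's single-subnet layout differ in exactly one thing that matters: how many default routes the server has. The script below, added here and not part of the original thread, walks a Windows-style route table the way the stack does (longest prefix match, then lowest metric) and reports which gateway a reply packet would take. Both tables are constructed from the posts above (the dual-NIC one is the table as posted; the single-NIC one is what remains after the 192.168.201.0 subnet is dropped and the T1 router becomes 192.168.200.2). The address 203.0.113.10 is a constructed stand-in for a remote user's public IP; it is not from the thread.

```python
"""Longest-prefix-match walk over Windows 2000 'route print' style tables.

Added example for this thread, not code from the original posts. Shows why two
default routes with the same metric (the posted table) leave the egress for
Internet-bound replies up to the stack, and why the single-subnet change
(one NIC, default gateway 192.168.200.2) makes it deterministic.
"""
import ipaddress

# Constructed: the Active Routes block posted in the question (two 0.0.0.0 routes).
DUAL_NIC_ROUTES = """
0.0.0.0 0.0.0.0 192.168.200.1 192.168.200.20 1
0.0.0.0 0.0.0.0 192.168.201.1 192.168.201.20 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.200.0 255.255.255.0 192.168.200.20 192.168.200.20 1
192.168.200.20 255.255.255.255 127.0.0.1 127.0.0.1 1
192.168.200.255 255.255.255.255 192.168.200.20 192.168.200.20 1
192.168.201.0 255.255.255.0 192.168.201.20 192.168.201.20 1
192.168.201.20 255.255.255.255 127.0.0.1 127.0.0.1 1
192.168.201.255 255.255.255.255 192.168.201.20 192.168.201.20 1
224.0.0.0 224.0.0.0 192.168.200.20 192.168.200.20 1
224.0.0.0 224.0.0.0 192.168.201.20 192.168.201.20 1
255.255.255.255 255.255.255.255 192.168.200.20 192.168.200.20 1
"""

# Constructed: the table after dearingkr's change. One NIC, the T1 router at
# 192.168.200.2 is the server's only default gateway; clients keep 192.168.200.1.
SINGLE_NIC_ROUTES = """
0.0.0.0 0.0.0.0 192.168.200.2 192.168.200.20 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.200.0 255.255.255.0 192.168.200.20 192.168.200.20 1
192.168.200.20 255.255.255.255 127.0.0.1 127.0.0.1 1
192.168.200.255 255.255.255.255 192.168.200.20 192.168.200.20 1
224.0.0.0 224.0.0.0 192.168.200.20 192.168.200.20 1
255.255.255.255 255.255.255.255 192.168.200.20 192.168.200.20 1
"""


def parse_routes(text):
    """Parse 'destination netmask gateway interface metric' rows.

    Header and blank lines are skipped; the dotted netmask is turned into a
    prefix length so longest-prefix comparison is a plain integer compare.
    """
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue
        dest, mask, gateway, iface, metric = parts
        routes.append({
            "net": ipaddress.IPv4Network((dest, mask), strict=False),
            "gateway": gateway,
            "interface": iface,
            "metric": int(metric),
        })
    return routes


def best_routes(routes, dst):
    """All routes tied for best: longest prefix first, then lowest metric.

    More than one entry means the stack, not the administrator, picks the
    egress for that destination.
    """
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r["net"]]
    if not matches:
        return []
    rank = lambda r: (-r["net"].prefixlen, r["metric"])
    top = min(rank(r) for r in matches)
    return [r for r in matches if rank(r) == top]


def duplicate_defaults(routes):
    """Default routes (0.0.0.0/0) that tie on metric; empty list when unambiguous."""
    defaults = [r for r in routes if r["net"].prefixlen == 0]
    if len(defaults) < 2:
        return []
    low = min(r["metric"] for r in defaults)
    tied = [r for r in defaults if r["metric"] == low]
    return tied if len(tied) > 1 else []


def describe(routes, dst):
    """One human-readable line for where a reply to dst would leave the server."""
    hits = best_routes(routes, dst)
    if not hits:
        return f"{dst}: no route"
    if len(hits) > 1:
        return f"{dst}: AMBIGUOUS, " + " or ".join(
            f"via {r['gateway']} on {r['interface']}" for r in hits)
    r = hits[0]
    how = "on-link" if r["gateway"] == r["interface"] else f"via {r['gateway']}"
    return f"{dst}: {how} on {r['interface']}"


if __name__ == "__main__":
    tables = (("dual NIC, two subnets", DUAL_NIC_ROUTES),
              ("single NIC, default gateway .2", SINGLE_NIC_ROUTES))
    for name, table in tables:
        routes = parse_routes(table)
        print(f"== {name}: {len(duplicate_defaults(routes))} tied default routes")
        for dst in ("192.168.200.50", "203.0.113.10"):  # a LAN client, a remote user
            print("  " + describe(routes, dst))
```

The practical point the output makes: with the posted table, a remote user whose connection arrived through the T1 router gets a reply that may leave through the DSL router instead, because both default routes are equally good. Each router NATs, so the reply reaches the remote user from a different public source address than the one they connected to and the TCP session stalls. With one default route the reply always goes back out the T1. One caveat worth checking before relying on the single-subnet layout: traffic from VPN peers whose remote subnets are not 192.168.200.0/24 also follows the default route to the T1 router unless the VPN router NATs it onto the local subnet or the server carries a specific route for each remote subnet back to 192.168.200.1 (on Win2k that is `route -p add <remote subnet> mask <netmask> 192.168.200.1`; the remote subnets are not given in the thread). Running `route print` on the server after the change should show a single 0.0.0.0 line pointing at 192.168.200.2.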
 
You're right, I'm not disagreeing with cajuntank.
That is the proper way to do it.

However, the method I suggested will work on a simple network and avoid the cost of replacing equipment unnecessarily.

He's still running a Win2k server, so one can assume he may have significant budget constraints.


MCSE CCNA CCDA
 
Possibly, but then again, they have dsl and a T1, the T1 used specifically for access to a server---budget restraints, why not another dsl?...it may cost a lot more if his network were to be compromised. I agree that your method will work, though.

Burt
 
Dearingkr:

Your assumptions are correct and the network is a relatively simple one. Specifically: a single subnet of 192.168.200.0, one DSL modem, one Linksys BEFVP41 router, one switch with 10 users on the LAN, and 10 remote users at various locations, all with the same BEFVP41 at their end.

This changed a bit with the introduction of the T1 and my attempt to set up the second subnet for its exclusive use of the T1.

In time I will migrate to the better solution, but for now I have to go simple (knowing that there are risks associated with it).

If I use the single-subnet scenario you have presented:

1. Do I continue to use two NICs (both on the same subnet, of course) or can I revert to a single NIC?

2. After I change the subnet on the T1 router to 192.168.200.0, do I physically connect it to the VPN Router?

I would like to explain the last thing that I tried while still on the two subnets:

Prior to the addition of the T1, the server had a single NIC with static IP 192.168.200.20 (DHCP is handled by the VPN router and is 192.168.200.100 and above).

Recently, remote usage exceeded the capacity of the DSL (limited by distance to the CO to 1.5/386), and so the T1 solution was initiated.

When the T1 came in I added the second NIC to the server and gave it a static IP on the new subnet (192.168.201.20). Requests on the public IP to the T1 router are forwarded to the new NIC on the server.

Today I performed my final failing test of this setup by doing the following:

I removed the gateway from NIC 1 in the server, and this resulted in loss of the VPN, but local LAN traffic was maintained.

I enabled NIC 2 on the 192.168.201.0 subnet and set its gateway to the T1 router address (192.168.201.1).

After the change, remote users no longer had the ability to come in through the VPN, but did have access through the public IP.

Initially it seemed like this worked and I thought that all was going to be OK, but I had the same problem that I have been experiencing with variations of this setup, and that is:

Remote users keep losing their connection to the server, BUT the connections are reported as active in TS Manager. When a remote user sees the "drop" they RDP in again, but this comes in as a new connection and now there are two active connections for that user.

I am wondering (hoping) that this problem is the result of the two-NIC setup and that it will be resolved with your suggestion. If that is not the case, I may be troubleshooting the wrong problem.

Again, for the near term, I am not overly interested in security. I will get to that once I can demonstrate successful exclusive usage of the T1 with a simple setup.

Thanks to all for the advice and assistance.
 
WillieLomain:
1. Yes, you can revert back to a single NIC.
2. They need to be logically connected; usually you just plug them into the same switch.

As far as your final test...
With the server having 2 configured NICs and routing probably enabled on the server, the results can be difficult to predict.

MCSE CCNA CCDA
 
Everything is working well now. Thanks to all for the fine advice and assistance.

I wanted to update and close the thread because it turns out there were multiple good configurations that I used (the last with the single NIC, others with two NICs and two subnets).

The problem that we were experiencing was solved by enabling keepalive in the Win2k registry. It seems that there were latency issues at the main remote location and this was the cause of the drops, not the T1 configuration.

When using the VPN over DSL previously, we were able to prevent the issue from being seen because we had keepalive running in the VPN router. Then, once we switched over to the T1, the drops related to latency at the remote location were seen.

For those who stumble upon this in the future, I am attaching a link that explains the keep-alive registry setting in Win2k Server.
