Nat – Windows 2008 Server R2 NAT problems with VLANs

nat;networkingvlanwindows-server-2008

My Windows 2008 server R2 has two NICs. First NIC is connected to my ISP (IP assigned with DHCP). Second NIC is dedicated to LAN communication and is connected to HP ProCurve switch "trunk" port with multiple VLANs (Vlan7 and Vlan8).

Configuration of these card are:

First NIC: All settings are from DHCP. (ISPs NIC)

Seconf NIC (Local Area connections):
-LAN7: 192.168.7.1 Mask: 255.255.255.0 Gateway: blank
-LAN8: 192.168.8.1 Mask: 255.255.255.0 Gateway: blank

(Pings from VLAN7 and VLAN8 workstations to server are successful, with such network configurations: PC1/ IP: 192.168.7.100 Mask: 255.255.255.0 Gateway: 192.168.7.1, etc. )

After enabling RRAS on Windows 2008 server with NAT option, I cannot get any of VLANs (VLAN7, VLAN8) gain access to internet (looks like Windows does not know how to translate address to send traffic to outgoing interface).

When connecting NIC2 to simple access port on switch, in this case removing VLANs, then NAT works great.

Looking for help,
thanks.

Jānis

Best Answer

Solved the problem with the help of Hyper-V. In Hyper-V manager you have to use Virtual Network Manager and add those extra Microsoft Hyper-V VLAN interfaces based on NIC native VLAN interfaces.

Microsoft Hyper-V VLAN interface configuration screen in VMN http://i.stack.imgur.com/A0sa1.png

Now I can access internet from any workstation connected to VLAN10 or VLAN7 in my switched network. Hope this helps someone!

Related Solutions

Windows 2008 Server Router and Local Network

Does your external NIC on the server have a public ip / connected straight to a router or does it go in to another router?

What is happening is (if your setup is as I expect above)-

Client looks up IP and sees that it is outside of your local network Client goes to its default gateway (your Windows 2008 Box) and says the ip. Windows 2008 says not here, looks up the default gateway and forwards the request to your router. Router says, that IP is mine, but then hangs and times out!

See if your router supports NAT Loop-back. Basically, NAT inside Windows 2008 is working, but the DNS IP is your public one and RRAS does not realise that it is it's own IP, and therefore doing its job and routing to its external network.

If you say the make/model of your router, I can help you further (if it supports it)

Another way that can get awkward is to install your own local DNS server on the Windows 2008 box and refer all clients to it (make it forward queries to your current DNS servers) and force in a zone for each of your domains that have your internal records.

... Or if you only have a handful of machines and the router does not support NAT Loop-back, and you understandably do not want to buy new hardware, insert your record in to the machines' host file. This is a surprisingly efficent technique and providing you have admin access to shares, you can script this VERY easily by just placing it in a directory then doing

copy hosts \\\computer_name\c$\windows\system32\drivers\etc\hosts

And all done without a reboot!

Of course, the prefrence is just to enable NAT Loopback!

Anyway, hope I helped and this was the issue... Dreading your reply of "I only have a modem and the server is using a external ip in it's config!!"

Nat – RRAS VPN Server on Windows 2008 Behind NAT

Your setup is no different than how many physical RRAS servers are set up including my own at a small office. If you're talking an RRAS VPN you're more than likely talking about a PPTP VPN... unless you have an internal CA and want to futz around with IPSec. (Hint: If you want to futz around with IPSec VPNs, don't. Get an SSL VPN appliance if security is on your mind.)

Simply forward TCP port 1723 and IP Protocol 47 (GRE) to your RRAS server and you're good to go. Also note that you need to edit / add a Remote Access Policy to allow incoming connections. If I recall correctly, by default no incoming connections are allowed. For instance, I created a group called "VPN Users" and then created a policy called "Corp VPN Policy" that has policy conditions set to allow connections if any incoming request is from a user account that is in that group (as well as making sure that only MS-CHAPv2 PWD is being used, but I digress...). You must elevate that policy higher than the default policy which will deny everything. All of this is done in the "Routing and Remote Access" portion of "Network Policy and Access Services" within Server Manager.

There is no special configuration needed on the clients. Windows's built in VPN client will work like a charm. I've even used Linux machines and pptpclient to connect to it with smashing success.

Now, after typing all of this I realized that this was all true for my Server 2003 RRAS box and you said you had a Server 2008 machine. Your mileage may vary. =)

Best Answer

Related Solutions

Windows 2008 Server Router and Local Network

Nat – RRAS VPN Server on Windows 2008 Behind NAT

Related Topic