Nat – Windows Server 2008 R2, RRAS and NAT

Tags: nat; rras; windows-server-2008

I have a server running VMWare ESXi with one physical NIC.

This server is running 3 VMs (S1, S2, and S3) which are all running Windows Server 2008 R2.

I want to set up NAT routing on this server such that only one of those servers has an external IP, and all incoming requests go to that single VM (say S1.) That VM would do nothing but route requests and act as a firewall. It would, for instance, route all http requests to S2 — port forward, in other words. I also want all 3 machines to be able to talk to one another (share files, access network services, whisper sweet nothings.)

I am convinced the answer lies somewhere in Routing and Remote Access Services (RRAS) in Windows Server 2008. But so far, none of my illiterate poking has come up with something workable. I can configure RRAS for NAT on S1, and make it look like it will work, but I cannot make any of the other machines (S2 and S3) able to talk to S1.

I have read many articles which try to explain how to set this up. But so far, none have worked. And even worse, they all give slightly different advice.

Is anyone aware of a definitive article on this subject? Or can anyone give a specific set of instructions on how to configure RRAS to do what I want it to do?

Thank you.

Best Answer

  • Create a virtual switch in ESXi for your "internal" network.
  • Give your "internal" VMs a single virtual network adapter and connect it to the internal virtual switch.
  • Give your "router" VM two network adapters; connect one to the internal virtual switch, connect the other to whatever virtual switch you're using to access your "real" network.
  • Choose an IP subnet for your internal network; for this example, let's use 192.168.0.0/255.255.255.0.
  • Configure your "router" VM's internal network adapter to have an IP address on the above network; f.e. 192.168.0.1/255.255.255.0. Don't set any default gateway on this adapter.
  • Configure your "internal" VMs to also have an IP address/subnet mask in the above network; f.e. 192.168.0.10/255.255.255.0 and 192.168.0.20/255.255.255.0.
  • Configure those "internal" VMs' default gateway to be the internal IP address of your "router" VM, i.e. 192.168.0.1.
  • Configure your "router" VM's external network adapter to have whatever address is appropriate for your "real" network; configure also its default gateway to be the one you'd use in your "real" network.
  • Now, the three VMs should be able to ping each other using their internal IP addresses; the "router" VM should also be able to ping external IP addresses. If they don't, then something is wrong; the most common error is switching the two virtual adapters in the "router" VM, as Windows tends to detect adapters in a totally arbitrary order. Regardless of all, anyway, the two "internal" VMs should be able to ping each other.
  • If you're absolutely certain everything is configured correctly yet it still doesn't work, disable Windows Firewall on all your VMs and try again.

If the three VMs can successfully talk to each other and the "router" VM can talk to external hosts, now it's time to enable RRAS.

  • From Server Manager, add the "Network Policy and Access Services" role to your server.
  • In Server Manager, go to the "Network Policy and Access Services" node and then to "Routing and Remote Access".
  • Select "Configure and enable Routing and Remote Access".
  • Choose the NAT configuration from the proposed templates.
  • Select the public and private networks.
  • You can now choose to enable automatic DNS and DHCP services for your router, or you can skip this and rely on your own ones.
  • Complete the wizard and start the services.

Now you should be able to ping external IP addresses from the "internal" VMs too.

For DNS and DHCP, you can choose to use RRAS's built-in ones, or do whatever else is appropriate for your setup (using static IP addresses, using external DNS servers, setting up your own internal AD domain with DNS and DHCP, etc.).
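The addressing and pre-RRAS connectivity checks from the answer above, written as a PowerShell 2.0 / netsh script for Windows Server 2008 R2. This is an added example, not part of the original answer: the adapter names "Internal" and "External", the external address 10.0.0.5/24 with gateway 10.0.0.1, and the role feature name NPAS-RRAS-Services are assumptions you should match to your own environment. It also shows the adapter-to-MAC listing that catches the "swapped adapters" pitfall, and allows ICMP echo from the internal subnet only, as a narrower alternative to disabling Windows Firewall on every VM. The NAT template itself is still applied through the Server Manager wizard, as the answer describes; there is no netsh "routing" context on 2008 R2 to script that step.

```powershell
# Run once per VM with -Role Router on S1, or -Role Internal (with -InternalIp) on S2/S3.
param(
    [ValidateSet('Router', 'Internal')] [string]$Role = 'Router',
    [string]$InternalIf = 'Internal',      # assumed: adapter on the internal vSwitch
    [string]$ExternalIf = 'External',      # assumed: adapter on the "real" network
    [string]$InternalIp = '192.168.0.10'   # only used when -Role Internal
)

$Mask        = '255.255.255.0'
$InternalNet = '192.168.0.0/24'
$RouterIntIp = '192.168.0.1'   # router's internal address, from the answer
$ExternalIp  = '10.0.0.5'      # assumed: router's address on the real network
$ExternalGw  = '10.0.0.1'      # assumed: real network's default gateway
$ProbeHost   = '8.8.8.8'       # any external IP you know answers ping

function Show-AdapterMap {
    # Print connection name, MAC and status. Compare the MACs with the NIC entries in
    # the VM's settings in vSphere before trusting that "Internal"/"External" are
    # really on the right vSwitch; Windows orders the adapters arbitrarily.
    Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionID IS NOT NULL" |
        Select-Object NetConnectionID, MACAddress, NetConnectionStatus |
        Format-Table -AutoSize
}

function Set-StaticIp([string]$IfName, [string]$Ip, [string]$Gateway) {
    # Static address via netsh (New-NetIPAddress does not exist on 2008 R2).
    # gateway=none matches the answer: no default gateway on the router's internal NIC.
    if ($Gateway) {
        netsh interface ipv4 set address name="$IfName" source=static `
            address=$Ip mask=$Mask gateway=$Gateway gwmetric=1
    } else {
        netsh interface ipv4 set address name="$IfName" source=static `
            address=$Ip mask=$Mask gateway=none
    }
}

function Allow-InternalPing {
    # Narrower than "disable Windows Firewall": accept ICMPv4 echo requests only from
    # the internal subnet so the ping tests in the answer work with the firewall on.
    netsh advfirewall firewall add rule name="Allow ICMPv4 echo from internal net" `
        dir=in action=allow protocol=icmpv4:8,any remoteip=$InternalNet
}

function Test-Reachability([string[]]$Targets) {
    # Two echo requests per target; prints reachable / NO REPLY per host.
    foreach ($t in $Targets) {
        $ok = Test-Connection -ComputerName $t -Count 2 -Quiet
        '{0,-16} {1}' -f $t, $(if ($ok) { 'reachable' } else { 'NO REPLY' })
    }
}

Show-AdapterMap

switch ($Role) {
    'Router' {
        Set-StaticIp $InternalIf $RouterIntIp $null        # 192.168.0.1, no gateway
        Set-StaticIp $ExternalIf $ExternalIp  $ExternalGw  # real-network address + gateway
        Allow-InternalPing
        # Router must reach the internal VMs and an external host before RRAS is enabled.
        Test-Reachability @('192.168.0.10', '192.168.0.20', $ProbeHost)
        # Install the RRAS role bits; then finish "Configure and enable Routing and
        # Remote Access" with the NAT template in Server Manager, as described above.
        # Feature name is assumed; confirm with: Get-WindowsFeature NPAS*
        Import-Module ServerManager
        Add-WindowsFeature NPAS-RRAS-Services
    }
    'Internal' {
        Set-StaticIp $InternalIf $InternalIp $RouterIntIp  # gateway = router's 192.168.0.1
        Allow-InternalPing
        # Before NAT: router and the other internal VM answer, the external host does not.
        # After the NAT wizard on the router: the external host should answer too.
        Test-Reachability @($RouterIntIp, '192.168.0.10', '192.168.0.20', $ProbeHost)
    }
}
```

Run the script from an elevated PowerShell prompt on each VM after renaming the adapters in Network Connections to the names you pass in. On the internal VMs, the final line for the external probe is the one to watch: it should flip from NO REPLY to reachable only once the NAT wizard has completed on the router, which confirms that traffic is actually being translated rather than leaking through some other route.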