Windows Server 2012, two NICs & routing with RRAS

Tags: nic, routing, rras, windows-server-2012

Network diagram

Windows Server 2012, two NICs, only the RRAS role installed.

  • PC2 can PING anything at 192.168.2.xx by IP, but not by name.

  • PC2 in Network Neighborhood has only itself and mserver, but can access anything at \\192.168.2.xx (by IP, but not by name).

  • PC2 has Internet.

  • PC1 cannot see, nor PING anything beyond NIC1.

I'm kind of stuck trying to figure out why routing doesn't work properly for local traffic between the two LANs while internet routing works fine.

Best Answer

You're most likely missing routes for the 10.0.0.0/8 network on the gateway 192.168.2.1.

You see, when packets from PC1 try to reach PC2, first PC1 checks:

  • Am I on the same network as the destination? (Nope, I'm on 192.168.2.0/24, my destination is on 10.0.0.101.)
  • Do I know a route specifically for this network? (Nope, probably not, because you likely didn't install any, nor is it typically done to install specific routes on individual hosts.)
  • It ends up finding a "default route" to your gateway 192.168.2.1. At that point it goes through the same process. No route is installed for 10.0.0.0/8, so the gateway just ends up sending it out towards the internet, where your ISP will likely just drop it into a black hole somewhere at some point (unless they have internet-exposed systems in RFC1918 address space).

So, by all rights this setup shouldn't work at all without a route for 10.0.0.0/8 set up in the 192.168.2.1 router, because even requests to the internet shouldn't be able to find a way back.

The reason this is working at all is because you've set up RRAS to do NAT of the traffic from your 10.0.0.0/8 network. Any outbound traffic from PC2 will have its address translated, first by MSERVER, so that its source IP on the 192.168.2.0/24 LAN will be 192.168.2.101.

So in this scenario, when PC2 sends out a ping, PC1 will see it as coming from 192.168.2.101 and will know to send the response there as well.

In this scenario, you add a route for 10.0.0.0/8 via 192.168.2.101 on your 192.168.2.1 router, and then disable NAT in RRAS.

Network browsing will still probably not work since it will only work within one broadcast domain unless special measures are taken. Hostnames will also require a specific setup to work properly.
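The following is an added example, not code from the question or the answer: a small Python simulation of the lookup the answer walks through (on-link route, more specific route, else the default route) on each hop between PC1, the 192.168.2.1 router, MSERVER and PC2. It traces the three cases the answer describes: PC1 to PC2 with no 10.0.0.0/8 route on the router (the packet leaves towards the ISP), PC2 to PC1 with RRAS NAT on (it works, and PC1 replies to 192.168.2.101), and PC1 to PC2 once the router has a 10.0.0.0/8 route via 192.168.2.101. The topology is constructed from the diagram; PC1's address (192.168.2.10) and MSERVER's inside address (10.0.0.1) are not given in the post and are assumptions.

```python
import ipaddress
from copy import deepcopy

ISP = "ISP"  # sink: anything sent here with an RFC1918 destination is dropped
TEN = ipaddress.ip_network("10.0.0.0/8")

# Constructed topology for the two LANs in the question. PC1 = 192.168.2.10 and
# MSERVER's NIC2 = 10.0.0.1 are assumptions; the post does not state them.
# A route is (prefix, next_hop); next_hop None means directly connected.
HOSTS = {
    "PC1":     {"addrs": {"192.168.2.10"},
                "routes": [("192.168.2.0/24", None), ("0.0.0.0/0", "192.168.2.1")]},
    "ROUTER":  {"addrs": {"192.168.2.1"},
                "routes": [("192.168.2.0/24", None), ("0.0.0.0/0", ISP)]},
    "MSERVER": {"addrs": {"192.168.2.101", "10.0.0.1"},
                "routes": [("192.168.2.0/24", None), ("10.0.0.0/8", None),
                           ("0.0.0.0/0", "192.168.2.1")]},
    "PC2":     {"addrs": {"10.0.0.101"},
                "routes": [("10.0.0.0/8", None), ("0.0.0.0/0", "10.0.0.1")]},
}


def lookup(routes, dst):
    """Longest-prefix match: the on-link /24 or /8 wins over a specific route,
    which wins over the 0.0.0.0/0 default. Returns (network, next_hop) or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def owner(hosts, ip):
    """Which host holds this address (None if nobody on either LAN does)."""
    for name, host in hosts.items():
        if ip in host["addrs"]:
            return name
    return None


def forward(hosts, src_host, src, dst, nat=False):
    """Walk one packet hop by hop; returns (path, outcome).
    With nat=True, MSERVER rewrites the source of 10.0.0.0/8 traffic it pushes
    onto the 192.168.2.0/24 side to 192.168.2.101, as RRAS NAT does."""
    path, here = [src_host], src_host
    for _ in range(10):  # loop guard
        if dst in hosts[here]["addrs"]:
            return path, f"delivered to {here} (src seen as {src})"
        route = lookup(hosts[here]["routes"], dst)
        if route is None:
            return path, f"no route on {here}"
        _net, next_hop = route
        if (nat and here == "MSERVER"
                and ipaddress.ip_address(src) in TEN
                and ipaddress.ip_address(dst) not in TEN):
            src = "192.168.2.101"
        if next_hop == ISP:
            return path, "sent to ISP via default route; RFC1918 destination dropped"
        target = next_hop if next_hop else dst
        nxt = owner(hosts, target)
        if nxt is None:
            return path, f"{target} not reachable from {here}"
        path.append(nxt)
        here = nxt
    return path, "routing loop"


def scenario_without_route():
    """PC1 -> PC2 as in the question: the router has no 10.0.0.0/8 route."""
    return forward(HOSTS, "PC1", "192.168.2.10", "10.0.0.101")


def scenario_nat():
    """PC2 -> PC1 with RRAS NAT on, plus PC1's reply to the translated address."""
    request = forward(HOSTS, "PC2", "10.0.0.101", "192.168.2.10", nat=True)
    reply = forward(HOSTS, "PC1", "192.168.2.10", "192.168.2.101")
    return request, reply


def scenario_with_route():
    """The fix: 10.0.0.0/8 via 192.168.2.101 on the router, NAT turned off."""
    hosts = deepcopy(HOSTS)
    hosts["ROUTER"]["routes"].insert(0, ("10.0.0.0/8", "192.168.2.101"))
    return forward(hosts, "PC1", "192.168.2.10", "10.0.0.101")


if __name__ == "__main__":
    print("no 10/8 route :", scenario_without_route())
    print("NAT request   :", scenario_nat()[0])
    print("NAT reply     :", scenario_nat()[1])
    print("with 10/8 route:", scenario_with_route())
```

The trace makes the asymmetry visible: with NAT, PC1 never has to know about 10.0.0.0/8 because it answers 192.168.2.101, which is on its own subnet; without NAT, PC1's packets to 10.0.0.101 follow its default route to 192.168.2.1, so that is the device that needs the 10.0.0.0/8 route. MSERVER itself needs nothing extra, since 10.0.0.0/8 is directly connected to its second NIC.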
