Routing between two NICs (subnets) on local machine without RRAS (2008 server core) possible?
I have an old application that has licensing that is tied to a specific IP=192.168.0.61. In re-architecting the network because all devices (production servers, lab/test, equipment, etc. -- scary) are currently in the same subnet/vlan (default), I would like to move this server to a dedicated server VLAN at IP = 192.168.51.31. The 2008 server core machine running this app is a VM on a VMWare ESX3i Free server (hardware doesn't support Hyper-V :( ) so I can add NICs, virtual switches, etc.

Is there some way to locally (on machine without using RRAS because it's server core) route between the NIC assigned 192.168.51.31 (/24) and a NIC assigned 192.168.0.61 (/32) so that I can accept connections on 192.168.51.31 and forward them to 192.168.0.61 where the application is bound using forwarding and static routes, for example? I am open to other suggestions, e.g. two IPs on same NIC (haven't been able to get this to work because the routing table automatically changes using the numerically lowest IP address on the NIC as the send/receive interface).

Seems like I am just missing something obvious. I appreciate all help and suggestions. Thanks in advance.
February 19th, 2010 8:28pm

Configuring RRAS as a router automatically enables IP forwarding (which is disabled by default). To enable it without RRAS you need to enable it in the registry. http://support.microsoft.com/default.aspx/kb/323339 These instructions are for Server 2003. It is still in the same place in 2008.

Bill
February 20th, 2010 4:23am

Bill, thanks for the reply. I've headed home to see the kiddos so I'll try this remotely over the weekend. I thought this might be the case but had also seen:

netsh interface ipv4 set interface "ID" forwarding=ENABLED store=static

and thought that might do it as well. Couldn't ever find the command to "show" whether or not it had been enabled. I'll give the above a whirl and get back to you. Thanks :)
February 20th, 2010 4:36am

Great article Bill, I had not come across that one. I imagine he will still need to add the static route for this, right?

RC6, you can also enable ICS or Internet Connection Sharing in 2008, though I have never tried this on a 2008 core machine myself. Here is the article, in case Bill's fix does not work for you (which it sounds like it will) and you want to give it a try: http://technet.microsoft.com/en-us/library/cc770507(WS.10).aspx

If you need extra help, you can reach us at: InitialAssist@cbfive.com See my blogs at http://www.cbfive.com/blog - Jared Crandall
February 21st, 2010 3:18am

Quick update gentlemen... Bill, that has done the trick =) Jared, I laid down a static route as mentioned but haven't confirmed yet whether or not it is "strictly necessary". In particular, I had to explicitly configure the firewall "current profile" to AllowInbound as I was losing connection as soon as the 2nd NIC was added. I've got a bit more tweaking to do but will reply back with the full implementation details. Thank you both.
February 23rd, 2010 8:19pm

Hello gentlemen. I'm afraid that I must report having some type of Alzheimer's-like regression... it worked... and now it doesn't. I'll explain. Bill's suggestion seemed to be the key. (Though, in my case, I did a bit of tweaking.) I did two additional things:

1. Modified the "CurrentProfile" to AllowInbound connections. Seems that when I add the second virtual network adapter, the profile moves from Domain to Public and was immediately prohibiting all connectivity: RDP, etc.
2. Per Jared's inference, I added a static route to point the 192.168.0.61 interface toward the default gateway at 192.168.51.1 via 192.168.51.31. (Bill, per the numerous other posts that you have answered around this topic, seems that it should not necessarily need the route. If I understand correctly, Windows should inherently know how to route the on-link paths to the default gateway.) As I mentioned in my previous post, I need to verify that this route was in fact necessary.

So thinking that I was quite clear about what was necessary to make this work (after all I had just done it), shamefully, I didn't properly document the original procedure as I thought I would simultaneously replicate the working model and verify whether or not the static route was strictly necessary. I proceeded to modify the same machine to verify that this would work with our second server that needs to be moved: 192.168.0.210. These are slightly newer binaries, but again they seem to operate properly as the service starts up and I can talk to the service via the 192.168.0.210 address on the local box. The problem now, however, is that I can't talk to the service via the 192.168.51.31 address though I was able to do this when it was 192.168.0.61.

So for clarity let me see if I can create a diagram:

Other VLANs <---> Core Router <---> Server VLAN (192.168.51.1) <---> Primary vNIC (192.168.51.31/24) --- Forwarder Service (Port 16xx) >-- GW (192.168.51.1) <-------------------------- | | | Secondary vNIC( 192.168.0.210/32) >---------------------- | listening (port 16xx) <-----------------------------------------------

This is the fundamental idea:

1. Receive a request on port 16xx @ 192.168.51.31 and forward the port to 192.168.0.210 which is listening on 16xx (netstat -a says so).
2. The response needs to go from 192.168.0.210 through 192.168.51.31 back to the requesting party. (This interface is connected to an internal only virtual switch that doesn't go anywhere though I don't think that it should matter with the /32... the 192.168.51.0/24 vSwitch is on VLAN 51.)

The settings:

NIC #1: IP: 192.168.51.31/24 GW: 192.168.51.1
NIC #2: IP: 192.168.0.210/32

You might be wondering what this "Forwarder Service" is: http://www.rouvali.com/index.php?id=53 Simple port forwarding service and again it worked when the address was 192.168.0.61. Not ruling out that the problem might be here though.

Part of the obvious difficulty here is that some of the things that a person could normally do on a full blown Win2008 install aren't done easily on the Server Core install. For example, I could test the Forwarding Service by using another program (e.g., telnet, ftp, etc) and redirecting 192.168.51.31 port 16xx to 192.168.0.210 port 23 if I could bind the telnet service to that IP address only. I am certainly willing to go down this path and research the necessary command line adventure to do this having confirmed with you gentlemen what the correct IP and routing (static if necessary) should be.

Maybe I need to change the NIC #2 IP, maybe a static route, maybe I can do the port forwarding natively rather than with the extra service (BTW... Jared, I don't believe RRAS is available on Server Core)... maybe I'm losing what little bit of my mind was left having stared at that little black and white console for too long. Your suggestions have been and continue to be greatly appreciated!!!

Layne
March 8th, 2010 10:28pm

Well that diagram turned out a garbled mess. Let's try again.

Other VLANs <---> Core Router <---> Server VLAN (192.168.51.1) <---> Primary vNIC (192.168.51.31/24) --- Forwarder Service (Port 16xx) >-- GW (192.168.51.1) <-------------------------- | | | Secondary vNIC( 192.168.0.210/32) >---------------------- | listening (port 16xx) <-----------------------------------------------
March 8th, 2010 10:31pm
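
Added example (not part of the original thread and not any poster's own commands): a read-only cmd batch script for the Server Core console that shows the state of each setting discussed above, namely the IPEnableRouter registry value from the KB article, per-interface forwarding, the active firewall profile's inbound policy, the IPv4 route table, and the application listener. The script name and the port argument are assumptions; the thread gives the port only as 16xx.

```bat
@echo off
rem Added example: read-only audit of the settings discussed in this thread.
rem Usage, with a hypothetical script name: check-forwarding.cmd PORT
rem PORT is the application's TCP port; the thread gives it only as 16xx.
setlocal
set "KEY=HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
set "PORT=%~1"

echo === 1. Global IP forwarding: IPEnableRouter ===
set "ROUTER=not set"
for /f "tokens=3" %%v in ('reg query "%KEY%" /v IPEnableRouter 2^>nul ^| find "IPEnableRouter"') do set "ROUTER=%%v"
echo IPEnableRouter = %ROUTER%
if "%ROUTER%"=="0x1" echo   Forwarding is on for every NIC; the value is read at boot.

echo.
echo === 2. Per-interface forwarding ===
rem List the interface indexes, then print each interface's Forwarding line.
for /f "tokens=1" %%i in ('netsh interface ipv4 show interfaces ^| findstr /r /c:"^ *[0-9]"') do (
    echo Interface index %%i
    netsh interface ipv4 show interface %%i | findstr /i /c:"Forwarding"
)

echo.
echo === 3. Firewall: active profile and inbound policy ===
rem A second NIC on an unidentified network can move the host to Public.
netsh advfirewall show currentprofile | findstr /i "Profile Policy State"

echo.
echo === 4. IPv4 route table ===
route print -4

echo.
echo === 5. Sockets on the application port ===
if "%PORT%"=="" (
    echo No port argument given, skipping.
) else (
    netstat -ano -p tcp | findstr /c:":%PORT% "
)
endlocal
```

If section 3 reports AllowInbound, every listening port on both NICs is reachable from the server VLAN, so the inbound policy and the forwarding state are worth re-checking together after each NIC change.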
