Setting up dual nics on a W2K S within the same subnet

SirKenin

Guest
This is driving me crazy. A client has a D-Link professional grade router, but it has the same problem as all the cheapos. It has a fixed subnet of 192.168.1.xxx. There is no way around this unless you use the DMZ, effectively eliminating the firewall. In and of itself that would not be a problem. HOWEVER...

This office has all their machines on the same subnet. The IP of the second NIC is 192.168.1.100. All of the machines are on DHCP and of course use the same subnet. The copiers, the presses, the RIP server, EVERYTHING is on this same subnet.

So. Here is the problem. When I try to manipulate the computer into giving the WAN port an IP in the same range, the internet connection dies. I can give the IP to one or the other, but I can not give an IP in the same range to both or the incoming connection pukes.

I think I need to move the WAN IP to a different subnet in order to get this to work, but I have spent two hours of my time trying to manipulate this router and server into allowing me to do it and it won't let me.

I really need something to work here and I urgently need suggestions before I go back to the site next week. I appreciate any help you can give.
 
WAN port? On a workstation? Your DLink is your WAN interface right? Any card you put in a computer on inside of that you'd call a LAN port. Well you wouldn't call a NIC anything other than NIC or perhaps you could say ethernet port. Anyway, why do you want to give your machine two IP's. Are you trying to do NIC bonding or teaming?

Point is, your post doesn't make a whole lot of sense beyond what I can gather, I assume anyway, is you have a broadband connection and DLink NAT router. All workstations are behind the NAT firewall and working. For some reason you want to run two NIC's on a workstation and when you try to use IP's on the same network your internet connection dies. Again, assumably you want to do some NIC teaming for the added bandwidth but that's just a guess. Please expand on your topology and needs in more detail.
 
I have labelled the incoming NIC on the server WAN. I have labelled the outgoing LAN. I am pretty sure that I was very clear that this is a server and not a workstation.... You don't run Windows 2k Server on a workstation last I looked. ;)

The topology is as follows. From the modem to the D-Link. From the D-Link to the WAN port on the server. The LAN port on the server to the Gigabit switch. Five workstations and a RIP server on the Gigabit switch. The rest of the machinery including the fax server is going through the Nortel switch.

I am trying to manually assign 192.168.1.100 for the LAN port and I tried all kinds of things including assigning 192.168.1.2 to the WAN port. As soon as I try to use the same subnet, though, it pukes. When I try to change it in the router it doesn't work.

So what is left? I must have some kind of option available to me.
 
I think I understand what you are describing.

You will have to change the subnet of the LAN side of the Dlink. (it can do this) Use a 10.10.X.X or some other private IP block for its LAN side, and the "WAN" nic on the server. (with just the one computer plugged into it, I would just disable DHCP on the Dlink too)

edit: I am assuming you have it hooked up like this:

Internet -> Dlink -> Win2kServer -> Gigabit switch -> workstations

And what is happening is that you can't have the two NIC's on the server use the same subnet. (this is true, you can't)

fyi: Private IP addresses = 10.0.0.0 - 10.255.255.255, 172.16.0.0 - 172.31.255.255, 192.168.0.0 - 192.168.255.255

==>Lazn
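
The addressing rule from the post above, as an added example that is not part of the original thread: a check that both NICs of the routing server sit in the private blocks listed there and that their subnets do not overlap, plus a lookup showing which NIC's connected subnet claims a given destination. The /24 masks, the 10.10.0.2 address and the workstation address 192.168.1.50 are assumptions made for the illustration.

```python
import ipaddress

# The three private blocks listed in the post above (RFC 1918).
PRIVATE_BLOCKS = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_dual_homed(wan_cidr, lan_cidr):
    """Return a list of addressing problems for a two-NIC routing server."""
    wan = ipaddress.ip_interface(wan_cidr)
    lan = ipaddress.ip_interface(lan_cidr)
    problems = []
    for name, iface in (("WAN", wan), ("LAN", lan)):
        if not any(iface.ip in block for block in PRIVATE_BLOCKS):
            problems.append(f"{name} {iface.ip} is outside the private blocks")
    # overlaps() also catches differing masks, e.g. a /16 that swallows a /24.
    if wan.network.overlaps(lan.network):
        problems.append(f"WAN {wan.network} overlaps LAN {lan.network}")
    return problems


def connected_routes(dst, interfaces):
    """Names of the NICs whose directly connected subnet contains dst."""
    addr = ipaddress.ip_address(dst)
    return [name for name, cidr in interfaces.items()
            if addr in ipaddress.ip_interface(cidr).network]


if __name__ == "__main__":
    # Constructed plans: the addresses tried in the thread, then the 10.10.x.x fix.
    broken = {"WAN": "192.168.1.2/24", "LAN": "192.168.1.100/24"}
    fixed = {"WAN": "10.10.0.2/24", "LAN": "192.168.1.100/24"}
    for label, plan in (("broken", broken), ("fixed", fixed)):
        print(label, check_dual_homed(plan["WAN"], plan["LAN"]))
        # Two names here means the server cannot tell which wire the host is on.
        print("  workstation 192.168.1.50 reachable via",
              connected_routes("192.168.1.50", plan))
```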
 
I have already tried to change the LAN side of the D-Link to 192.168.2.xxx. That did not work. Why would 10.10.xxx.xxx be any different? I must admit that I don't get it.

Thanks for your help so far, and you are right about the topology.
 
What's wrong with just using a different subnet for your lan? You said all the machines use DHCP so it should be a simple change. Your server<->router link would still be on the 192.168.1.x subnet, while everything else would be on a different subnet. Also, when you say changing the subnet on the dlink didn't work, what exactly didn't work? It wouldn't even let you change it?
 
Still not clear on why you want two NICs in the server. Is the Dlink NOT doing NAT routing for you?

192.168.x.x is not a WAN address but maybe your provider is using that scheme?

Edit: Think I may see what you're trying to do. Segment your existing LAN behind the server, with the server behind the DLink firewall/Router. Very unusual if that is what you're trying to do. Can't imagine your logic there but why not just change the IP scheme of the office if you're set on it.
 
SirKenin said:
I have already tried to change the LAN side of the D-Link to 192.168.2.xxx. That did not work. Why would 10.10.xxx.xxx be any different? I must admit that I don't get it.

Thanks for your help so far, and you are right about the topology.

Then there is something wrong with the Dlink. I have changed subnets on every router I have ever used. (I don't use 1.x or 0.x)

==>Lazn
 
Is there a need to route internet traffic thru the 2k server?

If not simply plug the dlink lan connection into the same network switch as the workstations and servers and change DHCP to hand out the IP address of the Dlink as the gateway address.
 
Ya, as said, you have to be able to change the LAN subnet IP for the dlink. I have been able to do this with every router I have owned, so I don't know why it won't work on yours. I am running the same topology at a small business I help out, except it's DSL modem - Netgear FS318 router - SBS2k3 box - Linksys switch - clients. Works great. I have the LAN side on the SBS box set to a 192.168 address, and the WAN side set to a 10. address (consequentially the LAN side of the FS318 is also on 10.)
 
They're both LANs. Just routed between the two segments by the server box. Odd setup to me but I guess you guys have your reasons. The router should be all the firewall you need but I suppose you are adding another hop/layer of protection. Seems like it would be difficult for apps that need out to the actual WAN, the internet.
 
SJConsultant said:
Is there a need to route internet traffic thru the 2k server?

If not simply plug the dlink lan connection into the same network switch as the workstations and servers and change DHCP to hand out the IP address of the Dlink as the gateway address.


yeah, that was what was throwing me off as well. I can only guess they are doing this as another layer of protection. peculiar
 
The reason I am doing it is that it is the recommended best practice both by microsoft and by experienced SBS consultants for SBS setups where the server is doing DHCP (and recommended as the best architecture for a SBS network in general).
 
Interesting. I found a few references to it but no recommendation. Not disagreeing with you. I don't have any SBS experience. Corporate/Enterprise only. Seems like overkill to me but I understand the thinking, just not sure I agree it's necessary.
 
Anyone who uses the phrase "professional grade router" to describe *anything* made by D-Link needs a reality check.
 
ktwebb said:
Interesting. I found a few references to it but no recommendation. Not disagreeing with you. I don't have any SBS experience. Corporate/Enterprise only. Seems like overkill to me but I understand the thinking, just not sure I agree it's necessary.

A majority of my clients use SBS, I can attest to Darkstar850's comments. A router on the outside interface of an SBS system is not necessary, but can be configured if one so desires.
 
yeah, wasn't really disagreeing. Just don't have any experience with SBS haven't heard or seen that design. Seems a bit much.
 
I recently ran into this setup not too long ago. One of our (new) clients was sick of their current IT support and brought us in to replace their current network. It was set up the same way.

Internet-->Netopia DSL Router (172.16.x.x) ---> Win2k SBS --> Internal LAN (192.168.x.x)

I think Microsoft's reasoning is because ISA server is included with SBS and that they should use ISA for DHCP, content filtering, NAT, and logging.

Riley
 
Well ISA, at least for SBS2k3, is only included in the premium version of SBS. I believe that the recommendation for SBS to be in the path is that overall things work better (like software distribution, DHCP, not entirely sure) with it acting as the client's gateway. I have never tried it with only 1 NIC on the SBS box, so I am not sure how it behaves in that config, as my current config works great.
 
It is not that unusual a configuration actually. I am adding an extra layer of protection for him. I don't want him to depend on that router for all his protection, considering that routers can be easily hacked and he is protecting an astronomical amount of data. To give you an idea, one project for one client is 3-600 megs. He has 1200 clients. That is just print jobs, never mind anything else. He also wants to add VPN to the mess.

When I go into the D-Link router to try and change the subnet of the LAN, it fails. The router resets itself back to default if you even try. You have to bypass the NAT if you are planning on changing the subnet for some reason. This is a $700 D-Link router. Weird. Very weird.

I have the exact same configuration in my office, but my router is on a different subnet than my LAN and it came that way by default.

If this does not work, I am just going to put the D-Link into the Gigabit switch and put the server into the same switch. I will be disappointed if I have to resort to that, however.
 
alienb said:
It amazes me what they call "IT Professionals" today.

If you don't have anything useful to contribute kindly keep your trap shut because I don't really want to smell that vile smell that's billowing out of your hole. Ok? Thanks.

I have tried everything. Not one person here has told me anything I haven't tried yet. Maybe you could make your clam useful for once and contribute something I haven't thought of so I can solve this problem.
 
Darkstar850 said:
The reason I am doing it is that it is the recommended best practice both by microsoft and by experienced SBS consultants for SBS setups where the server is doing DHCP (and recommended as the best architecture for a SBS network in general).

It sure is easy to tell the people that don't know what they are talking about, but like to pretend that they do, isn't it Darkstar?

It IS the best practice. Period. And this should work so it's pissing me off to no end.
 
Fint said:
Anyone who uses the phrase "professional grade router" to describe *anything* made by D-Link needs a reality check.

Maybe you better do your homework before you come off looking like an idiot. D-Link does make some "professional grade" pieces. There is one sitting there. I have used it. Next time I am on site I will give you the part number even.

I HATE D-Link, but this particular model is not even available in most stores.
 
$700? Which model? For that amount of money you'd better call tech support and figure out if you have a faulty router.

On the other hand if this customer is that worried, then you should be employing a better firewall that performs inbound and outbound controls as well as detailed logging. In fact you should *not* be routing internet traffic thru the same server that houses the information you are trying to protect if at all possible.
 
SJConsultant said:
In fact you should *not* be routing internet traffic thru the same server that houses the information you are trying to protect if at all possible.

Ding ding. winner.

==>Lazn
 
SJConsultant said:
$700? Which model? For that amount of money you'd better call tech support and figure out if you have a faulty router.

On the other hand if this customer is that worried, then you should be employing a better firewall that performs inbound and outbound controls as well as detailed logging. In fact you should *not* be routing internet traffic thru the same server that houses the information you are trying to protect if at all possible.

I agree. The server is not a file server though. The files are stored on the workstations and on a remote FTP server, the profiles on the server. I don't want a hacker to get past the defenses to those workstations.

If I had MY way it would be Linux router > W2K Server > Workstations. However, seeing as how he gave all his spare computers to me I somehow doubt that he wants to do that. lol. Soooo.. That's what I will be doing in my office instead.
 
SirKenin said:
I agree. The server is not a file server though. The files are stored on the workstations and on a remote FTP server, the profiles on the server. I don't want a hacker to get past the defenses to those workstations.

You can put all the firewalls you want in place, but IMHO, you should be focusing more attention on internal security than external. A majority of the time security breaches are not made directly thru a firewall.
 
SirKenin said:
It sure is easy to tell the people that don't know what they are talking about, but like to pretend that they do, isn't it Darkstar?

It IS the best practice. Period. And this should work so it's pissing me off to no end.

Well I believe he was responding to me so by proxy you're referencing me. Easy big fella. I don't think I've been derogatory in my remarks towards you. I support over 400 servers physical and VM's. I have not had a chance however to support SBS and this is an interesting thread that is teaching me something I might be able to use in my side work. No need to get bent out of shape.
 
SirKenin said:
When I go into the D-Link router to try and change the subnet of the LAN, it fails. The router resets itself back to default if you even try. You have to bypass the NAT if you are planning on changing the subnet for some reason. This is a $700 D-Link router. Weird. Very weird.

Can you RMA it? That sounds seriously broken. I actually had a Netgear cheap-o wireless router that would do something similar if I tried to use a dynamic dns service that you could configure on the router.
 
SJConsultant said:
In fact you should *not* be routing internet traffic thru the same server that houses the information you are trying to protect if at all possible.

I understand your concern, but microsoft and the SBS MVP consultants disagree with you in a SBS environment. I guess that falls under the "if at all possible" umbrella however, since most SBS setups have only one server.
 
SJConsultant said:
You can put all the firewalls you want in place, but IMHO, you should be focusing more attention on internal security than external. A majority of the time security breaches are not made directly thru a firewall.


Exactly!

Also, if the profiles are on the server, if someone gets into the server they can easily get into the workstations..... the only "server" that should be potentially open to the net is a firewall server and everything else NAT'd / routed behind that - segmented networks keeping server completely separate from workstations etc.


Also for a $700 router - as suggested why not call D-link ?
 
I am going to call D-Link if this one idea I got in my head this evening doesn't work...

This whole thing should work fine. I do it myself here at the office with no problem.
 
Darkstar850 said:
I understand your concern, but microsoft and the SBS MVP consultants disagree with you in a SBS environment. I guess that falls under the "if at all possible" umbrella however, since most SBS setups have only one server.

The OP has not indicated whether the environment is running SBS or not and yes SBS is the exception to the rule. Until the OP tells us otherwise I am basing my suggestions on a plain vanilla server OS.
 
It is running Windows 2000 Server and I am running Windows 2000 Advanced Server in my own network, same topology.
 
SirKenin said:
If you don't have anything useful to contribute kindly keep your trap shut because I don't really want to smell that vile smell that's billowing out of your hole. Ok? Thanks.

I have tried everything. Not one person here has told me anything I haven't tried yet. Maybe you could make your clam useful for once and contribute something I haven't thought of so I can solve this problem.


Ok. What nobody here has realized including you is the reason you're having a hard time routing traffic, is because you're using the same subnet. Duh you say? ok. Here's your fix

Your professional dlink router whatever it is, set it to 192.168.0.1
Set your Win box to 192.168.1.1, and have it assign IP's in the 192.168.1.x range. It can't route traffic to the internet if the subnets are the same, mmkay?
 
alienb said:
Ok. What nobody here has realized including you is the reason you're having a hard time routing traffic, is because you're using the same subnet. Duh you say? ok. Here's your fix

Your professional dlink router whatever it is, set it to 192.168.0.1
Set your Win box to 192.168.1.1, and have it assign IP's in the 192.168.1.x range. It can't route traffic to the internet if the subnets are the same, mmkay?

Actually I think we all do understand that and that is the entire point of this thread. Have you even read the thread? He has said several times that he has tried to change the subnet on his dlink router and it doesn't work. I'd say rma that bitch because it is broken.
 
Re-read his post. He is suggesting, and it appears to be the only solution if the DLink router cannot have its network subnet changed, to change the subnet on the SBS server and the internal LAN. If the clients are all DHCP then this wouldn't be a huge administrative hassle.

"What nobody here has realized including you is the reason you're having a hard time routing traffic, is because you're using the same subnet."

I do however think that was established early on in this thread. Changing the subnet on the LAN instead of the router appears to be the easiest and workable solution.
 
ktwebb said:
Re-read his post. He is suggesting, and it appears to be the only solution if the DLink router cannot have its network subnet changed, to change the subnet on the SBS server and the internal LAN. If the clients are all DHCP then this wouldn't be a huge administrative hassle.

No he's not. He is suggesting changing the subnet on the dlink. I was the one who suggested changing the lan subnet earlier.
 