Windows Domain routing question - dual-nic

DustinB3403

I've setup a DC in my lab with multiple NICS on Windows Server 2019 (trial license), and have setup DHCP and DNS to be handed out on the second interface (Ethernet 4), DHCP is working. however I can only ping the LAN side at 10.200.1.1 (Eth4)

Ethernet 3 is my actual LAN connection for my host and has access to the internet without issue, statically assigned and can reach the world.

I'm certain there is a way to do this, I'm just uncertain of how to do so. Any help is appreciated.

IRJ

Are you just verifying it works? ICMP is disabled in windows firewall quite often, and really isn't necessary.

DustinB3403

@IRJ said in Windows Domain routing question - dual-nic:

Are you just verifying it works? ICMP is disabled in windows firewall quite often, and really isn't necessary.

No I can confirm that DHCP works, but from my client which is on an separate network I'm unable to route to the internet. Which is what I'm attempting to do.

I want to route internet traffic from 10.200.1.X network through 192.168.1.9 so that the scope has internet connectivity.

Obsolesce

@DustinB3403 said in Windows Domain routing question - dual-nic:

@IRJ said in Windows Domain routing question - dual-nic:

Are you just verifying it works? ICMP is disabled in windows firewall quite often, and really isn't necessary.

No I can confirm that DHCP works, but from my client which is on an separate network I'm unable to route to the internet. Which is what I'm attempting to do.

I want to route internet traffic from 10.200.1.X network through 192.168.1.9 so that the scope has internet connectivity.

A Windows Server with DC, DNS, and DHCP server roles does not do network traffic routing. Are you wanting to do RRAS?

DustinB3403

@Obsolesce said in Windows Domain routing question - dual-nic:

@DustinB3403 said in Windows Domain routing question - dual-nic:

@IRJ said in Windows Domain routing question - dual-nic:

Are you just verifying it works? ICMP is disabled in windows firewall quite often, and really isn't necessary.

No I can confirm that DHCP works, but from my client which is on an separate network I'm unable to route to the internet. Which is what I'm attempting to do.

I want to route internet traffic from 10.200.1.X network through 192.168.1.9 so that the scope has internet connectivity.

A Windows Server with DC, DNS, and DHCP server roles does not do network traffic routing. Are you wanting to do RRAS?

Yes, that is what I was looking for. RRAS, I'm adding that role right now and will tinker.

DustinB3403

Okay so RRAS is installed, but I can't figure out what this route would look like.

I'm guessing (incorrectly) that it would be 10.200.1.0, mask 255.255.255.0 GW 192.168.1.9

This isn't working though, any additional pointers (and explanation)?

Dashrender

what are you handing out as the gateway in DHCP?

DustinB3403

@Dashrender the LAN host , 10.200.1.9

Dashrender

@DustinB3403 said in Windows Domain routing question - dual-nic:

GW 192.168.1.9

what is this? If this is the IP of the LAN side of the server, that would be wrong. It should be the internet gateway IP.

Also, assuming there is a firewall at the internet gateway, you'll need a route on that device as well pointing the 10.x network to the LAN side IP of the server.

Providing a picture of the network layout could be helpful.

DustinB3403

@Dashrender that is the LAN side yeah. The wan side would be a 192 sub.

Even though it's all technically on my LAN

taurex

Whatever device does the local routing for you, it needs to be aware of the Eth 4 LAN and have
a static route pointing to it as @Dashrender already advised. ICMP needs to be allowed on Windows Firewall of the host to test this. You should only have a single default gateway per host. Create a persistent route in CMD on the host for your 10.200.1.0 network traffic to exit out of its own interface or next-hop address instead.

dafyre

So is your set up like this?

192.x.y.z WAN --- SERVER2019 --- 10.x.y.z LAN ?

Edit:
You have to set up SERVER2019 to Route for you RRAS is the right way to go for that....

You also need to set up your WAN Router to point at SERVER2019's 192.x.y.z address for the 10.x.y.z network.

Make sense?

DustinB3403

@dafyre said in Windows Domain routing question - dual-nic:

So is your set up like this?

192.x.y.z WAN --- SERVER2019 --- 10.x.y.z LAN ?

Yeah

dbeato

Having the server do the routing seems weird in this case, maybe your firewall/router can do this without the need of the server. Otherwise maybe a layer 3 switch.

Dashrender

@dbeato said in Windows Domain routing question - dual-nic:

Having the server do the routing seems weird in this case, maybe your firewall/router can do this without the need of the server. Otherwise maybe a layer 3 switch.

or an ER-L, just something to act as a router.

DustinB3403

The issue is this is a segmented network, I only want routing to exist in this workspace so I can test and toy around with things.

Normally I would agree, but I need to have these segmented as any overlap would cause network issues.

The thing I'm playing with and have setup is a DC on the separated network segment, but wanted to route internet through the second nic on this VM so I could pull updates etc on my client machine. .

DustinB3403

@Dashrender said in Windows Domain routing question - dual-nic:

@dbeato said in Windows Domain routing question - dual-nic:

Having the server do the routing seems weird in this case, maybe your firewall/router can do this without the need of the server. Otherwise maybe a layer 3 switch.

or an ER-L, just something to act as a router.

No, the way this is setup is that I have my true LAN, and then I have an internal to my VM LAN. These are separated networks and I'm not going to buy a router for my VM's.

Dashrender

@DustinB3403 said in Windows Domain routing question - dual-nic:

@Dashrender said in Windows Domain routing question - dual-nic:

@dbeato said in Windows Domain routing question - dual-nic:

Having the server do the routing seems weird in this case, maybe your firewall/router can do this without the need of the server. Otherwise maybe a layer 3 switch.

or an ER-L, just something to act as a router.

No, the way this is setup is that I have my true LAN, and then I have an internal to my VM LAN. These are separated networks and I'm not going to buy a router for my VM's.

oh - then this is even easier - setup a PFSense VM and have it do your routing.

scottalanmiller

@Dashrender said in Windows Domain routing question - dual-nic:

@DustinB3403 said in Windows Domain routing question - dual-nic:

@Dashrender said in Windows Domain routing question - dual-nic:

@dbeato said in Windows Domain routing question - dual-nic:

Having the server do the routing seems weird in this case, maybe your firewall/router can do this without the need of the server. Otherwise maybe a layer 3 switch.

or an ER-L, just something to act as a router.

No, the way this is setup is that I have my true LAN, and then I have an internal to my VM LAN. These are separated networks and I'm not going to buy a router for my VM's.

oh - then this is even easier - setup a PFSense VM and have it do your routing.

VyOS

Dashrender

Though - if you have a second layer network like this, you'll need to inform your external router on the internal networks and how to route them.