Routing

Guest
I am having a problem getting my network to communicate using 2 subnets and a multihomed NT 4 server. I will explain my setup first and then my problem.

All Subnet masks are 255.255.255.0
DG = Default gateway
My server has 2 Network cards with ip forwarding enabled
N1: IP 200.200.200.120
DG 200.200.201.120

N2: IP 200.200.201.120
DG 200.200.200.120

My clients are all Win 9x
on subnet 200.200.200.0 clients are config. as
IP 200.200.200.x
DG 200.200.200.120

on subnet 200.200.201.0 clients are config. as
IP 200.200.201.x
DG 200.200.201.120

on subnet 200.200.200.0 I have an NT4 server acting as a web proxy using an ADSL connection. It has 2 network cards on it. IP forwarding enabled
N1: connects to the ADSL modem
N2: IP 200.200.200.17
DG 200.200.200.120

Problem:
All clients on Subnet 201 are able to communicate (ping) clients on subnet 200 and vice versa. Clients on subnet 200 can communicate with the web proxy and therefore load web pages. Clients on subnet 201 are unable to communicate (ping, destination host unreachable) with the web proxy. The web proxy is unable to ping 200.200.201.120 (Request time out)

All help is welcomed,

Ron
 

Lucol

I honestly can't be certain of this, but shouldn't your subnet mask be 255.255.0.0?
I also can't be certain of the following, but for the 200.200.201.0 client config, the default gateway I think should be the IP address of your web proxy, so it should be 200.200.200.120 and not 200.200.201.120
Edited by Lucol on 12/19/00 10:03 AM.
 
Guest
Your configuration is strange. Some of your default gateways are redundant or wrong, and you need a route command set up on the proxy server.

Here's what you need to do:

On the NT Server that is your internal router:

N1: IP 200.200.200.120
SM: 255.255.255.0
DG: 200.200.200.17 (See note 1)

N2: IP 200.200.201.120
SM: 255.255.255.0
DG: Leave Blank. (See Note 2)

Clients on subnet 200.200.200.0:
IP: 200.200.200.x
SM: 255.255.255.0
DG 200.200.200.120

Clients on subnet 200.200.201.0:
IP 200.200.201.x
SM: 255.255.255.0
DG 200.200.201.120

Proxy Server:
N1: connects to the ADSL modem
N2: IP 200.200.200.17
SM: 255.255.255.0
DG: Leave Blank. (See Note 3)

There is one final requirement: Since the proxy server is connected to the internet and to 200.200.200.x, it does not know that it has to reach 200.200.201.x through the internal router and NOT the Internet. To fix this, you need to add a routing table entry on the proxy server as follows:

Open a command prompt on the proxy server and type:

route -p ADD 200.200.201.0 MASK 255.255.255.0 200.200.200.120

This forces the proxy server to send any packets for 200.200.201.x (i.e. 200.200.201.0 with a MASK of 255.255.255.0) to the gateway interface 200.200.200.120, and the NT router will then take care of the packets. The "-p" makes this route change a permanent change that will not be lost at a reboot.

Note 1:

What exactly is the "Default Gateway", anyway? The first thing to know is that the term "Default Gateway" is a really BAD name. It should really be called the "Gateway of Last Resort". What happens is this: If a system has a packet to go to an IP address that it does not have an explicit route to send it, it will send that packet to the "Default Gateway".

So, the NT router needs to do the following:
1) Any packet for 200.200.200.0 should go out the NIC 200.200.200.120.
2) Any packet for 200.200.201.0 should go out the NIC 200.200.201.120.
3) Any OTHER packet is on the Internet so it should go out to the proxy server which is at 200.200.200.17, which can be reached through the interface 200.200.200.120.

Since NT automatically adds a route for any local interface, you only need to set the configuration as shown above to handle all packets.

Note 2:

The reason that you want NO default gateway on this interface is that you do not want the NT server sending packets out this interface if they are not destined for 200.200.201.x addresses.

Note 3:

The reason that you set the default gateway to blank in this case is that you want any packets that are not for 200.200.200.x or 200.200.201.x to go to the Internet, which is the other interface. This is why you need to do the "route add" command listed.

John Sloan.
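
The route lookup described in the answer above, as an added example that is not part of the original thread: it models the proxy's routing table before and after the `route -p ADD` command and the internal router's table, and flags internal subnets that would leave by the Internet-facing NIC. The ADSL-side default route (192.0.2.1), the interface labels and the function names are constructed assumptions.

```python
import ipaddress

def lookup(table, dst):
    """Longest-prefix match over (network, next_hop, interface) rows.

    next_hop None means the destination is directly connected.
    """
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(net), hop, ifc)
               for net, hop, ifc in table
               if addr in ipaddress.ip_network(net)]
    if not matches:
        return None  # no matching route and no default gateway
    net, hop, ifc = max(matches, key=lambda m: m[0].prefixlen)
    return (hop or "on-link", ifc)

# Proxy server as configured in the answer: LAN NIC 200.200.200.17 with no
# default gateway. The ADSL-side default route is an assumption; 192.0.2.1
# is a constructed placeholder for the ISP gateway.
PROXY_BEFORE = [
    ("200.200.200.0/24", None, "lan"),
    ("0.0.0.0/0", "192.0.2.1", "adsl"),
]
# Effect of: route -p ADD 200.200.201.0 MASK 255.255.255.0 200.200.200.120
PROXY_AFTER = PROXY_BEFORE + [("200.200.201.0/24", "200.200.200.120", "lan")]

# Internal NT router: on-link routes for both NICs, default gateway set to
# the proxy on N1 only (Notes 1 and 2).
ROUTER = [
    ("200.200.200.0/24", None, "N1"),
    ("200.200.201.0/24", None, "N2"),
    ("0.0.0.0/0", "200.200.200.17", "N1"),
]

INTERNAL = ["200.200.200.0/24", "200.200.201.0/24"]

def misrouted(table, internal_nets, external_ifc="adsl"):
    """Internal subnets with no route, or whose route leaves via external_ifc.

    Samples the first host of each subnet, which is enough for these /24 routes.
    """
    bad = []
    for net in internal_nets:
        host = str(next(iter(ipaddress.ip_network(net).hosts())))
        route = lookup(table, host)
        if route is None or route[1] == external_ifc:
            bad.append(net)
    return bad

if __name__ == "__main__":
    print("before:", misrouted(PROXY_BEFORE, INTERNAL))
    print("after: ", misrouted(PROXY_AFTER, INTERNAL))
```
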
 
Guest
On the NT Server that is your internal router, both default gateways should be blank.
A proxy server receives requests from clients, and creates corresponding requests on the net; as far as TCP/IP is concerned there are 2 separate communications. It does not forward packets, or do IP masquerading, etc. All internet requests should be addressed directly to the proxy, therefore there's no need for it to be the default gateway.

IP Forwarding should also be disabled on the proxy server. IP Forwarding allows the proxy machine to forward packets from one of the 200.200.20x.x machines out onto the net. This is wrong; the only packets sent onto the net should be from the address you were allocated for your ADSL connection.
 
Guest
I see what you are getting at, but I don't entirely agree.

The "default gateway" settings on the internal router should be set to the proxy server, since client software on hosts on the 200.200.201.X subnet may not be "proxy aware". Let me explain:

One of the long-standing problems with proxy servers has always been the need for the client software to be "proxy aware". Some proxy server products have got around this by introducing so-called "invisible proxies" which behave a lot like NAT for specific ports. These intercept packets on a port-wise basis, assume those packets are for a particular protocol, and forward those packets after doing NAT (or ip masquerading, whichever term you prefer.)

Note that the original poster "Ronrcg" indicated he is using proxy software on an NT4 server, so he is likely to be using a "proxy server" that includes this capability. This is why I added in the "default gateway" information.

As an example, he could be running "WinProxy" or "WinRoute Pro", which include both proxy and NAT capabilities. If this is the case, you would set the default gateway to the proxy server, so that the proxy software could handle the packets for the clients that were not proxy-aware.

As a counter-example, with NT4 proxy software like MS Proxy Server 2.0, you would NOT want to set the default gateway to the proxy server itself, since there is client software for clients to replace winsock.dll and wsock32.dll to manage the traffic for these client applications that are not proxy-aware. Also, if you are implementing security by restricting client access to only those clients that are already proxy-aware and configured with the correct proxy information, then you would be correct.

The other issue is the "IP forwarding" setting on the proxy server. This should in general be turned off as you point out, but again this can be dependent on the proxy server software he is using. For example, if he is using "MS Proxy Server 2.0", he should have this turned off. However, if he is using "WinRoute Pro 4.0" (This is a NAT/proxy product), this setting will be turned on and managed by the software. I believe that the "WinProxy" software also sets this setting, but I have not used it in a while so I can't say for certain.

That could lead to misunderstandings about the exact state and meaning of the "IP forwarding" setting, so I thought I'd leave it alone. Whatever proxy server software he is using will take care of that anyway, and if he had any further questions we could address them after he gets it all working.

I am sure that he will come back and ask us if he has any more problems, and we can look at the situation again.

Merry Christmas and a Happy New Year!

JS