Adding Router to Network with 2 NIC Server

  • 18-12-2008 2:03pm
    #1
    Registered Users Posts: 394 ✭✭


    Server: SBS 2003, controlling DHCP, RRAS Firewall
    2 NICS on Server:
    1st: Internal with Static IP: 192.168.0.99
    2nd: Internet with Static IP from provider: 99.88.77.66

    All PCs are on the same subnet with IPs 192.168.0.?? and Gateway 192.168.0.99

    Everything works perfectly at the moment.

    I want to install a firewall box between Server and Internet. Plug Internet wire into WAN on box, plug NIC #2 into LAN on box. The box takes the Internet IP 99.88.77.66, gateway 99.88.77.1 and all DNS obviously.

    But what do I set the old Internet NIC IP/Gateway to? Do I need to change RRAS at all?

    Cheers for any help.


Comments

  • Registered Users Posts: 16,288 ✭✭✭✭ntlbell


    Not really sure what you're asking?


    Wan -> outside firewall --> inside--> Switch---->SBS--Nic1

    no need for two nics?

    plus if that SBS box is sitting currently externally facing the internet...get it off.....


  • Registered Users Posts: 642 ✭✭✭macrubicon


    If it's SBS2003 are you using ISA 2004 as a proxy or do you allow direct access out?

    If you use ISA (to do all the NAT etc.) you could simply put another IP from your internal range on the formerly outside interface and just update ISA with the new details etc.

    All the gateways would be the inside IP of the Firewall most likely in this case.

    So

    Public Net
    |
    Firewall Outside ( your public IP )
    |
    Firewall Inside ( your "old" gateway IP )
    |
    Proxy "Outside" (New IP from your internal range)
    |
    Proxy (Same old internal IP )
    |
    Clients

    Or something similar!

    ISA works equally well as a single arm, so you could do away with the In and Out as separate interfaces now you have another Firewall device to take on that role.


  • Registered Users Posts: 394 ✭✭Mickah


    Response to ntlbell:
    Right now it's:
    WAN > SBS NIC #2 (acting firewall) > SBS NIC #1 > Switch > PC

    I thought I'd have to:
    WAN > Firewall > SBS NIC #2 (just a NIC) > SBS NIC#1 > Switch > PC

    Are you saying?

    WAN > Firewall > Switch > SBS NIC #1 > PC

    If so, does that mean maintaining Routing tables? With PCs' default gateway set as the Server, how will they know to go to Firewall for Internet?


  • Registered Users Posts: 16,288 ✭✭✭✭ntlbell


    Mickah wrote: »
    Right now it's:
    WAN > SBS NIC #2 (acting firewall) > SBS NIC #1 > Switch > PC

    I thought I'd have to:
    WAN > Firewall > SBS NIC #2 (just a NIC) > SBS NIC#1 > Switch > PC

    Are you saying?

    WAN > Firewall > Switch > SBS NIC #1 > PC

    If so, does that mean maintaining Routing tables? With PCs set to default gateway on the Server how will they know to go to Firewall for Internet?

    the gateway will be the inside of the firewall...


  • Registered Users Posts: 642 ✭✭✭macrubicon


    More like

    WAN > Firewall > Switch > PC's
    |-> SBS NIC #1
    If so, does that mean maintaining Routing tables? With PCs set to default gateway on the Server how will they know to go to Firewall for Internet?

    If you change the default gateway in the DHCP setting it will be the easiest way of swapping it over.

    For routing it's not really that hard - everything is default routed to the next hop... point everything at your firewall and your firewall points everything at your ISP - they look after it from there.


  • Registered Users Posts: 394 ✭✭Mickah


    macrubicon:
    OK I get the topology. I'm confused as to how I point PC's in the direction of the internet.

    They're looking to the server (192.168.0.99) as their default gateway. Do I need to change a setting on the server to point any internet traffic in the direction of the firewall box?

    Or is it just a case of plugging the internet into the firewall box. Plugging the firewall box into the switch and done? No change in settings?


  • Registered Users Posts: 16,288 ✭✭✭✭ntlbell


    Mickah wrote: »
    macrubicon:
    OK I get the topology. I'm confused as to how I point PC's in the direction of the internet.

    They're looking to the server (192.168.0.99) as their default gateway. Do I need to change a setting on the server to point any internet traffic in the direction of the firewall box?

    Or is it just a case of plugging the internet into the firewall box. Plugging the firewall box into the switch and done? No change in settings?

    If DHCP assigns 192.168.0.99 to the PCs, change it in the DHCP to give out the new gateway of the inside of the firewall

    say 192.168.0.100

    change the gateway of the SBS to the same

    Bob's your uncle


  • Registered Users Posts: 642 ✭✭✭macrubicon


    The PC's get to the internet via their default gateway.

    If you are putting in a dedicated firewall this gateway should probably be the IP address of the Inside interface of that Firewall.

    You will need to either - change the IP of the server ( the current gateway address ) and give that to the firewall's inside interface - but that's less than ideal for lots of reasons

    or

    Update your clients to have a new gateway which will be a new IP you will assign to the Inside I/F of your firewall.

    If it's SBS you are probably using DHCP, so the easiest way is to plan to do this a few days in advance and bring down the DHCP lease time so the clients check in more often. Change the gateway in here and away you go. Just remember to up the lease time when it's all up and running.


  • Registered Users Posts: 394 ✭✭Mickah


    Changed DHCP settings to point to Firewall Box, working perfectly.

    Thanks lads


  • Registered Users Posts: 394 ✭✭Mickah


    Spoke too soon. Net is now going up and down regularly.

    I can ping the Firewall box internal IP and external IP when it's down, but not the Internet gateway.


  • Registered Users Posts: 642 ✭✭✭macrubicon


    "Firewall box internal IP" should be your Gateway. Do you mean your ISP's gateway ?

    If it's fairly regular you could have a duplicate IP or route...


  • Registered Users Posts: 394 ✭✭Mickah


    Yeah the firewall internal IP was the gateway, I renewed IP leases @ each machine.

    It's very regular, IP spiking from 2/3ms to 50ms and then losing connect every 4/5 mins.

    How would I track down a duplicate IP or route?


  • Registered Users Posts: 642 ✭✭✭macrubicon


    Given that the server used to do everything, I would make sure that the config there has been modified to reflect the new arrangements.

    WinMTR will give you a view of the hop that introduces the latency or drops so will give you a starting point.

    Aside from that have a look at the ARP tables and make sure everything is as expected.
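
Added example, not part of any post in this thread: one way to do the ARP-table check suggested above is to save the output of `arp -a` on a client several times across an outage and look for an IP address that answers from more than one MAC, which is the signature of a duplicate IP. The captures and MAC addresses below are constructed; 192.168.0.100 is the example firewall inside address used earlier in the thread.

```python
import re
from collections import defaultdict

# One entry line of Windows `arp -a` output: IP address, MAC, entry type.
ENTRY = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"((?:[0-9a-fA-F]{2}-){5}[0-9a-fA-F]{2})\s+(\w+)"
)

def parse_arp(text):
    """Return {ip: mac} for every dynamic entry in one `arp -a` capture."""
    table = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m and m.group(3).lower() == "dynamic":
            table[m.group(1)] = m.group(2).lower()
    return table

def find_conflicts(snapshots):
    """Return {ip: [macs]} for IPs seen with more than one MAC across captures."""
    seen = defaultdict(set)
    for text in snapshots:
        for ip, mac in parse_arp(text).items():
            seen[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}

# Constructed captures taken a few minutes apart on the same client.
SNAPSHOT_1 = """
Interface: 192.168.0.21 --- 0x2
  Internet Address      Physical Address      Type
  192.168.0.99          00-11-22-33-44-55     dynamic
  192.168.0.100         00-aa-bb-cc-dd-01     dynamic
"""
SNAPSHOT_2 = """
Interface: 192.168.0.21 --- 0x2
  Internet Address      Physical Address      Type
  192.168.0.99          00-11-22-33-44-55     dynamic
  192.168.0.100         00-AA-BB-CC-DD-02     dynamic
"""

if __name__ == "__main__":
    for ip, macs in find_conflicts([SNAPSHOT_1, SNAPSHOT_2]).items():
        print(f"{ip} answered from {len(macs)} MACs: {', '.join(macs)}")
```

If the gateway address shows up here, the second MAC identifies the other device holding that IP; it can then be traced through the switch or the DHCP lease list.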


  • Registered Users Posts: 394 ✭✭Mickah


    I think it's a DNS problem. Can't resolve addresses despite being able to ping out.

    My knowledge is limited on IP, but I've no clue on DNS.

    How would I go about pointing DNS in the right direction?


  • Registered Users Posts: 16,288 ✭✭✭✭ntlbell


    What DNS servers are assigned to the firewall?

    What DNS servers get assigned to the DHCP clients?

    In the previous setup how was DNS setup?


  • Registered Users Posts: 642 ✭✭✭macrubicon


    On SBS your DNS was the Windows server. This should still be the case. Check the settings for DNS Servers in your DHCP Scopes.


  • Registered Users Posts: 394 ✭✭Mickah


    DHCP clients are pointed to the server for DNS 192.168.0.99

    Firewall Exterior is DNS servers from ISP primary and secondary. Firewall Interior has no DNS servers.

    DHCP Scope: DNS Server is the server 192.168.0.99

    In DNSmgmt, DNS forwarders point to my ISP DNS servers.

