Multihomed 2008 Server for firewall

JonnStar

I have a multihomed win2008r2 server that needs to be a DHCP and TMG and a print server.

My intention is to put TMG on a VM using Hyper-V. But before I can even get to that part I am struggling with the configuration for this multihomed server :o Admittedly, this is not something I have played around with before.

Basically it looks like this:

Internet <-----> Router <-----> Server <-----> Switch <-----> LAN

- So the router is just a standard Telkom router with PPPoE and the ADSL details dialled in
- This is all on a workgroup, no AD or DNS on the server
- The server (host) IP on the "INTERNAL" NIC is 192.168.38.11
- I am undecided what IP to use on the "EXTERNAL" NIC on the server
- Currently the router is configured with a default IP of 10.0.0.2.
- The internal network (LAN) has an IP range of 192.168.38.0-255.

What configuration is required to get Internet access working for all those on the LAN? I would like to get this part right first before configuring TMG.

To my knowledge this will require configuring gateways correctly and also configuring routes on the server correctly. With the reading and about 4-5 hours' work I have done thus far I still haven't managed to get it right, though :(

I have only got as far as being able to ping the "EXTERNAL" NIC of the server from the LAN if I set the gateway on the EXTERNAL NIC to the router's IP 10.0.0.2, but I still can't ping the router itself.

Can anyone offer any assistance?
 
Why multihomed? Which IP ranges do you want to use?

A multihomed setup might not be the answer you want - maybe a simple netmask change will do the same thing?

eg on a network of 192.168.50.0/24 I can only see devices on the .50.0 network.
Change the subnet mask from 255.255.255.0 to 255.255.248.0 and I can see 192.168.50.0, 192.168.49.0 and 192.168.48.0

Once that is done, you can then decide whether to put the router into bridged mode (so that the Windows box will do the PPPoE auth) or leave the router to do the PPPoE auth. Then you share this.

NOTE : Other windows admins may blap me for using Internet Connection Sharing, I have no experience with setting Windows Server up this way to share an internet connection :o For that I use Smoothwall...

If bridged, then you won't have to worry about the IP ranges between the Windows box and the router.
 
I haven't installed routing and remote access but I did enable the regkey for IP routing. I now think that wasn't good enough and I have to configure NAT as well. Thoughts?
 
Thanks. I am going back to the site on Friday to play around some more. I am rather new to this :o but what you say makes sense. :)

The internal IP range must preferably stay at 192.168.38.x but anything else can change as long as ultimately I can get TMG up and running.
 
What's TMG?

Sorry :o Microsoft Forefront Threat Management Gateway 2010, to be specific (ISA Server). The intention is to get the firewall up and running on this server, specifically on a VM. I haven't many options, this is the task I was given lol :) one box that must run DHCP, print server and TMG.

So TMG is probably the reason behind it being multihomed. TMG must run by itself which is why I will ultimately install and configure it on a VM, but I first need to get the Internet access right.

Its a new small site with just this one server given and they require the firewall to block certain traffic like porn sites and facebook etc... and of course protect the internal network. They only have a handful of users.
 
Rather install TMG on a standalone box, installing other roles with it will just cause headaches and you will end up opening the firewall completely so that things actually work for your internal clients, thereby making your firewall less secure...

Anyway, I haven't installed TMG for years (moved on to Fortigate) but as far as I remember ping (and everything else) is blocked by default, so if you want to ping your router you will have to open a port for that. Then there should only be one gateway, on one of the interfaces, the external one, so make the external IP on TMG 10.0.0.10 (or anything else except .2) and the gateway 10.0.0.2, and make sure you have no gateway specified on your internal network interface with IP 192.168.38.11/24.

Clients will obviously use the TMG box as their gateway IP and TMG will take care of the routing (if it was setup correctly) to pass it out over internet if rules allow it to go out over internet....
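The addressing described in the reply above (one default gateway, on the external NIC only, and none on the internal NIC), together with the IPEnableRouter registry key mentioned earlier in the thread, as an added example script for the Server 2008 R2 host; this is not code from the thread. It uses netsh because the NetTCPIP cmdlets (New-NetIPAddress and friends) only exist from Server 2012 onwards. The NIC names "External" and "Internal", the router LAN subnet 10.0.0.0/24, the DNS placeholder 192.0.2.53 and the LAN test host 192.168.38.1 are assumptions, not values from the thread.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the 2008 R2 host.
# Assumed NIC names as shown in Network Connections:
$ext = "External"
$int = "Internal"

# External NIC: an address on the router's subnet (assumed 10.0.0.0/24), with the
# router as the ONE AND ONLY default gateway on this box.
netsh interface ipv4 set address name="$ext" source=static address=10.0.0.10 mask=255.255.255.0 gateway=10.0.0.2 gwmetric=1

# Internal NIC: LAN address, explicitly no gateway. A second default gateway on a
# multihomed box is the classic reason one side answers and the other does not.
netsh interface ipv4 set address name="$int" source=static address=192.168.38.11 mask=255.255.255.0 gateway=none

# DNS only on the external side. 192.0.2.53 is an RFC 5737 placeholder; put the ISP's
# resolver here (the thread says there is no DNS on the server itself).
netsh interface ipv4 set dnsservers name="$ext" source=static address=192.0.2.53 register=none

# Allow the host to forward packets between the two NICs. This is the registry key
# referred to earlier in the thread; it only takes effect after a reboot.
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" -Name IPEnableRouter -Value 1 -Type DWord

# Verify there is exactly one default route and that it points at 10.0.0.2 via the external NIC.
route print -4 | Select-String "^\s+0\.0\.0\.0"

# From the host, both neighbours should answer before any client is touched.
ping -n 2 10.0.0.2          # the router
ping -n 2 192.168.38.1      # any LAN host; assumed address
```

Forwarding alone does not get the LAN onto the Internet: a client at 192.168.38.x sends to 10.0.0.2 via the server, but the router has no route back to 192.168.38.0/24, so the reply is dropped. Either the server hides the LAN behind 10.0.0.10 (NAT in Routing and Remote Access, which is the piece the original poster suspects is missing), or the router gets a static route for 192.168.38.0/24 with next hop 10.0.0.10. Once TMG is running in the VM it owns both of these networks instead, and the host should no longer be the path between them.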
 
Hmmm. Personally I would rather get an old PC, slap Linux on it and make that the "firewall" and just have the Wind00s server do the DHCP etc etc. From what I remember, and this is going back some time, Wind00s server will not route traffic unless it is configured for NAT or it has some sort of ISA/Proxy/TMG installed and configured on it. Even if your routing works fine on the server itself it will not route traffic received on one NIC over to another without ISA/Proxy/TMG. What you can do is put 3 NICs into the server. Install TMG in a VM and configure two of the NICs to belong to the VM, one internal and one external. Then configure the 3rd NIC to be used by the physical server. Make the default gateway of the server's own NIC and all client NICs point to the VM's internal NIC.

That should work.
 