Server with two Network Adapters, one on WAN side and a second on LAN side

Question

Wednesday, June 9, 2010 4:47 PM

Hello,

Our LAN (including Win XP SP3 workstations) isn't connected to the Web, but I would like one (or several) server(s) (Win 2003R2 SP2) to be connected to the Internet while also connected to the LAN.

If a server has two Network Adapters, is it possible to connect one adapter to a router (WAN side) and the second one to a switch (LAN side), so that the server can communicate correctly with both networks?

I don't want to use this server as a router (or Internet sharing); I only want to allow this server to do some online updates (console antivirus, WSUS...), without having to connect the LAN to the Internet.

The infrastructure will include a DSL Access plugged to a router (192.168.1.254), the router will be connected to the first Network Adapter of the server (192.168.1.1), the second Network Adapter of the server (192.168.1.2) will be connected to the switch (192.168.1.3-253).

In this case, if the server is a Domain Controller (AD, DNS, DHCP), is it correct to use the router IP address (192.168.1.254) as Default Gateway, while the LAN workstations won't have access to the router?

Thanks a lot for your help and your advice,
Christopher


All replies (9)

Wednesday, June 9, 2010 6:37 PM ✅Answered

Christopher,


Yes, you can have two LAN adapters, one for the WAN and one for the LAN using RRAS. However, I DO NOT recommend connecting your DC directly to the Internet. I would keep it behind a hardware firewall. Reason being is that one small configuration error could expose your server and your entire LAN to a malicious attack.

If you want to achieve your goal of granting your DC Internet access while eliminating WS's from accessing the Internet, there are routers that have packet filter with rules that allow you to pick and choose which hosts on your LAN subnet will have access to what.

Sonicwall TZ-200 is one example and it's relatively inexpensive.


Miguel

Miguel Fra / Falcon ITS
Computer & Network Support, Miami, FL
Visit our Knowledgebase Sharepoint Site


Wednesday, June 9, 2010 7:09 PM ✅Answered

A slight modification to your design.

Router (192.168.1.254) --> (192.168.1.1) [Server NIC 1-Server NIC 2] (192.168.2.1) --> Switch <-- (192.168.2.x) Workstations.

If you do NOT want to provide the workstations with access to the internet, do NOT provide them with a default gateway address, and do NOT enable RRAS on the server.

The Server's default gateway is going to be the router (192.168.1.254).

Visit: anITKB.com, an IT Knowledge Base.


Thursday, June 10, 2010 3:07 AM ✅Answered | 1 vote

Hello,

Our LAN (including Win XP SP3 workstations) isn't connected to the Web, but I would like one (or several) server(s) (Win 2003R2 SP2) to be connected to the Internet while also connected to the LAN.

If a server has two Network Adapters, is it possible to connect one adapter to a router (WAN side) and the second one to a switch (LAN side), so that the server can communicate correctly with both networks?

I don't want to use this server as a router (or Internet sharing); I only want to allow this server to do some online updates (console antivirus, WSUS...), without having to connect the LAN to the Internet.

The infrastructure will include a DSL Access plugged to a router (192.168.1.254), the router will be connected to the first Network Adapter of the server (192.168.1.1), the second Network Adapter of the server (192.168.1.2) will be connected to the switch (192.168.1.3-253).

In this case, if the server is a Domain Controller (AD, DNS, DHCP), is it correct to use the router IP address (192.168.1.254) as Default Gateway, while the LAN workstations won't have access to the router?

Thanks a lot for your help and your advice,
Christopher


Hi chrbar,

In general with member servers, it's no problem to connect to two interfaces, but you will want to disable registration and NetBIOS, and File & Print Services on the outside interface. In the Network Connections window, you will also want to make sure the internal interface is at the top of the binding order.

However, with a DC, this can be problematic. This is due to the DC's Netlogon service registering necessary records in DNS so clients and other DCs can find DCs. The Netlogon service registration process is independent of the operating system's registration process, so simply unchecking registration in the outside interface properties will not stop the outside interface from registering its IP in DNS. This requires more alterations on the DC.

For more specific information on what happens when multihoming a DC, the implications, and how to alter a DC to stop registration, I've written a blog on multihomed DCs. I actually do NOT suggest making these alterations, and simply suggest to single home a DC (or team the NICs), and leave it on the internal network to let it do its job. However, if you feel you need it multihomed, please read more on it...

Multihomed DCs with DNS, RRAS, multiple IPs, and/or PPPoE adapters (Applies to Windows 2000, 2003, 2003 R2, 2008 and 2008 R2)
http://msmvps.com/blogs/acefekay/archive/2009/08/17/multihomed-dcs-with-dns-rras-and-or-pppoe-adapters.aspx

I hope you find this helpful.

Ace

Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003, Microsoft Certified Trainer, Microsoft MVP - Directory Services. This posting is provided AS-IS with no warranties or guarantees and confers no rights.


Monday, July 12, 2010 4:42 AM ✅Answered | 1 vote

Hi Christopher,

I'll see if I can help.

First, the blog is about multihomed DCs. It appears you are trying to multihome your WSUS server, which is not a DC, nor does it run DNS, so that's a good thing when it comes to controlling DNS registration. Therefore, there are numerous steps in my blog that can be skipped because of this reason.

As for the WSUS NIC configs:

My WSUS server is Domain member and has two NICs.
My objective is to connect the first one to the LAN (to communicate with the other workstations and servers) and to connect the second one to my router to be able to update the WSUS database.

The router IP Address is 192.168.3.1 (and it's configured with the ISP information).

On the WSUS server, I named the first NIC "LAN" (connected to the Switch) with the values:
IP Address: 192.168.3.208
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.3.1
DNS Server: 192.168.3.200
WINS Server: 192.168.3.200

and I named the second NIC "WAN" (connected to the Router) with the values:
IP Address: 192.168.3.209
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.3.1
DNS Server: 192.168.3.200
WINS Server:

Keeping in mind that no other machine on the network has access to the internet, your WSUS server needs to be able to resolve external records in order to pull Updates from Microsoft's site. However, with what you have going on, this won't work, because you now have two networks, one between the server and the router, and the internal network. Therefore, you must create a whole new subnet, either for the internal network or the network between the WSUS server and the router. From looking at it, it would be much easier to configure the network between the server and the router, since you are only changing two hosts, and not all the internal machines.

So my suggestion is to re-configure the NICs and create a new subnet between the server and the router:

LAN
IP Address: 192.168.3.208
Subnet Mask: 255.255.255.0
Default Gateway: There should be no gateway on the internal interface, otherwise it constitutes multiple gateways and creates havoc with the routing tables and it won't work.
DNS Server: 192.168.3.200
WINS Server: 192.168.3.200

"WAN" (connected to the Router):
IP Address: 192.168.2.209
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.2.1
DNS Server: You would need to put your ISP's address on this interface otherwise you can't resolve internet names because the internal DNS server, your DC, does not have access to the internet.
WINS Server: leave blank

Also for the WAN interface and other configuration changes:

  • Disable NetBIOS in NIC, IP properties, Advanced, WINS tab
  • Uncheck File & Print Service
  • In IP properties, Advanced, DNS tab, uncheck "Register this connection..."
  • Then go to Network Connections window (where the NICs are listed), click on the Advanced menu item, and then click on Advanced under it. This is your binding order. Make sure the WAN interface is at the bottom of the binding order, and the LAN interface is at the top. This way by default, the machine first tries the internal interface when trying to communicate.
  • You will have to change the internal IP of the router from 192.168.3.1 to 192.168.2.1

That's pretty much it.

Curious, any reason you are not providing access to the whole network? Security possibly?

Ace

Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003, Microsoft Certified Trainer, Microsoft MVP - Directory Services. This posting is provided AS-IS with no warranties or guarantees and confers no rights.
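The layout Ace describes (two NICs on different subnets, a default gateway only on the WAN side, internal DNS only on the LAN side, no DNS registration or NetBIOS on the WAN NIC) can be audited from the server itself. The script below is an added example, not from the thread or from Ace's blog; it assumes the connection names "LAN" and "WAN" that Christopher used, and reads the settings through the Win32_NetworkAdapter / Win32_NetworkAdapterConfiguration WMI classes, which exist on Windows Server 2003.

```powershell
# Added audit script (not part of the original thread). Assumes the NICs are
# named "LAN" and "WAN" in Network Connections and that WMI is available.
$lanName = 'LAN'
$wanName = 'WAN'

function Get-NicConfig($connectionName) {
    # Win32_NetworkAdapter carries the friendly connection name; the IP
    # settings live in Win32_NetworkAdapterConfiguration, joined on Index.
    $adapter = Get-WmiObject Win32_NetworkAdapter |
        Where-Object { $_.NetConnectionID -eq $connectionName }
    if (-not $adapter) { throw "No adapter named '$connectionName'" }
    Get-WmiObject Win32_NetworkAdapterConfiguration |
        Where-Object { $_.Index -eq $adapter.Index }
}

function Get-NetworkId($ip, $mask) {
    # Address AND mask gives the subnet the NIC lives on (e.g. 192.168.3.0).
    $ipBytes   = ([System.Net.IPAddress]$ip).GetAddressBytes()
    $maskBytes = ([System.Net.IPAddress]$mask).GetAddressBytes()
    $net = @()
    for ($i = 0; $i -lt 4; $i++) { $net += ($ipBytes[$i] -band $maskBytes[$i]) }
    return ($net -join '.')
}

$lan = Get-NicConfig $lanName
$wan = Get-NicConfig $wanName
$findings = @()

# 1. The two NICs must sit on different subnets (both in 192.168.3.0/24 was the
#    original problem: the server cannot tell which NIC leads to the router).
$lanNet = Get-NetworkId $lan.IPAddress[0] $lan.IPSubnet[0]
$wanNet = Get-NetworkId $wan.IPAddress[0] $wan.IPSubnet[0]
if ($lanNet -eq $wanNet) { $findings += "LAN and WAN NICs share subnet $lanNet; re-address one side." }

# 2. Exactly one default gateway, and it belongs on the WAN NIC.
if ($lan.DefaultIPGateway)     { $findings += 'LAN NIC has a default gateway; remove it.' }
if (-not $wan.DefaultIPGateway) { $findings += 'WAN NIC has no default gateway.' }

# 3. The WAN NIC must neither register in DNS nor run NetBIOS (2 = disabled).
if ($wan.FullDNSRegistrationEnabled) { $findings += 'WAN NIC still registers its address in DNS.' }
if ($wan.TcpipNetbiosOptions -ne 2)  { $findings += 'NetBIOS over TCP/IP still enabled on WAN NIC.' }

# 4. The internal DNS server (the DC) belongs on the LAN NIC only; it cannot
#    resolve Internet names, so the WAN NIC needs the ISP resolver instead.
if ($lan.DNSServerSearchOrder -and ($wan.DNSServerSearchOrder -contains $lan.DNSServerSearchOrder[0])) {
    $findings += 'WAN NIC points at the internal DNS server; use the ISP resolver there.'
}

if ($findings.Count -eq 0) { 'Multihomed configuration matches the recommended layout.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

The checks only report; the corresponding WMI setters (SetDynamicDNSRegistration, SetTcpipNetbios, SetGateways) or the GUI steps in Ace's list are still used to apply the changes.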


Sunday, June 13, 2010 11:32 PM

Thanks all for your advice.
Ace, I've a question about your process...

Ace, I saw how to disable NetBIOS or "File and Printer Sharing", and modify the binding order... but I don't know about "disable registration" when you say "disable registration and NetBIOS" about the outside interface.
Could you tell how to do that?

Thanks a lot!

In general with member servers, it's no problem to connect to two interfaces, but you will want to disable registration and NetBIOS, and File & Print Services on the outside interface. In the Network Connections window, you will also want to make sure the internal interface is at the top of the binding order.


Monday, June 14, 2010 3:50 AM | 1 vote

Thanks all for your advice.
Ace, I've a question about your process...

Ace, I saw how to disable NetBIOS or "File and Printer Sharing", and modify the binding order... but I don't know about "disable registration" when you say "disable registration and NetBIOS" about the outside interface.
Could you tell how to do that?

Thanks a lot!

In general with member servers, it's no problem to connect to two interfaces, but you will want to disable registration and NetBIOS, and File & Print Services on the outside interface. In the Network Connections window, you will also want to make sure the internal interface is at the top of the binding order.

Hi chrbar,

The specific steps are in Step #3 of my blog. Have you had a chance to review the steps? Here's step #3:

3. Disable the ability for the outer NIC to register. The procedure, as mentioned, involves identifying the outer NIC’s GUID number. The following link will show you how:

246804 - How to Enable-Disable Windows 2000 Dynamic DNS Registrations (per NIC too):
http://support.microsoft.com/?id=246804

If you have any other questions, post back.

Ace

Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003, Microsoft Certified Trainer, Microsoft MVP - Directory Services. This posting is provided AS-IS with no warranties or guarantees and confers no rights.


Sunday, July 11, 2010 6:58 PM

Hello Ace,

I'm having some difficulties with this problem.
I've tried to follow the steps but I'm doing something wrong and I don't know what.
Could you help me to resolve this issue?

I give you more information below.
Thanks a lot for your help.

All Workstations run Windows XP Pro SP3.
All servers run Windows Server 2003R2 SP2.

The Workstations and the Domain Controller (AD, DNS, DHCP) have only one NIC which is connected to a Switch.
They communicate together correctly and this LAN is not connected to Internet.

My WSUS server is Domain member and has two NICs.
My objective is to connect the first one to the LAN (to communicate with the other workstations and servers) and to connect the second one to my router to be able to update the WSUS database.

The router IP Address is 192.168.3.1 (and it's configured with the ISP information).

On the WSUS server, I named the first NIC "LAN" (connected to the Switch) with the values:
IP Address: 192.168.3.208
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.3.1
DNS Server: 192.168.3.200
WINS Server: 192.168.3.200

and I named the second NIC "WAN" (connected to the Router) with the values:
IP Address: 192.168.3.209
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.3.1
DNS Server: 192.168.3.200
WINS Server:

On the "WAN" NIC (the outside interface),

1/ I've disabled File & Print Services by unchecking the "File and Printer Sharing for Microsoft Network".

2/ I've disabled NetBIOS Services (under IP properties, Advanced settings, “WINS” tab).

3/ I've disabled DNS registration by adding the keys below (http://support.microsoft.com/kb/246804/en-us):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableDynamicUpdate(value:1)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\RegistrationEnabled(value:0)

4/ I've checked the binding order to be sure that the "WAN" NIC was in second position (under the "LAN" NIC).

But the WSUS server can't go on Internet (via the "WAN" NIC), when the "LAN" NIC is up (it's correct when "LAN" NIC is disabled).

I've tried to add some steps from your "Multihomed DCs" process:

I've disabled the “MS Client Service” on the outer NIC (step #5).

I've unchecked “Register this connection” under IP properties, Advanced settings, “DNS” tab (step #6).

I've checked that all the NICs only point to your internal DNS server (step #1), but I think this step is more for a DC than for a server Domain Member.

But the result is the same: the WSUS server can't go on the Internet when the "LAN" NIC is up.
There is something that I do wrong but I don't see what... could it be the Default Gateway or the DNS settings on the DC?

Thanks a lot,
Christopher



Saturday, August 7, 2010 10:45 PM

Thanks a lot Ace for this information and your help, I'll try it...


Sunday, August 8, 2010 6:01 PM

Thanks a lot Ace for this information and your help, I'll try it...

You are welcome. :-)

Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003, Microsoft Certified Trainer, Microsoft MVP - Directory Services. This posting is provided AS-IS with no warranties or guarantees and confers no rights.