I have 2 physical servers on my domain: 1 that is a Hyper-V server containing the 4 servers with 2 PDCs for the domain, hosting AD, DNS and DHCP, on a trusted A-class network 10.0.0.1/24, and a webserver that has 2 NICs - one static of 10.0.0.75 that is
on the trusted network (from my router), and the other static of 10.0.1.80 directly linked to the Optional port of my Watchguard router. DNS/DHCP servers are both on the 10.0.0.1/24 subnet.
I am trying to create a public web server on the 10.0.1.1/24 subnet ported to the 10.0.1.80 IIS 7.5 server. I use mydnsdns.org as my name server for resolution to my domain and Comcast is my ISP provider. Currently I have DNS forwarders listed as the two
internal DNS servers and also the 2 mydynsdns.org servers but not Comcast. Firewall policies have static external requests for ports 21 and 80 going to 10.0.1.80 (again this is a dual-homed server, 10.0.0.75 is the port listening in on domain traffic) so
10.0.1.80 comes up as public.
I'm a little confused how to get incoming requests from the optional port (80 or FTP 21) to point to 10.0.1.80. External pings to port 80 say the port is open, but I get a time out. Do I need to setup RRAS server as well on this web server. DNS? Am
I missing something? Windows firewall allows all incoming/outgoing traffic from both 21 and 80.
I'd attach a PDF of my network config but have no clue how this works here...
DHCP and static servers are set to the subnet of 10.0.0.1/24 with a netmask of 255.255.255.0 (10.0.0.1 = watchguard firewall device). The public web server has 2 nics, 10.0.1.80 and 10.0.0.75.
If I bind IIS 7.5 Website on 10.0.1.80, I get time-outs because it's on a separate subnet. So how do I map the incoming requests from optional network to my website? Should I create a DNS config on this public-facing server? And if so, how does that resolve
to my internal DNS servers?
From what I gather you have a WatchGuard router with 3 interfaces; WAN - Public IP, LAN - 10.0.0.0/24, DMZ - 10.0.1.0/24. What you need to do is use your WatchGuard router as a router. Here is an example:
1st Domain Controller Interface
LAN IP Address: 10.0.0.101
Subnet Mask: 255.255.255.0
Default Gateway: 10.0.0.1 (WatchGuard Router)
DNS: 10.0.0.101
2st Domain Controller Interface
LAN IP Address: 10.0.0.102
Subnet Mask: 255.255.255.0
Default Gateway: 10.0.0.1 (WatchGuard Router)
DNS: 10.0.0.102
Web Server Interface
DMZ IP Address: 10.0.1.80
Subnet Mask: 255.255.255.0
Default Gateway: 10.0.1.1 (WatchGuard Router)
DNS: 10.0.0.101 (1st Domain Controller)
DNS: 10.0.0.102 (2nd Domain Controller)
Next configure access rules in your WatchGuard Router/Firewall to allow the LAN to communicate to the DMZ and another rule for the DMZ to communicate to the LAN.
Next configure access rules in your WatchGuard Router/Firewall to allow the LAN and DMZ to access the WAN.
Next configure publishing (NAT\Port Forwarding) rules that route WAN requests to your web server (10.0.1.80) for ports 80(HTTP) and 21(FTP)
Next configure your WatchGuard Router/Firewall to act as a DHCP server for the LAN specifying the DNS servers as 10.0.0.101 and 10.0.0.102 (Domain Controllers), unless you are PXE booting workstations, but I am going to guess not.
Also do not use DNS forwarders on your Active Directory Domain Controllers, the stock built-in root name servers will work just fine.
Lastly I am also going to guess your WAN interface is obtaining a dynamic IP address because you pointed out mydynsdns.org if your WatchGuard firewall has the ability to update the dns record when your WAN IP changes great set it there, if not I recommend
getting DirectUpdate from http://www.directupdate.net and install it on your webserver, this application will pull your WAN IP and in the event it changes and can connect to mydyndns.org and update your dns records
for your web site automatically.
Best of luck,
Marked as answer by oisin53 on Apr 26, 2012 08:20 PM
Thanks for the reply, Nathan. I did have most of your suggestions already as policies on the Watchguard firewall, and external users could see the sites just not internal. I had to change the bindings on the site and add a couple DNS entries and then,
voila, works. Also corrected the netmasks on 2 wireless firewalls that were connected to the switches -- not sure if that made a difference but didn't need a 255.0.0.0 address range.
oisin53
5 Posts
Issues with dual-homed server with subnets
Apr 25, 2012 05:25 PM|LINK
I have 2 physical servers on my domain: 1 that is a Hyper-V server containing the 4 servers with 2 PDCs for the domain, hosting AD, DNS and DHCP, on a trusted A-class network 10.0.0.1/24, and a webserver that has 2 NICs - one static of 10.0.0.75 that is on the trusted network (from my router), and the other static of 10.0.1.80 directly linked to the Optional port of my Watchguard router. DNS/DHCP servers are both on the 10.0.0.1/24 subnet.
I am trying to create a public web server on the 10.0.1.1/24 subnet ported to the 10.0.1.80 IIS 7.5 server. I use mydnsdns.org as my name server for resolution to my domain and Comcast is my ISP provider. Currently I have DNS forwarders listed as the two internal DNS servers and also the 2 mydynsdns.org servers but not Comcast. Firewall policies have static external requests for ports 21 and 80 going to 10.0.1.80 (again this is a dual-homed server, 10.0.0.75 is the port listening in on domain traffic) so 10.0.1.80 comes up as public.
I'm a little confused how to get incoming requests from the optional port (80 or FTP 21) to point to 10.0.1.80. External pings to port 80 say the port is open, but I get a time out. Do I need to setup RRAS server as well on this web server. DNS? Am I missing something? Windows firewall allows all incoming/outgoing traffic from both 21 and 80.
I'd attach a PDF of my network config but have no clue how this works here...
DHCP and static servers are set to the subnet of 10.0.0.1/24 with a netmask of 255.255.255.0 (10.0.0.1 = watchguard firewall device). The public web server has 2 nics, 10.0.1.80 and 10.0.0.75.
If I bind IIS 7.5 Website on 10.0.1.80, I get time-outs because it's on a separate subnet. So how do I map the incoming requests from optional network to my website? Should I create a DNS config on this public-facing server? And if so, how does that resolve to my internal DNS servers?
Thanks,
Tom
nathanstorms
1 Post
Re: Issues with dual-homed server with subnets
Apr 26, 2012 04:04 AM|LINK
Hello Tom,
From what I gather you have a WatchGuard router with 3 interfaces; WAN - Public IP, LAN - 10.0.0.0/24, DMZ - 10.0.1.0/24. What you need to do is use your WatchGuard router as a router. Here is an example:
Hyper-V Host Management Interface
LAN IP Address: 10.0.0.100
Subnet Mask: 255.255.255.0
Default Gateway: 10.0.0.1 (WatchGuard Router)
DNS: 10.0.0.101 (1st Domain Controller)
DNS: 10.0.0.102 (2nd Domain Controller)
1st Domain Controller Interface
LAN IP Address: 10.0.0.101
Subnet Mask: 255.255.255.0
Default Gateway: 10.0.0.1 (WatchGuard Router)
DNS: 10.0.0.101
2st Domain Controller Interface
LAN IP Address: 10.0.0.102
Subnet Mask: 255.255.255.0
Default Gateway: 10.0.0.1 (WatchGuard Router)
DNS: 10.0.0.102
Web Server Interface
DMZ IP Address: 10.0.1.80
Subnet Mask: 255.255.255.0
Default Gateway: 10.0.1.1 (WatchGuard Router)
DNS: 10.0.0.101 (1st Domain Controller)
DNS: 10.0.0.102 (2nd Domain Controller)
Next configure access rules in your WatchGuard Router/Firewall to allow the LAN to communicate to the DMZ and another rule for the DMZ to communicate to the LAN.
Next configure access rules in your WatchGuard Router/Firewall to allow the LAN and DMZ to access the WAN.
Next configure publishing (NAT\Port Forwarding) rules that route WAN requests to your web server (10.0.1.80) for ports 80(HTTP) and 21(FTP)
Next configure your WatchGuard Router/Firewall to act as a DHCP server for the LAN specifying the DNS servers as 10.0.0.101 and 10.0.0.102 (Domain Controllers), unless you are PXE booting workstations, but I am going to guess not.
Also do not use DNS forwarders on your Active Directory Domain Controllers, the stock built-in root name servers will work just fine.
Lastly I am also going to guess your WAN interface is obtaining a dynamic IP address because you pointed out mydynsdns.org if your WatchGuard firewall has the ability to update the dns record when your WAN IP changes great set it there, if not I recommend getting DirectUpdate from http://www.directupdate.net and install it on your webserver, this application will pull your WAN IP and in the event it changes and can connect to mydyndns.org and update your dns records for your web site automatically.
Best of luck,
oisin53
5 Posts
Re: Issues with dual-homed server with subnets
Apr 26, 2012 09:33 PM|LINK
Thanks for the reply, Nathan. I did have most of your suggestions already as policies on the Watchguard firewall, and external users could see the sites just not internal. I had to change the bindings on the site and add a couple DNS entries and then, voila, works. Also corrected the netmasks on 2 wireless firewalls that were connected to the switches -- not sure if that made a difference but didn't need a 255.0.0.0 address range.
Best,
Tom