Re: Routing between subnets with a twist
- From: Joe <joe@xxxxxxxxxxxxxx>
- Date: Tue, 27 May 2008 22:28:14 +0100
Ryan wrote:
> Right now I have a DHCP server set up on my SBS 2003 (SP2) machine.

It's not clear how you're connecting these subnets, where the Internet router is, and whether you're using the conventional SBS-as-firewall two-NIC configuration. The traditional way would be to have the Internet-using machines on the SBS 'LAN' NIC with the other NIC on a different network shared only with the router, then the isolated network connected to the LAN network via a separate router.

> It doles out our dns servers, gateway and time server to a 10.0.0.x
> subnet.
>
> The problem here is I probably have 20 machines that have no business
> being on the internet. So I want to toss them on a separate subnet
> for this and some other reasons. But if I set these machines'
> gateways to 10.0.1.1 and have RRAS properly configured and the
> gateway on the SBS 2003 machine is set to 10.0.0.1 (internet gateway)
> on both NIC interfaces they'll still have internet access, right? And
> even if I set the GW on the 10.0.0.x NIC up, but not on the 10.0.1.x
> NIC, they'll still find their way to the internet because of the
> routing, I'm assuming.
>
> How can I prevent one subnet from getting to the internet? This
> second subnet will NOT be on a DHCP configuration, because the
> machines in it hook up to analytical equipment that is picky about the
> IP ranges they use. But I need the machines to be able to interact
> with machines on the 10.0.0.x subnet.
>
> Does that make sense?
>
> In short: 10.0.0.x - Internet OK
> 10.0.1.x - No internet but talk to 10.0.0.x
>
> I could probably do this with a group policy by adding a separate OU
> and putting those machines in it with no gateway address in a GPO,
> but for those that need a gateway address, if I ever have to change it
> there's that 22-23 hour lag before the GPO auto updates that would be
> troublesome.
What I suspect you're hoping for is to use the SBS single-NIC, with LAN machines and router all on the same network, and to use the second SBS NIC as the gateway to the isolated network. I have a feeling that would work on Server 2003 but not on SBS, as placing the Internet gateway on the LAN network implies single-NIC, and the wizards are unlikely to cooperate in the use of a second one. I could be wrong there.
However you end up arranging the topology, the answer is to set static routes on the isolated machines, telling them where to find the gateway to the LAN, but not setting a default gateway for them. They won't know that there's a way out to the Internet via their static route, only a default gateway setting would tell them that. Also, unless you tell the Internet router where to find the isolated network, no replies will get back to it. Only the SBS LAN machines need to have routes configured to that network, as you describe things.
I'd also make my usual suggestion of *not* subnetting the 10.0.0.0/255.0.0.0 network, especially if older network-aware software is involved. There are many other private ranges to choose from.
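Joe's two points, that a static route to the LAN without a default gateway leaves the isolated machines no path to the Internet, and that the Internet router needs a route back to 10.0.1.0/24 before any reply can return, can be checked with a small longest-prefix-match simulation. This is an added example, not code from the thread; the routing tables, the SBS LAN-side address 10.0.0.2 and the destination 8.8.8.8 are constructed assumptions.

```python
import ipaddress

# Constructed routing tables for the three kinds of host in the thread:
# an isolated 10.0.1.x machine, a 10.0.0.x LAN machine, and the Internet
# router at 10.0.0.1. The SBS LAN-side address 10.0.0.2 is an assumption.
ISOLATED_HOST = [
    ("10.0.1.0/24", "direct"),    # its own network
    ("10.0.0.0/24", "10.0.1.1"),  # static route to the LAN via the SBS second NIC
    # deliberately no 0.0.0.0/0 entry: no default gateway is configured
]
LAN_HOST = [
    ("10.0.0.0/24", "direct"),
    ("10.0.1.0/24", "10.0.0.2"),  # route back to the isolated network (assumed SBS address)
    ("0.0.0.0/0", "10.0.0.1"),    # default gateway = Internet router
]
# Router as it presumably is today: it knows nothing about 10.0.1.0/24,
# so replies for that network follow its default route upstream and are lost.
ROUTER_NO_RETURN_ROUTE = [
    ("10.0.0.0/24", "direct"),
    ("0.0.0.0/0", "upstream"),
]
# Router after adding the return route Joe mentions.
ROUTER_WITH_RETURN_ROUTE = ROUTER_NO_RETURN_ROUTE + [("10.0.1.0/24", "10.0.0.2")]


def next_hop(table, dst):
    """Longest-prefix match, as every host's IP stack performs it.
    Returns the next hop, or None when no entry matches (unreachable)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def round_trip_ok(sender, dst, replier, src):
    """True only if the sender can forward toward dst AND the replier has a
    usable route back to src. A reply sent 'upstream' for a private address
    is treated as lost, which is the failure Joe warns about."""
    forward = next_hop(sender, dst)
    back = next_hop(replier, src)
    return forward is not None and back not in (None, "upstream")


if __name__ == "__main__":
    print("isolated -> LAN host:", next_hop(ISOLATED_HOST, "10.0.0.50"))
    print("isolated -> Internet:", next_hop(ISOLATED_HOST, "8.8.8.8"))
    print("router reply to 10.0.1.20:", next_hop(ROUTER_NO_RETURN_ROUTE, "10.0.1.20"))
```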