
As some of you may be aware, I'm currently involved in an on-going saga in getting our servers up and running. As pretty much a newb, I'm slowly making progress, but I've hit a stumbling block.

Here's a bit more about us: We're a website. We've grown too big for our server and hit the ceiling our lowly PowerEdge can handle. For a solution we're adding two servers: One as a Firewall/Router/VPN and one as a Web Application server. The original will be altered to become a DB server.

All three boxes are running Windows Server 2008 R2 and I'm using RRAS to configure it all. All three boxes are DIRECTLY connected (there are no hardware hubs, switches or routers).

This diagram hopefully gives a clearer idea of what I'm talking about (even though it's pretty vague).


The IP addresses are the static IPs I'm configuring for each network adapter.

Focussing on the "left-hand leg" (10.0.1.1 to 10.0.2.1), we currently have the following setup:

FIREWALL/ROUTER

For the adapter facing the Web App server (10.0.1.1):

  • IP: 10.0.1.1
  • Subnet: 255.255.255.0
  • Default gateway: (blank)

WEB APPLICATION SERVER

For the adapter facing the Firewall/Router (10.0.2.1):

  • IP: 10.0.2.1
  • Subnet: 255.255.255.0
  • Default gateway: 10.0.1.1

What's odd is that the Web Application server thinks that the connection is an identified network and thus I've been able to set it to Private Network (Work), but on the Firewall/Router it classes the connection to the Web Application server as unidentified Public.

Why would it do this? How can I fix it? What should I put in the (blank) space?

Thankfully the Web Application server is able to get an internet connection through RRAS's NAT on the Firewall/Router, so things appear to be configured correctly so far. Am I going about this the right way?

Thanks for any help or pointers.

UPDATE

Thanks to advice from Massimo and Sim, we've decided to get a switch. Now our configuration looks more like this...


Thanks again, folks. This has been (and will continue to be) a real learning experience.

Django Reinhardt
  • What is **10.0.100.2** in your diagram? Does the firewall have two internal interfaces, or two internal IP addresses on the same one? – Massimo Nov 25 '09 at 19:54
  • Thanks for helping, Massimo, you rock! It has two internal interfaces (so three in total). – Django Reinhardt Nov 25 '09 at 19:56
  • It shouldn't. Why is it this way? – Massimo Nov 25 '09 at 19:56
  • ? I'm confused. Why shouldn't it have two internal interfaces? It's a router :-/ – Django Reinhardt Nov 25 '09 at 19:59
  • To possibly pre-empt your next question: We need to be able to administer the database from a remote IP. – Django Reinhardt Nov 25 '09 at 20:01
  • It should have an internal interface with an internal private IP address (which should be used by internal computers as their default gateway), and it should have an external interface with an external public IP address. But why that **second** internal address? – Massimo Nov 25 '09 at 20:08
  • Are you saying that two different network adapters can have the same IP address? If so, I didn't realise. I shall fix it ASAP. – Django Reinhardt Nov 25 '09 at 20:11
  • Hmmm. Windows will not allow two network adapters to be enabled at the same time with the same IP address. Does that answer your question? :-/ – Django Reinhardt Nov 25 '09 at 20:16
  • This is twisting my brain. It has two internal interfaces... how else could this be physically set up? With two interfaces comes two IP addresses (Windows kicks up a big fuss if I try to give them the same IP address). So I'm forced to give them two... What am I doing wrong? – Django Reinhardt Nov 25 '09 at 20:21
  • I still don't understand why you are using two internal network interfaces. Why exactly do you think one is not enough? Why two of them? – Massimo Nov 25 '09 at 21:36
  • There is obviously some sort of a communication problem here. We're talking physical connections, right? There are two ethernet ports. One goes to the Web Application server, the other goes to the Database server. In Windows Server these are shown under Network Connections. In order to give them Static IPs I have changed their TCP/IPv4 settings. The plan is to VPN (SSTP) to the Firewall/Router server and then Remote Desktop to each of the machines as necessary (and also open ports to the VPN as necessary). Does this go any way to explaining what's going on and why? – Django Reinhardt Nov 25 '09 at 22:01
  • @Django Reinhardt Are you saying there is no intermediary networking equipment like switches involved and that everything is directly connected together? – Sim Nov 26 '09 at 02:46
  • @Sim Yep, that is correct. – Django Reinhardt Nov 26 '09 at 09:25
  • This is going to be a pain to manage. Why don't you get a simple 4/8 port switch to tie your network together? – Massimo Nov 26 '09 at 10:03
  • Simple answer... We don't have the space in the server cabinet we rent. It might be a pain to manage, but once it's set-up we'll be good to go. – Django Reinhardt Nov 26 '09 at 11:26
  • Well it might be good to go now for you but will it be ok in 6 months or a year for someone else? – Sim Nov 26 '09 at 12:54
  • The problem is, in this scenario each internal server (web and database) is going to have two network interfaces, and would need to use the firewall's interface it is connected to as its default gateway; the firewall should also be configured to do routing for *both* internal interfaces. It's not a pain, it's a **royal** pain. And may God help you if you ever need to connect a third server... – Massimo Nov 26 '09 at 12:55
  • Good points Massimo. Not to mention that if you lose a NIC the whole thing falls over. Dual NICs in servers are normally used for redundancy and more bandwidth. Does Dell have teaming software for the PowerEdge? – Sim Nov 26 '09 at 13:18
  • @Django Reinhardt - when you say that the PowerEdge *hit the ceiling* what was the limitation - CPU, Memory, I/O? – Sim Nov 26 '09 at 13:21
  • @Massimo I see what you're saying now, it's an extremely short-sighted architecture, but unfortunately it's one born out of necessity. A cheap switch wouldn't be able to handle the amount of throughput required and we don't have the money for an enterprise model or even another 1U of space. At the moment, apart from the problem stated in this Question, everything is now configured correctly and pretty much working exactly as planned. – Django Reinhardt Nov 26 '09 at 13:40
  • @Sim CPU and RAM (and probably I/O, too). Plus we're expecting a huge amount of growth in the coming months. Adding more RAM/CPU is not a sensible option. The site needs to be able to comfortably handle multiples of our current userbase AND improve the speed it's currently running at. With the planned set-up there will be a caching layer on the Web App server to help with this. – Django Reinhardt Nov 26 '09 at 13:43
  • @Django: "A cheap switch wouldn't be able to handle the amount of throughput required" What kind of throughput are you needing? Greater than 1Gb? A Procurve 1800-8G would do nicely if 1Gb is enough for you. It has nice features, a web management interface and it's around $150. You didn't hear this from me, but you could dangle it behind the servers if you really had to. =) – Wesley Nov 26 '09 at 16:59
  • I absolutely agree. And I must add I think even 100 Mbit would be more than enough for 99% of web applications. The kind of web apps which could need 1 GBit throughput to their database wouldn't fit on a single server. – Massimo Nov 26 '09 at 17:18
  • Haha! Thanks for that, Nonapeptide. It's not just raw throughput (even though that's what I said), but the number of concurrent connections, surely? – Django Reinhardt Nov 26 '09 at 18:41
  • @DJango: I know this conversation is straying far from your original question, but permit me to take it just a bit further. Concurrent connections aren't going to be an issue for the switch. The unique concurrent connections will be to the front end RRAS server. The server's internal interfaces would be connected to the switch where there would be no concurrent connection problem. It would simply be a matter of raw throughput, PPS, backplane bandwidth and MAC address table limits, all of which will not come anywhere near being maxed out even on the 1800-8g. – Wesley Nov 26 '09 at 19:07
  • Hmm. I'm really coming around to this Switch idea. I wonder if we could stretch to it? – Django Reinhardt Nov 27 '09 at 09:34
  • Nonapeptide... Do you think the Procurve 1400-8g would do us? It's exactly the same as the 1800-8g except it's UNMANAGED. That's the only difference, but I suppose it's quite a big one. How much control will we need? We're not going to want to set-up multiple networks, turn off ports, etc. Any thoughts? – Django Reinhardt Nov 27 '09 at 21:04
  • I personally think any 100 MBit switch will be enough for your needs; anyway, if you *really* think you will need a **great** throughput, just take the simplest GBit switch you can find. You don't need a managed one, because you only have three servers, so you definitely aren't going to need VLANs. Obviously, if you can get a managed switch, it *could* get useful in the future... but for now, if you are on a budget, I think you just don't need to worry at all about network equipment. Just get something that can get you going. – Massimo Nov 28 '09 at 05:15
  • I did a bit of research into switches and it seems that reliability and latency are also pretty important things. I don't think getting a really cheap switch (no matter what speed) would be a great idea, but I take your point. Unfortunately we've left it too late to meet our deadline, so this will have to be something that's added in the future :( – Django Reinhardt Nov 28 '09 at 14:45

3 Answers

This is the same question as "Windows 7, network connection with no default gateway: any way to change the “Unknown network” status?".

Short answer is: this is normal behavior. Unfortunately you won't be able to make the "unidentified network" message go away unless you specify a default gateway on the adapter. The specified gateway must respond to ARP requests (meaning: it must be alive).

Etienne Dechamps
  • It's not quite the same, as I'm interested to know if I *should* be putting something as the default gateway... Do you know? – Django Reinhardt Nov 29 '09 at 21:37
  • There are ways to make it work with a default gateway specified (playing with route metrics), but you shouldn't. More specifically, you shouldn't have to. – Etienne Dechamps Nov 29 '09 at 22:39

To change the network location type you could try:

  • Start the Local Security Policy (secpol.msc)
  • Select Network List Manager Policies
  • Find the network and try and change its type.

If you right click on Network List Manager Policies you can change the networks it displays from Connected Networks to Show All Networks.

Why did this happen? Possibly because the Web Application Server had the Router as its default gateway and hence could identify the network, whereas the Router didn't have enough information on the Web Application Server and defaulted it to the untrusted public type. Have a read of What settings does Windows use to determine network location?

Sim
  • +1 I understand it's the router's internal NI that needs to have its default gateway changed... but to what? Surely the default gateway should be itself, or something? If I set the default gateway to 10.0.2.1 then it creates two networks for the same adapter on the Router: One private and one "unidentified" public. How does that work?? – Django Reinhardt Nov 26 '09 at 15:13
  • The default gateway is itself. 10.0.1.1 – Wesley Nov 26 '09 at 17:00
  • Thanks for the advice, Nonapeptide, but the network is still listed as "Unidentified" (Public). The only difference is that now pinging www.google.com from the Firewall/Router returns "Reply from 10.0.1.1: Destination host unreachable." (Although the next three pings all come back fine.) By this logic should the default gateway not be the external facing IP? Or do I have to tell the Router where the "Default" Default Gateway is or something? :) – Django Reinhardt Nov 26 '09 at 18:24
  • Hmmm. It now seems I get that weird ping reply no matter what I enter. Ugh. – Django Reinhardt Nov 26 '09 at 18:29
  • Now you know why I dislike Windows's new Network Location Awareness feature. It's too nebulous as to what it does and too quirky to change. Nonetheless, check out this article on NLA and see if it applies to you: http://blogs.technet.com/networking/archive/2009/02/20/why-is-my-network-detected-as-unknown-by-windows-vista-or-windows-server-2008.aspx and then check out this thread for further info http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/2e1fea01-3f2b-4c46-a631-a8db34ed4f84 – Wesley Nov 26 '09 at 19:15
  • Have you added static routes on the Router for the other two networks? The weird pings are probably a result of the OS not knowing which NIC to route the packets down for the different networks. What is the result of a **print route** command? – Sim Nov 26 '09 at 22:42
  • Ah! Of course! The **route** command is showing that the 10.0.0.1 has the lowest metric and so it's trying there first. Logically that makes sense: The 10.0.0.1 is on the same machine, whereas the correct external default gateway is somewhere else. Question is: How do I permanently change a route? According to /?, -p is only applicable to the ADD command. – Django Reinhardt Nov 27 '09 at 10:04
  • Ok, so I set-up the following persistent routes... DEST: 10.0.2.1/24 GATEWAY: 10.0.1.1 METRIC: 1 // DEST: 10.0.3.1/24 GATEWAY: 10.0.1.2 METRIC: 1 // DEST: 0.0.0.0/0 GATEWAY: (ext gateway) METRIC: 1 ...that's correct, I believe? – Django Reinhardt Nov 27 '09 at 10:22
  • Excellent. That has fixed the dodgy pinging, but not the "unidentified" public network... Am I right in saying the local IPs are on a different subnet, or should they be /16? Damn. – Django Reinhardt Nov 27 '09 at 10:27
  • Argh. Thinking about it more, I think I setup my local routes incorrectly...? Shouldn't they be something like: DEST: 10.0.2.1/24 GATEWAY: 10.0.2.1 METRIC: 1 IF: 10.0.1.1 // DEST: 10.0.3.1/24 GATEWAY: 10.0.3.1 METRIC: 1 IF: 10.0.1.1 ...(where IF = interface number) – Django Reinhardt Nov 27 '09 at 11:10
  • Typo in the last IP... should read 10.0.1.2 – Django Reinhardt Nov 27 '09 at 16:20
  • Have you tried your new routing config? – Sim Nov 30 '09 at 11:46
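The persistent routes the comments above converge on, as an added example for the Firewall/Router box (not code from this thread): a PowerShell 2.0 script for Server 2008 R2 that resolves each NIC's interface index from its address, adds the on-link routes for both internal legs plus a single default route on the external side, and checks the result against the live route table. The leg addresses are taken from the question's diagram and the external gateway is a labelled placeholder; both are assumptions.

```powershell
$ExternalGateway = '203.0.113.1'   # PLACEHOLDER (constructed): your provider's gateway

# Resolve the "IF" argument of route.exe from an interface address instead of
# copying a number out of 'route print', so each route lands on the right NIC.
function Get-IfIndexByAddress([string]$Address) {
    $nic = Get-WmiObject Win32_NetworkAdapterConfiguration |
        Where-Object { $_.IPEnabled -and $_.IPAddress -contains $Address }
    if (-not $nic) { throw "No enabled adapter holds $Address" }
    return [int]$nic.InterfaceIndex
}

# Internal legs assumed from the question's diagram: router 10.0.1.1 cabled to
# web 10.0.2.1, router 10.0.1.2 cabled to DB 10.0.3.1. Giving the router's own
# address on that NIC as the gateway makes the destination on-link, which is
# what "the default gateway is itself" means in routing terms.
$legs = @(
    @{ Dest = '10.0.2.0'; Mask = '255.255.255.0'; Local = '10.0.1.1' },
    @{ Dest = '10.0.3.0'; Mask = '255.255.255.0'; Local = '10.0.1.2' }
)
foreach ($leg in $legs) {
    $dest = $leg.Dest; $mask = $leg.Mask; $local = $leg.Local
    $ifIndex = Get-IfIndexByAddress $local
    # Network address (10.0.2.0), not the host (10.0.2.1): route.exe expects
    # the destination to agree with the mask.
    route -p add $dest mask $mask $local metric 1 if $ifIndex
}

# Only the external leg carries a default route; the internal adapters keep
# their default gateway blank, as the answers above advise.
route -p add 0.0.0.0 mask 0.0.0.0 $ExternalGateway metric 1

# Verify from the live table rather than trusting route.exe's exit code.
$table = Get-WmiObject Win32_IP4RouteTable
foreach ($leg in $legs) {
    $hit = $table | Where-Object { $_.Destination -eq $leg.Dest -and $_.Mask -eq $leg.Mask }
    if (-not $hit) { Write-Warning ("Route to {0} is missing" -f $leg.Dest) }
    else { "{0,-12} mask {1,-15} if {2}" -f $hit.Destination, $hit.Mask, $hit.InterfaceIndex }
}
```

While the internal adapter stays classed as Unidentified, Windows Firewall applies its Public profile to it; the Network List Manager Policies console from this answer has an "Unidentified Networks" entry whose location type controls that default.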

This seems confusing to me because all the network interfaces are on the same 10.0.0.0/16 network.

I think you should have 4 separate networks for each line in your drawing, if you're insisting on not using hubs or switches. Otherwise you're going to have to put in a static route on your web server to your database server and vice-versa.

Philip Wigg
  • Thanks for your reply. I've already setup static (persistent?) routes like this (from the Router/Firewall box): DEST: 10.0.2.1/24 GATEWAY: 10.0.2.1 METRIC: 1 IF: 10.0.1.1 // DEST: 10.0.3.1/24 GATEWAY: 10.0.3.1 METRIC: 1 IF: 10.0.1.2 ...(where IF = interface number). Could you explain more about your "four networks" solution? Thanks. – Django Reinhardt Nov 27 '09 at 16:14