Nat Problems On Hyper-V Server

[nasomi]

I'm hoping someone can make a suggestion as I'm at a loss.

 

I have one server with 3 NIC's, WAN, LAN, and VLAN. WAN has the internet. LAN has a static IP assigned to it. VLAN is the hyper-v network adapter.

 

I install Hyper-V and configure it to use VLAN. Several restarts occur. Then, I install DHCP, list LAN as the adapter to bind to, set the scope, and set server option 3 to the LAN ip address. I then install Network Policy & Access, select NAT, select WAN as the adapter sourcing the internet, and LAN as the adapter to share internet with. LAN and VLAN are connected to the same switch, VLAN gets it's ip from LAN's scope. VM's get their ip from the VLAN adapter, as well as other machines connected to the switch. At this point, it looks like this:

 

WAN IP: 192.168.1.101(DHCP)

 

LAN IP: 10.0.0.1(Static)

 

VLAN IP: 10.0.0.15(DHCP)

 

VM1 IP: 10.0.0.16(DHCP)

 

VM2 IP: 10.0.0.17(DHCP)

 

Everything works. All computers have internet access.

 

Then, I restart the server, and suddenly no computer has internet access. All computers receive an IP from the dhcp server, the server's WAN port receives an IP from it's DHCP server, however there is no internet access any longer. I have reconfigured close to 30 times this weekend, started from scratch, jumped through all hoops, to no avail. If someone could point me in the direction of what to check, I would appreciate it. I'm at a loss here.

[ICTCity]

Hi,

 

I don't understand why do you have a VLAN on the same class of your LAN. Anyway, you may have 2 problems.

 

1) You don't have a default GW assigned, to verify this, when you don't have internet access, try to ping something BEHIND your router (another server, computer, printer, ...) on the same LAN.

 

2) Your switch is not properly configured, in other words it doesn't understand how to manage your class 10.0.0.0 (LAN) and 10.0.0.0 (VLAN) which are 2 physical network on the same switch. I assume you have the 802.11q protocol enabled and configured on your switch.

 

Let me know.

[nasomi]

Hi,

 

I have set up an isolated network for this little project until I can get it working properly. I am able to ping other machines on the mini-lan. I can remote into them. I'm not the most well versed in terminology, this is a side project, so please forgive me. Default gateway is assigned in the dhcp scope as option 003 router, and set to 10.0.0.1. Without that setting, NAT doesn't work, and things did work post setup and pre restart. Once I restarted, no internet access.

 

I don't understand how the switch has 2 physical networks on it. If LAN is the dhcp server and VLAN is the dhcp client, I've never had to configure the switch before for this. The part that is strange to me, is that the host server does not have internet access, which makes me think it doesn't know how to send requests to the internet, so even if everything else is configured properly, nothing will work until the host can access the internet.

 

To better illistrate it, here is a rough sketch of my network:

.

Now, from the server in question, i can remote into any vm, the pc on that network, in addition to remote into big on the previous network. And I can do it by either IP or computer name.

 

Thanks for your help.

Edited February 9, 2014 by AWS

[ICTCity]

For me the problem is still the VLAN. VLan is used for separate physical LANs, the point is that your switch MUST support VLAN tagging (protocol 802.11q). I cannot test your solution, but actually I don't think you can have a LAN with IP 10.0.0.0 and a VLAN with the same address. Are you sure your switch supports VLAN TAGGING?

[nasomi]

Honestly, I don't know. It's a linksys srw-224. It's old, but it has always worked well for me.

 

Perhaps I should explain what I'm doing and maybe you have a better suggestion. I have 4 1u servers on the rack that I want to consolidate onto one. One server runs DHCP & RRAS, and 3 are remote desktop servers. Not a lot of cpu being used, consumes a lot of power, and produces a lot of heat. So the plan was to replace them with a single 4u that would run DHCP, RRAS, and virtualize the other 3 servers. This is my first time playing with vlan's, and hyper-v. When I had the virtual servers in place, they worked perfectly. Migration from physical to virtual was seemless. So at that point I have the 4u running hyper-v, and one 1u running DHCP & RRAS, which connected to the switch, then to the 4u. Everything worked good. I put everything on the 4u and create a mini-network as shown in hte illistration above, and everything works. Until I restart the server. Then, the only functionality I lose is internet. All other network access works, I can remote into everything from the main server. In the past, this has always pointed to a RRAS configuration problem, however my experience with vlans is limited at best. Initially I had wanted to create a virtual network adapter for the vlan to pull ip's from LAN adapter, and not use a 3rd network card, but I couldn't figure out how.

 

Also, I'm not sure I understand how the LAN and VLAN have the same ip. LAN is manually configured with 10.0.0.1 and VLAN adapter gets it's ip from that, as 10.0.0.15.

[ICTCity]

VLANs are used to SEPARATE networks, it's like having two NICs, one goes to X and the other goes to Y but one doesn't know anything about the other. Now, if you say that VLAN take an IP from the LAN, there's something wrong. VLAN cannot communicate with LAN unless you UNtag the packet. If you have a VLAN is to separate things, so, WHY you should put everything back together?

 

Every switch / router has its own config, but from what I know, a switch MUST be programmable (and programmed) to manage VLANs. VLANs are easy: when the packet arrives, it's tagged with the VLAN ID, somewhere it will be UNTAGGED to come back.

 

What I think is that when you configure your network, everything works because of you have the same IP (10.0.0.X) on every server and everything is on the same network. When you restart, the "real" configuration is applied and your switch doesn't know HOW to manage the VLAN tag.

 

You can do a test: when you have lost connectivity to internet, try to ping 192.168.1.101, then ping 192.168.0.1 then traceroute the ip 8.8.8.8. In other words run the following command in the command prompt and post results:

 

ping 192.168.0.101 && ping 192.168.0.1 && tracert 8.8.8.8

[nasomi]

Perhaps I'm using incorrect terminology. I did not create the vlan. When I deploy hyper-v, and select a network adapter, it disables that network adapter and creates a new one that it calls virtual network adapter. Perhaps what I'm just calling VLAN actually exists as something else, and I'm incorrect in calling it that. That's just what I named it because it's not a physical lan. Unfortunately I'm at the office and the server is at home, and it was restarted and currently hanging at the bios screen waiting for me to hit F1 because the front panel connector isn't detected. Stupid "feature" that I haven't figured out how to bypass yet. From my tinkering though, 192.168.1.101 can ping 192.168.0.1. it can rdp into it. it can rdp into every computer on either side of the network, 10.0.0.x or 192.168.0.x. However when it tries to resolve 8.8.8.8 or any external address, it times out.

[ICTCity]

Yeeeeep, VLAN is a VLAN, Virtual Network is a Virtual Network :P

 

So now it's a bit more clear.

 

I just want to know WHERE it stops, this can be made only by issuing a tracert command.

[nasomi]

Cheers, this makes perfect sense now thanks to that tracert command. It seems to be routing inet traffic through the vlan ip, the tracert over 30 hops merely goes to 10.0.0.1 again and again and again. So, I need a way to point inet traffic to the wan ip right?

[ICTCity]

Yep, in some way yes...

 

But let's start from the beginning.

 

You started a traceroute from 10.0.0.X to 10.0.0.1? You should be a bit more precise :)

[nasomi]

sitting at the server i did tracert 8.8.8.8. What network port it went over I'm not sure. I'm guessing it went over 10.0.0.15 through to 10.0.0.1 I also did it from a vm and it stopped and just looped on 10.0.0.1.

[ICTCity]

Ok, now try to reconfigure your server so it will have access to internet and retry the tracert. Let me know.

[nasomi]

That's the thing, after that restart, I can't get it to work again until I do a fresh install of the OS. I'll try removing all the roles, but that hasn't worked in the past.

[ICTCity]

I can't understand what is happening. Here's my though: if your traceroute stops to your "router", it means your router doesn't know where to send packets. But this is something which should apply to all devices on the 10.0.0.0 network and cannot be resolved with a fresh install. After a fresh install, everything works fine, but IN WHICH WAY your server can change the routing of your router? The only thing I can think is that your server is starting to be a router and "spoof" the IP 10.0.0.1 in some way. This theory can be correct because the problem starts when you RESTART your computer (so the routing service is started). Can you reinstall the server without any roles?

[nasomi]

Yeah, I've become pretty damned efficient at that, i did it about 30 times last weekend trying to figure out what i was doing wrong or doing out of order(because order affects how rras and dhcp roles play together...).

[ICTCity]

That's ok, install DHCP and nothing else. Tell me if after a reboot something changes.

[nasomi]

C:\Users\Administrator>tracert 8.8.8.8

 

Tracing route to google-public-dns-a.google.com [8.8.8.8]

over a maximum of 30 hops:

 

1

[nasomi]

DHCP & RRAS works perfectly. Everything works fine with dhcp and rras. everyone gets the internet. The moment i install hyper-v and the vlan is created, everything stops.

[nasomi]

I was thinking about that for a minute, jumping through more hoops than necessary. I ran dhcp and rras forever and it was fine, and i ran hyper-v and it was fine. it was when i put it together. that the problem came up.

[ICTCity]

Be sure that RRAS doesn't use that interface to do something.

[nasomi]

That's why I had to have the 3rd interface added. When I would install hyper-v, it makes you select a network interface for the vm's. I select the 3rd interace, which should route traffic from the vlan over the router to the lan port, then RRAS translates traffic coming in on the lan port over to the wan port.

[ICTCity]

Wait, if you have the 3rd Nic with the same IP class of your LAN 10.0.0.0 you must do the same work you do for the other interface, so routing will be made correctly.

[nasomi]

I'm not sure I understand what you mean by the same work.

[ICTCity]

Hyper v has an address of 10.0.0.0 and the other interface (LAN) is on the same network (10.0.0.0)

[nasomi]

Yes, but traffic trying to work on the clients of the LAN should be routed through to the WAN. If a computer gets it's IP from LAN, it goes computer >> lan >> wan for internet route. Why doesn't this work with the 3rd nic? Perhaps if i add the vlan adapter to the NAT portion of the RRAS role and set it to private network, it will route it's internet through the WAN port. OR!!! What if I disinclude the 3rd nic, install hyper-v first to create the vlan adapter, then go into ipv4 of that and set the ip manually to 10.0.0.1, then configure DHCP to work off the vlan adapter instead of the LAN adapter, the configure RRAS on the VLAN >> WAN route. It's so crazy it just might work...