[2K8 R2] RRAS NAT stops working

  • CMG
Perhaps you guys know an answer to this...

I had this problem solved yesterday for a whole 2 minutes, until RRAS NAT stopped working...
I have a Windows Server 2008 R2 32-bit server in a datacenter and a 64-bit at the office. The office connection doesn't allow incoming port 25. To make sure mail can be received, I've set up a user account in the AD and assigned it a fixed IP of 192.168.2.254. The VPN server doesn't have DHCP installed, so I've set a fixed host range of 192.168.2.5 till 192.168.2.254. The VPN server automatically takes 192.168.2.5, and when my mail server dials in, it gets its desired IP as well.

So far, so good.

I then added NAT for port 25 incoming to be rerouted to port 587 on 192.168.2.5 via netsh

netsh routing ip nat>add portmapping "name=Local Area Connection" tcp 0.0.0.0 25 192.168.2.254 587

After realizing I should have just mapped it to port 25, I've updated it with netsh

netsh routing ip nat>add portmapping "name=Local Area Connection" tcp 0.0.0.0 25 192.168.2.254 25

I have to say that at first, this worked, but I got a 5.7.1. when trying to deliver mail because the service via port 587 expects you to always identify first...

Too bad, because now it won't do any NAT routing. If I look at the NAT section, all the packet counts, etc. just stay at "-", I've tried rebooting and making custom firewall rules, changing the rules on the other end, but I can't seem to get it to work. I can still telnet in fine from the VPN server to the mail server over port 25, but the NAT routing fails.

I've removed the role, rebooted and added the role again, but all settings, etc. are remembered, so it has no effect... isn't there anything I can do or is there alternative software that works?

Ok, one bright spot; if you disable RRAS, it does clear its settings...

Observations so far: Every time you add a new mapping, the old ones are cleared and added one by one again (causes VPN disconnect when the VPN mapping is recreated). The total mappings field goes down to 0, and then up to 7 again (takes a lot longer than I expected). When I try one of the two rules I created myself, I see the number of mappings decreasing; as if it crashed and is no longer active. Weird thing is that out of +/- 400 inbound and 400 outbound packets, the amount of packets rejected remains zero.

To make sure that my firewall rules are properly configured, I tested with netcat to see if I can get in, but that's not the issue; connecting in works, it's really the RRAS/NAT section that messes up :(

Any ideas?

Thanks,

Nick.

[ 21% edited by CMG on 09-09-2010 22:59 ]

NKCSS - Projects - YouTube


  • CMG
In case it helps:

Here is the network config:

[IPCONFIG]

Windows IP Configuration

Host Name . . . . . . . . . . . . : Windows14111
Primary Dns Suffix . . . . . . . : nkcss.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : nkcss.com

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : HP NC105i PCIe Gigabit Server Adapter
Physical Address. . . . . . . . . : 00-23-7D-AA-25-49
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::5462:e749:4d0f:6597%10(Preferred)
IPv4 Address. . . . . . . . . . . : 95.211.30.21(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.128
IPv4 Address. . . . . . . . . . . : 95.211.30.70(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.128
IPv4 Address. . . . . . . . . . . : 95.211.30.71(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.128
IPv4 Address. . . . . . . . . . . : 95.211.30.72(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.128
Default Gateway . . . . . . . . . : 95.211.30.126
DHCPv6 IAID . . . . . . . . . . . : 251667325
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-12-F1-00-F4-00-23-7D-AA-25-49
DNS Servers . . . . . . . . . . . : ::1
127.0.0.1
NetBIOS over Tcpip. . . . . . . . : Enabled

PPP adapter RAS (Dial In) Interface:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : RAS (Dial In) Interface
Physical Address. . . . . . . . . :
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.2.5(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :
NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter Local Area Connection* 8:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.{431729D4-D4CE-40F8-89B0-A0FC8AC767B0}
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 9:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : 6TO4 Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2002:5fd3:1e15::5fd3:1e15(Preferred)
IPv6 Address. . . . . . . . . . . : 2002:5fd3:1e46::5fd3:1e46(Preferred)
IPv6 Address. . . . . . . . . . . : 2002:5fd3:1e47::5fd3:1e47(Preferred)
IPv6 Address. . . . . . . . . . . : 2002:5fd3:1e48::5fd3:1e48(Preferred)
Default Gateway . . . . . . . . . : 2002:c058:6301::c058:6301
DNS Servers . . . . . . . . . . . : ::1
127.0.0.1
NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter Local Area Connection* 11:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 12:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 02-00-54-55-4E-01
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
[/IPCONFIG]

[ROUTE]
===========================================================================
Interface List
10 ...00 23 7d aa 25 49 ...... HP NC105i PCIe Gigabit Server Adapter
15 ........................... RAS (Dial In) Interface
1 ........................... Software Loopback Interface 1
12 ...00 00 00 00 00 00 00 e0 isatap.{431729D4-D4CE-40F8-89B0-A0FC8AC767B0}
13 ...00 00 00 00 00 00 00 e0 6TO4 Adapter
20 ...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
14 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 95.211.30.126 95.211.30.21 21
95.211.30.0 255.255.255.128 On-link 95.211.30.21 276
95.211.30.21 255.255.255.255 On-link 95.211.30.21 276
95.211.30.70 255.255.255.255 On-link 95.211.30.21 276
95.211.30.71 255.255.255.255 On-link 95.211.30.21 276
95.211.30.72 255.255.255.255 On-link 95.211.30.21 276
95.211.30.127 255.255.255.255 On-link 95.211.30.21 276
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.2.5 255.255.255.255 On-link 192.168.2.5 291
192.168.2.254 255.255.255.255 192.168.2.254 192.168.2.5 36
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 95.211.30.21 276
224.0.0.0 240.0.0.0 On-link 192.168.2.5 291
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 95.211.30.21 276
255.255.255.255 255.255.255.255 On-link 192.168.2.5 291
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 95.211.30.126 1
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
13 1125 ::/0 2002:c058:6301::c058:6301
1 306 ::1/128 On-link
13 1025 2002::/16 On-link
13 281 2002:5fd3:1e15::5fd3:1e15/128
On-link
13 281 2002:5fd3:1e46::5fd3:1e46/128
On-link
13 281 2002:5fd3:1e47::5fd3:1e47/128
On-link
13 281 2002:5fd3:1e48::5fd3:1e48/128
On-link
10 276 fe80::/64 On-link
10 276 fe80::5462:e749:4d0f:6597/128
On-link
1 306 ff00::/8 On-link
10 276 ff00::/8 On-link
===========================================================================
Persistent Routes:
None

[/ROUTE]

[NETSH ROUTE IP NAT SHOW INTERFACE]

NAT Local Area Connection Configuration
---------------------------
Mode : Address and Port Translation


NAT Static Port Mapping Configuration
-------------------------------------
Protocol : TCP
Public address : 0.0.0.0
Public port : 25
Private address : 192.168.2.254
Private port : 25

Protocol : UDP
Public address : 0.0.0.0
Public port : 500
Private address : 127.0.0.1
Private port : 500

Protocol : UDP
Public address : 0.0.0.0
Public port : 4500
Private address : 127.0.0.1
Private port : 4500

Protocol : TCP
Public address : 0.0.0.0
Public port : 3389
Private address : 192.168.2.5
Private port : 3389

Protocol : TCP
Public address : 0.0.0.0
Public port : 443
Private address : 192.168.2.5
Private port : 443

Protocol : UDP
Public address : 0.0.0.0
Public port : 1701
Private address : 127.0.0.1
Private port : 1701

Protocol : TCP
Public address : 0.0.0.0
Public port : 1723
Private address : 127.0.0.1
Private port : 1723

Protocol : TCP
Public address : 0.0.0.0
Public port : 80
Private address : 192.168.2.5
Private port : 80

Protocol : TCP
Public address : 0.0.0.0
Public port : 555
Private address : 192.168.2.6
Private port : 80

Protocol : TCP
Public address : 0.0.0.0
Public port : 666
Private address : 192.168.2.254
Private port : 587

NAT Local Area Connection 2 Configuration
---------------------------
Mode : Private Interface


NAT Internal Configuration
---------------------------
Mode : Private Interface


[/NETSH ROUTE IP NAT SHOW INTERFACE]

  • CMG
I've since solved it by using an alternative port mapping program.

I've now also written a program myself that can do port mappings (also on non-standard ports); now I just need to turn it into a Windows Service (that's the reason I got started on this myself with C#; the current solution is a Windows app; you have to stay logged in & problems after reboot, etc...). Once I have the whole thing finished I'll post a link here, in case more people have had enough of RRAS NAT.

NKCSS - Projects - YouTube
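Added example (not part of the thread and not the poster's program): a Python check over the `netsh routing ip nat show interface` output posted above. It reports public ports that are mapped more than once, forwards that rewrite the port (the 25 to 587 case from the first post), and targets outside the static VPN range. The function names and finding strings are assumptions; the last sample row is constructed from the first add portmapping command in the thread.

```python
import ipaddress
import re
from collections import Counter

# Rows 1-4 come from the dump in the thread; row 5 is constructed: the first
# "add portmapping" command from the post, as if it had never been replaced.
ROW = ("Protocol : {}\nPublic address : {}\nPublic port : {}\n"
       "Private address : {}\nPrivate port : {}\n")
SAMPLE = "\n".join(ROW.format(*r) for r in [
    ("TCP", "0.0.0.0", 25, "192.168.2.254", 25),
    ("UDP", "0.0.0.0", 500, "127.0.0.1", 500),
    ("TCP", "0.0.0.0", 555, "192.168.2.6", 80),
    ("TCP", "0.0.0.0", 666, "192.168.2.254", 587),
    ("TCP", "0.0.0.0", 25, "192.168.2.254", 587),
])
FIELD = re.compile(r"^\s*(Protocol|(?:Public|Private) (?:address|port))\s*:\s*(\S+)\s*$")
# Static VPN address range stated in the first post.
POOL = (ipaddress.ip_address("192.168.2.5"), ipaddress.ip_address("192.168.2.254"))

def parse_mappings(text):  # one dict per static port mapping
    mappings = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # headings, separators, "Mode : ..." lines
        key, val = m.groups()
        if key == "Protocol":
            mappings.append({})  # every mapping block starts with Protocol
        if mappings:
            mappings[-1][key] = int(val) if key.endswith("port") else val
    return [m for m in mappings if len(m) == 5]

def audit(mappings, pool=POOL):  # (protocol/port, finding) pairs to review
    findings = []
    seen = Counter((m["Protocol"], m["Public port"]) for m in mappings)
    for m in mappings:
        tag = f'{m["Protocol"]}/{m["Public port"]}'
        target = ipaddress.ip_address(m["Private address"])
        if seen[(m["Protocol"], m["Public port"])] > 1:
            findings.append((tag, "duplicate public port"))
        if target.is_loopback:
            continue  # published service runs on the NAT box itself
        if not pool[0] <= target <= pool[1]:
            findings.append((tag, "target outside VPN pool"))
        if m["Public port"] != m["Private port"]:
            findings.append((tag, f'port rewritten to {m["Private port"]}'))
    return findings

if __name__ == "__main__":
    print(*audit(parse_mappings(SAMPLE)), sep="\n")
```

To check a live server, feed the saved command output to `parse_mappings` in place of `SAMPLE`.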