
Windows 2000 Server, Routing, NAT confusion

Discussion in 'Legacy Windows' started by dpdevil16, 2003/10/06.

Thread Status:
Not open for further replies.
  1. 2003/10/06
    dpdevil16

    dpdevil16 Inactive Thread Starter

    Joined:
    2003/10/06
    Messages:
    4
    Likes Received:
    0
    Maybe someone out there can enlighten me as to what configuration settings I need for Windows 2000 Server's Routing and Remote Access service. Here's the situation:

    Current Setup: I've got a multi-system home network on an SMC Barricade 4-port router with a cable internet service. One of my machines is a dedicated server running Windows 2000 Advanced Server. All machines are configured to have static local IP addresses. Currently I have my router's firewall enabled with all 20 available NATing slots in my router's setup being occupied, because I am hosting multiple websites and have many programs on various systems on the network that require their ports to be open to the WAN side of the firewall.

    Goal: To get around this limitation I am considering making my server's local address the address of the router's DMZ (demilitarized zone) and setting up Routing and Remote Access in Windows 2000 Advanced Server to forward calls across the network to my other systems.

    Problem: After reading several guides, I was still unable to find the magic combination to get port forwarding to work. Will I have to set up the server outside of the router and manage it like a gateway, or is there a way to get it to work the way I initially desired? Below are my settings for RRAS.

    RRAS Settings:

    Server Settings:

    General Tab:
    "Router" checked
    "Local area network (LAN) routing only" selected
    "Remote access server" unchecked
    Security Tab:
    "Authentication provider": Windows Authentication
    "Accounting provider": Windows Accounting
    IP Tab:
    "Enable IP routing" checked
    "Allow IP-based remote access..." checked
    "DHCP" selected
    IPX Tab:
    "Allow IPX-based..." checked
    "Enable network access..." checked
    IPX network number assignment
    "Automatically" selected
    "Use the same network..." checked
    "Allow remote clients..." unchecked
    NetBEUI Tab:
    "Allow NetBEUI..." checked
    "The entire network..." selected
    PPP Tab:
    All options checked
    Event Logging
    "Log errors and warnings" selected
    "Enable PPP logging" unchecked

    IP Routing -> Network Address Translation
    Only interface listed is "Local Area Connection"

    Local Area Connection Properties:
    General Tab:
    "Public interface..." selected
    "Translate TCP/UDP headers" checked
    Address Pool Tab:
    Nothing listed
    Special Ports
    Public Port: 1234
    Public Address: Interface's Address
    Private Port: 8888
    Private Address: 192.168.2.40 (local ip of machine running test IIS website on port 8888)

    The only port forwarding I added was public port 1234 that should have forwarded the packets to my other machine's IIS website running on port 8888 at local ip 192.168.2.40. To test, I tried http://192.168.2.40:8888/ to ensure the website was functional and I directly forwarded to that port from the WAN with the router to ensure proper outside access of website. Both worked. With Win2KAS (local ip: 192.168.2.30) back on DMZ and port forwarding on the router taken off for the website, I tested http://192.168.2.30:1234/ to see if RRAS would forward my request. Unfortunately, the browser reported that the server could not be found. A similar test with VNC (default listening port 5900) was also performed with an equally unsuccessful outcome.

    If any RRAS guru (or non-guru alike) can help me out here, I'd be most appreciative. Any suggestions or follow-up questions are welcome. Thanks in advance.
     
  2. 2003/10/06
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Not familiar with the device and can't get a good feel for the meaning of
    "I have my router's firewall enabled with all 20 available NATing slots in my router's setup being occupied"

    Could you give some detail on that please. I understand NAT but not the limitations on your specific router/switch.
     
    Newt,
    #2


  4. 2003/10/06
    dpdevil16

    dpdevil16 Inactive Thread Starter

    Joined:
    2003/10/06
    Messages:
    4
    Likes Received:
    0
    Here's a screen shot of the port forwarding screen to give you an idea of what I mean... http://www.eden.rutgers.edu/~dpollard/smc_nat.jpg. In other words, it lets me forward only 20 ports to machines behind the firewall. This and the router are trivial to the rest of the matter at hand though.
     
  5. 2003/10/07
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Got it. A matter of terminology. SMC calls the settings "virtual server" while the term I'm accustomed to is port forwarding. Thanks.

    As a side note, you might enjoy taking a look at the BroadbandReports.com forum. They specialize in this sort of thing. Not to run you off but always nice to have multiple resources available.

    I've run this thru my head in every direction I can think of and am having no luck at all figuring out how RRAS will solve your problems. But I'd love to find out if you would be willing to explain.
     
    Newt,
    #4
  6. 2003/10/07
    dpdevil16

    dpdevil16 Inactive Thread Starter

    Joined:
    2003/10/06
    Messages:
    4
    Likes Received:
    0
    Essentially, my goal is to use RRAS on my Windows 2000 Server machine to do my routing for me instead of having my hardware router do it. The reason is the hardware router only allows me to forward a maximum of 20 ports. I think one reason RRAS is not working for me is because Win2KAS is not providing connectivity to the other systems on my network (by ICS or whatnot). I think what I may have to do is have my cable modem connected directly to my Win2KAS dedicated server and then connect the server to my router and have my router work essentially as a hub. I'd like to avoid this if possible and use RRAS to send all packet routing throughout the network, but if I can't then I'll have to settle for whatever works. What do you think? Thanks.
     
  7. 2003/10/08
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    It might be possible to make RRAS do what you want. I found lots of discussion topics but not much good, hard information.

    ICS would probably melt if you stressed it that much. Software trying to do a hardware job is normally a bad idea if you have other choices. Even if it should somehow work, it would be slow.

    Putting your 2K server in the DMZ would basically remove any and all protection from the SMC device so you'd need a good firewall (stateful for sure) on the server. And you'd still have the issue of passing all that port info.

    The only real suggestion I can make that I'm sure will work for you is to move up to a "real" router. Cisco makes a number of good ones that have port forwarding tables you can set up and not have a limitation on how many ports you can involve and that will do regular NAT as well. To that I'd add a good hardware firewall.

    This would leave you using the SMC device only as a switch which is sort of a waste.

    I didn't check in too much detail about the features of your router though. Some will allow forwarding ranges of ports and if yours will do that, you might be able to make it work for you by using 20 ranges rather than 20 individual ports.

    Sorry to be of no help on RRAS but I'm only familiar with it as a means of setting up a VPN and that's not at all what you want. Possibly someone at the BroadbandReports.com forum will know how to direct you to make RRAS work for you.
     
    Newt,
    #6
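
Added example, not part of the thread: a planner for the "20 ranges rather than 20 individual ports" idea above, which merges only strictly consecutive ports so that no port is exposed to the WAN that was not already forwarded. It assumes the router accepts a port range per slot with public port equal to private port (the thread does not confirm this for the SMC device); the function names and the port list are constructed for illustration, using the two LAN addresses from the first post.

```python
from collections import defaultdict

SLOT_LIMIT = 20  # forwarding-table size of the router, per the thread

# Constructed sample: (protocol, private host, public port, private port)
CONSTRUCTED_FORWARDS = [
    ("tcp", "192.168.2.30", 80, 80),
    ("tcp", "192.168.2.30", 443, 443),
    ("tcp", "192.168.2.40", 1234, 8888),   # remapped port, as in the RRAS test
    ("tcp", "192.168.2.40", 5900, 5900),
    ("tcp", "192.168.2.40", 5901, 5901),
    ("tcp", "192.168.2.40", 5902, 5902),
    ("udp", "192.168.2.40", 27015, 27015),
    ("udp", "192.168.2.40", 27016, 27016),
    ("udp", "192.168.2.40", 27017, 27017),
]

def plan_slots(forwards):
    """Collapse individual forwards into the fewest range entries.

    Ports are merged only when they are consecutive, go to the same host and
    protocol, and are not remapped, so the plan never opens an extra port.
    Returns sorted (proto, host, first_public, last_public, first_private).
    """
    groups = defaultdict(set)
    slots = []
    for proto, host, pub, priv in forwards:
        if pub == priv:
            groups[(proto, host)].add(pub)
        else:
            # A remapped port cannot share a range entry (assumption above).
            slots.append((proto, host, pub, pub, priv))
    for (proto, host), ports in groups.items():
        ordered = sorted(ports)
        start = prev = ordered[0]
        for port in ordered[1:]:
            if port != prev + 1:          # gap: close the current range
                slots.append((proto, host, start, prev, start))
                start = port
            prev = port
        slots.append((proto, host, start, prev, start))
    return sorted(slots)

def fits(forwards, limit=SLOT_LIMIT):
    """True when the merged plan fits in the router's forwarding table."""
    return len(plan_slots(forwards)) <= limit

if __name__ == "__main__":
    for slot in plan_slots(CONSTRUCTED_FORWARDS):
        print(slot)
```

Widening a range across a gap would save a slot at the cost of exposing a port nothing was meant to listen on, which is why the planner refuses to do it.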
  8. 2003/10/08
    dpdevil16

    dpdevil16 Inactive Thread Starter

    Joined:
    2003/10/06
    Messages:
    4
    Likes Received:
    0
    Thanks a bunch for your insight into this problem of mine. I'm pretty much on the same page as you are about the concerns and suggestions you made, but I'll drop a post at BroadbandReports.com and see if anyone there could shed more light on this. Thanks again. I'll keep you posted on my results.
     
  9. 2003/10/09
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Good. If somebody has a tweak that will allow this, I'd love to know about it 'cause it would be a really useful thing.
     
    Newt,
    #8