This guide is for those who want to simulate a virtual enterprise environment and use a Windows Server as a virtual gateway. In this example I'm going to use 2 separate VLANs, use the gateway as a router, and also NAT all communication to the Internet. This way only one server faces the Internet, and you could also have a firewall on the server.
SETUP:
1 Server 2016 Core, Name (GW), Workgroup (but could be domain joined), used as gateway and router.
2 Server 2016 GUI, Name (MGM,MGM2), Workgroup (but could be domain joined), used for verification.
Setup Hyper-V:
On the GW server I need 3 network cards. One connected to an External switch and the other two connected to the same Private switch.
I configure the two Private switches with a VLAN ID.
The MGM server is connected to the VLAN 102 switch and MGM2 to the VLAN 103 switch.
Setup GW Server:
Server is installed and fully patched.
On the server we now have three network cards, and I will rename them to External, VLAN 102 and VLAN 103.
First, log on to the server, start PowerShell, and check which network adapters we have.
Get-NetAdapter
When looking at the LinkSpeed I see that one connection is at 1 Gbps, so that should be my External network, and the rest are the internal ones. By default the cards are named in order of installation, so if you create the internal ones first, they will have the lower numbers. If you add them one by one, you will know which adapter is which.
Then we rename the cards, just so it will be easier to see.
Get-NetAdapter -Name "Ethernet" | Rename-NetAdapter -NewName "External"
Get-NetAdapter -Name "Ethernet 2" | Rename-NetAdapter -NewName "VLAN 102"
Get-NetAdapter -Name "Ethernet 3" | Rename-NetAdapter -NewName "VLAN 103"
And when we check again we see the new names.
Get-NetAdapter
Then we must set an IP address on the network cards. In this case External gets its address from DHCP, so we don't need to change that one.
So for the VLAN 102
New-NetIPAddress -InterfaceAlias "VLAN 102" -IPAddress 192.168.102.1 -PrefixLength 24 -DefaultGateway 192.168.102.1
And for VLAN 103
New-NetIPAddress -InterfaceAlias "VLAN 103" -IPAddress 192.168.103.1 -PrefixLength 24 -DefaultGateway 192.168.103.1
This is not needed, but I always want to enable ICMP, so let's enable that in the Windows Firewall.
Enable-NetFirewallRule -DisplayName "File and Printer Sharing (Echo Request - ICMPv4-In)"
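Enable-NetFirewallRule with -DisplayName turns on every rule that carries that display name, whatever firewall profile it belongs to, so the External adapter may answer ping as well. The block below is an added example, not part of the original guide: it shows where the built-in rule applies and replaces it with an echo rule bound to the two internal adapters only. The name of the new rule is made up for this example.

```powershell
# Added example, not from the original guide. Run on GW in an elevated PowerShell.
$builtIn  = 'File and Printer Sharing (Echo Request - ICMPv4-In)'
$scoped   = 'Lab ICMPv4 echo (internal adapters only)'   # hypothetical rule name
$internal = 'VLAN 102', 'VLAN 103'                        # adapter names from this guide

# Which firewall profile each adapter has landed in.
Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory

# Every instance of the built-in echo rule, with the profiles it covers.
Get-NetFirewallRule -DisplayName $builtIn | Select-Object Name, Profile, Enabled

# Turn the broad rule off again so the Internet-facing adapter stays quiet.
Disable-NetFirewallRule -DisplayName $builtIn

# Allow echo requests (ICMPv4 type 8) on the internal adapters only.
# The existence check makes the block safe to run more than once.
if (-not (Get-NetFirewallRule -DisplayName $scoped -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $scoped -Direction Inbound -Action Allow `
        -Protocol ICMPv4 -IcmpType 8 -InterfaceAlias $internal | Out-Null
}

# Confirm the result: the scoped rule and the interfaces it is bound to.
Get-NetFirewallRule -DisplayName $scoped |
    Get-NetFirewallInterfaceFilter |
    Select-Object InterfaceAlias
```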
Just a quick check that we have internet connectivity
Test-NetConnection
Now on to installing RRAS. Install the Routing role and restart the server.
Install-WindowsFeature Routing -IncludeManagementTools -Restart
When the server has rebooted, log on to it again and start PowerShell.
Configuration RRAS:
For the next part there are two solutions as I see it: the old way, using the GUI from another server, and another using NETSH. If you ever want to see which NAT is in use and the packet statistics, then I recommend using the GUI. If anyone knows a way to configure this with PowerShell or by other means so that it shows up the same in the GUI, let me know. I will now show both ways to configure this.
RRAS GUI:
From the MGM server, set it up on VLAN 102 with an IP address and set the default gateway to the GW server's IP for VLAN 102. If using MGM2, set it up with an IP on that VLAN and use that gateway IP. Below I use MGM. If the server is in a workgroup, make sure that the same admin account exists on both servers with the same password for easier management. If in a domain, make sure your account has admin rights.
Now, on the MGM server, install RSAT for RRAS via PowerShell. A restart is not needed.
Install-WindowsFeature RSAT-RemoteAccess -IncludeAllSubFeature
Now start the “Routing and Remote Access” GUI.
In the GUI, right click on top of the tree and choose “Add Server”
Check “The following computer” and type in the IP address of the gateway (in this case the MGM server is on VLAN 102 so we choose 192.168.102.1 to connect to the GW), and then click on Connect.
Now right click on 192.168.102.1 and choose “Configure and Enable Routing and Remote Access”.
Click Next.
Select NAT and click on Next.
Select our External Network card and click on Next.
Select one of the cards (VLAN) that will be able to access the Internet, and click Next. Here you can't add more than one card, but we will add the other one later.
The next screen will only show up if the server is in a workgroup. You can choose whether the GW should forward all DNS requests towards the Internet or whether you will use an internal DNS and DHCP. This case is just to show how it works, so I will choose to let the GW forward all traffic. In a fully simulated environment, I would have the GW domain joined.
Click Next.
Click Finish and let RRAS be configured.
NB: if you have enabled “Windows Firewall Remote Management” in the firewall you will get the following error message. This is not an issue, because installing the Routing role on the GW has already enabled the firewall rules (at least on Core).
Now expand 192.168.102.1, then IPv4, and then NAT. If NAT does not show up, there is probably a GUI error, and restarting the RRAS console or the MGM server will fix that. We see that our VLAN 102 and the External network are connected in NAT.
To add VLAN 103, right click on NAT and choose “New Interface.”
Select VLAN 103 and click on OK.
Select Private Interface and click on OK.
Now VLAN 103 should be visible under NAT.
Now, we can go on with verification.
RRAS Core:
NB: if you use this way you can't use the GUI from a 2016 server to view anything; it will throw a message that legacy is not supported and PowerShell must be used.
On the GW server, install RemoteAccess, and just because we want some output we add -PassThru.
Install-RemoteAccess -VpnType RoutingOnly -PassThru
The next commands use NETSH, so start it by typing NETSH to enter the NETSH interface. Then type “routing ip nat” to enter that context.
Now add the config in netsh. The first row installs the NAT functionality; this will throw a message that it cannot find the file specified, but it will still work. Row 2 adds the External adapter with mode Full. Row 3 adds the VLAN 102 adapter. Row 4 adds the VLAN 103 adapter.
install
add interface "External" mode=full
add interface "VLAN 102"
add interface "VLAN 103"
exit
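The same netsh steps can also be run non-interactively from PowerShell on the GW. The script below is an added example, not part of the original guide; it assumes the adapter names and static addresses set earlier, and it refuses to touch NAT if an adapter is missing, down, or lacks its static address.

```powershell
# Added example, not from the original guide. Run on GW in an elevated PowerShell
# after Install-RemoteAccess has completed.
$external = 'External'                 # adapter names as renamed earlier in this guide
$internal = 'VLAN 102', 'VLAN 103'

# Stop early if any adapter is missing or not up, so a typo in a name
# cannot leave the gateway half configured.
foreach ($alias in @($external) + $internal) {
    $nic = Get-NetAdapter -Name $alias -ErrorAction Stop
    if ($nic.Status -ne 'Up') {
        throw "Adapter '$alias' is $($nic.Status), expected Up"
    }
}

# The internal adapters must already carry the manually assigned addresses.
foreach ($alias in $internal) {
    $ip = Get-NetIPAddress -InterfaceAlias $alias -AddressFamily IPv4 `
        -PrefixOrigin Manual -ErrorAction SilentlyContinue
    if (-not $ip) {
        throw "Adapter '$alias' has no static IPv4 address"
    }
}

# Same commands as in the interactive "routing ip nat" context above.
# The install step may print the "file not found" message mentioned in the text.
netsh routing ip nat install
netsh routing ip nat add interface $external mode=full
foreach ($alias in $internal) {
    netsh routing ip nat add interface $alias
}

# Show what NAT now holds, so the result can be compared with the three adapters.
netsh routing ip nat show interface
```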
And then it's on to verification.
Verification:
Now from the MGM server, make sure you have a functional DNS server setting, or set Google as one, and then run Test-NetConnection.
Test-NetConnection
And from VLAN 103
So we see that Internet access is working from both VLANs. Now to test that the routing works (it starts working as soon as NAT is in place), from VLAN 102 to VLAN 103, and we add -TraceRoute just to see the route.
Test-NetConnection 192.168.103.33 -TraceRoute
And from VLAN 103 to VLAN 102
Test-NetConnection 192.168.102.33 -TraceRoute
DONE