1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Multiple IPs on single NIC connection issues

Discussion in 'Networks' started by garyb, Dec 19, 2007.

  1. garyb

    garyb Byte Poster

    179
    2
    22
    Hi,
    I have a huge problem which I have been trying to resolve for 3 days now with no success.

    I have been running our business website on II6 in a DMZ connecting back to the LAN SQL 2000 server on port 1433 with no issues for a few years. We now are looking to add another 2 websites onto IIS using virtual IPs on the single NIC identical to the above but a differing SQL box. This is wehre the problems begin!

    IIS [DMZ]
    NIC1 - 10.0.10.10 [connect to server1 on 1433]
    Virtual IP on NIC1 - 10.0.10.11 & 10.0.10.12 [connect to server2 on 1434]

    SQL [LAN]
    Server 1 - 192.168.40.40
    Server 2 - 192.168.40.41

    On the firewall I have created 3 access rules to allow websites to connect back to the relative SQL boxes on SQL ports above but as soon as I start the new website to connect to SQL server 2 it 404s the original website. Firewall logs show attempts from the primary IP [10.0.10.10] to access SQL Server2 which will never work as there is no access rule for this!

    Even when a client accesses the website on 10.10.10.11 the connection is initiated by 10.10.10.10 [primary NIC] which is casuing me grief as I cant host more than one website now!

    As a test I setup a firewall rule to allow Telnet full access from DMZ to LAN. Telnet to the 192.168.40.40 sql box from IIS is fine, but to the 192.168.40.41 fails. I need to somehow force the connection to be made from the virtual IP on NIC1 but am clueless how to!

    I am really lost here and have delayed the rollout of the 2 additonal website because of this, any ideas appreciated
     
    WIP: MCSA 2003
  2. Stoney

    Stoney Megabyte Poster

    731
    23
    69
    Have you tried this without the virtual IP's?

    Just add the websites in IIS and then give them different host header names.

    eg: www.website1.com, www.website2.com, www.website3.net

    We have a couple of sites hosted through IIS that connect to SQL, and I don't think there's anything special setup for them.
     
    Certifications: 25 + 50 metre front crawl
    WIP: MCSA - Exam 70-270
  3. garyb

    garyb Byte Poster

    179
    2
    22
    Hi Stoney, thanx for the reply.
    I did try this but theres some confusion when the SQL attempts to route from DMZ to LAN. As I said there are 2 differing SQL servers on the LAN, when the connection is initiated on the website the packets get sent to the wrong server: ie:

    website1 should route on 1433 to sqlserver1
    website2 should route on 1434 to sqlserver2

    What actually happens is website2 connects on 1434 to sqlserver1 breaking both websites..

    Baffling me I can tell you..
     
    WIP: MCSA 2003
  4. ffreeloader

    ffreeloader Terabyte Poster

    3,661
    106
    167
    I'm not familiar with your entire setup so don't know how workable this will be for your entire situation. In open source products I can customize what ports will be used by the individual database servers and the ports each Apache virtual server or instance will go looking for at each database server. If you can do the same, and I seem to remember that port settings are at least customizable on SQL Server, that should solve your problem.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  5. Stoney

    Stoney Megabyte Poster

    731
    23
    69
    Have you tried creating an access rule to open up 10.0.10.10 to the second sql box to see if the websites work then? I'm not too sure how IIS deals with virtual IP's but it sounds like it acts as some sort of NAT agent for the virtual IP's. At the moment all traffic is originating from the IP on the physical NIC.

    Are the virtual IP's visible on the LAN.? Are they registered in DNS at all? Can you ping the websites hostname or virtual IP?
     
    Certifications: 25 + 50 metre front crawl
    WIP: MCSA - Exam 70-270
  6. garyb

    garyb Byte Poster

    179
    2
    22
    Hi,
    yes this is the same in my setup:

    IIS [DMZ]
    NIC1 - 10.0.10.10 [connect to server1 on 1433]
    Virtual IP on NIC1 - 10.0.10.11 & 10.0.10.12 [connect to server2 on 1434]

    SQL Server[LAN]
    Server 1 - 192.168.40.40 listening on 1433
    Server 2 - 192.168.40.41 listening on 1434

    The problem is the connection to Server2 on UDP 1434 cant get through. I can telnet this server on that port from any LAN machine, but impossible to do so on the webserver even after creating an access rule to route?

    Cheers

    G
     
    WIP: MCSA 2003
  7. garyb

    garyb Byte Poster

    179
    2
    22
    On my firewall NAT allows any to any interface so any traffic from DMZ to LAN is allowed. Then on the access rules you filter traffic as required, with the last rule being deny any to any. As a test I disabled that rule effectively allowing any traffic from DMZ subnets to LAN subnets, still no success!:eek:

    I can ping the virtual IPs from the LAN..

    Arggghhhh!
     
    WIP: MCSA 2003
  8. garyb

    garyb Byte Poster

    179
    2
    22
    Hmm, have you ever heard the phrase cant see the wood for the trees!!

    Taking your advice I put all websites on the primary NIC using host headers, then created an access rule to allow 1433 TCP, 1434 TCP & 1434 UDP from primary NIC to both SQL servers. This works!!

    However, I now have another problem. Each website needs SSL which cant be done using this method, hence my original attempt at stick each on a virtual IP.

    Wonder why I cant initiate the SQL connection from a virtual IP?

    Thanx for you clear thinking though, it made me sit back and look from a different angle..:eek:
     
    WIP: MCSA 2003
  9. ffreeloader

    ffreeloader Terabyte Poster

    3,661
    106
    167
    Take a look at this.

    http://www.microsoft.com/technet/pr...108-b1a7-494d-885d-f8941b07554c.mspx?mfr=true
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  10. Stoney

    Stoney Megabyte Poster

    731
    23
    69
    Do you have any SSL certificates installed on the server? As Freddy's link suggests, you can't configure SSL host headers yourself.

    This link may help you as well, although I think you may have gone past this point now.
     
    Certifications: 25 + 50 metre front crawl
    WIP: MCSA - Exam 70-270
  11. garyb

    garyb Byte Poster

    179
    2
    22
    Thanx to you all for your kind input, the websites are up and connecting to SQL so short term I may still get to enjoy xmas festivities:blink

    Will leave the SSLs till next year.

    Merry xmas
     
    WIP: MCSA 2003
  12. r.h.lee

    r.h.lee Gigabyte Poster

    1,011
    52
    105
    garyb,

    Which operating system is "IIS6" installed on?
     
    Certifications: MCSE, MCP+I, MCP, CCNA, A+
    WIP: CCDA

Share This Page

Loading...