Configuring a Demand-Dial Router
Broadband is becoming available in most metropolitan areas, but DSL is highly sensitive to the distance from the central office and digital cable is only just now being offered to businesses. Other full-time connection alternatives, such as fractional T-1s, are pricey even in an area with reasonable tariffs.
Often, the only affordable solution for branch-office or SOHO connectivity is a circuit-switched connection using modems or ISDN lines. There is no difference, at least conceptually, between routing over a circuit-switched connection or a leased line. The only practical difference is the speed and the delay as the connections are made and broken. For ISDN, this is a matter of a few hundred milliseconds. For modems, it should be no more than 15 to 20 seconds.
A Windows Server 2003 RRAS server can be configured to make and maintain a circuit-switched connection that can function as a tolerably good point-to-point solution. By using multiple modems, you can often achieve faster throughput than with ISDN and low-cost dedicated circuits.
Many ISDN routers have demand-dial routing built in, but you can get an attractive price for a simple ISDN terminal adapter that does not do "B" channel (bearer channel) bonding or demand-dial routing, then let RRAS do the chores. This section describes how to initialize routing services in an RRAS server and configure demand-dial connections to the Internet, either by using public IP addresses or NAT and a firewall.
Initializing Routing Services
To use any of the demand-dial alternatives, it is necessary to enable both Remote Access and Routing features in RRAS. Enabling routing in an existing remote access server involves restarting the service, so perform these steps after working hours, if necessary. You will not lose any existing remote access settings. Proceed as directed in Procedure 20.10.
Procedure 20.10 Initial Configuration of Routing Services
Open the Routing and Remote Access console.
Select the Remote Access Clients icon and verify that no users are connected to the server.
Right-click the local server name and select DISABLE ROUTING AND REMOTE ACCESS from the flyout menu. A warning appears informing you that disabling the service requires reconfiguration when it is re-enabled. Click Yes to acknowledge the warning and disable the service.
After the service stops (and this might take a while), the icon associated with the server changes to a red down-arrow. After the service has stopped, reinitialize RRAS using the instructions in Procedure 20.9 with the following additional steps.
At the Routing and Remote Access window, select Enable Server as a Router and select the Local and Remote Routing (LAN and WAN) radio button.
At the Dial-in or Demand Dial Interfaces window, select the Enable All Devices For Both Routing and Remote Access radio button.
The remaining steps are the same. When the RRAS service restarts, the Routing and Remote Access console contains an additional icon called Routing Interfaces.
After you have enabled routing, you can configure the server to be a demand-dial router to another office, a demand-dial Internet router, or a demand-dial Internet NAT gateway. The next two sections describe how to configure a demand-dial Internet router and an Internet NAT gateway. Demand-dial routing between offices is not covered because it is becoming increasingly rare as organizations move their commerce to the Internet.
Configuring a Demand-Dial Internet Router
If you want to retain public addresses in your network, then you will need a routed interface to the Internet. If this is a dial-up connection, then you need to configure the RRAS server to automatically make a connection whenever a client attempts to touch an Internet host. Here are the prerequisites for configuring a demand-dial Internet connection:
Windows Server 2003 equipped with a modem or ISDN adapter. If you have multiple modems or bearer channels, you can use multilink to bundle them together after the interface has been created.
Routing must be enabled on the server. See "Initializing Routing Services."
Assign the LAN interface on the demand-dial server a static address and do not assign a gateway. Configure the clients on the network to use the demand-dial server as their default gateway.
You must have a valid PPP account at the ISP. The ISP must agree to let you connect to its network using a router. This generally involves an agreement to filter all unacceptable traffic, which includes NetBEUI, IPX, and any transport protocol other than IP. You must also block broadcasts, although ISPs are good about doing that for you at their boundary routers.
The ISP must also agree to add your network to the routing tables on its routers. This usually comes as part of the fee for the IP addresses. If you provide your own addresses, an extra fee is added. ISPs generally charge fees at the top of the market for this service because they know that without their routers, you cannot connect to the Internet. The routing fee often comes bundled with a service package that includes DNS and email. You may or may not want this package.
Your network must use an IP subnet with sufficient public addresses to support all IP devices, including those that might never access the Internet. Getting those addresses might cost quite a bit of money.
Installing a Demand-Dial Interface
With the prerequisites in place, you're ready to install the demand-dial interface, configure it to route to the Internet, and configure automatic connection pickup. Start with installing the interface by following Procedure 20.11.
Procedure 20.11 Installing a Demand-Dial Interface
Open the Routing and Remote Access console.
Each communications device must be configured for demand-dial routing. Right-click the Ports icon and select PROPERTIES from the flyout menu. The Port Properties window opens.
Double-click a device that will be used for the demand-dial interface to open its Configure Device window.
Select the Demand-Dial Routing Connections option and click OK.
Repeat for each device that will be used for demand-dial routing, then close the Ports Properties window.
At the RRAS console window, right-click the Routing Interfaces icon and select NEW DEMAND-DIAL INTERFACE from the flyout menu. The Demand Dial Interface Wizard starts.
Click Next. The Interface Name window opens. Enter a name that describes the destination of the router. For example, use a name like ISP_rtr.
Click Next. The Connection Type window opens. Select the Connect Using a Modem, ISDN Adapter option unless you are using a VPN. If you select the VPN option, the wizard presents an additional window for VPN Type (set to Automatic by default) and the IP address or host name of the VPN server.
Click Next. If you have multiple circuit-switched devices, the Select A Device list appears. Select the device you want to associate with the demand-dial interface. If you want to use more than one device and multilink them together, you can do that after creating the demand-dial interface.
If the device you want to use does not appear on the list but it does appear on the Port list, make sure you configured it for demand-dial routing.
Click Next. The Phone Number window opens. Enter the phone number of the modem or ISDN line at the remote location. The Alternate option permits adding more numbers to call if the first is busy.
Click Next. The Protocols and Security window opens. Leave the Route IP Packets On This Interface selected. If you normally need to use login scripts when connecting to the ISP, select the Use Scripting option. The wizard presents you with a Router Scripting window to select a script.
Click Next. The Dial Out Credentials window opens. Enter the Name and Password for the account that will make the dial-up connection. Because this is a connection to the Internet, you should not need a domain unless your ISP uses NT or Windows Server 2003 to perform authentications.
Click Next. The final wizard window opens. Click Finish to add the interface and return to the Routing and Remote Access console.
Configuring the Demand-Dial Router
Now that the interface is in place, it must be configured to connect to the Internet Service Provider's access server (see Procedure 20.12).
Procedure 20.12 Configuring a Demand-Dial Router
Highlight the Routing Interfaces icon. The new demand-dial interface is listed in the right pane with a status of Enabled.
Right-click the demand-dial icon and select PROPERTIES from the flyout menu to open a properties window. At the General tab, under Connect Using, you can select additional modems or ISDN adapters if your ISP supports multilink.
Select the Options tab. Use the Connection Type option to set an inactivity time for the interface. You can choose to make this a Persistent Connection, but this generally violates the ISP's fair use agreement unless you have contracted for a full-time connection.
The default value for Redial Attempts is set to 0. The value you set depends on how often you need to retry the ISP line during the busiest time of the day.
Select the Networking tab, then open the Properties window for Internet Protocol.
You must obtain a fixed IP address for the WAN interface from the ISP. This is the address that the ISP will put in its routing tables to get to your network. Some ISPs assign a fixed address automatically based on your logon ID. In this case, you can leave the Obtain An Address Automatically radio button selected.
Click OK to save the changes and return to the RRAS console.
Test the connection by right-clicking the demand-dial interface icon and selecting CONNECT from the flyout menu. When the connection is made and the interface status changes to Connected, ping a few Internet addresses and names to make sure you have connectivity and proper DNS operation.
If the connection does not work, test using a standard dial-up connection. If that works, check the name and password you're using by right-clicking the demand-dial interface icon under Routing Interfaces and selecting CREDENTIALS from the flyout menu.
Configuring Automatic Connection Pickup
Now that the ISP connection is made, you must add a routing table entry so that traffic from clients in the local LAN is routed to the Internet interface. It is impossible to define a routing table that contains all the different IP addresses on the Internet, so the alternative is to configure a gateway that routes all non-local traffic to the demand-dial interface.
The default gateway is defined by a single routing table entry consisting of zeros for network destination and subnet mask. Default gateways are configured automatically for dial-up clients but you must enter the route manually for demand-dial interfaces.
You have already removed the default gateway from the LAN interface as part of the prerequisites for demand-dial routing. At this point, before configuring a default gateway, verify that one does not already exist. Run route print from the command line. There should be no 0.0.0.0 entries, meaning that there is no default gateway for the router. Here is an example routing table before adding a gateway entry:
0x1 ........................... MS TCP Loopback interface
0xe000004 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
0x11000002 ...00 c0 4f 53 6a f2 ......3Com 3C918
Network Destination  Netmask          Gateway         Interface       Metric
10.1.0.0             255.255.0.0      10.1.1.1        10.1.1.1        1
10.1.1.1             255.255.255.255  127.0.0.1       127.0.0.1       1
10.255.255.255       255.255.255.255  10.1.1.1        10.1.1.1        1
127.0.0.0            255.0.0.0        127.0.0.1       127.0.0.1       1
127.0.0.1            255.255.255.255  127.0.0.1       127.0.0.1       1
220.127.116.11       255.255.255.255  127.0.0.1       127.0.0.1       1
18.104.22.168        255.255.255.255  22.214.171.124  126.96.36.199   1
224.0.0.0            240.0.0.0        10.1.1.1        10.1.1.1        1
224.0.0.0            240.0.0.0        220.127.116.11  18.104.22.168   1
255.255.255.255      255.255.255.255  10.1.1.1        10.1.1.1        1
255.255.255.255      255.255.255.255  22.214.171.124  126.96.36.199   1
Addresses with host octets of 255 represent subnet broadcasts. Addresses of 255.255.255.255 represent general broadcasts. Addresses starting with 224.0.0.0 represent multicast subnets. Procedure 20.13 shows how to configure the interface for automatic pickup.
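The pre-check described above (no 0.0.0.0 entry before the static route is added) can be scripted against saved route print output. The following is an added example, not part of the original text: the function names are hypothetical, the sample table is constructed, and 192.0.2.10 is a placeholder for the ISP-assigned WAN address.

```python
import ipaddress

# Constructed sample shaped like the route print table above. 192.0.2.10 is a
# placeholder for the ISP-assigned WAN address (assumption, not from the page).
SAMPLE_ROUTES = """\
Network Destination Netmask Gateway Interface Metric
10.1.0.0 255.255.0.0 10.1.1.1 10.1.1.1 1
10.1.1.1 255.255.255.255 127.0.0.1 127.0.0.1 1
10.255.255.255 255.255.255.255 10.1.1.1 10.1.1.1 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.0.2.10 255.255.255.255 127.0.0.1 127.0.0.1 1
224.0.0.0 240.0.0.0 10.1.1.1 10.1.1.1 1
255.255.255.255 255.255.255.255 10.1.1.1 10.1.1.1 1
"""

def parse_routes(text):
    """Return (dest, mask, gateway, interface, metric) for each route row."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # interface list, column header, blank line
        try:
            dest, mask, gw, iface = (ipaddress.IPv4Address(f) for f in fields[:4])
            routes.append((dest, mask, gw, iface, int(fields[4])))
        except ValueError:
            continue  # five tokens, but not a route row
    return routes

def classify(dest, mask):
    """Label a row using the address conventions the text describes."""
    if int(dest) == 0 and int(mask) == 0:
        return "default"
    if int(dest) == 0xFFFFFFFF:
        return "general-broadcast"
    if dest.is_multicast:
        return "multicast"
    if dest.is_loopback:
        return "loopback"
    if int(mask) == 0xFFFFFFFF:
        return "subnet-broadcast" if dest.packed[-1] == 255 else "host"
    return "network"

def default_routes(text):
    """Rows that would act as a default gateway (0.0.0.0 / 0.0.0.0)."""
    return [r for r in parse_routes(text) if classify(r[0], r[1]) == "default"]

def ready_for_default_route(text):
    """True when no 0.0.0.0 entry exists, as required before Procedure 20.13."""
    return not default_routes(text)

if __name__ == "__main__":
    for dest, mask, *_ in parse_routes(SAMPLE_ROUTES):
        print(f"{str(dest):<16} {str(mask):<16} {classify(dest, mask)}")
    print("ready:", ready_for_default_route(SAMPLE_ROUTES))
```

A leftover default gateway on the LAN interface shows up as a non-empty result from default_routes, with the offending gateway address in the third field of the row.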
Procedure 20.13 Configuring Automatic Connection Pickup
From the RRAS console, expand the tree under the Local Server icon to show the IP Routing icon.
Right-click Static Routes and select CREATE A NEW STATIC ROUTE from the flyout menu. The Static Route window opens (see Figure 20.33).
Figure 20.33. Static Route window showing default gateway route.
Under Interface, select the new ISP demand-dial interface you just created.
Under Destination and Network Mask, enter all zeros (0). This designates the demand-dial interface as the default gateway for the router. The Gateway entry itself is dimmed because demand-dial connections have no gateways.
Leave Metric set for 1.
Verify that Use This Route To Initiate Demand-dial Connections is selected. This tells RRAS to pick up the demand-dial circuit when any traffic arrives that is not bound for an address on the local subnet.
Click OK to save the changes and return to the RRAS console. The new static route appears in the right pane.
Now test the connection. From a client that is configured to use the demand-dial router as a gateway, ping the WAN interface on the server. When that ping succeeds, start a continuous ping to an Internet address, such as ping -t 184.108.40.206. Wait for the demand-dial connection to the ISP to pick up.
At that point, the ping succeeds. If either ping fails, use TRACERT or PATHPING to see where the connection is failing. If you get an Internet Control Message Protocol (ICMP) echo from the demand-dial router but not from the Internet, check that you correctly configured the routing table at the ISP router. Make sure to keep the connection up while you troubleshoot.
Unless you select the Persistent Connection option, the demand-dial connection will eventually time out and disconnect. If you are using a modem, you need to educate your users to wait for a few seconds after they fire off their browsers while the modem picks up. For ISDN links, you have the opposite problem. You do not want the ISDN line to stay hot continuously. Ask anyone who has gotten a $2000 phone bill the month after installing his spanking new ISDN line. Stay aware of the traffic patterns at the demand-dial router until you're sure that you won't get any surprises.
One note of caution: In this demand-dial router configuration, your network is bare to the Internet. The NAT option in the next section includes the ability to enable the Internet Connection Firewall (ICF) in Windows Server 2003. This is preferable to the simple demand-dial routing configuration outlined in this section. If you do not want to use NAT, you should install a firewall in front of the demand-dial router.