
Using Server 2008 R2 as NAT causing slow internet speed

pollardhimself

I was planning on using my server as a second firewall, but when NAT is enabled my client computers' internet browsing is extremely slow. Any ideas why?
 
Double-NATing can cause that. Browsing can be slow and you won't be able to access certain sites, such as SSL sites. SBS is set up to handle double-NATing, and I thought that straight server 2003/2008 was set up to do that, too, but I haven't tried it.
 

That's probably my problem; I'll do more testing.

was planning on

1st server as ISA or something of that nature
(right now it's NAT'ed) still have to figure out what firewall software to use

to

switch with webserver

to

Server 2008 r2

to

lan
 
Unless there is a real reason for using the Server as a Router and Central Firewall, then it is useless to do so.

If it is a router and Firewall, the whole topology has to be adjusted to it. Otherwise, adding it in line to a regular Cable/DSL Router is not a smart move.

So if you have a real functional reason to do so, explain why, or it looks like you are just playing "ignorantly" around.

http://ts2blogs.com/blogs/rwagg/archive/2009/10/23/how-do-i-make-my-server-2008-or-r2-a-router.aspx


😎
 
I was actually following my Microsoft certification instructor's network topology.



Straight from MS

clip_image004_thumb.jpg


My version

43152128.png
 
They are showing something that is often a single firewall using policies.

The 'external firewall' is the public to DMZ, the 'internal firewall' is public to private. There are often good reasons to either block or heavily restrict the DMZ to Private. In reality that 'external firewall' would be providing public IP service (not NAT) to the 'internal firewall' if you were using two devices to simulate a DMZ.
 

The external firewall is going to be something like Microsoft's ISA software, not NAT; I just don't have it set up now.
 
I remember setting up a NATing server using Routing and Remote Access on Windows Server, and performance is great 🙂
 
That would be stupid, didn't you see my drawing?

Ya...but your drawing has your DC set up as the 2nd firewall (separating your DMZ from your LAN). Not quite as stupid, but still not recommended. Your DC really shouldn't be performing any kind of Firewall/NAT function...
 
Your DC really shouldn't be performing any kind of Firewall/NAT function...
There are, I'm sure, tens (hundreds?) of thousands of SBS 2003 and SBS 2000 servers that have been serving as NAT firewalls in small business networks for the past ten years. That was Microsoft's recommended "best practice" for small business servers and works just fine.
 
There are, I'm sure, tens (hundreds?) of thousands of SBS 2003 and SBS 2000 servers that have been serving as secondary or primary NAT firewalls in small business networks for the past ten years. That was Microsoft's recommended "best practice" and works just fine.

It works fine when you have a single AD server, but from experience, once you got to Windows Server 'real editions' with AD servers out at sites etc. you might run into issues. I personally have experienced this and I finally deduced it was the Routing and Remote Access that knocked the server offline. Removed the R&RA and had to demote and promote to fix it. With R&RA active it wouldn't even demote and I wanted to avoid a /forceremoval.
 

SBS is a real server. It is ideal for small companies and is designed expressly to be used as a DC, Exchange Server, ISA server and so forth depending upon the edition.

For larger companies, dedicated servers are appropriate but don't shortchange SBS.
 
There are, I'm sure, tens (hundreds?) of thousands of SBS 2003 and SBS 2000 servers that have been serving as NAT firewalls in small business networks for the past ten years. That was Microsoft's recommended "best practice" for small business servers and works just fine.

Yes, but SBS is a niche product for a niche market (albeit a very large market).

If you're not running SBS, and you have (or can afford) more than 1 server, then your DC is the last server that I would suggest you use as a NAT/Firewall. That's the only point I'm trying to make.
 
Windows DNS sucks ballz. It is far slower than BIND even when set to forward all but the local domain.

Last time I checked it was about 2-3x slower than BIND (local Unix boxen DNS server, cache-only mode).

But you are kind of stuck with Windows DNS if you want AD integration without pain.
 
You can go to SourceForge and get namebench (Google DNS page has a link). It will benchmark your DNS versus OpenDNS/Google versus locals versus localnet.

UUNET cache DNS (internet) was always faster for lookups than my local Windows DNS servers (or the router itself), probably due to massive caching and quick response to DNS [that is all it does].
 
Ya...but your drawing has your DC set up as the 2nd firewall (separating your DMZ from your LAN). Not quite as stupid, but still not recommended. Your DC really shouldn't be performing any kind of Firewall/NAT function...

I don't believe it is generally regarded as a good idea to multi-home a domain controller either, though it is technically supported.
 
That's because people often don't configure them properly. A properly-configured multi-homed Domain Controller works just fine.

You want the NICs to be on different subnets and you don't want the "External" NIC to be registered in DNS.

http://support.microsoft.com/kb/272294
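
A read-only way to check the two conditions from the post above (NICs on different subnets, external NIC not registered in DNS), as an added example that is not part of the original thread or of the linked KB article. It assumes PowerShell 2.0 on the server and uses only the WMI class `Win32_NetworkAdapterConfiguration`; the helper name `Get-IPv4Network` is made up for this example, and which adapter counts as "external" is left for the administrator to judge from the table.

```powershell
# Added example: read-only audit of a multi-homed server's NIC settings.
# Changes nothing; it only reads Win32_NetworkAdapterConfiguration via WMI.

function Get-IPv4Network {
    # Hypothetical helper: network address = IP AND subnet mask, byte by byte.
    param([string]$Address, [string]$Mask)
    $a = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    $m = [System.Net.IPAddress]::Parse($Mask).GetAddressBytes()
    $n = 0..3 | ForEach-Object { $a[$_] -band $m[$_] }
    return ($n -join '.')
}

$report = @()
$nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE"
foreach ($nic in $nics) {
    for ($i = 0; $i -lt $nic.IPAddress.Count; $i++) {
        $ip = $nic.IPAddress[$i]
        # IPAddress also lists IPv6 entries; keep dotted-quad IPv4 only.
        if ($ip -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { continue }
        $report += New-Object PSObject -Property @{
            Adapter        = "{0} [{1}]" -f $nic.Description, $nic.Index
            IPv4           = $ip
            Network        = Get-IPv4Network $ip $nic.IPSubnet[$i]
            RegistersInDns = $nic.FullDNSRegistrationEnabled
        }
    }
}

$report | Format-Table Adapter, IPv4, Network, RegistersInDns -AutoSize

# Check 1: no two adapters should sit on the same IPv4 subnet.
$report | Group-Object Network | ForEach-Object {
    $adapters = @($_.Group | Select-Object -ExpandProperty Adapter -Unique)
    if ($adapters.Count -gt 1) {
        Write-Warning ("Adapters share subnet {0}: {1}" -f $_.Name, ($adapters -join '; '))
    }
}

# Check 2: the external adapter should not register in DNS, so on a
# two-NIC server at most one adapter should show RegistersInDns = True.
$registering = @($report | Where-Object { $_.RegistersInDns } |
                 Select-Object -ExpandProperty Adapter -Unique)
if ($registering.Count -gt 1) {
    Write-Warning ("More than one adapter registers in DNS: {0}" -f ($registering -join '; '))
}
```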
 
SBS is a real server. It is ideal for small companies and is designed expressly to be used as a DC, Exchange Server, ISA server and so forth depending upon the edition.

For larger companies, dedicated servers are appropriate but don't shortchange SBS.

I am perfectly aware of what SBS is.
 