Topic: SME server in MPLS network

[Frank VB]

Hello SME community

We've been running an SME server in server/gateway mode (with a fixed public IP address) behind an ADSL modem/router successfully for years now, but in the coming days we will switch to an MPLS based network. We have two locations which up to now were currently not connected. On each location we'll have a VDSL2 connection with a Cisco router. The two locations will be connected with each other through the routers. Each location will have its own secured internet access, meaning traffic will pass through a netscreen firewall managed by our ISP (as are the routers).

This is how the two locations will look like in the MPLS network:

Location A
IP address range: 192.168.1.x
Subnet: 255.255.255.0
SME Server IP: 192.168.1.1
Cisco Router: 192.168.1.254

Location B
IP address range: 192.168.2.x
Subnet: 255.255.255.0
Cisco Router: 192.168.2.254

I've been reading through the documentation, FAQs and forum posts to learn whether the setup of the SME on location A is the right one but I'm still not 100% sure.

First, I'm planning on switching my server from server/gateway to server only mode. Therefore it will no longer act as firewall or as proxyserver. It will keep acting as domain controller, web-, mail- and samba fileserver. Therefore I've asked the ISP to open/forward the necessary ports to the internal IP of the SME server.

Second, I’ll set the internal IP address to 192.168.1.1 (actually it remains the same as in the current network setup), and I'll enter 192.168.1.254 as gateway address in the SME console configuration screen.

Now the thing that I'm not sure about is the DHCP and especially DNS. I think that DHCP has to be taken over by the Cisco routers because SME server is capable of handing out IP-addresses to the 192.168.1.x network but, correct me if I'm wrong, it can’t hand out IP-addresses to the 192.168.2.x network even if I add this network to the "local networks" in server manager. So I will deactivate the DHCP role of the SME server in the SME configuration console.

Since DHCP will be handled by the routers, it's not clear to me whether client PC's on both networks should use the SME server (192.168.1.1) as DNS or use the providers’  DNS servers? In other words, what DNS information should be provided by the DHCP server to the clients? The SME server IP address or the ISP’s DNS servers? The DNS question is important because I would like to have the possibility of connecting all the clients on location B to the SME domain controller in location A and be able to access the samba shares on this server.

If anyone with much more (networking) experience than mine could shed some light on this I'd be grateful.

Frank

[johnp]

You could hand out addresses to the second network. You would have to do a bit of custom templating and add an ip helper-address on the remote router.

[mmccarn]

I don't know about samba & dns, but on Windows networks I always have trouble with the local network if the workstations aren't getting their DNS from an active directory controller.

If you're worried about latency on your MPLS wan, you could setup a caching dns proxy at site 2 that uses the SME at site 1 for DNS -- then all your workstations would get "sme approved" dns entries.

My first attempt would be:
- Configure routing on the two ciscos so that everyone on .2.x can get to .1.x and vice-versa
- Add a "local network" on the SME for .2.x with a gateway of .1.254
- Try using the Ciscos for DHCP, but specify your SME for DNS from both networks.
(Note: this recommendation depends on how responsive the ISP is.  If you can't afford for your users to be down for the amount of time it takes your ISP to respond, you need to guess right the first time...)

[CharlieBrady]

I think that DHCP has to be taken over by the Cisco routers because SME server is capable of handing out IP-addresses to the 192.168.1.x network but, correct me if I'm wrong, it can’t hand out IP-addresses to the 192.168.2.x network even if I add this network to the "local networks" in server manager.

You can, but not simply, but why do you want to? You have two networks; it's simple to have one DHCP server on each LAN.

I don't see anywhere where you describe how you want each each server to interact with the other LAN. AFAICT, you just want server A to list LAN B as a 'local network' and server B to list LAN A as a 'local network'. That will configure routing and also configure access lists to services.

[Frank VB]

First, thank you all for your replies!

My first attempt would be:
- Configure routing on the two ciscos so that everyone on .2.x can get to .1.x and vice-versa
- Add a "local network" on the SME for .2.x with a gateway of .1.254
- Try using the Ciscos for DHCP, but specify your SME for DNS from both networks.
(Note: this recommendation depends on how responsive the ISP is.  If you can't afford for your users to be down for the amount of time it takes your ISP to respond, you need to guess right the first time...)

This is what I have in mind as a solution. The only thing I'm worried about, apart from the ISP's responsiveness, is clients at location B not being able to resolve addresses (fast enough) with the SME at location A. I guess, that's probably why you're suggesting the dns proxy cache solution. How do I implement this in SME? Do I install a SME at location B and enter the IP address 192.168.1.1 (the server at location A) in the "Corporate DNS server address" panel of the configuration screen?

You can, but not simply, but why do you want to? You have two networks; it's simple to have one DHCP server on each LAN.

Using the server at location A for handing out IP-addresses at location B is certainly not a 'must have' and if it is complicated, as you indicate, then I would rather opt for an easier solution. Having a DHCP server at location B is an option. Actually, I do have a SME running at location B at the moment (it serves only as fileserver) but I'm planning on eliminating this server (= one server less to maintain) and moving all shares/files to the SME server at location A.

Frank

[CharlieBrady]

The only thing I'm worried about, apart from the ISP's responsiveness, is clients at location B not being able to resolve addresses (fast enough) with the SME at location A.

As long as your router does what it is meant to do, route, then that won't be a problem. dnscache on SME server A can resolve for two networks with no problem at all.

[Frank VB]

As long as your router does what it is meant to do, route, then that won't be a problem. dnscache on SME server A can resolve for two networks with no problem at all.

That's a clear and reassuring answer. Thank you, Charlie.