I tried to set up a Full NAT, RemoteAccess + IpNAT (not ICS), on Windows Server 2008 R2.
I found out that you can't set the global NAT parameter, `netsh routing ip nat set global ...`, without getting an error. While netsh allows it to be entered and doesn't complain of any error, this is VERY misleading, as the command actually registers an error event under the 'System' Windows event log, event 32003 from SharedAccess_NAT:

```xml
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-SharedAccess_NAT" Guid="{A6F32731-9A38-4159-A220-3D9B7FC5FE5D}" EventSourceName="ipnathlp" />
    <EventID Qualifiers="0">32003</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2014-06-12T16:57:22.000000000Z" />
    <EventRecordID>101092</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>System</Channel>
    <Computer>xxx</Computer>
    <Security />
  </System>
  <EventData Name="IP_NAT_LOG_IOCTL_FAILED" />
</Event>
```

So now, if this `set global` command is entered at least ONCE, the NAT will actually stop working on the NEXT REBOOT. You don't really see it from `netsh routing ip dump`, as it retains all the information as you entered it, BUT the NAT is actually simply not working.
The first indication is that, if you have dnsproxy on, after the reboot it won't open UDP port 53 for listening anymore (check with `netstat -na`). And if you really try to use it from a client PC, the DNS query is not answered by Win2K8 (as gateway and DNS proxy) and any traffic to the outside network is not NATed.

All you need to do to be in this situation is JUST enter the `set global` command ONCE, even if you actually set it to the same default value from a freshly installed NAT (use `dump` to get the current default value, then set a parameter to the same value printed):

```
%netsh routing ip nat uninstall
%netsh routing ip nat install
%netsh routing ip nat dump
%netsh routing ip nat set global tcptimeoutmins=1440
```

And you will be trapped in this situation. On the next reboot, your NAT actually stops working, without any apparent indication whatsoever. Meaning the `netsh routing ip dump` looks good, and both the IpNAT and RemoteAccess services are running fine. No critical error is seen in the 'System' Windows event log since the reboot. The only indication you may see, just as I stated above, is that if you have dnsproxy on, `netstat -na` will show that UDP port 53 is no longer open for listening.
The only way to recover from this is to uninstall the NAT and reinstall it again:
```
%netsh routing ip nat uninstall
%netsh routing ip nat install
```

And as long as you don't enter the `set global` command, the NAT will survive the reboot.

I believe this is a very severe error, as we can't modify the global NAT parameters. For me, the most important thing I want to achieve is to prolong the UDP mapping timeout to 5 min. And I can't do that anymore in Win2K8; I'm stuck with the default of 1 min.
A quick response from Microsoft technical staff is highly appreciated so this issue is addressed properly. It's 100% reproducible.
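The post names two indicators of this silent failure: event 32003 (IP_NAT_LOG_IOCTL_FAILED) from SharedAccess_NAT at configuration time, and UDP port 53 no longer listening after the reboot while the services still look healthy. The following PowerShell health check is an added example, not code from the original post; it assumes PowerShell 2.0 or later on the Win2K8 R2 NAT box itself, run elevated, and parses `netstat -na` because `Get-NetUDPEndpoint` is not available on that OS. The function names are the author's own.

```powershell
# Added example (not from the original post): flag the NAT failure mode described above.
# Assumes an elevated PowerShell 2.0+ session on the Windows Server 2008 R2 NAT gateway.

function Get-NatIoctlFailures {
    # Event 32003 from SharedAccess_NAT is logged when 'set global' hits the IOCTL failure.
    # Get-WinEvent raises a non-terminating error when nothing matches, hence SilentlyContinue.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-SharedAccess_NAT'
        Id           = 32003
    } -ErrorAction SilentlyContinue
}

function Test-DnsProxyListening {
    # After the bad reboot the DNS proxy no longer binds UDP 53, even though services run.
    # Match lines such as "  UDP    0.0.0.0:53    *:*" from netstat -na.
    $lines = netstat -na
    [bool]($lines | Where-Object { $_ -match '^\s*UDP\s+\S+:53\s' })
}

function Test-NatHealth {
    $rras = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
    $failures = @(Get-NatIoctlFailures)
    $report = New-Object PSObject -Property @{
        RemoteAccessRunning = ($rras -ne $null -and $rras.Status -eq 'Running')
        IoctlFailureEvents  = $failures.Count
        LastIoctlFailure    = if ($failures.Count -gt 0) { $failures[0].TimeCreated } else { $null }
        DnsProxyOnUdp53     = Test-DnsProxyListening
    }
    # Healthy RRAS but no UDP 53 listener, or any 32003 event, is the post's "trapped" state:
    # the fix it describes is 'netsh routing ip nat uninstall' followed by 'install'.
    $report | Add-Member NoteProperty NatLikelyBroken (
        ($report.IoctlFailureEvents -gt 0) -or
        ($report.RemoteAccessRunning -and -not $report.DnsProxyOnUdp53)
    ) -PassThru
}

Test-NatHealth | Format-List
```

The DNS-proxy check only applies when dnsproxy is enabled; on a NAT without it, treat `DnsProxyOnUdp53` as informational and rely on the event count.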