Setup Windows Server 2016 as a NAT Router
Introduction
In this article I’ll be setting up Windows Server 2016 as a NAT router to route traffic between my virtual lab LAN and the internet. Please note that this article was written in the context of the configuration used in my virtual lab. You’ll have to adapt it to your network setup. Also, you will need a DHCP server to provide IP addresses to your client computers and a DNS server so that your client computers are able to resolve names. As a quick reference, my lab environment is as below:
If you’d like to add another subnet to your router and have NAT working for both of them, please read LAN Routing and NAT with Windows Server 2016. If you’d like to read how to set up IPFire, a very simple to install Linux router and firewall, with a more generic configuration that will achieve the same goal, read Installing Ipfire – A Linux router and firewall.
If you’d like to continue following this article, you can read on how to install Windows Server 2016 and, after installing, read how to rename the server so that you can identify its primary role by its name. I called mine SRVGW01 (GW=Gateway).
The server must have two NICs, one configured for the internal network (LAN) and another one configured to access the internet. I’ll call it WAN.
The first thing I’ll do is to rename the network interfaces to better identify them.
Configuring the NICs
Open “Settings”
Choose “Network & Internet”
And choose “Change adapter options”
From the “Network Connections” window, it is pretty easy to spot which is the LAN connection (Unidentified network) and which is the WAN connection (identified below as Network). Let’s rename them. Select the connection to rename and press the “Rename this connection” button. Rename them accordingly.
It should look like this:
The LAN adapter needs to be configured with a static address, while the WAN adapter should be set to DHCP. The address configured on the LAN adapter is the address the client computers will use as their gateway. Right-click on the LAN adapter and select “Properties”.
Highlight “Internet Protocol Version 4 (TCP/IPv4)” and select “Properties”.
Set up the IP address settings to match your network configuration and press OK. Note that you need to have a DNS server set up on the network. It can be the same server where this role is being installed.
Adding the “Remote Access” server role
Now it’s time to install the “Remote Access” server role. Open Server Manager and select “Add roles and features”.
Press “Next” until you reach the screen below. Select the “Remote Access” role and press “Next”.
Press “Next” at the following screen.
Press “Next” and then select “Routing”, as shown below:
Click on “Add Features”.
Continue to the end of the wizard by pressing “Next”. Press “Install” at the confirmation screen.
Configuring the “NAT router”
Wait for the installation to finish and open the “Routing and Remote Access” console. Press “Start” and under “Windows Administrative Tools” find “Routing and Remote Access”.
Right-click on the server name and select “Configure and Enable Routing and Remote Access”.
Press “Next” at the wizard welcome screen. Choose “Network address translation (NAT)” and press “Next”.
Select the WAN adapter and press “Next”.
Press “Finish”, wait for the configuration to finish and verify that the NAT router is working properly. Expand the IPv4 node, select “NAT” and you should see that packets have been translated.
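The same configuration can be scripted and then checked from an elevated PowerShell prompt. The following is an added example, not the author's procedure: the pre-rename adapter names are assumptions, the addressing is the lab's own (10.0.0.30/27 with DNS 10.0.0.1, as quoted in the comments below), and it assumes that `Install-RemoteAccess -VpnType RoutingOnly` followed by `netsh routing ip nat` gives the same result as the wizard. The final checks also confirm that Windows Firewall is still enabled on the router.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted equivalent of the GUI steps, followed by sanity checks.
$ErrorActionPreference = 'Stop'

# Assumptions: adapter names before renaming, and this lab's addressing. Adapt them.
$LanOld = 'Ethernet 2'      # assumed original name of the internal NIC
$WanOld = 'Ethernet'        # assumed original name of the internet-facing NIC
$LanIp  = '10.0.0.30'       # address the clients will use as their gateway
$Prefix = 27                # 255.255.255.224
$Dns    = '10.0.0.1'        # DNS server on the LAN

# Configuring the NICs: rename, WAN on DHCP, LAN static with no default gateway.
Rename-NetAdapter -Name $LanOld -NewName 'LAN'
Rename-NetAdapter -Name $WanOld -NewName 'WAN'
Set-NetIPInterface -InterfaceAlias 'WAN' -AddressFamily IPv4 -Dhcp Enabled
New-NetIPAddress -InterfaceAlias 'LAN' -IPAddress $LanIp -PrefixLength $Prefix | Out-Null
Set-DnsClientServerAddress -InterfaceAlias 'LAN' -ServerAddresses $Dns

# Adding the "Remote Access" role with the "Routing" role service.
Install-WindowsFeature -Name Routing -IncludeManagementTools | Out-Null

# Configuring NAT: WAN is the public (translated) side, LAN the private side.
Install-RemoteAccess -VpnType RoutingOnly
netsh routing ip nat install
netsh routing ip nat add interface name="WAN" mode=full
netsh routing ip nat add interface name="LAN" mode=private

# Sanity checks: addressing as described above, service up, firewall still on.
function Test-Dhcp($Alias, $Expected) {
    (Get-NetIPInterface -InterfaceAlias $Alias -AddressFamily IPv4).Dhcp -eq $Expected
}
$lanCfg = Get-NetIPConfiguration -InterfaceAlias 'LAN'
$checks = [ordered]@{
    'LAN uses a static address'     = Test-Dhcp 'LAN' 'Disabled'
    'LAN has no default gateway'    = -not $lanCfg.IPv4DefaultGateway
    'WAN uses DHCP'                 = Test-Dhcp 'WAN' 'Enabled'
    'RemoteAccess service running'  = (Get-Service RemoteAccess).Status -eq 'Running'
    'Firewall on for every profile' =
        @(Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' }).Count -eq 0
}
foreach ($c in $checks.GetEnumerator()) {
    '{0,-32} {1}' -f $c.Key, $(if ($c.Value) { 'OK' } else { 'CHECK' })
}
```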
As always, if you found this article useful, share it with your friends.
If you have any question or suggestion, leave your comment.
Thank you for reading!
Hi! And thanks for a great How-To!
But … there is always a but, in your 2nd to last image, where I should pick the adapter, I can’t find any interfaces at all, but I do have them both working properly, the WAN have internet access, and the WAN have a connection to my LAN router.
Have any suggestions?
Hi!
Thank you for your comment and sorry for the late reply!
Yes, have you tried to remove and re-add the “Remote Service” role?
I’ve seen something similar happen when you add a new NIC after the role has been enabled.
Let me know.
Cheers!
Have you assigned an IP for both? I had to assign IPs and start again the Configuration Wizard
Thanks. I get the following error after I click Finish on the add roles wizard:
“Routing and Remote Access – Remote Access Service is unable to enable Routing and Remote Access for the probable reason like: unable to open ports for Routing and Remote Access in Windows Firewall service. In this case RAS may not accept vpn connections.
User Action: Manually open the port of Routing and Remote Access in the windows firewall.”
I also get an extra page of features after Add Features and before Install.
I have tried manually opening the port using the rules already in the firewall but this didn’t work. I have tested by disabling the firewall completely as this is a lab I’m setting up for training and it still doesn’t work. I have completely rebuilt the server from a new VM and still have the same issue. Any ideas?
Dear Pedro Pina,
I followed your guide. I installed Windows Server 2016 on a Hyper-V second generation virtual machine with 2048 MB RAM and two network cards named ext and int, and updated it. Then I set up Windows Server 2016 as a NAT router. Then I installed Windows 8.1 on a Hyper-V first generation virtual machine with 1024 MB RAM and one network card named int. During the installation there was not any Internet connection for the Windows 8.1 virtual machine. There is not any Internet connection after the installation for the Windows 8.1 virtual machine.
Truly yours, Adam Holes
Hi Adam,
First of all thank you for your comment and for reading.
Could you please be a bit more specific regarding your setup? How do you have the Hyper-V virtual switches configured?
Do you have a DHCP server in place in your LAN so that the client gets an IP address? Or have you set it up manually?
Thank you.
Best regards,
Pedro
Hi Pedro,
thank you for your quick reply to my comment.
the `int’ virtual switch is “Internal only”.
The `ext’ virtual switch is “Intel(R) Dual Band Wireless-AC 8265”.
I checked the “Allow management operating system to share this network adapter” check box.
I named the virtual machines after the planets of the Solar System.
The Windows Server 2016 virtual machine is `Mercury’.
I renamed the Windows Server 2016 computer to `mercury’.
`Mercury’ connects to the Internet through the `ext’ virtual switch.
`mercury’ checked for updates, downloaded updates and installed updates successfully.
This is the equivalent of the update/upgrade terminology in Ubuntu/Debian.
I even managed to browse the Internet with Internet Explorer in `Mercury’.
The Windows 8.1 virtual machine is `Venus’.
The Windows 8.1 computer name is `venus’.
I configured `mercury”s LAN.
The “Internet Protocol Version 4 (TCP/IPv4) Properties” were as shown in your figure:
The “Use the following IP address:” radio button was selected.
“IP address:” 10.0.0.30,
“Subnet mask:” 255.255.255.224,
“Default gateway:” left empty.
The “Use the following DNS server addresses:” radio button was selected.
“Preferred DNS server:” 10.0.0.1,
“Alternate DNS Server:” left empty.
After reading your reply to my comment,
I tried the following:
In the “Internet Protocol Version 4 (TCP/IPv4) Properties” configuration window,
I selected the “Obtain an IP address automatically” radio button.
I also selected the “Obtain DNS server address automatically” radio button.
Then I restarted `mercury’.
This is the equivalent of the reboot terminology in Ubuntu/Debian.
Then I logged in to `mercury’ and waited for the “Server Manager” to load entirely.
Then I started the `Venus’ virtual machine.
There was no Internet in `venus’.
Or was the problem the following: I should have configured a fixed IPv4 address in `venus’?
Truly yours, Adam
Hi Adam,
First of all, do you have communication between both machines, i.e., can you ping Mercury from Venus and Venus from Mercury?
Mercury:
WAN – should be left as DHCP if it is connected to your internet access.
LAN – The IP address configuration shown in the tutorial reflects the IP address configuration I was using in my lab at the time of writing. You have to use a static IP configuration for the LAN. You should also have a DNS server in place in your LAN. In my case my DNS server was my Domain Controller which had an IP address of 10.0.0.1
Venus:
Should be connected to your “int” virtual switch. It should be configured to use DHCP, if you have a properly configured DHCP server in place in your LAN. If not, you should configure a static IP address, with the gateway pointing to Mercury’s LAN IP address and the DNS pointing to whatever server you configured as a DNS server. Mercury?
Best regards,
Pedro
So I did this but still not getting a connection on internal network, help???
So we have Google Wifi so we are on 192.168.86.1-254. My server external IP is 192.1168.1.239 but when I try ping 192.168.81.1 or 8.8.8.8 I get the reply error “reply from 192.168.86.31 error host destination unreachable.”
Hi Logan,
Thank you for your comment.
This means that you have the IP address 192.168.86.31 set as a gateway and this gateway doesn’t know where to redirect your ping request.
What is your setup/environment?
Regards,
Pedro
Hello there,
I have configured NAT properly but my server 2012R2 is very slow while restarting and I couldn’t get shared files in the server.
Hi Bet, thank you for commenting and reading.
Could you please explain further the issue you are experiencing?
Thank you.
Cheers,
Pedro
OK, I set this up in VMware Workstation. I have LAN at 172 and WAN to 192. Can I remote in to the 172 from my PC? If so, how can I set it up? Firewall inbound?
Hi Luisa,
thank you for your comment.
You should be able to inbound from your WAN to your LAN, like with any other router, but for that, yes, you need to configure inbound firewall rules.
Worked for me perfectly, thank you for sharing the document.
Cheers,
Kapil
Hi Kapil!
Thank you for reading! I’m glad it worked for you.
Cheers
Hi,
Your article helped me a lot. Thanks a lot.
My virtual environment can now reach external IP addresses through the RRAS server. However, the name resolution to external domains like google.com from the clients does not work. Do you have any idea what could be the reason for this?
My environment is very similar to yours. I only have the DHCP installed on the DNS / AD server.
Thanks
Hi Eric Stolz,
I almost thought that you were an homonym of Eric Stoltz, the guy fired from “Back To The Future” 🙂
Well, are your clients configured with the correct DNS server address, via DHCP (or manually)? Is the DNS server able to reach the internet or have forward enabled and configured?
EDIT: check this comment, most probably it is what you need to do: https://www.experiencingit.net/windows/windows-server/lan-routing-nat-windows-server-2016/#comment-24870
Let me know.
Regards,
Pedro