Default gateway - internet connection - server 2003 ent edition domain

Posted on 2009-02-17
Medium Priority
Last Modified: 2012-05-06
I need to understand what a default gateway is.  Till now, to me, a default gateway is a server which is the only server that allows clients access to the internet?  Below is a scenario where the clients are getting the first IP as default gateway from the 003 Router entry:

I am running server 2003 ent domain, 2 domain controllers (One NIC each) with AD, DNS, DHCP.  On my DHCP under scope options I have:
003 Router,
006 DNS servers,
015 DNS Domain name  mydomain.com
Under my clients' NIC, the default gateway value they get is  I think it is coming from 003 Router? Am I right?
How and where can I set only 1 default gateway setting for my domain (is my setting above for DHCP correct?).  Also, how can I make the other servers not allow any internet connection to clients?
Question by: amanzoor

Expert Comment

ID: 23660470
The default gateway is the IP address by which your network accesses external resources (the internet).

You need to get rid of that router entry and specify the "Default Gateway" scope option.
ref: http://support.microsoft.com/kb/139904

To deny access to your resources, you need a firewall.

Author Comment

ID: 23660751
Thanks for the response.
I tried finding 'Default Gateway' under configure scope but there is none.  How and where can I find the 'default gateway scope option'?  The article describes what the scope should look like.
******* To deny access to your resources, you need a firewall. ******* I meant how to prevent other member servers from becoming the default gateway.

Assisted Solution

brittonv earned 400 total points
ID: 23660878
I apologize, I haven't used Windows DHCP in a while.  Yes, the router entry is the default gateway.  You need to change it to list only your intended default gateway.

You need to specify the default gateway server.  This is the server or device that has the internet connection?  Only the server that has the Internet connection can act as the default gateway, so I don't really understand your question.



Author Comment

ID: 23661116
That's ok.
Some of my clients find other member servers on the domain, point their NIC configuration to 'Default gateway = Member server IP' and gain access to the internet.  What precautionary measures can I take, and how can I stop this from happening?  Maybe they have some malicious programs which find other member server addresses for them, and they use those IP addresses as their default gateway and set it manually in their NICs.  Which ports do I have to disable on those member servers?

Expert Comment

ID: 23668434
It's not a "port", it is a routing protocol. Windows Server by default (off the top of my head) runs the Routing and Remote Access service. This service performs routing between multiple IP addresses on a machine, but is not port restricted. It is a layer 3 service which applies before a layer 4 port restriction coming from a firewall.

Also, an important definition, is a "gateway" device. This is a device which typically has two or more network cards, with one being denoted as public and one (or more) being denoted as private.

like this:    <network>------><gateway><-------<internet>
A public ip address will be applied to the internet side of the gateway.
A private ip will be on the network side of the gateway.

Thus, most off-the-shelf residential routers are gateway devices. <lan>--<router>PUB.LIC.IPA.DDY--<ISP>

So, what the above statement, "003 Router," is saying is to use  as the default gateway (aka primary gateway), and to use  as a fallback or backup gateway.

If the client sees that  is not available (power down/crash/etc.), it will try to use  instead, basically.

I don't have a 2003 server available to me right now to give you an exact click-by-click, but basically you want to go into your DHCP configuration, select the scope in which the DHCP pool is defined, right click on that scope, and select "configure scope" or "configure scope options" or something similar.

Then scroll down the list (it should be at or near the top, actually), check off rule 003 and define it with  set as the only gateway.

Finally, if you're feeling paranoid, stop the "Routing and Remote Access" service on  if you feel so inclined. (It's 99% probable that it's not running anyway.)

-- Chris

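The two actions described in the reply above (hand out exactly one address in scope option 003, and make sure no member server can route for a client that points at it) as an added example. This is not code from the thread or from the poster; it assumes a scope of 10.10.10.0/24, the Cisco 2811's inside address 10.10.10.1 as the only gateway, a DHCP server named DC1 and member servers SRV1 and SRV2, all of which are placeholders. It is written for Server 2003 with PowerShell installed; `netsh` and WMI do the work, so it also runs from an ordinary command prompt if you strip the PowerShell parts.

```powershell
# Added example, not part of the original post. Placeholder names/addresses:
# scope 10.10.10.0/24, router 10.10.10.1, DHCP server DC1, members SRV1/SRV2.
$Scope    = "10.10.10.0"
$Gateway  = "10.10.10.1"
$DhcpHost = "DC1"
$Members  = @("SRV1", "SRV2")

# 1. Option 003 Router with a single value. Listing two addresses makes the
#    second one a fallback gateway; listing only the router removes that path.
netsh dhcp server \\$DhcpHost scope $Scope set optionvalue 003 IPADDRESS $Gateway
netsh dhcp server \\$DhcpHost scope $Scope show optionvalue

# 2. Audit whether a server could forward packets for a client that sets the
#    server's IP as its gateway. Two things turn a Windows box into a router:
#    the RemoteAccess (RRAS) service and the TCP/IP IPEnableRouter flag.
function Test-CanRoute {
    param([string]$Computer)
    $svc  = Get-WmiObject Win32_Service -ComputerName $Computer -Filter "Name='RemoteAccess'"
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
    $tcp  = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services\Tcpip\Parameters')
    $fwd  = $tcp.GetValue('IPEnableRouter', 0)
    "{0}: RRAS={1} (start={2}) IPEnableRouter={3}" -f $Computer, $svc.State, $svc.StartMode, $fwd
}
$Members | ForEach-Object { Test-CanRoute $_ }

# 3. On a member server that must never route (run locally as an administrator):
#    disable RRAS and clear the forwarding flag. Leave RRAS alone on the VPN server.
# sc.exe config RemoteAccess start= disabled
# sc.exe stop RemoteAccess
# Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -Name IPEnableRouter -Value 0

# 4. On a client, confirm which gateway it actually received.
# ipconfig /all
# route print 0.0.0.0
```

A change to IPEnableRouter only takes effect after a reboot, and a server that keeps RRAS for VPN can still forward between its interfaces, so the audit in step 2 is worth re-running after any RRAS reconfiguration. The ACL or firewall the earlier reply mentions is the control that holds even if a client ignores DHCP and sets a gateway by hand.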

Author Comment

ID: 23670269
Thanks for the description:
I have installed Server 2003 Enterprise Edition many times and RRAS never comes on by default.  I thought RRAS was only required for VPN? Since I am running VPN I had to enable RRAS on .  If I understood you correctly, RRAS makes a machine a 'default gateway'?? If a server is not running RRAS and clients put its IP into their NIC, will they not be able to go to the internet?
 In my situation:
I have Cisco 2811........>>>>My two servers and >>>>>clients.  According to your definition of default gateway, my two servers are NOT, as both of them have one NIC each and cannot be assigned an external IP, as my NAT is performed at the router.
I 100% agree with you on the scope level of 003 Router, where 2 addresses mean the next one is the backup.
Sorry to ask you many questions, I would like to be clear before I start 'stopping and enabling services' at the router or on the servers.
-A server running RRAS is the default gateway? It should have 2 NICs? (According to Microsoft, they always suggest never to put 2 NICs on a domain controller.)  My 2 servers are domain controllers; I had some trouble putting 2 NICs in them in the past.

Author Comment

ID: 23670372
Hello asdlkf:
Correction: I just checked, my  is also running RRAS.  I just changed the default IP of my laptop to the IP of a member server which is not running RRAS and I was not able to browse the internet.  I could ping others, etc., but NO internet.

Accepted Solution

asdlkf earned 1600 total points
ID: 23677043
Well, 2 things:

2 NICs is for redundancy, not for two physical connections. What they want you to do is to put a 2nd NIC in each machine and then bridge those two connections so your server has one IP address, but two physical connections to provide physical fault tolerance (and cable redundancy). But this is entirely optional.

I'm fairly sure that what you have is similar to this picture:


If that's correct, then what you need to do is stop thinking that your clients need to go through your servers. The 003 option (router/default gateway) can just be your Cisco box.

Depending on how many clients you have set up and how you are doing Active Directory, I would actually turn off DHCP and Routing and Remote Access/etc. on the Windows boxes and implement that on the Cisco boxes. (I can write you a config script for the Cisco box if you want.)

The Cisco box is capable of running DHCP (instead of doing it on Windows) and it is more granular and precise than the Windows implementation of the DHCP server.

But, whether you are using Windows or Cisco for your DHCP service, what you need to realize is that the Cisco box (10.10.10.WHATEVER the Cisco box's IP is) is the default gateway, not the servers.

What RRAS does is allow VPN connectivity into your network.

I imagine you have use cases where you want to permit users on the internet to access your network resources, and they do so by connecting a PPPoE connection to your servers running RRAS through a port-forward through your router. A much cleaner (and encrypted) solution is to use an IPsec tunnel from your clients to your router and let the router handle the VPN connectivity, the DHCP, and the gateway services. Let the Windows boxes do the 'Windows-ey' stuff like DNS, Active Directory, authentication, authorization, etc.

You can even install a proxy authentication agent that will support RADIUS or TACACS+ on your Windows servers to allow the Cisco's VPN connection to authenticate against Windows AD.

If I am way off base here, please draw a network diagram and (if available) post the output of "show run brief | exclude !" (remove any passwords/public IP addresses and replace with XXXXX or something).

-- Chris


Author Comment

ID: 23755712
Excellent description.  How to bridge 2 NICs on a server I will find out, or you can tell me how; in the past I had 2 NICs in each server and I am using 1 in each at the moment, so it will be good to know how to bridge them.
Correct, my diagram is exactly like that.  (I have a detailed one I can send to you; I have to hide some names on it.)
-I have 2 servers at the moment running DHCP on my site and one on another site; it will be good to know how to enable DHCP on my Cisco 2811.  Please send the config script with commands so that I can enable it.  Please note that I have many 'manually assigned IPs' which I want to set in the Cisco 2811 as well (exactly the same way as I am running now).
**** But, whether you are using Windows or Cisco for your DHCP service, what you need to realize is that the Cisco box (10.10.10.WHATEVER the Cisco box's IP is) is the default gateway, not the servers.
*******  So it means that whatever I write in my 003 entry in DHCP, my default gateway is my Cisco.  Good to know.
-Good to know that RRAS is providing the VPN connection.
**** A much cleaner (and encrypted) solution is to use an IPsec tunnel from your clients to your router and let the router handle the VPN connectivity, the DHCP, and the gateway services. Let the Windows boxes do the 'Windows-ey' stuff like DNS, Active Directory, authentication, authorization, etc.
********  Please let me know how to configure this IPsec tunnel from my Cisco?
-It will be good to know how to install the proxy to authenticate my Cisco connections.
-You are not at all off base.  I am enclosing my config.


Author Comment

ID: 23755857
This diagram will help you.  I made it a few years back.

Expert Comment

ID: 23759246
Um, well, to be fair, you have several questions now that really should be looked at separately.

Ultimately, that's still not enough information for me to say what should be what.

Basically, I would need to know what network services are running where in order to define all of that for you.

If this information can't be provided (for legal/other reasons) what you need to do is determine where all of your:

collision domains
broadcast domains
gateway devices
VPN endpoints
DNS servers
DHCP servers
Authentication servers
Application servers


Once you know where all of these things are running on your network (physically and logically), you will need to know the following for each of them:

ip address / subnet mask
default gateway
what services are running here

Then, I would ask new questions on EE with the relevant details. For example, from looking at your Cisco config file, you have no ISAKMP crypto key defined, but you have a WAN address.

You should ask one question to start:
"How do I configure an IPSEC gateway to receive inbound IPSEC connections from the internet/remote sites on a cisco 2811. I want it to accept inbound connections from <LOCATIONS> and I probably want a GRE over IPSEC tunnel to support a broader range of protocols. I also want to use TACACS+ or RADIUS or another method and ultimately have the VPN server authenticate against a windows 2003 AD database." (include the above picture, the just requested documentation, and your cisco config file).

then, another question:
"How do I configure a DHCP pool on a Cisco 2811 to give out addresses in the 10.x.x.0 range (mask /24) on a router that is already configured as a VPN gateway? I need to exclude the following IP addresses: (list your statically assigned addresses: servers/gateway devices/other things that don't use DHCP)"

One last point: I realize it can be intimidating to release information to the internet, but some of it is still needed (i.e. in pictures like the one just posted, black out the destination, but then just use an arrow to point to where it is or something). Also, where do the wireless links connect to?

For the level of questions you're going to be asking, you probably want a much more detailed network diagram so that people can give you the correct answers.

Oh, and as to how to bridge - just select one of the NIC's, hold down CTRL, select the other NIC (so they are both selected), right click one of them and select bridge. Then assign the IP address that the first NIC WAS using to the new "bridge" device that will appear.

-- Chris

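The DHCP pool the reply above proposes moving to the Cisco 2811 (one scope with the router as the only default gateway, the Windows DCs as DNS, excluded ranges for static hosts, and per-host reservations for the 'manually assigned' addresses the poster wants to keep) as an added config fragment. It is not from the thread or the poster's config; the subnet 10.10.10.0/24, the router address 10.10.10.1, the DC addresses 10.10.10.10 and 10.10.10.11, the printer address and its MAC are all assumed placeholders. Only mydomain.com comes from the question.

```cisco
! Added example, not from the thread. All addresses below are placeholders.
! Keep static hosts (router, DCs, printers) out of the dynamic range.
ip dhcp excluded-address 10.10.10.1 10.10.10.20
ip dhcp excluded-address 10.10.10.250 10.10.10.254
!
! Dynamic pool: the router's own inside address is the single default gateway,
! which is the Cisco-side equivalent of a one-address 003 Router option.
ip dhcp pool LAN
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 dns-server 10.10.10.10 10.10.10.11
 domain-name mydomain.com
 lease 7
!
! A 'manually assigned' address: one pool per host, keyed on its MAC address,
! so the host always receives the same IP without a static config on the host.
ip dhcp pool PRINTER1
 host 10.10.10.50 255.255.255.0
 hardware-address 0011.2233.4455
 default-router 10.10.10.1
 dns-server 10.10.10.10 10.10.10.11
 domain-name mydomain.com
!
! Verification after clients renew:
!   show ip dhcp pool
!   show ip dhcp binding
!   show ip dhcp conflict
```

Deactivate the Windows DHCP scopes before enabling the pool on the router; two servers answering on one subnet will hand out whichever lease arrives first, which reintroduces the inconsistent-gateway problem this thread started with.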
Author Closing Comment

ID: 31547790
Thanks asdlkf, I really appreciate your time.  At least I have some specific questions to ask at EE.  Also, I know which direction I should take to resolve a few of my issues.  Thanks brittonv for pointing out and clarifying the default gateway.  Regards!
