Solved

Windows Routing with Multiple Gateways

Posted on 2010-11-08
241 Views
Last Modified: 2013-12-23
Long story short, I have a client who is migrating from one ISP (ISP1) to a new ISP (ISP2). They need to migrate over to the new network (ISP2) without interruption of their on-site hosted e-mail server. They do not have a router on-site and each ISP simply provides them with an Ethernet port for Internet Access. The server has been setup with an additional IP address provided from ISP2 and the server will respond to that IP address however the problem is that I need to specify that traffic coming in through ISP1 should leave via ISP1 and traffic coming in through ISP2, leave via ISP2. I think this can be done with dual gateways in Windows' IP configuration but I also think that static routes need to be added. I don't know how to do this. Can someone help please? The goal is to get it listening on both networks until all DNS changes have propagated.

Here are some sample IP addresses for the two networks:

ISP1:
74.26.144.0/27 - Network Address
74.26.144.1/27 - ISP1 Router (added as default gateway)
74.26.144.2/27 - Old E-mail Server Address
...
74.26.144.31/27 - Broadcast Address


ISP2:
66.172.50.0/27 - Network Address
66.172.50.1/27 - ISP2 Router (added as default gateway)
66.172.50.2/27 - New E-mail Server Address
...
66.172.50.31/27 - Broadcast Address



Question by:darrell_chapman
14 Comments
 
LVL 8

Assisted Solution

by:ShareefHuddle
ShareefHuddle earned 62 total points
ID: 34088943
Dual gateways are a bad idea. Windows does not play well with that.

Does this server have two network cards in it or are you behind multiple firewalls?

I don't see any reason to have traffic go out through ISP1's connection anymore. I will tell you this though, if that is your true ip you will want to get a PTR(reverse dns) built for it through your ISP2. Otherwise you will get mail kicked back to you and eventually blacklisted.  
0
 

Author Comment

by:darrell_chapman
ID: 34093961
Pointer records will all be setup correctly. I'm not worried about that. The issue is how to keep the server listening on both networks until all DNS changes have been fully propagated. Again, they can have zero downtime. Well, listening is not really the problem as that happens by default. The issue is the gateway. If I change the gateway to ISP2's router, the server stops responding to traffic on ISP1. There has to be a way to bind each IP to a specific gateway.

0
 

Author Comment

by:darrell_chapman
ID: 34093974
I do have additional network cards on the servers however I was trying to avoid having to use them for this. That might be the best option so far.
0
 
LVL 29

Accepted Solution

by:
pwindell earned 188 total points
ID: 34094440
You're wasting your time.

There is going to be down time.

There is no way that a published service is going to work symmetrically on two networks at the same time.   What you are asking for is a fantasy (sorry, but it's true).  The server is going to send the traffic back through the established path determined by the Default Gateway,...no matter which line it came in on.  That is just the way TCP/IP and IP Routing function.

DNS does not take that long to change over.   When you change the IP#  of the Host Record on the Authoritative DNS for the Public Domain it happens instantly.  The rest is waiting for other people's DNS Cache to expire which is typically 30 minutes.  The only time it takes longer is when you change who is the Authoritative DNS for your Public Domain Name.  In that case you might be able to talk to the old Authority and see if they would change your Host Records to the new IP#s  for a few days before they drop your Zone from their machine,...this way if people incorrectly go to the old Authority for resolution they will at least get the correct new IP#.


0
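The behaviour pwindell describes (replies leave by the default gateway chosen from the host routing table, whatever line the request came in on) can be shown with a small simulation. This is an added example and not code from the thread or from Windows; it builds a routing table resembling the one a host ends up with when both sample ISP addresses are configured and both ISP routers are added as default gateways, then looks up where a reply to a remote client would leave. The client address 203.0.113.5, the interface names ISP1/ISP2 and the metrics are constructed for the example; Windows assigns its own metrics.

```python
"""Destination-based routing on a host with two default gateways.

Added example (not from the thread). Sample networks are the ones in the
question: 74.26.144.0/27 via ISP1 and 66.172.50.0/27 via ISP2.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    dest: ipaddress.IPv4Network
    gateway: str        # next hop address, or "on-link" for a directly attached net
    interface: str      # constructed interface name
    metric: int         # constructed metric; lower wins on equal prefix length


# Constructed table: two on-link routes plus two 0.0.0.0/0 default routes.
# Only one default route can win a lookup; here the ISP1 one has the lower metric.
ROUTES = [
    Route(ipaddress.ip_network("74.26.144.0/27"), "on-link", "ISP1", 10),
    Route(ipaddress.ip_network("66.172.50.0/27"), "on-link", "ISP2", 10),
    Route(ipaddress.ip_network("0.0.0.0/0"), "74.26.144.1", "ISP1", 10),
    Route(ipaddress.ip_network("0.0.0.0/0"), "66.172.50.1", "ISP2", 20),
]


def lookup(dst, routes=ROUTES):
    """Longest-prefix match, ties broken by lowest metric.

    The only inputs are the destination address and the table. The source
    address of the packet and the interface a request arrived on are not
    consulted, which is the whole reason the dual-gateway idea fails.
    """
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r.dest]
    return max(candidates, key=lambda r: (r.dest.prefixlen, -r.metric))


def reply_egress(client_ip, routes=ROUTES):
    """Interface a reply to client_ip leaves on."""
    return lookup(client_ip, routes).interface


def reply_is_asymmetric(client_ip, ingress_iface, routes=ROUTES):
    """True when the reply leaves on a different line than the request used."""
    return reply_egress(client_ip, routes) != ingress_iface


def without_isp1_default(routes=ROUTES):
    """Table after the ISP1 default gateway is removed (the cut-over state)."""
    return [r for r in routes if not (r.dest.prefixlen == 0 and r.interface == "ISP1")]


if __name__ == "__main__":
    client = "203.0.113.5"  # constructed remote client address
    for ingress in ("ISP1", "ISP2"):
        print(f"request in on {ingress}: reply out on {reply_egress(client)}"
              f" (asymmetric={reply_is_asymmetric(client, ingress)})")
    print("after cut-over, reply out on", reply_egress(client, without_isp1_default()))
```

Run it and the reply to the same client leaves on ISP1 whether the request arrived on ISP1 or ISP2; only removing the ISP1 default route moves replies to ISP2, at which point requests that still arrive on ISP1 become the asymmetric ones. Hosts or networks with policy-based (source-address) routing can key the lookup on the reply's source address, which is the capability the question is really asking for and which a plain Windows host routing table does not provide.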
 
LVL 29

Expert Comment

by:pwindell
ID: 34094596
The normal timeout period for SMTP to make contact with a target SMTP Service is 48 hours (2 days) before sending an NDR.  So no email is going to be lost.
0
 

Author Comment

by:darrell_chapman
ID: 34094924
pwindell, thanks for your routing help. That is an area I'm lacking however I am an expert in DNS.

Although the IETF RFC spec tells you how exactly DNS should behave, my years of experience with DNS tell me otherwise. I know for a fact (through testing) that certain ISPs ignore TTL data and cache records for an unspecified amount of time. This is the reason I was hoping to have both Interfaces running concurrently with my current setup.

I understand how SMTP works. Some servers will continue to try to contact the mail server however some will send a "message delayed" e-mail to the original sender. I need to avoid this so that I'm not hounded with calls from their clients asking why they can't send mail to them. Also this particular client cannot afford to have message delays. Although they understand the limitations of e-mail, they are still using their e-mail as a real-time communication platform.

I guess I'll just have to setup additional interfaces on each server.

Again thanks for your help.
0

 
LVL 29

Assisted Solution

by:pwindell
pwindell earned 188 total points
ID: 34095104
Although the IETF RFC spec tells you how exactly DNS should behave, my years of experience with DNS tell me otherwise. I know for a fact (through testing) that certain ISP's ignore TTL data and cache records
-----------------------------------------------------

Yes,..people don't always follow the rules,..which creates grief for everyone else.  Sorry to be all Doom & Gloom,...but I'm just being honest with you.
I understand how SMTP works. Some servers will continue to try to contact the mail server however some will send an "message delayed" e-mail to the original sender.
-----------------------------------------------------

Correct.  Ours is that way.
I need to avoid this so that I'm not hounded will calls from their clients asking why they can't send mail to them.
---------------------------------------------

You're going to get hounded.
 Also this particular client cannot afford to have message delays.
-----------------------------------------------

They are going to have to afford it.
 Although they understand the limitations of e-mail, they are still using their e-mail as a real-time communication platform.
-----------------------------------------------

That is their mistake.  Email is not a real-time communication platform,...no matter how bad they want it to be.

I guess I'll just have to setup additional interfaces on each server.
------------------------------------------------

The return outbound path will still take the single path defined by the Default Gateway. Even if you give it multiple Default Gateways it will still only use the first one, or will use the one on the NIC that is higher in the binding order.  They would receive mail fine,...but sending may trip SPAM filtering systems at the destination because the Source IP# will fail to resolve properly.
I really am sorry I can't give you a more positive prediction.

0
 
LVL 29

Assisted Solution

by:pwindell
pwindell earned 188 total points
ID: 34095265
You probably are better with DNS than I.  Would it be possible for both the old IP# and the new IP# to reverse-resolve to the same Name?  This would keep the SPAM Filters happy.
 
0
 
LVL 5

Expert Comment

by:oneitnz
ID: 35590515
Why don't you just setup another MX record for your domain.

Configure these settings in DNS.
mail.domain.com         74.26.144.2
mail2.domain.com       66.172.50.2
MX  10  mail.domain.com
MX  15  mail2.domain.com

That way if they can't resolve to the first one they will be able to get to the other one.

Set that up first then wait for about 12 hours so every DNS Server has this in their records then switch the gateway over to the Mail 2 IP and there you go, no lost emails.

You can then remove the MX 10 entry and the mail.domain.com entries or just switch the IP's over.

Regards
Brett Smith
One IT - DNS Specialist
0
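Two things raised above can be checked against a small in-memory zone: whether each server address reverse-resolves to a name that forward-resolves back to it (forward-confirmed reverse DNS, the property pwindell asks about when he wonders whether both IP#s could reverse-resolve to the same name), and how the MX 10 / MX 15 pair Brett proposes behaves for a sender whose resolver still holds the old record set. This is an added example, not code from the thread; the records are constructed from the sample addresses and the domain.com placeholder used in Brett's comment, and the PTR records are an assumption (the thread only says they will be set up).

```python
"""Forward-confirmed reverse DNS and MX-preference fallback on a constructed zone.

Added example, not from the thread. Record values are constructed from the
sample addresses in the question; PTR contents are assumed.
"""

# Constructed forward records (Brett's A records).
A = {
    "mail.domain.com": {"74.26.144.2"},
    "mail2.domain.com": {"66.172.50.2"},
}
# Assumed reverse records, one per server address.
PTR = {
    "74.26.144.2": "mail.domain.com",
    "66.172.50.2": "mail2.domain.com",
}
# Brett's MX set: (preference, exchange); lower preference is tried first.
MX_NEW = [(10, "mail.domain.com"), (15, "mail2.domain.com")]
# What a resolver that cached the zone before the MX 15 was added still holds.
MX_STALE = [(10, "mail.domain.com")]


def fcrdns_ok(ip, a=A, ptr=PTR):
    """Forward-confirmed reverse DNS: ip -> PTR name -> A records must include ip.

    Receiving spam filters commonly apply this check to the connecting
    source address, which is why the egress IP matters, not just the MX name.
    """
    name = ptr.get(ip)
    return name is not None and ip in a.get(name, set())


def delivery_candidates(mx_records, a=A):
    """(exchange, ip) pairs in the order a sending MTA tries them."""
    out = []
    for _pref, name in sorted(mx_records):
        for ip in sorted(a.get(name, ())):
            out.append((name, ip))
    return out


def first_reachable(candidates, reachable):
    """First candidate whose IP answers; None means the sender queues and retries.

    `reachable` is a constructed set of IPs standing in for a successful SMTP
    connect. After the gateway is switched to ISP2 only 66.172.50.2 answers.
    """
    for name, ip in candidates:
        if ip in reachable:
            return name, ip
    return None


def outcome_after_cutover(mx_records, reachable=frozenset({"66.172.50.2"})):
    """Where a sender holding mx_records lands once only the ISP2 address answers."""
    return first_reachable(delivery_candidates(mx_records), reachable)


if __name__ == "__main__":
    for ip in PTR:
        print(ip, "FCrDNS ok:", fcrdns_ok(ip))
    print("sender with new MX set:", outcome_after_cutover(MX_NEW))
    print("sender with stale MX set:", outcome_after_cutover(MX_STALE))
```

The stale sender gets `None` (it queues and retries, exactly the delay the asker wants to avoid), the updated sender falls through to mail2.domain.com; that gap is why the MX 15 record has to be published and allowed to propagate before the gateway moves. `fcrdns_ok` also shows the answer to pwindell's question: both addresses can point at the same PTR name only if that name carries A records for both, otherwise the check fails for one of them.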
 
LVL 8

Expert Comment

by:ShareefHuddle
ID: 35725098
Wow, I didn't know this was still running.  You can also setup a third party spam solution.  One out there that I used and was good for just this purpose was GFIMax. The best part is that they give a 30 day free trial.

Although Brett probably has the simplest answer which should work well.

Shareef
0
 
LVL 15

Expert Comment

by:riteheer
ID: 36895838
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0
 

Author Comment

by:darrell_chapman
ID: 36600008
Sorry everyone. It was not my intention to abandon this question. I do not think I was getting e-mails from Experts-Exchange. I did get the reply that was added today. Thanks for everyone's assistance.
0
