Solved

Two NIC's on a server

Posted on 2012-03-27
799 Views
Last Modified: 2012-08-13
We have a single Windows 2003 server with two NICs.  Until now only one has been used and the other has been disabled.  We now need to set up a VPN and wanted to use the second NIC for this.
This is how NIC1 was already configured and how I configured NIC2 for the proposed VPN.

NIC 1
IP       192.168.11.10
SM       255.255.255.0
DG       192.168.11.1

NIC 2
IP      192.168.11.11
SM      255.255.255.0
DG      192.168.11.1

However, as soon as I enable NIC2, the network loses connectivity to the Internet, although it comes back at intervals of something like 15 minutes and then goes again.  Incidentally, NIC2 doesn’t even have a patch cable connected yet.
Clearly I am doing something wrong and would appreciate some guidance on this.

Thanks
Question by:gerlis

28 Comments
 
LVL 8

Expert Comment

by:TSGITDept
ID: 37771351
One thing that Windows doesn't like is two default gateways.  It gets confused on where to send traffic.  In your case it may get confused on which NIC to use.

Even if the default gateway is the same on both NICs it may have trouble deciding whether to use NIC1 or NIC2 to send traffic that isn't bound for your subnet.

Try removing the default gateway from NIC2.  That will likely help make your IP traffic work more consistently.

Additionally, it may be a good idea to disable any unused network protocols that are bound to your NIC:  IPv6 for example.  It will preferentially try IPv6 when communicating and fall back to IPv4.  This is a minor thing but it might make sense.
0
 
LVL 1

Author Comment

by:gerlis
ID: 37771431
Only ipv4 is running on this server.  I have removed the default gateway but will wait until after the office closes to re-enable the NIC and will let you know the outcome.
Thanks for your advice.
0
 
LVL 76

Expert Comment

by:arnold
ID: 37771449
For the purposes of the VPN the interface has to be up and should not use the same segment as the existing one, assigning VPN IPs that are separate from the LAN IPs.
The network connection for VPN can be forced on by using a loopback plug: pins (1 and 3) and (2 and 6) are interconnected. No default gateway setting.

Which VPN are you setting up, pptp, l2tp?
There are many step by step guides online.
0
 
LVL 8

Expert Comment

by:TSGITDept
ID: 37771594
arnold is right, the 2nd NIC should ideally be on a separate subnet.  Actually you could even connect it directly to your DMZ switch so that it's not even on your LAN.

Also be careful with DNS.
If you connect NIC2 to your LAN it will try to register the 2nd IP address in DNS.  Any users trying to access your server may end up with one of two different IPs.  This could cause issues, particularly if you are running websites that are tied to a particular IP address.  I'll bet if you look in your DNS console you will see two entries for your server's name:  one with 192.168.11.10 and the other with 192.168.11.11.  If you ping the machine name from one pc or another you may get one of these two IP addresses.
0
 
LVL 5

Expert Comment

by:9660kel
ID: 37775912
You can stop the DNS registration for the NIC in the advanced properties for tcp/ip. Just clear the check box on the DNS tab.

The DNS registration is the problem, not the gateway. Ideally the secondary NIC would be on a separate subnet, but it's not an absolute.

A note about VPN, the subnet for the server side of the VPN must be on a different subnet than the target VPN network. (this is a common oversight for people new to VPN, so I thought I'd mention it)
0
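The overlap rule 9660kel describes (the server-side LAN must not be the same subnet as the network the remote end sits on) is easy to get wrong by eye, so here is an added PowerShell check; it is not code from the thread or from any participant. It does plain integer arithmetic on CIDR strings, so it runs on any PowerShell version, and it goes slightly beyond the single case in the reply by also catching nested ranges (a /8 containing a /16). All CIDR values in the constructed test cases are made up for the demonstration; only 192.168.11.0/24 comes from the question.

```powershell
# Added example (not from the thread): detect whether the VPN server's LAN
# overlaps the network on the remote side of the VPN. Constructed inputs.

function ConvertTo-IpNumber {
    param([string]$Ip)
    $b = ([System.Net.IPAddress]::Parse($Ip)).GetAddressBytes()
    # Bytes arrive in network order; fold them into a 64-bit integer so that
    # addresses above 127.255.255.255 do not overflow Int32.
    ([long]$b[0] * 16777216) + ([long]$b[1] * 65536) + ([long]$b[2] * 256) + [long]$b[3]
}

function ConvertFrom-IpNumber {
    param([long]$Number)
    $octets = foreach ($divisor in 16777216, 65536, 256, 1) {
        [long][Math]::Floor($Number / $divisor) % 256
    }
    $octets -join '.'
}

function Get-Subnet {
    param([string]$Cidr)
    if ($Cidr -notmatch '^\d{1,3}(\.\d{1,3}){3}/\d{1,2}$') { throw "Expected a.b.c.d/prefix, got '$Cidr'" }
    $address, $prefixText = $Cidr.Split('/')
    $prefix = [int]$prefixText
    if ($prefix -gt 32) { throw "Invalid prefix length in $Cidr" }
    # Mask as an integer: all ones in the top $prefix bits.
    $mask  = [long](4294967296 - [Math]::Pow(2, 32 - $prefix))
    $first = (ConvertTo-IpNumber $address) -band $mask      # network address
    $last  = $first + (4294967295 - $mask)                  # broadcast address
    New-Object PSObject -Property @{
        Cidr  = ('{0}/{1}' -f (ConvertFrom-IpNumber $first), $prefix)
        First = $first
        Last  = $last
    }
}

function Test-SubnetOverlap {
    param([string]$ServerLan, [string]$RemoteNetwork)
    $a = Get-Subnet $ServerLan
    $b = Get-Subnet $RemoteNetwork
    # Two ranges overlap when each one starts before the other one ends.
    $overlaps = ($a.First -le $b.Last) -and ($b.First -le $a.Last)
    New-Object PSObject -Property @{
        ServerLan     = $a.Cidr
        RemoteNetwork = $b.Cidr
        Overlaps      = $overlaps
        Verdict       = $(if ($overlaps) { 'CONFLICT: routes to the remote side are ambiguous with the LAN' } else { 'OK' })
    }
}

# Constructed cases: the LAN from the question against a typical home network,
# the same subnet reused at the remote end, a nested pair, and a VPN client
# pool carved out of an unrelated private range.
$cases = @(
    @{ ServerLan = '192.168.11.0/24'; RemoteNetwork = '192.168.1.0/24' },   # OK
    @{ ServerLan = '192.168.11.0/24'; RemoteNetwork = '192.168.11.0/24' },  # CONFLICT
    @{ ServerLan = '10.0.0.0/8';      RemoteNetwork = '10.10.0.0/16' },     # CONFLICT (nested)
    @{ ServerLan = '192.168.11.0/24'; RemoteNetwork = '172.16.50.0/28' }    # OK
)
foreach ($c in $cases) {
    Test-SubnetOverlap -ServerLan $c.ServerLan -RemoteNetwork $c.RemoteNetwork
} | Format-Table ServerLan, RemoteNetwork, Overlaps, Verdict -AutoSize
```

Run the block as a script, or dot-source it and call Test-SubnetOverlap with your own LAN and the subnet a remote user's router hands out; the second constructed case is exactly the situation the reply warns about, where a home network that happens to use the same private range as the office leaves the client unable to tell local traffic from VPN traffic.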
 
LVL 8

Expert Comment

by:TSGITDept
ID: 37776503
I've had to do this on some of our internal IIS servers that have multiple active NICs.

Here's a link for more info on 9660kel's post
http://technet.microsoft.com/en-us/library/bb727009.aspx

To view the settings type:  "netsh interface ip show dns"

DisableDynamicUpdate Registry setting
http://technet.microsoft.com/en-us/library/cc959739.aspx
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<interface-name>

It doesn't say if a reboot is required for the change to take effect, fyi.

You can also do this from a command prompt
Netsh commands for Interface IP
http://technet.microsoft.com/en-us/library/cc738592(v=ws.10).aspx
0
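Two problems have been raised so far, a default gateway on both NICs and the spare NIC registering itself in DNS, and both can be checked and fixed from a prompt rather than by clicking through the adapter properties. The following PowerShell is an added example, not code from the thread or from any of the participants. The audit reads Win32_NetworkAdapterConfiguration, a WMI class that exists on Windows 2003 (PowerShell 2.0 is required on that platform); the fix uses the positional "netsh interface ip" syntax from the Windows Server 2003 reference linked in the reply above, where a gateway of none removes the default gateway and register=none stops the interface registering in DNS. The interface name "Local Area Connection 2", the address 192.168.11.11/24 from the question, and the DNS server 192.168.11.10 are assumptions; check the audit output and substitute your own.

```powershell
# Added example (not from the thread): audit every IP-enabled adapter for
# a duplicated default gateway and for DNS registration, then clear both on
# the spare NIC. Names and addresses below are assumed.

function Get-NicAudit {
    $adapters = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    foreach ($a in $adapters) {
        New-Object PSObject -Property @{
            Index          = $a.Index
            Description    = $a.Description
            IPAddress      = ($a.IPAddress -join ', ')
            DefaultGateway = ($a.DefaultIPGateway -join ', ')
            GatewayMetric  = ($a.GatewayCostMetric -join ', ')   # lower value is preferred when two gateways exist
            DnsServers     = ($a.DNSServerSearchOrder -join ', ')
            RegistersInDns = $a.FullDNSRegistrationEnabled
        }
    }
}

function Show-NicAudit {
    $audit = @(Get-NicAudit)
    $withGateway = @($audit | Where-Object { $_.DefaultGateway -ne '' })
    if ($withGateway.Count -gt 1) {
        Write-Warning ('Default gateway is set on {0} adapters; Windows will choose between them unless the metrics differ.' -f $withGateway.Count)
    }
    $registering = @($audit | Where-Object { $_.RegistersInDns })
    if ($registering.Count -gt 1) {
        Write-Warning ('{0} adapters register in DNS; clients may resolve either address for this host.' -f $registering.Count)
    }
    $audit | Format-Table Index, Description, IPAddress, DefaultGateway, GatewayMetric, RegistersInDns -AutoSize
}

# Clear the gateway and DNS registration on the spare NIC. Positional form of
# "netsh interface ip set address <name> static <addr> <mask> <gateway>" and
# "netsh interface ip set dns <name> static <server> register=none".
function Disable-SpareNicGateway {
    param(
        [string]$InterfaceName = 'Local Area Connection 2',   # assumed name of NIC2
        [string]$Address       = '192.168.11.11',             # NIC2 address from the question
        [string]$Mask          = '255.255.255.0',
        [string]$DnsServer     = '192.168.11.10'              # assumed: same DNS server NIC1 uses
    )
    & netsh interface ip set address $InterfaceName static $Address $Mask none
    & netsh interface ip set dns $InterfaceName static $DnsServer register=none
    # Verify with the command quoted in the reply above.
    & netsh interface ip show dns
}

Show-NicAudit
# Disable-SpareNicGateway   # uncomment once the Index/Description of NIC2 has been confirmed
```

Run Show-NicAudit first; the warning lines tell you whether the box is currently in the state the question describes, and the GatewayMetric column is where you would look if you later chose the metric-based alternative instead of removing the second gateway outright. Run Disable-SpareNicGateway only after confirming the interface name from the audit, because netsh applies the change to whichever connection carries that name.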
 
LVL 5

Expert Comment

by:9660kel
ID: 37776539
If you change the setting via the tcp/ip properties page, then no reboot, but if you change it with regedit, then yes. Not sure about the netsh command, but I would think no re-boot there either.
0
 
LVL 1

Author Comment

by:gerlis
ID: 37778628
Thanks very much for the very helpful replies.
I have removed the default gateway from the TCP/IP properties of NIC2 and that resolved the problem.  I have also cleared the check box for “Register this connection’s address in DNS”.  Do I also remove the DNS address from the TCP/IP properties?  If not, should it be the same as NIC1?
0
 
LVL 76

Expert Comment

by:arnold
ID: 37778659
The name server references are not as relevant.
0
 
LVL 1

Author Comment

by:gerlis
ID: 37778693
Thanks.
0
 
LVL 76

Expert Comment

by:arnold
ID: 37778717
To clarify the point: as long as there are name servers defined on an active network interface, those will be queried. In your case there is no chance that the current primary interface goes down without an impact, given there is no default gateway set up on the second NIC.

Manually, using the Metric setting, one could have a default gateway defined on each NIC, and the metric will determine the preferred one (lower metric value).
0
 
LVL 1

Author Comment

by:gerlis
ID: 37778775
TSGITDept - you made a comment, "...you could even connect it directly to your DMZ switch so that it's not even on your LAN."  We only have one switch; to keep it separated from the LAN, could it/should it be connected directly to the router?  We only have one server, one router, one switch here.  

Also, I have found this guide, although there are many: .  Is this OK or should I be looking at something else?  If it's not obvious already, I've not done this before, so I will need a clear set of instructions.

Thanks
0
 
LVL 1

Author Comment

by:gerlis
ID: 37778796
Sorry, the link was missed out.  It is:

 

Thanks
0
 
LVL 1

Author Comment

by:gerlis
ID: 37778802
0
 
LVL 5

Expert Comment

by:9660kel
ID: 37779126
It looks like a decent guide.
0
 
LVL 8

Expert Comment

by:TSGITDept
ID: 37782503
>TSGITDept - you made a comment, "...you could even connect it directly to your DMZ switch so that it's not even on your LAN."  We only have one switch; to keep it separated from the LAN, could it/should it be connected directly to the router?  We only have one server, one router, one switch here.  

Here's something you could do inexpensively:
-Connect the 2nd NIC directly to the router's DMZ port (or a port that's configured as a DMZ), possibly using a cross over cable or
-Connect a cheap 5 port switch to the router's DMZ port.  That will effectively give you lots of ports in the DMZ to work with for things like WEB server, Email server, etc.
0
 
LVL 5

Expert Comment

by:9660kel
ID: 37783685
How are you going to use the VPN connection?

Is this for remote access for a user, or a link to another office?
0
 
LVL 1

Author Comment

by:gerlis
ID: 37783705
Remote access
0
 
LVL 5

Expert Comment

by:9660kel
ID: 37783846
If you are going to use multiple connections, TSGIT makes a good point regarding the DMZ. (DMZ stands for De-Militarized Zone, and does not have any firewall or other controls. Make sure to secure the server with a local firewall, A/V etc.)

Smaller routers can usually only passthrough 1 point to point connection at a time.
0
 
LVL 1

Author Comment

by:gerlis
ID: 37784023
The server is indeed protected with AV and the software firewall is active.

Is it possible to allocate a physical port as a DMZ on a Netgear?  I don't think it can do that.  Can any of the Draytek models do this, or can you suggest one.
0
 
LVL 8

Expert Comment

by:TSGITDept
ID: 37784055
To add to that you can add some firewall controls on the DMZ port if you like, depending on your router/firewall.  The advantage is that you can create looser protection than on your LAN, but you can still put some firewall security if you choose to.  That would be up to you.

DMZ security example:
If you have a web server on your DMZ you can allow Port 80 but block other ports like 443 to that server
If you have an email server you can allow only email ports to that server's IP, etc.
And you could limit connections so that only your branch offices, and/or certain customer's IP addresses/ranges are allowed through.

9660kel is correct, you have a variety of choices but that depends on the capabilities of your firewall.

What brand and model firewall do you have?
0
 
LVL 1

Author Comment

by:gerlis
ID: 37784078
We have a Zhone 1518-A1-xxx combined modem/router supplied by the ISP.  However, we are going to change this as the ISP won't give us access to it and we have to call them when we want port re-directions and such like added.  As we haven't got the new router yet, we are open about this.
0
 
LVL 5

Expert Comment

by:9660kel
ID: 37784158
I like Adtran, but they are on the pricey side compared to a home router.

They are very feature rich.
0
 
LVL 8

Expert Comment

by:TSGITDept
ID: 37786931
Adtran, Cisco ASA, and Sonicwall are some good business choices.  I'd say that Cisco and Sonicwall are more popular in terms of getting support.  But they're all business class products.  Sonicwall may be easier to configure in terms of the WEB interface.  I'm not as familiar with the Adtran products these days but the Cisco ASA 5505 and Sonicwall TZ series are good.

http://sonicwall.com/us/products/TZ_Series.html#tab=compare
0
 
LVL 8

Accepted Solution

by:
TSGITDept earned 250 total points
ID: 37787148
BTW you can still keep your ISPs router if you like.  Just put your firewall behind it.  They'll deliver your Internet service wide open and then you secure it on your own with your own hardware.

This is a very common config:
1 - terminate your Internet service with a router (either your ISPs or your own)
2 - secure your Internet service with a firewall that is placed after the router.

Routers are great for managing traffic but not necessarily for security.
Firewalls are great for security but often are lacking in routing capabilities.
0
 
LVL 5

Assisted Solution

by:9660kel
9660kel earned 250 total points
ID: 37787151
Adtran tends to be deployed where VoIP services are in play, but they handle pretty much the same as Cisco; most of the CLI commands are the same. The web interface is pretty easy as well.
0
 
LVL 1

Author Comment

by:gerlis
ID: 37882498
Sorry for the delay.  The ISP has now said that we can use our own router (instead of their Zhone router).  I would prefer this as they will not give me access to their router.  However, I am now awaiting connection details from them. I have found out that Draytek Vigor 3200 series routers will allow one physical port to be setup as a DMZ.  So I will order one of those and install it as soon as I have the connection details from the ISP.
0
 
LVL 1

Author Closing Comment

by:gerlis
ID: 38167823
I decided to use the VPN feature within the Draytek router as this was much simpler to set up.  However, your advice will be useful in the future, should I use a Windows based VPN.

Thanks for your help with this.
0
