[Last Call] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 816
  • Last Modified:

Two NIC's on a server

We have a single Windows 2003 server with two NIC’s.  Until now only one has been used and the other has been disabled.  We now need to setup a VPN and wanted to use the second NIC for this.
This is how NIC1 was already configured and how I configured NIC2 for the proposed VPN.  

NIC 1
IP       192.168.11.10
SM       255.255.255.0
DG       192.168.11.1

NIC 2
IP      192.168.11.11
SM      255.255.255.0
DG      192.168.11.1

However, as soon as I enable NIC2, the network loses connectivity to the Internet, although it comes back at intervals of something like 15 minutes and then goes again.  Incidentally, NIC2 doesn’t even have a patch cable connected yet.
Clearly I am doing something wrong and would appreciate some guidance on this.

Thanks
0
gerlis
Asked:
gerlis
  • 11
  • 7
  • 7
  • +1
2 Solutions
 
BillCommented:
One thing that Windows doesn't like is two default gateways.  It gets confused on where to send traffic.  In your case it may get confused on which NIC to use.

Even if the default gateway is the same on both NICs it may have trouble deciding whether to use NIC1 or NIC2 to send traffic that isn't bound for your subnet.

Try removing the default gateway from NIC2.  That will likely help make your IP traffic work more consistently.

Additionally, it may be a good idea to disable any unused network protocols that are bound to your NIC:  IPv6 for example.  It will preferentially try IPv6 when communicating and fall back to IPv4.  This is a minor thing but it might make sense.
0
 
gerlisAuthor Commented:
Only ipv4 is running on this server.  I have removed the default gateway but will wait until after the office closes to re-enable the NIC and will let you know the outcome.
Thanks for your advice.
0
 
arnoldCommented:
For the purposes of the VPN the interface has to be up and should not use the same segment as the existing one assigning VPN IPs that are separate from the LAN IPs.
The network connection for VPN can be forced on by using a loopback plug
Pins (1 and 3) and (2 and 6) are interconnected. No default gateway setting.

Which VPN are you setting up, pptp, l2tp?
There are many step by step guides online.
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 
BillCommented:
arnold is right, the 2nd NIC should ideally be on a separate subnet.  Actually you could even connect it directly to your DMZ switch so that it's not even on your LAN.

Also be careful with DNS.
If you connect NIC2 to your LAN it will try to register the 2nd IP address in DNS.  Any users trying to access your server may end up with one of two different IPs.  This could cause issues, particularly if you are running websites that are tied to a particular IP address.  I'll bet if you look in your DNS console you will see two entries for your server's name:  one with 192.168.11.10 and the other with 192.168.11.11.  If you ping the machine name from one pc or another you may get one of these two IP addresses.
0
 
9660kelCommented:
You can stop the DNS registration for the NIC in the advanced properties for tcp/ip. Just clear the check box on the DNS tab.

The DNS registration is the problem, not the gateway. Ideally the secondary NIC would be on a separate subnet, but it's not an absolute.

A note about VPN, the subnet for the server side of the VPN must be on a different subnet than the target VPN network. (this is a common oversight for people new to VPN, so I thought I'd mention it)
0
 
BillCommented:
I've had to do this on some of our internal IIS servers that have multiple active NICs.

Here's a link for more info on 9660kel's post
http://technet.microsoft.com/en-us/library/bb727009.aspx

To view the settings type:  "netsh interface ip show dns"

DisableDynamicUpdate Registry setting
http://technet.microsoft.com/en-us/library/cc959739.aspx
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\ interface-name

It doesn't say if a reboot is required for the change to take effect, fyi.

You can also do this from a command prompt
Netsh commands for Interface IP
http://technet.microsoft.com/en-us/library/cc738592(v=ws.10).aspx
0
 
9660kelCommented:
If you change the setting via the tcp/ip properties page, then no reboot, but if you change it with regedit, then yes. Not sure about the netsh command, but I would think no re-boot there either.
0
 
gerlisAuthor Commented:
Thanks very much for the very helpful replies.
I have removed the default gateway from the TCP/IP properties of NIC2 and that resolved the problem.  I have also cleared the check box for “Register this connection’s address in DNS”.  Do I also remove the DNS address from the TCP/IP properties?  If not, should it be the same as NIC1?
0
 
arnoldCommented:
The name server references are not as relevant.
0
 
gerlisAuthor Commented:
Thanks.
0
 
arnoldCommented:
To clarify the point as long as there are name servers defined on an active network interface, those will be queried. in your case there is no chance that the current primary interface go down without an impact given there is no Default gateway setup on the second nic.

Manually using the Metrics setting one could have a default gateway in each NIC defined and the metric will differentiate between the preferred (lower metric value.)
0
 
gerlisAuthor Commented:
TSGITDept - you made a comment, "...you could even connect it directly to your DMZ switch so that it's not even on your LAN."  We only have one switch; to keep it separated from the LAN, could it/should it be connected directly to the router?  We only have one server, one router, one switch here.  

Also, I have found this guide, although there are many: .  Is this OK or should I be looking at something else?  If it's not obvious already, I've not done this before, so I will need a clear set of instructions.

Thanks
0
 
gerlisAuthor Commented:
Sorry, the link was missed out.  It is:

 

Thanks
0
 
gerlisAuthor Commented:
0
 
9660kelCommented:
It looks like a decent guide.
0
 
BillCommented:
>TSGITDept - you made a comment, "...you could even connect it directly to your DMZ switch so that it's not even on your LAN."  We only have one switch; to keep it separated from the LAN, could it/should it be connected directly to the router?  We only have one server, one router, one switch here.  

Here's something you could do inexpensively:
-Connect the 2nd NIC directly to the router's DMZ port (or a port that's configured as a DMZ), possibly using a cross over cable or
-Connect a cheap 5 port switch to the router's DMZ port.  That will effectively give you lots of ports in the DMZ to work with for things like WEB server, Email server, etc.
0
 
9660kelCommented:
How are you going to use the VPN connection?

Is this for remote access for a user, or a link to another office?
0
 
gerlisAuthor Commented:
Remote access
0
 
9660kelCommented:
If you are going to use multiple connections, TSGIT makes a good point regarding the DMZ. (DMZ stands for De-Militarized Zone, and does not have any firewall or other controls. Make sure to secure the server with a local firewall, A/V etc.)

Smaller routers can usually only passthrough 1 point to point connection at a time.
0
 
gerlisAuthor Commented:
The server is indeed protected with AV and the software firewall is active.

Is it possible to allocate a physical port as a DMZ on a Netgear?  I don't think it can do that.  Can any of the Draytek models do this, or can you suggest one.
0
 
BillCommented:
To add to that you can add some firewall controls on the DMZ port if you like, depending on your router/firewall.  The advantage is that you can create looser protection than on your LAN, but you can still put some firewall security if you choose to.  That would be up to you.

DMZ security example:
If you have a web server on your DMZ you can allow Port 80 but block other ports like 443 to that server
If you have an email server you can allow only email ports to that server's IP, etc.
And you could limit connections so that only your branch offices, and/or certain customer's IP addresses/ranges are allowed through.

9660kel is correct, you have a variety of choices but that depends on the capabilities of your firewall.

What brand and model firewall do you have?
0
 
gerlisAuthor Commented:
We have a Zhone 1518-A1-xxx combined modem/router supplied by the ISP.  However, we are going to change this as the ISP wont give us access to it and we have to call them when we want port re-directions and such like added.  As we haven't got the new router yet, we are open about this.
0
 
9660kelCommented:
I like Adtran, but they are on the pricey side compared to a home router.

They are very feature rich.
0
 
BillCommented:
Adtran, Cisco ASA, and Sonicwall are some good business choices.  I'd say that Cisco and Sonicwall are more popular in terms of getting support.  But they're all business class products.  Sonicwall may be easier to configure in terms of the WEB interface.  I'm not as familiar with the Adtran products these days but the Cisco ASA 5505 and Sonicwall TZ series are good.

http://sonicwall.com/us/products/TZ_Series.html#tab=compare
0
 
BillCommented:
BTW you can still keep your ISPs router if you like.  Just put your firewall behind it.  They'll deliver your Internet service wide open and then you secure it on your own with your own hardware.

This is a very common config:
1 - terminate your Internet service with a router (either your ISPs or your own)
2 - secure your Internet service with a firewall that is placed after the router.

Routers are great for managing traffic but not necessarily for security.
Firewalls are great for security but often are lacking in routing capabilities.
0
 
9660kelCommented:
Adtran tends to be deployed where VIOP services are in play, but they handle pretty much the same as cisco, most of the CLI commands are the same. The web interface is pretty easy as well.
0
 
gerlisAuthor Commented:
Sorry for the delay.  The ISP has now said that we can use our own router (instead of their Zhone router).  I would prefer this as they will not give me access to their router.  However, I am now awaiting connection details from them. I have found out that Draytek Vigor 3200 series routers will allow one physical port to be setup as a DMZ.  So I will order one of those and install it as soon as I have the connection details from the ISP.
0
 
gerlisAuthor Commented:
I decided to use the vpn feature within the Draytek router as this was much simpler to set-up.  However, your advice will be useful in the future, should I use a Windows based vpn.<br /><br />Thanks for your help with this.
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

  • 11
  • 7
  • 7
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now