Solved

windows - multi-homed routing issue

Posted on 2013-06-12
13
843 Views
Last Modified: 2013-09-18
I have a Windows 2008 R2 server with 2 NIC's - both have private IP's on different subnets.  The server uses the "wrong" gateway for 1 public IP address.

NIC-1:  10.0.1.10/24, gateway 10.0.1.1
NIC-2:  10.0.100.10/24, gateway 10.0.100.1

Each NIC is NAT'd at its router to a different public IP in different public IP blocks

NIC-1: 66.66.66.114
NIC-2: 209.209.209.60 (only port 25/tcp)

Here's where it gets weird.  From the server, if I tracert to every IP in the 209.209.209.56/29 block, the first hop is the NIC-1 gateway, as I would expect, *EXCEPT* one IP in the middle of the block.

There are no /32 routes, and this is all based on IP, not name.  I've rebooted the server, cleared the ARp cache, and flushed DNS.

I don't know why this one public IP would "choose" a different gateway.

tracert 209.209.209.59
1. 10.0.1.1
2. 209.209.209.62
3. 209.209.209.59

tracert 209.209.209.60
1. 10.0.1.1
2. 209.209.209.62
3. 209.209.209.60

tracert 209.209.209.61
1. 10.0.100.1           <-- the first hop is the wrong gateway!
2. 209.209.209.62
3. 209.209.209.61
0
Comment
Question by:snowdog_2112
  • 8
  • 5
13 Comments
 
LVL 10

Expert Comment

by:rjanowsky
ID: 39243537
Windows uses only one gateway per server. Normally the second default gateway will be ignored. Best practice is to have a default gateway for one nic configured.
0
 

Author Comment

by:snowdog_2112
ID: 39244362
Thanks, but in this case I need the 2nd gateway for the NAT to work on the 2nd NIC.

My question still remains - why would Windows "arbitrarily" choose a different gateway for a single public IP?

I manually set a higher metric on the 2nd gateway than the "primary", and that seems to satisfy Windows.
0
 

Author Comment

by:snowdog_2112
ID: 39244384
However...with the higher metric, traffic coming in on the 2nd NIC is redirected out the 1st NIC - including ACK's.

So, my problem remains.  Windows, for some unknown reason, is choosing a different gateway for an IP in the middle of a block (no matter how small it is divided)
0
 
LVL 10

Expert Comment

by:rjanowsky
ID: 39244877
Have a look into this book here at page 332 Default Gateways and Using multihomed servers. In the last part before "Using the route command". This describes clearly the behavior you are seeing at your system.
0
 

Author Comment

by:snowdog_2112
ID: 39307901
sorry - I haven't had a moment to look into this.  Will check that out and report back.
0
 

Author Comment

by:snowdog_2112
ID: 39393514
Um..that is in German?  And it's a dead link.
0
Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

 
LVL 10

Expert Comment

by:rjanowsky
ID: 39393623
The book itself is in English and I can open the link. You might try this one http://books.google.com/books?id=ANRixVBgm38C&pg=PA332&dq=two+default+gateways+windows+2008+microsoft&hl=de&sa=X&ei=KMoDUv2fK4WzhAfsgYGwDw&ved=0CC8Q6AEwAA. Or you open books.google.com and put two default gateways windows 2008 microsoft in the search field. In my search it's the first result on first page named "MCTS Guide to Configuring Microsoft Windows Server 2008 Active"
0
 

Author Comment

by:snowdog_2112
ID: 39434323
Ok - i'm not looking for a book, I'm looking for an answer to my question.

Page 327 to 335 are "broken" - I don't see any text on those pages.  Pages before and after appear fine, but nothing about the route command.  

As I scroll the link, it talks about ping, tracert and how to add an IP to a NIC.

I am very well aware of those concepts.  The issue eluding me is very specific:  Windows uses a different NIC and gateway for a destination IP address in the middle of one specific public IP address block.  209.209.209.61 is not a boundary address (network ID or broadcast) in any standard IP subnet.

Again, here is what I see:

tracert 209.209.209.59
1. 10.0.1.1
2. 209.209.209.62
3. 209.209.209.59

tracert 209.209.209.60
1. 10.0.1.1
2. 209.209.209.62
3. 209.209.209.60

tracert 209.209.209.61
1. 10.0.100.1           <-- the first hop is the wrong gateway!
2. 209.209.209.62
3. 209.209.209.61

tracert 209.209.209.62
1. 10.0.1.1            <-- back to the "correct" gateway
2. 209.209.209.62
3. 209.209.209.61
0
 
LVL 10

Expert Comment

by:rjanowsky
ID: 39438051
I understood your problem from the start of your question. What I was trying to make clear is, Windows doesn't support multiple default gateways. That's simple a fact! I think that the observation of using a different gateway in the middle of a address range is by coincidence and not a specific fault in the routing logic of Windows.
0
 

Author Comment

by:snowdog_2112
ID: 39459059
Thanks for clarification - so often people respond based on what they *assume* the problem is rather than reading and fully understanding the OP.

Perhaps a better question, then, is how I can have one IP address on a server accepting connections from one router/gateway, while the "main" IP address uses the "main" gateway IP.

In other words, maybe a different configuration will avoid the problem, rather than needing to solve the problem I currently have.

This secondary IP is specific to a "special case" mail NAT to a different point of egress on the LAN.

Thanks.
0
 
LVL 10

Accepted Solution

by:
rjanowsky earned 500 total points
ID: 39459490
If I understand your correctly, the second nic should be used only for smtp mail and for that traffic you are using a different Internet provider. In that case you can't work with network routes, because it's not possible to do the routing at protocol level (smtp tcp/25) -  AFAIK Windows can't do this.

My first idea would be implementing some kind of a central firewall/router, which could use rules to deliver traffic for port 25 outgoing to the gateway of provider 1 and the rest via provider 2. But that isn't an easy task.
0
 

Author Comment

by:snowdog_2112
ID: 39503078
Yeah, I was thinking the source of the incoming packets would dictate the response packets, and by binding the SMTP service to the one NIC, outgoing SMTP would use that gateway.

It's a mess either way, and probably needs a re-design.

Thanks for the input!
0
 

Author Closing Comment

by:snowdog_2112
ID: 39503081
Sometimes the answer is: it ain't gonna work.
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

OfficeMate Freezes on login or does not load after login credentials are input.
A procedure for exporting installed hotfix details of remote computers using powershell
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now