Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 920
  • Last Modified:

windows - multi-homed routing issue

I have a Windows 2008 R2 server with 2 NIC's - both have private IP's on different subnets.  The server uses the "wrong" gateway for 1 public IP address.

NIC-1:  10.0.1.10/24, gateway 10.0.1.1
NIC-2:  10.0.100.10/24, gateway 10.0.100.1

Each NIC is NAT'd at its router to a different public IP in different public IP blocks

NIC-1: 66.66.66.114
NIC-2: 209.209.209.60 (only port 25/tcp)

Here's where it gets weird.  From the server, if I tracert to every IP in the 209.209.209.56/29 block, the first hop is the NIC-1 gateway, as I would expect, *EXCEPT* one IP in the middle of the block.

There are no /32 routes, and this is all based on IP, not name.  I've rebooted the server, cleared the ARp cache, and flushed DNS.

I don't know why this one public IP would "choose" a different gateway.

tracert 209.209.209.59
1. 10.0.1.1
2. 209.209.209.62
3. 209.209.209.59

tracert 209.209.209.60
1. 10.0.1.1
2. 209.209.209.62
3. 209.209.209.60

tracert 209.209.209.61
1. 10.0.100.1           <-- the first hop is the wrong gateway!
2. 209.209.209.62
3. 209.209.209.61
0
snowdog_2112
Asked:
snowdog_2112
  • 8
  • 5
1 Solution
 
rjanowskyCommented:
Windows uses only one gateway per server. Normally the second default gateway will be ignored. Best practice is to have a default gateway for one nic configured.
0
 
snowdog_2112Author Commented:
Thanks, but in this case I need the 2nd gateway for the NAT to work on the 2nd NIC.

My question still remains - why would Windows "arbitrarily" choose a different gateway for a single public IP?

I manually set a higher metric on the 2nd gateway than the "primary", and that seems to satisfy Windows.
0
 
snowdog_2112Author Commented:
However...with the higher metric, traffic coming in on the 2nd NIC is redirected out the 1st NIC - including ACK's.

So, my problem remains.  Windows, for some unknown reason, is choosing a different gateway for an IP in the middle of a block (no matter how small it is divided)
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
rjanowskyCommented:
Have a look into this book here at page 332 Default Gateways and Using multihomed servers. In the last part before "Using the route command". This describes clearly the behavior you are seeing at your system.
0
 
snowdog_2112Author Commented:
sorry - I haven't had a moment to look into this.  Will check that out and report back.
0
 
snowdog_2112Author Commented:
Um..that is in German?  And it's a dead link.
0
 
rjanowskyCommented:
The book itself is in English and I can open the link. You might try this one http://books.google.com/books?id=ANRixVBgm38C&pg=PA332&dq=two+default+gateways+windows+2008+microsoft&hl=de&sa=X&ei=KMoDUv2fK4WzhAfsgYGwDw&ved=0CC8Q6AEwAA. Or you open books.google.com and put two default gateways windows 2008 microsoft in the search field. In my search it's the first result on first page named "MCTS Guide to Configuring Microsoft Windows Server 2008 Active"
0
 
snowdog_2112Author Commented:
Ok - i'm not looking for a book, I'm looking for an answer to my question.

Page 327 to 335 are "broken" - I don't see any text on those pages.  Pages before and after appear fine, but nothing about the route command.  

As I scroll the link, it talks about ping, tracert and how to add an IP to a NIC.

I am very well aware of those concepts.  The issue eluding me is very specific:  Windows uses a different NIC and gateway for a destination IP address in the middle of one specific public IP address block.  209.209.209.61 is not a boundary address (network ID or broadcast) in any standard IP subnet.

Again, here is what I see:

tracert 209.209.209.59
1. 10.0.1.1
2. 209.209.209.62
3. 209.209.209.59

tracert 209.209.209.60
1. 10.0.1.1
2. 209.209.209.62
3. 209.209.209.60

tracert 209.209.209.61
1. 10.0.100.1           <-- the first hop is the wrong gateway!
2. 209.209.209.62
3. 209.209.209.61

tracert 209.209.209.62
1. 10.0.1.1            <-- back to the "correct" gateway
2. 209.209.209.62
3. 209.209.209.61
0
 
rjanowskyCommented:
I understood your problem from the start of your question. What I was trying to make clear is, Windows doesn't support multiple default gateways. That's simple a fact! I think that the observation of using a different gateway in the middle of a address range is by coincidence and not a specific fault in the routing logic of Windows.
0
 
snowdog_2112Author Commented:
Thanks for clarification - so often people respond based on what they *assume* the problem is rather than reading and fully understanding the OP.

Perhaps a better question, then, is how I can have one IP address on a server accepting connections from one router/gateway, while the "main" IP address uses the "main" gateway IP.

In other words, maybe a different configuration will avoid the problem, rather than needing to solve the problem I currently have.

This secondary IP is specific to a "special case" mail NAT to a different point of egress on the LAN.

Thanks.
0
 
rjanowskyCommented:
If I understand your correctly, the second nic should be used only for smtp mail and for that traffic you are using a different Internet provider. In that case you can't work with network routes, because it's not possible to do the routing at protocol level (smtp tcp/25) -  AFAIK Windows can't do this.

My first idea would be implementing some kind of a central firewall/router, which could use rules to deliver traffic for port 25 outgoing to the gateway of provider 1 and the rest via provider 2. But that isn't an easy task.
0
 
snowdog_2112Author Commented:
Yeah, I was thinking the source of the incoming packets would dictate the response packets, and by binding the SMTP service to the one NIC, outgoing SMTP would use that gateway.

It's a mess either way, and probably needs a re-design.

Thanks for the input!
0
 
snowdog_2112Author Commented:
Sometimes the answer is: it ain't gonna work.
0

Featured Post

Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

  • 8
  • 5
Tackle projects and never again get stuck behind a technical roadblock.
Join Now