2 Gateway's on 1 NIC on Windows Server 2003

Discussion in 'Server Networking' started by Jwolfer, Apr 27, 2005.

  1. Jwolfer

    Jwolfer Guest

    Greetings all,

    Here is my situation.

    I have 2 internet connections to our company.

    1. Comcast Cable Service
    2. A local ISP DSL

    This is necessary due to the fact that since we host our own mail server, we
    need to have reverse DNS resolution. Something Comcast does not offer. Only
    in/out bound email travels through the DSL. All other web traffic uses
    Comcast.

    My company network has ip info such as:

    192.168.1.DHCP
    255.255.255.0
    192.168.1.1

    I have a linksys router on the dsl service that routes packets to our
    server. My server has 1 NIC in it.

    Because the router has an IP addy of 1.250, I need to designate the Gateway
    of 1.250

    So, while the network clients point to 1.1 for a gateway, my server uses
    1.250 for its gateway. This is presenting a problem when communicating with
    that server. If a client with 1.1 connects to it, some small problems
    arise.

    Is there an effective way to give 2 gateways to 1 NIC, or maybe even 2 NICs?
    I have tried to enter the second gateway number (1.250) in, and give it a
    metric of 2, while giving 1.1 a metric of 1. But none of the SMTP traffic
    comes through.
     
    Jwolfer, Apr 27, 2005
    #1

  2. No,...almost always,...but sometimes,... yes. I don't understand what you
    are attempting well enough to say. Can you explain in a more focused way
    what you are trying to do.

    I don't want to know about clients pointing here and there and this pointing
    there and that point here. What I want to know is:.......

    You have two INet connections:

    1. Comcast Cable Service
    2. A local ISP DSL

    What do you want to do with each one specifically?

    How does each one connect to your LAN? Using the same device? Separate
    devices?

    What Servers are involved and where/how are they *physically* located with
    respect to these two Connections?
     
    Phillip Windell, Apr 27, 2005
    #2

  3. Jwolfer

    Jwolfer Guest

    Sorry about that.. I sorta figured I wasn't describing this well.

    Here is a link to a JPG image outputted from visio of our network topography.

    http://pride.fites.net/netlayout.jpg

    If you look at the diagram, you will see that on the right side (corporate
    office), we have 2 Inet connections coming in. Each has a different
    router/firewall.

    The Planetcable DSL line comes in, hits the linksys firewall (whose IP is
    192.168.1.250) and forwards any smtp packets through port 25 on to the AV
    Server (which is our company Anti Virus Server), where it is then scanned and
    forwarded onto our SMTP email server.

    The problem is, the AVServer (192.168.1.17) needs to connect to the
    192.168.1.250 linksys router gateway, as well as the rest of our network.
    The rest of the network uses 192.168.1.1 as its gateway.

    Essentially, AVServer does not see Davinci. It sees 192.168.1.9, but not
    the DNS name Davinci.

    So, I would like to have 2 gateways set up on the AVServer, 1 for the
    linksys router side (1.25), and 1 for the rest of the network (1.1)

    That help?
     
    Jwolfer, Apr 27, 2005
    #3
  4. Excellent! If everyone gave a diagram like that life here would be so easy
    it would be a sin!
    1. Get rid of the second Nic in the AV Server. Adjust the PlanetCable box to
    pass the SMTP to 192.168.1.17 instead of 192.168.1.96
    2. Plug *both* DSL Devices into the Switches. Do not plug the PlanetCable
    box into the AV server directly as the diagram shows.
    3. The AV Server will use the PlanetConnect Box as the Default Gateway (It
    is the only machine that does). It will never use the ComCast box, don't
    worry about it,...it is irrelevant.
    4. All the other machines will use the ComCast Box as the Default Gateway.
    They will use the PlanetConnect box to get to the Corp LAN due to my next
    comment, #5.
    5. On the ComCast box, add a Static Route that tells it to use 192.168.1.250
    as the Gateway to 192.168.10.1
    Your dual NICs are causing this. If you do what I described above then this
    problem won't even exist to begin with.

    For further details concerning DNS,...you should have your DNS setup as
    described below,...if you already do, then good,...if not, you'd better
    change it.

    All devices,..everything,... must use your Active Directory DNS Server as
    their DNS Server,...and only that server(s). Your ISP's DNS (nor the DSL
    Devices) should ever appear in any of the network settings of any device on
    your LAN,...ever.

    Then,...within the configuration of the AD DNS Server itself find the
    Forwarder List.

    MMC--> Servername ---> Properties ---> Forwarders Tab

    List the ISP's DNS Server(s) here.
     
    Phillip Windell, Apr 28, 2005
    #4
  5. Jwolfer

    Jwolfer Guest

    Sorry for the delayed response. I rolled out exchange server last week, so
    this got put on hold.

    I feel that I am right with you on the theory of this... but just not sure
    how to actually accomplish it.

    You are saying to add a static route on davinci? or on avserver?

    remote users are using 192.168.10.1 for a gateway, coming through the VPN,
    hitting the comcast modem, and then the pix firewall/vpn. Then they hop onto
    our network just like everyone else.

    So, which server do I need to add the static route to?
     
    Jwolfer, May 9, 2005
    #5
  6. Static routes only affect "1 hop" so the Static route goes on the device
    that immediately precedes the "next hop". In other words it goes on the
    Device that has to make the decision, and decisions are always asking "what
    is the next hop?",...not... "what is the hop after the next hop?"
     
    Phillip Windell, May 9, 2005
    #6
  7. Jwolfer

    Jwolfer Guest

    Next hop from who to who?

    This is where I am confused.

    The pix firewall sits on the same switch as the servers. So does the switch
    need to be configured for routing?

    I guess I didn't understand as much as I thought.
     
    Jwolfer, May 9, 2005
    #7
  8. Jwolfer

    Neteng Guest

    A switch can't route (let's keep the layer3 switch out of this one). You need
    the default gateway to be the inside address of your PIX. Philip is correct
    in what he stated, but I'll try and explain it another way. Let's say you
    have three routers in a line. If you're on router 1 and you want to get to
    router 3, you will have to go through router 2. If you set your default
    gateway to router 3 you may or may not get there. Why? If router 2 knows how
    to get to router 3, you'll be OK. If router 2 doesn't know how to get to
    router 3 your traffic will die there. No matter what route statements you
    put in router 1, you'll never get there if router 2 does not know how to get
    there. A good test is from router 1 do a traceroute to router 3 and see if
    it crosses router 2. If it does, router 2 knows where to go! If it fails,
    either router 1 or router 2 does not know where to go. The next step is get on
    router 2 and ping router 3. If it pings, it knows how to get there and the
    problem is on router 1. If it can't get there, look at the route table
    because the problem is on router 2.
    BTW I've never seen a windows box that has two IP's on one NIC that can
    route off its configured subnets. If you get it working, please post for
    the rest of us.

    HTH
     
    Neteng, May 9, 2005
    #8
  9. Jwolfer

    Jwolfer Guest

    I understand all of that, but I appreciate your reply.

    What I am getting from all of this, is I need to have 1 NIC enabled on this
    particular server.

    It has the IP 192.168.1.17
    SNM 255.255.255.0
    GW 192.168.1.250

    Clients who have an IP of 192.168.1.1xx and a GW of 192.168.1.1 can see the
    server just fine. Clients who have an IP of 192.168.10.1xx and a GW of
    192.168.10.1 cannot.

    So essentially, any PC with a GW of 192.168.10.1 cannot see a gateway of
    192.168.1.250.

    I need to know how to do a static route that fixes that.
     
    Jwolfer, May 9, 2005
    #9
  10. Jwolfer

    Neteng Guest

    I need a little more background. What is the device (router/firewall) at
    192.168.1.250? Why do your clients have a different gw than your server? Is
    the server supposed to be their gw? How does the 192.168.10.x network
    connect to 192.168.1.x network (does this connect to the same router as
    192.168.1.250 or is this your secondary IP on the server or ....)?
     
    Neteng, May 9, 2005
    #10
  11. Jwolfer

    Jwolfer Guest

    Here is a network diagram.

    http://pride.fites.net/netlayout.jpg

    We have 2 ISP connections. 1 Comcast Cable and 1 PlanetCable DSL

    The reason for this is that comcast will not reverse resolve our Mail
    Server's IP address/and/or name. So we use a local isp to handle our email
    routing and dns service.

    Comcast has the speed though, so that is what we have our VPN tunnel coming
    in through, as well as all internet activity and FTP.

    Essentially what is going on here is... for my AV server to process incoming
    email for virus control and spam filtering, it has to have the same
    gateway as the router connected to the DSL modem (1.250)... and NOT that of
    the router connected to the Cable modem (1.1).

    All clients point to the gateway of the cable modem (1.1)

    My clients at our remote office have a gateway of their router connected to
    their internet connection (10.1)

    10.1 can see 1.1 just fine. 1.1 can see 1.250 just fine, but 10.1 cannot
    see 1.250 at all.

    I currently have 1 NIC in my AV server. It's connected to the same switch
    that my 2 routers are connected to. So, to direct traffic in/out of the DSL
    line, it has to have the same GW IP as the router connected to the DSL line
    (1.250)

    The problem is, my 10.x clients cannot see my AV server (cannot even ping
    it) since the AV Server is on 1.250

    Hope that helps.
     
    Jwolfer, May 10, 2005
    #11
  12. Jwolfer

    Neteng Guest

    OK, from the AVServer, you can not ping anything on 192.168.10.x correct? It
    only has two routes, one for the local subnet, 192.168.1.x and one default
    route for all other traffic, 0.0.0.0 pointing to 192.168.1.250. (I know you
    know this, just keeping it straight in my head). To get to the 192.168.10.x
    network, you need the following static route in the AVServer.

    route ADD 192.168.10.0 MASK 255.255.255.0 192.168.1.1 -p

    The -p is to set it persistent, so it won't disappear after a reboot. Try
    this and let me know how it goes.
     
    Neteng, May 10, 2005
    #12
  13. Jwolfer

    Jwolfer Guest

    This fixed the problem. Thanks a million for your help! And now I have a
    better understanding of how this all works. Thanks everyone!
     
    Jwolfer, May 10, 2005
    #13
  14. Jwolfer

    Neteng Guest

    good to hear

     
    Neteng, May 10, 2005
    #14
  15. You never fixed to one huge issue that I told you to correct several weeks
    ago, unless you just haven't updated the diagram.

    The physical link that runs directly between the PlanetCable DSL Device and
    the AV Server must be eliminated.

    The AVServer must run only one Nic (192.168.1.17)

    Both DSL Devices must connect into the LAN at Layer#2 (the Switches) just as
    the Comcast DSL Device is already doing.

    The AVServer,... according to your requirements last time we dealt with
    this,...must use the PlanetConnect DSL Device (192.168.1.250) as its Default
    Gateway.

    All other machines except for the AVServer must use the Comcast Device as
    their Default Gateway (192.168.1.1). The machines then will all need
    (except the AVServer) a Static Route that uses 192.168.1.250 as the
    "gateway" to network 192.168.10.*

    "C:\> Route add 192.168.10.0 mask 255.255.255.0 192.168.1.250 -p"
     
    Phillip Windell, May 10, 2005
    #15
  16. Jwolfer

    Neteng Guest

    That's incorrect. You're adding an additional hop. Also, you should never
    create a static route on all the client PC's. You're telling all client
    traffic, if you want to get to 192.168.10.x go to the Planet router. The
    Planet router hopefully has a route to 192.168.10.x, but maybe not. Let's
    assume it does (that route would be 192.168.10.0 255.255.255.0 192.168.1.1).
    The Planet router then forwards all traffic for 192.168.10.x to the Comcast
    Router because it's the VPN endpoint and knows about that remote subnet. Now
    let's say the AVServer is only connected to the Planet router and not the
    access switch. You would want to create a host route on the routers for
    192.168.1.17.

     
    Neteng, May 10, 2005
    #16
  17. No it isn't. There is no additional hop,...it is just that all the machines
    (except the AVServer) normally use the Comcast Device for Internet traffic,
    but to get to the Remote Office (192.168.10.1) they have to use a different
    Gateway than the Default,....So,...it isn't an additional Hop, it is just
    using a different gateway,...that is not the same thing. It would only be
    an additional Hop if it went through the Comcast Device to get to the
    PlanetCable Device, but that is not what it is doing.
    That's my line. I'm always telling people that. :)
    Yes,...if the ComCast Device can accept "Static Routes" then you could place
    just the one static route only on the ComCast Device telling it that all
    traffic to 192.168.10.0 uses 192.168.1.250. If it can do that, great,
    excellent,..that is the best way to go and you only have to worry about one
    static route on one device,...but I don't know that it is capable of doing
    that.
    It does. That is one of its primary reasons to exist.
    The AVServer has two Nics with one connected to the PlanetCable Device and
    one Nic connected to the LAN Switch. Both Nics are in the same subnet (the
    diagram just doesn't show both addresses). That is a bad design. It should
    only have one NIC. The original intent was that the AV Server use the
    PlanetCable Device for Internet Access instead of the Comcast one. All other
    machines are supposed to use the Comcast Device instead of the PlanetCable
    Device. What I suggested both then and now does exactly what is supposed to
    be done,...the only question is if the Comcast Device can accept static
    routes or not,....if it can,... then add the "route" there,..if not,..then
    it has to be done on every individual machine because there is no "LAN
    Router" since the LAN is a single subnet (192.168.1.0).

    He and I have dealt with this quite some time ago, so I am familiar with the
    context he is dealing with. Ironically I had just thrown out the printouts
    of the diagram this morning because I didn't think I would need them anymore
    and they had been cluttering my desk for the last week or so.
     
    Phillip Windell, May 10, 2005
    #17
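Added example (not posted by anyone in this thread): a small Python model of the route lookups the posts above walk through, from Neteng's "what is the next hop?" explanation (#8) to the `route ADD ... -p` fix (#12) and the question in #15-#17 of where a static route has to live. The device tables are constructed from the diagram as the thread describes it (assumption: they are inferred from the discussion, not copied from any real router or server config), and the `LanClient` and `RemoteClient` addresses are made up. Each device decides only its own next hop by longest-prefix match; tracing both directions of a ping shows why the echo request reaches the AV server but the reply goes out the DSL router, why one static route on the AV server fixes that, and what a per-client route via 192.168.1.250 depends on.

```python
"""Longest-prefix-match lookup and hop-by-hop trace over the thread's topology.

The device tables below are constructed from the discussion (assumption:
they are inferred, not copied from any real router or server config).
"""
import ipaddress
from copy import deepcopy

INTERNET = "INTERNET"  # sentinel gateway: the packet is handed to the ISP

# Device -> list of (prefix, gateway). gateway None = on-link delivery,
# an IP string = forward to that next hop, INTERNET = leaves the LAN.
TABLES = {
    "RemoteClient(192.168.10.100)": [           # made-up remote-office PC
        ("192.168.10.0/24", None),
        ("0.0.0.0/0", "192.168.10.1"),
    ],
    "RemoteRouter(192.168.10.1)": [
        ("192.168.10.0/24", None),
        ("192.168.1.0/24", "192.168.1.1"),      # VPN tunnel to the Comcast/PIX side
        ("0.0.0.0/0", INTERNET),
    ],
    "Comcast(192.168.1.1)": [
        ("192.168.1.0/24", None),
        ("192.168.10.0/24", "192.168.10.1"),    # VPN endpoint knows the remote LAN
        ("0.0.0.0/0", INTERNET),
    ],
    "Planet(192.168.1.250)": [
        ("192.168.1.0/24", None),
        ("0.0.0.0/0", INTERNET),                # DSL box knows nothing about 10.x
    ],
    "LanClient(192.168.1.100)": [               # made-up corporate PC
        ("192.168.1.0/24", None),
        ("0.0.0.0/0", "192.168.1.1"),
    ],
    "AVServer(192.168.1.17)": [
        ("192.168.1.0/24", None),
        ("0.0.0.0/0", "192.168.1.250"),         # default gateway = DSL router
    ],
}


def owner_of(tables, ip):
    """Map an address to the device holding it (addresses live in the names)."""
    for name in tables:
        if name.endswith(f"({ip})"):
            return name
    return None


def lookup(table, dst):
    """Longest-prefix match: the most specific prefix containing dst wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best  # (network, gateway) or None when nothing matches


def trace(tables, src, dst, max_hops=8):
    """Walk a packet from src to dst; each device consults only its own table."""
    path, dev = [src], src
    for _ in range(max_hops):
        if dev == owner_of(tables, dst):
            return path, "delivered"
        hit = lookup(tables[dev], dst)
        if hit is None:
            return path, f"{dev}: no route to {dst}"
        gw = hit[1]
        if gw == INTERNET:
            return path, f"{dev}: handed to the ISP, private {dst} is unreachable"
        nxt = owner_of(tables, dst if gw is None else gw)
        if nxt is None:
            return path, f"{dev}: next hop {gw} is not on this network"
        path.append(nxt)
        dev = nxt
    return path, "hop limit exceeded"


def with_route(tables, device, prefix, gateway):
    """Copy of tables with one extra static route (what 'route ADD ... -p' does)."""
    new = deepcopy(tables)
    new[device].append((prefix, gateway))
    return new


if __name__ == "__main__":
    # Echo request from the remote office reaches the AV server ...
    print(trace(TABLES, "RemoteClient(192.168.10.100)", "192.168.1.17"))
    # ... but the reply follows the AV server's default route out the DSL line.
    print(trace(TABLES, "AVServer(192.168.1.17)", "192.168.10.100"))
    # Neteng's fix: route ADD 192.168.10.0 MASK 255.255.255.0 192.168.1.1 -p
    fixed = with_route(TABLES, "AVServer(192.168.1.17)", "192.168.10.0/24", "192.168.1.1")
    print(trace(fixed, "AVServer(192.168.1.17)", "192.168.10.100"))
    # A per-client route via the DSL router only works if that router itself
    # knows where 192.168.10.0/24 is, and the path then crosses both routers.
    per_client = with_route(TABLES, "LanClient(192.168.1.100)", "192.168.10.0/24", "192.168.1.250")
    print(trace(per_client, "LanClient(192.168.1.100)", "192.168.10.100"))
```

Running it prints the traces in order. The design point the model makes explicit: a route only ever influences the device it is installed on, so you check each hop's table in turn (traceroute does that for you on a real network) instead of reasoning about the path end to end.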
