Routing Table Issue

Discussion in 'Server Networking' started by DHK, Jul 15, 2009.

  1. DHK

    DHK Guest

    Dear MS Support Engineer:

    This is a re-post of a previous discussion. Unfortunately for me, I did not
    have my profile setup correctly beforehand. Therefore, you did not know to
    respond. I would appreciate your advice in this issue:

    My client has Windows Server 2003 R2 Standard Edition SP2. It has two NICs
    installed. 192.168.10.x is to an internal network. 192.168.20.x is only
    attached to a firewall and the Internet. The metrics are supposed to give
    priority to
    192.168.20.x, but it isn't working out that way. I have written a bat file
    for modifying the routing table, but it isn't working.

    I have included a portion of the routing table below immediately following
    a restart of the server:
    Active Routes:
    Network Destination Netmask Gateway Interface Metric
    0.0.0.0 0.0.0.0 192.168.10.254 192.168.10.2 10
    0.0.0.0 0.0.0.0 192.168.20.254 192.168.20.5 10
    127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
    192.168.10.0 255.255.255.0 192.168.10.2 192.168.10.2 10
    192.168.10.2 255.255.255.255 127.0.0.1 127.0.0.1 10
    192.168.10.255 255.255.255.255 192.168.10.2 192.168.10.2 10
    192.168.20.0 255.255.255.0 192.168.20.5 192.168.20.5 10
    192.168.20.5 255.255.255.255 127.0.0.1 127.0.0.1 10
    192.168.20.255 255.255.255.255 192.168.20.5 192.168.20.5 10
    224.0.0.0 240.0.0.0 192.168.10.2 192.168.10.2 10
    224.0.0.0 240.0.0.0 192.168.20.5 192.168.20.5 10
    255.255.255.255 255.255.255.255 192.168.10.2 192.168.10.2 1
    255.255.255.255 255.255.255.255 192.168.20.5 192.168.20.5 1
    Default Gateway: 192.168.10.254

    The .bat file I use to modify the routing table is as follows. It is run
    every time the system restarts:
    route change 0.0.0.0 Mask 0.0.0.0 192.168.20.254 Metric 10 IF 0x10004
    route change 0.0.0.0 Mask 0.0.0.0 192.168.10.254 Metric 20 IF 0x10003

    When I run the bat file manually, it does not change the routing table
    metrics.

    If the server is left alone, a user is able to access the server via the
    external address. The router forwards all traffic to 192.168.20.x. A full TCP
    session is established and sustained. However, after a few days, the routing
    table changes as follows:
    ===========================================================================
    Active Routes:
    Network Destination Netmask Gateway Interface Metric
    0.0.0.0 0.0.0.0 192.168.10.254 192.168.10.2 10
    0.0.0.0 0.0.0.0 192.168.20.254 192.168.20.5 20
    127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
    192.168.10.0 255.255.255.0 192.168.10.2 192.168.10.2 10
    192.168.10.2 255.255.255.255 127.0.0.1 127.0.0.1 10
    192.168.10.255 255.255.255.255 192.168.10.2 192.168.10.2 10
    192.168.20.0 255.255.255.0 192.168.20.5 192.168.20.5 20
    192.168.20.5 255.255.255.255 127.0.0.1 127.0.0.1 20
    192.168.20.255 255.255.255.255 192.168.20.5 192.168.20.5 20
    224.0.0.0 240.0.0.0 192.168.10.2 192.168.10.2 10
    224.0.0.0 240.0.0.0 192.168.20.5 192.168.20.5 20
    255.255.255.255 255.255.255.255 192.168.10.2 192.168.10.2 1
    255.255.255.255 255.255.255.255 192.168.20.5 192.168.20.5 1
    Default Gateway: 192.168.10.254

    This issue was addressed more than a year ago and for reasons unknown to me,
    the problem has returned.

    I did notice that the default gateway is the 192.168.10.x network, not the
    192.168.20.x network. Is that part of the problem?

    Can you advise me how I can fix this issue?

    Thanks.
     
    DHK, Jul 15, 2009
    #1

  2. Hello DHK,

    You should avoid multihoming a server, as you did. The easiest way is to
    use one NIC on the server and connect all machines to the same switch. Connect
    the firewall there as well and use it as the DG for all machines, so the
    network is secured by the firewall and you have no communication problem.

    Best regards

    Meinolf Weber
     
    Meinolf Weber [MVP-DS], Jul 15, 2009
    #2


  3. I agree with Meinolf regarding multihoming. Also worse, it appears there are
    two gateways. You can only have one on any given machine.

    --
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Please reply back to the newsgroup or forum to benefit from collaboration
    among responding engineers, and to help others benefit from your resolution.

    Ace Fekay, MCT, MCSE, MCSA 2003 & 2000, MCSA Messaging
    Microsoft Certified Trainer

    http://twitter.com/acefekay

    For urgent issues, you may want to contact Microsoft PSS directly. Please
    check http://support.microsoft.com for regional support phone numbers.
     
    Ace Fekay [MCT], Jul 15, 2009
    #3
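    The two tables DHK posted, together with Ace's point that a machine should have only one default gateway, can be checked mechanically. The script below is an added example, not code from the thread or from Microsoft: it parses the Active Routes section of `route print` output (the sample rows are re-typed from DHK's two tables as constructed input) and reports whether the 0.0.0.0 routes tie on metric or one shadows the other.

```python
"""Flag the multi-homing mistake from this thread: several 0.0.0.0/0
(default) routes in a Windows `route print` IPv4 table.
Added example; the two tables below are constructed from DHK's posts."""
import re

# Constructed input: DHK's table right after a restart (both defaults metric 10).
AFTER_RESTART = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0   192.168.10.254     192.168.10.2     10
          0.0.0.0          0.0.0.0   192.168.20.254     192.168.20.5     10
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
     192.168.10.0    255.255.255.0     192.168.10.2     192.168.10.2     10
     192.168.20.0    255.255.255.0     192.168.20.5     192.168.20.5     10
Default Gateway:    192.168.10.254
"""
# Constructed input: the table DHK saw a few days later (second default at 20).
DAYS_LATER = """\
          0.0.0.0          0.0.0.0   192.168.10.254     192.168.10.2     10
          0.0.0.0          0.0.0.0   192.168.20.254     192.168.20.5     20
"""

# One route row: four dotted-quad columns followed by an integer metric.
ROW = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
                 r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$")

def parse_routes(text):
    """Return (dest, mask, gateway, interface, metric) tuples; header,
    'Default Gateway:' and separator lines do not match ROW and are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            dest, mask, gw, iface, metric = m.groups()
            routes.append((dest, mask, gw, iface, int(metric)))
    return routes

def check_default_gateways(routes):
    """Classify the default-route situation. Returns (status, gateways):
    'ok' (one default), 'none', 'tie' (several defaults share the best
    metric, so the admin does not control which one is used) or
    'shadowed' (several, but one strictly lower metric wins)."""
    defaults = [r for r in routes if r[0] == "0.0.0.0" and r[1] == "0.0.0.0"]
    if not defaults:
        return "none", []
    if len(defaults) == 1:
        return "ok", [defaults[0][2]]
    best = min(r[4] for r in defaults)
    winners = [r[2] for r in defaults if r[4] == best]
    return ("tie" if len(winners) > 1 else "shadowed"), winners
```

Run it against the full output of `route print` on the server in question to see which of the two states the box is in; the fix the thread converges on is a single NIC with a single default gateway, not a lower metric.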
  4. DHK

    Bill Grant Guest

    I agree also. Don't try to outsmart the software by writing batch files.
    Set it up correctly.
     
    Bill Grant, Jul 16, 2009
    #4
  5. DHK

    DHK Guest

    Dear Meinolf:

    In brief, the client modified his requirement so that the multi-homed server
    only required access from the internal network.

    Originally, the end user also wanted access via the Internet, thus the extra
    firewall/router.

    So I disabled the second network card. If the end user changes his mind
    down the road, I'll be sure to post here my question regarding how to
    reconfigure the server.

    Thanks for your assistance.
    Herb Kolodny
     
    DHK, Jul 16, 2009
    #5
  6. Hello,

    Thank you for posting here.

    According to your description, I understand that:

    You have a routing table issue on the Windows Server 2003 R2 server with 2
    NICs.

    If I have misunderstood the problem, please don't hesitate to let me know.

    Yes, first of all, we don't recommend configuring a server multi-homed
    because of the malfunction of some legacy services such as the Browser
    service. If you want to configure the server multi-homed to make it act as
    a gateway/router, it is OK. All you need to do is to have a consistent
    routing table on the server.

    On this issue, please answer the following questions so that we have a clear
    understanding of your environment:

    1. What is the topology of your network? Is it like:

    Internet
    |
    |
    |
    |
    Firewall
    |
    |
    |
    (192.168.20.x)
    Windows Server 2003 R2
    (192.168.10.x)
    |
    |
    |
    <Switch>
    |
    |
    |
    Clients

    If I understand incorrectly, could you please explain your topology (with
    illustration if possible)?

    2. As the Windows Server 2003 R2 has the interface 192.168.10.x connected
    to the internal network, why do you need a default gateway on the internal
    interface?

    If you have any questions or concerns, please do not hesitate to let me
    know.




    Best regards,

    Miles Li

    Microsoft Online Newsgroup Support

    ==================================================================
    Please post your SBS 2008 related questions to the SBS newsgroup on Connect
    website:
    https://connect.microsoft.com/sbs08/community/discussion/richui/default.aspx


    Please post your EBS related questions to the EBS newsgroup on Connect
    website:
    https://connect.microsoft.com/ebs08/community/discussion/richui/default.aspx


    If you want to use a newsreader other than a web forum to access these
    newsgroups,
    please refer to the following blog to apply NNTP password and configure a
    newsreader:
    http://msmvps.com/blogs/bradley/archive/2008/11/02/signing-up-for-the-sbs-2008-newsgroups.aspx
    ==================================================================
    When responding to posts, please "Reply to Group" via your newsreader so
    that others may learn and benefit from your issue.
    ==================================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.
    ==================================================================
     
    Miles Li [MSFT], Jul 16, 2009
    #6
  7. DHK

    DHK Guest

    Hello Miles. Thanks for your response.

    Yes, you have the correct network topology.
    Yes, the 192.168.10.x network is also connected to the Internet.
    FYI, the 192.168.20.x firewall is configured to allow http and https traffic
    only to pass.

    Regarding your question of why I needed to define a default gateway on the
    internal interface: it was from ignorance that I did it. I thought that I
    had to do it. This is my first and only multi-homed server configuration.

    Regarding the browser service, is there a KB article you can recommend I
    read that explains what bad things would happen?

    Best regards.
    DHK
     
    DHK, Jul 16, 2009
    #7
  8. What happens with the browser service with two NICs is that it tries to
    register the machine's computer (NetBIOS) name with both IPs, which
    causes a duplicate name error. Keep in mind with NetBIOS, names must be
    unique. Remember the old TV show Bob Newhart, when the one guy introduced
    his brother Larry, and his other brother Larry? That's not possible with
    NetBIOS names. One way to alleviate this is to disable NetBIOS on the outer
    interface, as well as Microsoft File and Print services (which disables the
    server service on the outer interface).

    The following are some links on multihomed browsers:

    Symptoms of multihomed browsers
    If a client requested a list of servers from a multihomed browser server,
    .... To prevent multihomed Microsoft Windows NT servers from becoming
    browser ...
    http://support.microsoft.com/kb/191611

    Common causes and solutions of browser Event ID 8021 and Event ID ...
    For correct browser operation, you should not operate multihomed Windows NT
    4.0 PDCs or Windows 2000 and later PDC Emulators. ...
    http://support.microsoft.com/kb/135404

    Troubleshooting multihomed master browser issue
    It is not recommended to set up a multihomed server as a domain controller.
    If you do, you may experience master browser issues and receive Event ID
    8021 - The ...
    www.chicagotech.net/troubleshooting/masterbrowser1.htm


    Hopefully this machine will not be a domain controller, or it extremely
    complicates things if multihomed due to the DNS SRV and other data that gets
    registered into DNS, which can effectively disable or cause AD to
    malfunction. If you decide to make this a DC, I can provide you a complete
    step by step to alter the DC to make it work as a DC. Of course it has
    registry alterations to control DNS registration. However I do recommend to
    not go this route with a DC, and simply get an inexpensive firewall to
    handle the tasks controlling network/internet traffic.

    Ace
     
    Ace Fekay [MCT], Jul 16, 2009
    #8
  9. Hello,

    Thanks for the update. Also thanks for the great sharing from Ace.

    From the description that 192.168.10.x network is also connected to the
    Internet, I'd like to know the topology of your network.

    Why do you need 2 NICs both connected to the Internet? Is it possible to
    reconfigure the server's connection and change it to a 1 NIC scenario?

    If you have any questions or concerns, please do not hesitate to let me
    know.



    Best regards,

    Miles Li

    Microsoft Online Newsgroup Support

     
    Miles Li [MSFT], Jul 17, 2009
    #9
  10. DHK

    DHK Guest

    Dear Ace and Miles.

    Ace, many thanks for the list of KB articles. I will be checking them out
    immediately.
    No, the server is not a domain controller. It is just an app server.

    Miles, the computer has been changed to a 1 NIC configuration already. I did
    it by disabling the NIC going to the 192.168.20.x network. The only network
    now is the 192.168.10.x which serves all the internal clients.

    Network Topology Goals: The original network is 192.168.10.x. It is a
    classic single domain controller on a single subnet. When the second network
    was set up, it was not connected to the first. A separate external IP address
    fed into a separate router/firewall dedicated to 192.168.20.x. The server in
    question is/was the only device. It is a dedicated web server for external
    access. Later, the user requested access from the internal network to permit
    file transfers. Without knowing the implications, I simply connected the two
    and tweaked the routing table, or at least I tried to. I did it that way
    because it was easier than configuring the first router with a DMZ. This
    client uses Watchguard Edge e-series routers.

    Based on the feedback I received on this posting, if and when the client
    wants it both ways, I should set up the DMZ, yes?

    DHK
     
    DHK, Jul 17, 2009
    #10
  11. Hi DHK,

    You are welcome for the links.

    Does your customer need a DMZ? What is the purpose of the DMZ, and why would
    you want an internal File/Print server sitting out in the cold exposed to
    the elements, so to speak?

    From what you've described, and from reading back in the thread, it seems
    the customer wants to access the F/P server from the internet. I wouldn't
    expose it directly, whether with an interface on the outside/DMZ or through
    a re-map. What I would suggest is to utilize the Watchguard's VPN functions
    and set up their workstations with the Watchguard VPN client, or provide
    instructions for them to set up their home machines with the client, to
    access the internal network using VPN. This allows increased security, as
    well as the ability to access all resources, and not just this machine.

    Ace
     
    Ace Fekay [MCT], Jul 17, 2009
    #11
  12. DHK

    DHK Guest

    Hello Ace.

    You make good points. The server's primary task is to support a website.
    Users logon, but there is no VPN like protection for the box.

    You made me realize that even though its principal task isn't as a file and
    print server, I haven't disabled those services. If I ever put it 'out in
    the cold' again, I'll be sure to harden the server for security.

    Best to all.
    DHK
     
    DHK, Jul 20, 2009
    #12
  13. If it's just a web server, then F/P services, NetBIOS, and many other services can be disabled on it, except ports 80 and 443. You can run the SCW on that machine to secure it so only those two ports are listening. Otherwise, I would put it inside the house, so to speak, and just port remap 80 and 443 to it so they can get to it from the outside. But if you only have one WAN IP and those ports are used for something else, it will not be possible and just leave it outside and secure it.

    Ace
     
    Ace Fekay [MCT], Jul 20, 2009
    #13