Help with multihomed server

kt

Diamond Member
Apr 1, 2000
6,032
1,348
136
Here's how the server is configured.

2 NICs

NIC1 is configured with an internal IP address with a default gateway.

NIC2 is configured with an external IP address without a default gateway.

I want all outgoing packets to go through the internal IP address even if the requests were made from the external network. This was working for a while, then it suddenly stopped working. Is there something I should add to the routing table? The server is running Windows 2003, btw.

 

randal

Golden Member
Jun 3, 2001
1,890
0
76
If a packet comes in on NIC2, it will try to go back out on NIC2. Same for NIC1. Replying to external requests from the internal interface is probably not going to happen, but you could experiment by removing the external NIC's default gateway, or editing your route priorities ("Metric" in the advanced tab).
 

kt

Diamond Member
Apr 1, 2000
6,032
1,348
136
I didn't set a default gateway for the external NIC. So all outgoing traffic should go out through default gateway configured for NIC1.

And for clarification, the internal interface can access the internet. It just has to go through our firewall to do so. So replying to external requests using the internal interface should be possible, in theory.
 

randal

Golden Member
Jun 3, 2001
1,890
0
76
You are correct on your first line there, except in the case that the External NIC receives LAN traffic - it will still reply directly.

Theoretically I guess it could be done with some packet forwarding / next-hop / divert software, but realistically I don't see an easy solution to making replies go out the `wrong` nic. I mean, I don't think the client would even accept the packets, as the External IP and the Internal/NAT'd/Firewalled IPs have to differ -- meaning that the client would be receiving the reply from a differing IP address / non-initiated tcp session, and subsequently drop it.

I'm sure some of the heavyweights in here might be able to chime in with something more knowledgeable, though.
 

ScottMac

Moderator, Networking, Elite member
Mar 19, 2001
5,471
2
0
Um, actually, once the packet has been received, the host forgets where it came from and uses the Default Gateway for all non-local transmission.

The arp table will have entries for the internal address, the ISP gateway router, and any broadcast addresses it hears on the switch or from the ISP - like all the arp broadcasts on a cable network (or all traffic heard on a hub).

The issue, if there is one, is which address the ISP has for the account. Obviously, you'll need (at least) two addresses, but if you're using a stateful firewall, you're gonna confuse the heck out of it (and / or a software firewall on the host ... since a session was opened with the internal address and gets a response from the external address ... the session probably never gets set up and is dropped). Split routes are usually not supported by (at least consumer-grade) firewalls.

If the ISP has a stateful filter set up, you could lose some traffic there as well.

Another issue would be the source address in the packet. Any NAT on the outbound side should replace the inside address with the outside address of the NATing device. That is the address that the receiving host will return the packet to.

That could be handled by putting the "outside" interface in the router / firewall's DMZ: Then all the traffic comes and goes through the same external interface, but a rule can be set up to forward all inbound traffic to the "outside" interface of the host.

I'm sure there's a few more wrinkles ....

It's a strange thing you're trying to do.

Good Luck

Merry Christmas / Happy New Year!

Scott
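The route-selection behaviour ScottMac and randal describe (the host does not remember the inbound NIC; it routes the reply by longest prefix match and then lowest metric, and a NATing firewall in front of the internal NIC rewrites the source so the client drops the reply) can be walked through in a small model. This is an added example, not code from the thread or from Windows; the interface names, metrics, the assumption that NIC1's gateway is a NATing stateful firewall, and all addresses (RFC 1918 / RFC 5737 ranges) are constructed for illustration.

```python
"""Route selection on a multihomed host with one default gateway.

Added example, not code from the thread. Models the behaviour described in
the posts above: a reply is routed like any other outbound packet (longest
prefix, then lowest metric), it keeps the address the client talked to as its
source, and a NATing firewall on the NIC1 path rewrites that source.
All addresses, interface names and metrics are constructed assumptions.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    network: IPv4Network
    gateway: Optional[IPv4Address]  # None means directly connected
    interface: str
    metric: int


def select_route(table: List[Route], dst: str) -> Optional[Route]:
    """Best route for dst: longest prefix wins, then the lowest metric."""
    target = ip_address(dst)
    candidates = [r for r in table if target in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.metric))


def build_table(nic2_gateway: Optional[str] = None, nic2_metric: int = 20) -> List[Route]:
    """Routing table for the server as described: NIC1 internal with a default
    gateway, NIC2 external without one. Passing nic2_gateway adds a second
    default route so the metric tie-break randal mentions can be observed."""
    table = [
        Route(ip_network("192.168.10.0/24"), None, "NIC1", 10),                  # constructed LAN
        Route(ip_network("203.0.113.0/24"), None, "NIC2", 10),                   # constructed external segment
        Route(ip_network("0.0.0.0/0"), ip_address("192.168.10.1"), "NIC1", 10),  # the only default gateway
    ]
    if nic2_gateway is not None:
        table.append(Route(ip_network("0.0.0.0/0"), ip_address(nic2_gateway), "NIC2", nic2_metric))
    return table


def reply_path(table: List[Route], client_ip: str, requested_ip: str) -> Tuple[str, str, str]:
    """(egress interface, next hop, source address) of the reply to client_ip.

    The reply's source stays requested_ip, the address the client connected to,
    no matter which interface the route picks. That is ScottMac's point: a
    packet leaving NIC1 may carry NIC2's address.
    """
    route = select_route(table, client_ip)
    if route is None:
        raise ValueError(f"no route to {client_ip}")
    next_hop = str(route.gateway) if route.gateway is not None else "direct"
    return route.interface, next_hop, requested_ip


def client_accepts_reply(table: List[Route], client_ip: str, requested_ip: str,
                         nat_public_ip: str) -> bool:
    """Assumption: NIC1's default gateway is a NATing stateful firewall that
    rewrites the source of everything it forwards to nat_public_ip, while NIC2
    is routed without NAT. The client keeps a session keyed on the address it
    opened, so it accepts the reply only if the source still matches."""
    iface, _, src = reply_path(table, client_ip, requested_ip)
    if iface == "NIC1":
        src = nat_public_ip
    return src == requested_ip


if __name__ == "__main__":
    EXTERNAL_IP = "203.0.113.20"     # constructed address on NIC2
    INTERNET_CLIENT = "198.51.100.7"  # constructed remote client
    FIREWALL_PUBLIC = "192.0.2.1"     # constructed NAT address of NIC1's gateway

    table = build_table()  # the thread's configuration: no gateway on NIC2
    print(reply_path(table, INTERNET_CLIENT, EXTERNAL_IP))          # leaves NIC1 via 192.168.10.1
    print(reply_path(table, "203.0.113.9", EXTERNAL_IP))            # same-segment client: NIC2, direct
    print(client_accepts_reply(table, INTERNET_CLIENT, EXTERNAL_IP, FIREWALL_PUBLIC))  # False: NAT changed the source

    better = build_table(nic2_gateway="203.0.113.1", nic2_metric=5)  # lower metric on NIC2 wins
    print(reply_path(better, INTERNET_CLIENT, EXTERNAL_IP))          # leaves NIC2 via 203.0.113.1
    print(client_accepts_reply(better, INTERNET_CLIENT, EXTERNAL_IP, FIREWALL_PUBLIC))  # True
```

With the thread's configuration the model sends the reply out NIC1 regardless of where the request arrived, and the NAT rewrite on that path is exactly what makes the client discard it; a client on NIC2's own segment is answered on NIC2 because the connected route has the longer prefix. Adding a default route on NIC2 only changes the outcome when its metric is lower than NIC1's.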