Any Way To Route Outbound Packets on Same Interface as Incoming?


CHANGE USERNAME TO westes

What is required in order to force a Windows 2000 host to always route
outbound IP packets to the same interface that they came in on? We have
a mail server that we want to connect to two different ISP networks
simultaneously, and for this to work as we want it to, outbound packets
should go back through the same ISP network they came in.
 
Outbound traffic will follow the routing table, which in W2K can contain only
one active default gateway at a time. You can configure specific routes if you
do not want that traffic to go to the default gateway. Use "route print" to view
the routing table. I noticed that Linksys has a new NAT router that can use two
ISP connections at the same time to balance internet traffic if something like
that would help. --- Steve

http://www.linksys.com/products/product.asp?grid=34&scid=29&prid=589
 
I don't need to load balance at all, so that isn't the issue.

Route tables won't help here. I don't need to make decisions based on
where the packet is *going*. I need to make decisions based on which
interface the packet *arrived from*.

Is there any firewall I could run on a Windows 2000 host that would let me
affect routes based on which interface a packet arrives on?
 
Hi Will.

Not that I know of. W2K uses the routing table to make those decisions. --- Steve
 
Understood. And firewalls like Checkpoint that use Windows IP routing are
subject to playing by Windows' rules. But is there a firewall that does
*not* use Windows IP routing, that maybe implements its own IP stack, and
can do much fancier kinds of routing based on rulesets?

--
Will
westes AT earthbroadcast.com


Steven L Umbach said:
Hi Will.

Not that I know of. W2K uses the routing table to make those
decisions. --- Steve
 
It isn't "Windows Routing"... there is no such thing anyway.

It is TCP/IP routing, and it is across the board for all products. What you
see is simply the way TCP/IP Routing works.

The reason some devices do what you describe is because of packet processing
abilities that go beyond Layer 3 routing, so it is *not* "routing" that you
are describing.
 
Phil, when I say "Windows Routing" what I more precisely mean is the
Microsoft Windows 2000 implementation of IP routing.

Most IP stack implementations provide for a default outgoing route. But
there is nothing in the RFCs that would prevent a vendor from implementing
an option on an IP stack implementation something like "send outbound
packets on same interface as incoming". Moreover, one could imagine an
implementation where each interface has its own routing table. That would
be very useful for some applications.

Regarding going beyond layer 3: Checkpoint's firewall does modify packet
headers based on higher levels of abstraction than IP. But what many
people don't realize is that Checkpoint just re-uses the standard Windows
2000 routing when it finally delivers a packet to an interface. That is
the source of a lot of hassle by the way, since you end up having to create
static arp entries for each of the incoming IP addresses that the firewall
will service.

In any case, it doesn't matter to me whether a box uses its own IP stack, or
whether it uses the standard Windows 2000 IP stack and uses higher level
abstractions to change the source IP to make the packet look like it came
from a different host based on the interface the original packet arrived at.
I just want to find a solution to a specific problem.
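The difference the two posters are circling is easy to see in a small simulation. The block below is an added example, not code from anyone in this thread: a classic routing table does a longest-prefix match on the destination only, with a single 0.0.0.0/0 default (the shape "route print" shows on W2K), while the per-interface table Will imagines selects which table to consult by the local address the session is bound to. The interface names, gateways and addresses (RFC 5737 documentation ranges) are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology (documentation ranges, not the poster's real network):
# one host with an address on each ISP's network, and one outside mail host.
ISP_A_NET = ipaddress.ip_network("192.0.2.0/24")      # interface "ispA"
ISP_B_NET = ipaddress.ip_network("198.51.100.0/24")   # interface "ispB"
ISP_A_ADDR = ipaddress.ip_address("192.0.2.10")       # MX #1 listens here
ISP_B_ADDR = ipaddress.ip_address("198.51.100.10")    # MX #2 listens here
REMOTE = ipaddress.ip_address("203.0.113.25")         # outside SMTP client
DEFAULT = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: str
    iface: str


# Classic table: keyed on destination only, one active default gateway.
DEST_TABLE = [
    Route(ISP_A_NET, "on-link", "ispA"),
    Route(ISP_B_NET, "on-link", "ispB"),
    Route(DEFAULT, "192.0.2.1", "ispA"),   # the single default, via ISP A
]

# Hypothetical per-interface tables: each ISP interface carries its own default.
PER_IFACE_TABLES = {
    "ispA": [Route(ISP_A_NET, "on-link", "ispA"), Route(DEFAULT, "192.0.2.1", "ispA")],
    "ispB": [Route(ISP_B_NET, "on-link", "ispB"), Route(DEFAULT, "198.51.100.1", "ispB")],
}


def destination_lookup(table, dst):
    """Longest-prefix match on the destination address; ignores the source."""
    best = None
    for route in table:
        if dst in route.prefix and (best is None or route.prefix.prefixlen > best.prefix.prefixlen):
            best = route
    return best


def iface_for_local_addr(addr):
    """Which interface owns the local address a reply is sourced from."""
    if addr in ISP_A_NET:
        return "ispA"
    if addr in ISP_B_NET:
        return "ispB"
    raise ValueError(f"{addr} is not a local address")


def policy_lookup(tables, src, dst):
    """Source-selected table, then the usual destination lookup inside it."""
    return destination_lookup(tables[iface_for_local_addr(src)], dst)


def classic_reply_iface(local_addr_str, remote_str):
    """Egress interface for a reply under destination-only routing."""
    return destination_lookup(DEST_TABLE, ipaddress.ip_address(remote_str)).iface


def policy_reply_iface(local_addr_str, remote_str):
    """Egress interface for a reply when the local (ingress) address picks the table."""
    return policy_lookup(PER_IFACE_TABLES,
                         ipaddress.ip_address(local_addr_str),
                         ipaddress.ip_address(remote_str)).iface


def reply_interfaces():
    """Two inbound SMTP sessions from REMOTE, one to each public address.

    Returns ([classic egress per session], [policy egress per session]).
    """
    sessions = [(str(ISP_A_ADDR), str(REMOTE)), (str(ISP_B_ADDR), str(REMOTE))]
    classic = [classic_reply_iface(local, remote) for local, remote in sessions]
    policy = [policy_reply_iface(local, remote) for local, remote in sessions]
    return classic, policy


if __name__ == "__main__":
    classic, policy = reply_interfaces()
    print("destination-only routing sends both replies out:", classic)
    print("per-interface routing sends replies out:", policy)
```

Run as-is, the classic table sends the reply to the session that arrived on ISP B back out through ISP A, because the only input to the lookup is the remote address, which is identical for both sessions; the per-interface variant returns each reply on the interface its session arrived on. That is the whole gap between what the W2K table can express and what the thread is asking for.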
 
CHANGE USERNAME TO westes said:
In any case, it doesn't matter to me whether a box uses its own IP stack, or
whether it uses the standard Windows 2000 IP stack and uses higher level
abstractions to change the source IP to make the packet look like it came
from a different host based on the interface the original packet arrived at.
I just want to find a solution to a specific problem.

I understand. Well, I don't think there is a solution within the parameters
you are looking for a solution. However, I don't have any past messages from
this thread, so I really don't have any "context" or description of your
situation.
 
I have one mail server that I want to make look like two different hosts,
each with unique MX records. Each MX record corresponds to a public IP
address on a different ISP's network. Outside hosts will initiate sessions
to our server on the two different IP addresses. I need to make sure that
any packets returned by the mail server go back out on the same interface
they came in.
 
CHANGE USERNAME TO westes said:
I have one mail server that I want to make look like two different hosts,
each with unique MX records. Each MX record corresponds to a public IP
address on a different ISP's network. Outside hosts will initiate sessions
to our server on the two different IP addresses. I need to make sure that
any packets returned by the mail server go back out on the same interface
they came in.

That won't happen. It doesn't need to happen either, it's kind of pointless
with a mail server anyway. Outbound traffic is always anonymous between your
mail server and the destination mail server. The only important thing is
that the mail server responds to incoming on the same IP# listed in the MX
record. You can also make the mail server look like "two hosts" by having
both MX records point to the same incoming IP#. Worrying about what IP# is
being used in either direction is really the wrong approach.
 
Making the two MX records point to the same IP defeats the entire point.
We want redundancy in our mail services. If one ISP goes down, the other
keeps working, automatically. You must have different IPs on different
networks to do that.

As you say, the important thing is that the mail server respond to incoming
connections on the same IP that is listed. So how do I make that happen
when there are two IPs corresponding to two MX records on two different
ISPs?
 
CHANGE USERNAME TO westes said:
Making the two MX records point to the same IP defeats the entire point.
We want redundancy in our mail services. If one ISP goes down, the other
keeps working, automatically. You must have different IPs on different
networks to do that.

I don't think what you want can be done. The goal is to have a single ISP
that is dependable and can quickly recover from downtime.
 