Multi-homing with win2k srv

[Guest]

Is this a normal behavior in Windows 2000 Server or is this an issue

Here is the situation

- Windows 2000 Server sp4
- NIC1 LAN ( 192.168.x.x , default GW field empty
- NIC2 WAN ( 194.x.x.y , default GW 194.x.x.1
- NIC3 WAN ( 213.x.x.z , default GW field empty
- RRAS with NAT enable
- no static route
So, with this configuration the default route is set to 194.x.x.
The visibility from Internet is as follows
- pinging 194.x.x.y from any host ( any IP address ) the result is o
- pinging 213.x.x.z from any host ( any IP address ) the result is "Request timed out" !!

If I add to this configuration a static route on NIC3 with destination 62.0.0.0 mask 255.0.0.0 the visibility from Internet is as follows
- pinging 194.x.x.y from a host with an IP address like 62.x.x.x the result is "Request timed out
- pinging 213.x.x.z from a host with an IP address like 62.x.x.x the result is o
- pinging 194.x.x.y from any host ( excepting 62.x.x.x like address ) the result is o
- pinging 213.x.x.z from any host ( excepting 62.x.x.x like address ) the result is "Request timed out

If I make 213.x.x.1 the default GW on NIC3 ( and the static route also in NIC3 ) the result is inversed

So I made up a "definition": The result from pinging a multi-homed host with Windows 2000 Server OS will be ok only if you are pinging the IP address that is the default way for your IP address from that router to your host

I've posted a similar message on other forums and I've got an answer that said that Windows 2000 Server doesn't use "source routing" that will resolve my problem ( and that Linux does use this feature )
I didn't found anything about "source routing" and Windows 2000 Server

I hope I've made myself understood

thanks

 

[Herb Martin]

I hope I've made myself understood.

It's real hard to discover your PROBLEM in all the verbage.
(Which may be important, but do try to put the problem first.)

Several ideas: Use tracert to determine which paths are being taken
(Instead of simple ping.)

Don't feel that every NIC must have a (different) default gateway.
And if you do make them different, don't expect to guess the order
without paying very careful attention to the BINDING order of the
NICs.
And if you do make them different, don't expect an automatic
fail over unless the ADJACENT router fails completely (as opposed
to something later in the path which is common with DSL and Cable
modems.)

Is this a normal behavior in Windows 2000 Server or is this an issue ?

Here is the situation :

- Windows 2000 Server sp4
- NIC1 LAN ( 192.168.x.x , default GW field empty)
- NIC2 WAN ( 194.x.x.y , default GW 194.x.x.1 )
- NIC3 WAN ( 213.x.x.z , default GW field empty)
- RRAS with NAT enabled
- no static routes
So, with this configuration the default route is set to 194.x.x.1
The visibility from Internet is as follows:
- pinging 194.x.x.y from any host ( any IP address ) the result is ok
- pinging 213.x.x.z from any host ( any IP address ) the result is "Request timed out" !!!

If I add to this configuration a static route on NIC3 with destination

62.0.0.0 mask 255.0.0.0 the visibility from Internet is as follows:

- pinging 194.x.x.y from a host with an IP address like 62.x.x.x the result is "Request timed out"
- pinging 213.x.x.z from a host with an IP address like 62.x.x.x the result is ok
- pinging 194.x.x.y from any host ( excepting 62.x.x.x like address ) the result is ok
- pinging 213.x.x.z from any host ( excepting 62.x.x.x like address ) the result is "Request timed out"

If I make 213.x.x.1 the default GW on NIC3 ( and the static route also in NIC3 ) the result is inversed.

So I made up a "definition": The result from pinging a multi-homed host

with Windows 2000 Server OS will be ok only if you are pinging the IP
address that is the default way for your IP address from that router to your
host.

I've posted a similar message on other forums and I've got an answer that

said that Windows 2000 Server doesn't use "source routing" that will resolve
my problem ( and that Linux does use this feature ).

I didn't found anything about "source routing" and Windows 2000 Server.

 

[Fatboyslimro]

thanks for the effort
OK
let me try to be more specific
I have 2 Internet connections with different ISPs ( broadband cable on each
connection ).
The primary goal is to provide complete visibility from Internet to our web
site through this 2 ISPs ( for redundancy )
The secondary goal is to provide some kind of load balancing of the total
Internet bandwidth for users on the LAN ( or better said to use both
Internet connections in the same time ).
The configuration is like this ( Windows 2000 server SP4 ):
- Nic1 - LAN - IP address 192.168.0.1 - mask 255.255.255.0 - default GW
field empty
- Nic2 - WAN to ISP1 - IP address 194.1.2.3 - mask 255.255.255.0 - default
GW 194.1.2.1 ( provided by the ISP1 )
- Nic3 - WAN to ISP2 - IP address 213.5.6.7 - mask 255.255.255.0 - default
GW field empty
- IIS for the web site
- DNS for holding the adcdef.ro domain zone and for resolving DNS queries
from users
- RRAS with NAT enabled ( all of the interfaces are present in the NAT
configuration portion in IP Routing from RRAS snap-in )
- static routes for "load balancing" ( each static route is created with
"New static route..." option from Static Routes from RRAS snap-in, like
this: select the interface name Nic3 - WAN to ISP2, then Destination
62.0.0.0., then Network Mask 255.0.0.0 and then the GW 213.5.6.1 - provided
by ISP2 )
- the routing table looks like this( Destination - Netmask - Gateway -
Interface ):
0.0.0.0 - 0.0.0.0 - 194.1.2.1 - 194.1.2.3
62.0.0.0 - 255.0.0.0 - 213.5.6.1 - 213.5.6.7
127.0.0.0 - 255.0.0.0 - 127.0.0.1 - 127.0.0.1
192.168.0.0 - 255.255.255.0 - 192.168.0.1 - 192.168.0.1
192.168.0.1 - 255.255.255.255 - 127.0.0.1 - 127.0.0.1
192.168.0.255 - 255.255.255.255 - 192.168.0.1 - 192.168.0.1
194.1.2.0 - 255.255.255.0 - 194.1.2.3 - 194.1.2.3
194.1.2.3 - 255.255.255.255 - 127.0.0.1 - 127.0.0.1
194.1.2.255 - 255.255.255.255 - 194.1.2.3 - 194.1.2.3
213.5.6.0 - 255.255.255.0 - 213.5.6.7 - 213.5.6.7
213.5.6.7 - 255.255.255.255 - 127.0.0.1 - 127.0.0.1
213.5.6.255 - 255.255.255.255 - 213.5.6.7 - 213.5.6.7
255.255.255.255 - 255.255.255.255 - 192.168.0.1 - 192.168.0.1
Default Gateway:194.1.2.1
Persistent Routes: None
I didn't mentioned all of the static routes that I use because they are the
same as the one earlier created ( and also I omitted the routes that begin
with 224 ).
- complete visibility is a must as I have the 2 IP addresses registered as
primary NS and secondary NS ( also in my DNS records host "www" is assigned
to both addresses) , and when a user from Internet tries to resolve
www.abcdef.ro if it gets the IP address that it cannot be pinged from that
location neither the web browsing to our web site will work ).
Testing:
pinging from an Internet host ( 202.1.1.1):
ping 194.1.2.3 --> ok
ping 213.5.6.7 --> request timed out

pinging from another Internet host ( 62.1.1.1 ):
ping 194.1.2.3 --> request timed out
ping 213.5.6.7 --> ok
( normally, if I remove the static route to 62... the request time out will
be obtained by pinging 213.5.6.7 and ok if pinging 194.1.2.3)

I think the situation is somthing like this: answers are not returned on the
same interface that received the request ( but why ? ).
Hope there is enough information to troubleshoot.

 

[Herb Martin]

thanks for the effort
OK let me try to be more specific
I have 2 Internet connections with different ISPs ( broadband cable on each
connection ).
The primary goal is to provide complete visibility from Internet to our web
site through this 2 ISPs ( for redundancy )

That part is easy, if you advertise (through DNS) both IP addresses.
Note: this part is dependent on the requests.
Of course, you will also have to configure the web sites to support
both addresses but that is either automatic or trivial.

The secondary goal is to provide some kind of load balancing of the total
Internet bandwidth for users on the LAN ( or better said to use both
Internet connections in the same time ).

Not likely to work with Windows as the router. This is not an
included feature.

One of the folks here did write a script for SWITCHING the
default gateway when one of the paths goes down, but that
only provides redundancy.

I played around with using the one of the (rather large, Roadrunner)
ISPs address range in manual routes, 24.0.0.0/8 out through the
Roadrunner and everything else out through the DSL.

It did very minimal load "adjustment" (not good enough to call
"balancing" <grin>)

 

[Fatboyslimro]

Let's forget about the second goal.
Let's forget about having static routes.
Lets's focus on the visibility from internet.
So now the configuration is: default GW to ISP1 and no static routes to
ISP2.
Now if we go to ANY Internet host and ping the interface connected to ISP2
we will get "request timed out" ( here is how I see the situation: packets
come to interface connected to ISP2 but are leaving on the interface
connected to ISP1; the Internet host receives ICMP echo reply from IP
address connected to ISP1 and not from that connected to ISP2, so it does
not see that the host is alive - that's how I see the situation )
or
The packets (with source address being the IP address of the interface
connected to ISP2) are leaving on the interface connected to ISP1, but ISP1
has filering that do not allow packets coming from other networks exept
those that they own to pass through.
Do you agree that one of the situation is present ?
and if this is the situation why packets aren't routed to the same interface
that received the request ? ( I think this is the main problem that needs to
be troubleshooted )

thanks

 

[Herb Martin]

--
Herb Martin

Let's forget about the second goal.
Let's forget about having static routes.
Lets's focus on the visibility from internet.
So now the configuration is: default GW to ISP1 and no static routes to
ISP2.
Now if we go to ANY Internet host and ping the interface connected to ISP2
we will get "request timed out" ( here is how I see the situation: packets
come to interface connected to ISP2 but are leaving on the interface
connected to ISP1; the Internet host receives ICMP echo reply from IP
address connected to ISP1 and not from that connected to ISP2, so it does
not see that the host is alive - that's how I see the situation )
or

This should be irrelevant. Something else is happening (like
that network is filtering ICMP or some such.)

There is no rule -- in fact NO GUARANTEE whatsoever -- that any
IP packet will follow a particular route, just because the incoming packet
did.

The packets (with source address being the IP address of the interface
connected to ISP2) are leaving on the interface connected to ISP1, but ISP1
has filering that do not allow packets coming from other networks exept
those that they own to pass through.

Perfectly normal as long as that network supports the traffic.

 

[Fatboyslimro]

Do you suspect where the problem is ?
Do you see any solution ?

thanks

 

[Fatboyslimro]

Here is a post from a "sysop" from another forum.
Please tell me what is your opinion.
" Interesting but somewhat complex. First, let me exercise my right as an
unpaid answerer to offer some unhelpful advice<g>. You should abandon your
plan! You would (probably) get much better results from paying one of the
very professional web server companies that have REALLY good systems and
quite inexpensive services.

The big web service companies (usually) have all the security issues sorted
out, whereas you will have to spend the rest of your life wondering if your
server has been hacked. For a fee, they can offer much better speeds and
load balancing than you can achieve. Now, back to your problem...

I trust you have W2000 SP4 and visit Windows Update and take all the
Critical Updates (only) each week. You should also have a firewall on each
interface that connects to the Internet (two hardware firewalls).

For more thorough testing with the pings, use the -w 8000 (wait 8 seconds)
option. From the 202.1.1.1 client:

ping -w 8000 213.5.6.7

I expect this to fail, but you should check.

I would install Network Monitor and capture packets on each external
interface. The NetMon provided with W2000 Server is fine. You would have to
run it twice (at the same time). In one instance, use the Capture menu to
select NIC2. In the other instance, select NIC3. Run 'ipconfig /all' at
command prompt to help learn which NIC is which.

I am very confident that NetMon would confirm the following.

When 202.1.1.1 issues 'ping 213.5.6.7', the ping would arrive on NIC3
because ISP2 routes all traffic for destination 213.5.6.7 to your interface
that is connected to ISP2.

Your computer will send a reply to 202.1.1.1. The reply is routed by your IP
software and it has no regard for how the packet arrived. The reply will be:
From source 213.5.6.7 to destination 202.1.1.1.

The destination does not match any specific route so it will be sent to your
default gateway (via NIC2 to ISP1). I suspect that filtering performed by
ISP1 will drop your packet because ISP1 is not supposed to send spoofed or
otherwise stupid packets to the Internet.

Similarly, when client 62.1.1.1 pings 194.1.2.3, the ping will arrive at
NIC2 from ISP1, but the reply will exit from NIC3 to ISP2 (because of your
route for network 62.0.0.0). ISP2 will drop the packet because it is from
194.1.2.3.

You are attempting to have two connections to the Internet. The proper way
to do this is to negotiate with each ISP and explain what you want. A
transfer of money will be involved (from you to them<g>). You would need
quite an expensive system using the BGP routing protocol. I haven't done
this but I suspect that the costs involved would be much more than paying
for a professional (and much better) web hosting service.

Sorry, but I think you have a problem that can't be fixed by adjustments at
your end. It is possible that using a moderately sophisticated router would
overcome most of your issues. It would have three interfaces: ISP1, ISP2,
your server. Some routers can be configured with elaborate routing tables
and could possibly use the incoming interface for a reply (pretty tricky)."