Using dual NICs for different LANs

    Question

  • Hello,

    I have a Windows Server 2008 R2 SP1 VM using VMware.  I am using that server to host a network scanning tool to find vulnerabilities on other machines on the network.  My question is, is there a downside to using dual NICs to give me the ability to scan two different LANs?  The OS gives the warning... 

    "Warning - Multiple default gateways are intended to provide redundancy to a single network (such as an intranet or the Internet).  They will not function properly when the gateways are on two separate, disjoint networks (such as one on your intranet and one on the Internet).  Do you want to save this configuration?"

    I just wanted to know the standard practice or if there was any major issues in doing this.  The program I am using (Retina) seems to do just fine utilizing the two NICs to scan the different LANs.  Of course the alternative is to build a different VM for each network.

    Thanks for any help,

    -LineDrop

    Friday, March 11, 2011 4:02 PM

All replies

  • You can use dual NICs for connecting a computer to different VLANs; however, having a default gateway configured on both interfaces doesn't make a lot of sense from a networking perspective.  Is that second NIC only connecting to a single segment (no other routers on that subnet)?  If so, again, there is no need for a default gateway for that NIC.

    The default gateway is only used by the computer to figure out where to send the packet to if the destination address or a route to the segment is not listed in the local routing table of the computer.

    If there are multiple routers (gateways) available for the computer that has more than one NIC, you could use the ROUTE command to tell the computer which interface you want the packets to leave from.  It's a bit hard to explain without having more information about your network layout.

    Maybe these resources can help you understand:

    How IP Packets are Routed on a Local Area Network
    http://www.anitkb.com/2010/06/how-ip-packets-are-routed-on-local-area.html

    Using the Windows Route Command
    http://www.anitkb.com/2010/03/using-windows-route-command.html



    Visit: anITKB.com, an IT Knowledge Base.
    • Marked as answer by Tiger Li Wednesday, March 16, 2011 10:30 AM
    Friday, March 11, 2011 5:51 PM
  • To add to JM's comments: In 'theory' you can use multiple gateways in conjunction with metrics. The concept is a packet designed for an unknown subnet defaults to the default gateway with the highest priority metric. In the event this gateway is unavailable the packet is then routed to the gateway with the next highest priority metric. However, it doesn't work properly in a Windows network. It will 'usually' fail-over as it is supposed to, but it will never revert back when the higher priority gateway is available. A reboot or manual intervention is required. As a result, multiple default gateways are problematic and unsupported. If you need to use a second gateway, manual routes need to be assigned for specific remote IPs or subnets using the route add command, as pointed out by JM.


    Rob Williams
    • Marked as answer by Tiger Li Wednesday, March 16, 2011 10:30 AM
    Friday, March 11, 2011 6:13 PM
  • Thank you both for responding and assistance.  Please bear with me, I am a recent college graduate trying to put the theory I learned into action.

    I understand the function of a default gateway but figured since each NIC was connected to a different VLAN, that each VLAN should have its own network configuration.  And that the NIC that dealt with all general traffic, unless traffic was trying to contact a different VLAN, would be the persistent gateway.  

    The network connectivity seems to work well and is routed to each VLAN properly.  I am able to get to each machine on all three networks.  The warning about an issue doesn't occur until I try and give the non-persistent NICs a static IP.

    I also haven't had an issue of it failing over to the other gateways and not returning.  Could just be luck?

    If this seems like a lost cause and I'm going about it all wrong, please let me know and I'll find another solution.


    I couldn't attach a screenshot but here is what the routing table looks like:

    v4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.250    266
              0.0.0.0          0.0.0.0     192.168.14.1    169.254.92.47     10
              0.0.0.0          0.0.0.0     192.168.24.1   169.254.153.18     10
            127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
            127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
      127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
          169.254.0.0      255.255.0.0         On-link     169.254.92.47    266
          169.254.0.0      255.255.0.0         On-link    169.254.153.18    266
        169.254.92.47  255.255.255.255         On-link     169.254.92.47    266
       169.254.153.18  255.255.255.255         On-link    169.254.153.18    266
      169.254.255.255  255.255.255.255         On-link     169.254.92.47    266
      169.254.255.255  255.255.255.255         On-link    169.254.153.18    266
          192.168.0.0    255.255.255.0         On-link     192.168.0.250    266
        192.168.0.250  255.255.255.255         On-link     192.168.0.250    266
        192.168.0.255  255.255.255.255         On-link     192.168.0.250    266
            224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
            224.0.0.0        240.0.0.0         On-link     192.168.0.250    266
            224.0.0.0        240.0.0.0         On-link     169.254.92.47    266
            224.0.0.0        240.0.0.0         On-link    169.254.153.18    266
      255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      255.255.255.255  255.255.255.255         On-link     192.168.0.250    266
      255.255.255.255  255.255.255.255         On-link     169.254.92.47    266
      255.255.255.255  255.255.255.255         On-link    169.254.153.18    266
    ===========================================================================
    Persistent Routes:
      Network Address          Netmask  Gateway Address  Metric
              0.0.0.0          0.0.0.0      192.168.0.1  Default 


    Thanks,


    -LineDrop

    • Marked as answer by Tiger Li Wednesday, March 16, 2011 10:30 AM
    • Unmarked as answer by Tiger Li Wednesday, March 16, 2011 10:30 AM
    Friday, March 11, 2011 8:04 PM
  • If you only want to scan the VLANs which have a NIC in the server you do not need any default gateway settings anywhere. The default gateway (or default router) address is only required if you want to reach a network which is not directly connected. It tells the networking software where to send traffic which is not reachable directly.

    The APIPA (169.254.0.0) addresses are a worry. Do you have interfaces set to obtain an IP automatically which cannot find a DHCP server?


    Bill
    • Marked as answer by Tiger Li Wednesday, March 16, 2011 10:30 AM
    Saturday, March 12, 2011 12:58 AM
  • In addition to my earlier comments, ignoring metrics, you cannot have a default gateway as it is just that, a "default". The server as Bill mentions uses various NICs for known subnets. Unknown subnets are routed to the default gateway. How can it randomly choose which one? Also if you have incoming traffic such as a VPN the reply has to be sent to the default gateway as it is an unknown remote subnet. If sent to the wrong gateway it is lost. Windows does not support multiple gateways as per the message you received.
    Rob Williams
    • Marked as answer by Tiger Li Wednesday, March 16, 2011 10:30 AM
    Saturday, March 12, 2011 1:30 AM
  • In addition to Bill and Rob's replies, and I am also concerned about the APIPA numbers showing, I see three default gateways:

              0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.250    266
              0.0.0.0          0.0.0.0     192.168.14.1    169.254.92.47     10
              0.0.0.0          0.0.0.0     192.168.24.1   169.254.153.18     10

    I would honestly recommend only one "default" gateway, which, as has already been pointed out by JM, Rob and Bill, would be the way to get off the network, or to put it another way, "to get to the outside world."

    I look at it as a person being in a room with multiple doors. You would know which door to go through to leave the building, but the computer doesn't know which gate to use to leave the network. I would use only one default gateway, then on that router, define routes to get to the other networks you have.

    Here's a static route example and what sort of static routes would be configured on the routers to get to the outside world. You can adjust this to your RRAS machine that has more than one interface on multiple networks, but there should only be one "default" gateway. You can also define additional "gateways" as pointed out, in RRAS using specific Static Routes with lower metrics, but if they don't apply to the packet being sent, then the default will be used.


    Oh, by the way, I hope this server is not a domain controller. :-)

    Ace


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    • Marked as answer by Tiger Li Wednesday, March 16, 2011 10:29 AM
    Saturday, March 12, 2011 4:33 PM
  • Thanks Ace, Bill and Rob for your responses,

    I have obviously configured the server wrong and from your comments I will make the routing tables on the router and use a single NIC with a single default gateway to connect to it.  I guess the idea of having three NICs on one server pointing to three different routers wasn't the clever idea I thought it was. It is not a DC, just a dedicated VM to host a network vulnerability scanning tool.  Thank you all for your assistance, links, and diagrams!  This is my first time posting to TechNet and it was definitely worth it.


    -LineDrop

    Monday, March 14, 2011 12:36 PM
  • There is no problem having 3 NIC, with 3 network segments (subnets), and 3 routers. It's just that you can only add a default gateway address to 1 NIC. To access the other 2 routers requires static routes either on the server itself or the default gateway router.


    Rob Williams
    • Marked as answer by Tiger Li Wednesday, March 16, 2011 10:29 AM
    Monday, March 14, 2011 1:15 PM
  • I require to re-read this as it does have deep insight, though the similar problem I am having is multi-homing & NetBIOS with this problem / error. I have 4 NICs (2008 R2 Ent SP1, no VM / Hyper-V stuff), 1 NIC to iSCSI, no gateway configured, runs fine (NAT 10.0 range). I have 3 NICs all set to the same subnet (IPs on another subnet range, not same as iSCSI, and 3 IPs in the same subnet range -> .7 .8 .9) that I need to use for backup purposes, to allow multiple backups from multiple locations (clients) at the same time; it is a huge performance assist to run it in this manner. What I am reading is in theory, to rid this error, I could just have the default gateway set on the .9 IP, leave .7 & .8 free of a gateway and the error would go away, though as a backup server many clients are assigned to talk to a specific IP, I can't help but wonder if this multi-home situation requires that info and for the most part I can safely ignore the error. I static entry a multi-home range in my WINS server to show that .7 & .8 & .9 are all on the same server (for NetBIOS resolution). The only reason I have concern is we do use it during the day for some printing and we see odd delays or hang-ups of a minute or greater (1 GBs network) and it really makes no sense, the delay.



    Until later .... Brett
    • Edited by Poomba1 Wednesday, February 01, 2012 5:51 AM
    Wednesday, February 01, 2012 5:48 AM
  • In the above diagram, will the 192.168.1.5 machine be able to ping the 192.168.3.12 machine and vice versa, or rather, will someone from the internet be able to access the 192.168.1.5 machine via a port forward?

    I have a situation akin to the above diagram. I will just copy/paste the content I have put on other forums. Could you please suggest the best way out? A lengthy post though...

    "

    I am stuck in a networking soup. My client has recently got MPLS installed for connecting his two offices. He has asked me to connect the two networks, so that the server is accessible from the spoke location.

    I shall first describe the two networks (Hub & Spoke). The Hub location has two segments working out on the same physical network, i.e. 192.168.0.X and 192.162.1.X. The internet router/gateway (192.168.1.1) is also connected to the same physical network. The MPLS gateway (192.168.0.1) also terminates in the same switch. Servers in this location have two network cards each, one catering to the LAN nodes on 192.168.0.x and one for access via the internet on 192.168.1.x. The IP config on 1 server, for example, would be:
    NIC1 - 
    ip: 192.168.0.105
    SubNet : 255.255.255.0

    NIC2 -
    ip: 192.168.1.10
    SubNet: 255.255.255.0
    Gateway: 192.168.1.1
    DNS: 202.144.115.4
    202.144.66.6

    The other office has just the MPLS gateway (192.168.16.1) terminating into a switch, and connected to machines on the segment : 192.168.16.x with a subnet mask 255.255.255.0 and gateway : 192.168.16.1.

    We tried pinging one computer at spoke location from the hub location with a machine having a single lan card configured to 192.168.0.207 subnet 255.255.255.0 and gateway 192.168.0.1 and it was successful.

    We also tried vice versa from the spoke location with a computer (192.168.16.63, subnet 255.255.255.0 and gateway 192.168.16.1) to the hub computer (the same parameters as mentioned above, i.e. 192.168.0.207, subnet 255.255.255.0 and gateway 192.168.0.1) and that too was a success.
    However when we try pinging from the spoke location to the server on 192.168.0.105 (with 1 NIC for LAN: 192.168.0.105/255.255.255.0 & the other NIC connected to the internet: 192.168.1.10/255.255.255.0 and gateway 192.168.1.1), it is unsuccessful (which is logical because the gateway for the machine is 192.168.1.1). I cannot change the setup at the hub location, because there are other issues. The servers also require internet access for users to connect from outside. Is there any way I can get this working, so that a ping from 192.168.16.63 goes to 192.168.0.105? I also understand that we cannot have two gateways on the same machine since these are disjoint networks. Is there any way that the traffic for 192.168.0.105 goes right to that machine even if the gateway is on the 192.168.1.x segment? Or any other alternate option? Please help"
    Saturday, June 22, 2013 6:44 AM
  • What other threads have you posted this to?

    In the diagram, yes, any machine can ping any other machine in the network as well as on the internet as long as the Windows firewall and any other third party installed firewall, and your network routers & firewalls, are allowing ICMP. If ICMP is allowed and you still cannot ping, then it's a static route misconfiguration.

    If you are using MPLS, the idea behind that is the ISP provides interconnectivity between the MPLS endpoints. There are no reasons to multihome your servers (with more than one NIC and IP) for functionality. In the scenarios that I've worked in with MPLS with multiple, global locations, all servers were single-homed (one NIC and one IP) in every location. The gateway was a Cisco ASA 5505, which then goes into the MPLS devices.

    If you are having problems with your MPLS configuration communicating between offices, the best bet is to contact your ISP that provided your MPLS connectivity. They should have worked with you to get interconnectivity working.

    When you multihome your servers and use them as a NAT, or for whatever reason you multihomed them, then you are introducing an additional, unnecessary complexity, and must update your static routes company-wide to include them as routers.


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Monday, June 24, 2013 4:04 PM