Default gateway on different subnet
-
Saturday, April 24, 2010 10:25 AM
Hi everyone,
Having an issue setting up TMG at the moment.
My TMG server has 2 network cards. One is connected to the internal private network with an IP of 192.168.0.91 subnet 255.255.255.0.
The other one is connected to the internet as per the ISP settings with an IP of 82.133.xxx.xxx subnet 255.0.0.0. The problem I have is that the internet connection has a default gateway of 212.74.xxx.xxx which obviously is on a different subnet. Windows complains about it, but lets me carry on anyway and it then works fine, however TMG throws up the same error during configuration but won't let me continue anyway.
Is there any way to work around this problem?
Thanks in advance,
Graham
~~ Graham
All Replies
-
Monday, April 26, 2010 1:03 AM
Hi Graham,
A default gateway on a different subnet makes hardly any sense as even to reach that subnet, your local interface will need a gateway.
I know I am not suggesting a workaround or a solution and I am sure you must have done this already but could you confirm the gateway IP again with your ISP?
Regards.
- Proposed As Answer by Nick Gu - MSFT, Microsoft Contingent Staff, Moderator Thursday, April 29, 2010 9:45 AM
- Marked As Answer by Keith Alabaster, MVP, Owner Wednesday, August 11, 2010 6:43 PM
-
Thursday, April 29, 2010 2:47 PM
Answerer
You cannot have a default gateway on a different subnet. The very first thing that your external NIC is going to do is send out an ARP broadcast for the MAC address of the default gateway. ARP is layer 2 and does not route. Talk to your ISP about this, I think they gave you the wrong default gateway.
-
Thursday, April 29, 2010 6:16 PM
Thanks for the replies so far! I totally agree with you - it doesn't make sense to me either...but somehow it works! The external NIC is set up with just that and RRAS NAT routes internet traffic just fine.
The address is definitely right - it's set up to get everything automatically assigned by the ISP via DHCP and that is the value returned.
Regards
~~ Graham
- Marked As Answer by Nick Gu - MSFT, Microsoft Contingent Staff, Moderator Friday, April 30, 2010 5:58 AM
- Unmarked As Answer by Graham Wager Friday, April 30, 2010 1:37 PM
-
Sunday, May 02, 2010 3:06 AM
Principle of routing:
If the destination is not myself, nor in my local n/w, nor do I have a router for it, I will give it to my DG for taking it further.
Now, to contact the DG, I need to know its MAC. To know the MAC, I will do an ARP Query which is broadcast and which will only be picked up by machines in my subnet.
Hence, since your external NIC and DG are in different subnets, routing should ideally fail.
Is there any device before TMG, which may be playing a role in this? Did you speak to your ISP?
Also, are you running external NIC on Dynamic IP?
Regards. -
Wednesday, May 12, 2010 7:53 PM
Actually that first statement isn't really true. You can have a DG on a different subnet, however that DG must have an L2 connection to the PC's (or server's) subnet.
Example:
PC (10.0.1.10) on subnet 10.0.1.0/24 can use 10.0.2.1 as its DG, provided that the router that acts as this DG on that other network (10.0.2.0/24) also has an interface interconnecting it to the switch on 10.0.1.0/24. This is unusual but plausible.
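The routing principle Amit describes (local subnet first, otherwise hand to the DG, which must be reachable by ARP) and the off-link gateway case Marcos describes, as an added example that is not part of any post in this thread. It models the on-link check that Windows and TMG perform when they warn about a gateway outside the interface's subnet, and a longest-prefix-match next-hop decision; the route table and addresses are constructed from the thread's figures.

```python
import ipaddress


def is_on_link(iface_ip: str, netmask: str, target: str) -> bool:
    """True if target sits inside the interface's own subnet, i.e. it can be
    resolved with an ARP broadcast rather than needing a router."""
    net = ipaddress.IPv4Network(f"{iface_ip}/{netmask}", strict=False)
    return ipaddress.IPv4Address(target) in net


def check_gateway(iface_ip: str, netmask: str, gateway: str) -> str:
    """Mimic the configuration warning raised for an off-link default gateway.
    Such a gateway only works if a router on the same L2 segment answers
    ARP for it (Marcos's case), which the host cannot verify from its config."""
    if is_on_link(iface_ip, netmask, gateway):
        return "ok"
    return "warning: default gateway is not on the interface's subnet"


# Constructed route table for the PC in Marcos's example: (prefix, gateway, iface).
# gateway None means the prefix is directly attached (ARP for the destination itself).
ROUTES = [
    ("10.0.1.0/24", None, "LAN"),
    ("0.0.0.0/0", "10.0.2.1", "LAN"),
]


def next_hop(routes, dst: str):
    """Longest-prefix-match routing decision.
    Returns ("direct", dst, iface) for an on-link destination,
    ("via", gateway, iface) when a router is needed, or None if unroutable."""
    dst_addr = ipaddress.IPv4Address(dst)
    best = None
    for prefix, gw, iface in routes:
        net = ipaddress.IPv4Network(prefix)
        if dst_addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        return None
    _net, gw, iface = best
    return ("direct", dst, iface) if gw is None else ("via", gw, iface)


if __name__ == "__main__":
    # The thread's TMG external NIC (placeholder octets for the masked xxx).
    print(check_gateway("82.133.0.2", "255.0.0.0", "212.74.0.1"))
    print(check_gateway("10.0.1.10", "255.255.255.0", "10.0.2.1"))
    print(next_hop(ROUTES, "8.8.8.8"))
```

A default route whose gateway fails `is_on_link` is exactly the configuration both Windows and TMG flag; it can still pass traffic only when the upstream device answers ARP on that segment, which is what the ISP's bridged router appears to be doing here.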
-
Thursday, May 13, 2010 2:06 PM
Hi Marcos SA,
I like your answer to this, but I was wondering if you could review my question below and see what you think?
Here's the scenario:
- I have a LAN that connects to an overseas company via MPLS. This connection provides the gateway for all traffic on our local subnet to include internet, email, and mainframe access and network resources. That GW is 10.1.17.1
- I also have a cable modem that is not part of the LAN but provides testing and other issues as needed.
- Due to the remarkably slow network speed of the MPLS (T1), management wants me to set this up so that internet traffic would go out the cable modem vs. the MPLS due to the constant bottlenecking and lack of consistent access for our network.
- I would like to setup several PCs that will utilize the MPLS gateway for internal traffic but push internet traffic out through the cable modem.
- Each PC has only one NIC installed.
- Our MPLS equipment is managed through the overseas company and is not accessible by me.
- My cable modem and Fortinet Firewall are available and managed by me exclusively. I setup this GW at 10.1.11.1.
I have a detailed drawing I wanted to attach but it appears I can't. I've tried manipulating the routing table via DOS (e.g. route -p ADD) but apparently I'm still missing something. I've tried to massage the IP addressing on the NIC to support the two gateways to no avail.
After talking with Comcast, here's what they told me to do if I were to have a client PC directly attached to their cable modem and NOT on the LAN:
The Fortinet LAN side for client PCs is as follows:
IP: 10.1.11.100
SNM: 255.255.255.0
GW: 10.1.11.1
DNS: 10.1.11.1 (DNS Settings within Fortinet point to Comcast DNS Servers)
Comcast GW: 70.X.X.234
Comcast DNS: 68.X.X.162 (This is the DNS IP provided by Comcast)
Fortinet GW: 10.1.11.1
FORTINET:
WAN Port: 70.X.X.233
Subnet Mask: 255.255.255.252
Default GW: 70.X.X.234
For PCs that I want to use both networks, I added the following static routes to the Fortinet:
Static Routes:
IP Addresses: 0.0.0.0/0.0.0.0
Gateway: 70.X.X.234
Interface: WAN1
IP Addresses: 10.1.11.0/255.255.255.0
Gateway: 10.1.11.1
Interface: Internal
IP Addresses: 10.1.17.0/255.255.255.0
Gateway: 10.1.17.1
Interface: Internal
I removed all static routes and started over. When running a tracert to www.yahoo.com the trace goes through 10.1.11.1, then to an external IP that I don't recognize as it is the next hop during the trace.
I realize this is more of just a small network setup vs. trying to have two networks on the same physical network, but since I started over, I at least need to get this right. I just need to know how to set up the client to allow this to happen. I've looked at this until I can see straight. ANY help would be greatly appreciated!
Thanks for your help!
Getnoldfast -
Thursday, May 27, 2010 5:22 PM
Principle of routing:
If the destination is not myself, nor in my local n/w, nor do I have a router for it, I will give it to my DG for taking it further.
Now, to contact the DG, I need to know its MAC. To know the MAC, I will do an ARP Query which is broadcast and which will only be picked up by machines in my subnet.
Hence, since your external NIC and DG are in different subnets, routing should ideally fail.
Is there any device before TMG, which may be playing a role in this? Did you speak to your ISP?
Also, are you running external NIC on Dynamic IP?
Regards.
Thanks for your reply Amit,
The only device between the internet and the TMG machine is a router configured as a bridge. It doesn't appear in a traceroute (to yahoo.com):
1 <1 ms <1 ms <1 ms server-1.xxx [xxx.xxx.0.1] (TMG machine, ext IP 82.133.xxx.xxx)
2 27 ms 28 ms 26 ms lo98.sc-acc-sip-1.as9105.net [212.74.xxx.xxx]
3 26 ms 28 ms 31 ms 10.72.4.66
4 28 ms 27 ms 120 ms 10.72.9.217
5 27 ms 43 ms 28 ms xe-2-2-0-10.lon10.ip4.tinet.net [213.200.78.117]
6 104 ms 104 ms 104 ms xe-4-3-0.was12.ip4.tinet.net [213.200.80.25]
7 105 ms 105 ms 106 ms as10310.ip4.tinet.net [213.200.84.126]
8 105 ms 104 ms 108 ms ae-6.pat2.dce.yahoo.com [216.115.102.176]
9 109 ms 109 ms 106 ms ae2-p141.msr1.re1.yahoo.com [216.115.108.59]
10 110 ms 111 ms 139 ms te-9-4.bas-a1.re1.yahoo.com [66.196.112.207]
11 110 ms 109 ms 109 ms ir1.fp.vip.re1.yahoo.com [69.147.125.65]
ISP haven't been much help; as far as they're concerned it works as it is, what's the problem!
~~ Graham -
Sunday, May 30, 2010 6:27 AM
Answerer
Since your network config is non standard, have another machine in front of TMG. Configure your TMG with 2 NICs, Internal and External. Have your own PVT IP range for the TMG External. Connect the External to a Windows NAT device with 2 NICs again. Internal of the NAT device connected to your TMG's external NIC and external of NAT connected to your weird External router bridge. Now TMG's External will have default gateway pointing to the Internal of the NAT device.
Redirect all incoming traffic from NAT external to TMG external (NAT 1-1 config). Hope this non standard solution helps your non standard config!
Bala Natarajan [MSFT]| Sr. Support Escalation Engineer | CSS Security -
Monday, May 31, 2010 9:34 PM
To add to Bala's note, see if your router may act as the NAT and bear the public IP itself. At my home I have a similar setup.
Regards. -
Thursday, August 05, 2010 8:27 PM
Owner
Any update to this question please?
Keith
Keith Alabaster - MVP/Forum Moderator -
Wednesday, August 11, 2010 6:43 PM
Owner
No response - question closed out.
Keith
Keith Alabaster - MVP/Forum Moderator