2 NICs in server 2003 - data being sent back through wrong NIC


  • Sunday, May 06, 2012 7:24 PM
     
     

    Hi!

    I've read a bunch of threads about this and none of them seem to be helping so I need help!

    The setting:

    Windows Server 2003

    2 NICs

    1st IP is 192.168.1.11 - part of our internal network. No default gateway. Metric is currently 20

    2nd IP is 192.168.112.157 - specifically for 1 to 1 NAT to an external public IP, access for websites and email server. Default gateway is 192.168.112.1. Metric is 1

    The Problem:

    If someone tries to send an email (to the public IP address) from outside our network (ie anywhere on the internet), everything works fine. Websites and RDP as well.

    If someone tries to send an email (to the public IP address) from inside our private network, there is no response. Exactly the same thing happens for the website and RDP (ie they don't respond).

    Additional info: If I pull the cable of the NIC with 192.168.1.11, email, websites, rdp all work perfectly. However, we then have no access to network shares on the computer.

    Additional info: Both private networks are in one firewall. One on the LAN1 port, the other on the Optional Network port.

    My feeling is that the server is deciding that the shortest route back (when the sender is initially on 192.168.1.*) is through the 192.168.1.11 NIC. 

    The simple answer is to change the SMTP setting on all our internal computers to the private IP, BUT the problem is a few people use laptops and sometimes they are here, sometimes they are outside of the office. I can even RDP to the server on the private net (192.168.1.11) although this wouldn't solve the website issue.

    But my feeling is there MUST be a way to get the routing to work! I've tried various static routes and nothing has worked so far.

    Simply put, I need to tell the server to send packets out the same NIC they come in on.

    Thanks for any help anyone can give me.

    Scott

All Replies

  • Sunday, May 06, 2012 8:48 PM
     
     

    Sorry, after thinking it all through and explaining it to someone else I realized something else was important.

    Until recently the nic with 192.168.112.157 actually had a public IP and everything was working perfectly. Now that that nic is being routed through the same firewall as the private network (but on a different port and a different subnet), I suspect the firewall is the source of the routing shenanigans. It is a Firebox x55e and I think I need to look into its routing now.

    But thanks for any information that might help anyway!

    scott

  • Monday, May 07, 2012 4:02 AM
     

    Hi Scott,

    It may well be a problem on the Firebox as you've pointed out, but there's one behaviour from the original post that contradicts that.

    You said that when you pull the network cable from the 192.168.11 interface that services then responded on the external interface just fine. This wouldn't normally happen if it were a firewall issue alone. It sounds more to me like you've got the default gateway incorrectly specified.

    Your "external" adapter (192.168.112.157) should have a default gateway specified on it while the "internal" adapter should be left blank. If you have multiple internal subnets present, you'll need to define those with the route command as follows (these are just examples):

    route -p add 192.168.12.0 mask 255.255.255.0 192.168.11.1
    route -p add 192.168.13.0 mask 255.255.255.0 192.168.11.1

    The last IP address in each command is that of your "internal" gateway, which should have the actual value of the gateway of your 192.168.11.0/24 subnet, since that's the gateway for your local "internal" adapter.

    Again, check your Firebox, but if this looks okay, then it'll probably be an incorrect networking configuration on your dual-homed server.

    Cheers,
    Lain
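    The route-selection behaviour Scott suspects in the original post, and the "default gateway only on the external adapter, static routes for other internal subnets" rule Lain gives above, modelled as an added example (not code from the thread). It simulates Windows longest-prefix routing with this thread's two NICs; the internal gateway 192.168.1.1 and the client addresses 192.168.1.50, 203.0.113.10 and 192.168.12.7 are constructed values.

```python
import ipaddress

# Constructed model of the dual-homed Windows Server 2003 host from the thread
# (example code, not something posted in the thread). A route is
# (network, gateway or None when on-link, interface, metric).
def build_routes(internal_nic_enabled=True):
    routes = [
        # NIC2: 192.168.112.157, default gateway 192.168.112.1, metric 1
        (ipaddress.ip_network("192.168.112.0/24"), None, "NIC2", 1),
        (ipaddress.ip_network("0.0.0.0/0"), "192.168.112.1", "NIC2", 1),
    ]
    if internal_nic_enabled:
        # NIC1: 192.168.1.11, no default gateway, metric 20 (on-link route only)
        routes.append((ipaddress.ip_network("192.168.1.0/24"), None, "NIC1", 20))
    return routes

def add_static_route(routes, network, gateway, interface, metric=20):
    """Model of 'route -p add <net> mask <mask> <gw>' for an extra internal subnet."""
    routes.append((ipaddress.ip_network(network), gateway, interface, metric))
    return routes

def select_route(routes, dest):
    """Longest-prefix match; the lower metric wins among equally specific routes."""
    addr = ipaddress.ip_address(dest)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        raise LookupError(f"no route to {dest}")
    return max(candidates, key=lambda r: (r[0].prefixlen, -r[3]))

def reply_interface(routes, client_ip):
    """Interface the server replies on: chosen from the client's source IP alone."""
    return select_route(routes, client_ip)[2]

def reply_is_symmetric(routes, ingress_interface, client_ip):
    """True when the reply leaves through the interface the request arrived on."""
    return reply_interface(routes, client_ip) == ingress_interface

if __name__ == "__main__":
    # Internal laptop 192.168.1.50 connects to the NATed public IP; the firewall
    # delivers the request on NIC2, but the reply takes the on-link route out NIC1,
    # so the firewall never sees it and cannot translate it back. Connection fails.
    full = build_routes(True)
    print(reply_interface(full, "192.168.1.50"))                     # NIC1
    print(reply_is_symmetric(full, "NIC2", "192.168.1.50"))          # False
    print(reply_is_symmetric(full, "NIC2", "203.0.113.10"))          # True (internet client)
    # With the internal cable pulled (Scott's observation) the reply goes back via the firewall.
    print(reply_is_symmetric(build_routes(False), "NIC2", "192.168.1.50"))  # True
    # Lain's rule: a second internal subnet needs its own static route via the internal gateway.
    multi = add_static_route(build_routes(True), "192.168.12.0/24", "192.168.1.1", "NIC1")
    print(reply_interface(multi, "192.168.12.7"))                    # NIC1
```

    Pulling the internal cable removes the 192.168.1.0/24 route, which is why the services suddenly answer internal clients; the same model shows the default gateway is only ever consulted when no more specific route exists.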

  • Monday, May 07, 2012 4:07 AM
     
     

    I'm leaning towards Lain's response.

    In addition, I would like to add, it appears based on your description, that you may have a split zone. Therefore, instead of using the SMTP server's IP, use an FQDN for the POP3 client's SMTP server, and assuming you are using DNS internally, then create a zone name for the smtp server, such as smtp.yourdomain.com with the private IP, and on the internet, your public DNS servers will have the same record, but with the public WAN IP.



    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & Exchange 2010, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


  • Monday, May 07, 2012 2:46 PM
     
     

    Hi! 

    Thanks for the info!

    I have been suspecting the default gateway and have tried many static routes but nothing has worked. 

    I've also left the default gateway for the internal NIC blank.

    There is only 1 internal subnet: 192.168.1.* (and that nic has 192.168.1.11).

    So just so I'm clear on this:

    The external NIC should have the default gateway set (192.168.112.1), and the default gateway for the internal should be blank, BUT I should add a static route to the default gateway for the internal nic?

    Like this:

    route -p add 192.168.1.0 mask 255.255.255.0 192.168.1.1

    or did you mean that I should only add a static route(s) if there was more than 1 internal subnet? If yes , then that was my initial setup that did not work.

    To me (not knowing a lot about networking) this seems pretty simple so it's odd that it doesn't work, but that's why I am suspecting the firewall now.  We had the exact same problem with a different web server once as well. When it was connected to the Optional port and also had a cable from a second NIC to our internal network, we couldn't see the web site at all internally, yet everyone outside the network said it was working perfectly. As soon as the "internal" NIC was disabled, all worked perfectly.

    Let me add one more bit of information just in case this has relevance and in case someone can solve this for me too:

    At one time the internal NIC stopped working and I replaced it. Now every time I change the settings on the new internal NIC the server tells me the IP has already been used in another NIC, meaning the old one that is no longer in the computer.

    A: Could that be causing any routing problems?

    B: Is there a way to remove the references to that old NIC to get rid of the error messages? I found some kind of problem fix download on the MS site when I looked that up. It ran and said it couldn't fix the problem.

    Also, I will try asking about the firewall on the Watchguard site and see if they have any info.

    Thanks again!! 

    scott

  • Monday, May 07, 2012 2:49 PM
     
     

    Hi

    I don't run DNS here so I don't think that will work. Also remember (I don't know if I said it in the original message) that it's not just email, it's also a web site, FTP and RDP. The website does use a FQDN so that might be another clue. All of these things stop functioning as soon as a cable is plugged into the NIC connected to our internal private network (192.168.1.*).

    Thanks!

    scott

  • Monday, May 07, 2012 7:27 PM
     
     

    Then maybe Lain's route suggestions may be helpful.

    Otherwise, if it's a matter of the same name, but different IPs internally, you can simply install DNS on your local server, make sure all machines ONLY use that DNS, and following the rest of my suggestions. This way it will work with the same name outside and inside, and whether a laptop is inside or outside.



    Ace Fekay

  • Tuesday, May 08, 2012 1:40 PM
     
     Answered

    Thanks for the help guys. Unfortunately the person at Watchguard was much less helpful and I got nowhere. He did, however, suggest (very poorly worded!) that I simply access the server's private network from the trusted network and that's what I ended up doing. I would love to try other things and see if I can get it going the other way but as usual, there is other work to do! 

    So I ended up disabling the second NIC (on 192.168.1.11) then allowing traffic in the firewall to pass from 192.168.1.0 to 192.168.112.0. The next problem was getting the mail server to log into the DC since I use login authentication for the shares on that server. I set default routes on each server to each default gateway and could ping each server and gateways in both directions but the mail server still wouldn't login to the DC. I even added the DC into the HOSTS file and could ping it by IP or name and still no go!

    Eventually I randomly tried setting the DC's ip as the WINS server on the mail server and suddenly everything worked!

    So for now, that'll do.

    Thanks again!

  • Tuesday, May 08, 2012 4:49 PM
     
     

    I still don't quite get it, and I would probably need to see a Visio diagram of your setup to better understand this, but as long as you got it working, whether best practice or not, the point is it's now working. :-)

    And note - WINS provides Netbios support across routers. It will help "find" a DC based on NetBIOS name, but subsequent AD-client communications are all DNS. Therefore, you may still find some things not working, such as GPOs and other AD functions provided to clients.



    Ace Fekay