Windows 2008 primary IP address

  • Question

  • Hey guys,

    I am still trying to get my head around why you (Microsoft) have changed how IP works in Windows 2008. Better if I use an example to demonstrate, as it is hard to explain:

    My NIC has 2 IP addresses:

    192.168.31.205
    192.168.31.250

    Subnet Mask:

    255.255.255.0

    Default Gateway

    192.168.31.253

    My firewall is configured to NAT on 192.168.31.205. IP address 192.168.31.250 is ONLY used for LAN connectivity between servers on the same segment.

    Ok, in Windows 2003 that's fine as the "primary" IP address has been set to 192.168.31.205. On Windows 2008 there is NO MORE Primary IP address option, so the TCP/IP stack now uses the IP that is "closest" to the gateway IP address. So all my outbound traffic is being translated as 192.168.31.250 because it is closer to 192.168.31.253! The firewall does not know anything about 192.168.31.250 (I can make it learn ;) )

    Ok to prove this I changed the IP around and I assigned the following IP addresses to the server:

    192.168.31.250
    192.168.31.251

    Changed the gateway to 192.168.31.1 ... NAT is on 192.168.31.251 (if it was on 250 I know it will work) and now the outbound IP address used is 192.168.31.250 as it is closer to 192.168.31.1

    Like I said I know I can change the NAT translation to match to be the address closest to the gateway but this is not just one server (10,000s of servers)

    So the big questions:

    1. What is the point of doing so? I might be completely wrong and missed something
    2. What logic makes it think that the host bit closer to the host bit on the gateway IP is the best option?
    3. Please tell me there is a way I can reverse back to the old-fashioned way !! :)


    I have done numerous tests with different ranges and always the outbound IP used is the one that is closer to the gateway IP address. Insane :P

    Yeah and it can be fixed by changing the NAT information but if you work for a company with 10,000s it is not that simple ...

    Here is another topic that had a similar issue:

    http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/4a5f845f-4c08-42ca-bd19-b5539b8e9bb9/

    Obviously the Gateway on the above example has a lower host bit which is why the server returns the IP from low to high..

    Please let me know there is a way to switch this genius feature off!!


    Thanks guys..


    Mario


    Friday, October 9, 2009 4:09 PM

All replies

  • http://support.microsoft.com/kb/975808

    Hotfix addresses using any IP on the interface as outbound IP, also addresses registering all IPs in DNS. The hotfix will let you configure the box to behave the way Windows 2003 behaves... it's a bit of an ugly fix but it does work.
    Sunday, November 15, 2009 2:48 AM
  • This is unbelievable.

    I am in a situation where my SMTP server has been compromised, causing all mail servers to blacklist me. Now that I have the issue fixed, I need to change my IP address and use a new one for my outbound SMTP.

    BUT I CAN'T.

    This is ridiculous. Is there no workaround, nothing that can be done? Am I just stuck?
    Monday, November 16, 2009 10:00 PM
  • Andrew.

    RBLs are a law unto themselves. Have you set up an SMTP relay via your ISP using a smarthost? Then, as your mail server is doing its job, contact the RBLs to remove you, which they do after approx. 24 hrs if they see no further spam being sent from the IP. Once done, still use the SMTP relay anyway.
    Tuesday, November 17, 2009 4:26 AM
  • Hi Mario-V,

    your question:
    2. What logic makes it think that the host bit closer to the host bit on the gateway IP is the best option?


    I think it was related to Routing Summarization. The closer address will be thought the most probable address on the same subnet. That's why the RFC does this and MSFT follows.

    Friday, November 20, 2009 2:34 AM
  • Hello Steve,

    If the IP belongs to the same subnet, that would mean that the number of hops will be the same. Also, how does routing summarization have anything to do with it:

    Route summarization, also called route aggregation, is a method of minimizing the number of routing tables in an IP (Internet Protocol) network. It works by consolidating selected multiple routes into a single route advertisement, in contrast to flat routing in which every routing table contains a unique entry for each route.

    To implement route summarization in IP Version 4 (IPv4), Classless Inter-Domain Routing (CIDR) must be used. All IP addresses in the route advertisement must share identical high-order bits. The length of the prefix must not exceed 32 bits.

    Route summarization offers several important advantages over flat routing. Route summarization can minimize the latency in a complex network, especially when many routers are involved. Because of the reduced number of routing entries, the overhead for routing protocols is minimized. Network stability can be improved by reducing or eliminating unnecessary routing updates after part of the network undergoes a change in topology. Route summarization also greatly reduces processor workloads, memory requirements and bandwidth demand.


    As per the above definition, CIDR and what MSFT have done are not in any way related.

    Friday, November 20, 2009 2:02 PM
  • This is unbelievable.

    I am in a situation where my SMTP server has been compromised, causing all mail servers to blacklist me. Now that I have the issue fixed, I need to change my IP address and use a new one for my outbound SMTP.

    BUT I CAN'T.

    This is ridiculous. Is there no workaround, nothing that can be done? Am I just stuck?

    The only thing you can do at the moment is change your IPs. It is not pretty, I know; I am stuck as well, believe me.


    Friday, November 20, 2009 2:03 PM
  • Hello Mario-V,

    yes, your above description about Route summarization is correct. Let's see an example below:

    For example, consider the following addresses:

    Client machine IP Address (assume that we don't know the subnet mask)
    -192.168.1.14
    -192.168.1.68
     
    Default Gateway
    -192.168.1.127

    11000000 10101000 00000001 00001110 = 192.168.1.14 (Bits matching the gateway = 25)
    11000000 10101000 00000001 01000100 = 192.168.1.68 (Bits matching the gateway = 26)
    11000000 10101000 00000001 01111111 = 192.168.1.127

    The 192.168.1.68 address has more matching high order bits with the gateway address 192.168.1.127. 

    If the router does routing summarization, the .68 and .127 addresses have the highest probability of belonging to the same subnet, here 192.168.1.0/26. So choosing an IP that belongs to the same subnet is better for communicating with the default gateway. But I'm not saying 192.168.1.14 cannot be in the same subnet as 192.168.1.127; just for routing summarization, 192.168.1.68 is more probable.

    Sunday, November 22, 2009 5:26 AM
  • Mario-V :    "If the IP belongs to the same subnet that would mean that the number of hops will be the same. "

    yes, we humans know they belong to the same subnet, but the machine may not. It can choose 192.168.1.14 or 192.168.1.68; both are OK for communicating with the default gateway. But considering routing summarization, 192.168.1.68 is the best choice because they will belong to the same subnet 192.168.1.0/26, but 192.168.1.14 will not.
    Sunday, November 22, 2009 5:32 AM
  • If I may repost what Patrick wrote and provide a little more detail:

    This Hotfix http://support.microsoft.com/kb/975808 adds the command "Netsh int ipv4 add address <Interface Name> <ip address> skipassource=true"

    The skipassource flag will cause outbound connection requests to ignore this address*.  The address will function normally for inbound communications.  If you mark all of the addresses as "skipassource" except one, that one address will be used for all outbound connections.  I think this will provide the behavior you need.

    *A minor point of technical clarification: the address may still be used for outbound communication if the application has explicitly bound to the address. Most outbound connections do not explicitly bind.

    Tuesday, November 24, 2009 12:04 AM
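    The procedure Samer describes, as an added PowerShell example (this is not code from the thread, from KB975808 or from Microsoft): every secondary address is re-added with skipassource=true, and then the result is checked two ways. It assumes an elevated prompt on a Windows Server 2008 host that already has the KB975808 hotfix, an interface named "Local Area Connection", the two addresses from the original post, and a hypothetical verification target; adjust all of those for your own server.

```powershell
# Added example, not from the original thread. Marks every address on a
# multi-homed NIC except the one the firewall NATs as SkipAsSource, so that it
# becomes the only candidate for outbound connections, then verifies the result.
# Requires the KB975808 hotfix (Windows Server 2008, not R2 at the time of this
# thread) and an elevated prompt. Interface name, addresses and the verification
# target below are assumptions for illustration.

$iface       = "Local Area Connection"
$mask        = "255.255.255.0"
$primary     = "192.168.31.205"        # NAT'd address the firewall expects as source
$inboundOnly = @("192.168.31.250")     # LAN-only addresses: reachable, never used as source

# SkipAsSource is set when an address is added, so an existing secondary
# address has to be removed and re-added with the flag. Do this from the
# console or over $primary: a session riding on a removed address drops.
foreach ($ip in $inboundOnly) {
    netsh interface ipv4 delete address $iface $ip
    netsh interface ipv4 add address $iface $ip $mask skipassource=true
}

# Check 1: the "Skip as Source" column must read 'true' for every address
# except $primary. Re-run after a reboot to confirm the setting survived.
netsh interface ipv4 show ipaddresses $iface

# Check 2: open a real TCP connection and read back the local address the
# stack chose. This does not bind explicitly, so it exercises the default
# source selection that SkipAsSource is meant to steer.
function Get-OutboundSourceAddress([string]$TargetHost, [int]$Port) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($TargetHost, $Port)
        return $client.Client.LocalEndPoint.Address.ToString()
    } finally {
        $client.Close()
    }
}

# Hypothetical off-link target (TEST-NET-3); use any host reachable via the gateway.
$used = Get-OutboundSourceAddress "203.0.113.10" 80
if ($used -ne $primary) {
    Write-Warning "Outbound source is $used, expected $primary (check the Skip as Source flags)"
} else {
    Write-Host "Outbound source is $used as intended"
}
```

    Two caveats from the thread itself apply: an application that explicitly binds to a SkipAsSource address will still send from it, and the hotfix as described earlier in the thread also changes which addresses get registered in DNS, so check the server's A records after applying it.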
  • Hello Samer,

    is there any way to do this on R2? The patch you linked is not available for R2 and the netsh command does not have the 'skipassource' parameter...

    Many thanks!

    R.*
    Tuesday, March 9, 2010 10:19 AM
  • Hello Ravo2,

    You are correct; the hot fix is not available for Server 2008 R2.  The SkipAsSource functionality will be provided in a later patch or service pack.  If you like, I can forward a request to our servicing team to see if they can release a version of the hot fix for R2 sooner – no guarantees.

    Wednesday, March 10, 2010 6:41 PM
  • I just spent an entire week of my life trying to migrate ISA 2006 to a new TMG 2010 server and wondering why it wouldn't work because of this!

    Not happy. Not happy at all.
    Thursday, March 18, 2010 2:14 AM
  • Hello Samer,

    it would be great if you can ask the development team to release the patch as soon as possible. It's very annoying, because some internet IP-based services are occasionally not available to our users...

    Thanks!

    R.*
    Thursday, March 18, 2010 7:14 AM
  • Yup agreed, this has stuffed me also, please release a fix urgently!
    Monday, March 22, 2010 5:43 PM
  • This is unbelievable.

    I am in a situation where my SMTP server has been compromised, causing all mail servers to blacklist me. Now that I have the issue fixed, I need to change my IP address and use a new one for my outbound SMTP.

    BUT I CAN'T.

    This is ridiculous. Is there no workaround, nothing that can be done? Am I just stuck?

    The only thing you can do at the moment is change your IPs. It is not pretty, I know; I am stuck as well, believe me.


    If you have a business plan with your ISP check whether you can use their smarthost server. I had a client that had their mailserver blacklisted for a total of 30 days so we routed all outgoing mail through the smarthost. Worked a treat then we worked on getting the IP removed from the blacklists.
    Tuesday, March 23, 2010 12:53 AM
  • Anything yet? Has a hotfix or something been released for 2008 R2?
    Wednesday, April 28, 2010 4:06 PM
  • We, too, would like a fix for 2008 R2 for this one, any news?
    Monday, May 10, 2010 11:34 PM
  • Hello Samer,

    do you have any feedback from the servicing team ?

    This fix is really important in a number of scenarios.

    Thanks,

    Claudio


    MCSA, MCSE, MCT
    Friday, May 28, 2010 3:13 PM
  • I have this issue as well.  However, as I am in the initial stages of configuring a system that is affected by it, I can set the IP's any way required to work.  If that means setting things so the one I consider the primary is the one closest to my gateway address, that would be fine.  However, that is not the behavior I am seeing.

    IP addresses:

    10.1.1.22

    10.1.1.23

    10.1.1.37

    10.1.1.38

    Default gateway is 10.1.1.13

    Doing a "route print" shows the default gateway will be accessed using interface 10.1.1.22, however, when I do a packet capture with wireshark, it is actually using 10.1.1.23 with outbound connections!

    If the expected behavior was what I was seeing it would be no big deal to work in those parameters, but how can I be guaranteed any IP will stay the primary, and why isn't traffic being routed according to the route table?

    Pete


    Wednesday, June 2, 2010 8:54 PM
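    The bit-matching rule Steve lays out in the Nov 22 replies (pick the address sharing the most high-order bits with the next hop) as an added PowerShell example, run against the address sets posted in this thread: Mario's two tests, Steve's .14/.68 illustration, and Pete's four-address server above. This is not code from the thread or from Microsoft, and it goes one step beyond the posts by reporting when the rule alone produces a tie, since nothing in the thread documents what Windows does in that case.

```powershell
# Added example, not code from the original thread. Predicts which of a
# multi-homed NIC's IPv4 addresses Windows Server 2008 picks as the source for
# an off-link connection, using the rule described in this thread: compare each
# candidate with the next hop (default gateway) and take the address sharing the
# most high-order bits. The tie-break is deliberately NOT modelled because the
# thread does not document it; ties are reported as such. Sample address sets
# are the ones posted in this thread.

function ConvertTo-IPNumber([string]$Ip) {
    # Dotted quad -> 32-bit value held in a [long] (avoids uint32 arithmetic quirks)
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    return [long]$b[0] * 16777216 + [long]$b[1] * 65536 + [long]$b[2] * 256 + [long]$b[3]
}

function Get-MatchingPrefixLength([string]$A, [string]$B) {
    # Number of identical high-order bits = leading zeros of (A XOR B)
    $x    = (ConvertTo-IPNumber $A) -bxor (ConvertTo-IPNumber $B)
    $bits = [Convert]::ToString($x, 2).PadLeft(32, '0')
    return $bits.Length - $bits.TrimStart('0').Length
}

function Select-SourceAddress([string[]]$Addresses, [string]$NextHop) {
    $scored = foreach ($a in $Addresses) {
        New-Object PSObject -Property @{
            Address      = $a
            MatchingBits = Get-MatchingPrefixLength $a $NextHop
        }
    }
    $best    = ($scored | Measure-Object -Property MatchingBits -Maximum).Maximum
    $winners = @($scored | Where-Object { $_.MatchingBits -eq $best })
    if ($winners.Count -eq 1) {
        $winner = $winners[0].Address
    } else {
        # The prefix rule alone cannot decide; the thread does not say what happens next
        $winner = "TIE between " + (($winners | ForEach-Object { $_.Address }) -join ", ")
    }
    New-Object PSObject -Property @{
        NextHop    = $NextHop
        Winner     = $winner
        Candidates = ($scored | Sort-Object MatchingBits -Descending)
    }
}

# Original post: NAT is on .205, but .250 shares 29 bits with gateway .253 vs 26 -> .250 wins
Select-SourceAddress @("192.168.31.205", "192.168.31.250") "192.168.31.253"

# Original post, second test: against gateway .1 both .250 and .251 share only 24 bits,
# so the rule yields a tie rather than a ".250 is closer" win
Select-SourceAddress @("192.168.31.250", "192.168.31.251") "192.168.31.1"

# Nov 22 reply: .68 (26 bits) beats .14 (25 bits) against gateway .127
Select-SourceAddress @("192.168.1.14", "192.168.1.68") "192.168.1.127"

# Jun 2 post: .22 and .23 both share 27 bits with 10.1.1.13 (.37 and .38 share 26),
# so the rule ties them, which fits 'route print' naming .22 while the capture shows .23
Select-SourceAddress @("10.1.1.22", "10.1.1.23", "10.1.1.37", "10.1.1.38") "10.1.1.13"
```

    The practical reading: when the candidate addresses tie on matching bits, the source address is not predictable from the rule, so a firewall NAT or SMTP reputation that depends on one particular address should not rely on address layout alone; that is exactly the gap the SkipAsSource flag closes.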
  • This is unbelievable.

    I am in a situation where my SMTP server has been compromised, causing all mail servers to blacklist me. Now that I have the issue fixed, I need to change my IP address and use a new one for my outbound SMTP.

    BUT I CAN'T.

    This is ridiculous. Is there no workaround, nothing that can be done? Am I just stuck?


    I just got my company out of that hole when I started a little over a month ago. They hit blacklists and were paying out of the ying-yang just to have contractors come in, diagnose, and remove them from blacklists. They never stopped sending spam though, and routinely had email issues.

    I came in, found the source, removed it... no more blacklists.

    You'll have to get on the horn, fax, or email from web-based email provider to get the domain removed from the blacklist manually because they are added automatically.

    Some of those block for strange reasons as well, for instance if a Linux server sends SMTP traffic and it gets caught by Exchange and relays mail from localhost.localdomain, that is enough to get you blocked.

    MXToolBox "SUPER" Blacklist Lookup Tool

    http://www.mxtoolbox.com/blacklists.aspx?AG=GBL&gclid=CN_ZyfyjjqICFZFV2god_CeiWA

    Other good email testing resource, http://www.abuse.net

    Most of the times you can submit requests to be removed. They will keep lookouts for the email coming from you to check reports of spam from your domain/IP.



    Technology is dominated by two types of people: those who understand what they do not manage, and those who manage what they do not understand. - Archibald Putt's (Putt's Law)
    Monday, June 7, 2010 3:27 PM
  • Hi All,

    Has there been an update on the status of this problem in Windows Server 2008 R2 yet?

    Really starting to annoy me here; it looks like I need the same fix to resolve the issue that 2008 adds all IP addresses to the DNS server (even if you have the "register this connection's addresses in DNS" box unchecked).

    Anybody know of an update, work-around, hotfix, or anything else that could get me on my way to fixing this god-awful w2k8 problem?

    Regards,

    Jay

    Tuesday, June 29, 2010 3:53 PM