How to manually define Gateway address with DHCP

    Question

  • I have a need to be able to manually add a default gateway that is different than the gateway address supplied by DHCP. On our network we have two paths to the Internet.  One group of users has a need to go out via the second route for certain websites.  I'll spare you the details :-)
    What I need to be able to do is to override the default gateway issued by our DHCP servers and manually enter another gateway address.  When I do so via the TCP/IP (IPv4) properties the new gateway address does not replace the one from DHCP.
    When I run IPCONFIG I see two Default Gateways:  the one supplied by the DHCP server and the one I manually entered.

    I need to be able to delete the DHCP supplied gateway address and use only the one I manually enter.   Or at a minimum, is there a way to change the order of the gateway address?  If so, I can swap the order of the addresses and put the manual one at the top, which would probably work.

    Something else I noticed: my proxy server will not complete pass-through authentication with my Windows 2003 using Active Directory.  The proxy server verifies the username and password of the account logged onto Windows and searches AD to determine if the user is authorized to access the Internet.  This is done by assigning authorized users to a Global Security group.  Seems that the proxy server is not getting the username / password combination from Win 7?  Anyone else see a similar situation?  The proxy server we are using is Endian which is an open source firewall / proxy.  And of course it works fine for any XP users, just not Win 7 at the moment.

    Thanks for any suggestions.
    Monday, February 09, 2009 7:44 PM


All replies

  • You're using a GPO to force certain XP users to go thru the web proxy, correct?  But, it won't work on the Win7 systems.  Again, correct?
    I get 'the details' - you have a certain group of users that you don't want to do random websurfing on the company dime.  So, you're running IE thru a proxy, yes?

    Win7 uses the same Group Policy tools & settings that Vista did; however, they can't be directly administered thru the Server 2003 group-policy console.  Rather, they need to be administered thru RSAT.
    See this Technet article for details.

    If I read your issue incorrectly, please clarify as necessary.

    HTH,
    Chris


    • Proposed as answer by Brian Borg Tuesday, February 10, 2009 4:20 AM
    Tuesday, February 10, 2009 4:12 AM
  • Chris
    Thanks for the reply....actually all I need to be able to do is define a default gateway manually.  You are correct in that we have certain users that we push proxy settings to, however they are restricted to just one website that they can visit.  That is working fine in Win7, I do get the proxy settings (although in Win7 I have an authentication issue with that proxy server).

    We have another group that are members of an internet access group that have to, via web browser, log into our WatchGuard through a shortcut using java.  This is not the same as above, by the way. That too works fine.

    We have a third group that does not fit the already defined groups of users above.  This group needs to have DHCP assigned IP and DNS, but needs a different gateway address.  Because of an HR specific site that does not work via the WatchGuard, and for other reasons we are not able to assign a proxy address, they are in effect bypassing the proxy and going straight out.

    So, my challenge is how do I in Win7 override the default gateway that is assigned by DHCP?  As described in my earlier post, when I manually add a gateway, I end up with two.  The first one in the list is the one assigned via DHCP and the second is the one I manually added.  In XP and earlier, if you added a gateway it would replace the one assigned by DHCP.  This doesn't occur in Win7.

    Hope I didn't muddle things up trying to explain.....bottom line is the last paragraph :-)

    Thanks again.
    Wednesday, February 11, 2009 12:21 AM
  • No, you didn't muddle it up.  Clarified things quite a bit - thanks.

    From my (admittedly quick) read of things on the 'net (yeah, Google!), and my understanding of it, what you're seeing on the Win7 clients is normal operation (read:  by design.)  One of the many changes to the networking stack in Vista was to add (or, to improve) 'dead-gateway detection.'  To do this, you have a primary and secondary gateway configured.  If the primary (what you're handing out via DHCP) goes down, the secondary (configured on client; can also be handed out via DHCP) is used.  When the primary comes back up, it's used again.
    Therefore, I'm not sure that you can delete the primary gateway, when said address is handed out via DHCP.

    My suggestions (and, this is assuming that you're running everything in a Server 2003 or later domain, and that the Server 2k3 box is also handing DHCP):
    - Does Group 3 need to be in the same network scope as Groups 1 & 2?  If not, then create a new scope for that group, and set DHCP reservations for each workstation in it.  Tedious, yes.  But, in the second scope, you can set a different gateway address.
    - Use GPOs to redirect Group 1 & Group 2 to the proxy (different GPOs for each.)  Set internet-access policy for each group at the proxy (if it'll support multiple user groups), or set up a second proxy for the second group.  Group 3 gets no proxy.

    Question:  I take it that the WatchGuard box is the primary gateway?  Or, is it kind of hung off of the actual gateway (two-parallel-networks kind of thing?)

    Looking all of that (your posts, and mine), I think that a second DHCP scope (with reservations) might be easiest, so long as Group 3 isn't all that big.
    Group 1 still gets the proxy via GPO (right?), and Group 2 gets their thing (also via GPO?)  Group 3, since they're all getting reserved addresses (and, with their own gateway address), and aren't pushed to the proxy via GPO, get full internet access.

    I hope all that makes sense - I kind of jumped around a bit.  Sorry.

    -Chris
    • Marked as answer by Ken Wolf Wednesday, February 11, 2009 3:46 AM
    Wednesday, February 11, 2009 3:27 AM
  • Chris
    Reading your first paragraph certainly explains why I am not able to delete the first gateway and manually assign a different gateway address.  Thank you for clearing that up!  Also explains why we had the same problem when testing Vista.  I guess this change was considered a benefit? Rhetorical question :-)  Funny though that after all these years the dialog box for "adding" a gateway now means exactly what it says.

    You are correct in assuming we are running in a Server 2003 environment.  I could set up specific DHCP scopes for the different types of user groups as you suggested and push out a different default gateway for that specific group.  And this is what I may have to do to get around this issue.  Doing it this way makes management a bit more complicated.

    You are also correct in that WatchGuard is the primary gateway. 

    Thank you for your help and yes it all makes sense.  Not the answer I wanted, but you are probably right on target.

    So, the last question then is my authentication problems with Endian Firewall /Proxy.  I will start a new thread for that one, so as not to "muddle" this one up :-)

    Thanks again Chris, most helpful!

    Wednesday, February 11, 2009 3:46 AM
  • Ken Wolf


    It is clear that you just want to cheat the admin and browse the web instead of working, and this is why people do not reply to you
    Wednesday, February 11, 2009 5:27 AM
  • Ventsislav

    I will assume your reply was meant to be funny.  So I will reply with LOL!! 

    Thanks
    Ken
    Wednesday, February 11, 2009 10:33 AM
  • Hi,

    While Windows 7 won't let you change this in the UI, it *can* be done from the command line, using the "route" command. (This may require an elevated command prompt; I used an elevated copy of PowerShell in testing.)

    Let's assume your machine is assigned 192.168.0.79 and has a subnet mask of 255.255.255.0. Let's further assume the DHCP server is handing you a default gateway of 192.168.0.1, but you actually want to use 192.168.0.250 as your default gateway.

    Two commands will accomplish this for you:

    route delete 0.0.0.0 mask 0.0.0.0 192.168.0.1
    route add 0.0.0.0 mask 0.0.0.0 192.168.0.250
    • Marked as answer by Ken Wolf Monday, February 16, 2009 9:10 PM
    Friday, February 13, 2009 4:10 PM
  • Hint: You can use "netstat -rn" to view the routing table. (The -n is optional; it just tells netstat not to try to resolve all those IPs in DNS.)
    Friday, February 13, 2009 4:12 PM
  • Texas ~

    Thanks for the suggestion.  I will give that a try via elevated command prompt.  Did you add the -p switch to make the change persistent on reboot?

    I did find in the registry an entry for EnableDeadGWDetect (located at HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{A8554E30-.....} ) that had a value of 1 (for on, I assumed).  I edited the key and changed it to 0 (for off?).  Restarted and attempted to add a gateway through adapter settings.  Had no effect.  I wonder then what that is for?  In my sarcastic opinion.....that was put in there to give registry hackers like me something to do, lol!!  Thought I had found something there for a minute.

    I do hope MS will provide a means to disable the dead GW detection.  There are environments, especially for testing purposes, in which this design "feature" would be a hindrance.

    I will give your suggestion a try and let you know how it goes.  If this works, it would sure make implementation a lot easier.

    Thanks again!

     
    Saturday, February 14, 2009 2:19 AM
  • Good luck. Yes, you can use -p to make the change persistent.
    Monday, February 16, 2009 12:53 AM
  • Texas

    I gave your suggestion a try this morning.  It works!  That did the trick.  The static route entry seems to have solved the problem with manually assigning a default gateway.


    Thanks again,

    Monday, February 16, 2009 9:13 PM
  • As a further follow up...
    I have discovered that defining a route as suggested does not persist on a reboot.   I have restarted since my earlier comment and discovered the persistent route was gone and was back to the gateway address issued by DHCP.  I re-entered the route and was able to override the DHCP issued gateway address.

    I will be testing a login script to add the route on each login or maybe using a machine GP if one exists.


    Thursday, February 19, 2009 2:45 AM
  • I know it's a late bump, but .... extensive searching for a solution to this problem yielded little.

    I added a logon.cmd script using the Local Group Policy Editor in the Computer section (so it would run with Admin privileges).

    The script contains the  "route delete 0.0.0.0 192.168.0.1"  command.
    Works great!

    I never did find a registry solution or any other way to mitigate this new multi-default gateway *feature* in Win7. bleh!

    Friday, November 09, 2012 8:57 PM
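  • The route delete / route add commands, the -p switch and the startup-script follow-up from this thread, combined into one script with the checks a practitioner would want before a script rewrites a host's default route. This is an added example, not code posted by anyone in the thread; the gateway value reuses the thread's 192.168.0.250, and the subnet check, the WMI lookup and the idempotency test are my assumptions. Run it elevated.

```powershell
# ASSUMED: the gateway you want instead of the DHCP-supplied one (thread example value).
$WantedGateway = '192.168.0.250'
$v4 = '^\d{1,3}(\.\d{1,3}){3}$'

# True when $a and $b fall in the same IPv4 subnet under $mask (byte math; works on PS 2.0 / Win7).
function Test-SameSubnet([string]$a, [string]$b, [string]$mask) {
    $m = [System.Net.IPAddress]::Parse($mask).GetAddressBytes()
    $x = [System.Net.IPAddress]::Parse($a).GetAddressBytes()
    $y = [System.Net.IPAddress]::Parse($b).GetAddressBytes()
    for ($i = 0; $i -lt 4; $i++) {
        if (($x[$i] -band $m[$i]) -ne ($y[$i] -band $m[$i])) { return $false }
    }
    return $true
}

# DHCP-enabled adapters that currently carry a default gateway.
$nics = Get-WmiObject Win32_NetworkAdapterConfiguration |
        Where-Object { $_.IPEnabled -and $_.DHCPEnabled -and $_.DefaultIPGateway }

foreach ($nic in $nics) {
    # IPAddress and IPSubnet are index-aligned arrays; locate the adapter's IPv4 entry.
    $i = 0
    while ($i -lt $nic.IPAddress.Length -and $nic.IPAddress[$i] -notmatch $v4) { $i++ }
    if ($i -ge $nic.IPAddress.Length) { continue }

    # Refuse to point the default route at a gateway that is not on this adapter's subnet.
    if (-not (Test-SameSubnet $nic.IPAddress[$i] $WantedGateway $nic.IPSubnet[$i])) {
        Write-Warning "$WantedGateway is not on the subnet of $($nic.Description); skipping"
        continue
    }

    # Remove every DHCP-supplied IPv4 default route except the one we want to keep.
    foreach ($gw in $nic.DefaultIPGateway) {
        if ($gw -eq $WantedGateway -or $gw -notmatch $v4) { continue }
        Write-Host "Deleting DHCP default route via $gw on $($nic.Description)"
        route delete 0.0.0.0 mask 0.0.0.0 $gw | Out-Null
    }
}

# Add the manual default route persistently (-p) only if it is not already in the table.
$pattern = "^\s*0\.0\.0\.0\s+0\.0\.0\.0\s+$([regex]::Escape($WantedGateway))\s"
$have = route print 0.0.0.0 | Select-String -Pattern $pattern
if (-not $have) {
    Write-Host "Adding persistent default route via $WantedGateway"
    route -p add 0.0.0.0 mask 0.0.0.0 $WantedGateway | Out-Null
}

# Verify: only the wanted gateway should remain (same view as netstat -rn).
route print 0.0.0.0
```

    Because the DHCP gateway came back after a reboot in this thread, deploy the script as a computer startup script (as the last reply did with logon.cmd) so it runs with administrative rights every boot, and keep it somewhere only administrators can write since it changes the host's egress path.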