
I've got a Windows 2008 machine with two network adapters in it. One's connected to the corporate network, and the other's connected to a private (lab) network. They're both configured by DHCP. They don't overlap: the corporate network is a 192.168.x.y network, and the lab network is a 10.a.b.c network. Both networks are always up.

That said, the lab itself is partitioned into two subnets: 10.5.26.x and 10.5.24.x. There's an R/RAS box connecting those subnets. This machine is connected to 10.5.26.x. I don't particularly need this box to get directly to the 10.5.24.x network (it's simulating a low-bandwidth link), so I've not set up static routing.

The lab is only connected to this computer. I have squid (and WSUS) configured on the machine to allow the lab to access the outside world.

I'd like this machine to ignore the lab network's 003 Router option (the default gateway) and the 006 DNS Servers option. If it uses these, its connection to the Internet becomes unreliable (because of the conflicting gateway options).

I also don't particularly want to use static IP on the private adapter, because then network location awareness doesn't work, and I can't then easily configure the private/public setting.

I guess that I can configure the DHCP server on the private network to issue the "external" router and DNS server entries for that particular reservation, but that seems like a hack.

Anyone got any better ideas?

Roger Lipscombe
  • Can you provide a bit more information? Are the networks overlapping? A subnet? Is one of the connections intermittent? – Avery Payne Jul 13 '09 at 13:56

3 Answers


You could try using the "Interface Metric" option on each interface under the Advanced settings to control which interface is higher priority than the other. You can look at your "route print" command to see what metrics are currently used but setting the interface you wish to use to 1 should do the trick and would still allow you to fail back to the other connection in case something went wrong with your primary interface.

Kevin Kuphal
  • Turns out that this Windows box automatically assigned a higher metric to the correct gateway (once I'd provided one), but I can see that this would have been the right answer. – Roger Lipscombe Jul 14 '09 at 08:36
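The following script is an added example, not part of Kevin's answer or anything Microsoft ships. It does what the answer describes on a Windows Server 2008 box: it reads the default routes and their metrics out of "route print", sets the interface metric on each adapter with netsh (the NetTCPIP cmdlets such as Get-NetRoute did not exist on 2008, so route.exe and netsh are used instead), and prints the table again so you can confirm the corporate gateway now has the lowest metric. The adapter names "Local Area Connection" and "Local Area Connection 2" are assumptions; use the names from your own Network Connections folder.

```powershell
# Added example (not part of Kevin's answer). Windows Server 2008 predates the
# NetTCPIP cmdlets (Get-NetRoute, Set-NetIPInterface), so this uses route.exe
# and netsh, which it does have. Adapter names below are assumed; check
# "Network Connections" for the real ones.

function Get-DefaultRoute {
    # Parse the IPv4 "Active Routes" table printed by route.exe and return each
    # 0.0.0.0/0 entry as gateway / local interface address / metric, lowest
    # metric first. The first row is the gateway Windows actually uses.
    $inActive = $false
    $rows = @()
    foreach ($line in (route print -4)) {
        if ($line -match '^Active Routes:')     { $inActive = $true;  continue }
        if ($line -match '^Persistent Routes:') { $inActive = $false; continue }
        if ($inActive -and
            $line -match '^\s*0\.0\.0\.0\s+0\.0\.0\.0\s+(\S+)\s+(\S+)\s+(\d+)\s*$') {
            $rows += New-Object PSObject -Property @{
                Gateway   = $matches[1]
                Interface = $matches[2]
                Metric    = [int]$matches[3]
            }
        }
    }
    $rows | Sort-Object Metric
}

$corpNic = 'Local Area Connection'     # assumed: adapter on the 192.168.x.y corporate network
$labNic  = 'Local Area Connection 2'   # assumed: adapter on the 10.5.26.x lab network

"Default routes before:"
Get-DefaultRoute | Format-Table Gateway, Interface, Metric -AutoSize

# A route's effective metric is the interface metric plus the route's own
# metric, so giving the corporate adapter a much lower interface metric makes
# its DHCP-learned default gateway win. The lab gateway stays in the table as a
# fallback instead of being deleted.
netsh interface ipv4 set interface "$corpNic" metric=1
netsh interface ipv4 set interface "$labNic"  metric=50

"Default routes after (lowest metric wins):"
Get-DefaultRoute | Format-Table Gateway, Interface, Metric -AutoSize
```

Run it from an elevated PowerShell prompt. The interface metric is a property of the adapter rather than of a route, so it survives DHCP lease renewals; only the default-route entries themselves are re-learned from DHCP, and they inherit the adapter's metric each time.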

DNS is easy because you can configure a NIC for DHCP but still specify the DNS servers manually.

I can't think of an elegant way to handle the duplicate default gateway. You can change the default gateway from a batch file using:

route delete 0.0.0.0
route add 0.0.0.0 mask 0.0.0.0 <gateway> metric 1

But note that this change will be overwritten whenever the DHCP lease is renewed. Still, if you put it in your login script it would work most of the time.

JR

John Rennie
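The script below is an added example rather than John's batch file. It implements both halves of the answer: the lab adapter keeps its DHCP address but gets static DNS servers (so DHCP option 006 is ignored), and the duplicate default gateway is handled by deleting only the lab gateway's 0.0.0.0 entry instead of every default route, so the corporate connection never drops while the script runs. It then re-reads "route print" to confirm the lab default route is gone. The adapter name, the lab gateway 10.5.26.1 and the DNS addresses 192.168.1.10 and 192.168.1.11 are assumed placeholders.

```powershell
# Added example (not John's batch file). Assumed names and addresses; replace
# them with the values from your own "Network Connections" and DHCP scope.
$labNic     = 'Local Area Connection 2'          # assumed: adapter on 10.5.26.x
$labGateway = '10.5.26.1'                        # assumed: router handed out by lab DHCP option 003
$corpDns    = @('192.168.1.10', '192.168.1.11')  # assumed: corporate DNS servers

# 1. DNS servers: the address stays on DHCP, only DHCP option 006 is overridden.
#    source=static is what keeps a lease renewal from putting the lab servers back.
#    register=none stops this box from registering its 10.x address in corporate
#    DNS. (Pre-R2 builds of 2008 spell the subcommand "dnsserver"; netsh accepts
#    either as an unambiguous prefix.)
$first = $corpDns[0]
netsh interface ipv4 set dnsservers name="$labNic" source=static address=$first register=none
for ($i = 1; $i -lt $corpDns.Count; $i++) {
    $addr = $corpDns[$i]
    $idx  = $i + 1
    netsh interface ipv4 add dnsservers name="$labNic" address=$addr index=$idx
}

# 2. Default route: "route delete 0.0.0.0" removes every default route,
#    including the corporate one. Naming the gateway removes only the lab entry,
#    so the corporate gateway keeps working throughout.
$escaped = [regex]::Escape($labGateway)
$pattern = "^\s*0\.0\.0\.0\s+0\.0\.0\.0\s+$escaped\s"

function Test-LabDefaultRoute {
    # $true if the lab gateway still owns a 0.0.0.0/0 entry in the route table.
    [bool](route print -4 | Select-String -Pattern $pattern -Quiet)
}

if (Test-LabDefaultRoute) {
    route delete 0.0.0.0 mask 0.0.0.0 $labGateway
}

if (Test-LabDefaultRoute) {
    Write-Warning "Lab default route via $labGateway is still present"
} else {
    "Lab default route via $labGateway removed; the corporate gateway is the only default."
}
```

The DNS part persists because it is stored as an interface setting, but the route part is re-added at the next DHCP renewal, exactly as the answer notes; running the script as a logon script or from a scheduled task at startup covers most of the time. Run it elevated, since both netsh and route need administrator rights to change anything.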

I really need to see more info about how things are set up, so I can't make more than a few generalized recommendations here.

Multi-homed Windows installations are not something that I've had great luck with. Not just because of the issues you're having but also because File and Print services are not keen on multi-homed setups either.

The second thing that comes to mind is that your machine is turning into a possible security issue. I don't know the circumstances surrounding your install, and I'm sure you're taking precautions, but connecting a foreign network (your labs) to your corporate network opens up a potential attack vector that most corporations don't want to expose themselves to. I'm guessing that this is a non-issue for you and you're not exposing yourself to unnecessary liability.

One possibility (one you probably don't want) is to only enable one adapter at a time. This will eliminate all confusion at all levels and doesn't require any additional setup.

Another possibility is that you should eliminate both of those options from your DHCP grant. If you are getting full-time access from your corporate network, why bother with another default gateway?

A third possibility is that you reconfigure your existing (lab) gateway to act as the only gateway, and make your corporate connection run through it. This has several advantages - you no longer have to multi-home the host, the existing (local/lab) gateway handles the networking, and you don't have to mucky-muck with any settings once it's done.

A fourth possibility is that you run a single gateway locally (see third, above) and then run a VPN through it to your corporate connection. This is the "traditional" approach and would probably work best. It also requires the most effort.

Avery Payne