On Windows Server 2008 I have 2 network cards, both configured on the same network (I will explain the purpose in a second):

NIC1: 10.35.1.98  Mask: 255.255.0.0  Gateway: 10.35.1.254
NIC2: 10.35.1.99  Mask: 255.255.0.0  Gateway: 10.35.1.254

What I am looking to do is route traffic to Cisco VPN clients, who get IPs in the range of 1.1.3.x, via the 10.35.1.98 IP, and all other traffic through the 10.35.1.99 IP. Right now traffic is successfully going through the .99 IP.

The reason I need to have 2 IPs is that we have an application that we want to be able to work via the Cisco VPN client (when laptops are connected via aircards with Cisco), but another application that we don't want to work when the cars are on the aircard/Cisco VPN. Our Cisco VPN profile basically makes the .99 IP inaccessible when the laptop is not connected to WiFi; once the laptop connects to WiFi at the main network the .99 IP becomes accessible and communication to that second app completes successfully.

Both of these apps are related and cannot be separated onto different servers; that's why they both reside on the same server.

I feel like there must be a route that I can add to the routing table, but I can't figure out how to specify a specific interface to use, especially since they are both on the same network. Most other people looking to do this are simply trying to give one connection preference over the other for internet purposes. That is not the case here.

Thanks in advance!

John
    Your question seems to contain a fundamental confusion that makes it impossible to understand and likely relates to why you are having problems. The question says you want to "force traffic out a specific **nic**" but then your text says you want to route traffic "via the 10.35.1.98 **IP**". So which is it? Do you want to control the NIC or the IP? And what do you think it means to route traffic **via** an IP? – David Schwartz Oct 18 '12 at 14:02
  • Sorry. It is confusing. I am using NIC and IP interchangeably and maybe I am wrong in doing that. What my end result needs to be is that the laptop needs to see the traffic coming from 10.35.1.98 for application A, and 10.35.1.99 for application B, for both to function properly. The reason why we cannot use the same IP for both is that application B essentially needs to be blocked from working when the laptop is not on the WiFi of the main network, due to the bandwidth consumption of application B. SO... regardless of how I would accomplish this, that's how the client needs to see the traffic. – John Oct 18 '12 at 15:19
  • Okay, so you don't care which NIC sends the traffic, right? You just want the correct source IP address? Do you care how the return traffic gets to the machine? You might be able to formulate your question better if you read [RFC4907](http://www.ietf.org/rfc/rfc4907.txt)'s section on strong end system model versus weak end system model. – David Schwartz Oct 18 '12 at 15:57
  • David, thank you. I think smithian's solution is what will work. Somehow or another this application is working off the strong end system model, it seems, but I am not sure. All I know is that the application runs on the laptop but does not contact the server on its own. The server actually "polls" out at regular intervals looking for clients. If the client is connected and receives this "poll", the client then checks to make sure it's receiving it from the correct IP, which is why this is necessary. Then somehow it connects to the server and begins talking. I don't think that CONT- – John Oct 18 '12 at 17:19
  • the server then necessarily needs to talk back via the same route; it just kind of only answers the request from the IP address that it expects to be receiving the poll from. SO... when my server was sending on IP#1 and the client app was expecting to get the poll from IP#2, it basically ignored it. Whether this was the application receiving it but choosing not to respond to it, OR the "strong end model" coming into play and "silently dropping it", I am not totally sure... Thanks again!! – John Oct 18 '12 at 17:21

2 Answers


Disclaimer: This is ugly and bad, and you should not do it.

Here's how to do it (from an elevated command prompt):

First, do a `route print` and get the number of the interface that you want to force traffic out of. This will be the number all the way to the left of the entry in the Interface List. Then, enter this command:

route add -p 1.1.3.0 MASK 255.255.255.0 10.35.1.254 METRIC 1 IF <foo>

If you do a `route print` again, you should see the route in the route table. Make sure it has the lowest metric.

smithian
  • That was what my command was; however, the part I didn't understand (or see) was the Interface List, to know what the corresponding 'foo' was to put in the command initially. Your response made me look harder at the ROUTE PRINT results and see the listing. Thank you. – John Oct 18 '12 at 17:10


Use NETSH.

It actually solves a ton of trouble.

From an elevated command line, find the name of the interface you want the traffic to go out of: `netsh interface ipv4 show interface`

Note this; then you will route your traffic out of it. I typically go to the HOST level at this point and just make post-installation scripts to manage it, so I don't have a mess of network routes to debug later. So:

netsh interface ipv4 add route xxx.xxx.xxx.xxx/32 interface="" metric=1

You put the metric=1 in there in an attempt to not let the traffic go out your default route, right?

Anyway, I have to do this all the time for a variety of reasons. If you don't know about NETSH this is a very complex and ugly process. If you do, you just smile at these problems knowingly.

  • Don't forget, if you have lots of networks hanging off a server farm, that you might need to add a lot of these to a lot of servers. If you take some time and script this out you can save yourself a ton of trouble. I like to have PowerShell figure out the interface names for me, and what IP is attached to the server I'm executing on, and just generate and execute the command. – Max Dercum Jan 21 '13 at 18:42
  • Also, if you are worried about persistence, go read the manual on netsh. – Max Dercum Jan 21 '13 at 18:42
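Both answers describe the same procedure by hand: look up the interface index of the NIC that owns the source address, then add a persistent route for the VPN client pool that is pinned to that index. The script below is an added example, not code from either answer or from the question's author; it automates the lookup so the index is never copied by eye from `route print`. It assumes an elevated PowerShell 2.0 session on Windows Server 2008 (the WMI `Win32_NetworkAdapterConfiguration` class is used because the `NetTCPIP` cmdlets do not exist on 2008), the addresses from the question, and `route.exe` / `netsh.exe` on the PATH. The function names are the example's own.

```powershell
# Added example (not from the original page): pin a route for the Cisco VPN
# client pool to the NIC that holds 10.35.1.98, so packets to 1.1.3.0/24 leave
# with that source address. Assumes Windows Server 2008, elevated PowerShell 2.0.

function Get-InterfaceIndexForIp {
    # Return the interface index of the IP-enabled adapter that owns $Ip.
    # This is the number shown at the far left of the "Interface List" in
    # `route print` and in `netsh interface ipv4 show interfaces`.
    param([Parameter(Mandatory = $true)][string]$Ip)

    $nic = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
           Where-Object { $_.IPAddress -contains $Ip }

    if (-not $nic) {
        throw "No IP-enabled adapter holds $Ip; check the NIC configuration first."
    }
    if (@($nic).Count -gt 1) {
        throw "More than one adapter claims $Ip; refusing to guess which one to use."
    }
    Write-Verbose "Found $Ip on interface $($nic.InterfaceIndex) ($($nic.Description))"
    return [int]$nic.InterfaceIndex
}

function Add-PinnedRoute {
    # Add a persistent route for $Network/$Mask via $Gateway, forced out of the
    # interface that owns $SourceIp. Uses route.exe exactly as in smithian's
    # answer; the netsh form from the second answer is shown for comparison.
    param(
        [string]$SourceIp = '10.35.1.98',      # NIC the VPN-client traffic must leave from
        [string]$Network  = '1.1.3.0',         # Cisco VPN client address pool (from the question)
        [string]$Mask     = '255.255.255.0',
        [string]$Gateway  = '10.35.1.254',
        [int]$Metric      = 1
    )

    $ifIndex = Get-InterfaceIndexForIp -Ip $SourceIp

    # Refuse to stack a conflicting entry on top of an existing route to the
    # same prefix; the operator should remove the old one deliberately.
    $existing = & route.exe print $Network | Select-String -SimpleMatch $Network
    if ($existing) {
        throw "A route for $Network already exists:`n$($existing -join "`n")"
    }

    # -p makes the route persistent (it is written to the PersistentRoutes key
    # under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters and
    # re-added at boot). IF pins it to the chosen interface.
    & route.exe add -p $Network MASK $Mask $Gateway METRIC $Metric IF $ifIndex
    if ($LASTEXITCODE -ne 0) {
        throw "route add failed with exit code $LASTEXITCODE"
    }

    # Equivalent netsh form (not executed here). Note the explicit nexthop=:
    # without it netsh treats the prefix as directly attached (on-link) instead
    # of reachable through the gateway, and store=persistent is what survives
    # a reboot.
    #   netsh interface ipv4 add route $Network/24 interface=$ifIndex `
    #       nexthop=$Gateway metric=$Metric store=persistent

    # Verify: the "Interface" column for the new entry must show $SourceIp,
    # which is the address Windows will stamp on packets sent to $Network.
    $rows = & route.exe print $Network | Select-String -SimpleMatch $Network
    if (-not ($rows -match [regex]::Escape($SourceIp))) {
        throw "Route was added but is not bound to $SourceIp; check the interface index."
    }
    return $rows
}

# Usage (run elevated):
#   Add-PinnedRoute -Verbose
```

Two caveats a practitioner should keep in mind. First, this route only decides the egress interface, and therefore the source address, for traffic the server originates to 1.1.3.x; with both NICs on one subnet and one gateway, which NIC carries the default route and how inbound packets for .98 and .99 arrive is governed by interface metrics and Windows' weak-host behaviour, not by this entry. Second, making application B "unreachable" over the VPN by relying on the VPN profile hiding the .99 address is a convenience for bandwidth control, not an access control: a client that can reach the server's subnet can still reach .99 if its VPN profile or split-tunnel settings change, so enforce any real restriction on the VPN concentrator or the server firewall.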