Two Default Gateways
by admin on Feb.06, 2008, under Networking, Systems
So I thought I would discuss the topic of multiple default gateways on Windows Servers today since my buddy blogged about it.
IT and Development Best Practice
First off, you should never have two default gateways on your servers. It doesn’t matter which OS you are running; Windows 98/NT is worse at handling the condition, but all of them will have problems. Every Windows server has a little routing table in memory. If you have one network card, it will know to send anything on its own subnet out that adapter even if you don’t have a gateway. It doesn’t know how to get to anything outside of its own subnet without a default gateway. Now if you have two adapters without default gateways, the server will know where to send traffic for each subnet, depending on which subnet is tied to which network card.
When you add a default gateway to a network card, the server will then send anything outside of its local subnet(s) to the gateway you specify. The gateway, being a router or firewall, then passes the traffic on to the correct location. The problem comes in if you have default gateways on more than one network card. The server then gets confused about where to send traffic that is destined off its local subnets.
The way it is supposed to work is that the adapter that is bound first to the OS should be the one used, but that isn’t what happens. Instead the OS randomly guesses at which gateway to use, and some packets may get through while some will not. This happens not only across different sessions but in mid-session as well.
So what do you do when you have a dual-homed server and you want multiple subnets to go out one adapter and everything else to go out the other? You add the default gateway on the adapter that should carry traffic for destinations whose subnet you might not know, such as Internet traffic. Then add a route statement for the subnets you do know and want to go out the other adapter.
Example:
Adapter #1 - 10.1.1.20 Mask 255.255.255.0 Default Gateway 10.1.1.1
Adapter #2 - 192.168.2.20 Mask 255.255.255.0
Go to a command prompt and run the command below:
“route add 192.168.0.0 mask 255.255.0.0 192.168.2.1”
This tells the server that all traffic heading for anything in the 192.168.0.0 subnets is directed to the IP 192.168.2.1. That adapter would not have a default gateway. The other adapter has the default gateway, and all other traffic goes out that adapter to the IP specified. Note that the route added by the command above will go away on restart unless you specify -p, in which case it will stay until you do a route delete.
If you want to see all the routes your server is currently using, run the command “route print”.
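As an added example (not from the original post), this Python script parses the Active Routes rows of “route print” output, flags more than one default gateway, and shows which gateway a destination resolves to. The sample table and its metrics are constructed for the example server above, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample: "Active Routes" rows as `route print` would list them for the
# example server after the route add. The metric values are made up.
SAMPLE = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.1.1.1        10.1.1.20     10
         10.1.1.0    255.255.255.0          On-link        10.1.1.20    266
      192.168.0.0      255.255.0.0      192.168.2.1     192.168.2.20     11
      192.168.2.0    255.255.255.0          On-link     192.168.2.20    266
"""

def parse_routes(text):
    """Return (network, gateway, interface, metric) tuples from route print rows."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 5 or not f[4].isdigit():
            continue  # header, separator or blank line
        try:
            net = ipaddress.ip_network(f"{f[0]}/{f[1]}")
        except ValueError:
            continue  # not a destination/netmask pair
        routes.append((net, f[2], f[3], int(f[4])))
    return routes

def default_gateways(routes):
    """Map each interface that holds a 0.0.0.0/0 route to its gateway."""
    return {iface: gw for net, gw, iface, _ in routes if net.prefixlen == 0}

def next_hop(routes, dest):
    """Textbook selection: longest prefix wins, lowest metric breaks ties."""
    ip = ipaddress.ip_address(dest)
    hits = [r for r in routes if ip in r[0]]
    if not hits:
        return None
    net, gw, iface, _ = min(hits, key=lambda r: (-r[0].prefixlen, r[3]))
    return gw, iface

def audit(text):
    """Return a finding when more than one adapter has a default gateway."""
    gws = default_gateways(parse_routes(text))
    if len(gws) > 1:
        pairs = ", ".join(f"{g} via {i}" for i, g in sorted(gws.items()))
        return "multiple default gateways: " + pairs
    return None
```
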
One thing to ask yourself before going through this: do I really need a dual-homed server? What security holes am I opening up? Am I bypassing a firewall?