Two-NIC, two-gateway setup

Academician

We have a setup in a colocation facility with a server running Windows
2003 (Web Edition) and a Netscreen-5GT firewall/VPN device. The Windows
machine has two network cards, one of which is plugged directly to the
Internet, the other of which is plugged into the Netscreen. Here is a
diagram:

                            ___      Key:
   ------------------ NIC1 |   |     NS   = Netscreen-5GT FW
  /                        | W |     W    = W2K3 server
 Internet                  |   |     NIC1 = 1st NIC (live net)
  \                        |   |     NIC2 = 2nd NIC (private net)
   --------NS-------- NIC2 |___|     (u)  = "Untrust" zone on NS
          (u) (t)                    (t)  = "Trust" zone on NS

Network config:
NIC1 = 66.66.66.214, MASK 255.255.255.192, GW 66.66.66.193
NIC2 = 192.168.1.100, MASK 255.255.255.0, GW 192.168.1.1
NS(u) = 66.66.66.213, MASK 255.255.255.192, GW 66.66.66.193
NS(t) = 192.168.1.1, MASK 255.255.255.0

The external IPs are not real, of course, but they should be good for an
example.

So the problem here is that when I try to connect either to the VPN on
the firewall or to forwarded ports (or masqueraded IPs) on the firewall,
it sends the data to NIC2 on the server (W) but then the server tries to
send the data back through NIC1. What I need it to do is send data back
through NIC2 (to the firewall) that was sent to it through the firewall
originally. If I delete and try to add the 192.168.1.1 gateway to NIC2,
then NIC2 takes over as primary "internet" card and all data goes
through it - which is likewise undesirable, since if I try to send data
to 66.66.66.214 it tries to reach back through NIC2 (which does not work).

I hope this problem description makes sense. I know it is a rather odd
setup, but I am sure that it is what I want. Right now we only want to
route certain traffic through the Netscreen, but not ALL traffic since
the last one we had before it turned out to be unreliable. Thus, this
is sort of a "testing" period for the non-critical traffic.

I've tried setting up persistent routes through the "route" command on
the command-line but haven't been able to figure out one that helps me.
I am not the greatest at networking (I took the Cisco classes 1 and 2
about 4 years ago, and have forgotten quite a bit), so I am hoping
someone more familiar with Windows networking will be able to help me
out here. Thanks!

--Academician
 
Phillip Windell

You can only have one Default Gateway. That is why it is called the
*Default* Gateway.

157025 - Default Gateway Configuration for Multihomed Computers
http://support.microsoft.com/default.aspx?scid=kb;en-us;157025&Product=win2000

272294 - Active Directory Communication Fails on Multihomed Domain
Controllers
http://support.microsoft.com/default.aspx?scid=kb;en-us;272294

191611 - Symptoms of Multihomed Browsers
http://support.microsoft.com/default.aspx?scid=kb;EN-US;191611

Microsoft Windows XP - Multihoming Considerations
http://www.microsoft.com/resources/documentation/windows/xp/all/reskit/en-us/prcc_tcp_qpzj.asp?

128978 - Dead Gateway Detection in TCP/IP for Windows NT
http://support.microsoft.com/default.aspx?scid=kb;EN-US;128978

171564 - TCP/IP Dead Gateway Detection Algorithm Updated for Windows NT
http://support.microsoft.com/default.aspx?scid=kb;EN-US;171564
 
Academician

Alright, so I can not add two default gateways. Is there no way to do
what I'm trying to do, then? As it describes in the "Microsoft Windows
XP - Multihoming Considerations" article, I suppose I have a "disjointed
network". Then it says that I can "either add static routes or use a
dynamic routing protocol to provide connectivity to subnets reachable on
the other network". That is what I was trying to do initially, but will
I be able to use that for what I am trying to do or should I give up on
this issue?

--Academician
 
Jeff Cochran

> I hope this problem description makes sense. I know it is a rather odd
> setup, but I am sure that it is what I want. Right now we only want to
> route certain traffic through the Netscreen, but not ALL traffic since
> the last one we had before it turned out to be unreliable. Thus, this
> is sort of a "testing" period for the non-critical traffic.
>
> I've tried setting up persistent routes through the "route" command on
> the command-line but haven't been able to figure out one that helps me.
> I am not the greatest at networking (I took the Cisco classes 1 and 2
> about 4 years ago, and have forgotten quite a bit), so I am hoping
> someone more familiar with Windows networking will be able to help me
> out here. Thanks!

For your testing, set your default gateway as the NIC that bypasses
the Netscreen and persistent routes to those IP ranges you want to
test through the Netscreen. Note that the routes will likely need to
be in any workstations you also use.

Jeff
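The route selection Jeff's advice relies on, as an added example that is not part of the thread: a small model of a Windows host's destination-based routing table, built from the addresses in the original post. The default gateway lives on NIC1 only; a more specific persistent route sends replies to a chosen client range back through the Netscreen's Trust address. The client range 10.10.10.0/24, the Internet test address 203.0.113.10 and the function names are assumptions for the illustration.

```python
import ipaddress

# Constructed model of the host's routing decision; addresses are the example
# values from the post. 10.10.10.0/24 is an assumed placeholder for clients
# that reach the server through the Netscreen (VPN users, forwarded ports).

NIC1_GW = "66.66.66.193"    # the one default gateway, on the NIC that bypasses the firewall
NS_TRUST = "192.168.1.1"    # Netscreen "Trust" side: next hop for traffic that should return via the firewall
VPN_POOL = "10.10.10.0/24"  # assumed: addresses of clients that arrive through the Netscreen


def base_routes():
    """Routes the host has from the NIC configuration alone, with the default
    gateway configured on NIC1 only (Jeff's recommendation)."""
    return [
        # (destination, next hop or None for on-link, interface, metric)
        (ipaddress.ip_network("66.66.66.192/26"), None, "NIC1", 1),
        (ipaddress.ip_network("192.168.1.0/24"), None, "NIC2", 1),
        (ipaddress.ip_network("0.0.0.0/0"), NIC1_GW, "NIC1", 1),
    ]


def lookup(routes, dst):
    """Pick the egress interface and next hop for dst: longest prefix first,
    lowest metric to break ties.  Returns (interface, next_hop)."""
    dst = ipaddress.ip_address(dst)
    candidates = [r for r in routes if dst in r[0]]
    if not candidates:
        return None
    net, gw, ifname, _ = min(candidates, key=lambda r: (-r[0].prefixlen, r[3]))
    return ifname, gw if gw is not None else "on-link"


def static_route(network, gateway, interface="NIC2", metric=1):
    """A persistent static route like the one `route -p add` creates."""
    return (ipaddress.ip_network(network), gateway, interface, metric)


def route_command(network, gateway):
    """The equivalent W2K3 command-line form of static_route()."""
    net = ipaddress.ip_network(network)
    return f"route -p add {net.network_address} mask {net.netmask} {gateway}"


def reply_path_without_static_route(client):
    """The problem in the post: a reply to a client that came in via NIC2
    goes out NIC1, because only the default route matches its address."""
    return lookup(base_routes(), client)


def reply_path_with_static_route(client):
    """Jeff's fix: a more specific route for the client range via the
    Netscreen's Trust address beats the default, so the reply returns
    through NIC2."""
    routes = base_routes() + [static_route(VPN_POOL, NS_TRUST)]
    return lookup(routes, client)


def everything_via_nic2(client):
    """The other failure mode in the post: a second default gateway on NIC2
    with a better metric captures all Internet-bound traffic as well."""
    routes = base_routes() + [(ipaddress.ip_network("0.0.0.0/0"), NS_TRUST, "NIC2", 0)]
    return lookup(routes, "203.0.113.10"), lookup(routes, client)


if __name__ == "__main__":
    c = "10.10.10.5"
    print("without static route:", reply_path_without_static_route(c))
    print("with static route:   ", reply_path_with_static_route(c))
    print("two defaults:        ", everything_via_nic2(c))
    print(route_command(VPN_POOL, NS_TRUST))
```

The point the model makes is that the host never considers which NIC a request arrived on; it only matches the reply's destination address against the table. A static route is therefore needed for every client range that is not already covered by an on-link route, and a second default route does not add a choice, it just replaces the first one for everything.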
 
Phillip Windell

I couldn't follow your description well enough to know what you are
attempting. Diagrams don't "hold their shape" in email messages so that
diagram doesn't help me. So all I can give are general principles to place
the "boundaries" and what you are doing.

Here are probably the main things to keep in mind.

1. Keep the design simple, manageable, and understandable
2. Only one Default Gateway on any multi-homed device (as previously stated)
3. Keep LAN Routing separate from Internet routing. Internet routing should
   depend upon LAN routing, but LAN routing should never be dependent on
   Internet routing. In other words never make the Firewall device the
   "Default Gateway" of the servers and workstations when the LAN has
   multiple segments.
   A. The LAN router(s) handles routing of the LAN segments
   B. The Firewall will be the Default Gateway of only *one* LAN Router while
      other routers pass "unknown destinations" from router to router via the
      default gateways until it finally reaches the one router that uses the
      Firewall for its default gateway.
4. Keep it simple. Repeat step #1 over and over till memorized. I say it in
   a light-hearted way, but it is probably the most important point.
 