routing query

Status
Not open for further replies.

dhaywood

IS-IT--Management
Jun 25, 2002
51
GB
Hi,

I have a feeling I should be posting this to at least 2 other forums but I guess here is as good a place to start as anywhere.

I have a single server running Windows 2K server, Exchange 2000 Server and ISA. We have 2 broadband connections that run through separate routers connected directly to the main network, not to the back of the server.

Our current situation is that all our in/outbound traffic (VPN to other sites included) goes via router IP 192.168.1.1 with router 192.168.1.5 being there purely for backup purposes.

What I would like to do is use router 192.168.1.1 purely for the VPN in/outbound traffic and re-route all the current ISA and Exchange traffic through 192.168.1.5. I know that to collect the mail I just need to change our MX record to reflect the public static IP of the connection but I don't have a clue how to change outbound mail or the ISA routes.

Just in case you need to know, the VPN sites have different IPs of
192.168.2.x
192.168.3.x
192.168.4.x
192.168.5.x

I appreciate this is probably very simple but if someone can point me in the right direction I'd be grateful.

Cheers

Duncan
 
The default gateway in IP properties defines outbound traffic that is not on the computer's subnet. So if on the server you have 192.168.1.5 as the gateway (and that router public IP is specified in your domain's MX record) you will receive mail through that router.

BUT if you tracert you will see a packet that comes in from the outside on your 192.168.1.1 router will then be replied to through the default gateway of 192.168.1.5. Any query from 192.168.1.1 that gets replied from 192.168.1.5 doesn't go anywhere...the other computer cannot send a question to one public IP and expect an answer on a completely different IP (it drops those packets as being junk.)

If you are doing this for redundancy, try this:
Default Gateway 192.168.1.1
192.168.1.5

MX 10 yourdomain.com 192.168.1.1
MX 20 192.168.1.5

Doing this means that all traffic goes through the first router until it fails, then all traffic switches to the second. Any mail occurring at the moment of failure will get lost, but the other server usually re-tries if the connection is lost anyway. If both routers are identical and both can host the same VPN clients, just have your remote users connect to a subdomain by name instead of a router's public IP (i.e. outsideaccess.yourdomain.com) and you add a couple A records:

A 10 outsideaccess.yourdomain.com 192.168.1.1
A 20 192.168.1.5

Now if the one connection fails even your VPN users will automatically reconnect to the spare...

If you are trying this for bandwidth allocation you must buy a single router that hosts multiple WAN connections (or DSL bonding.)

Alex
 
Thanks Alex, that goes some way towards helping but I feel I may have misled you a little.

The origin of the problem I'm trying to solve/improve is that currently the 4 external branches connect via vpn into the router with private IP 192.168.1.1 and they are experiencing unacceptable delays from what I assume is a bottleneck as the router deals with standard web browsing from our main site and the incoming and outgoing mail.

What I was hoping to be able to achieve is specifically routing the VPN traffic via the one router and having all other traffic route via the second in an effort to free up bandwidth for the VPN traffic.

I thought it may be possible to set up 192.168.1.5 as the default gateway and then possibly add in four extra entries for the other networks to specifically point at the other router. In theory there shouldn't be any problem with packets being dropped as they will be going out on the same route they came in.

Now partially answering my own question am I correct in assuming that ISA always uses the default gateway set for the NIC cards in the server? And if that is the case where would I put the 4 extra entries pointing any traffic destined for the other networks to the router 192.168.1.1?

I hope that's a little clearer as I'm beginning to confuse myself!!

Duncan
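The idea in the post above (default gateway on 192.168.1.5, four static routes for the branch subnets pointing at 192.168.1.1) and Alex's earlier warning about replies leaving by a different router than the one the request arrived on can both be checked with a small longest-prefix-match model. The following is an added example, not code from the thread or from any of the products mentioned; the server address 192.168.1.10 and the remote host addresses are constructed, and the `route -p add` strings are the standard Windows `route` command syntax for persistent static routes.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None means directly connected (on-link)
    metric: int = 1

# Addresses from the thread; the server address is an assumption for the example.
SERVER_IP = ipaddress.IPv4Address("192.168.1.10")
VPN_ROUTER = ipaddress.IPv4Address("192.168.1.1")      # carries branch VPN traffic
INTERNET_ROUTER = ipaddress.IPv4Address("192.168.1.5") # default gateway: web + mail
BRANCH_NETS = [ipaddress.IPv4Network(f"192.168.{n}.0/24") for n in (2, 3, 4, 5)]

def build_table() -> List[Route]:
    """Default gateway on 192.168.1.5 plus one static route per branch via 192.168.1.1."""
    table = [
        Route(ipaddress.IPv4Network("192.168.1.0/24"), None),          # local LAN, on-link
        Route(ipaddress.IPv4Network("0.0.0.0/0"), INTERNET_ROUTER),    # everything else
    ]
    table += [Route(net, VPN_ROUTER) for net in BRANCH_NETS]
    return table

def next_hop(table: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match: the most specific route wins, lowest metric breaks ties.
    Returns the gateway address, or the destination itself when it is on-link."""
    target = ipaddress.IPv4Address(dst)
    matches = [r for r in table if target in r.prefix]
    if not matches:
        return None
    best = max(matches, key=lambda r: (r.prefix.prefixlen, -r.metric))
    return str(best.gateway if best.gateway is not None else target)

def reply_path_ok(table: List[Route], remote: str, ingress_router: str) -> bool:
    """Alex's point: a request that arrived through one router must be answered
    through the same router, otherwise the far end sees the answer come from a
    different public IP and discards it. True when the reply's next hop matches."""
    return next_hop(table, remote) == ingress_router

def to_windows_route_commands(table: List[Route]) -> List[str]:
    """Render the static (non-default, non-on-link) entries as persistent
    Windows 'route -p add' commands for the server's own routing table."""
    cmds = []
    for r in table:
        if r.gateway is None or r.prefix.prefixlen == 0:
            continue
        cmds.append(f"route -p add {r.prefix.network_address} mask "
                    f"{r.prefix.netmask} {r.gateway}")
    return cmds

if __name__ == "__main__":
    t = build_table()
    for dst in ("192.168.3.20", "203.0.113.7", "192.168.1.1"):
        print(f"{dst:>14} -> next hop {next_hop(t, dst)}")
    # A branch host that came in over the VPN router is answered via the same router.
    print("branch reply symmetric:", reply_path_ok(t, "192.168.3.20", "192.168.1.1"))
    # An Internet host whose SMTP session arrived via 192.168.1.1 would be answered
    # via 192.168.1.5, which is exactly the dropped-reply case Alex described.
    print("internet reply via .1 symmetric:", reply_path_ok(t, "203.0.113.7", "192.168.1.1"))
    print("\n".join(to_windows_route_commands(t)))
```

The model shows why the static-route plan only works if the inbound side is split the same way: branch subnets are matched by their /24 routes and go out through 192.168.1.1 in both directions, while anything that still arrives from the Internet via 192.168.1.1 (say, inbound mail before the MX record is moved) gets its reply sent via the default gateway 192.168.1.5 and is lost.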
 
Every communication (to those not in your subnet) always uses the default gateway set (in order.)

Since they use the gateways in order, and only change when one stops acking their requests, you must have other equipment to route traffic destined for the other networks elsewhere than 192.168.1.1.

ISA is hosting the four VPN connections, right? So the only place the server knows to route to is the default gateway (unless the destination is on the NIC subnet.)

Try this, add a third NIC to the server (I think ISA requires two right?) You will have three private IP ranges now (Inside 192.168.1.X for your LAN, Wan One 192.168.2.X to DSL ONE, Wan Two 192.168.3.X to DSL TWO.) The DSL routers change to 192.168.2.1 and 192.168.3.1. The server is always IP ending in 10. Like this:
192.168.1.10, default gateway = 127.0.0.1
192.168.2.10, default gateway = 192.168.2.1
192.168.3.10, default gateway = 192.168.3.1

ISA can handle the NAT, so any traffic from one NIC is going to go back to the same NIC. Other computers on the internal network can still NAT through ISA as you decide.

Alex
 