Networking Forums

2 WAN + 1 LAN on 1 box

 
 
1388-2/HB
02-20-2007, 07:47 PM
I have a 2003 server acting as a webserver. It has 3 nics in it:

WAN #1: 72.18.243.A / 255.255.255.248

WAN #2: 72.18.243.B / 255.255.255.248

LAN: 172.16.2.C / 255.255.255.0

IIS6 is running 2 websites. Website A is listening on WAN .A, and website B
is listening on WAN .B. The LAN nic does not run a website.

Here's what I think I know, stop me where I'm wrong:

I should not assign a default gateway to the LAN nic while either WAN nic
also has a default gateway assigned, because default gateways on different
subnets are "bad".

If I create a 0.0.0.0 route of last resort in RRAS that routes through WAN
.A, requests for WAN .B will appear to come from WAN .A which is erroneous,
and vice versa if 0.0.0.0 routes through WAN .B. A request sent to WAN .B
needs to be returned by WAN .B and a request sent to WAN .A needs to be
returned by WAN .A.

I can assign default gateways to my WAN nics .A and .B because they're on
the same subnet. They both have the same gateway.

Because I cannot assign a default gateway to LAN once a default gateway has
been assigned to WAN, I can create a 172.16.2.0 route in RRAS that routes
local traffic through the LAN nic.

So this is how I configure TCP on each nic:

WAN #1: 72.18.243.A / 255.255.255.248
default gateway 72.18.243.G

WAN #2: 72.18.243.B / 255.255.255.248
default gateway 72.18.243.G

LAN: 172.16.2.C / 255.255.255.0
[no default gateway]

And then in RRAS, one static route is created:
172.16.2.0 / 255.255.255.0
routes to 172.16.2.G via LAN nic 172.16.2.C

The problem is that when I set this up, everything works fine for an
arbitrary period of time (say a week) before the server will spontaneously
decide it doesn't want to route packets over either of its WAN interfaces
anymore. From the WAN side of the network, I can no longer ping either WAN
nic .A or .B (and I can't visit the website either). However, during this
time of WAN routing failure I can ping and visit the website from the LAN
side of the server. IIS remains functional and as far as I can tell this is
a routing problem.

This is driving me nuts, what am I doing wrong? I don't know how else to
configure this box.


 
Phillip Windell
02-20-2007, 08:14 PM

"1388-2/HB" <(E-Mail Removed)> wrote in message
news:P7JCh.15982$(E-Mail Removed) et...
>I have a 2003 server acting as a webserver. It has 3 nics in it:
>
> WAN #1: 72.18.243.A / 255.255.255.248
>
> WAN #2: 72.18.243.B / 255.255.255.248
>
> LAN: 172.16.2.C / 255.255.255.0
>
> IIS6 is running 2 websites. Website A is listening on WAN .A, and website B
> is listening on WAN .B. The LAN nic does not run a website.
>
> Here's what I think I know, stop me where I'm wrong:
>
> I should not assign a default gateway to the LAN nic while either WAN nic also
> has a default gateway assigned, because default gateways on different subnets
> are "bad".
>
> If I create a 0.0.0.0 route of last resort in RRAS that routes through WAN .A,
> requests for WAN .B will appear to come from WAN .A which is erroneous,


Traffic doesn't come from a "network",...traffic comes from a *Host*.
The host is identified by the IP# of the network representing the network that
the nic belongs to based on the nic that the traffic left on. The Nic the
traffic leaves on is determined by the routing table based on the route that is
calculated to be the proper route to the destination.

> I can assign default gateways to my WAN nics .A and .B because they're on the
> same subnet. They both have the same gateway.


You can't have two nics on the same subnet.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

The views expressed (as annoying as they are, and as stupid as they sound), are
my own and not those of my employer, or Microsoft, or anyone else associated
with me, including my cats.
-----------------------------------------------------


 
Bill Grant
02-20-2007, 09:44 PM
You can only have one default gateway per machine, not one per interface.
Put both IPs on one NIC. Set the default gateway on it. Leave the default
gateway on the LAN NIC blank.

 
1388-2/HB
02-20-2007, 10:02 PM

"Phillip Windell" <@.> wrote in message
news:(E-Mail Removed)...
>
> Traffic doesn't come from a "network",...traffic comes from a *Host*.


Ok, I think I see the problem. You can't have 2 nics on a subnet because
routing becomes ambiguous. I have a default gateway, but, which nic should
it use to reply with? I guess Windows arbitrarily chooses one of the nics to
be the host but this is not reliable.

What's the typical resolution to this? ISPs typically assign static IPs in
a block on the same subnet... what do people do, NAT the inbound traffic to
split it up onto different subnets or just host each IP on a separate box?


 
Phillip Windell
02-21-2007, 10:23 PM

"1388-2/HB" <(E-Mail Removed)> wrote in message
news:e6LCh.65137$(E-Mail Removed). net...
>
> "Phillip Windell" <@.> wrote in message
> news:(E-Mail Removed)...
>>
>> Traffic doesn't come from a "network",...traffic comes from a *Host*.

>
> Ok, I think I see the problem. You can't have 2 nics on a subnet because
> routing becomes ambiguous. I have a default gateway, but, which nic should it
> use to reply with?


Exactly.

> I guess Windows arbitrarily chooses one of the nics to be the host but this is
> not reliable.


It takes the first nic in the binding order (will also be the first listed in
the routing table),...but things can interfere with that and you get
unpredictable results.

> What's the typical resolution to this? ISPs typically assign static IPs in a
> block on the same subnet... what do people do, NAT the inbound traffic to
> split it up onto different subnets or just host each IP on a separate box?


Depends on exactly what you are doing. You can do a *lot* with just one IP# if
handled properly. The "Line Technology" also matters.

With T1 lines you have an Internet Router (a real router) at the end of the line
that "faces" the nic of your Firewall,...this creates a network segment between
those two devices where machines can be placed if you want them to run "outside"
of the LAN on public numbers. For the internal machines that need to be exposed
you bind multiple IP#s to the same nic on the firewall and Static-NAT (aka
Reverse-NAT) the traffic "backwards" into the LAN to the target machines so they
become associated with the Public IP# that is bound to the firewall nic when
using the Protocol (port#) when setting it up. The port# is basically treated as
a "traffic identifier" to be able to trigger the decision when the Static-NAT
occurs or does not occur.

With Home User Lines (xDSL, CableTV) you have a Broadband NAT Device which is
effectively still just a NAT based Firewall (commonly called "routers" but they
are *not* real routers). In the case of those you have to bind all of the IP#s
the ISP granted to the WAN interface of the box and then Static-NAT (aka
Reverse-NAT) the traffic "backwards" into the LAN to the target machines. These
home user devices often call this "Port Forwarding", but that is a nonsense
term,...there is no such thing as port forwarding,...the ports aren't going
anywhere and nothing is being done to them,...the ports are not even the true
focus of the action,..the IP#s are the focus of the action so Static-NAT (aka
Reverse-NAT) is the true accurate term for the action. It is primarily a Layer3
action but the ports are Layer4 Addresses, this is two different layers. There
is such a thing as Port Address Translation (PAT) but that is not what this is
either.

I do not think it is possible to connect multiple devices between the Broadband
device and the DSL/Cable Modem like you can do with the T1s between the Router
and Firewall. But I admit that I have never tried that.



 
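The route selection argued about in this thread, as an added example that is not code from the thread, from Windows or from RRAS: a small model of the routing table the original poster's three-NIC layout produces, beside Bill Grant's single-NIC layout, with ties between identical routes broken by table order the way Phillip describes binding order deciding it. The host octets (.A = .10, .B = .11, gateway .G = .9, LAN .C = .5) and the client address 203.0.113.7 are constructed placeholders; the original poster's RRAS route for 172.16.2.0/24 is modelled as the LAN NIC's connected route.

```python
"""Model of Windows-style route selection for the thread's layouts.
Added example, not code from the thread. Host octets are constructed:
.A = 72.18.243.10, .B = .11, gateway .G = .9, LAN host .C = 172.16.2.5."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Route:
    network: IPv4Network
    gateway: str        # "0.0.0.0" marks a directly connected (on-link) route
    interface: str      # NIC name: which NIC sends the reply is the question
    metric: int


def lookup(table, dst):
    """Pick the route for dst: longest prefix wins, then lowest metric, then
    the earliest table entry. Windows lists per-NIC routes in binding order,
    so that final tie-break is the "first nic in the binding order" rule."""
    dst = IPv4Address(dst)
    matches = [(pos, r) for pos, r in enumerate(table) if dst in r.network]
    if not matches:
        return None
    matches.sort(key=lambda m: (-m[1].network.prefixlen, m[1].metric, m[0]))
    return matches[0][1]


def three_nic_table(binding_order=("WAN1", "WAN2")):
    """The original poster's layout: two NICs on 72.18.243.8/29, both with
    default gateway 72.18.243.9, plus a LAN NIC with no gateway. Each WAN NIC
    contributes an identical default route and an identical on-link route."""
    table = [Route(IPv4Network("0.0.0.0/0"), "72.18.243.9", nic, 10)
             for nic in binding_order]
    table += [Route(IPv4Network("72.18.243.8/29"), "0.0.0.0", nic, 10)
              for nic in binding_order]
    table.append(Route(IPv4Network("172.16.2.0/24"), "0.0.0.0", "LAN", 10))
    return table


def one_nic_table():
    """Bill Grant's fix: both public addresses on a single NIC ("WAN"), one
    default gateway, LAN NIC left without one. Every destination now has
    exactly one best route."""
    return [
        Route(IPv4Network("0.0.0.0/0"), "72.18.243.9", "WAN", 10),
        Route(IPv4Network("72.18.243.8/29"), "0.0.0.0", "WAN", 10),
        Route(IPv4Network("172.16.2.0/24"), "0.0.0.0", "LAN", 10),
    ]


def reply_interface(table, client_ip):
    """NIC a reply to client_ip leaves on. Note the argument list: the address
    the request arrived at (.A or .B) plays no part in the choice."""
    route = lookup(table, client_ip)
    return route.interface if route else None


def ambiguous_routes(table):
    """Prefixes whose best route is tied between different NICs, i.e. where
    nothing but table (binding) order decides the outgoing NIC."""
    tied = set()
    for r in table:
        nics = {s.interface for s in table
                if s.network == r.network and s.metric == r.metric}
        if len(nics) > 1:
            tied.add(str(r.network))
    return sorted(tied)


if __name__ == "__main__":
    client = "203.0.113.7"   # constructed Internet client (TEST-NET-3)
    for order in (("WAN1", "WAN2"), ("WAN2", "WAN1")):
        t = three_nic_table(order)
        print(f"binding order {order}: reply to {client} leaves on "
              f"{reply_interface(t, client)}; tied prefixes {ambiguous_routes(t)}")
    t = one_nic_table()
    print(f"one NIC: reply leaves on {reply_interface(t, client)}; "
          f"tied prefixes {ambiguous_routes(t)}")
    print(f"LAN client: reply leaves on {reply_interface(t, '172.16.2.5')}")
```

Running it shows the point of the thread: with three NICs, replies to every Internet client leave on whichever WAN NIC happens to be first in the table, regardless of whether the request came in on .A or .B, and swapping the binding order swaps the NIC. With both addresses on one NIC there is no tie left to break.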
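The Static-NAT (reverse-NAT) arrangement Phillip describes, as an added example that is not code from the thread or from any firewall product: the firewall's WAN NIC holds both public addresses, an inbound packet's destination address plus port decides whether it is rewritten to an internal host, and replies are rewritten back so the client keeps seeing the public address it contacted. Only addresses are translated, never ports, matching his point that this is a Layer 3 action and not PAT. The public addresses 72.18.243.10/.11, the internal web hosts 172.16.2.20/.21 and the client 203.0.113.7 are constructed.

```python
"""Model of Static-NAT (reverse-NAT) on a firewall holding several public
addresses. Added example, not code from the thread. All addresses are
constructed: public 72.18.243.10/.11, internal 172.16.2.20/.21."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class StaticNat:
    """Destination address rewriting on the inbound path, source address
    rewriting on the reply path. The port is only the trigger that decides
    whether a rule applies; the IP addresses are what gets rewritten."""

    def __init__(self):
        # (public_ip, proto, port) -> internal_ip
        self.rules = {}
        # reply 5-tuple as the LAN host will send it -> public_ip to restore
        self.sessions = {}

    def publish(self, public_ip, proto, port, internal_ip):
        """Expose one (address, protocol, port) of one internal host.
        Anything not listed here is unreachable from outside."""
        self.rules[(public_ip, proto, port)] = internal_ip

    def inbound(self, pkt):
        """Packet arriving on the WAN NIC. Returns the rewritten packet, or
        None when no rule matches and the packet is dropped."""
        internal_ip = self.rules.get((pkt.dst_ip, pkt.proto, pkt.dst_port))
        if internal_ip is None:
            return None
        # Remember which public address this client talked to, keyed by the
        # reply the LAN host will produce (its source is the internal address).
        reply_key = (internal_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        self.sessions[reply_key] = pkt.dst_ip
        return replace(pkt, dst_ip=internal_ip)

    def outbound(self, pkt):
        """Reply from a LAN host heading out the WAN NIC. Restores the public
        address so the client sees the one it contacted. Returns None for
        traffic that is not a reply to a translated session."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        public_ip = self.sessions.get(key)
        if public_ip is None:
            return None
        return replace(pkt, src_ip=public_ip)


def build_firewall():
    """Two public addresses on the firewall's WAN NIC, one web host behind
    each, HTTP only: the two-website case from the thread, split onto two
    internal boxes (constructed layout)."""
    fw = StaticNat()
    fw.publish("72.18.243.10", "tcp", 80, "172.16.2.20")   # website A
    fw.publish("72.18.243.11", "tcp", 80, "172.16.2.21")   # website B
    return fw


if __name__ == "__main__":
    fw = build_firewall()
    req = Packet("203.0.113.7", 51000, "72.18.243.11", 80)   # constructed client
    inside = fw.inbound(req)
    print("inbound translated:", inside)
    reply = Packet(inside.dst_ip, inside.dst_port, inside.src_ip, inside.src_port)
    print("reply restored:", fw.outbound(reply))
    print("unpublished port:", fw.inbound(Packet("203.0.113.7", 51001, "72.18.243.10", 22)))
```

The `inbound` lookup is the "traffic identifier" decision from the reply above: a packet for a published address on an unpublished port matches no rule and is dropped, and a LAN host's reply is only rewritten when it belongs to a session the firewall created, so the public address a client sees on the way back is always the one it sent to.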