Old 08-27-2009, 08:21 AM   #1 (permalink)
Registered User
 
Join Date: Oct 2008
Posts: 6
OS: Vista SP1


Default route and static persistent route

I have a Dell PowerEdge server with SBS 2003 hosting Microsoft Exchange 2003 for one of my clients.

There are 2 NIC's in this server, one with a Public Facing IP, which also has the default gateway; one with a private IP (192.168.219.250) with no gateway defined.

This server plugs into a managed Cisco switch with its own IP address, then there is a SecureWorks bridge device in place that monitors all incoming and outgoing traffic to the network, followed by a Sonicwall TZ190 router which tunnels via VPN to a branch office that has an IP range of 192.168.220.0/24.

With no gateway on the private IP side, I can ping the sonicwall and all IP's on the local network from the server, and all PC's on the network can ping the server. But, the sonicwall cannot ping the server, which also means my VPN clients cannot ping the server.

If I disable the public interface and give the server the default gateway of the sonicwall, the sonicwall can ping the server, and remote office clients can ping the server.

So what route do I need to add to be able to keep the public gateway as the default gateway but maintain connectivity to my outside office and soft VPN clients?

I have tried "route add 192.168.219.0 MASK 255.255.255.0 192.168.219.99" but it doesn't work. I'm at the end of my rope and the CEO is pissed because he can't access Exchange over VPN and the remote office can't access it without using Outlook Anywhere/HTTP over RPC.

Please help!
WarlockLord is offline  
Old 08-31-2009, 08:04 PM   #2 (permalink)
Registered User
 
Join Date: Jul 2009
Location: Largo, FL, USA
Posts: 389
OS: XPP, Linux, 2003, Cisco


Re: Default route and static persistent route

I suspect it's about the route metrics. And you're using the Sonicwall, not Routing and Remote Access, right? Why no default gateway on Private LAN? You want it to route all unknown routes out the public interface? Or have you set up static routing that encompasses all private IP space subnets? Eww, 4 day old post. I hope you already found an answer elsewhere. If not, post your complete SBS2003 routing table.

Last edited by Suncoast; 08-31-2009 at 08:10 PM.
Suncoast is offline  
Old 09-01-2009, 07:54 AM   #3 (permalink)
Registered User
 
Join Date: Oct 2008
Posts: 6
OS: Vista SP1


Re: Default route and static persistent route

Yes using sonicwall for routing and not routing & remote access.

Here is my routing table:


IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 22 19 51 d3 2b ...... Broadcom BCM5708C NetXtreme II GigE (NDIS VBD Client)
0x10004 ...00 22 19 51 d3 2d ...... Broadcom BCM5708C NetXtreme II GigE (NDIS VBD Client) #2
===========================================================================
===========================================================================
Active Routes:
Network Destination  Netmask          Gateway          Interface        Metric
0.0.0.0              0.0.0.0          99.26.234.62     99.26.234.57     20
0.0.0.0              0.0.0.0          192.168.219.99   192.168.219.250  25
99.26.234.56         255.255.255.248  99.26.234.57     99.26.234.57     20
99.26.234.57         255.255.255.255  127.0.0.1        127.0.0.1        20
99.255.255.255       255.255.255.255  99.26.234.57     99.26.234.57     20
127.0.0.0            255.0.0.0        127.0.0.1        127.0.0.1        1
192.168.219.0        255.255.255.0    192.168.219.99   192.168.219.250  1
192.168.219.250      255.255.255.255  127.0.0.1        127.0.0.1        10
192.168.219.255      255.255.255.255  192.168.219.250  192.168.219.250  10
224.0.0.0            240.0.0.0        99.26.234.57     99.26.234.57     20
224.0.0.0            240.0.0.0        192.168.219.250  192.168.219.250  10
255.255.255.255      255.255.255.255  99.26.234.57     99.26.234.57     1
255.255.255.255      255.255.255.255  192.168.219.250  192.168.219.250  1
Default Gateway: 99.26.234.62
===========================================================================
Persistent Routes:
None
WarlockLord is offline  
Old 09-01-2009, 01:26 PM   #4 (permalink)
Registered User
 
Join Date: Jul 2009
Location: Largo, FL, USA
Posts: 389
OS: XPP, Linux, 2003, Cisco


Re: Default route and static persistent route

Edit: I'm removing that original message, as I see Windows adds that for some reason.

Please send me your real routing table if this isn't it by Private Message, so I can compare when I look at this. (See top right corner of your screen.) I will not post the real info. Just to be safe, please also give me a list of the important IP addresses including the private IP of the Sonic, and the Network and Subnet mask for the remote network.

I think I see what is happening, but I need the additional information to be sure.

Last edited by Suncoast; 09-01-2009 at 01:35 PM.
Suncoast is offline  
Old 09-01-2009, 08:57 PM   #5 (permalink)
Registered User
 
Join Date: Jul 2009
Location: Largo, FL, USA
Posts: 389
OS: XPP, Linux, 2003, Cisco


Re: Default route and static persistent route

Well, before I forget... This is a start.

Code:
route add 192.168.220.0 MASK 255.255.255.0 SONIC_GW_IP_HERE METRIC 5 IF 0x10003
I don't know which interface is facing the private network, 10003 or 10004.

To make the route permanent, you have to delete then add the route with the -p flag,

route delete (Same as above)
route -p add (same as above)

And it should stay in the routing table until you delete it again.
Suncoast is offline  
Old 09-02-2009, 07:12 AM   #6 (permalink)
Registered User
 
Join Date: Oct 2008
Posts: 6
OS: Vista SP1


Re: Default route and static persistent route

Yeah but routing to 192.168.220.0/24 is not the problem. The problem is when a soft-vpn connects, it receives an IP address of 192.168.219.x where X is defined by a dhcp server. The exchange server can ping the IP of the soft VPN nic, but the soft vpn client cannot ping the exchange server.

If I assign a default G/W of 192.168.219.99 and disable public facing IP, I can ping and connect both ways.
WarlockLord is offline  
Old 09-02-2009, 07:38 AM   #7 (permalink)
Registered User
 
Join Date: Jul 2009
Location: Largo, FL, USA
Posts: 389
OS: XPP, Linux, 2003, Cisco


Re: Default route and static persistent route

So, this is remote access type VPN, such as connecting a laptop from a Hot-Spot. Not a virtual Network to Network WAN link over VPN? (I'm not familiar with the term "Soft" VPN.)

And I don't know where the "soft vpn" nic is. Is this the client PC?

Last edited by Suncoast; 09-02-2009 at 07:42 AM.
Suncoast is offline  
Old 09-02-2009, 08:48 AM   #8 (permalink)
Registered User
 
Join Date: Jul 2009
Location: Largo, FL, USA
Posts: 389
OS: XPP, Linux, 2003, Cisco


Re: Default route and static persistent route

Ok, I'm back. (Coffee is good.) In response to your point about disabling the Public IP Interface, the only relevant route change you're making is forcing this route to become default:

0.0.0.0 0.0.0.0 192.168.219.99 192.168.219.250 25

This is forcing the device at 192.168.219.99 to make routing decisions for unknown networks rather than the public facing interface. All other routes are already at a lower metric, or higher priority so no changes are being made anywhere else.

Try loading Wireshark on the SBS2003, monitor the Public Interface, and have the remote connection attempt a connect. See if any private IP traffic is attempting to leave the Public Interface. I'm thinking you'll see traffic going out the Public Interface with a private IP destination other than 192.168.219.0/24.
Suncoast is offline  
Old 09-03-2009, 07:46 AM   #9 (permalink)
Registered User
 
Join Date: Oct 2008
Posts: 6
OS: Vista SP1


Re: Default route and static persistent route

Quote:
Originally Posted by Suncoast
So, this is remote access type VPN, such as connecting a laptop from a Hot-Spot. Not a virtual Network to Network WAN link over VPN? (I'm not familiar with the term "Soft" VPN.)

And I don't know where the "soft vpn" nic is. Is this the client PC?
There is a site to site VPN in place (remote network uses 192.168.220.0/24) and a remote access vpn which shares the 192.168.219.0/24 network.

I can fix not being able to talk to 220 by the route add statement you suggested, but this does not fix remote access VPN clients.

When I say soft VPN, the VPN client I am using installs a virtual NIC on the client PC and that gets assigned the 219.0/24 IP address.

The sonicwall has its own public facing IP (actually it's a totally separate DSL line), so if I set the def G/W to 219.99 it is going to route all unknown traffic out through THAT DSL line, and that's not going to work. I need to have public traffic route the exchange server's secondary NIC.

Maybe we could talk through IM or something next time you're on? Might make this process a little easier.
WarlockLord is offline  
Old 09-03-2009, 12:42 PM   #10 (permalink)
Registered User
 
Join Date: Jul 2009
Location: Largo, FL, USA
Posts: 389
OS: XPP, Linux, 2003, Cisco


Re: Default route and static persistent route

Quote:
The sonicwall has its own public facing IP (actually it's a totally separate DSL line), so if I set the def G/W to 219.99 it is going to route all unknown traffic out through THAT DSL line, and that's not going to work. I need to have public traffic route the exchange server's secondary NIC.

I agree. I'm just making this point: when you made the test referred to earlier, the only applicable route changed is kicking in the private net default route. So there has to be an issue there. That's why I'm wondering if the packets coming through the soft VPN are sourcing from an IP other than subnet 192.168.219.0/24. We could prove/disprove this by expanding the private net default route from 192.168.219.0/24 to say 192.168.0.0/16, but then it could be sourcing from 172.16.0.0/12 or 10.0.0.0/8. That's why I suggested running Wireshark to see what's actually coming through.

Quote:
With no gateway on the private IP side, I can ping the sonicwall and all IP's on the local network from the server, and all PC's on the network can ping the server. But, the sonicwall cannot ping the server, which also means my VPN clients cannot ping the server.

Well, you do have Gateways set up on the Private side. However none of them are the Default gateway. But then we have the issue of these one sided pings. Have you looked at the Sonicwall's routing table while a soft VPN is connected?

I originally ignored this, because I thought it inert. Now I'm not so sure. Why was this route changed? This is pushing all traffic for all local network 192.168.219.0/24 traffic through the Sonicwall interface.

Code:
192.168.219.0    255.255.255.0    192.168.219.99    192.168.219.250    1
Assuming a classful network, it would originally have been
Code:
192.168.219.0   255.255.255.0     192.168.219.250   192.168.219.250    20
But you would want a 10 metric instead.

And you can change your subscription to this thread to be notified whenever someone replies. At the top of this thread, click Thread Tools, then Subscribe to this thread, and change the notification from daily to instant and save.
Suncoast is offline  
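
The route selection discussed in posts #8 and #10, worked through as an added example that is not part of any poster's message: it applies longest-prefix-then-lowest-metric selection to the unicast routes from the table posted in #3, then reports private destinations that would leave through the public interface and on-link subnets that point at a separate gateway. The function names are hypothetical, and the model covers destination-based selection only, not everything the Windows stack does.

```python
import ipaddress

# Unicast routes copied from the routing table posted in this thread:
# (destination, netmask, gateway, interface, metric)
ROUTES = [
    ("0.0.0.0", "0.0.0.0", "99.26.234.62", "99.26.234.57", 20),
    ("0.0.0.0", "0.0.0.0", "192.168.219.99", "192.168.219.250", 25),
    ("99.26.234.56", "255.255.255.248", "99.26.234.57", "99.26.234.57", 20),
    ("192.168.219.0", "255.255.255.0", "192.168.219.99", "192.168.219.250", 1),
]

def _net(dest, mask):
    return ipaddress.ip_network(f"{dest}/{mask}")

def lookup(dst, routes=ROUTES):
    """Route chosen for dst: longest matching prefix first, then lowest metric."""
    ip = ipaddress.ip_address(dst)
    hits = [r for r in routes if ip in _net(r[0], r[1])]
    if not hits:
        return None
    return max(hits, key=lambda r: (_net(r[0], r[1]).prefixlen, -r[4]))

def private_leaks(dsts, routes=ROUTES):
    """Private destinations whose chosen route egresses a non-private interface."""
    leaks = []
    for d in dsts:
        r = lookup(d, routes)
        if (r and ipaddress.ip_address(d).is_private
                and not ipaddress.ip_address(r[3]).is_private):
            leaks.append((d, r[3]))
    return leaks

def gatewayed_onlink(routes=ROUTES):
    """Subnet routes that contain their own interface address yet use another gateway."""
    out = []
    for dest, mask, gw, iface, _metric in routes:
        net = _net(dest, mask)
        if (net.prefixlen not in (0, 32)
                and ipaddress.ip_address(iface) in net and gw != iface):
            out.append((str(net), gw))
    return out

if __name__ == "__main__":
    # Constructed sample destinations: a branch-office host, a VPN client, another private net
    print(private_leaks(["192.168.220.10", "192.168.219.37", "10.1.2.3"]))
    print(gatewayed_onlink())
```

Traffic to 192.168.220.0/24 matches only the two default routes, so the metric 20 route wins and it leaves through the public NIC, which is the case the Wireshark capture suggested in post #8 would show.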
Old 09-04-2009, 07:18 AM   #11 (permalink)
Registered User
 
Join Date: Oct 2008
Posts: 6
OS: Vista SP1


Re: Default route and static persistent route

I'm starting to think my problem may be in the managed switch. My server was originally plugged into the switch and that was the scenario. If I plug the server directly into the sonicwall, the sonicwall and VPN clients can talk to it, but nothing plugged into the managed switch can. So something's not right somewhere...
WarlockLord is offline  
Old 09-04-2009, 09:38 AM   #12 (permalink)
Registered User
 
Join Date: Jul 2009
Location: Largo, FL, USA
Posts: 389
OS: XPP, Linux, 2003, Cisco


Re: Default route and static persistent route

It's not the switch.

Edit: Unless it's a Switch plus something, such as a Firewall. Or it has a Router card and VLAN's. Otherwise, the reason that works is you're not relying on arp to make switching decisions.

Last edited by Suncoast; 09-04-2009 at 09:49 AM.
Suncoast is offline  