Routing based on source address in Windows Server 2008 R2

routingwindows-server-2008-r2

I'm implementing a direct routing load balanced solution using Windows Server 2008 R2 as back-end server. I've configured a loopback interface with the external IP address. This works, I am receiving packets with the external IP address and respond to them appropriately. However our infrastructure requires that traffic which is being load-balanced should go through a different gateway then any other traffic originating from the server, ie. updates etc. So basicly I need to route packets based on source address (external IP) to another gateway. The built-in Windows 'route' command allows routing based on destination address only. I've tried setting a default gateway on the loopback interface and mangled with weak/strong host send/receive parameters on the interfaces, however this didn't work.

Is there any way around this, possibly using third party tools?

Best Answer

A somewhat kludgy solution to this would be to have a router/VM running like something DDWRT/OpenWRT in front of the Windows box to achieve the re-routing/mangling. Although, I haven't used this yet, this project also looks somehwat promising, http://wipfw.sourceforge.net/doc.html It almost looks like iptables for Windows?

Related Solutions

Cisco – Source-based routing on Cisco 3750 switch

If you want to direct or tag the traffic originating from the switch or router (will work on IPBASE) I'm guessing you already succeeded but if not.

conf t

access-list 1 any

route-map pbr permit 10

 match ip address 1

 set ip next-hop 3.3.3.3

exit

ip local policy route-map pbr

end

wr

Note that ip local policy is specified in global configuration, not under an interface. And you might want to have a more detailed ACL

This is only for traffic that originates from the device, not traffic that passes through it.

Linux port-based routing using iptables/ip route

"LINUX" is telling "WORKSTATION" to use "GATEWAY" instead of itself because they appear to be on the same subnet. This can only work if you've set up bridging on "LINUX" (see brctl(8)), and if you did then "WORKSTATION" should use "GATEWAY" in its default route.

Make sure you use a subnet per broadcast domain, broadcast packets are never routed so you need a different subnet on all 3 interfaces of "LINUX" (you could use /30s but I recommend sticking to /24s for growth). or have it bridge them. You should probably also configure a separate subnet for the VPN itself.

Next, add the VPN subnet to the VPN table, e.g.:

ip route add 192.168.150.0/24 dev tun0 scope link table VPN proto static

In order to use this table, add a routing rule like so:

ip rule add fwmark 1 lookup VPN priority 500

And see if you can route packets via both "VPN" and "GATEWAY" before you add any fwmark rules, just in case.

And I don't think disabling the reverse path filter is beneficial.

Best Answer

Related Solutions

Cisco – Source-based routing on Cisco 3750 switch

Linux port-based routing using iptables/ip route

Related Topic