Windows – Accept incoming connection from a second gateway

Tags: gateway, nat, router, routing, windows

I searched a lot about the question, but I can't find a solution for my situation.

We've got a Windows 2003 server that runs Advantage Database Server (ADS), through which our site connects to our accounting system. The site connects to static IP 82.xxx.xxx.147, runs several queries and disconnects, and does this every 5 minutes. The server has 2 NICs – one is for the site (192.168.5.1), the other is for the local network (192.168.0.1). The server is connected to the internet via an ADSL modem/router (LAN IP 192.168.5.9), and the router's NAT is configured to forward port 45677 to the server.

Everything works fine, except for one thing – the internet connection is not stable enough.
So we got another ADSL connection with another IP address, 178.xxx.xxx.181, and also forwarded that port to the server. The second modem/router's LAN IP is 192.168.5.3.

Our site checks IP address 82.xxx.xxx.147 and, if it's not responding, tries the other IP, 178.xxx.xxx.181. But it doesn't connect. It looks like the server rejects connections from the second router.

I tried to add the second router's IP 192.168.5.9 as a second gateway in the advanced TCP/IP settings of the server's NIC. But it doesn't help.

I understand that it's something connected with routes, but I can't understand anything in those masks, metrics and gateway IPs. It's too tough for me.

I don't want the server to use either of the gateways for internet access (browser and other services). I just want it to receive incoming connections from both gateway IPs on a fixed port number. Is that possible?

Best Answer

Unless I have misunderstood your design, which I believe could be described with less ambiguity:

So your site has a really good internet connection. It connects to another place on the internet where your accounting is taken care of. This other place has two internet connections, one public address each, due to poor internet uptime. Both of these public addresses should be usable by your site to reach your accounting system on its local address. The accounting system has only one active default route which points to either but not both of its internet connection routers. It is unaware of the state of the routers.

You could either go with a redundant appliance configured as an HA pair with (for example) internal VRRP set to fail over on external link loss and dual WAN support, as stated in another answer.

Or perform source address rewriting (aka Source NAT or SNAT), whereby your server will perceive the client as a local address rather than a remote address. Therefore it will not use its default route to communicate with your site, but will reply to whichever of your SNATing router interfaces the traffic came from (either 192.168.5.3 or 192.168.5.9). This assumes that your routers are capable of doing SNAT on incoming connections.

If they can't, you could configure intermediary devices (one per router, with their default route pointing that way) which can. This technique is commonly used by load balancers in order to short-circuit the default route which the internal server(s) would otherwise use, instead of replying through the load balancer(s), which is what one commonly wants.

So if your routers aren't up to the task, you could get cheap load balancers or use free software (two solutions in one link) as intermediaries. Or use state-of-the-art stuff, but somehow this doesn't seem like that kind of scenario.
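The intermediary-with-SNAT approach from the answer above, written out as an nftables ruleset; this is an added example, not part of the original answer or of any product it mentions. It assumes one small Linux box per router, here the one behind the first router (192.168.5.9), with the assumed address 192.168.5.10 on the 192.168.5.0/24 segment, its own default route pointed at 192.168.5.9, and that router's port forward for 45677 aimed at the box instead of at the server; the box behind 192.168.5.3 gets the same ruleset with its own address substituted.

```nft
# Intermediary A (assumed address 192.168.5.10, single NIC eth0 on 192.168.5.0/24).
# Prerequisites on this box, outside nftables:
#   - net.ipv4.ip_forward = 1
#   - default route via 192.168.5.9 (router A), so replies to the site leave via router A
#   - router A's NAT forwards external TCP 45677 to 192.168.5.10 rather than to the server

table ip ads_intermediary {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;

        # Connections router A hands us for the ADS port: pass them on to the real server.
        # No port given after "dnat to", so the destination port 45677 is kept.
        iif "eth0" tcp dport 45677 dnat to 192.168.5.1
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;

        # Rewrite the source so the server sees a neighbour on its own subnet.
        # Its reply then goes straight back to 192.168.5.10 instead of out its
        # single default route; conntrack un-does both rewrites on the way back
        # and the reply leaves through router A, the path the request came in on.
        ip daddr 192.168.5.1 tcp dport 45677 snat to 192.168.5.10
    }
}
```

The cost of this trick is that the server's own logs show 192.168.5.10 (or the second box's address) as the client for every site connection, so any per-client filtering on the server itself has to move to the intermediaries or the routers.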