Windows – Force Windows Local Subnet Traffic through a Gateway

Tags: gateway, networking, routing, subnet, windows

We are attempting to route all traffic from a certain machine to a gateway. This works OK for traffic destined for subnets outside the machine's subnet. However, traffic to machines in the same subnet as the source machine goes through an On-link gateway in Windows. This means that the default gateway is ignored, and traffic within the subnet (for example, 192.168.50.10 -> 192.168.50.11) flows directly.

Destination     Netmask          Gateway    Interface        Metric
192.168.50.0    255.255.255.0    On-link    192.168.50.214   276
  1. This route can be deleted from Windows, but when the machine is rebooted it always comes back.
  2. Adding a persistent static route to the gateway with a lower metric doesn't work, since it will still try the On-link gateway after the persistent route fails.
  3. Adding each machine to a VLAN isn't an option due to the setup we have.
  4. Adding a startup script to delete the gateway isn't a great option either, since users will have full admin access to the machine and might disable the script.
  5. We cannot transparently intercept all network traffic on the subnet using gratuitous ARPs or transparent proxying, since there are other machines on the subnet which use a different gateway.

The only way we have gotten it to work is by adding a persistent route to the gateway for the subnet traffic, and deleting the On-link route on reboot.

The question is then:

  1. Is there a way to permanently remove this On-link route?
  2. If not, is there a way to otherwise force even local subnet traffic to go through a gateway?
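As an added example (not part of the question, and not a recommendation from the asker), the PowerShell below carries out the workaround the asker describes: it drops the automatic On-link route for the connected subnet, installs a persistent route for that subnet via the gateway, and then uses Find-NetRoute to show which route Windows actually selects for a same-subnet peer. The gateway address 192.168.50.1, the peer 192.168.50.11 and the explicit /32 on-link route for the gateway are assumptions added here; the question does not state them.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Reproduces the asker's workaround:
# remove Windows' automatic On-link route for the connected subnet and replace it
# with a persistent route via the gateway. Addresses are assumptions based on the
# 192.168.50.0/24 example in the question.
$Subnet   = '192.168.50.0/24'
$Gateway  = '192.168.50.1'     # assumed gateway address (not given in the question)
$TestPeer = '192.168.50.11'    # same-subnet peer used to check route selection

# Locate the interface that owns the connected subnet.
$addr = Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { $_.IPAddress -like '192.168.50.*' -and $_.PrefixLength -eq 24 } |
        Select-Object -First 1
if (-not $addr) { throw "No interface with an address in $Subnet" }
$ifIndex = $addr.InterfaceIndex

# 1. Show how the peer is reached today. Expect the On-link route (NextHop 0.0.0.0).
Write-Host "Route selected for $TestPeer before the change:"
Find-NetRoute -RemoteIPAddress $TestPeer |
    Where-Object { $_.DestinationPrefix } |
    Format-Table DestinationPrefix, NextHop, InterfaceIndex, RouteMetric -AutoSize

# 2. Remove the automatic On-link route for the subnet from the active table.
#    Windows re-creates this route whenever the address is (re)applied, e.g. at
#    reboot, which is why the asker has to repeat this step on every boot.
Get-NetRoute -DestinationPrefix $Subnet -InterfaceIndex $ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Where-Object { $_.NextHop -eq '0.0.0.0' } |
    Remove-NetRoute -Confirm:$false

# 3. Keep the gateway itself directly reachable with an explicit on-link host route.
#    (Safeguard added in this example; the question does not mention it.)
New-NetRoute -DestinationPrefix "$Gateway/32" -InterfaceIndex $ifIndex -NextHop 0.0.0.0 `
             -PolicyStore PersistentStore -ErrorAction SilentlyContinue | Out-Null

# 4. Persistent route for the whole connected subnet via the gateway.
New-NetRoute -DestinationPrefix $Subnet -InterfaceIndex $ifIndex -NextHop $Gateway `
             -RouteMetric 1 -PolicyStore PersistentStore -ErrorAction SilentlyContinue | Out-Null

# 5. Verify: the route chosen for the peer should now have NextHop = $Gateway.
Write-Host "Route selected for $TestPeer after the change:"
$chosen = Find-NetRoute -RemoteIPAddress $TestPeer | Where-Object { $_.DestinationPrefix }
$chosen | Format-Table DestinationPrefix, NextHop, InterfaceIndex, RouteMetric -AutoSize
if ($chosen.NextHop -ne $Gateway) {
    Write-Warning "Traffic to $TestPeer still bypasses $Gateway (NextHop $($chosen.NextHop))"
}
```

Run it from an elevated prompt. `Get-NetRoute -PolicyStore PersistentStore` lists what will be re-applied at boot; the On-link removal in step 2 is not persistent, which matches the asker's observation that the route returns after a reboot and has to be deleted again.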

Best Answer

There's a difference between forcing traffic through a gateway and preventing devices from seeing each other on a subnet. I think what you're trying to do is the latter, probably because you want to host servers for multiple external customers. You're looking in the wrong place if you're editing the routing table to achieve this goal.

My recommendation would be to handle this at the switch using ACLs. What specifically you can block/allow will depend on your switch's capabilities. Another alternative is to block ARP broadcasts and then set static ARP entries for the default gateway. (Technically, someone could still add more static entries to talk to other devices.)

Also, keep in mind that unless the gateway is set to block traffic from or to that segment, it will happily route traffic right back into the same network.
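As an added example, not written by the answerer, the PowerShell below shows the host-side half of the "block ARP broadcasts, then set static ARP entries for the default gateway" option: it learns the gateway's MAC from the current neighbor cache, pins it as a permanent neighbor entry, and then lists every permanent entry on the interface so that extra static entries of the kind the answer warns about are visible. The switch-side ARP filtering is vendor-specific and is not shown. The gateway address 192.168.50.1 is an assumption.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the answer's author. Pins the default gateway's MAC as a
# permanent (static) ARP entry on Windows and audits the interface for other
# permanent entries. Gateway address is an assumption.
$Gateway = '192.168.50.1'

# Find the interface whose default route points at this gateway.
$defaultRoute = Get-NetRoute -DestinationPrefix '0.0.0.0/0' -AddressFamily IPv4 |
                Where-Object { $_.NextHop -eq $Gateway } |
                Select-Object -First 1
if (-not $defaultRoute) { throw "No default route via $Gateway" }
$ifIndex = $defaultRoute.InterfaceIndex

# Learn the gateway's MAC from the neighbor cache. Reach out once so the entry is
# populated, then read it back. Ideally the MAC is confirmed out of band (e.g. from
# the router's own configuration) before pinning it, since this step trusts the
# current cache contents.
Test-Connection -ComputerName $Gateway -Count 1 -Quiet | Out-Null
$dyn = Get-NetNeighbor -InterfaceIndex $ifIndex -IPAddress $Gateway -AddressFamily IPv4 -ErrorAction SilentlyContinue
if (-not $dyn -or $dyn.LinkLayerAddress -in @('', '00-00-00-00-00-00')) {
    throw "Could not resolve a MAC for $Gateway; pin a verified MAC manually instead."
}
$mac = $dyn.LinkLayerAddress
Write-Host "Gateway $Gateway currently resolves to $mac (state: $($dyn.State))"

# Replace the dynamic entry with a permanent one. Permanent entries do not expire
# and are not updated by incoming ARP replies.
if ($dyn.State -ne 'Permanent') {
    Remove-NetNeighbor -InterfaceIndex $ifIndex -IPAddress $Gateway -Confirm:$false
    New-NetNeighbor -InterfaceIndex $ifIndex -IPAddress $Gateway -LinkLayerAddress $mac `
                    -State Permanent -AddressFamily IPv4 | Out-Null
}

# Audit: list every permanent IPv4 neighbor on this interface. With ARP broadcasts
# blocked at the switch, any entry other than the gateway is a host someone pinned
# by hand to reach a peer directly, which is the gap the answer points out.
$permanent = Get-NetNeighbor -InterfaceIndex $ifIndex -AddressFamily IPv4 -State Permanent
$permanent | Format-Table IPAddress, LinkLayerAddress, State -AutoSize
$extra = $permanent | Where-Object { $_.IPAddress -ne $Gateway }
if ($extra) {
    Write-Warning ("Unexpected permanent neighbor entries: " + ($extra.IPAddress -join ', '))
}
```

Pinning the gateway on the host only stops the host from learning other peers' MACs via ARP; it does nothing about the gateway forwarding traffic straight back into the same segment, which has to be filtered on the gateway or the switch as the answer notes.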
