The Hapless Hack
Guest
I have a Windows Server 2016 with three active NICs (and some that are used for VMs, but they are not a problem). It is supposed to go like this:
ISP Router --> Firewall --> 192.168.10.1 --> Airplay/Automation NIC 192.168.10.14 Windows Server 2016
                        --> 192.168.1.1  --> WAN NIC 192.168.1.4 Windows Server 2016 --> RRAS NIC 192.168.0.1 internal net
The problem is that it doesn't go like that. The clients on the internal network, which use RRAS both to get to the Internet and to a few devices on the external network 192.168.1.x, are getting to the 192.168.10.x network as well, creating asymmetric routing. And I have no idea how and why that happens! The reason for having an extra network for Airplay/Automation is that the Server needs access to that, but the clients on the internal 0.x net should not under any circumstances have general access to it.
I have a static route in RRAS via the firewall to give access to the GUIs and VNC of the home automation devices (so the firewall only lets through the VNC port 5900 and two other ports), but from packet capture I can see that stuff goes out through the 192.168.10.4 NIC as well, creating asymmetric routing. Deactivating that removes all the problems, but that makes my home automation less bulletproof (the 10.x segment is running with all static IPs, so even if the firewall goes down for some reason it will still function and keep the heating, AV and lighting running).
First I tried keeping the 10.4 NIC totally out of RRAS, and that had this effect and created another, unexpected problem, because copying files from the Server's shares to clients on the internal 0.x segment almost stopped. When I added the 10.4 NIC to the IGMP pool and removed the tick by "Enable IGMP", that problem went away. But I still have the other problems. What confuses me is that in the routing table for RRAS I only see one route to the 10.1 network, and that's with 192.168.1.1 as the gateway, not 192.168.10.1.
Destination    Network mask     Gateway       Interface           Metric  Protocol
0.0.0.0        0.0.0.0          192.168.1.1   External net (WAN)  35      Network management
192.168.10.0   255.255.255.0    192.168.1.    External net (WAN)  1034    Static (non demand-dial)
On the local routing table of the Server I do see 192.168.10.1, but that's as expected, since the server itself is supposed to have access to that:
0.0.0.0        0.0.0.0          192.168.1.1   192.168.1.4   35
192.168.10.0   255.255.255.0    192.168.1.1   192.168.1.4   1034
192.168.10.0   255.255.255.0    On-link       192.168.10.4  512
192.168.10.4   255.255.255.255  On-link       192.168.10.4  512
192.168.10.255 255.255.255.255  On-link       192.168.10.4  512
(I have removed the routes not about the 10.x network on both, and only kept the default route.)
Can somebody please tell me why this happens, and how I can block the 10.4 NIC completely for RRAS clients?
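A diagnostic you can run on the RRAS server to see what is going on with the two 192.168.10.0/24 entries above. This is an added example, not code from the original post. The server keeps one IPv4 routing table that serves both its own traffic and every packet RRAS forwards for the 192.168.0.x clients; the "Static Routes" view in the RRAS console is only a filtered display of that table, which is why the on-link route via 192.168.10.4 does not show up there but still decides where forwarded packets go. Between two routes with the same prefix length, the stack picks the lowest effective metric (route metric + interface metric, the number `route print` shows), and 512 beats 1034. The script lists the candidate routes with their effective metric, asks the stack which route it actually selects, and shows which interfaces have IP forwarding enabled. Assumptions: it is run in an elevated PowerShell on the RRAS server itself, and 192.168.10.50 is an arbitrary host on the automation segment.

```powershell
# Added example, not from the original post. Diagnostic only: it changes nothing.
# Assumes it runs on the RRAS server; 192.168.10.50 is an arbitrary host on the
# 192.168.10.0/24 segment (any address in that /24 will do).

function Show-ForwardingPath {
    param(
        [Parameter(Mandatory)] [string] $RemoteIPAddress
    )

    # Interface metric keyed by ifIndex, so the effective metric that route
    # selection compares (RouteMetric + InterfaceMetric) can be computed.
    $ifMetric = @{}
    Get-NetIPInterface -AddressFamily IPv4 |
        ForEach-Object { $ifMetric[$_.ifIndex] = $_.InterfaceMetric }

    # Ask the stack which route it would use for this destination. Find-NetRoute
    # returns the source-address object and the chosen route; keep the route.
    $chosen = Find-NetRoute -RemoteIPAddress $RemoteIPAddress |
        Where-Object { $_.PSObject.Properties['DestinationPrefix'] }

    Write-Host "`nCandidate routes for $RemoteIPAddress (same prefix length: lowest effective metric wins):"
    Get-NetRoute -AddressFamily IPv4 |
        Where-Object {
            # The two /24 entries for the automation segment plus the default route,
            # which only matters if no /24 entry exists (longest prefix wins first).
            $_.DestinationPrefix -in @('192.168.10.0/24', '0.0.0.0/0')
        } |
        Select-Object DestinationPrefix, NextHop, InterfaceAlias, RouteMetric,
            @{ Name = 'InterfaceMetric'; Expression = { $ifMetric[$_.ifIndex] } },
            @{ Name = 'EffectiveMetric'; Expression = { $_.RouteMetric + $ifMetric[$_.ifIndex] } },
            Protocol |
        Sort-Object EffectiveMetric |
        Format-Table -AutoSize

    Write-Host "Route the stack selects (forwarded client packets follow this one too):"
    $chosen | Format-Table DestinationPrefix, NextHop, InterfaceAlias, RouteMetric -AutoSize

    Write-Host "IP forwarding per interface (RRAS enables it on every interface it owns):"
    Get-NetIPInterface -AddressFamily IPv4 |
        Sort-Object InterfaceMetric |
        Format-Table InterfaceAlias, InterfaceMetric, Forwarding, ConnectionState -AutoSize

    return $chosen
}

Show-ForwardingPath -RemoteIPAddress '192.168.10.50' | Out-Null
```

Against the tables in the post, the selected route for a 10.x host will be the on-link one out of 192.168.10.4 (effective metric 512), so a client packet for the automation segment leaves the server directly on that NIC while anything that returns via the firewall arrives on 192.168.1.4, which is the asymmetry seen in the capture. Two caveats a practitioner would want here: Windows Defender Firewall rules apply to traffic that originates from or terminates on the server itself, not to packets RRAS forwards between interfaces, so blocking 192.168.0.x to 192.168.10.x has to be done with RRAS's own packet filters (Routing and Remote Access console, IPv4 > General, properties of the interface, Inbound/Outbound Filters); and if forwarding is switched off on the automation interface with Set-NetIPInterface, RRAS will switch it back on as long as it manages that interface.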