My setup is (I thought) simplicity itself:
1. Server 2008 (SE) with dual NICs (one to Internet, one to switch). One NIC is named PUBLIC INTERNET and the other is named INTERNAL SWITCH just to make it real e-z for me to know which is which.
2. PUBLIC INTERNET is connected to my ISP and has the static IP addr of my home office. INTERNAL SWITCH has IP addr of 10.1.1.1, mask 255.255.255.0. Gateway left blank, which is standard practice, right?
3. Layer2 switch for the intranet, with both the Server 2008 and a wireless router connected to the switch.
4. There is also a wireless router attached to the switch for my internal wireless network. This router has static IP addr of 10.1.1.30, mask 255.255.255.0, gateway of 10.1.1.1. So for the bad guys to get to any stations on the wireless router they gotta break through the firewall on the gateway, then break through the hardware firewall on the wireless router. Plus, I can keep tabs on everyone on the wireless network and filter their internet access with the firewall on the gateway.
I installed RRAS on the W2K8 box and added NAT. I then added the PUBLIC INTERNET interface to the NAT.
Everything works great!
Except that when I go to Network and Sharing Center it says that my INTERNAL SWITCH is a "public" network, that its name is "Unidentified Network" and that access is Local Only. That really doesn't seem to matter right now, except that eventually I plan on putting lots more servers on this network along with VPN, and various blog entries indicate that Windows Firewall really doesn't play well with "unidentified networks".
After a bit more futzing I found a blog that provided a workaround related to getting VPN to work correctly in this setup. BTW, the setup I've got is extremely common; there are quite a few complaints that Vista / Windows 7 (and Server 2008) really don't like the fact that you have an interface with no default gateway.
So after reading a bit I understand that a gateway is really nothing more than a default route used for traffic that matches no more specific route. If my network were completely self-contained with static IP addresses then there would be no such traffic to handle; thus, no need for a router. However, I do need a route so that unmatched traffic (e.g. traffic to the Internet) has a defined next hop. Basically, traffic from the internal 10.1.1.X network (on the switch), as well as traffic routed from the wireless side (which has an internal network number of 192.168.1.X), *does* need to have a route defined.
The workaround which appears to do the job is as follows. (It appears to work fine; I'm on a wireless device right now, connected to the wireless router, which has the static external IP of 10.1.1.30 and a gateway of 10.1.1.1, which has a separate NIC connected to my ISP and I'm typing this entry with no problems.)
1. Open the internal NIC on your dual-homed machine. In my case that's the INTERNAL SWITCH interface from above.
2. If you followed standard settings (which I did based on my network engineer's recommendation) then you have a static IP address for the NIC, a subnet mask and an empty gateway. (You will also have DNS entries, but they don't affect the discussion here--I'm assuming your DNS entries are OK).
3. So the blog I read said that you want to put in a default gateway of any other addressable device on the network (printer, computer, etc.). Hey--that wireless router I was talking about is an addressable device! So I can put that in. The key is:
Device A (gateway, internal NIC):
Static IP: x.x.x.1
Mask: x.x.x.y
Gateway: IP address of other device
Device B (other device):
Static IP: x.x.x.2
Mask: x.x.x.y
Gateway: IP address of gateway
In my case it looks like:
Gateway (INTERNAL SWITCH interface):
IP Address: 10.1.1.1
Mask: 255.255.255.0
Gateway: 10.1.1.30 (the wireless router's wired address)
Wireless router (connected to switch by cable):
IP Address: 10.1.1.30
Mask: 255.255.255.0
Gateway: 10.1.1.1 (this was already set)
4. Now, when you click OK on this setup on your gateway box, you get the warning from Microsoft about "multiple default gateways" and how things will not work right. They are correct, which leads me to the point of this post (which others have done better): you can make multiple default gateways work--but you need to make sure that the metric for the correct default route is the "winner". Metrics identify the cost associated with a given route, and among routes to the same destination the lowest metric always wins. To see what your default route is, you can use the "route print" command. Here's the output from mine:
===========================================================================
Interface List
11 ...00 25 9c d8 83 f9 ...... ASIX AX88772 USB2.0 to Fast Ethernet Adapter
10 ...00 24 81 cd 77 4f ...... Intel(R) 82567V-2 Gigabit Network Connection
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 [isp gateway] [my static ip] 276
10.1.1.0 255.255.255.0 On-link 10.1.1.1 266
10.1.1.1 255.255.255.255 On-link 10.1.1.1 266
10.1.1.255 255.255.255.255 On-link 10.1.1.1 266
[isp gateway] 255.255.255.224 On-link [my static ip] 276
[my static ip] 255.255.255.255 On-link [my static ip] 276
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 10.1.1.1 266
224.0.0.0 240.0.0.0 On-link [my static ip] 276
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 10.1.1.1 266
255.255.255.255 255.255.255.255 On-link [my static ip] 276
===========================================================================
Notice the first line in the active routes--that's the "0.0.0.0" line. Basically, it defines the catch-all for all destinations that don't otherwise have an entry. So, when we click OK after adding that bogus gateway to our internal NIC, what Microsoft is complaining about is that we will end up with two "0.0.0.0" lines. One of them (the one you see above) is the "right" one since it leads out to my ISP, which presumably can route the IP address. The other one will be a nonsense gateway that leads (in my case) to 10.1.1.30, which leads back to 10.1.1.1, which leads back to 10.1.1.30...you get the idea.
So the magic is to force the correct "0.0.0.0" line to have a lower metric than the one that Microsoft generates for us as a result of Step 3 above. To do this, you open a command prompt as administrator and run the "route change" command. Here's the command I ran to force a very low metric to be assigned:
route -p change 0.0.0.0 mask 0.0.0.0 [ISP gateway IP address] METRIC 25 IF 11
OK, so the way it works is that you pass in the destination of the route you care about changing (which from the first line of the route print output we see is "0.0.0.0"). Then you use the word "mask" and follow it with the subnet mask (think of it this way: a destination, a subnet mask and a gateway together make up a unique key on the routing table). Then you put in the gateway, and finally you get to specify the metric (yes, you use the word "METRIC" as I have above) as well as the interface (and you use the word "IF" as I show above). How did I find the interface number? Go back up to the "route print" output, where the first two lines identify the NICs themselves. The first line is:
11 ...00 25 9c d8 83 f9 ...... ASIX AX88772 USB2.0 to Fast Ethernet Adapter
That's the NIC connected to my ISP, and the number "11" is the interface number. You should see your interface number identified the same way.
So I ran the route change command (don't forget to use the "-p" option as I did above to make the change persistent) and used the trick of setting a bogus default gateway for my...default gateway! The net result of all this when I run the "route print" command is that I see *two* default routes as shown below:
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.1.1.30 10.1.1.1 266
0.0.0.0 0.0.0.0 [isp gateway] [my static ip] 45
Look carefully--see how the first line now shows that my "10.1.1.1" interface has a (bogus!) gateway of "10.1.1.30"? More importantly, you can see that Microsoft gave that route a metric of 266. Now in the second line you see the result of running the "route change" command above. While the route is a duplicate from a destination and netmask point of view, because I gave it a much lower metric I have guaranteed that it will always be selected over the first displayed route. (A separate question: in my "route change" command I gave it a metric value of "25" on the command line, but Microsoft turned that into a metric of "45" as we see in the output above. Anyone have an idea why??)
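To make the selection rule concrete, here is an added example (my own code, not from this post) that parses "route print"-style output, applies the same decision a router makes (longest matching prefix first, then lowest metric), and checks that the winning default route actually leaves through the ISP interface. The route table is constructed to mirror the one above, with the ISP gateway and static IP replaced by placeholders from the 203.0.113.0/24 documentation range; the "before the route change" case is simulated by giving the ISP route its original metric of 276.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, List, Tuple

# Constructed sample in the layout of the IPv4 "Active Routes:" section of Windows "route print".
# 203.0.113.1 / 203.0.113.10 are placeholders for the ISP gateway and the host's static IP.
SAMPLE_ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0        10.1.1.30       10.1.1.1     266
          0.0.0.0          0.0.0.0      203.0.113.1   203.0.113.10      45
         10.1.1.0    255.255.255.0         On-link        10.1.1.1     266
         10.1.1.1  255.255.255.255         On-link        10.1.1.1     266
       10.1.1.255  255.255.255.255         On-link        10.1.1.1     266
      203.0.113.0  255.255.255.224         On-link    203.0.113.10     276
     203.0.113.10  255.255.255.255         On-link    203.0.113.10     276
        127.0.0.0        255.0.0.0         On-link       127.0.0.1     306
        127.0.0.1  255.255.255.255         On-link       127.0.0.1     306
        224.0.0.0        240.0.0.0         On-link        10.1.1.1     266
  255.255.255.255  255.255.255.255         On-link        10.1.1.1     266
===========================================================================
"""


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: Optional[str]   # None means "On-link" (directly attached)
    interface: str           # address of the local interface the route uses
    metric: int


def parse_route_print(text: str) -> List[Route]:
    """Extract the rows of the 'Active Routes:' block into Route objects."""
    routes: List[Route] = []
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Active Routes:":
            in_table = True
            continue
        if not in_table or not line:
            continue
        if line.startswith("===="):
            if routes:           # closing rule of the block
                break
            continue
        parts = line.split()
        if parts[0] == "Network":  # column header row
            continue
        dest, mask, gw, iface, metric = parts
        net = ipaddress.IPv4Network((dest, mask), strict=False)
        routes.append(Route(net, None if gw.lower() == "on-link" else gw, iface, int(metric)))
    return routes


def lookup(routes: List[Route], destination: str) -> Optional[Route]:
    """Pick the route a packet to `destination` would take: longest prefix, then lowest metric."""
    dest = ipaddress.IPv4Address(destination)
    candidates = [r for r in routes if dest in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.metric))


def check_default_routes(routes: List[Route], isp_interface: str) -> Tuple[Optional[Route], List[str]]:
    """Return the winning 0.0.0.0/0 route plus warnings about duplicate or misdirected defaults."""
    defaults = sorted((r for r in routes if r.network.prefixlen == 0), key=lambda r: r.metric)
    if not defaults:
        return None, ["no default route: Internet-bound traffic has no next hop"]
    winner = defaults[0]
    warnings: List[str] = []
    if winner.interface != isp_interface:
        warnings.append(f"winning default route leaves via {winner.interface}, expected {isp_interface}; "
                        f"lower the ISP route's metric with 'route -p change 0.0.0.0 mask 0.0.0.0 ... METRIC <n> IF <ifindex>'")
    if len(defaults) > 1 and defaults[0].metric == defaults[1].metric:
        warnings.append("two default routes share the lowest metric; selection is ambiguous")
    for loser in defaults[1:]:
        warnings.append(f"placeholder default route via {loser.gateway} on {loser.interface} (metric {loser.metric}) "
                        f"will carry Internet traffic if the winner's metric ever rises above it")
    return winner, warnings


def with_metric(routes: List[Route], gateway: str, metric: int) -> List[Route]:
    """Copy of the table with the metric of every route through `gateway` replaced (used to simulate 'before')."""
    return [Route(r.network, r.gateway, r.interface, metric) if r.gateway == gateway else r for r in routes]


if __name__ == "__main__":
    table = parse_route_print(SAMPLE_ROUTE_PRINT)
    for label, t in (("after route change", table), ("before route change", with_metric(table, "203.0.113.1", 276))):
        winner, warns = check_default_routes(t, "203.0.113.10")
        print(f"{label}: default via {winner.gateway} on {winner.interface} (metric {winner.metric})")
        for w in warns:
            print("  warning:", w)
    print("10.1.1.30 ->", lookup(table, "10.1.1.30"))  # on-link /24 beats both defaults
```

The "before" simulation shows why the Microsoft warning is right: with the bogus route at 266 and the ISP route at its original 276, the bogus route wins and Internet-bound packets are handed to the wireless router. The on-link lookup for 10.1.1.30 also shows that the metric only matters between the two /0 entries; the more specific 10.1.1.0/24 route is chosen regardless of metric.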
After doing all this, when I go back to Network and Sharing Center, I see that my INTERNAL SWITCH interface is no longer marked as an "Unidentified Network". Plus, I can use the GUI to mark the network as private (which relaxes communications on that network within Windows Firewall) *and* I can even give it a name. Sorry, no screen shots :)