Default route leaks packets over to extranet default gateway when ARP doesn't find the destination on private (intra)subnet.
Hi

We have stumbled upon a strange behaviour in Vista. The set up is as follows: 2 NICs where one is assigned an address from the corporate DHCP server and the other is configured manually to 192.168.1.1/16. All seems ok, and the route table is ok.

The setup is used for testing of interfaces where we produce and send UDP packets of a special protocol, and the cable is moved from interface to interface after an answer is acquired.

When ARP does not find the physical interface (it only tries max 3 times!) to send to on the private network (192...), packets are sent to the default gateway declared by DHCP on the corporate network! (confirmed by sniffing)

We have tried to set a default route with a lower metric for the 192... interface and managed to steer things that way as first choice, but still, when no recipient is found, the packets go out on the default gateway interface!

In XP and 2k there was no problem, but when migrating to Vista the problem occurred.

Besides being an annoying problem for us, it could be considered a safety issue(?) In my world packets addressed for the private (intra)net would NEVER leak to another interface if a route rule exists in the route table!

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    xxx.yyy.zzz.1 xxx.yyy.zzz.130      20
        127.0.0.0        255.0.0.0          On-link       127.0.0.1     306
        127.0.0.1  255.255.255.255          On-link       127.0.0.1     306
  127.255.255.255  255.255.255.255          On-link       127.0.0.1     306
    xxx.yyy.zzz.0    255.255.255.0          On-link xxx.yyy.zzz.130     276
  xxx.yyy.zzz.130  255.255.255.255          On-link xxx.yyy.zzz.130     276
  xxx.yyy.zzz.255  255.255.255.255          On-link xxx.yyy.zzz.130     276
      192.168.0.0      255.255.0.0          On-link     192.168.1.1     257
      192.168.1.1  255.255.255.255          On-link     192.168.1.1     257
  192.168.255.255  255.255.255.255          On-link     192.168.1.1     257
        224.0.0.0        240.0.0.0          On-link       127.0.0.1     306
        224.0.0.0        240.0.0.0          On-link     192.168.1.1     257
        224.0.0.0        240.0.0.0          On-link xxx.yyy.zzz.130     276
  255.255.255.255  255.255.255.255          On-link       127.0.0.1     306
  255.255.255.255  255.255.255.255          On-link     192.168.1.1     257
  255.255.255.255  255.255.255.255          On-link xxx.yyy.zzz.130     276
===========================================================================

Does anyone have a solution to get the packets sent to the proper interface even if the destination address is not present at the moment?

BR
Bjorn
September 10th, 2009 4:57pm

Is there any way to set a route to a null (or discard) interface, like you can in Cisco? It seems to me that what you need is a route to 192.168.0.0/16 via the null interface, but with a higher metric than the connected 192.168.1.1 interface, so that the 192.168.1.1 interface would be used in preference.

At the moment, if it can find the 192.168.x.y destination through the 192.168.1.1 interface then it uses that. If it cannot, then it goes for the next best thing, which is the default gateway. What you need is a route for 192.168.0.0/16 that looks not as good as the 192.168.1.1 interface, but that is more specific than the 0.0.0.0/0 route to the default gateway, and that sends the packet to a black hole. Remember that the more specific route wins.

I don't know whether something like this exists, or what the syntax would be: route add 192.168.0.0 mask 255.255.0.0 metric 300 interface <null>.

Kevin Dorrell
Luxembourg
September 22nd, 2009 6:27pm

Researching this further, it seems that Windows does not have a null route, unlike IOS, Linux, etc. Some versions allow you to route to 127.0.0.1, but some reject it. Try route add 192.168.0.0 mask 255.255.0.0 127.0.0.1 metric 300.

If that does not work, you could try routing it to a non-existent gateway on the private inside network in the hope that if it cannot find that gateway it will give up instead of trying the default route on the outside interface. That is, route add 192.168.0.0 mask 255.255.0.0 192.168.1.200 metric 300, where 192.168.1.200 does not actually exist.

Even if this works, it will not stop all leakage. For example, if the inside interface goes down, you may find a few packets coming out of the outside interface simply because it formed the packets before it realised the inside interface was down, and then sent them on the default route. Windows is horribly leaky like that.

Let us know if any of that works.

Kevin Dorrell
CCIE #20765
Luxembourg
September 22nd, 2009 6:55pm
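To make the route-selection reasoning in Kevin's two posts concrete, here is an added Python model (not from the thread, and not Windows code) of longest-prefix-match with the ARP-failure fall-through Bjorn observed. The entries come from the posted route table with the anonymised corporate prefix replaced by the placeholder 203.0.113.0/24; the "discard" next hop, the non-existent gateway 192.168.1.200 and the set of hosts that answer ARP are assumptions.

```python
import ipaddress

# Entries copied from the route table posted above; the anonymised corporate
# prefix xxx.yyy.zzz is replaced here by the placeholder 203.0.113.0/24.
ROUTES = [
    # (destination, netmask, gateway or "On-link", egress interface, metric)
    ("0.0.0.0",     "0.0.0.0",       "203.0.113.1", "203.0.113.130", 20),
    ("203.0.113.0", "255.255.255.0", "On-link",     "203.0.113.130", 276),
    ("192.168.0.0", "255.255.0.0",   "On-link",     "192.168.1.1",   257),
    ("127.0.0.0",   "255.0.0.0",     "On-link",     "127.0.0.1",     306),
]

# Constructed: hosts that answer ARP. The corporate gateway always does; only
# one test box (192.168.1.7) is currently cabled on the private side.
REACHABLE = {"203.0.113.1", "192.168.1.7"}

# Kevin's two suggestions as route entries (assumptions, not real Windows output):
# a null/discard route, and a route via a gateway that does not exist.
DISCARD_ROUTE = ("192.168.0.0", "255.255.0.0", "discard", "null", 300)
BOGUS_GW_ROUTE = ("192.168.0.0", "255.255.0.0", "192.168.1.200", "192.168.1.1", 300)


def candidates(routes, dst):
    """Matching routes, most specific prefix first, then lowest metric."""
    addr = ipaddress.ip_address(dst)
    hits = []
    for dest, mask, gw, iface, metric in routes:
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        if addr in net:
            hits.append((net.prefixlen, metric, gw, iface))
    hits.sort(key=lambda h: (-h[0], h[1]))
    return hits


def egress(routes, dst, resolvable):
    """Interface the packet leaves on. Models the Vista behaviour reported in
    the thread: if the best route's next hop never answers ARP, the stack
    falls through to the next candidate instead of dropping the packet."""
    for _, _, gw, iface in candidates(routes, dst):
        if gw == "discard":            # hypothetical null route: dropped here
            return "discard"
        next_hop = dst if gw == "On-link" else gw
        if next_hop in resolvable:
            return iface
    return None                        # nothing resolved: packet dropped


if __name__ == "__main__":
    for dst in ("192.168.1.7", "192.168.5.5"):
        print(dst, "->", egress(ROUTES, dst, REACHABLE),
              "| with discard route ->", egress(ROUTES + [DISCARD_ROUTE], dst, REACHABLE))
```

In this model the unreachable 192.168.5.5 leaks out of 203.0.113.130 exactly as Bjorn sniffed, the hypothetical discard route stops it, and the bogus-gateway route does not, since its next hop fails ARP too and the lookup falls through to the default route.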

Hi Kevin.

Thanks for your response! We tried that path, without any luck, before I posted this question. The core issue is that when the addressee interface is not present, Windows only does 3 ARP requests on the designated interface (192.168/24) and then sends all packets to the default gateway anyway if the addressee interface is not present.

Microsoft claims this is the way it should work, but I would have preferred to get them sent out on the right subnet according to the route table, just like it has been done in prior Windows versions (at least in 2k & XP).

It seems like we are stuck with the way MS has implemented the IP in Vista, and close this question down... :(

BR
Bjorn
October 5th, 2009 11:19am
