Configuring 2 routers in the same LAN

[Sneakers]

I have been trying to build an internet redundancy with two routers.

The coniguration is as follows:

I got 1 router (A) connected to ISP-X.
I got 1 router (B) connected to ISP-Y.

The ISPs are off course different, and both are connected just fine.

I have configured my DNS servers like this (by priority):

1) Main DC
2) Router (A)
3) Router (B)

Now, everything works just fine (all clients have their network configured automatically, and all connect to the internet), however, when Router (A) disconnects from ISP-X, the clients can't resolve the DNS since they won't switch to router (B).
I have both routers configured in the DHCP scope options (prioritized as shown above), I also have them configured in the DHCP scope - DNS options.

Why won't my clients try to use Router (B) when Router (A) DNS routing is down?

[NooNoo]

OK all you need to do is configure the dns settings.

For each isp you get two dns server addresses.
Depending on your router configuration you can either put the dns address of one isp in the other router or you can put the dns addresses in the clients directly.

[Sneakers]

...you can put the dns addresses in the clients directly.

This is exactly what I have done.
Via the DHCP all clients get the following DNS addresses (in the following order):

1) DC IP
2) Router (A) DNS1
3) Router (B) DNS1
4) Router (A) DNS2
5) Router (B) DNS2

However, when Router A is offline, the clients can't resolve DNS addresses. (they seem unable to switch to Router B).
What am I doing wrong?

[pbolduc]

You can't just take two residential gateway routers from Staples, CompUSA or Future Shop and expect to network them with WAN fail over. They aren't designed to do that. What Model of Router's are you using?

In order to achieve dual ISP redundancy you should be only using 1 Router with 2 Wan ports. This router must support WAN port fail over. Fail over is achived by a ping server built into the router and configured on one of the WAN port interfaces.

Please Note: DNS has nothing to do with WAN fail-over. You can use any DNS server you want to resolve internet addresses as long as the DNS server permitts you to use their service. (Best practice is to use your assigned ISP's DNS for each connection).

Typically on most routers when you enable redundancy on the primary WAN port this internet connection remains unused until the first WAN port goes down. At this point the outgoing WAN port becomes WAN port 2. It is possible however to route traffic out different WAN port's simulataneously but that requires advanced networking experience.

Keeping things simple, you enable the ping server on WAN port 1 to perform a constant ping to the gateway of that ISP & set the "Dead Gateway Detection" value of 60 seconds and "Fail-over Detection" to 5 Seconds.

Now you need to create a policy to direct traffic out WAN port 2 when WAN port 1 goes down. For Example: Firewall Policy > Source Internal: All --> Destination WAN 2 > All: Destination > All: Schedule > Always: Service > Any: Action > Accept: Enable NAT on Policy.

Now when the Ping server is enabled on WAN Interface 1 that will automatically indicate to the router that upon 60 seconds with 5 failed ping attempts fail-over to WAN2 and your firewall policy will automatically direct traffic out the second WAN port using your second internet provider connection.

[pbolduc]

If I had the time and I was to setup 2 cheap routers and want WAN redundancy this is how I would first attempt it.

First put both routers on the same network segment. For Example:
Router 1: 192.168.1.1
Router 2: 192.168.1.2
Turn off the DHCP service on both router's If your DC is handing DHCP so they don't interfere.

The problem with Microsoft Dead Gateway detection:

1.) It does not distinguish whether the local default gateway has failed or a remote gateway (router) has failed
2.) Provide a fail-back method to change the default gateway back to the primary default gateway when the primary routing path is restored.
However the next generation TCP/IP stack provides fail-back for default gateway changes
3) Do not expect ISA to allow configuration of fail-over as it does not have this capability.

Even if you were able to set the correct gateway to change for the functional internet connection you still would have to come up with a way of being able to refresh your client's DHCP information to reflect the network change. Then have it change back on the server/client once the primary gateway connection was restored.

Okay this is getting way too complicated for such a simple task. Time to replace your router. Or maybe you can find a programmer that can write this up as a Client/Host service that can automate these changes for you on each windows system. To me that sounds like a more expensive route.

[pbolduc]

Okay... i've done a bit of searching and found this VB script for altering "the default gateway" upon dead gateway detection. Just follow the comments in the script and input your values as required. Make sure the public IP PING_IP is something other than your internal network IP address preferably the ISPs Gateway IP for the primary segment. This assumes you have 2 NIC's in your DC configured each with their own gateway to the internet through each router.

----> Beginning of Script

' The script will check the availability of the PING_IP on the current ISP and then switch between them
' when one fails every XX seconds (managed by WaitVal). If SwitchBack is 1 then it will switch back
' to ISP1 when it is available. The script does NOT change NIC configuration values, only the
' routing table for the default route.
'
strDebug = 2 ' Set variables for output - 0 is no output, 1 is output for initialization, 2 is full output
SwitchBack = 0 ' If switchback=1 then switch back to ISP1 when available
RouteFlag=1 ' Set RouteFlag = 1, 1 is ISP1, 2 is ISP2
WaitVal = 5000 ' Number of milliseconds to wait between gateway checks
SwitchWait = 720 ' Number of loops before rechecking ISP1 if SwitchBack is one. The check may disconnect all internet traffic
'
' Set up the two different ISP IP addresses and names
ISP1_IP = "xx.xx.xx.xx"
ISP1_GateWay = "xx.xx.xx.xx"
ISP2_IP = "xx.xx.xx.x"
ISP2_GateWay = "xx.xx.xx.xx"
PING_IP = "xx.xx.xx.xx"
'
' These adapter names must match the NIC exactly
ISP1_AdapterName = "Primary ISP"
ISP2_AdapterName = "Secondary ISP"
'
' Create necessary objects
Dim WshShell
Dim ISP1MAC
Dim ISP2MAC
Set WshShell = CreateObject("WScript.Shell")
'On Error Resume Next
strComputer = "." ' This computer
'
' Choose ISP1 adapter by Name
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set objISP1Adapter = objWMIService._
ExecQuery("Select * from Win32_NetworkAdapter where NetConnectionID = '" _
& ISP1_AdapterName & "'") ',,48)
'
' Choose ISP2 adapter by Name
Set objISP2Adapter = objWMIService._
ExecQuery("Select * from Win32_NetworkAdapter where NetConnectionID = '" _
& ISP2_AdapterName & "'") ',,48)
'
' Store the MAC addresses of each interface
if strDebug <> 0 then Wscript.Echo "================================================= =================="
For Each objItem in objISP1Adapter
if strDebug <> 0 then Wscript.Echo "Primary ISP MACAddress: " & objItem.MACAddress
ISP1MAC = objItem.MACAddress
ISP1InterfaceIndex = Hex(objItem.InterfaceIndex)
if strDebug <> 0 then Wscript.Echo "Primary ISP InterfaceIndex: " & ISP1InterfaceIndex
Next
For Each objItem in objISP2Adapter
if strDebug <> 0 then Wscript.Echo "Secondary ISP MACAddress: " & objItem.MACAddress
ISP2MAC = objItem.MACAddress
ISP2InterfaceIndex = Hex(objItem.InterfaceIndex)
if strDebug <> 0 then Wscript.Echo "Secondary ISP InterfaceIndex: " & ISP2InterfaceIndex
Next
if strDebug <> 0 then Wscript.Echo "================================================= =================="
'
' Choose ISP1 adapter CONFIGURATION by MACAddress
Set CONFobjISP1Adapter = objWMIService._
ExecQuery("Select * from Win32_NetworkAdapterConfiguration where MACAddress = '" _
& ISP1MAC & "'") ',,48)
' Choose ISP2 adapter CONFIGURATION by MACAddress
Set CONFobjISP2Adapter = objWMIService._
ExecQuery("Select * from Win32_NetworkAdapterConfiguration where MACAddress = '" _
& ISP2MAC & "'") ',,48)
For Each objItem in CONFobjISP1Adapter
if strDebug <> 0 then Wscript.Echo "Primary ISP Description: " & objItem.Description
ISP1MAC = objItem.MACAddress
Next
For Each objItem in CONFobjISP2Adapter
if strDebug <> 0 then Wscript.Echo "Secondary ISP Description: " & objItem.Description
UltraMAC = objItem.MACAddress
Next
if strDebug <> 0 then Wscript.Echo "================================================= =================="
SwitchCount = 0
Do
'
' The loop checks the public IP PING_IP to see if it is reachable. If so, then it is assumed the
' ISP is up. If not, it is assumed the ISP is down. Later a periodic check is done which
' will see if ISP1 is up and switch to it if it is up.
'
Set objPing = GetObject("winmgmts:{impersonationLevel=impersonat e}")._
ExecQuery("select * from Win32_PingStatus where address = '" _
& PING_IP & "'")
For Each ISPStatus in objPing
If IsNull(ISPStatus.StatusCode) or ISPStatus.StatusCode<>0 Then
if RouteFlag = 1 Then
if strDebug = 2 Then WScript.Echo "Primary ISP Status PING Status Code: " & ISPStatus.StatusCode
if strDebug = 2 Then WScript.Echo " " & Now() & " ####### Switching to Secondary ISP ##########"
' Change the routing table to use ISP2 gateway for default route
WshShell.Run "route DELETE 0.0.0.0", True
WshShell.Run "route ADD 0.0.0.0 MASK 0.0.0.0 " & ISP2_Gateway, True
RouteFlag = 2
SwitchCount = 0
ElseIf RouteFlag = 2 Then
if strDebug = 2 Then WScript.Echo "Secondary ISP Status PING Status Code: " & ISPStatus.StatusCode
if strDebug = 2 Then WScript.Echo " " & Now() & " ####### Switching to Primary ISP ##########"
WshShell.Run "route DELETE 0.0.0.0", True
WshShell.Run "route ADD 0.0.0.0 MASK 0.0.0.0 " & ISP1_Gateway, True
RouteFlag = 1
End If
End If
Next
' If switchback is set then increment the counter and see if we should test again
If SwitchBack = 1 And RouteFlag = 2 Then
SwitchCount = SwitchCount + 1
If SwitchCount = SwitchWait Then
if strDebug = 2 Then WScript.Echo "Checking Primary ISP Status"
if strDebug = 2 Then WScript.Echo " " & Now() & " ####### Switching to Primary ISP ##########"
WshShell.Run "route DELETE 0.0.0.0", True
WshShell.Run "route ADD 0.0.0.0 MASK 0.0.0.0 " & ISP1_Gateway, True
RouteFlag = 1
Set objPing = GetObject("winmgmts:{impersonationLevel=impersonat e}")._
ExecQuery("select * from Win32_PingStatus where address = '" _
& PING_IP & "'")
For Each ISPStatus in objPing
If IsNull(ISPStatus.StatusCode) or ISPStatus.StatusCode<>0 Then
if strDebug = 2 Then WScript.Echo "Primary ISP Status PING Status Code: " & ISPStatus.StatusCode
if strDebug = 2 Then WScript.Echo " " & Now() & " ####### Switching back to Secondary ISP ##########"
' Change the routing table to use ISP2 gateway for default route
WshShell.Run "route DELETE 0.0.0.0", True
WshShell.Run "route ADD 0.0.0.0 MASK 0.0.0.0 " & ISP2_Gateway, True
RouteFlag = 2
SwitchCount = 0
Else
if strDebug = 2 Then WScript.Echo "Primary ISP up, leaving active"
End If
Next
End If
End If
WScript.Sleep WaitVal
Loop


<---- End of Script

Now we need to find a way to have the client PC's receive the updated gateway information without causing too much of a hassle.

[pbolduc]

Unfortunately if you were running a Terminal Server this script would work wonders for TS Clients. However, due to complications (DHCP Server Service and Clients obtaining IP information from this service) I'm not sure we can address this with a simple software solution. Even by creating a script to run on the individual client workstations it would require admin permissions to run on the local workstation which would prove to be a security risk for your network. Here's a couple links to finding a hardware device that can suite your needs:
http://www.freedom9.com/products/product.php?p=28
http://www.sonicwall.com/us/products/TZ_170_Series.html

[Sneakers]

Thanks Pbolduc.
I am using two low-profile 3COM routers with a single WAN port and built-in WLAN AP.
Both have the DHCP service disabled, and are on the same segment as my entire domain.

I thought about the possibilty of replacing my routers to a dual-WAN router to handle the fail over.
Unfortunatly, my routers are located on two different floors and they also provide WLAN AP services.

So, if I undrestand correctly, you are saying that the problem is with the clients, which are unable to auto-update their DHCP to use Router (B) when Router (A) fails.
I was certain that if I input both Routers IPs in the DHCP scope options (under "array of routers") for my domain, the clients will be able to use both routers.
I thought that if the client will not succeed in routing a packet outside my domain using Router (A) it will automatically try to route it using Router (B), since both appear in the client's DHCP addresses as gateways.

So, my options are to either replace the routers to a router which supports fail over (dual WAN) or use a script (like your example above) to force the clients to switch to the working router in case of a fail over?

[slgrieb]

Sneakers, if you don't have a large number of computers to deal with it might be simpler to add the IP address of the second router as a second gateway along with the relevant DNS settings by using the Advanced Properties menu for TCP settings on individual machines. Especially if you are already using assigned IP addresses for the workstations. I have a couple of clients where I've done this, and it has worked fine.

[CeeBee]

It is possible to do it even with consumer routers. Hint: RIP

[pbolduc]

Well, it has been to my understanding that a local subnet can only have 1 gateway at a time and because the gateway of the first router isn't really going down (Just the Internet Connection for that router) that is why the server and the clients aren't switching to the second gateway. There would have to be a physical loss of connection to your primary router private IP before the second gateway would come into effect. Therefore, that doesn't help you out.

Secondly, even if you did manage to make use of the second gateway as per slgrieb suggested, which by the sounds of things you have already configured in your DHCP Scope, then what happens when your primary gateway becomes available again? The Workstations will still use the backup gateway until the ip cache has been manually reset. Of course you could always make a simple bat file to update the routing table of the client PC's to use the second gateway by using the "route add 0.0.0.0 mask 0.0.0.0 backupgatewayip" command. That will have to be run twice though, once to make the secondary primary and then a second batch file to make the primary secondary.

One thing you could test after hours and by the sounds of things I'm pretty sure it will work the way you would expect it to. Unplug your primary router's power. That will break the primary gateway connection and your DHCP clients should go out through the second routers gateway to the internet. I realize this is not really what your after but it would prove your theory. Also CeeBee has an interesting point about RIP (Rest In Peace) you may want to plug him for more information about that protocol and if its configurable on your router.

[CeeBee]

Also CeeBee has an interesting point about RIP (Rest In Peace) you may want to plug him for more information about that protocol and if its configurable on your router.

For those who didn't get the joke.. RIP=Routing Information Protocol
http://en.wikipedia.org/wiki/Routing...ation_Protocol

[CeeBee]

My approach would be one with 3 routers to reduce the pain.

Code:

                       ---ROUTER1----ISP1
LAN---ROUTER3-|
                       ---ROUTER2----ISP2

At least in theory the 3 routers should exchange information about the available routes and if one ISP goes down ROUTER3 should learn to redirect packets to the other one (after all this is how the Internet works...)

[slgrieb]

For anyone who wants a better understanding of gateway detection and configuration in XP, here's an article from TechWeb. This article is targeted at computers using mulitple network adapters, where the issues differ from a single NIC setup. Though the article is about Vista, the process is basically the same. And, in this scenario, I'd say RIP is probably the simplest method.

[pbolduc]

I wouldn't waste too much time with that vista article as the TCP/IP stack in Vista has been modified to provide for proper dead gateway detection fail-over... Where as, in XP and prior operating systems it really wasn't fully designed for that. Vista has its advantages =)