Skip to main content
Super User

Return to Answer

explain route table output for 0.0.0.0
Source Link
Preston Maness
Preston Maness
  • 1.5k
  • 11
  • 16

172.27.0.1/18

192.168.2.1/24

172.28.48.1/20

172.22.128.1/20

Your VMs themselves should still have network connectivity; they'll just go through the VPN. If you're able to log into the VMs "locally" via a console log-in, you could confirm that.

Edit:

A note on your comment about the route table:

the table shows majority of routes go through my home router 192.168.2.1 and other routes (to office) go through officer router: 172.27.0.1

I don't think that's what the route table shows. Specifically, for non-specific networks --0.0.0.0-- there are two routes specified:

IPv4 Route Table
=================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.2.1     192.168.2.13     35
          0.0.0.0          0.0.0.0       172.27.0.1     172.27.31.15      2

Here, again, the VPN gateway has the lower Metric and so all traffic that matches 0.0.0.0 rather than a more specific one will go to the VPN (and we have already demonstrated above that the more specific routes are also configured to go through the VPN).

172.27.0.1

192.168.2.1

172.28.48.1

172.22.128.1

Your VMs themselves should still have network connectivity; they'll just go through the VPN. If you're able to log into the VMs "locally" via a console log-in, you could confirm that.

172.27.0.1/18

192.168.2.1/24

172.28.48.1/20

172.22.128.1/20

Your VMs themselves should still have network connectivity; they'll just go through the VPN. If you're able to log into the VMs "locally" via a console log-in, you could confirm that.

Edit:

A note on your comment about the route table:

the table shows majority of routes go through my home router 192.168.2.1 and other routes (to office) go through officer router: 172.27.0.1

I don't think that's what the route table shows. Specifically, for non-specific networks --0.0.0.0-- there are two routes specified:

IPv4 Route Table
=================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.2.1     192.168.2.13     35
          0.0.0.0          0.0.0.0       172.27.0.1     172.27.31.15      2

Here, again, the VPN gateway has the lower Metric and so all traffic that matches 0.0.0.0 rather than a more specific one will go to the VPN (and we have already demonstrated above that the more specific routes are also configured to go through the VPN).

Source Link
Preston Maness
Preston Maness
  • 1.5k
  • 11
  • 16

Thanks for the routing table. I think it lines up with John's assumption that Split Tunnel is not enabled on your VPN provider. That is, the VPN client, when establishing a connection to the VPN server, is configured to update the operating system's routing table and move all traffic through the VPN.

You mention the following hosts being unreachable:

  1. 172.27.0.1 (Unreachable)
  2. 192.168.2.1 (Unreachable)
  3. 172.28.48.1 (Unreachable)
  4. 172.22.128.1 (Unreachable)

172.27.0.1

This is IP is given as the default gateway for your Cisco AnyConnect interface:

Ethernet adapter Ethernet 2:

   Description . . . . . . . . . . . : Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64
   ...
   IPv4 Address. . . . . . . . . . . : 172.27.31.15(Preferred)
   Default Gateway . . . . . . . . . : ::
                                   172.27.0.1

That you cannot ping this particular IP address is likely just a firewall rule on the server side that prevents ICMP (ping) traffic. If it were truly unreachable then you would not have any connectivity at all according to state of the route table.

192.168.2.1

This is, I'm assuming, the default gateway for a wireless access point that your device is connecting to:

Wireless LAN adapter Wi-Fi:
   ...
   IPv4 Address. . . . . . . . . . . : 192.168.2.13(Preferred)
   Default Gateway . . . . . . . . . : 192.168.2.1
   ...

The relevant pieces from the routing table are:

IPv4 Route Table
=================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
    192.168.2.0    255.255.255.0       172.27.0.1     172.27.31.15      2

Here, traffic destined for the 192.168.2.0/24 subnet has only one option, to go through the 127.27.0.1 gateway. There is no other route saying to use the 192.168.2.1 Gateway on the 192.168.2.13 Interface.

As such, traffic destined for the 192.168.2.0/24 subnet hits the VPN gateway, and there is nothing on the other side. Hence, destination unreachable.

172.28.48.1

The relevant pieces from the routing table are:

IPv4 Route Table
=================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
      172.28.48.0    255.255.240.0         On-link       172.28.48.1    271
      172.28.48.0    255.255.240.0       172.27.0.1     172.27.31.15      2

Here, you have two different routes for the same network, 172.28.48.0/20. The On-link one is what you want the traffic to go through. However, its Metric is 271, which is higher than the Metric for the VPN gateway, which is 2. The lower metric wins, and so traffic to the 172.28.48.0/20 network goes to the VPN gateway, and there is nothing on the other side. Hence, destination unreachable.

172.22.128.1

The relevant pieces from the routing table are:

IPv4 Route Table
=================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
     172.22.128.0    255.255.240.0       172.27.0.1     172.27.31.15      2
     172.22.128.0    255.255.240.0         On-link      172.22.128.1    271

(This is a similar situation to the 172.28.48.0/20 network.)

For the 172.22.128.0/20 network, two routes are specified. You want the On-link one, but the metric for the VPN gateway is lower. So, traffic for 172.22.128.0/20 goes to the VPN gateway, and there is nothing on the other side. Hence, destination unreachable.

In order for you to reach the desired networks from your host machine, you will need to remove the routes that the Cisco AnyConnect VPN client has installed in the routing table. I do not know whether or not the VPN client will detect this and update them again though; typically, when administrators configure their VPNs this way, it is intentional, and manually trying to work around the VPN client configuration without permission might be viewed negatively.

I also don't think this is a WSL2 vs WSL1 issue, or a Windows 10 vs 11 issue, or a virtual bridge vs virtual NAT issue (but I readily admit I could be mistaken). So long as the routing table on the host is configured this way, any traffic from the host machine is going to go through the VPN rather than to the relevant interfaces on the host machine that would push the traffic to the local VM network.

Your VMs themselves should still have network connectivity; they'll just go through the VPN. If you're able to log into the VMs "locally" via a console log-in, you could confirm that.