
Problem: Windows 10 can't reach an IP host behind two routers, where the path is specified in static routes.

Windows has the following setup:

Windows Host (192.168.3.1/24 for the local LAN with default gw 192.168.3.254/24 and
              10.0.0.101/28 for the VPN to the secured systems) ->
VPN Router (10.0.0.97/28 - IP on Windows host's end) ->
Security Router (10.212.69.3 - behind VPN endpoint) ->
Target host (100.102.1.136 - somewhere behind Security Router)

I have the following static routes defined on the Windows host:

(Note: The Windows system is set to German locale, so I translated the most-difficult-to-understand parts into English manually)

           IP          Netmask          Gateway    Metric
      0.0.0.0          0.0.0.0    192.168.3.254  Standard
  100.102.0.0      255.254.0.0      10.212.69.3         1 <<- Target network
  10.212.69.3  255.255.255.255        10.0.0.97         2 <<- Security Router behind VPN

When I ping the target host 100.102.1.136 I would expect the IP packet to go from the Windows host to the VPN router, through the VPN tunnel, to the Security router and from there to the target network. It does, however, go directly to the default gateway of the Windows network (192.168.3.254), where - of course - it can't be processed.

I can ping the Security Router (10.212.69.3), so that is working fine, but Windows is choosing the wrong path for the target behind the Security Router.

C:\>tracert 100.102.3.136

Tracing route to 100.102.3.136 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  fritz.box [192.168.3.254]
  2  p4fabf621.dip0.t-ipconnect.de [62.155.246.33]  reports: Destination net unreachable.

C:\>tracert 10.212.69.3

Tracing route to 10.212.69.3 over a maximum of 30 hops

  1     8 ms     7 ms     8 ms  10.0.0.97
  2     9 ms     8 ms     8 ms  10.212.69.3

What am I missing?

This is the route print and ipconfig output

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.3.254       10.0.0.101    281
        10.0.0.96  255.255.255.240          On-Link        10.0.0.101    281
       10.0.0.101  255.255.255.255          On-Link        10.0.0.101    281
       10.0.0.111  255.255.255.255          On-Link        10.0.0.101    281
      10.212.69.3  255.255.255.255        10.0.0.97       10.0.0.101     27
      100.102.0.0      255.254.0.0      10.212.69.3       10.0.0.101     26
        127.0.0.0        255.0.0.0          On-Link         127.0.0.1    331
        127.0.0.1  255.255.255.255          On-Link         127.0.0.1    331
  127.255.255.255  255.255.255.255          On-Link         127.0.0.1    331
      188.144.0.0      255.254.0.0      10.212.69.3       10.0.0.101     26
      192.168.3.0    255.255.255.0          On-Link        10.0.0.101    281
      192.168.3.1  255.255.255.255          On-Link        10.0.0.101    281
    192.168.3.255  255.255.255.255          On-Link        10.0.0.101    281
        224.0.0.0        240.0.0.0          On-Link         127.0.0.1    331
        224.0.0.0        240.0.0.0          On-Link        10.0.0.101    281
  255.255.255.255  255.255.255.255          On-Link         127.0.0.1    331
  255.255.255.255  255.255.255.255          On-Link        10.0.0.101    281
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0    192.168.3.254  Standard 
      100.102.0.0      255.254.0.0      10.212.69.3       1
      10.212.69.3  255.255.255.255        10.0.0.97       2
===========================================================================


Windows IP Configuration

   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter LAN1:

   Description . . . . . . . . . . . : Intel(R) I210 Gigabit Network Connection #2
   DHCP Enabled. . . . . . . . . . . : No
   IPv4 Address. . . . . . . . . . . : 10.0.0.101(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.240
   IPv4 Address. . . . . . . . . . . : 192.168.3.1(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.3.254

1 Answer

I can ping the Security Router (10.212.69.3), so that is working fine, but Windows is choosing the wrong path for the target behind the Security Router.

Routers route based on their routing table, not the routing table of the client. You can only specify next hop, you can't instruct upstream routers what to do.

Thus your route should be 100.102.1.136 via 10.0.0.97.

  • Geeeesh... that worked. "You can only specify the next hop, you can't instruct upstream routers what to do." was the key - but I still don't quite understand that. I mean, that packet needs to get to 10.212.69.3 so I gave MY Windows a route from 100.102.0.0/28 to 10.212.69.3 and also told MY Windows that packets to 10.212.69.3 must be sent through 10.0.0.97. Doing it your way (the right way!) makes this even simpler, but I would have thought that passing data through two routes on a single Windows machine should work, too... I didn't (and still don't) see MY Windows box as being two routers.
    – Thomas
    Commented Oct 3, 2023 at 22:09
  • Every machine is a router. It may be routing only for packets originating from itself, but it uses the routing table to look up where to send them. Source routing was a thing, but security implications basically killed it a long time ago.
    – vidarlo
    Commented Oct 4, 2023 at 8:00
  • "Every machine is a router." My thoughts exactly: One Windows box -> one router - MY router ;-) I gave it plenty of info on how to route the packet (through two hops, all on the same Windows machine). I fully agree that one route is sufficient and technically works, but I still don't quite see why giving it two hops should confuse it so much that it rather sends it to the default gateway instead.
    – Thomas
    Commented Oct 4, 2023 at 8:29
  • Because it has no idea of how to reach 10.212.69.3 on a local interface. Remember that IP packets don't contain routing information; they contain source and destination address. Look up the IP header; it doesn't have a Next hop option; it has src and dst IP.
    – vidarlo
    Commented Oct 4, 2023 at 8:31
  • well, yes, but that's why I gave it a static route for this: 10.212.69.3 255.255.255.255 10.0.0.97
    – Thomas
    Commented Oct 5, 2023 at 7:10
