Multiple NICs

Multiple Network Interface Cards can pose a problem for Windows applications: how does the application know which IP address to use?

Applications are usually written using standard Windows libraries, which bind to a random available Network Interface Card (and hence IP address). If there is more than one Network Interface Card, the application might pick the secondary IP address (such as an internal IP address).

If the Network Interface Card is multi-homed (multiple IP addresses assigned to one NIC), the choice becomes even more unpredictable.

This can result in the following problems:

  1. Can't send out data from the client: If the server is on a different subnet, there is no way for the client to know which interface to send the traffic out of.

The solution to this is to add a persistent route to the client:

route -p add s.s.s.s mask m.m.m.m r.r.r.r

where s.s.s.s is the server IP, m.m.m.m is the subnet mask, and r.r.r.r is the router IP.

  2. One-way communications: The data may actually be sent to the server OK, since the destination server is known to the router. But when the server replies to the client, it will use a destination IP address that the router won't know about.

The solution to this is to add a specific static route to the router:

ip route i.i.i.i 255.255.255.255 c.c.c.c

where i.i.i.i is the client secondary IP address, and c.c.c.c is the client's primary IP address.

  3. Server application rejects unknown IP address: The server application may decide that it doesn't know the IP address because it doesn't match the registered client. If so, then the server may need to be reconfigured to understand this new address. Depending on how the server application is written, it may not be able to understand this IP address, or it cannot be made to associate both client IP addresses with a single endpoint. If so, then the connection will fail.

  4. Firewall rules block the communications: Since the secondary IP address is not normally routed, a firewall on the client, on an intermediate network device, or on the server may block communications.

This can be resolved by adding extra firewall exceptions, but doing so may open up security vulnerabilities, since internal traffic might leak through the exception.

Another method may be to start the application using a special executable called "ForceBindIP".

This command-line application allows you to specify an IP address for the application to bind to. It uses DLL injection to override the way Windows assigns IP addresses to applications. Note that this application doesn't cater for every case.
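Where the application's source code is under your control, the source address can be pinned in the program itself by calling bind() before connect(), without DLL injection or extra firewall exceptions. The following is an added example, not code from the original page or from ForceBindIP; the function names are hypothetical, and the loopback addresses 127.0.0.1 and 127.0.0.2 are constructed stand-ins for the server and the client's chosen interface address (this assumes the whole 127.0.0.0/8 range is usable on the loopback interface).

```python
import socket
import threading

def default_source_for(dest_ip, port=9):
    """Return the local address the OS routing table selects for dest_ip.
    connect() on a UDP socket sends no packets; it only resolves the route."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.connect((dest_ip, port))
        return s.getsockname()[0]

def connect_from(local_ip, server_addr, timeout=3.0):
    """Open a TCP connection whose source address is pinned to local_ip.
    Port 0 lets the OS pick the ephemeral port; only the address is fixed."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.bind((local_ip, 0))      # fails with OSError if local_ip is not on this host
        s.connect(server_addr)
    except OSError:
        s.close()
        raise
    return s

def demo(server_ip="127.0.0.1", client_ip="127.0.0.2"):
    """Return (OS-chosen source, source seen by the server) for constructed addresses."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((server_ip, 0))
    listener.listen(1)
    listener.settimeout(3.0)
    seen = {}

    def accept_one():
        conn, peer = listener.accept()
        seen["peer"] = peer[0]     # the address a server would match against its registered client
        conn.close()

    t = threading.Thread(target=accept_one)
    t.start()
    client = connect_from(client_ip, listener.getsockname())
    t.join()
    client.close()
    listener.close()
    return default_source_for(server_ip), seen["peer"]

if __name__ == "__main__":
    print(demo())
```

On a real multi-NIC host, pass the interface address the server and firewalls expect as local_ip, and compare it with default_source_for() to see whether the OS would have chosen a different one.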