Quick Tip: Multiple IP’s on Adapter and Firewalls

Published on Friday, January 3, 2014 in

Typically a server has one network interface with one IP on it. Especially in virtualized environments. However in certain scenario’s, like web servers, multiple IP’s can be bound to one network interface. When configuring firewalls external to the host, e.g. a hardware device shielding the server segment from other segments, people often wonder what address the server is going to use for outgoing traffic. People tend to think that the first address on the adapter is the one that is used for all outgoing traffic. Perhaps that was true for some earlier versions for Windows, but it seems that somewhere in time this has shifted:

It seems that the server verifies which address has the longest matching prefix with the gateway configured on the adapter.

You can read the details here: http://blogs.technet.com/b/networking/archive/2009/04/25/source-ip-address-selection-on-a-multi-homed-windows-computer.aspx

The example the blog uses:

There’s a server with address and (gateway: The server will use the address because it has the longest matching prefix. To see this more clearly, consider the IP addresses in binary:

  • 11000000 10101000 00000001 00001110 = (Bits matching the gateway = 25)
  • 11000000 10101000 00000001 01000100 = (Bits matching the gateway = 26)
  • 11000000 10101000 00000001 01111111 =

The address has more matching high order bits with the gateway address Therefore, it is used for off-link communication.

In the above example you could force the address by using the SkipAsSource parameter you can pass along with netsh. In order to use SkipAsSource we have to add additional address from the command line:

  • Netsh int ipv4 add address <Interface Name> <ip address> <netmask> skipassource=true

In order to verify this we can execute the following command:

  • Netsh int ipv4 show ipaddresses level=verbose

Related Posts

No Response to "Quick Tip: Multiple IP’s on Adapter and Firewalls"

Add Your Comment