Software Router Filter
February 17, 2005 9:22 AM
Does a software-based router exist so that I can have essentially two internet connections accessed from one Windows XP computer at the same time?
I have a need to access a VPN connection (which is locked down from web surfing) and still be able to surf at the same time. There is no way the VPN will be opened up to HTTP or FTP access, so what I want to do is establish VPN for one software app, (company softphone) and still handle general email, web surfing, etc through whatever connection I happen to have, such as in a hotel, airport, or even my home network. I figure there should be a way to do this at the software level, so that it effectively routes packets to the various connections. Am I nuts? Can I do this?
I don't see how this would be a problem unless your VPN is using publicly routable IP addresses.
Most VPNs connect you to a private network which should contain private IP addresses (10.x.x.x or 192.168.x.x).
Windows 2000 and above should route to these addresses fine. You won't be able to do name-based, since I'm assuming your DNS lies up with your main ISP. You'll typically have to use raw IP addresses to handle this.
posted by patrickje at 10:47 AM on February 17, 2005
zsazsa's right. If you know the IP address range used by the systems you need to access at your company, and the IP address assigned to your VPN, you should be able to get this to work very easily with the route command.
The caveats are that (1) some VPN software will force you to route all traffic through the VPN, (2) you're probably going to want to access DNS servers to resolve hostnames for machines on the internet and on your company's internet network, (3) you might violate your company's security policy by setting this up, and (4) if you violate the security policy and the company gets hacked through your connection, they probably won't be terribly happy with you.
For dealing with (2), you can add multiple DNS servers to that connection, but doing so will effectively be broadcasting potentially interesting information out through your internet connection if you add your company's DNS server to the bottom of your list, or broadcast inside your company the fact that you're still browsing the internet if you list your company's DNS server first. Another option is to add the names and IPs to the hosts file, which is easy enough if you know the systems you'll need to access.
If (1) isn't a problem, (3) and (4) are your company's own damn fault.
On preview: If your company has appropriated public address spaces illegally, i.e., they're using 69.93.29.x internally instead of 10.x or 192.168.x.x, you're not going to be able to access any of the machines on the 69.93.29.0 network while you're connected to the VPN... which means you won't be here on Metafilter (69.93.29.234). OTOH, if they did pick some random not-private address space, the chances of them having picked IPs that collide with anything interesting are quite slim. :)
posted by cactus at 10:59 AM on February 17, 2005
I think I understand this stuff...let me elaborate a bit....
1) The VPN is a specific IP address (66.X.X.X)
2) The soft phone connects to a private internal address (192.0.1.201)
So by using this route command thingy, the soft phone can do what it needs to and other web traffic can use the regular internet connection? Apologies if I'm asking dumb questions here.
posted by TeamBilly at 12:04 PM on February 17, 2005
TeamBilly, you are correct.
Your VPN will connect to a valid public IP, but will, in effect, route you through to your internal (192.168.x.x) network fine. You shouldn't have to do anything.
I know I connect through VPN from my home network (192.168.12.x) to my work network (192.168.x.x) and I just make sure that my home network has static IPs which do not collide with IPs from my work network.
posted by patrickje at 2:00 PM on February 17, 2005
Actually, prompted by the answers here and a question to my MIS team, I discovered that XP makes this easy.
1) Open up properties on the VPN connection.
2) Click on the "Networking" tab.
3) Click "TCP/IP"
4) Click "Advanced"
5) Uncheck the box marked "Use Default Gateway."
This allows me to do what I want to do. Further correspondence with Cactus indicates that this is a feature which is effectively running the ROUTE command in the background. Whatever the case, it works. Thanks to all of you for the assistance.
posted by TeamBilly at 2:21 PM on February 17, 2005
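The routing behaviour discussed in this thread (the route command, the "Use Default Gateway" box, and the address-collision caveats), modelled as an added example that is not part of any poster's comment. The addresses come from the thread; the metric values, interface names and default LAN prefix are assumptions made for illustration.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def build_table(vpn_prefixes, use_default_gateway, lan="192.168.12.0/24"):
    """Return a constructed route table as (network, interface, metric) tuples."""
    table = [
        (ipaddress.ip_network("0.0.0.0/0"), "local", 20),  # hotel/home default route
        (ipaddress.ip_network(lan), "local", 20),           # on-link LAN route
    ]
    if use_default_gateway:
        # Box checked: the VPN adds its own default route with a better (assumed) metric.
        table.append((ipaddress.ip_network("0.0.0.0/0"), "vpn", 1))
    table += [(ipaddress.ip_network(p), "vpn", 1) for p in vpn_prefixes]
    return table

def pick_interface(table, dest):
    """Longest-prefix match; the lowest metric breaks ties between equal prefixes."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in table if addr in r[0]]
    return max(matches, key=lambda r: (r[0].prefixlen, -r[2]))[1]

def audit(vpn_prefixes, lan="192.168.12.0/24"):
    """Flag VPN prefixes that overlap the local LAN or cover public address space."""
    lan_net, findings = ipaddress.ip_network(lan), []
    for p in map(ipaddress.ip_network, vpn_prefixes):
        if p.overlaps(lan_net):
            findings.append((str(p), "overlaps local LAN"))
        if not any(p.subnet_of(r) for r in RFC1918):
            findings.append((str(p), "not RFC 1918: hides internet hosts in this range"))
    return findings

if __name__ == "__main__":
    split = build_table(["192.0.1.201/32"], use_default_gateway=False)
    full = build_table(["192.0.1.201/32"], use_default_gateway=True)
    for name, table in (("split", split), ("full", full)):
        # Softphone address, then the public web address mentioned in the thread.
        print(name, pick_interface(table, "192.0.1.201"), pick_interface(table, "69.93.29.234"))
    print(audit(["69.93.29.0/24", "192.168.0.0/16"]))
```

With the box unchecked only the softphone's host route uses the tunnel; with it checked, every destination does, which is what a VPN administrator enforcing full tunnelling expects to see.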
This thread is closed to new comments.
posted by zsazsa at 9:38 AM on February 17, 2005