Manage multiple Internet connections in XP
March 5, 2008 3:47 PM
My system has multiple Internet connections, and I want to be able to specify which of these connections particular applications will use. I run Windows XP Pro.
Connection A is EVDO. It's low-latency but has a limited amount of bandwidth usage per month (with steep overage charges if I exceed it), and is ideal for highly interactive applications (such as VNC, Remote Desktop, SSH, Skype, and certain web sites).
Connection B is satellite. It's high-latency, but without any limitations on monthly bandwidth usage, which makes it ideal for large downloads and general web browsing.
I want to be able to specify that certain applications use connection A (e.g. PuTTY, VNC, and RoyalTS), and have the other applications use connection B. I'd also like to be able to block certain applications from accessing the Internet at all, or only allow them to access certain IP address ranges. If it were possible to have connections from an application to certain IP addresses use connection A, and connections from the same application to other IP addresses use connection B, that would be really cool (but this is functionality I can live without if that is not possible).
Another very nice feature would be the ability to monitor total bandwidth usage on each Internet connection. If it was possible to monitor bandwidth usage per-application, that would be even better!
Can anyone recommend some software that will help? Googling gives me tonnes of hits for blocking and firewall software, but I didn't come across anything that looked like it does what I want.
Ideally, this would be one package with a nice GUI, but mixing and matching is fine, and I'm entirely comfortable with a text editor and the command-line if required. If I need to, I'd be OK with setting up a Linux (or *BSD) firewall box to manage my connections, but I'd rather not have to resort to that (recommendations for distributions that would make this relatively painless are appreciated).
Response by poster: Netzapper: you're right - I was hoping there might be something that would hook into the kernel and cause the "default" connection that an application binds to to be changed on a per-application basis, essentially. Or something like an internal "router" that intercepts the packets and somehow knows which application they originated from (maybe by looking at the OS's tables of which port is assigned to which process), and then routes them to different connections based on a ruleset.
Unfortunately, in many cases I am using both kinds of applications at the same time, so just physically changing the connections isn't really going to do it for me. It is totally common for me to be downloading a big package while also using VNC, for instance. One possibility along those lines would be to actually have two separate computers, one for each connection (possibly a VM would work too)... it would be a PITA though, so I'm hoping to be able to avoid that.
I guess I'm hoping for an easy solution that wouldn't require me to spend a lot of time fiddling with router rules or using multiple computers. It strikes me that there would be a way to do this, so I'm hoping that somebody has done it. I'm willing to accept if that turns out not to exist... I wonder if this is something anyone else would need - if there was a market for it, I might actually look into spending some time trying to implement it myself.
posted by Emanuel at 4:19 PM on March 5, 2008
I know what you're talking about and as far as I know you're going to have to write it.
posted by rhizome at 4:21 PM on March 5, 2008
Perhaps someone better at networking can explain the specifics but XP should handle routes with multiple interfaces. Here is an example. With a little fiddling you can specify what route and interface to take. So if your VNC server is on 192.168.2.5 and your evdo card is interface 3 with the gateway IP of 10.0.0.1 then you could do:
route add 192.168.2.5 10.0.0.1 if 3
posted by damn dirty ape at 5:26 PM on March 5, 2008
Also route /? is your friend.
posted by damn dirty ape at 5:26 PM on March 5, 2008
AFAIK this is nearly impossible to do on windows alone. My old roommate has struggled to get this sort of thing to work for a long time and always failed (he's thinking it'll be possible in Server 2008 (maybe backportable to Vista?)).
Your best bet is really to have the internet connections plugged into a box running Linux or BSD, and configure it to route traffic to the different interfaces based on outgoing port number.
I have done this with several cable modems before, using firehol as a configuration interface to the Linux kernel's native iptables. firehol's syntax is the friendliest I've used. You'll be able to install it through the package management on any distribution (If you're using debian or ubuntu it should install the kernel parts for you).
posted by blasdelf at 5:33 PM on March 5, 2008
damn dirty ape's trick should work, but only if you know the IP ranges you want to route in different directions. You could use it to whitelist the specific servers you want on the EVDO, but you couldn't shove all Skype traffic onto it unless the people you talk to have consistent IPs. Every external host not explicitly whitelisted would have to default to the satellite connection.
posted by blasdelf at 5:40 PM on March 5, 2008
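As an added illustration (not code from the thread), the following Python models the static-route approach from damn dirty ape's route add command together with the limitation blasdelf points out: only destinations with an explicit route reach the EVDO card, and everything else follows the default route to the satellite. The VNC server 192.168.2.5 and the EVDO gateway 10.0.0.1 on interface 3 come from the comment above; the satellite interface, its gateway and the 203.0.113.0/24 block are constructed.

```python
import ipaddress

# Constructed sample: XP interface index -> (name, gateway). The EVDO card is
# "if 3" with gateway 10.0.0.1 as in the comment above; the satellite is if 2.
INTERFACES = {2: ("satellite", "192.168.1.1"), 3: ("evdo", "10.0.0.1")}

# Constructed whitelist of destinations that must use the low-latency EVDO link.
EVDO_DESTINATIONS = ["192.168.2.5/32",   # the VNC server from the comment above
                     "203.0.113.0/24"]   # an SSH host's block (documentation range)

def build_route_table(evdo_prefixes, evdo_if=3, default_if=2):
    """Return (network, gateway, interface) entries; 0.0.0.0/0 is the satellite default."""
    table = [(ipaddress.ip_network(p), INTERFACES[evdo_if][1], evdo_if)
             for p in evdo_prefixes]
    table.append((ipaddress.ip_network("0.0.0.0/0"), INTERFACES[default_if][1], default_if))
    return table

def select_interface(dst, table):
    """Longest-prefix match, which is how the OS picks a route for a destination."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, _gw, ifidx in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifidx)
    return INTERFACES[best[1]][0]

def route_add_commands(table):
    """Render persistent XP 'route -p add' lines for the non-default entries."""
    return [f"route -p add {net.network_address} mask {net.netmask} {gw} if {ifidx}"
            for net, gw, ifidx in table if net.prefixlen > 0]

if __name__ == "__main__":
    table = build_route_table(EVDO_DESTINATIONS)
    print("\n".join(route_add_commands(table)))
    for dst in ("192.168.2.5", "203.0.113.10", "198.51.100.7"):
        print(dst, "->", select_interface(dst, table))
```

Anything an application talks to that is not in the whitelist (198.51.100.7 in the sample) lands on the satellite, which is why dynamic-IP services such as Skype cannot be pinned to the EVDO card this way.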
What you're describing is a level of control and QoS/routing manipulation that would be damn near impossible using existing network configuration elements of XP- or most any OS. As Netzapper noted, you can set up routing rules and prioritization so long as you can tell individual applications to use an IP as a gateway (and thus use routing rules to send that traffic to the interface best matching it, etc), but if the applications are just "I'll use whatever the OS exposes" like most do, what you're describing is basically having a layer 7 router running to filter/manage/track traffic rather automatically. The routing/proxying software or device isn't going to really know which application is sending the request unless it can base that on a) port requested, or b) analyzing the application layer for packet content.
Emanuel: Or something like an internal "router" that intercepts the packets and somehow knows which application they originated from (maybe by looking at the OS's tables of which port is assigned to which process), and then routes them to different connections based on a ruleset.
Yeah, this is doable. This could be written- basically an all-purpose socket listener/proxy that can make the decisions you want based on incoming port, as in "port 1234, proxy to this connection".
Not trivial to write, and I'd be surprised if such a package exists in the form you want already. Some AV programs- I'm thinking of Norton- do things like this, by inserting their own virtual NIC that intercepts traffic and sends to the real connections- but probably not with the fine tuned control you're looking for.
posted by hincandenza at 5:42 PM on March 5, 2008
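An added example of the "socket listener/proxy" idea in hincandenza's comment (not code from the thread): a small TCP forwarder where each listening port maps to a target and to the local source IP the outbound socket is bound to, which is how a process ties a connection to one particular adapter. The ports and addresses in RULES are constructed; loopback_roundtrip is a self-check that runs the whole chain on 127.0.0.1.

```python
import socket
import threading

# Constructed rule table: listen port -> (target host, target port, local source IP);
# the source IP is the EVDO card's address for latency-sensitive rules, the satellite's otherwise.
RULES = {2222: ("203.0.113.10", 22, "10.0.0.2"),     # SSH via the EVDO side (constructed)
         8080: ("198.51.100.7", 80, "192.168.1.2")}  # bulk HTTP via satellite (constructed)

def pump(src, dst):
    """Copy bytes one way until EOF, then half-close the other side."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def relay(client, host, port, source_ip):
    """Open the outbound leg bound to source_ip (port 0 = any), then relay both ways."""
    upstream = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    upstream.bind((source_ip, 0))   # the bound local IP is what ties the flow to an adapter
    upstream.connect((host, port))
    t = threading.Thread(target=pump, args=(upstream, client), daemon=True)
    t.start()
    pump(client, upstream)
    t.join()
    for s in (upstream, client):
        s.close()

def serve_one(listener, rules=RULES):
    """Accept one connection on a bound listener and relay it per the rule table."""
    client, _ = listener.accept()
    host, port, source_ip = rules[listener.getsockname()[1]]
    relay(client, host, port, source_ip)

def loopback_roundtrip(payload):
    """Self-check on 127.0.0.1: client -> proxy -> echo server; returns the echoed bytes."""
    echo = socket.socket()
    echo.bind(("127.0.0.1", 0))
    echo.listen(1)
    def echo_once():
        c, _ = echo.accept()
        pump(c, c)
        c.close()
    threading.Thread(target=echo_once, daemon=True).start()
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    rules = {listener.getsockname()[1]: ("127.0.0.1", echo.getsockname()[1], "127.0.0.1")}
    threading.Thread(target=serve_one, args=(listener, rules), daemon=True).start()
    cli = socket.create_connection(listener.getsockname())
    cli.sendall(payload)
    cli.shutdown(socket.SHUT_WR)
    out = b"".join(iter(lambda: cli.recv(4096), b""))
    for s in (cli, listener, echo):
        s.close()
    return out
```

Binding the source address only selects the adapter by itself on a strong-host OS (Vista and later); XP's weak host model and Linux's default routing still consult the routing table, so pair this with per-destination routes on XP or with source-based policy routes on a Linux box.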
I would solve the problem blasdelf mentions with my routes by getting a proxy for dynamic items. So let's say I had access to a SOCKS server (a box at work running ssh or whatever). I'd make Firefox run using the SOCKS proxy. Then you just add the route of that proxy as I mentioned above. Should be doable with XP. With a little fiddling and a lot of experimentation you should be OK. You'll definitely have problem apps that won't play nice with proxies. In that case you might have to bite the bullet and run Virtual PC or look for alternatives.
posted by damn dirty ape at 5:47 PM on March 5, 2008
While this is certainly possible with manual routing setups, it's a complex technical challenge, with a solid working knowledge of routing tables required. I do this stuff for a living, and I still wouldn't do it that way - just too much grief.
I suggest an alternative approach. Set up a virtual machine (in VirtualBox, or VMware Server or Workstation if you can afford it) which does one type of traffic, say EVDO. Give that VM access to the EVDO network interface only, with default gateway out of that interface. Set up the host OS with the other network card as default for bulk use. When you want to do EVDO, wake your VM up from sleep, and off you go.
Option B is to set up a dedicated EVDO-only box, running Windows (or Linux) and use RDP to take over its screen in a window from your main PC when you need that high-speed traffic.
Option C is to have EVDO as your default route on your main box, with a dedicated web proxy (such as Squid) on the satellite route, probably easiest on a dedicated Linux box using a distro like Smoothwall or IPCop, or a separate hardware proxy. Have a dedicated browser on the main PC that routes through that proxy explicitly in the browser settings for downloads and general browsing, while all other traffic goes out via EVDO on the default gateway.
There's a whole ton of tools for measuring bandwidth use on a single network interface locally; I personally use PRTG, but that may well be overkill.
posted by ArkhanJG at 5:51 PM on March 5, 2008 [1 favorite]
Skype proxy settings here. Looks a little tricky but doable.
posted by damn dirty ape at 5:53 PM on March 5, 2008
I just came across a recent article by Lifehacker referencing a tutorial "Application Aware Triggered Quality of Service". I haven't read all of it, but it might be helpful to you in some way or other.
posted by mrbloo at 9:33 PM on March 5, 2008
damn dirty ape: I don't know why I didn't think of ssh -D, I use it almost daily!
Firefox uses SOCKS proxies independently of the operating system it runs on top of (a great bug/feature, depending), so I use NNW+Safari+Camino for my normal browsing, and just leave Firefox set to proxy via 127.0.0.1:4000 all the time. I have bash aliases for the boxes I ssh to constantly, the main one is aliased to ssh -D 4000 fred@host -t screen -Ux and is pretty much always up.
posted by blasdelf at 10:50 PM on March 5, 2008
I've done this. Well, similar. I had a linux machine that just needed to connect to a VPN for which only windows machines had a client available. Long story shortened - I set up a VMware machine running windows and used that as the router for the linux host. It took some wrestling, but it worked well.
In theory this should work in Windows as well. Smoothwall has VMware images available that are fully functioning Linux routers. You could run one in a VM session on the Windows box and use that for your QoS and application routing.
I imagine that this will take some work. Smoothwall does not out of the box support multiple "red" or internet facing interfaces. There are mods that allow you to change the default behavior - for example, improving performance on a satellite link.
I don't know that this is the easiest of answers, and it does require a lot of legerdemain on your part, but with the tools here and some advice from the others, this should be doable.
Good luck.
posted by Pogo_Fuzzybutt at 6:12 AM on March 6, 2008
Response by poster: Thanks everyone. Lots of really excellent pointers and ideas. I haven't marked a "best answer" because I think every answer has contributed greatly to my understanding of the options. The Skype proxy options link will probably save me a lot of time at some point!
Initially I will go with what I think is the simplest option. My primary computer will be connected to the satellite, and I'll have a second computer connected to EVDO that I run any low-latency tasks on, which I'll access through a remote desktop connection. I have a spare older system sitting around that will be perfect for the job.
I will probably experiment with the many other options that have been presented as time permits.
posted by Emanuel at 7:29 AM on March 6, 2008
Googling around a bit, I found this: NAT32 Windows Software Router
I am interested to hear how it works, so please report back if you happen to try it.
posted by metaplectic at 9:47 PM on November 25, 2008
My fellow programmers and I generally assume that desktop software is going to run on a machine with a single internet connection. Or, that the user won't care what connection to use in any particular case.
As a result, when we're programming, and we go to select an external IP with which to associate a new remote connection, we just tell the computer to give us whichever one it wants. We certainly could do otherwise, by specifying which of the available external IPs to associate with. However, you would then be irritated by the fact that every time you browsed to a website, we popped up a little box asking you what external IP you'd like. 99% of people would think there was a virus or something.
So, I think that it would be highly unlikely that you will find an easy and universal way of pulling off per-application bindings.
The router can handle this for you, aside from deep magic traffic shaping. For instance, if you wanted to redirect PuTTY, you'd set up a firewall/router and filter ssh packets out a different interface than HTTP packets. But, you're going to need plenty of technical expertise for this to work like you imagine it.
Honestly, I'd just switch between the two different connections physically depending on what you're doing with it.
posted by Netzapper at 4:01 PM on March 5, 2008