qumpus

2 NICs, one w/ VPN the other w/ normal web traffic?

So I'm a developer.  Our db is only accessible locally through our VPN.  In order to develop my apps on a local machine I must be connected to the VPN.  However, this also re-routes ALL of my internet traffic through our VPN and out through our data center where we pay pro-rated bandwidth. This adds quite a bit of load time to every web request I make, and costs us for the bandwidth usage.  Our data center is located half-way across the country.

What I'm wondering is if I am able to bind the VPN to one NIC, and my normal Internet connection to another NIC?  I have a laptop with wireless - that I would like to send my normal web traffic through, and then use my LAN port (a different NIC) to be dedicated to the VPN connection?  Is this possible?

Would I need to set up a local proxy or possibly modify the routing tables somehow?  Changing the settings of our company VPN is unfortunately not an option.
Any ideas on this?
ASKER CERTIFIED SOLUTION
bbao

qumpus

ASKER

bbao,

Thanks for the comments, this is really great news!  I am on a small network in the office here, so to be sure - these routing tables are machine specific, and would not affect the rest of our LAN users?

My internet gateway is 2.1
VPN gateway is 17.21
but the VPN mask is 255.255.255.255

so my route cmds would look like this, right?

// '0' mask would tell it to send all traffic through normal internet?
ROUTE ADD 0.0.0.0 MASK 0.0.0.0 192.168.2.1

// 255.0 mask would ???
ROUTE ADD 192.168.17.21 MASK 255.255.255.0 192.168.2.1

Once connected to the VPN, the IP's I would access are 18.x & 19.x

Thanks bbao!!!
qumpus

ASKER

bbao,

disregard the last comment... I figured it out - thank you so much!

-qumpus
glad to help. :)

FYI:
> these routing tables are machine specific, and would not affect the rest of our LAN users?

yes. no worries about other LAN users.

> My internet gateway is 2.1
> VPN gateway is 17.21
> but the VPN mask is 255.255.255.255
> Once connected to the VPN, the IP's I would access are 18.x & 19.x

it seems your VPN is dial-up based, right? i suppose the related ROUTE commands would look like the following:

ROUTE ADD 0.0.0.0 MASK 0.0.0.0 192.168.2.1
ROUTE ADD 192.168.16.0 MASK 255.255.252.0 192.168.17.21
qumpus

ASKER

bbao,

Although I really did like this routing table solution, our network admin informed me that this was extremely insecure and will not allow me to use this method.  It opens up a security hole allowing others to 'piggyback' on the connection allowing them into our private network.

This is the article he forwarded me which explains why this method does not work.
http://www.isaserver.org/tutorials/2004fixipsectunnel.html

Are there any other solutions that would be more safe and secure?
yes. it is possible that a malicious user may indirectly access your VPN based extranet through your computer which connects the internet and the VPN at the same time, ONLY IF your computer has been stoned/controlled by the user's trojan program or similar software.

please note the condition that ONLY IF introduced. the risk is not caused by this routing table solution, it is caused by the vulnerability of your computer. in other words, you may have the exact same problem if you access the internet through the VPN via the internet gateway at the remote site, though the overall performance is not what you expected. even so, it is NOT secure too, because you are connected.

e.g. your IE's configuration is weak, so accessing a dangerous web site may lead your IE to be stoned by a malicious agent program which can unknowingly gather sensitive information from the network your computer/it can access, including your LAN and the VPN, and securely send them out to a specific external site. this might happen even if you access the internet through your VPN, same thing, except that the lower performance which might cause the infection process going a bit slower, hehe.

as for the ICS and routing issue that article mentioned, it is NOT related to your scenario. you have NO ICS enabled. you use DUN (Dial-Up Network) based VPN, which is not routable, and additionally, your XP's routing is NOT enabled by default.

so what i recommend is: if your data is really sensitive and you must keep away from any possibility of privacy issue, do NOT connect the internet and internal network at the SAME time. otherwise, just keep your computer fully patched and not accessing untrusted sites, and enjoy working and surfing at the same time. :)

hope it helps,
bbao
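
An added example, not part of the thread: it models the two ROUTE ADD lines posted above to show how longest-prefix matching picks a gateway per destination, and adds a check an administrator could use to flag the dual-homed (split-tunnel) state the thread discusses. The function names and the sample destination addresses are constructed for illustration.

```python
import ipaddress

# Routes from the thread's ROUTE ADD commands: (destination, mask, gateway)
ROUTES = [
    ("0.0.0.0", "0.0.0.0", "192.168.2.1"),               # default: local internet gateway
    ("192.168.16.0", "255.255.252.0", "192.168.17.21"),  # 16.x-19.x: VPN gateway
]
VPN_GATEWAY = "192.168.17.21"


def parse_routes(rows):
    """Turn (dest, mask, gateway) rows into (network, gateway) pairs.

    strict=True raises ValueError when the destination has host bits set
    under its mask, i.e. when (destination & mask) != destination.
    """
    return [(ipaddress.ip_network(f"{d}/{m}", strict=True), gw) for d, m, gw in rows]


def next_hop(table, dest):
    """Longest-prefix match: the most specific matching route wins."""
    addr = ipaddress.ip_address(dest)
    matches = [(net, gw) for net, gw in table if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def is_split_tunnel(table, vpn_gateway):
    """True when some routes use the VPN but the default route does not."""
    uses_vpn = any(gw == vpn_gateway for _, gw in table)
    default_gws = {gw for net, gw in table if net.prefixlen == 0}
    return uses_vpn and bool(default_gws) and vpn_gateway not in default_gws


if __name__ == "__main__":
    table = parse_routes(ROUTES)
    # Constructed sample destinations: two VPN-side hosts, one neighbour range, one public
    for dest in ("192.168.18.40", "192.168.19.7", "192.168.20.1", "93.184.216.34"):
        print(f"{dest:>15} -> {next_hop(table, dest)}")
    print("split tunnel:", is_split_tunnel(table, VPN_GATEWAY))
```

The /22 route covers 192.168.16.0 through 192.168.19.255, so only those addresses leave via the VPN gateway; everything else, including 192.168.20.x, follows the default route.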