Policy-based routing on Windows with freeware tools

Sometimes you need routing that depends not only on the destination IP address but on the combination of destination IP address (or hostname) and destination port. I will describe a way to accomplish this with free tools.

The situation that calls for this is rare, especially on Windows machines, but it does happen. For example, a user may be connected to an external VPN, which changes the DNS servers the machine uses. At the same time there may be a resource that is reachable both from the Internet and from the corporate network.

From the Internet it is reachable on an external IP address; from the corporate network it is reachable on an internal IP address. While the VPN is connected, the site's name always resolves to the external IP. There may also be a second service on the same DNS name, on a different port, that is reachable only from the corporate network.

So you want all traffic for that port forwarded to the internal IP, and all traffic for the default port forwarded to the external IP. Forwarding traffic to different addresses based on destination IP and port number is called policy-based routing. It is easily done on Linux/Unix systems and on Cisco routers, but Windows has no native equivalent. Here is a trick that implements policy-based routing on Windows, and the whole solution is free.

First you need to install the Microsoft Loopback Adapter (a reboot is required).
The steps on Windows XP are:

Go to Control Panel
Choose "Add Hardware"
Choose "Yes, I have already connected the hardware"
From the list choose "Add a new hardware device"
Choose "Install the hardware that I manually select from a list (Advanced)"
Choose "Network adapters"
In the Manufacturer column choose "Microsoft"; in the Network Adapter column choose "Microsoft Loopback Adapter"
Click Next and the installation will start
Click Finish and restart your system

Then assign an IP address to the Microsoft Loopback Adapter. Pick an address from a range that is not used anywhere on your network. The address will not be reachable from your local area network, because the loopback adapter is connected only to the host machine itself.

Next you need to map the DNS name that policy-based routing should apply to onto the IP address of your loopback adapter. For this you edit the hosts file and flush the DNS cache (both require administrator rights):

Open Notepad by clicking Start > Run, typing 'notepad' (without quotes) and hitting Enter
Click File > Open and in the "Files of type" drop-down list choose "All Files"
In the Open dialog navigate to c:\windows\system32\drivers\etc and choose the hosts file
Go to the end of the file and add a new line: type the loopback adapter's IP address, hit Tab, and type the DNS name of the site that policy-based routing should apply to (for example testsite1.com)
Save the file
Next, flush the DNS cache so that the resolver reloads the hosts file:

Click Start > Run, type cmd and hit Enter
Type 'ipconfig /flushdns' (without quotes) and hit Enter
Type exit
Next, download and install a port forwarding utility, for example PJS Passport (http://sourceforge.net/projects/pjs-passport/). It installs as a service and configures itself to start automatically.

The last thing to do is define the forwarding rules. For instance, if all traffic addressed to testsite1.com:80 must be forwarded to the external IP and all traffic addressed to testsite1.com:8080 must be forwarded to the internal IP, configure the rules as follows:

Source: loopback adapter IP, port 80   ->  Target: external IP, port 80
Source: loopback adapter IP, port 8080 ->  Target: internal IP, port 8080


You can use any combination of source ports and target IP addresses and ports. If you need forwarding to more than one target address, install another Microsoft Loopback Adapter (or simply add a second IP address to the existing one), assign it another IP and map the other DNS name to that IP in the hosts file. One caveat: make sure the forwarder listens on the loopback adapter's IP only, not on all interfaces. A forwarder bound to 0.0.0.0 also answers on your real network adapter, which would give any host that can reach your machine a relay into the internal network.
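The same procedure, scripted for a current Windows release, as an added example that is not from the original article. It uses the built-in netsh portproxy forwarder (part of the IP Helper service) in place of PJS Passport, assumes the loopback adapter is already installed (on Windows 8 and later it is listed as "Microsoft KM-TEST Loopback Adapter") and has been renamed "Loopback PBR", and uses made-up documentation addresses for the loopback, external and internal IPs. The adapter alias, the addresses and the hostname are all assumptions; change them to match your environment.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original article.
# Hosts-file + loopback-adapter policy routing, with netsh portproxy as the forwarder.

$LoopbackAlias = 'Loopback PBR'      # assumed name of the loopback adapter (see Get-NetAdapter)
$LoopbackIP    = '10.255.255.1'      # assumed: unused, non-routed address for the loopback adapter
$HostName      = 'testsite1.com'     # the example name used in the article
$Rules = @(
    @{ Port = 80;   Target = '203.0.113.10' },   # assumed external IP (documentation range)
    @{ Port = 8080; Target = '192.0.2.10'   }    # assumed internal IP (documentation range)
)

# 1. Give the loopback adapter its address (skip if it is already there).
if (-not (Get-NetIPAddress -InterfaceAlias $LoopbackAlias -IPAddress $LoopbackIP -ErrorAction SilentlyContinue)) {
    New-NetIPAddress -InterfaceAlias $LoopbackAlias -IPAddress $LoopbackIP -PrefixLength 24 | Out-Null
}

# 2. Pin the name to the loopback address in the hosts file, then flush the resolver cache.
$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$Pattern   = "^\s*$([regex]::Escape($LoopbackIP))\s+$([regex]::Escape($HostName))\s*$"
if (-not (Select-String -Path $HostsPath -Pattern $Pattern -Quiet)) {
    Add-Content -Path $HostsPath -Value "$LoopbackIP`t$HostName"
}
Clear-DnsClientCache

# 3. Forwarding rules. listenaddress is the loopback IP, never 0.0.0.0, so the
#    relay cannot be reached through the real NIC by other hosts on the LAN.
Set-Service -Name iphlpsvc -StartupType Automatic   # portproxy lives in the IP Helper service
Start-Service -Name iphlpsvc
foreach ($r in $Rules) {
    # remove any stale rule for this listener first, then add the current one
    netsh interface portproxy delete v4tov4 listenaddress=$LoopbackIP listenport=$($r.Port) | Out-Null
    netsh interface portproxy add v4tov4 listenaddress=$LoopbackIP listenport=$($r.Port) `
        connectaddress=$($r.Target) connectport=$($r.Port)
}

# 4. Checks: the name resolves to the loopback IP, the rules are in place,
#    and each forwarded port accepts a connection (which also proves the target is reachable).
Resolve-DnsName -Name $HostName -Type A | Select-Object Name, IPAddress
netsh interface portproxy show v4tov4
foreach ($r in $Rules) {
    $ok = Test-NetConnection -ComputerName $HostName -Port $r.Port -InformationLevel Quiet
    "{0}:{1} -> {2}:{1} reachable: {3}" -f $HostName, $r.Port, $r.Target, $ok
}
```

To undo the change, run `netsh interface portproxy reset`, remove the line from the hosts file and flush the cache again. Because the name is pinned in the hosts file, every application on the machine that uses that name is affected, not only the browser, so keep the entry only as long as the VPN session needs it.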

However, this method has a serious limitation: it works only for traffic addressed by DNS name. If you need policy routing for a client that uses the destination IP address directly, you have to substitute a different address (the loopback adapter's) for the real destination in the client's configuration, because you cannot assign the real destination IP to the loopback adapter; that configuration will not work. In most software you can either substitute another IP or use a DNS name, but if you cannot, unfortunately this method is not for you.

I hope this helps someone and I'm looking forward to any feedback from readers.

Comments (1)


Of course this is a very rare situation and I just want to describe the technology, because I have seen a lot of questions on the web about how to do it, but there was no solution.

I invented this because I had such a rare situation:
A user was connected to a customer VPN while physically connected to the corporate network, therefore the addresses of the DNS servers changed. We have one local intranet site, for example car.com. It is available from the intranet through IP (for example) and from the Internet from IP (for example). While connected to the customer VPN, the site car.com resolves to the external IP (which is also available from the corporate network). Now there is another service on the site car.com that works on port 7070. So the address is car.com:7070. But this service is unavailable from the Internet, only from the corporate network. So I need the user to be able to go to car.com:7070 while connected to the customer VPN (with external DNS servers). I could modify the hosts file so that car.com always resolves to the intranet IP. But then the site car.com would be unavailable from the Internet. This is a laptop and the user wants to have the site car.com available from the Internet. Also I could go to the site car.com:7070 by IP address, for example, but it is even more complicated. When the user clicks on a link that leads to car.com:7070 it is actually redirected to the car.com:7070 site. The link is car.com:8080 and it returns an HTTP 302 response (temporarily moved) with the address car.com:7070, and in the address bar there is some hash (I think from Active Directory), without which authentication on the site car.com:7070 fails. So the HTTP 302 response from the link car.com:8080 is like this: car.com:7070/hash=jhtyt5vy6%V%^VI^&%VI&^%VI&^%. Without this hash, if the user just goes to car.com:7070, authentication fails. The user of course can catch the 302 response with some software, for example Fiddler, and substitute the IP instead of the words car.com and paste it into the browser, but it is not convenient to do every time. So I developed this solution, based on this situation, because it needed to be automatic and transparent to the user. This is not a common situation, but it seems that this solution was absent on the web. At least I couldn't find it while working on the issue.
