Bouncing Traffic through office

Posted on 2014-08-21
Last Modified: 2014-11-18

We have a customer who has 2 broadband lines in their office on the same network. They use a specific piece of software that needs to connect using "line 2" which is a dedicated line for their software. They use a route add on each machine to direct the traffic for the specific external IP range to that line.

What could we do for them to allow them to direct traffic through line 2 when outside the office - so they can use laptops.

Obviously a VPN was the first thought, but that would just route the traffic to the main line - it wouldn't route it back out again on line 2 i don't think.


Question by:stevie_dee
    LVL 31

    Accepted Solution

    I don't know exactly how your network is set up but I can take a guess. This sounds very similar to how a few of my clients are set up (they have a software provider that insists on a dedicated Internet connection for their services).

    Your software provider probably has a dedicated router onsite which uses the dedicated broadband Internet "Line 2" to establish a site-to-site VPN with their servers outside your network. Then they tell you to set up static routes on your PCs so that traffic destined for their particular subnet routes traffic through THEIR router, instead of yours.

    For your own network, you have your own router connecting to the "Line 1" broadband that does all of your own network's normal Internet routing, and it is configured as the default gateway for your PCs and they use it for normal Internet traffic.

    I've made a little diagram of what I think your network looks like. Obviously I made assumptions about what are the actual network addresses and subnets that you are using so you'll have to bear with me and translate what I put in the diagram in your head to what your actual network is using.

    Hypothetical diagram of your network
    Assuming this is pretty much correct, I think you should do a few things:

    1) First, instead of adding static routes to each PC, instead add the static route to "" network to ROUTER 1.

    Since Router 1 is the default gateway for your PCs, they will send all traffic that isn't on the local subnet there. ROUTER 1 will then send traffic for the subnet to ROUTER 2, which will then route it via whatever VPN / tunneling system it has using Broadband Line 2.

    This means that you do not need any special configuration on your PCs. As far as they are concerned, the subnet that your dedicated software is using is just another address out on the Internet somewhere. They do not need to know that it is in-fact being routed via ROUTER 2 over a different Internet connection.

    2) Set up a remote access VPN on ROUTER 1. I'm going to assume that you will use the Routing and Remote Access service of a typical Windows Server to set up PPTP VPN and do the necessary port forward of TCP Port 1723 and GRE Protocol 47 on ROUTER 1. But whatever you were planning on doing for a VPN, implement that.

    The critical step for your clients is to make sure they are configured to "use the default gateway of the remote connection". That is to say, when your clients are connected to the VPN, ALL Internet traffic passes through the VPN, not just traffic destined for the one local subnet.

    In a standard Windows 7 Native VPN Connection, this option is configured under Properties->Networking->TCP/IPv4->Properties->Advanced->"Use default gateway on remote network"

    When you do this, ALL Internet traffic (including traffic destined for from the VPN client will go through your VPN (via Broadband Line 1) to the default gateway (ROUTER 1). ROUTER 1 will direct the traffic for the subnet to ROUTER 2, which will route it to your software provider via Broadband Line 2, and you'll have connectivity.

    Your remote access clients would connect to the VPN on the WAN IP of Line 1, e.g.

    Of course this does mean that ALL Internet traffic for  your remote users will go over the VPN, which will impact the overall Internet speeds of your clients while they are connected to the VPN since their download speed would be limited to Broadband Line 1's upload speeds.

    If you'd rather have just the two subnets ( and go through the VPN connection and have all other Internet traffic bypass the VPN, you'd have to set up the static routes on the VPN client for the subnet after they establish connectivity to your VPN so that traffic for is routed to ROUTER 1 via the VPN. You can do this manually with a "route add" command at the command prompt in Windows after VPN connectivity is established. Some VPN clients support adding the route for you automatically. I think OpenVPN and Cisco AnyConnect do support it, but the Native Windows PPTP VPN client doesn't really do it, at least not easily.

    Author Comment

    Frosty555 - thanks so much for your detailed response!

    Your presumptions are pretty much spot on - just a few amends as per the updated diagram (Sorry for the Plagiarism)

    Network Diagram V2
    Router 1 runs DHCP as there is no server onsite currently. It gives the default GW as

    We set a static route on each machine to point all traffic for to go through

    The software package in question talks directly to an external IP  not internal - so I presume NO VPN is used - only a firewall locking down the incoming traffic on the remote end.

    Also, router 2 is locked down so we can't make any changes on it.

    Does that change your recommendations?


    LVL 31

    Expert Comment

    Nope that sounds just about right, I would not expect the software package to talk to any internal IP addresses. It simply tries to send packets to, the routing table on the computer tells it to send those packets to the gateway (Router 2), and Router 2 handles it from there. It might be a VPN, it might be a simple firewall, it doesn't really matter, as far as you are concerned the process is transparent.

    So yes, basically instead of setting the static route on every machine telling it to send traffic destined for to the gateway, put that static route on Router 1 instead.

    The flow of traffic will change from:
        PC->Router 2->
                       [via LINE 2]

    To this:
        PC->Router 1->Router 2->
                                       [via LINE 2]

    The extra "hop" should be unnoticeable provided that Router 1 and your Switch are decent quality pieces of equipment.

    And your VPN traffic will look like this:

        Remote PC->VPN Tunnel->Router1->Router 2->
                                  [via LINE 1]                      [via LINE 2]

    Hopefully Router 1 supports some kind of remote access VPN internally. If not, you might need to find other equipment to implement the remote access VPN, or replace the router. Most of my experience has been with Windows Server running RRAS, but there are plenty of other VPN products out there both in software and hardware form that will arguably do a better job.
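    The route changes described in the accepted solution (static route moved from each PC onto Router 1, and the full-tunnel versus split-tunnel "route add" choice for the VPN laptop) and the three traffic flows above can be checked with a small longest-prefix-match model. This is an added example, not code from the thread or any participant; the addresses are constructed placeholders because the real ones are not shown, and the node names (ROUTER1, ROUTER2, LINE1, LINE2, VPN, HOME_ROUTER) are assumptions.

```python
import ipaddress

# Constructed placeholder addresses (RFC 5737 documentation range for the
# provider); the thread's real addresses are not shown, so these are assumptions.
PROVIDER_NET, OFFICE_LAN, HOME_LAN, ANY = "203.0.113.0/24", "192.168.1.0/24", "10.0.0.0/24", "0.0.0.0/0"
PROVIDER_HOST = "203.0.113.10"  # a constructed host inside the provider's subnet

def next_hop(table, dst):
    """Longest-prefix match over a list of (prefix, next_hop) pairs."""
    ip, best = ipaddress.ip_address(dst), None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None

def trace(tables, start, dst, max_hops=8):
    """Follow next hops from start; stops at a name with no table (an exit line)."""
    path, node = [start], start
    for _ in range(max_hops):
        if node not in tables:
            return path
        hop = next_hop(tables[node], dst)
        if hop is None:
            return path + ["UNREACHABLE"]
        path.append(hop)
        node = hop
    return path

# Router 2 is the provider's locked-down box: provider subnet out over Line 2.
ROUTER2 = [(OFFICE_LAN, "LAN"), (PROVIDER_NET, "LINE2")]
VPN_TUNNEL = [(ANY, "ROUTER1")]  # tunnel over Line 1 terminates on Router 1

def office_path(route_on_router1):
    """Office PC to provider: static route on each PC (False) or on Router 1 (True)."""
    pc = [(OFFICE_LAN, "LAN"), (ANY, "ROUTER1")]
    r1 = [(OFFICE_LAN, "LAN"), (ANY, "LINE1")]
    (r1 if route_on_router1 else pc).insert(0, (PROVIDER_NET, "ROUTER2"))
    return trace({"PC": pc, "ROUTER1": r1, "ROUTER2": ROUTER2}, "PC", PROVIDER_HOST)

def remote_path(use_remote_default_gw, manual_route=False):
    """Laptop on the VPN: full tunnel, or split tunnel with/without a manual route add."""
    laptop = [(HOME_LAN, "HOME_LAN"), (ANY, "VPN" if use_remote_default_gw else "HOME_ROUTER")]
    if manual_route:  # the "route add" for the provider subnet after the VPN comes up
        laptop.insert(0, (PROVIDER_NET, "VPN"))
    r1 = [(OFFICE_LAN, "LAN"), (PROVIDER_NET, "ROUTER2"), (ANY, "LINE1")]
    return trace({"LAPTOP": laptop, "VPN": VPN_TUNNEL, "ROUTER1": r1, "ROUTER2": ROUTER2},
                 "LAPTOP", PROVIDER_HOST)
```

Running `remote_path(False)` shows why a split-tunnel laptop without the extra route never reaches Line 2: its default route sends provider traffic out its home connection instead of the tunnel.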

    Author Comment

    Ok, all makes sense, thanks for explaining!

    The current router is just BT's own fire router, but I guess a Draytek 2860 or similar would do the job.

    Thanks for all your help!


    LVL 31

    Expert Comment

    ISP-provided routers are often quite "dumbed down". I'm not sure about BT's router, you'll have to check in the configuration options and see what is available.

    A Draytek 2860 definitely should be able to do it.
