Bouncing Traffic through office


We have a customer who has 2 broadband lines in their office on the same network. They use a specific piece of software that needs to connect using "line 2" which is a dedicated line for their software. They use a route add on each machine to direct the traffic for the specific external IP range to that line.

What could we do for them to allow them to direct traffic through line 2 when outside the office - so they can use laptops.

Obviously a VPN was the first thought, but that would just route the traffic to the main line - it wouldn't route it back out again on line 2, I don't think.



I don't know exactly how your network is set up but I can take a guess. This sounds very similar to how a few of my clients are set up (they have a software provider that insists on a dedicated Internet connection for their services).

Your software provider probably has a dedicated router onsite which uses the dedicated broadband Internet "Line 2" to establish a site-to-site VPN with their servers outside your network. Then they tell you to set up static routes on your PCs so that traffic destined for their particular subnet routes through THEIR router, instead of yours.

For your own network, you have your own router connecting to the "Line 1" broadband that does all of your own network's normal Internet routing, and it is configured as the default gateway for your PCs and they use it for normal Internet traffic.

I've made a little diagram of what I think your network looks like. Obviously I made assumptions about what are the actual network addresses and subnets that you are using so you'll have to bear with me and translate what I put in the diagram in your head to what your actual network is using.

Hypothetical diagram of your network
Assuming this is pretty much correct, I think you should do a few things:

1) First, instead of adding static routes to each PC, instead add the static route to "" network to ROUTER 1.

Since Router 1 is the default gateway for your PCs, they will send all traffic that isn't on the local subnet there. ROUTER 1 will then send traffic for the subnet to ROUTER 2, which will then route it via whatever VPN / tunneling system it has using Broadband Line 2.

This means that you do not need any special configuration on your PCs. As far as they are concerned, the subnet that your dedicated software is using is just another address out on the Internet somewhere. They do not need to know that it is in-fact being routed via ROUTER 2 over a different Internet connection.

2) Set up a remote access VPN on ROUTER 1. I'm going to assume that you will use the Routing and Remote Access service of a typical Windows Server to set up PPTP VPN and do the necessary port forward of TCP Port 1723 and GRE Protocol 47 on ROUTER 1. But whatever you were planning on doing for a VPN, implement that.

The critical step for your clients is to make sure they are configured to "use the default gateway of the remote connection". That is to say, when your clients are connected to the VPN, ALL Internet traffic passes through the VPN, not just traffic destined for the one local subnet.

In a standard Windows 7 Native VPN Connection, this option is configured under Properties->Networking->TCP/IPv4->Properties->Advanced->"Use default gateway on remote network"

When you do this, ALL Internet traffic (including traffic destined for from the VPN client will go through your VPN (via Broadband Line 1) to the default gateway (ROUTER 1). ROUTER 1 will direct the traffic for the subnet to ROUTER 2, which will route it to your software provider via Broadband Line 2, and you'll have connectivity.

Your remote access clients would connect to the VPN on the WAN IP of Line 1, e.g.

Of course this does mean that ALL Internet traffic for your remote users will go over the VPN, which will impact the overall Internet speeds of your clients while they are connected to the VPN, since their download speed would be limited to Broadband Line 1's upload speed.

If you'd rather have just the two subnets ( and go through the VPN connection and have all other Internet traffic bypass the VPN, you'd have to set up the static routes on the VPN client for the subnet after they establish connectivity to your VPN, so that traffic for is routed to ROUTER 1 via the VPN. You can do this manually with a "route add" command at the command prompt in Windows after VPN connectivity is established. Some VPN clients support adding the route for you automatically. I think OpenVPN and Cisco AnyConnect do support it, but the native Windows PPTP VPN client doesn't really do it, at least not easily.

stevie_deeAuthor Commented:
Frosty555 - thanks so much for your detailed response!

Your presumptions are pretty much spot on - just a few amends as per the updated diagram (Sorry for the Plagiarism)

Network Diagram V2
Router 1 runs DHCP as there is no server onsite currently. It gives the default GW as

We set a static route on each machine to point all traffic for to go through

The software package in question talks directly to an external IP, not internal - so I presume NO VPN is used - only a firewall locking down the incoming traffic on the remote end.

Also, router 2 is locked down so we can't make any changes on it.

Does that change your recommendations?


Nope that sounds just about right, I would not expect the software package to talk to any internal IP addresses. It simply tries to send packets to, the routing table on the computer tells it to send those packets to the gateway (Router 2), and Router 2 handles it from there. It might be a VPN, it might be a simple firewall, it doesn't really matter, as far as you are concerned the process is transparent.

So yes, basically instead of setting the static route on every machine telling it to send traffic destined for to the gateway, put that static route on Router 1 instead.

The flow of traffic will change from:
    PC->Router 2->
                   [via LINE 2]

To this:
    PC->Router 1->Router 2->
                                   [via LINE 2]

The extra "hop" should be unnoticeable provided that Router 1 and your Switch are decent quality pieces of equipment.

And your VPN traffic will look like this:

    Remote PC->VPN Tunnel->Router1->Router 2->
                              [via LINE 1]                      [via LINE 2]

Hopefully Router 1 supports some kind of remote access VPN internally. If not, you might need to find other equipment to implement the remote access VPN, or replace the router. Most of my experience has been with Windows Server running RRAS, but there are plenty of other VPN products out there both in software and hardware form that will arguably do a better job.
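The two routing changes discussed in this thread (moving the provider static route from each PC onto Router 1, and the full-tunnel versus split-tunnel choice for the remote VPN clients) both come down to longest-prefix-match route lookup on each hop. The following is an added example, not code from the thread or from any product mentioned in it: a small routing-table simulator that walks a packet hop by hop through the office and VPN topology. Every address in it is a constructed placeholder (TEST-NET ranges and RFC 1918 space), and the node names (Router1, Router2, VPNServer, HomeISP, LINE1, LINE2) are assumptions standing in for the boxes in the diagrams above; the real subnet and gateway values elided on the page are not known here.

```python
"""Longest-prefix-match routing walk for the office / VPN topology in the thread.

Constructed, hypothetical addresses (assumptions, not the poster's real values):
  office LAN            192.168.1.0/24   Router 1 = .1 (default GW), Router 2 = .2
  provider's service    203.0.113.0/24   reached only via Router 2 and "Line 2"
  VPN client tunnel     10.8.0.0/24      VPN server side = 10.8.0.1
  some other Internet host 198.51.100.5  ordinary traffic
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

NET = ipaddress.ip_network
# A route is (prefix, next-hop node name, metric). A next hop that is not a
# node in TABLES is treated as an exit (an uplink or the client's own ISP).
Route = Tuple[ipaddress.IPv4Network, str, int]

def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Most specific prefix wins; among equal prefix lengths the lowest metric wins.
    This is how 'use default gateway on remote network' takes effect on Windows:
    a second 0.0.0.0/0 via the tunnel with a lower metric than the LAN default."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r[0]]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r[0].prefixlen, r[2]))

def add_static_route(table: List[Route], prefix: str, via: str, metric: int = 1) -> List[Route]:
    """Equivalent of the 'route add <net> mask <mask> <gateway>' step on a client."""
    return table + [(NET(prefix), via, metric)]

# Office PCs before the change: a static route on every PC points the
# provider's subnet at Router 2; everything else goes to Router 1.
PC_BEFORE: List[Route] = [(NET("0.0.0.0/0"), "Router1", 10), (NET("203.0.113.0/24"), "Router2", 1)]
# After the change: PCs only know their default gateway.
PC_AFTER: List[Route] = [(NET("0.0.0.0/0"), "Router1", 10)]
# Router 1 now carries the static route; its own default is Line 1.
ROUTER1: List[Route] = [(NET("0.0.0.0/0"), "LINE1", 10), (NET("203.0.113.0/24"), "Router2", 1)]
# Router 2 is locked down; whatever it does (VPN or firewall) sends out Line 2.
ROUTER2: List[Route] = [(NET("0.0.0.0/0"), "LINE2", 10)]
# The remote-access VPN server sits on the office LAN behind Router 1.
VPNSERVER: List[Route] = [(NET("0.0.0.0/0"), "Router1", 10), (NET("10.8.0.0/24"), "TUNNEL-ONLINK", 1)]
# Laptop with "Use default gateway on remote network" ticked: the tunnel
# default route outranks the home LAN default by metric.
LAPTOP_FULL: List[Route] = [(NET("0.0.0.0/0"), "HomeISP", 25), (NET("0.0.0.0/0"), "VPNServer", 1)]
# Laptop in split-tunnel mode: only the tunnel subnet itself goes via the VPN.
LAPTOP_SPLIT: List[Route] = [(NET("0.0.0.0/0"), "HomeISP", 25), (NET("10.8.0.0/24"), "VPNServer", 1)]
# Same laptop after the manual 'route add' for the provider's subnet.
LAPTOP_SPLIT_ROUTED: List[Route] = add_static_route(LAPTOP_SPLIT, "203.0.113.0/24", "VPNServer")

TABLES: Dict[str, List[Route]] = {
    "PC_before": PC_BEFORE, "PC_after": PC_AFTER, "Router1": ROUTER1, "Router2": ROUTER2,
    "VPNServer": VPNSERVER, "Laptop_full": LAPTOP_FULL,
    "Laptop_split": LAPTOP_SPLIT, "Laptop_split_routed": LAPTOP_SPLIT_ROUTED,
}

def path(start: str, dst: str, max_hops: int = 8) -> List[str]:
    """Follow next hops from `start` until an exit (non-node) is reached."""
    node, hops = start, [start]
    while node in TABLES:
        route = lookup(TABLES[node], dst)
        if route is None:
            hops.append("NO-ROUTE")
            break
        node = route[1]
        hops.append(node)
        if len(hops) > max_hops:
            raise RuntimeError("routing loop: " + " -> ".join(hops))
    return hops

if __name__ == "__main__":
    for start, dst in [("PC_before", "203.0.113.10"), ("PC_after", "203.0.113.10"),
                       ("PC_after", "198.51.100.5"), ("Laptop_full", "203.0.113.10"),
                       ("Laptop_full", "198.51.100.5"), ("Laptop_split", "203.0.113.10"),
                       ("Laptop_split_routed", "203.0.113.10"),
                       ("Laptop_split_routed", "198.51.100.5")]:
        print(f"{start:20s} -> {dst:14s}: " + " -> ".join(path(start, dst)))
```

Running it shows the three points made above in one place: the office PC gains one hop (Router 1) but still exits on Line 2; the full-tunnel laptop reaches Line 2 for the provider's subnet but also drags ordinary browsing through Line 1; and the split-tunnel laptop sends the provider's subnet straight out via its home ISP (which the provider's firewall would not accept) until the extra static route is added, after which only that subnet crosses the tunnel.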
stevie_deeAuthor Commented:
Ok, all makes sense, thanks for explaining!

The current router is just BT's own fire router, but I guess a Draytek 2860 or similar would do the job.

Thanks for all your help!


ISP-provided routers are often quite "dumbed down". I'm not sure about BT's router, you'll have to check in the configuration options and see what is available.

A Draytek 2860 definitely should be able to do it.

Question has a verified solution.