Democratic Underground » Archives » General Discussion (1/22-2007 thru 12/14/2010)

Any computer networking geeks in the house?

This topic is archived.
Sen. Walter Sobchak, Tue Sep-08-09 01:00 AM
Original message
Any computer networking geeks in the house?
Is there a way to tell Windows XP to make certain programs use one network connection and other programs use another? Or to be more specific make network drive and database connections go through the wired connection and all other activity go through the wireless?

The firm I work for is beta testing these little boxes that when installed between your computer and any wired internet connection on earth will immediately connect you to your office network, just as though you were at your desk.

In theory this seems great, indeed it is a great improvement as the old VPN setup just caused blue screens of death - this thing doesn't even interact with Windows. Unfortunately it also makes using the internet painfully slow as everything goes from your present location to California, through the company internet connection and back to you. This also has interesting implications for printing...

Our worthless IT department says disconnect the VPN box when you need to use your local connection and get a very long USB cable and run it from the printer to the computer instead of printing over the network.

I have full admin access to my notebook and can ignore IT with impunity.
lapfog_1, Tue Sep-08-09 01:25 AM
Response to Original message
1. Simply add specific routes to your routing table
for destinations that you already know about. That will force all connections to that destination {specific address or even a entire class of networks} to use the specified interface.

Your company may have other motives in mind for "forcing" the black box connection to be used for all internet access (i.e. it allows them to monitor all sites that you visit, even when using your own computer at home).


dolphindance, Tue Sep-08-09 02:10 AM
Response to Reply #1
2. Yes, what he said. You'll need to use the "route" command to achieve this.
Edited on Tue Sep-08-09 02:11 AM by dolphindance
Also, use "ipconfig" and look at what the configuration is for the Ethernet interface which connects to this special "VPN" box. You'll need to take note of the subnet mask and default gateway as that is what you'll use for the host-specific (or network) routes you'll be adding.

lapfog_1, Tue Sep-08-09 03:48 AM
Response to Original message
3. A rather longer response that doesn't presuppose that you know much about networking
Edited on Tue Sep-08-09 04:04 AM by lapfog_1
so please forgive me covering ground that you already know.

First, let's remove the magic box from the picture for the moment.

So, you have a computer at home (notebook) and it has at least 2 network interfaces.

One you wish to connect to "the internet" (and your work place) and the other you wish to connect to other computers inside your home. (this may NOT be what you want to end up with, but let's go with it for the moment).

IPv4 network addresses (let's ignore IPv6 for the moment as well) are made up of 4 groups of 8 bits (32 bits total).
Each group can contain 256 numbers, from 0 to 255. So the total address range looks like 0.0.0.0 to 255.255.255.255 (4 billion addresses). Class "A" networks fix the first tuple to a particular number, say 61, and allow all of the rest to range from 0 to 255, i.e. 61.0.0.0 to 61.255.255.255; class "B" networks fix the first TWO tuples, and class "C" networks fix the first three. All addresses in the internet are assigned this way. Large internet backbone providers have the larger class "A" nets, as do the government and the military and so on; regional ISPs have the class "B" networks (as part of someone else's class "A"), and some companies (especially those that were around 15 to 20 years ago) have their own class "C" networks.

When you look up, oh say, CNN (run the command "ping www.cnn.com" in your command prompt window), you get addresses like 157.166.226.26 and so on. These are called "real space" addresses. They are what is used to route traffic between your house and your company. You almost never see these on any individual computer today... and the reason is that there are WAY more than 256 devices (routers, computers, smart switches, VPN boxes, hell - refrigerators and car engines) that need or could use an IP (Internet Protocol) address.

IPv6 fixes things, and it's used a great deal by larger companies and backbone ISPs, but not yet (even all these years later) by home computers and routers. We got around the limitations of IPv4 by using "fake space" addresses. These are addresses that, by convention, are NEVER EVER assigned to any given internet associated device or computer. There are three "fake space" ranges, 192.168.X.X, 172.16.X.X and 10.X.X.X, and we developed two other protocols to go with this convention, namely IPNAT and DHCP. IPNAT is Internet Protocol Network Address Translation and DHCP is Dynamic Host Configuration Protocol. The IPNAT will translate from one IP address to some other, using an extra field in the IP protocol in case of duplications. DHCP allows a network device (router) to assign dynamic IP addresses from a pool so that devices that aren't connected all the time don't need a fixed (non-changing) IP address.

Here is how it all fits together.

Your computer (DHCP) connects to an ISP somewhere (cable company, whatever). Usually that company HAS a real IP address or group of addresses assigned to it. Your computer connects to the router at the ISP and requests a dynamic address for itself. The router will assign it a "fake space" address, say 192.168.1.143 (you are the 143rd customer to make a connection in the last hour or so). It then uses IPNAT to map that address (along with all 142 other customers) to a single IP address assigned to that ISP. Now we have 143 devices masquerading as a single IP address, but every packet sent from each of those 143 has some magic bits of information stored in it, so that when the receiving computer (web server) wants to send something back, it simply sends to the single IP address but includes the magic bits somewhere... your ISP router then decodes that and figures out that the packet is meant for YOU and sends it along.

So, that's how almost the entire internet hangs together at this point, along with another important bit of protocol, namely one that translates names into numbers, DNS (thanks to Jon Postel, may he rest in peace).

Oh, there are lots of other things to be sure, but that's the gist of it.

Now, how does all of this apply to your problem.

You have two interfaces, one of which connects to a black box (more on this later), and the other... well you could connect it to the internet, or you could connect it to a LAN (Local Area Network) and use it to get at your printer, for example.
Or vice versa (more on this option in a minute).

Here is what my system looks like (I have a solution like what I just described).


C:\Documents and Settings\Administrator>ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection 8:

Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.0.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :

Ethernet adapter Wireless Network Connection 3:

Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.1.130
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1


C:\Documents and Settings\Administrator>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 1e 2a 4a 85 d7 ...... NETGEAR GA311 Gigabit Adapter - Packet Scheduler
Miniport
0x3 ...00 12 17 aa ae 01 ...... Wireless-G PCI Adapter with SRX - Packet Schedul
er Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.130 25
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.0.0 255.255.255.0 192.168.0.1 192.168.0.1 10
192.168.0.1 255.255.255.255 127.0.0.1 127.0.0.1 10
192.168.0.255 255.255.255.255 192.168.0.1 192.168.0.1 10
192.168.1.0 255.255.255.0 192.168.1.130 192.168.1.130 25
192.168.1.130 255.255.255.255 127.0.0.1 127.0.0.1 25
192.168.1.255 255.255.255.255 192.168.1.130 192.168.1.130 25
224.0.0.0 240.0.0.0 192.168.0.1 192.168.0.1 10
224.0.0.0 240.0.0.0 192.168.1.130 192.168.1.130 25
255.255.255.255 255.255.255.255 192.168.0.1 192.168.0.1 1
255.255.255.255 255.255.255.255 192.168.1.130 192.168.1.130 1
Default Gateway: 192.168.1.1
===========================================================================
Persistent Routes:
None

C:\Documents and Settings\Administrator>


Now, I have defined two fake space class "C" networks, one (192.168.0.X) is used to communicate with my other home computers and printer, and the other (192.168.1.130) is a DHCP assigned IPNATed address that connects to the internet through a local router and ISP. Note that in the routing table that I printed, it shows Destination 0.0.0.0 using gateway 192.168.1.1 and interface 192.168.1.130; the "internal" address of my router is 192.168.1.1 and the interface I use to communicate with it is 192.168.1.130 (the DHCP assigned address). Note also that the netmask for both is 255.255.255.0 (wherever there is a "1" bit in the mask, the IP address of the destination MUST match that of the IP address of the interface). The 0.0.0.0 address is special and is used to indicate a default route for any address that DOESN'T match the netmask rules in the routing table. So, let's say I want to remote login to one of my other home computers, I use a program called ttcp to establish a connection to 192.168.0.11 (a FreeBSD machine). When ttcp tries to make a connection, the Windows routing software looks at the 192.168.0 part of the destination, finds a MATCH in the routing table when the address is only compared in the upper 24 bits (255.255.255.0 mask) with my interface 192.168.0.1. It then sends the packets to that interface, which then sends it to my Gigabit Ethernet switch, and then to my FreeBSD box.

If I send this message to DU, my computer first asks a name server to resolve www.democraticunderground.com, which it does and it finds that it is 216.158.54.197. That doesn't match any specific route in the routing table so the Windows routing software sends it to the "default" route of 0.0.0.0 using the 192.168.1.130 interface and the "gateway" (intermediate first stop) of 192.168.1.1. When that packet arrives at my router, it wraps the packet inside another and adds the IPNAT magic bits, and then sends it to my ISP (my router's gateway), the ISP sends it to ITS ISP and so on till it arrives at DU.

You can SEE this by using the command tracert (trace route) that will show the name (if there is one) and the real IP address of every intermediate "hop" in the packet's travel from your computer to some random web site or destination computer (this can come in handy later).

OK, so all I did to set this up was assign a fixed fake space address to my LAN connection (the 192.168.0.1) address, and make sure I have the netmask set and the gateway address set. For the other address, I let DHCP do the magic. And windows USUALLY does the right thing and sets up the route table all by itself on boot. USUALLY.

If not, you can create a script to "route delete 0.0.0.0" and "route add 0.0.0.0 mask 0.0.0.0 192.168.1.1" and run it at start up to force the correct routes. So long as my internet connection router sets up MY interface through DHCP to BE on the 192.168.1.X network, this works.

So... you COULD do things just like this.

What that means is that traffic to the web will go over your "default" connection to the black box and then to your company and then to the internet. But your local traffic (your printer in your house, other computers in your house, etc) would NOT go over the internet. In fact, with just a bit more magic, you could have your windows box act as the ISP router for all of your other home computers.

OR you could do the following.

Set up your SECOND (non-black box) interface as the "default route" and ONLY use the black box for communicating with your company HQ. Both the black box AND your second interface could share the same "WAN" connection, but only traffic destined for your office would actually go to your office computers and routers... all of your local traffic (your printer) would stay inside your house, and your web traffic would go to the web. Here is how we pull this off.

First you need to find out what the address ranges are used internally at your company. You can ping them with the setup you have now and find out... or you could ask your IT guys. You then set the interface for the black box to ONLY handle that range of addresses (let's guess and say it's a full class "B" subnet in the fake space of, say, 10.12.X.X). So, you add a specific route for that... "route add 10.12.0.0 mask 255.255.0.0 192.168.10.1" (where 192.168.10.1 is the address of your black box and, say, 192.168.10.103 is the assigned address of the interface that connects to it).

Then you add a default route for the second interface that bypasses the black box and connects directly to your internet WAN router (to your ISP). Make sure this one is the default or 0.0.0.0 route.

Now, so long as all of your other local devices are NOT 10.12.X.X, traffic to them will ALSO choose the default route, and head for your router inside your house (but on the interface not connected to the black box). If that router has (as most do) a set of ports, and everything inside the house connects to one of those ports, the router will immediately route the printer traffic to the printer without you having to do anything else... no more cross country trips.

Hope this helps. If I've rambled too long here, sorry...
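Added example, not code from the thread or from any poster: a Python script that parses the `route print` table lapfog_1 posted, applies the rule the post walks through (longest matching netmask wins, lowest metric breaks ties) to the two destinations it uses (192.168.0.11 and 216.158.54.197), then models the second option in reply 3 (local router as default, only the corporate range through the box) and emits the cmd.exe `route` lines that make that change. The 10.12.0.0/16 corporate range and the 192.168.10.1 / 192.168.10.103 box addresses are the guesses reply 3 itself uses; the 192.168.10.0/24 table row is constructed to stand in for the box's interface.

```python
# Added example, not code from the thread: model Windows route selection over
# the `route print` table posted in reply 3 and generate the cmd.exe lines for
# the split-tunnel layout it describes.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional

# Constructed input: the "Active Routes" rows from the posted `route print`,
# plus one assumed row for the VPN-box side (interface 192.168.10.103 on the
# box's 192.168.10.0/24, the guessed addresses reply 3 uses).
ROUTE_PRINT = """\
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.130 25
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.0.0 255.255.255.0 192.168.0.1 192.168.0.1 10
192.168.0.1 255.255.255.255 127.0.0.1 127.0.0.1 10
192.168.0.255 255.255.255.255 192.168.0.1 192.168.0.1 10
192.168.1.0 255.255.255.0 192.168.1.130 192.168.1.130 25
192.168.1.130 255.255.255.255 127.0.0.1 127.0.0.1 25
192.168.1.255 255.255.255.255 192.168.1.130 192.168.1.130 25
192.168.10.0 255.255.255.0 192.168.10.103 192.168.10.103 20
224.0.0.0 240.0.0.0 192.168.0.1 192.168.0.1 10
224.0.0.0 240.0.0.0 192.168.1.130 192.168.1.130 25
255.255.255.255 255.255.255.255 192.168.0.1 192.168.0.1 1
255.255.255.255 255.255.255.255 192.168.1.130 192.168.1.130 1
Default Gateway: 192.168.1.1
"""


@dataclass(frozen=True)
class Route:
    dest: str
    mask: str
    gateway: str
    interface: str
    metric: int

    @property
    def network(self) -> IPv4Network:
        # ipaddress accepts "address/dotted-netmask"; strict=False tolerates host bits
        return IPv4Network(f"{self.dest}/{self.mask}", strict=False)


def parse_route_print(text: str) -> List[Route]:
    """Keep only the 5-column rows whose first four fields are dotted quads."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue
        try:
            for field in parts[:4]:
                IPv4Address(field)
        except ValueError:
            continue
        routes.append(Route(parts[0], parts[1], parts[2], parts[3], int(parts[4])))
    return routes


def select_route(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest prefix wins; among equal prefixes the lowest metric wins."""
    addr = IPv4Address(dst)
    matches = [r for r in routes if addr in r.network]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.network.prefixlen, -r.metric))


def pin_corp_to_vpn(routes: List[Route], corp_net: str, vpn_gateway: str,
                    vpn_iface: str, lan_gateway: str, lan_iface: str) -> List[Route]:
    """Table after reply 3's second option: drop the old default, make the LAN
    router the default, and send only corp_net to the VPN box."""
    net = IPv4Network(corp_net, strict=False)
    kept = [r for r in routes if r.network.prefixlen != 0]
    return kept + [
        Route("0.0.0.0", "0.0.0.0", lan_gateway, lan_iface, 1),
        Route(str(net.network_address), str(net.netmask), vpn_gateway, vpn_iface, 1),
    ]


def split_tunnel_commands(corp_net: str, vpn_gateway: str, lan_gateway: str) -> List[str]:
    """The cmd.exe lines that make the same change on the real box.
    -p keeps the routes across reboots; all three need an admin prompt."""
    net = IPv4Network(corp_net, strict=False)
    return [
        "route delete 0.0.0.0",
        f"route -p add 0.0.0.0 mask 0.0.0.0 {lan_gateway} metric 1",
        f"route -p add {net.network_address} mask {net.netmask} {vpn_gateway} metric 1",
    ]


if __name__ == "__main__":
    table = parse_route_print(ROUTE_PRINT)
    for dst in ("192.168.0.11", "216.158.54.197", "10.12.5.7"):
        r = select_route(table, dst)
        print(f"{dst:>16} -> gateway {r.gateway:<15} via {r.interface}")
    print("--- after pinning 10.12.0.0/16 to the VPN box ---")
    fixed = pin_corp_to_vpn(table, "10.12.0.0/16", "192.168.10.1",
                            "192.168.10.103", "192.168.1.1", "192.168.1.130")
    for dst in ("10.12.5.7", "10.13.0.1", "216.158.54.197"):
        r = select_route(fixed, dst)
        print(f"{dst:>16} -> gateway {r.gateway:<15} via {r.interface}")
    print("\n".join(split_tunnel_commands("10.12.0.0/16", "192.168.10.1", "192.168.1.1")))
```

Before the change the model sends 10.12.5.7 out the default (LAN) path, which is the mirror image of the OP's problem; after it, 10.12.x.x goes to the box and everything else stays local. On the real machine, verify with `route print` (the new 10.12.0.0 row should list the box as gateway and the "Default Gateway:" line should show the home router) and with `tracert` to one corporate host and one public site. Two caveats: if the DHCP lease on the LAN side hands out a different gateway later, the persistent 0.0.0.0 route will point at the wrong address and will need re-adding; and if corporate hostnames only resolve through a DNS server inside the office, that server's address has to be routed through the box too, or the lookups will go out the local path and fail.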
 
PCIntern, Tue Sep-08-09 05:43 AM
Response to Reply #3
4. I just bookmarked this thread and saved your explanation
in a separate file.

thanks so much for helping the rest of us serendipitously!

:hi:

eShirl, Tue Sep-08-09 06:58 AM
Response to Reply #4
7. also bookmarking
:)

alc, Tue Sep-08-09 06:44 AM
Response to Reply #3
5. good reply
glad I don't need to write all of that now :) The one thing I'd add is that some VPN clients insist on being the default and won't let you change routes.

lapfog_1, Tue Sep-08-09 02:08 PM
Response to Reply #5
8. It should be the case that his black box
has all the VPN magic contained within.

So his Windows machine should be isolated from knowing anything about it.

Probably it does its own DHCP for the client (his notebook), its own encryption, and establishes a VPN tunnel through his ISP to his company, penetrates the firewall, and makes his laptop look like it's now "inside the fence" (i.e. the VPN endpoint inside the firewall is like he took his notebook to the office and used the local internal router to get a DHCP address assigned, most likely from the internal "fakespace" address range).

Now, for anything he does (normally) from inside his house, other than bandwidth and latency, it appears that he is local to the office. Kinda annoying sometimes; the last office I worked at had the same sort of setup, and we used an IBM app called "sametime" to do real time chat (since this was AT IBM, not surprising to pick that app). Anyway, when you were working remote, you appeared (to people at work) to be "in"... and I constantly had people saying "hey, I'll drop by in 10 min and we can whiteboard..." and I had to type back "nah, I'm at home and VPN'd in so this will have to wait till tomorrow" or whatever. I always wondered why they didn't assign the VPN endpoints to a specific address range of the internal "fakespace" and then use that fact to tell "sametime" that you are not "at your desk" (visible as an icon in the chat app).

Anyway, his black box probably hides all of the VPN magic from his notebook, so there should be no TECHNICAL reason to have the black box VPN interface as the "default" route out of his notebook. As I suggested in another post, there may always be "policy" reasons having to do with recording the websites you visit and snoop on him. It's an increasing problem with our corporate masters these days.

Sen. Walter Sobchak, Wed Sep-09-09 01:36 AM
Response to Reply #8
13. that is right,
Edited on Wed Sep-09-09 01:38 AM by Sen. Walter Sobchak
Unfortunately I have to be very vague because the device in question is an unreleased prototype - the device isn't entirely invisible to the computer, there is a utility for configuring it and a status monitor - but from a networking perspective the VPN connection appears to just be an ethernet connection.

The company doesn't monitor internet use, I have thirty people under me and I would know about it if we did.

The VPN push came out of an episode in which one of our lawyers had their laptop confiscated by US Customs. When overseas we are to use these boxes to establish a secure connection back to the office where we can access the company databases and file servers and before our return we have bootable USB sticks that use Norton Ghost to reload Windows etc and make it look really, really mundane.

If we had a European client data breach because of a US Customs inspection the EU would sodomize us.

This however is little more than a pain to me because these days I am just camping out at a very small Canadian satellite office that is too small to even have a receptionist and they want us to use these to seamlessly call home. The only problem is it is really, really slow and when I press print, it prints in Costa Mesa!

Sen. Walter Sobchak, Tue Sep-08-09 08:10 PM
Response to Reply #3
10. Wow, that is an incredible explanation
I will see if I can sort it out tomorrow, just knowing it is possible is a step in the right direction.

Thanks!

eShirl, Tue Sep-08-09 06:53 AM
Response to Original message
6. BTW for future reference, we have a Computer Help & Support Forum here at DU

lapfog_1, Tue Sep-08-09 02:10 PM
Response to Reply #6
9. Perhaps the mods should move this entire thread there.
Or at least cross post it there. There may be other network experts that want to chime in with their ideas.

I haven't heard back from OP with either more questions or more specific information that would be needed in order to be very specific as to a solution.


lpbk2713, Tue Sep-08-09 08:23 PM
Response to Reply #9
12. Mods ... don't move this yet.

Leave it here in GD a while longer so it can get the recs it deserves.

And ... perhaps more people would see it here and just maybe more would benefit from it.

:thumbsup: :thumbsup:

Excellent advice.

ddeclue, Tue Sep-08-09 08:14 PM
Response to Original message
11. This can be very very difficult to accomplish if the software involved isn't
yours to tinker with (i.e. you have the source and can modify it at will.)

If you don't have the source, the answer would depend on the software involved as to whether it could be done at all.

Your only real option is to disable the broadband connection if it is too slow /unreliable.

You could upgrade your wireless to N class 300 Mbit but even this may not be fast enough for your needs - certainly still much slower than high end wired connections (10GBit).

Doug D.

© 2001 - 2011 Democratic Underground, LLC