Fog Creek Software
Discussion Board

IP Routing

My pc has two network cards: one that I use to connect to my LAN (and internet) and another that I use to connect to another private WAN.  Security issues mean that my connection to the WAN can't be through my local network - so I have to disable my LAN connection and enable the WAN connection and vice versa every time I change between them.  My question is: can I automate this to ensure that all connections to certain IPs go through one network connection and all others go through the other connection?  Not very clued up on this stuff, so I don't know if it is even possible.  XP machine.

Thursday, June 03, 2004

There may be a way to set a routing table similar to the Unix "route" command, but fundamentally this really has no bearing on running a segregated network.

Assuming that your LAN uses a reserved IP domain (like 10.xxxx) or even your own class C address space perhaps, then IP routing to hosts on the WAN (internet) will only go through the WAN interface because they would not be reachable via the LAN.  Same is true vice-versa, LAN addresses won't be reachable via the WAN.

The real question then is: are you running software that would bridge packets across the WAN to LAN interface?  I suppose that the reason that you're not allowed to run both LAN/WAN simultaneously is that your admin cannot be sure that you're not running a bridge of some sort.  And if not you, then who?

You are compromising network security by running a computer that sometimes connects to the WAN on the LAN - namely because you may be leaking information back and forth between the 2 - either intentionally or unintentionally.  The reason for disallowing simultaneous connections really just has to do with "leak rate".  You won't allow for real-time transfer of data from LAN to WAN if you're not allowed to connect to both at the same time.

Thursday, June 03, 2004

The route command exists in XP and can be used to set up just this, don't ask me how, once upon a time I understood it all but I've blissfully forgotten now.

Peter Ibbotson
Thursday, June 03, 2004

Try doing an ipconfig command in a dos box.
Look at the IP address and the netmask for each interface. The addresses must be different. The netmask is how your PC determines what packets go where. If you AND the netmask with the IP address, and compare the answer to the destination IP address AND the netmask, the PC will try and send the packet on that subnet.
If there is not a match, the packet will be sent to the default router. (The default router or gateway is how you get to the rest of the universe from the local subnet).
So, you should only have one default router on the WAN.
If the IP AND the netmask on both interfaces are equal, the subnet of the LAN will probably need to be changed to be different than the WAN.
If the IP AND netmask of each interface is different, the PC can determine LAN is subnet 1, WAN is subnet 2, and everything else goes to the default router.
This is too short an explanation.
Do not allow your XP machine to be a router between the two subnets (LAN and WAN). I have no idea if it can or if it is turned on by default.

Doug Withau
Thursday, June 03, 2004
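The per-packet decision Doug describes, as an added example that is not from the thread: each interface's netmask is ANDed against the destination, a match means "send on that subnet", otherwise the packet goes to the single default router, and a helper flags the overlapping-subnet case he warns about. All addresses are constructed sample values, not anyone's real configuration.

```python
# Added example, not from the thread: the host-side routing decision that
# Doug Withau describes, plus the overlap check for the "IP AND netmask equal
# on both interfaces" case. Every address here is a constructed sample value.
import ipaddress


def build_interfaces(spec):
    """spec maps an interface name to 'address/netmask' as ipconfig shows it."""
    return {name: ipaddress.ip_interface(addr) for name, addr in spec.items()}


# Constructed sample configuration: one subnet per card, one default gateway
# (on the WAN side only, as the post recommends).
INTERFACES = build_interfaces({
    "LAN": "192.168.1.20/255.255.255.0",
    "WAN": "10.5.7.30/255.255.0.0",
})
DEFAULT_ROUTE = ("WAN", "10.5.0.1")


def overlapping_subnets(interfaces):
    """Return (name, name) pairs whose subnets overlap; a host with such a
    configuration cannot tell which card a packet belongs on, so one subnet
    has to be renumbered (the fix Doug gives)."""
    names = list(interfaces)
    return [
        (a, b)
        for i, a in enumerate(names)
        for b in names[i + 1:]
        if interfaces[a].network.overlaps(interfaces[b].network)
    ]


def choose_route(dst, interfaces=INTERFACES, default=DEFAULT_ROUTE):
    """Return (interface, next_hop) for a destination address.
    next_hop is None when the destination is on a directly attached subnet."""
    dst = ipaddress.ip_address(dst)
    best = None  # (name, prefixlen) of the most specific matching subnet
    for name, iface in interfaces.items():
        net = iface.network
        # The AND comparison from the post: dst & mask == subnet & mask.
        if (int(dst) & int(net.netmask)) == int(net.network_address):
            # If several cards could match, the longest netmask wins,
            # which is how a real routing table breaks the tie.
            if best is None or net.prefixlen > best[1]:
                best = (name, net.prefixlen)
    if best is not None:
        return best[0], None
    # No subnet matched: everything else goes to the default router.
    return default
```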

If you are really worried about security I wouldn't put two LAN cards in a box.  That's pretty weak security.  You could basically turn your box into a router.

On linux it would be something like this:

route add -net <network> netmask <netmask> gw <gateway> eth0

christopher baus (
Thursday, June 03, 2004


> route ADD <destination> MASK <mask> <gateway> METRIC 3 IF 2
  If IF is not given, it tries to find the best interface for a given

christopher baus (
Thursday, June 03, 2004

Try seeing netsh on Windows 2000 and Windows XP. HTH.


Abrar Kazi
Saturday, June 05, 2004
