[NTLUG:Discuss] pass all packets between two nics

Kenneth Loafman ken at lt.com
Thu Jun 5 12:49:20 CDT 2003


Jack Snodgrass wrote:
> On Thu, 05 Jun 2003 08:17:58 -0500, Kenneth Loafman wrote:
> 
> 
>>Jack Snodgrass wrote:
>>
>>>On Wed, 04 Jun 2003 22:38:11 -0500, severia wrote:
>>>
>>>
>>>>>So... you make a VPN connection from your home to work and get a
>>>>>172.16.14.x address assigned to your home machine. You have a
>>>>>secure, encrypted tunnel set up.
>>>>
> 
>>One question about the above scenario.  When I worked at Sabre and used 
>>VPN to access their local network, all internet connections went via 
>>VPN, including browsing, ftp, and so on.  So when you went to some site 
>>and forgot about your VPN connection, the work systems were still 
>>logging your activity.  That's not good for separating your work and 
>>private lives.
>>
>>Is that problem still in VPN connections, or was there something we 
>>needed to unset to get the system to not use VPN for everything?
>>
>>It would be handy to use VPN (ssh is somewhat limited), but not at the 
>>cost of user privacy when at home.
>>
>> ...Ken
> 
> 
> 
> There is something called a 'default route' with TCP/IP. It's the 
> 0.0.0.0 netmask 0.0.0.0 route.  Any addresses that are not 
> specifically listed in your route table to go via a specific ip 
> address will go over your default route. 
> 
> i.e. 
> Destination  Gateway      Genmask         Flags Iface
> 192.168.0.0  10.3.0.1     255.255.255.0   UG    vpn1
> 0.0.0.0      209.225.8.1  0.0.0.0         UG    eth0
> 
> say anything that doesn't go to 192.168.0.0 - 192.168.255.255 
> goes via 209.225.8.1 ( eth0 - isp ). Anything for 
> 192.168.0.0 - 192.168.255.255 goes via the vpn1 ( 10.3.0.1 ) 
> gateway. 
> 
> 
> some VPN setup scripts might try and do:
> Destination  Gateway      Genmask         Flags Iface
> 0.0.0.0      10.3.0.1     0.0.0.0         UG    vpn1
> 209.225.8.0  209.225.8.1  0.0.0.0         UG    eth0
> 
> so that everything but 209.225.8.0-209.225.8.255 goes
> via your VPN. This is what you were talking about. 
> 
> If you know the route commands for your OS, you can 
> manually set ( or do your own script ) that will 
> change the default route so that it goes via your ISP
> and only work related stuff goes via the VPN. It's not 
> something that your local MIS people want to have to 
> explain to everyone, so they take the default... let 
> it go via the VPN and not worry about setting up 
> work routes only for the VPN stuff. 
> 
> 
> When I worked at compaq, I had 45 different subnets that 
> went via the compaq VPN. It was complex... but it let 
> me do my own private surfing even when I had the VPN
> active. 


That's the info I needed.  I had stuck in my head that I needed a 2nd 
NIC, but I forgot that VPN provides its own connection and can be 
treated the same as having a 2nd NIC.

Sometimes the old brain gets stuck on one path...

Thanks for jogging it.

...Ken
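The two routing tables in the quoted reply differ only in where the 0.0.0.0/0 (default) entry points, and that is exactly what decides whether private browsing leaves via the ISP or via the work VPN. The following is an added example, not code from the thread: it implements the longest-prefix-match lookup a kernel performs over a table shaped like the ones posted, runs it against both tables, and generates the per-subnet route commands Jack describes for a split tunnel. Assumptions: the ISP route in the "full tunnel" table is modelled with a /24 mask (the post shows genmask 0.0.0.0 but describes 209.225.8.0-209.225.8.255); the 192.168.0.0 entry keeps the /24 mask exactly as posted, so the lookup shows that 192.168.5.7 would not take the VPN with that mask, which is the kind of check worth running before trusting a hand-built table. Gateways, interface names and destination addresses are constructed sample values.

```python
import ipaddress

# Constructed tables modelled on the two in the post.
# Entry layout: (destination, genmask, gateway, iface)
SPLIT_TUNNEL = [
    ("192.168.0.0", "255.255.255.0", "10.3.0.1", "vpn1"),   # work only, as posted
    ("0.0.0.0", "0.0.0.0", "209.225.8.1", "eth0"),          # default -> ISP
]

FULL_TUNNEL = [
    ("0.0.0.0", "0.0.0.0", "10.3.0.1", "vpn1"),             # default -> VPN
    # Assumption: /24 here; the post writes genmask 0.0.0.0 but describes a /24.
    ("209.225.8.0", "255.255.255.0", "209.225.8.1", "eth0"),
]


def lookup(table, dest):
    """Return (gateway, iface) for dest using longest-prefix match.

    A more specific route (longer mask) always wins over the default route;
    this is why adding a few /24 work routes plus an ISP default is enough
    to keep non-work traffic off the VPN.
    """
    addr = ipaddress.ip_address(dest)
    best, best_len = None, -1
    for network, genmask, gateway, iface in table:
        # ipaddress accepts dotted-quad masks, e.g. "0.0.0.0/0.0.0.0" -> /0
        net = ipaddress.ip_network(f"{network}/{genmask}", strict=False)
        if addr in net and net.prefixlen > best_len:
            best, best_len = (gateway, iface), net.prefixlen
    return best


def classify(table, dests):
    """Map each destination to the interface it would leave on."""
    return {d: lookup(table, d)[1] for d in dests}


def split_tunnel_routes(work_subnets, vpn_gateway, vpn_iface,
                        isp_gateway, isp_iface):
    """Build the `ip route` commands for a split tunnel (Linux iproute2 syntax).

    Returned as strings for review rather than executed; the point is that
    only the listed work subnets are pinned to the VPN and the default
    route stays with the ISP.
    """
    cmds = [f"ip route replace default via {isp_gateway} dev {isp_iface}"]
    for subnet in work_subnets:
        net = ipaddress.ip_network(subnet, strict=False)
        cmds.append(f"ip route add {net} via {vpn_gateway} dev {vpn_iface}")
    return cmds


if __name__ == "__main__":
    # Constructed sample destinations: one work host, one public web server.
    sample = ["192.168.0.10", "64.233.160.1", "192.168.5.7"]
    print("split tunnel:", classify(SPLIT_TUNNEL, sample))
    print("full tunnel: ", classify(FULL_TUNNEL, sample))
    for cmd in split_tunnel_routes(["192.168.0.0/16", "172.16.14.0/24"],
                                   "10.3.0.1", "vpn1", "209.225.8.1", "eth0"):
        print(cmd)
```

Under the split-tunnel table only the work host leaves on vpn1; under the full-tunnel table the public web server does too, which is the logging exposure Ken describes. The 192.168.5.7 case shows the mask doing what it says rather than what the prose intends: with 255.255.255.0 as posted, that address falls through to the ISP default, so a /16 mask is what the described "192.168.0.0 - 192.168.255.255" range actually needs.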
