two NICS, two networks - please help

i have two cards installed, one is hooked up to a cable modem/router (connection 2)
the other is our company's LAN (connection 1)

if i disable connection 1, i can surf the net through the cable connection
if i disable connection 2, i can surf the net through the LAN's proxy, and access all of the network drives

how can i set up my internet to go through connection 2 (cable modem) and not through the lan's proxy and still have access to the network drives?

please help
 

bsobel

First, is this kosher with your company? This type of setup opens them up for additional attacks. That said, what you want is to set up routes so that connection 1 is the primary, but certain ip ranges get routed over connection 2. From the cmd prompt type 'route', that should get you started (it's hard to tell you the exact settings you need without knowing more about your network configuration)
Bill
 

well, it's not kosher with IT...but with my job, i NEED to have a constant internet connection - IT refused to help
i went over their heads, and got permission from upper management...so i'm safe :)

i typed 'route' in a cmd window...it displayed the help file - but i really have no clue what any of that means
my networking knowledge is minimal...i got the router and everything configured on one card.....but beyond that i don't know what i'm doing

what do i have to do with the routing tables?
can i back up my routing info before i change anything (i'd hate to have to have IT come up here and fix my machine hehe)
 

spidey07

You can set your default route to the cable modem NIC and then add a route with a mask of 255.0.0.0 or 255.255.0.0 for your internal networks.

You do realize the kind of trouble this WILL cause for your internal network? I'm not going to rant but for the love of god at least run a software firewall and keep your virus patterns completely up to date and running at all times.

As an aside - people have been fired for doing exactly what you are attempting.
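How a routing table like the one described in the post above resolves destinations, as an added example that is not part of the original thread: the most specific matching route wins, and the metric only breaks ties between routes of equal prefix length. The table is constructed; the gateways are the two default gateways from the ipconfig output posted later in the thread, and the interface labels and metrics are assumptions.

```python
import ipaddress

# Constructed route table (not taken from the poster's machine). Gateways are
# the two "Default Gateway" values from the ipconfig output later in the thread;
# the interface labels and metrics are made-up values chosen to show the tie-break.
ROUTES = [
    # (destination,    gateway,       interface, metric)
    ("0.0.0.0/0",      "192.168.1.1", "cable",   20),
    ("0.0.0.0/0",      "10.14.253.2", "lan",     30),
    ("10.0.0.0/8",     "10.14.253.2", "lan",     20),
    ("10.14.0.0/16",   "on-link",     "lan",     20),
    ("192.168.1.0/24", "on-link",     "cable",   20),
]

def select_route(dest, routes=ROUTES):
    """Pick the route for dest: longest matching prefix, then lowest metric."""
    addr = ipaddress.ip_address(dest)
    matches = [
        (ipaddress.ip_network(net), gw, iface, metric)
        for net, gw, iface, metric in routes
        if addr in ipaddress.ip_network(net)
    ]
    if not matches:
        return None
    net, gw, iface, metric = max(matches, key=lambda r: (r[0].prefixlen, -r[3]))
    return {"network": str(net), "gateway": gw, "interface": iface, "metric": metric}

def egress_map(destinations, routes=ROUTES):
    """Map each destination to the interface its traffic would leave by."""
    return {d: select_route(d, routes)["interface"] for d in destinations}

if __name__ == "__main__":
    # Internal server, second internal DNS server, external DNS server, router.
    for d in ("10.14.1.3", "10.1.120.2", "208.212.76.4", "192.168.1.1"):
        print(d, "->", select_route(d))
```

With two default routes present, the metric alone decides which NIC carries internet traffic, which is why an audit of such a host looks at the whole table and not only at the gateway fields.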
 

how do i set the routes?

i'm not worried about getting fired, the publisher of the newspaper where i work gave the go-ahead with the plans
 

spidey07

Then I would fire the publisher. Seriously. It is THAT serious. Or at least demote his duties. I have indeed gotten a vice president demoted for abusing network resources and network security. no lie. He was later found searching for other opportunities as his career hit a dead end. Think of what you are doing as carrying a gun into work or bringing drunken unauthorized guests to work. Same thing - violating security policy.

At the command line you can type "route /?" for syntax.
 

why is it so serious?
i bet the cable connection our department got is more secure than the T1 that supplies the LAN....
our IT department had their chance...when we went to them for a backup connection, they said to do it ourselves

i see all the syntax for the route command....but i have no idea what to do, i'm not even sure exactly how this routing thing works
 

JackMDS

Well, let's say that you are in a Motel. It is common knowledge that you have a lot of money and jewelry in your room.

Your friend is in the next room and he is insisting that you keep the internal door between the two rooms always open.

Your friend is a nice guy, but he forgot to lock his room Oops. :Q
 

very nice analogy :)

the router we have is a linksys with advanced firewall...not sure how secure that will be, but in any case - the IT department has told us to do it on our own
they're liable

i've done some research on the route table and how to change stuff...but i'm still a bit lost

what's the METRIC stuff?
what gateway and subnet mask do i put for the NIC with the cable modem? Do i have to configure anything on the router?
 

spidey07

jntdesign,

If you can post a "ipconfig /all" from the machine and include any addresses for the linksys firewall maybe we can help.
 

scorpioLP

If your IT department told you to "do it on your own", then they should all be fired.

There is no point in having an IT department if they don't care about network security. If their main focus is to reboot your machine when windows locks up, then they need to hire someone with a sense of network management.

I would not attach an open cable modem machine to your network, you're asking for trouble. If you don't know how to do these setups, then I can pretty much assume your firewall password is "password". It's only a matter of time before something serious happens to the LAN and then they find out where the hole in the network comes from. No one will care who said what to whom when you have to restore a destroyed network from backup, or when your ISP disconnects you and tells you that you're running DoS attacks.
 

Windows IP Configuration

Host Name . . . . . . . . . . . . : ONLINE404
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection 3:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : IBM 10/100 EtherJet PCI Management Adapter #3
Physical Address. . . . . . . . . : 00-06-29-99-65-23
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 10.14.251.9
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 10.14.253.2
DHCP Server . . . . . . . . . . . : 10.14.1.3
DNS Servers . . . . . . . . . . . : 10.14.3.1
10.1.120.2
Primary WINS Server . . . . . . . : 10.14.1.3
Lease Obtained. . . . . . . . . . : Wednesday, October 30, 2002 3:37:11PM
Lease Expires . . . . . . . . . . : Saturday, November 02, 2002 3:37:11PM

Ethernet adapter Local Area Connection 4:

Connection-specific DNS Suffix . : mycablemodemisp.com
Description . . . . . . . . . . . : Linksys LNE100TX Fast Ethernet Adapter(LNE100TX v4)
Physical Address. . . . . . . . . : 00-04-5A-6D-8F-D5
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.101
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 208.212.76.4
76.127.5.3
Lease Obtained. . . . . . . . . . : Thursday, October 31, 2002 11:52:55AM
Lease Expires . . . . . . . . . . : Friday, November 01, 2002 11:52:55 AM


scorpio, i'm not a networking guru...but i'm not an idiot either
i'm doing my job, as told by my boss, and as told by his boss
i agree that it's not a wise thing to do as far as network security goes...but our department needs to have better internet access than what our IT department can provide.
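A defender's check for the condition the replies warn about, as an added example that is not part of the original thread: it parses `ipconfig /all` text and flags a host whose adapters have default gateways on different networks. The sample is trimmed from the output posted above; the function names are hypothetical.

```python
import ipaddress
import re

# Trimmed from the ipconfig /all output posted above (only the fields used here).
SAMPLE = """\
Windows IP Configuration
   IP Routing Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection 3:
   IP Address. . . . . . . . . . . . : 10.14.251.9
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : 10.14.253.2

Ethernet adapter Local Area Connection 4:
   IP Address. . . . . . . . . . . . : 192.168.1.101
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
"""

HEADER = re.compile(r"^\S.* adapter (.+):\s*$")
FIELD = re.compile(r"^\s*([^.:]+?)[ .]*:\s*(.+)$")

def parse_ipconfig(text):
    """Return (global_fields, {adapter: fields}) from ipconfig /all text."""
    global_fields, adapters, current = {}, {}, None
    for line in text.splitlines():
        head, field = HEADER.match(line), FIELD.match(line)
        if head:
            current = adapters.setdefault(head.group(1), {})
        elif field:
            target = global_fields if current is None else current
            target[field.group(1)] = field.group(2).strip()
    return global_fields, adapters

def audit_dual_homed(text):
    """Flag a host whose adapters have default gateways on different networks."""
    global_fields, adapters = parse_ipconfig(text)
    routed = {}
    for name, f in adapters.items():
        if {"IP Address", "Subnet Mask", "Default Gateway"} <= f.keys():
            net = ipaddress.ip_network(f"{f['IP Address']}/{f['Subnet Mask']}", strict=False)
            routed[name] = str(net)
    return {
        "gateway_networks": routed,
        "dual_homed": len(set(routed.values())) > 1,
        "forwarding": global_fields.get("IP Routing Enabled", "No").lower() == "yes",
    }
```

On the sample the host is reported as dual-homed with forwarding off: it does not route packets between the two networks itself, but software running on it can reach both.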
 

heres a little update...i experimented, and learned how to add a route

i added a route for the router (192.168.1.1)
after i did that, i could access the router (but not the internet) through a browser, and still surf (through the proxy on the big LAN)
very cool

then i rebooted, when i logged back on, that route that i had set up was gone
i'm assuming the log-on script that runs when i log on writes the route table?

once i figure out what routes i have to input, is it possible to have a little program that runs after the logon script to set up the NEW routes??

i've learned a lot today!
 

JustinLerner

Why do you all lead this person on to help him as though you were going to help?

On the networks you admin'd or managed, would you like it if some independent at your local organization decided to bypass your LAN security with "upper management's approval"?

Sure upper management understands the 'complaints' of certain workers, but his management obviously has no idea about security.

Help this person if you don't care if stuff like this is done under your jurisdiction.
 

bsobel

Sure upper management understands the 'complaints' of certain workers, but his management obviously has no idea about security.

And that is their choice, it is their company, not IT's. I don't agree with him either, (see my original post), but I did tell him what he needed to do (well, what I said and a little reading on Google). I'm hoping as he works thru the configuration he realizes the issues he could be opening, and addresses them appropriately.

Bill
 

Fatt

Originally posted by: jntdesign...i went over their heads, and got permission from upper management...so i'm safe.


You believe in Santa too?

If you do this I would suggest that you start floating your resume NOW because you will be opening a huge hole into your company's network and when it comes time to blame someone for getting hacked, or worse, your neck is going to start looking real good.

Don't believe me? OK, try it.

But if you're smart and constant internet access really IS mission critical for your job then get management to make the IT dept do it.

The only safe way for YOU to do it is to hook up a separate computer with internet connection that isn't part of your LAN at all.

Almost forgot...
Edit out your ipconfig /all output.
And please... don't post stuff like that again. You have no idea how bad that is.
 

JustinLerner

Originally posted by: jntdesign
Windows IP Configuration
scorpio, i'm not a networking guru...but i'm not an idiot either
i'm doing my job, as told by my boss, and as told by his boss
i agree that it's not a wise thing to do as far as network security goes...but our department needs to have better internet access than what our IT department can provide.

You sound like you have a basic understanding of the security issues and little networking experience. If your manager and his manager understand the issues and implications, surely someone can make a decision to fund a better/faster Internet connection for the entire company. If your approving managers don't understand the security implications or if they aren't the CEO or company owner(s), before you consider pursuing this matter you ought to inform them that such configurations potentially create significant network security issues. If they are at the very pinnacle of the company, informing them of potential risks may prevent them from approving something that may cause harm to the company.

If your company can afford greater and redundant bandwidth, this is the better way to go.
 

JustinLerner

Originally posted by: jntdesign
well, it's not kosher with IT...but with my job, i NEED to have a constant internet connection - IT refused to help
i went over their heads, and got permission from upper management...so i'm safe :)
Hmm, you say you're intelligent, but then if you bypassed IT approval, your aim should have been (and still should be) to increase the capabilities of the company while maintaining security for all. As such, your request to upper management should be to increase corporate bandwidth and speed through the main Internet connection (if one exists).

*ALL FORUM USERS: PLEASE DO NOT ASSIST THIS PERSON IN CIRCUMVENTING SECURITY*


 

we've been requesting a better internet connection from IT for the past 2 years, they claim there's nothing wrong with it
it goes down for 20-30 minutes at a time....10 times a day

we requested a backup connection through them, they said no
we went over their heads, they approved a backup connection
we went to IT for them to do it, they said we'd have to do it on our own

while i agree that what i'm doing could in fact put network security in jeopardy, it is necessary...and i'd be willing to bet i can make our cable connection more secure than IT's T1

but thank you, justin, for crapping in my legitimate request for help thread
 

and as for editing out the ipconfig list....there's only one external IP in there, and i changed it before i pasted it
 

Santa

Someone say my name?? :)

For those non-believers.. I am real!

As for your security concerns. Doing it yourself when you specifically are told by the IT department (hope you got email/paper trails of it) isn't all bad. Apparently you've somewhat thought out some security instead of just hooking up the cable line directly to a PC.

You should however just go the extra step and install a firewall and learn to configure one. If money is a concern there are plenty of free Linux-based ones you can learn to configure and use.

Granted you are relying on your boss and the IT department to catch any sh&% that comes down the hill from above but unless you have worked in the business world for less than 2 weeks you understand that sh&% will always hit the lowest man at the bottom of the hill before it piles up to the top so doing your job is one thing but don't assume those higher on the hill are not going to pass blame down when they see the fingers pointing at them.

Good example is if a service is hacked and the person decides to delete all your files on your important server. IT will blame you. Your boss will blame you. And you will blame..? You?

There is no half-a$$ way at doing a secure line. It's already getting difficult enough to block intruders with a full-fledged firewall in place.
 

thanks for the insight santa
i've always believed in you

the router we have has an advanced firewall, should i still run a software firewall?
i still need to get the route table situation figured out...i got some books from the library about networking...but i haven't figured out what i need

i will, today, get in writing that the task i've been assigned can, and will jeopardize network security
i'll make sure i get it signed, it will say that i'm not responsible, and i'm just doing what i've been commanded to do
 

Woodie

I will, today, get in writing that the task i've been assigned can, and will jeopardize network security
i'll make sure i get it signed, it will say that i'm not responsible, and i'm just doing what i've been commanded to do

This I'd like to see! j/k. I wish you luck on your paperwork mission. I'd be very curious to hear what management did when presented with a paper document that says that they're holding the ball. I used to fight w/ IT all the time, and embarrassed them in front of management more than once. I'd forgotten that some IT areas are *really* bad, and how much of a PITA it is to try and work with them (and around them!). Now, I'm PART of the IT org (different company!), and I still say this is a bad idea.

Providing backup internet access is a good idea, but it's so much easier to do it "right", at the network level, not at the "add a cable/DSL to my PC" level.
 

Hoober

Have you thought of asking IT to set up a VLAN for the cable modem? They should be able to route it through their security policies.
 

piasabird

The best way to do this is to get a dedicated IP (STATIC IP) from the cable modem people. They may have a business class Gigabit speed option. Then set up the router directly to the Cable modem IP Address. The Cable Modem guys may have a Gateway address but they have to provide that to you. Set this up on a stand alone server and open the ports you need. You would need a special motherboard for a server that can handle 2 nic cards to connect the server to the network. The hard part is not connecting the server to the cable modem, but connecting the server to your network. Technically you should have a firewall between them. NAT firewalls will not stop E-mail viruses and such. A server connected to the internet is open to virus attacks or whatever. The problem is most Cable modems want to use DHCP and your network probably does not use DHCP, in favor of Static IP addresses.

Sounds like to me, you should fire your network people and spend enough money to hire a real network professional. You probably underestimated the cost and the connectivity involved. One option is to hire a networking consultant. Consultants cost more but they can help to fill in the blanks when a person is needed with more expertise than you have.