
I would like to route any internet traffic to a VPN connection, but route corporate traffic to the Ethernet card. I'm a newbie when it comes to routing. I've found a post very close to this topic: "How to route different traffic thru different network interfaces (in Windows)".
In my case there is a VPN connection instead of the 3G card, and I guess I have more than one corporate route (10.3.0., 10.3.4., 10.3.7.).
If I establish the VPN connection (and I check the option "Use default gateway for this adapter"), then all traffic (including the corporate traffic) is routed to the VPN. That is not good, because I cannot access fileshares/services ... in the corp.
I tried to manually set 10 as the metric for the VPN and 12 for the NIC, but nothing changes.
Below is the routing table after the VPN connection was established, and after it was disconnected.
Can you help me change the routing to allow ONLY internet traffic through the VPN? 172.16.36.105 is the VPN adapter and 178.162.193.233 is the IP I get from the VPN server.

This list is bad. In the other block is the corrected one.
After the VPN connection was established:
(default gateway option was enabled)
Network destination        Netmask         Gateway    Interface      Metric
          0.0.0.0          0.0.0.0         10.3.0.1       10.3.4.160   4235
          0.0.0.0          0.0.0.0         10.3.0.1    172.16.36.105   4258
         10.3.0.0    255.255.248.0         10.3.0.1       10.3.4.160   4245
       10.3.4.160  255.255.255.255         10.3.0.1       10.3.4.160   4245
       10.3.7.255  255.255.255.255         10.3.0.1       10.3.4.160   4245
        127.0.0.0        255.0.0.0          On-Link         127.0.0.1   4531
        127.0.0.1  255.255.255.255          On-Link         127.0.0.1   4531
  127.255.255.255  255.255.255.255          On-Link         127.0.0.1   4531
    172.16.36.105  255.255.255.255          On-Link     172.16.36.105    266
  178.162.193.233  255.255.255.255         10.3.0.1       10.3.4.160   4236
        224.0.0.0        240.0.0.0          On-Link         127.0.0.1   4531
        224.0.0.0        240.0.0.0          On-Link        10.3.4.160   4492
        224.0.0.0        240.0.0.0          On-Link     172.16.36.105     11
  255.255.255.255  255.255.255.255          On-Link         127.0.0.1   4531
  255.255.255.255  255.255.255.255          On-Link        10.3.4.160   4491
  255.255.255.255  255.255.255.255          On-Link     172.16.36.105    266





=========================================
After the VPN connection was disconnected:
Network destination        Netmask          Gateway    Interface     Metric
          0.0.0.0          0.0.0.0         10.3.0.1       10.3.4.160     10
         10.3.0.0    255.255.248.0         10.3.0.1       10.3.4.160     20
       10.3.4.160  255.255.255.255         10.3.0.1       10.3.4.160     20
       10.3.7.255  255.255.255.255         10.3.0.1       10.3.4.160     20
        127.0.0.0        255.0.0.0          On-Link         127.0.0.1    306
        127.0.0.1  255.255.255.255          On-Link         127.0.0.1    306
  127.255.255.255  255.255.255.255          On-Link         127.0.0.1    306
        224.0.0.0        240.0.0.0          On-Link         127.0.0.1    306
        224.0.0.0        240.0.0.0          On-Link        10.3.4.160    266
  255.255.255.255  255.255.255.255          On-Link         127.0.0.1    306
  255.255.255.255  255.255.255.255          On-Link        10.3.4.160    266
===============================CORRECTED===================================
===========================================================================
=============="Use default gateway on remote network" ticked===============
Interface list
 42...........................Test-connection
 24...00 09 0f fe 00 01 ......Fortinet virtual adapter
 23...00 ff e1 6f 17 03 ......TAP-Windows Adapter V9
 19...d0 53 49 68 95 62 ......Bluetooth-Device (PAN)
 11...34 e6 d7 60 b5 af ......Intel(R) Ethernet Connection I217-LM
  1...........................Software Loopback Interface 1
 17...00 00 00 00 00 00 00 e0 Microsoft-ISATAP-Adapter
 18...00 00 00 00 00 00 00 e0 Microsoft-ISATAP-Adapter #2
 16...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
 21...00 00 00 00 00 00 00 e0 Microsoft-ISATAP-Adapter #3
 26...00 00 00 00 00 00 00 e0 Microsoft-ISATAP-Adapter #4
===========================================================================

IPv4-Route table
===========================================================================
Activ Routes:
     Network destination      Mask          Gateway        Interface  Metric
          0.0.0.0          0.0.0.0         10.3.0.1       10.3.4.160   4235
          0.0.0.0          0.0.0.0          On-Link     172.16.36.134     11
         10.3.0.0    255.255.248.0         10.3.0.1       10.3.4.160   4245
       10.3.4.160  255.255.255.255         10.3.0.1       10.3.4.160   4245
       10.3.7.255  255.255.255.255         10.3.0.1       10.3.4.160   4245
        127.0.0.0        255.0.0.0          On-Link         127.0.0.1   4531
        127.0.0.1  255.255.255.255          On-Link         127.0.0.1   4531
  127.255.255.255  255.255.255.255          On-Link         127.0.0.1   4531
    172.16.36.134  255.255.255.255          On-Link     172.16.36.134    266
  178.162.193.233  255.255.255.255         10.3.0.1       10.3.4.160   4236
        224.0.0.0        240.0.0.0          On-Link         127.0.0.1   4531
        224.0.0.0        240.0.0.0          On-Link        10.3.4.160   4492
        224.0.0.0        240.0.0.0          On-Link     172.16.36.134     11
  255.255.255.255  255.255.255.255          On-Link         127.0.0.1   4531
  255.255.255.255  255.255.255.255          On-Link        10.3.4.160   4491
  255.255.255.255  255.255.255.255          On-Link     172.16.36.134    266
===========================================================================
Persistent Routes:
  None

IPv6-Route table
===========================================================================
Activ Routes:
 If Metric Network destination              Gateway
  1    306 ::1/128                          On-Link
  1    306 ff00::/8                         On-Link
===========================================================================
Persistent Routes:
 If Metric Network destination                       Gateway
  0 4294967295 ::/0                     2001:470:1f1a:3b5::1
===========================================================================
===========================================================================





===========================================================================
=============="Use default gateway on remote network" UNticked=============
Interface list
 42...........................Test-Connection
 24...00 09 0f fe 00 01 ......Fortinet virtual adapter
 23...00 ff e1 6f 17 03 ......TAP-Windows Adapter V9
 19...d0 53 49 68 95 62 ......Bluetooth-Device (PAN)
 11...34 e6 d7 60 b5 af ......Intel(R) Ethernet Connection I217-LM
  1...........................Software Loopback Interface 1
 17...00 00 00 00 00 00 00 e0 Microsoft-ISATAP-Adapter
 18...00 00 00 00 00 00 00 e0 Microsoft-ISATAP-Adapter #2
 16...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
 21...00 00 00 00 00 00 00 e0 Microsoft-ISATAP-Adapter #3
 26...00 00 00 00 00 00 00 e0 Microsoft-ISATAP-Adapter #4
===========================================================================

IPv4-Route table
===========================================================================
Activ Routes:
     Network destination      Mask          Gateway        Interface  Metric
          0.0.0.0          0.0.0.0         10.3.0.1       10.3.4.160     10
         10.3.0.0    255.255.248.0         10.3.0.1       10.3.4.160     20
       10.3.4.160  255.255.255.255         10.3.0.1       10.3.4.160     20
       10.3.7.255  255.255.255.255         10.3.0.1       10.3.4.160     20
        127.0.0.0        255.0.0.0          On-Link         127.0.0.1    306
        127.0.0.1  255.255.255.255          On-Link         127.0.0.1    306
  127.255.255.255  255.255.255.255          On-Link         127.0.0.1    306
       172.16.0.0      255.255.0.0      172.16.36.1     172.16.36.73     11
     172.16.36.73  255.255.255.255          On-Link      172.16.36.73    266
  178.162.193.233  255.255.255.255         10.3.0.1       10.3.4.160     11
        224.0.0.0        240.0.0.0          On-Link         127.0.0.1    306
        224.0.0.0        240.0.0.0          On-Link        10.3.4.160    266
        224.0.0.0        240.0.0.0          On-Link      172.16.36.73    266
  255.255.255.255  255.255.255.255          On-Link         127.0.0.1    306
  255.255.255.255  255.255.255.255          On-Link        10.3.4.160    266
  255.255.255.255  255.255.255.255          On-Link      172.16.36.73    266
===========================================================================
Persistent routes:
  None

IPv6-Route table
===========================================================================
Activ Routes:
 If Metric Net destination          Gateway
  1    306 ::1/128                  On-Link
  1    306 ff00::/8                 On-Link
===========================================================================
Persistent Routes:
 If Metric net destination                           Gateway
  0 4294967295 ::/0                     2001:470:1f1a:3b5::1
===========================================================================
===========================================================================






===========================================================================
===============================VPN Disconnected============================
Interface list
 24...00 09 0f fe 00 01 ......Fortinet virtual adapter
 23...00 ff e1 6f 17 03 ......TAP-Windows Adapter V9
 19...d0 53 49 68 95 62 ......Bluetooth-Device (PAN)
 11...34 e6 d7 60 b5 af ......Intel(R) Ethernet Connection I217-LM
  1...........................Software Loopback Interface 1
 17...00 00 00 00 00 00 00 e0 Microsoft-ISATAP-Adapter
 18...00 00 00 00 00 00 00 e0 Microsoft-ISATAP-Adapter #2
 16...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
 21...00 00 00 00 00 00 00 e0 Microsoft-ISATAP-Adapter #3
===========================================================================

IPv4-Route table
===========================================================================
Activ Routes:
     Network destination      Mask          Gateway        Interface  Metric
          0.0.0.0          0.0.0.0         10.3.0.1       10.3.4.160     10
         10.3.0.0    255.255.248.0         10.3.0.1       10.3.4.160     20
       10.3.4.160  255.255.255.255         10.3.0.1       10.3.4.160     20
       10.3.7.255  255.255.255.255         10.3.0.1       10.3.4.160     20
        127.0.0.0        255.0.0.0          On-Link         127.0.0.1    306
        127.0.0.1  255.255.255.255          On-Link         127.0.0.1    306
  127.255.255.255  255.255.255.255          On-Link         127.0.0.1    306
        224.0.0.0        240.0.0.0          On-Link         127.0.0.1    306
        224.0.0.0        240.0.0.0          On-Link        10.3.4.160    266
  255.255.255.255  255.255.255.255          On-Link         127.0.0.1    306
  255.255.255.255  255.255.255.255          On-Link        10.3.4.160    266
===========================================================================
Persistent routes:
  None

IPv6-Route table
===========================================================================
Activ Routes:
 If Metric Network destination             Gateway
  1    306 ::1/128                          On-Link
  1    306 ff00::/8                         On-Link
===========================================================================
Persistent Routes:
 If Metric Network destination                      Gateway
  0 4294967295 ::/0                     2001:470:1f1a:3b5::1
===========================================================================
===========================================================================

Any advice is welcome :-)
Daniel


Thanks for the answers. I did the following: in the properties of the Ethernet card and of the VPN connection I unticked the option "Automatic metric". For Ethernet I set a manual metric of 40, and 30 for the VPN. And for the VPN I unticked "Use default gateway on remote network". Connecting to the VPN: internet is still going through the corp. gateway and I have access to fileshares.

If I execute the command "route delete 0.0.0.0 mask 0.0.0.0", then I have no access to the internet and no access to the fileshares. But in the table there are still routes: 10.3.0. (see BLOCK 1). Am I right to assume that I should have access to the fileshares in this case? Or does this mean that everything (even access to the LAN fileshares) is sent through the internet?

If I do "route add 0.0.0.0 mask 0.0.0.0 10.3.0.1", then everything (internet and fileshares) is OK. Internet goes through the corp. gateway (BLOCK 2). Consequently the only difference between BLOCK 1 and 2 is the line: 0.0.0.0 0.0.0.0 10.3.0.1 10.3.4.160 41

If I do "route add 0.0.0.0 mask 0.0.0.0 172.16.36.56" (the VPN connection), then I have access to the internet through the VPN, but no access to the fileshares.

What could be the correct way to set up the VPN connection in my case? Can you give me some step-by-step instructions :-)

Many thanks, Daniel

===========================================================================
=============================BLOCK 1=======================================
Interface list
 24...00 09 0f fe 00 01 ......Fortinet virtual adapter
 23...00 ff e1 6f 17 03 ......TAP-Windows Adapter V9
 19...d0 53 49 68 95 62 ......Bluetooth-Device (PAN)
 11...34 e6 d7 60 b5 af ......Intel(R) Ethernet Connection I217-LM
  1...........................Software Loopback Interface 1
 17...00 00 00 00 00 00 00 e0 Microsoft-ISATAP-Adapter
 18...00 00 00 00 00 00 00 e0 Microsoft-ISATAP-Adapter #2
 16...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
 21...00 00 00 00 00 00 00 e0 Microsoft-ISATAP-Adapter #3
===========================================================================

IPv4-Routing table
===========================================================================
Activ Routes:
      Network destination      Mask          Gateway        Interface  Metric
         10.3.0.0    255.255.248.0          On-Link        10.3.4.160    296
       10.3.4.160  255.255.255.255          On-Link        10.3.4.160    296
       10.3.7.255  255.255.255.255          On-Link        10.3.4.160    296
        127.0.0.0        255.0.0.0          On-Link         127.0.0.1    306
        127.0.0.1  255.255.255.255          On-Link         127.0.0.1    306
  127.255.255.255  255.255.255.255          On-Link         127.0.0.1    306
        224.0.0.0        240.0.0.0          On-Link         127.0.0.1    306
        224.0.0.0        240.0.0.0          On-Link        10.3.4.160    297
  255.255.255.255  255.255.255.255          On-Link         127.0.0.1    306
  255.255.255.255  255.255.255.255          On-Link        10.3.4.160    296
===========================================================================
Persistent Routes:
  None

IPv6-Route table
===========================================================================
Activ Routes:
 If Metric Network destination      Gateway
  1    306 ::1/128                  On-Link
  1    306 ff00::/8                 On-Link
===========================================================================
Persistent Routes:
 If Metric Network destination             Gateway
  0 4294967295 ::/0                     2001:470:1f1a:3b5::1
===========================================================================
===========================================================================
===========================================================================
==============================BLOCK 2======================================
Interface
 24...00 09 0f fe 00 01 ......Fortinet virtual adapter
 23...00 ff e1 6f 17 03 ......TAP-Windows Adapter V9
 19...d0 53 49 68 95 62 ......Bluetooth-Device (PAN)
 11...34 e6 d7 60 b5 af ......Intel(R) Ethernet Connection I217-LM
  1...........................Software Loopback Interface 1
 17...00 00 00 00 00 00 00 e0 Microsoft-ISATAP-Adapter
 18...00 00 00 00 00 00 00 e0 Microsoft-ISATAP-Adapter #2
 16...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
 21...00 00 00 00 00 00 00 e0 Microsoft-ISATAP-Adapter #3
===========================================================================

IPv4-Route table
===========================================================================
Activ Routes:
     Network destination      Mask          Gateway        Interface  Metric
  DIFFERENCE     0.0.0.0          0.0.0.0         10.3.0.1       10.3.4.160     41
         10.3.0.0    255.255.248.0          On-Link        10.3.4.160    296
       10.3.4.160  255.255.255.255          On-Link        10.3.4.160    296
       10.3.7.255  255.255.255.255          On-Link        10.3.4.160    296
        127.0.0.0        255.0.0.0          On-Link         127.0.0.1    306
        127.0.0.1  255.255.255.255          On-Link         127.0.0.1    306
  127.255.255.255  255.255.255.255          On-Link         127.0.0.1    306
        224.0.0.0        240.0.0.0          On-Link         127.0.0.1    306
        224.0.0.0        240.0.0.0          On-Link        10.3.4.160    297
  255.255.255.255  255.255.255.255          On-Link         127.0.0.1    306
  255.255.255.255  255.255.255.255          On-Link        10.3.4.160    296
===========================================================================
Persistent Routes:
  None

IPv6-Route table
===========================================================================
Activ Routes:
 If Metric Network destination             Gateway
  1    306 ::1/128                          On-Link
  1    306 ff00::/8                         On-Link
===========================================================================
Persistent Routes:
 If Metric Network destination             Gateway
  0 4294967295 ::/0                     2001:470:1f1a:3b5::1
===========================================================================
===========================================================================
deemon
  • What VPN software is being used here? The second default route is wrong, the interface IP is `172.16.36.105` and gateway is `10.3.0.1`, which are in completely different subnets. Which IP is the VPN interface and which one is the ethernet interface? – Tero Kilkanen Aug 08 '16 at 17:44
  • The VPN is the Windows built-in VPN client. Yes, the previous routing table was not 100% correct. I saved it again in 3 cases. The IP of the VPN interface is 172.16.36.134, and the IP of the Ethernet interface is 10.3.4.160. The VPN service is www.vpnbook.com (more specifically de233.vpnbook.com). – deemon Aug 09 '16 at 08:59

1 Answer

What you need to do is called a split tunnel. Very often it is just a checkbox on the VPN client, so if you enable it the LAN traffic is not affected. If it is a Windows VPN you can find it in

Networking tab, "Internet Protocol (TCP/IP)" properties, Advanced, untick "Use default gateway on remote network"

Otherwise you will need to add a specific route for your LAN after the connection is made. This can sometimes be done in the VPN client, or manually, or by a script.

You just need to do it the other way around: change the default gateway to be your LAN router IP and add a static route for the VPN connection afterwards

 route ADD 157.0.0.0 MASK 255.0.0.0  157.55.80.1 METRIC 3 IF 2
destination^              ^mask      ^gateway     metric^    ^
                                                    Interface^
user37572
  • Thanks for the answer. If I untick the option "Use default gateway on remote network", then I have access to the LAN fileshares, but no internet connection at all.
    Can you help me write the "route add" command? Do I have to remove 10.3.0., 10.3.4., 10.3.7. and then add them manually with "route add"? I'm not really sure what the exact command is...
    – deemon Aug 09 '16 at 08:00
  • ROUTE ADD 0.0.0.0 MASK 0.0.0.0 192.168.1.1 METRIC 25 where 192.168.1.1 is the IP of your LAN router – user37572 Aug 09 '16 at 11:30
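
The split-tunnel behaviour discussed in this thread can be checked offline against the question's own routing table. The following is an added example, not code from the question or the answer: it models IPv4 route selection (longest prefix first, then lowest metric) over the "Use default gateway on remote network" ticked table. The addresses 203.0.113.10 and 10.20.0.5 and the extra 10.0.0.0/8 route are constructed for illustration.

```python
import ipaddress

# Active IPv4 routes copied from the question's "ticked" table
# (loopback, multicast and broadcast rows omitted).
ROUTE_PRINT = """\
0.0.0.0          0.0.0.0         10.3.0.1       10.3.4.160   4235
0.0.0.0          0.0.0.0          On-Link     172.16.36.134     11
10.3.0.0    255.255.248.0         10.3.0.1       10.3.4.160   4245
10.3.4.160  255.255.255.255         10.3.0.1       10.3.4.160   4245
172.16.36.134  255.255.255.255          On-Link     172.16.36.134    266
178.162.193.233  255.255.255.255         10.3.0.1       10.3.4.160   4236
"""


def parse_routes(text):
    """Turn 'route print' rows into (network, gateway, interface, metric)."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip headers, separators and blank lines
        dest, mask, gateway, iface, metric = fields
        network = ipaddress.ip_network(f"{dest}/{mask}")
        routes.append((network, gateway, iface, int(metric)))
    return routes


def select_route(routes, destination):
    """Pick the route a packet would take: the most specific matching
    prefix wins; the metric only breaks ties between equal prefixes."""
    addr = ipaddress.ip_address(destination)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r[0].prefixlen, -r[3]))


def egress_interface(routes, destination):
    """Return the local interface address used to reach destination."""
    route = select_route(routes, destination)
    return route[2] if route else None


ROUTES = parse_routes(ROUTE_PRINT)

# Assumption: a hypothetical wider corporate prefix pinned to the LAN
# router, as the answer suggests ("add a specific route for your LAN").
ROUTES_WITH_CORP = ROUTES + [
    (ipaddress.ip_network("10.0.0.0/8"), "10.3.0.1", "10.3.4.160", 1)
]

if __name__ == "__main__":
    # Constructed destinations: internet host, LAN host, the VPN server,
    # and a corporate host outside 10.3.0.0/21.
    for dst in ("203.0.113.10", "10.3.1.20", "178.162.193.233", "10.20.0.5"):
        print(f"{dst:16} before: {egress_interface(ROUTES, dst):14} "
              f"after: {egress_interface(ROUTES_WITH_CORP, dst)}")
```

The 10.3.0.0/21 route keeps LAN traffic on the Ethernet interface even though its metric (4245) is far higher than the VPN default route's (11); metrics only decide between the two 0.0.0.0/0 entries.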