MSFN Forum: DNS Is Getting Confused Using Dual NICs - MSFN Forum

DNS Is Getting Confused Using Dual NICs

#1 Brando569

Posted 21 March 2013 - 10:19 AM

I'm the IT guy at my job and I have dual NICs in my Dell 755. One NIC is connected to my company's corporate domain and is used to access internal sites and the file server (10.160.xx.xx subnet) and the other NIC is used to connect to the corporate network but bypasses the firewall/filtering software (10.1.xx.xx subnet). I'm using a program called ForceBindIP so that I can make specific programs use specific interfaces. The problem that I'm having is that when both interfaces are enabled Windows seems to get confused as to which DNS to use for which interface. Everything worked fine for a day or so until my co-worker disconnected one of my lines because other people in the office needed it. When I reconnected my line, this problem started happening.

If both interfaces are enabled and have the correct IP addresses, web browsing on both browsers linked to their respective interfaces doesn't work because it says that it can't resolve domain names to IP addresses, yet if you use IP addresses everything works fine. As soon as one interface is disabled, everything works fine once again. The NICs are assigned the proper DNS addresses (domain NIC uses the domain's DNS server, the outside NIC uses Comcast's DNS).

I've tried reboots and ipconfig release and renew and it doesn't seem to fix the problem. Any other ideas?

This post has been edited by Brando569: 21 March 2013 - 10:42 AM



#2 uid0

Posted 22 March 2013 - 06:57 AM

Can you run a VM with a 2nd IP address instead?

#3 jaclaz

Posted 22 March 2013 - 07:14 AM

Brando569, on 21 March 2013 - 10:19 AM, said:

I've tried reboots and ipconfig release and renew and it doesn't seem to fix the problem. Any other ideas?


It would be logical to uninstall the TCP/IP stack and BOTH NICs and reinstall/reconfigure the whole lot. :unsure:

A tool like this (example):
http://www.eusing.co...ip_switcher.htm
might be of use, however (to save and re-apply settings).

jaclaz

#4 Tripredacus

Posted 22 March 2013 - 07:15 AM

You should maybe contact your network admin to see if you can get a static IP for use in the corporate network, but I suspect that they wouldn't like the idea of you doing this in the first place. :whistle:

#5 Brando569

Posted 22 March 2013 - 12:43 PM

@uid0 A VM wouldn't be ideal, it would just be easier to stick with my current solution of disabling one interface when I need access to the other.

@jaclaz I could try that. How would I go about removing and reinstalling the TCP/IP stack? In the 15 years of using Windows I've never once done that. That tool may be useful also but probably not, considering that the IPs are on different subnets depending on which interface it is.

@Tripredacus Even though I've met him and talk to him occasionally, I'm pretty sure he wouldn't be too fond of this, neither would my boss. So a static IP is out of the question, I don't understand how this would help with DN resolution though. Are you confusing DHCP (serves out IP address) with DNS (correlates domain names to IP addresses)?


I actually just installed Arch Linux on one of the boxes here in my office (since I'm a Linux guy first and foremost, and my boss said that I could do it) and I know it would be easier to do in Linux but I've hit a roadblock since my domain admin account doesn't have the privileges to add computers to domains so I'm waiting on seeing if I can do that :-/

#6 jaclaz

Posted 22 March 2013 - 01:00 PM

Brando569, on 22 March 2013 - 12:43 PM, said:

@jaclaz I could try that. How would I go about removing and reinstalling the TCP/IP stack? In the 15 years of using Windows I've never once done that. That tool may be useful also but probably not, considering that the IPs are on different subnets depending on which interface it is.

My bad :blushing: , I should have said "reset" TCP/IP:
http://support.micro...kb;en-us;299357

BUT :ph34r: , let me doubt the 15 years :w00t:, on NT and 2K you could actually uninstall it all right:
http://www.ni.com/su...work/nt_tcp.htm
http://support.micro...kb/285034/en-us

The mentioned tool simply saves some settings to a file and then is able to restore them; it couldn't care less about the subnet on which the IPs are, but it represents only a possible way to save some re-typing of the settings.

jaclaz

#7 allen2

Posted 22 March 2013 - 05:36 PM

You shouldn't be doing this in the first place: bypassing the firewall could be considered by your security officer as a fault and they have the right (depending on your contract) to fire you and even sue you.

#8 ihateusernames

Posted 24 March 2013 - 02:25 AM

I've run into problems like this on a regular basis in various Windows versions. It seems like it can handle having both a LAN and a WAN connection, but there is no rhyme or reason as to which is which. I've gotten it to work before, but it's always a crapshoot. I can't imagine getting two separate internet connections to work at the same time.

#9 jaclaz

Posted 24 March 2013 - 03:31 AM

allen2, on 22 March 2013 - 05:36 PM, said:

You shouldn't be doing this in the first place: bypassing the firewall could be considered by your security officer as a fault and they have the right (depending on your contract) to fire you and even sue you.

Sure, and depending on what sites you access from the non firewall filtered connection you may have the g-men break into your house at 4:00 AM :w00t: , taking you to Gitmo, without the possibility of any legal assistance. :ph34r:

Come on :).


jaclaz

#10 allen2

Posted 24 March 2013 - 04:06 AM

jaclaz, on 24 March 2013 - 03:31 AM, said:

allen2, on 22 March 2013 - 05:36 PM, said:

You shouldn't be doing this in the first place: bypassing the firewall could be considered by your security officer as a fault and they have the right (depending on your contract) to fire you and even sue you.

Sure, and depending on what sites you access from the non firewall filtered connection you may have the g-men break into your house at 4:00 AM :w00t: , taking you to Gitmo, without the possibility of any legal assistance. :ph34r:

Come on :).


jaclaz


Just an example with stats and another.
Of course if you don't care to keep your work, you can do whatever passes through your mind (and go directly to prison depending on which rule you broke).
People are usually fired for smaller mistakes and I know at least one ex-coworker who got fired for using the network of the client company to transfer movies and TV series with another one. Our company could even sue him but decided not to as the matter needed to stay private and the client company "only requested that he wouldn't be allowed to enter its building".

Jaclaz, come on, real life isn't somewhere without rules. It is the exact opposite: there are rules everywhere and, depending on which one you break, it leads you to prison. Just try to walk outside nude (you are not harming anyone except yourself and might get a cold) but you could end up like Stephen Gough.
Of course I disagree with some rules and I agree with others just like many of us.

#11 Brando569

Posted 25 March 2013 - 10:48 AM

jaclaz, on 22 March 2013 - 01:00 PM, said:

Brando569, on 22 March 2013 - 12:43 PM, said:

@jaclaz I could try that. How would I go about removing and reinstalling the TCP/IP stack? In the 15 years of using Windows I've never once done that. That tool may be useful also but probably not, considering that the IPs are on different subnets depending on which interface it is.

My bad :blushing: , I should have said "reset" TCP/IP:
http://support.micro...kb;en-us;299357

jaclaz


Thanks for the info, a TCP/IP stack reset seemed to fix the problem. I'm surprised that I never had to use that before, you learn something new every day :) The only problem now is that name resolution within the domain seems to be a little slow, but hell it's better than having to keep switching interfaces! Edit: It didn't really work actually, some pages were unblocked while others were still blocked :-/ As soon as I disabled the inside line, everything was accessible so it seems that it's still getting confused.

@Allen2 thanks for the concern but keep ethical issues out of here considering it doesn't help answer the problem at all and just clogs up the thread. Also I can use the "outside line" whenever I would like, I just have to walk into our MDF and connect it. This solution just saves me a few minutes of time whenever I need to access something outside of our network.

This post has been edited by Brando569: 25 March 2013 - 11:13 AM


#12 cluberti

Posted 25 March 2013 - 01:00 PM

If you have two connections to the SAME major network and both have a gateway, Windows will indeed have issues with routing (and modifying binding via program adds an additional layer of complexity that furthers Windows being unaware of what you're doing). Windows isn't designed to route multiple network interfaces to the same major network - if you want internet access to work on one segment and not on another, you need to make sure only that interface has a default gateway set (although that will mean anything that needs to find a route outside the networks directly available will use the interface with the gateway set). There's a bit more to it than this, but that's the "in a nutshell" version - if you have two network interfaces to the same network, and both have gateways, Windows will eventually get confused. Only one interface can have a gateway, or you're going to need to set static routes for everything you want going over each interface - otherwise, you're going to have routing issues.
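
A read-only check for the condition described in the post above (more than one interface holding a default gateway), given here as an added example that is not part of the original thread. It lists every IPv4 default route together with the owning adapter's addresses and DNS servers, and warns when more than one interface has one; the function name Get-DefaultRouteAudit is hypothetical, while Win32_IP4RouteTable and Win32_NetworkAdapterConfiguration are standard Windows WMI classes.

```powershell
# Added example: read-only audit for multiple default gateways on a Windows host.
# Uses WMI classes so it also runs under PowerShell 2.0 on Windows 7.

function Get-DefaultRouteAudit {   # hypothetical helper name
    # Index IP-enabled adapters by InterfaceIndex so routes can be joined to them.
    $adapters = @{}
    Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE" |
        ForEach-Object { $adapters[[int]$_.InterfaceIndex] = $_ }

    # Every 0.0.0.0/0 entry in the IPv4 routing table is a default route.
    Get-WmiObject -Class Win32_IP4RouteTable -Filter "Destination = '0.0.0.0' AND Mask = '0.0.0.0'" |
        ForEach-Object {
            $a = $adapters[[int]$_.InterfaceIndex]
            New-Object PSObject -Property @{
                InterfaceIndex = [int]$_.InterfaceIndex
                NextHop        = $_.NextHop
                # Metric as reported by WMI; confirm the effective value with `route print`.
                Metric         = [int]$_.Metric1
                IPAddress      = $(if ($a) { $a.IPAddress -join ', ' } else { '' })
                DnsServers     = $(if ($a) { $a.DNSServerSearchOrder -join ', ' } else { '' })
                Adapter        = $(if ($a) { $a.Description } else { '(adapter not IP-enabled)' })
            }
        }
}

# Lowest metric first: among routes with the same prefix, Windows prefers the lowest metric.
$routes = @(Get-DefaultRouteAudit | Sort-Object Metric, InterfaceIndex)
$routes | Format-Table InterfaceIndex, Metric, NextHop, IPAddress, DnsServers, Adapter -AutoSize

# Count distinct interfaces that carry a default route.
$ifCount = @($routes | Select-Object -ExpandProperty InterfaceIndex -Unique).Count
if ($ifCount -gt 1) {
    Write-Warning "$ifCount interfaces carry a default route; the host is multihomed with competing gateways."
} elseif ($routes.Count -eq 0) {
    Write-Output 'No IPv4 default route found.'
} else {
    Write-Output 'Single default gateway: off-link traffic has one unambiguous path.'
}
```

The DnsServers column shows which resolvers are attached to each interface, which is the other half of the symptom reported in the first post.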

#13 jaclaz

Posted 25 March 2013 - 01:04 PM

allen2, on 24 March 2013 - 04:06 AM, said:

Jaclaz, come on, real life isn't somewhere without rules. It is the exact opposite: there are rules everywhere and, depending on which one you break, it leads you to prison. Just try to walk outside nude (you are not harming anyone except yourself and might get a cold) but you could end up like Stephen Gough.
Of course I disagree with some rules and I agree with others just like many of us.

Sure, there are Rules (and personally I tend to comply with them), the whole point being that you have NO way to know WHICH specific Rules Brando569 is subject to.

If instead of the "scary tactic" :ph34r: implied in:

allen2, on 22 March 2013 - 05:36 PM, said:

You shouldn't be doing this in the first place: bypassing the firewall could be considered by your security officer as a fault and they have the right (depending on your contract) to fire you and even sue you.

you had used a plainer ;) :

Quote

Please do consider whether bypassing the firewall with that connection is in compliance with the policies your company has set, as it is common that such a behaviour is prohibited.

I wouldn't have commented on it. :)


jaclaz

#14 Brando569

Posted 26 March 2013 - 09:44 AM

Thanks for the info Cluberti, I'll look into setting static routes then! :)

Edit: I looked up how to do it and the process is simple but the idea behind it is confusing me. Using this page as a reference, should I define a route from the internal domain (10.66.160.xxx) to the external network (10.1.10.xxx) or vice versa? I'm trying to understand how this works since I'm a novice when it comes to routing and I have no idea how the routing tables for our network are set up since there are multiple domains and they span the entire USA. The only things I would like outside access for are web browsing and SSH (to my home computer). I need internal access for internal websites, remote desktop connections and SMB shares.

This post has been edited by Brando569: 26 March 2013 - 10:51 AM

