#1 (permalink)
Registered Member
Join Date: Apr 2003
Location: Houston, TX
Posts: 22
Ok... here's the situation.
We have desktops running XP Pro with wired connection to company domain. We have a wireless router connected to a DSL line for guest connectivity. We have a couple of contract employees who need to / have been configured to login to the corporate domain ... but also need to hit Gmail and MSN Messenger - both blocked by Websense on the corp. LAN.
Net Security won't unblock the sites, but has said they have no problem with them using the DSL for Gmail / MSN. So we in the Service Desk have been tasked with finding a way that, either through internal wireless or USB wireless, we can get these guys to be able to access the wired network and get their internet connection from the wifi, without them having to unplug / disconnect-reconnect / etc.
Any help would be greatly appreciated. Thanks in advance.
CyberRodent_X / NetForce-TX

#2 (permalink)
Did you do the math?
Join Date: Apr 2002
Location: Villa Straylight
Posts: 10,358
It can be done by merely enabling both the wired and the wireless interfaces. However, if the users don't unplug/disconnect to switch, then you MUST make sure you don't -and the users can't- bridge the network connections, because otherwise you've got a back door from the outside direct into the corporate domain.
Also, figuring out the default routes can get pretty screwy if you don't know how the automatic metrics work. This will help: Windows XP and Windows Server 2003 Behavior When Connected to Both Wired and Wireless Networks
__________________
Thorn "Read Atlas Shrugged. Compare it to today. Repeat as necessary"
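
An added example, not part of any post in this thread: the route selection that results from enabling both NICs, worked over a constructed `route print` excerpt. The addresses and metrics are sample values and the function names are hypothetical; the point is that Windows chooses the exit interface per destination (longest prefix, then lowest metric), not per application.

```python
import ipaddress

# Constructed `route print` excerpt for a host with wired and wireless NICs
# both enabled. Addresses and metrics are sample values, not from the thread.
ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.1.1.1       10.1.1.50      20
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.101      25
         10.1.1.0    255.255.255.0        10.1.1.50       10.1.1.50      20
      192.168.1.0    255.255.255.0    192.168.1.101   192.168.1.101      25
"""

def parse_routes(text):
    """Return (network, gateway, interface, metric) tuples from route rows."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 5 or not f[4].isdigit():
            continue  # header or any other non-route line
        net = ipaddress.ip_network(f"{f[0]}/{f[1]}")
        routes.append((net, f[2], f[3], int(f[4])))
    return routes

def egress_interface(routes, dest):
    """Interface used for dest: longest prefix wins, then lowest metric."""
    ip = ipaddress.ip_address(dest)
    hits = [r for r in routes if ip in r[0]]
    if not hits:
        return None
    return max(hits, key=lambda r: (r[0].prefixlen, -r[3]))[2]

def audit(text, probes):
    """Summarise default routes and the exit interface for each probe address."""
    routes = parse_routes(text)
    defaults = sorted((r for r in routes if r[0].prefixlen == 0), key=lambda r: r[3])
    return {
        "dual_homed": len({r[2] for r in defaults}) > 1,
        "active_default": defaults[0][1] if defaults else None,
        "egress": {p: egress_interface(routes, p) for p in probes},
    }

if __name__ == "__main__":
    # Corporate host, wireless router, and an Internet address (TEST-NET-3).
    report = audit(ROUTE_PRINT, ["10.1.1.20", "192.168.1.1", "203.0.113.10"])
    for key, value in report.items():
        print(key, value)
```

With these sample metrics the Internet probe leaves through the wired interface, so web traffic would still cross the corporate LAN; a lower metric on the wireless default route reverses that for every application at once.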

#3 (permalink)
Registered Member
Join Date: Apr 2003
Location: Houston, TX
Posts: 22
Thanks Thorn, that's what I was thinking ... that they would just enable both.
It's the routing that has me at a loss... and I'm afraid I understood nothing about the automatic metrics at the link you provided.
I don't suppose there is an easy way -- to tell say Firefox, and the IM messenger to just go out WiFi Connection 1 vs LAN Connection 1??
Hmm... maybe a small / portable proxy server running on the machine? Set up to route out the wifi - and then point the browser and IM to the proxy? Not sure ... and if it's possible, any recommendation on software?
Thanks again
CyberRodent_X / NetForce-TX

#4 (permalink)
Dumbass checker
Join Date: Sep 2002
Location: Somewhere below Lake Ontario
Posts: 1,076
Quote:

#5 (permalink)
Did you do the math?
Join Date: Apr 2002
Location: Villa Straylight
Posts: 10,358
Quote:
Quote:
Here's another MS article on Automatic Metrics that may help answer your question.
All in all, I'd think it would be easier and better to have a separate WLAN for the contract employees, have a VLAN for that wireless, and allow only that VLAN to have access to MSN and Gmail. Assuming that you can do that kind of setup with Websense.
__________________
Thorn "Read Atlas Shrugged. Compare it to today. Repeat as necessary"

#6 (permalink)
Humourless EuroMod.
Join Date: Mar 2004
Location: City of Mermaids, Denmark
Posts: 6,819
Cypher, just some CYA advice here:
Be sure to get the IT admins and the net security guys involved. Allowing people to be on a wireless connection to the internet, while at the same time being connected to the corporate LAN, is a major security risk, and IMNSHO an accident waiting to happen. Bridging between the two NICs is as easy as right-clicking and select on Windows, and whammo: you got a way in to the corporate LAN from the outside.
I know of several companies where it is an automatic pink-slip and a rentacop escort off the premises if people have done that, and at other companies, wifi NICs have been disabled in laptops for the same reason.
Let them know the possible implications, and let them decide whether they want such a hole opened up, or prefer to enable another way of accessing MSN and GMAIL.
Dutch
__________________
All your answers are belong to Google. SEARCH DAMMIT! Warning. Warning. Low C8H10N4O2 level detected. Operator halted....

#8 (permalink)
Free Public Wifi
Join Date: Aug 2003
Posts: 4,992
Have you tried changing the binding order under the advanced menu item?
Open "Network Connections" from control panel and there should be Advanced > Advanced Settings. Try playing around with the binding order and file/sharing on/off for lan/wlan.
Then again you have now dual-homed the machine and have bypassed the firewall, opening a whole new can of worms.
__________________
NS Icons Explained | et hoc genus omne
Creating yesterday's future, Today!