Firewall Wizards mailing list archives

Re: Firewalls, PC static routes, gateways


From: Rodney van den Oever <RvdOever () chello nl>
Date: Tue, 04 Jan 2000 02:06:38 +0100

Randy Witlicki wrote:

   I'm wondering if anybody has come up with a reasonable
solution to static routes for Windows 95/98/NT laptop users
in networks with a firewall and *another* gateway.
   If we have a setup where:
    - The default route points to the firewall on the local
network, and;
    - You need an additional route to point to a gateway for
some private network (either via VPN or a private (leased line
or frame relay) link).
    (e.g.: the route to 0.0.0.0 is 10.0.0.1 and the route to
172.16.0.0/16 is 10.0.0.2)

Either:

1. set the default route to the internal router and make sure that one
has a default route pointing to the inside interface of the firewall and
has knowledge of other networks within the VPN.

2. Use DHCP anyway and add a batchfile to add a static route. Be aware
that you can't add static routes via DHCP (at least Windows won't accept
any). 

Just add some batchfile to the startup-group e.g.:

bash$ cat routeadd.bat

@echo off
rem DHCP: refresh the lease on adapter 0 so the interface address and the
rem DHCP-supplied default gateway are current before the routes are changed.
ipconfig /release 0
ipconfig /renew 0

rem @Work: drop the DHCP-supplied default gateway (x.x.x.x), point the default
rem route at the firewall and send the private network via the VPN router.
route delete 0.0.0.0 mask 0.0.0.0       x.x.x.x
route add    0.0.0.0 mask 0.0.0.0       10.0.0.1
route add 172.16.0.0 mask 255.255.0.0   10.0.0.2

3. If you add a default route to 10.0.0.1 on the VPN-router and you
enable ICMP-redirects (probably enabled by default), this router will
send an ICMP-redirect to the clients telling them there's a better path
to the outside world via 10.0.0.1. This oughta work with Windows.


   - If you have a "route add" in a startup .BAT file on a 95 or
98 PC or a "route add -p" on an NT PC, if it is a laptop and that
laptop travels to the remote network the "route add" is pointing
at, then you need a .BAT file to reverse the startup .BAT file.
I assume you might have similar problems with a *nix laptop.
    Is there a way to get one of these systems to listen to
RIP or something similar?

In case the user connects to another network, the batchfile just won't
work because of the different interface address, but that's no problem.

--
Rodney van den Oever / PGP Key ID 0x0A6CCE53
'Hit any user to continue.' - Erich Meijer
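
The following batch file is an added example, not code from the post above. It extends the startup-batchfile approach from the reply (option 2) so that it also answers the "laptop travels to the remote network" case: the work-only routes are added only when the freshly renewed DHCP lease shows an address in the work subnet, and are removed otherwise, so no reversal batchfile is needed. It assumes the addresses used in the thread (firewall 10.0.0.1, VPN router 10.0.0.2, private network 172.16.0.0/16), assumes the work LAN is 10.0.0.0/24 (so "10.0.0." in the ipconfig output means "at work"), and assumes an NT-style cmd.exe (the 2>&1 redirection is not available in the Windows 95/98 command.com):

```batch
@echo off
rem Added example (not from the original post). Assumptions: work LAN is
rem 10.0.0.0/24, firewall is 10.0.0.1, VPN router is 10.0.0.2, private
rem network is 172.16.0.0/16, adapter 0 is the DHCP-configured LAN card.

rem Refresh the DHCP lease first so the address we inspect is the current one.
ipconfig /release 0
ipconfig /renew 0

rem "find" sets errorlevel 1 when the string is absent from ipconfig's output.
rem Matching on the 10.0.0. prefix is the "are we at work?" test assumed here.
ipconfig | find "10.0.0." > nul
if errorlevel 1 goto notatwork

:atwork
echo On the work LAN: default route via the firewall, private net via the VPN router.
rem Without a gateway argument "route delete" removes every 0.0.0.0 route,
rem so the DHCP-supplied gateway does not have to be hard-coded.
route delete 0.0.0.0
route add    0.0.0.0 mask 0.0.0.0       10.0.0.1
route add 172.16.0.0 mask 255.255.0.0   10.0.0.2
goto end

:notatwork
echo Not on the work LAN: keeping the DHCP default route, removing the work-only route.
rem Remove the private-network route if an earlier run, or a persistent
rem "route add -p" on NT, left it behind; errors (route not present) are ignored.
route delete 172.16.0.0 > nul 2>&1
goto end

:end
```

Put it in the startup group in place of routeadd.bat. On NT, do not combine it with "route add -p": the persistent route would survive a reboot on the remote network, which is exactly the stale-route problem the :notatwork branch is there to clean up.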