# Firewall settings for 2 NIC's



## kamaradski (Mar 23, 2011)

Hi everyone, after many years of reading this forum I finally decided to register and ask a question myself. Cheers!

Situation:

XP Pro box with 2 network cards.
1 - WAN connection straight to internet (static) public IP: 78.95.x.x class C
2 - LAN 10.0.0.x class C, possible to reach internet via LAN & router

Now purpose is that the WAN-NIC will ONLY handle the following traffic:
- FTP Server
- Shoutcast Server
- Real VNC
All other requests and traffic should be disallowed and therefore forced\routed to use the other NIC and have to pass the hardware firewall.

So far I tried Windows Firewall and test-drove NOD32 Smart Security and ZoneAlarm to do just this. However, even after extensively searching their support KBs, no luck.

I would prefer to be able to use the native Windows FW, or otherwise NOD32. However, I do understand not all firewalls might be able to handle this configuration, and I might have to purchase\install a specific product.

Can someone point me in the right direction on how to realize this setup?

Much appreciated !
Kamaradski


----------



## Wand3r3r (Sep 17, 2010)

So you have modem<>wan nic [pc] lan nic<>router<>lan????

If this is correct, how do you think lan traffic is going to travel to the wan if you have denied everything except for those three items?

The point of this exercise?


----------



## kamaradski (Mar 23, 2011)

Sorry for the lack of clarification:

My ISP is a citywide LAN network offering me 2 static IP's

- 1 IP is in use on the router
- 1 IP is in use for the WAN connection on the server

They deliver this in the form of a LAN cable to the door, from where I'm pretty much immediately into the cloud (only 1 additional hop), so no modems or any other devices involved.

KR
Kamaradski


----------



## Wand3r3r (Sep 17, 2010)

This can't work as you envision.

The intelligence to make the decision of which wan interface gets to do what would have to be done upstream from the two routers.

In other words there would have to be a router in front of these routers that decides which direction to send which traffic to router a or router b.

In your case you have a Windows router and a regular router that know nothing of each other. The Windows box can't deny traffic up front and then decide it's going to send it to the LAN and router b. Doesn't work like that. Additionally, a Windows PC can't address two gateways, which again would need intelligence to know which way to send what.

What could work is, in the Windows box, you would use the Windows firewall for forwarding those apps like FTP to a static-IP-assigned wkst/server doing those apps.


----------



## kamaradski (Mar 23, 2011)

Thanks for your time so far Wand3r3r, much appreciated.

As Windows knows there is internet access on both interfaces, my thinking was: if I block for instance the browser from using NIC-1 (by denying it in the firewall), it will automatically try and find internet access on NIC-2, correct?

I agree I cannot reroute incoming traffic to another IP, but I can drop those packets on the FW. Such requests will be unsolicited anyway, as I would not have sent the outgoing request from that NIC. When I have outgoing requests, the reply will also end up on the same NIC; any other traffic can be considered random unsolicited.

Both IPs are on a different network, so ARP\DNS\etc. traffic will not be mixed up anyway.

I have already set NIC-2 as the preferred route in the advanced network settings, and bound some of the other programs to the IP of NIC-1. And this is working, at least to some extent: all tools I want to use NIC-1 have the bind\listen options, so I have already fixed those to the correct interface. Next step is to block all other traffic from this interface.

KR
Kamaradski


----------



## Wand3r3r (Sep 17, 2010)

Windows doesn't understand two gateways. It defies the concept of a gateway, which is a single outlet of last resort for a subnet to shove a request out to hopefully get an answer.

So the answer to your first question is no, as far as I know.

My understanding of your question is that you want to filter the traffic on one internet connection, and what traffic you don't want on that interface should go to the other interface.

Is that a fair summation?


----------



## kamaradski (Mar 23, 2011)

Thanks again Wand3r3r,

Yes, your assumption is right indeed; that is exactly what I try to do here.

If your statement that Windows does not understand dual (or more) separate gateways is true, then indeed I can see this not going to work. Actually I naturally assumed the core network principles would function the same as on my Slackware box.

KR
Kamaradski


----------



## Wand3r3r (Sep 17, 2010)

Please take this with a grain of salt. I am no expert in routing. There is always some new way to apply or do something.

What you want can be achieved with a router with one WAN port and two LAN ports. You can route one particular kind of traffic to one LAN and what doesn't fit the rule to the other.

Problem is you want that logic on one NIC, so it has to have the ability to send packets to itself. That is a logic higher than "do I pass it or do I drop it?"

The issue is in the deny. You have deny but three. Then you want the rest of the denied traffic to go to the other nic. It has no route except thru the deny which by its nature doesn't allow it thru.

So the thought comes in, "How about three nics?"

You know, I never had enough time to try that. I read the writings of others that had. Some with success. Some not so.

This really is what Cisco excels at. One WAN port and two NICs. I am thinking a PIX would do you fine. Something to learn?


----------



## net_SA (Mar 29, 2011)

Hello,
I'm not sure why you would want to handle all this the way you describe. My one thought is to use static routes. 
HowTo: Add persistent Static Routes in Windows | ItsyourIP.com


----------



## Wand3r3r (Sep 17, 2010)

Static routes have nothing to do with what services are allowed on a chosen interface.


----------



## net_SA (Mar 29, 2011)

Hello,
Agreed about routes not determining what services are allowed.
I was just trying to figure out why he wanted what was stated. It seemed to me that he wants FTP Shoutcast and RealVNC to use one interface and all the rest to use the other... but what is all the rest? I wasthinking maybe what he wants is for those incoming services to use the "WAN" interface and outgoing services to use the LAN interface.

With the idea that what he wants is for his web browsing go through the lan. 
A static route would seem to be able to provide this. For after all the FTP, Shoutcast and VNC WILL have to use the WAN interface because the connection is initiated from the outside IP. So his only issue is... to get his initiated web connections to use the LAN interface... Which I see a static route as solving...

I may not be correct on what the real motives of his requirement is.. I may very well be reading it all wrong.. But it is what I deciphered and so I suggested it.


----------



## Wand3r3r (Sep 17, 2010)

It comes down to this: you can't put a deny-all-except-3-services rule on and then expect to be able to route what was denied, through the same NIC the deny is on, to the other interface.


----------
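The two points made in this thread, that a firewall deny on NIC-1 drops traffic rather than handing it to NIC-2, and that it is the routing table (metrics or a static route) that decides which interface outbound traffic leaves on, can be shown with a small model. This is an added illustration, not code from any poster; the routing table, prefixes and port numbers (FTP 21, Shoutcast 8000, VNC 5900) are constructed placeholders modelled on the setup described above.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str
    metric: int


def route_table(lan_metric, wan_metric):
    """Constructed table: NIC-1 = WAN (78.95.x.x), NIC-2 = LAN (10.0.0.x); prefixes are placeholders."""
    return [
        Route(ipaddress.ip_network("78.95.0.0/24"), "NIC-1", 1),          # on-link WAN subnet
        Route(ipaddress.ip_network("10.0.0.0/24"), "NIC-2", 1),           # on-link LAN subnet
        Route(ipaddress.ip_network("0.0.0.0/0"), "NIC-1", wan_metric),    # default gateway via ISP
        Route(ipaddress.ip_network("0.0.0.0/0"), "NIC-2", lan_metric),    # default gateway via LAN router
    ]


# Inbound TCP ports the WAN NIC should serve (assumed default ports); everything else on NIC-1 is denied.
WAN_ALLOW_IN = {21, 8000, 5900}


def select_route(dst, table):
    """Longest-prefix match; among equal prefixes the lowest metric wins (the "preferred" default route)."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r.prefix]
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.metric))


def send(dst, dport, table):
    """Outbound: routing chooses the egress interface first; the firewall can only accept or drop there.
    With a deny-all-new-outbound policy on NIC-1, anything routed to NIC-1 is dropped, never re-sent via NIC-2."""
    iface = select_route(dst, table).iface
    if iface == "NIC-1":
        return iface, "DROP"
    return iface, "ACCEPT"


def receive(iface, dport):
    """Unsolicited inbound: only the three services on NIC-1; NIC-2 is behind the hardware firewall."""
    if iface == "NIC-1":
        return "ACCEPT" if dport in WAN_ALLOW_IN else "DROP"
    return "ACCEPT"


if __name__ == "__main__":
    web = "203.0.113.10"  # placeholder internet host
    print("LAN preferred:", send(web, 80, route_table(lan_metric=10, wan_metric=20)))  # ('NIC-2', 'ACCEPT')
    print("WAN preferred:", send(web, 80, route_table(lan_metric=20, wan_metric=10)))  # ('NIC-1', 'DROP')
```

Lowering NIC-2's metric moves browsing to the LAN side; with NIC-1 preferred the same packet is simply dropped, which is the behaviour Wand3r3r describes.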

