Block NIC from internet access but not local network

By Karmashock · 6 replies
Oct 21, 2008
  1. I have two network cards that connect to two different networks. The first network should only communicate with the computers on the local network and the second should be used to connect to the internet.

    How do I force the computer to use a given NIC for internet access and the other for local file sharing etc?
  2. LookinAround

    LookinAround Ex Tech Spotter Posts: 6,491   +184

    Instead of two NICs for access to different networks and functions, would it be easier to have just one NIC if you could find something that restricted all network traffic allowed in/out of the NIC so it would only talk to networks you want and use remote services you want, etc.?

    Would that fill the need? You need one NIC and a firewall.
  3. Karmashock

    Karmashock TS Rookie Topic Starter Posts: 223

    One NIC is for the office network... the second is for dedicated bandwidth for some intensive tasks.

    The computer needs to access the other computers on the network to access shared files/printers... but it can't tie up the office internet or generate more traffic on the office network for its other tasks. Ergo, it has a second dedicated connection for that purpose.

    Surely there has to be a way to do this... perhaps a firewall program?
  4. LookinAround

    LookinAround Ex Tech Spotter Posts: 6,491   +184

    Yes, in your case (given the additional info on your requirements) the answer is still a firewall. A firewall allows you to define "networks" and which one or more networks are allowed traffic over an adapter.
  5. jobeard

    jobeard TS Ambassador Posts: 11,128   +982

    Each NIC has an IP address. (Let's call them NIC#1 & NIC#2.)

    Controlling the usage is done using the firewall (which means if you want to control
    multiple systems, each firewall needs to be configured).

    For the LAN-only usage, you need to allow only traffic to the LAN subnet (NIC#1).

    For the Internet-only use, you need to disallow traffic on the LAN subnet (NIC#2).

    Depending upon which firewall you are using, you may be able to define an
    address group (i.e. the LAN) using a name (e.g. lansubnet).

    So, here are the generic rules, which must be in this order:
    1. allow in/out tcp/udp port 67,68 (this is the DHCP service)
    2. allow in/out port 53 (the DNS service)
    3. allow in/out tcp/udp src NIC#1 dst lansubnet
    4. deny in/out tcp/udp src NIC#2 dst lansubnet

    You should consider other factors, such as where is the email coming from
    (Exchange server or ISP pop3 account).

    Additionally, the physical wiring can be a big factor here; can you feedback a simple diagram?
  6. Karmashock

    Karmashock TS Rookie Topic Starter Posts: 223

    This solution sounds more complicated than the problem.

    Sounds like the simplest way to deal with this is to just block that computer's IP at the router level from gaining access to the internet. Thus the computer will be forced to use the other nic.

    I was hoping for an elegant solution but if I have to brute force it... then I'll just tear its legs off.
  7. jobeard

    jobeard TS Ambassador Posts: 11,128   +982

    There's another approach of altering the routing tables, but if you don't like the
    firewall approach, you'll hate the RT maintenance.

    Yes, it would be easier to use multiple routers and control traffic there.
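The two approaches discussed in the thread (jobeard's ordered firewall rules in post 5, and the routing-table alternative he mentions in post 7) can be modelled in a few lines. The following is an added example, not code from the thread or from any of the posters: it builds a longest-prefix-match routing table that sends LAN destinations out NIC#1 and everything else out NIC#2, and a first-match firewall in the order jobeard gave. The subnet 192.168.1.0/24, the NIC names, the `Packet`/`Rule` types and the two trailing rules (an "allow NIC#2 anywhere" so Internet traffic still works, and a closing default deny so NIC#1 cannot reach the Internet, which the four listed rules do not cover on their own) are assumptions made for the demo.

```python
"""Model of the two-NIC policy from the thread.

A routing table decides which NIC a destination uses (post 7), and an
ordered first-match firewall keeps LAN traffic on NIC#1 and off NIC#2
(post 5).  Addresses, NIC names and the last two rules are assumptions
for this demo, not values taken from the thread.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

LAN_SUBNET = ipaddress.ip_network("192.168.1.0/24")   # assumed office LAN ("lansubnet")
ANY = ipaddress.ip_network("0.0.0.0/0")

# Routing table as (prefix, outgoing NIC).  Longest prefix wins, so the LAN
# route beats the default route for 192.168.1.x; everything else goes out NIC#2.
ROUTES = [
    (LAN_SUBNET, "NIC1"),
    (ANY, "NIC2"),
]


def select_nic(dst: str) -> str:
    """Longest-prefix match over ROUTES, the way a kernel routing table picks an interface."""
    addr = ipaddress.ip_address(dst)
    best = max((net for net, _ in ROUTES if addr in net), key=lambda n: n.prefixlen)
    return dict(ROUTES)[best]


@dataclass(frozen=True)
class Packet:
    nic: str     # adapter the packet enters or leaves on
    proto: str   # "tcp" or "udp"
    port: int    # service port
    dst: str     # destination address


@dataclass(frozen=True)
class Rule:
    action: str                                   # "allow" or "deny"
    nic: Optional[str] = None                     # None matches any adapter
    ports: frozenset = frozenset()                # empty matches any port
    dst: Optional[ipaddress.IPv4Network] = None   # None matches any destination

    def matches(self, p: Packet) -> bool:
        return ((self.nic is None or self.nic == p.nic)
                and (not self.ports or p.port in self.ports)
                and (self.dst is None or ipaddress.ip_address(p.dst) in self.dst))


# jobeard's four rules in his order, then two assumed rules: allow NIC#2 to
# anything not already denied (the Internet), and a closing default deny.
RULES = [
    Rule("allow", ports=frozenset({67, 68})),   # 1. DHCP on either NIC
    Rule("allow", ports=frozenset({53})),       # 2. DNS
    Rule("allow", nic="NIC1", dst=LAN_SUBNET),  # 3. NIC#1 may talk to the LAN
    Rule("deny", nic="NIC2", dst=LAN_SUBNET),   # 4. NIC#2 may not touch the LAN
    Rule("allow", nic="NIC2"),                  # assumed: NIC#2 to everything else
    Rule("deny"),                               # assumed: default deny (blocks NIC#1 -> Internet)
]


def evaluate(p: Packet) -> str:
    """First matching rule decides; this is why the order matters."""
    for r in RULES:
        if r.matches(p):
            return r.action
    return "deny"


def send(proto: str, port: int, dst: str):
    """Route first, then filter: returns (chosen NIC, firewall verdict)."""
    nic = select_nic(dst)
    return nic, evaluate(Packet(nic, proto, port, dst))


if __name__ == "__main__":
    for args in [("tcp", 445, "192.168.1.10"), ("tcp", 443, "93.184.216.34")]:
        print(args, "->", send(*args))
    # The firewall is the backstop for what the routing table gets wrong:
    print("forced NIC2 -> LAN:", evaluate(Packet("NIC2", "tcp", 445, "192.168.1.10")))
```

With correct routes the firewall never has to deny anything; it only matters when something (a DHCP-assigned default route on NIC#1, a manually bound socket) sends traffic out the wrong adapter, which is exactly the case Karmashock's router-level block also catches.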
Topic Status:
Not open for further replies.
