ray5450 Posted May 6, 2023

Background:
Note: I am capable of making these modifications and understand the results, but not exactly how it works. I often stay, and am currently staying, in a place with public internet and prefer to use a VPN.

Description of issue:
I am trying to use a manual cut off for a VPN when using wired ethernet. By some instructions I found, I know I need to delete the default gateway from the route table and I know how, and I did so. I know I need to add the VPN server to the route table, and I know how and did so.

To test it:
If I leave VPN connected about 10-15 minutes there is internet through VPN, and then when I disconnect from VPN, there is no internet connection, which is what I want and what I expect by way of the foregoing settings. However, if I leave VPN connected for some hours, and then disconnect it, I find it immediately connects to internet without VPN.

Additional observation:
After VPN is connected for 10-15 minutes, just before disconnecting VPN, I check the route table and the default gateway that I deleted is indeed deleted, which is why there is no internet after disconnecting from VPN. However, after VPN is connected for some hours, when I check route table just before disconnecting VPN, I find that the default gateway has been added back in somehow, which is why it then connects to internet without VPN.

Question:
As to the default gateway somehow being added back in route table, how do I stop that from happening?

jaclaz Posted May 7, 2023

It is likely that the issue lies in the renewing of the DHCP lease.

See if you can use any of these suggestions:
https://serverfault.com/questions/648603/prevent-windows-server-2012-from-using-dhcp-provided-default-gateway

Or otherwise (cannot say if you can do this in your setup/OS) set static IP (disable DHCP).

jaclaz

ray5450 Posted May 7, 2023

Thank you for your response.

Yes, that is what I did, the "add" and "delete" I mention under "Description of Issue" (route delete.... route add). The problem is, some hours after my making this deletion of the default gateway from the route table, somehow it gets added back in, and there are no reboots happening. (?)

If the idea of your post is to make it static with the p switch, it appears that permanent changes using the p switch are only allowed with adds and not deletes.

It seems to me, from various sources I have read, that this mysterious re-adding should not be happening.

Edited May 7, 2023 by ray5450

jaclaz Posted May 7, 2023

If that doesn't work (the idea is to add with -p switch a route to a non-existing or not connected gateway address), the only way out you have, I believe, is to assign a static IP and net mask (and no gateway) to the interface and disable DHCP or increase the DHCP lease time (if you have access to the DHCP server).

Very basically the DHCP server is hosted by some device on your network, usually the router or terminal adapter.

When a device with dynamic IP address connects to the network it doesn't know anything about the network and sends a DHCP request; the DHCP server replies assigning a timed lease with the IP address assigned to the device, the net mask and the gateway.

The lease can be anything from a couple hours to 24 hours or so, it depends on the settings in the DHCP server. Usually it is renewed at half the lease time: the device asks the server to renew the lease. This is probably what happens in your setup:
https://www.serverbrain.org/network-services-2003/how-the-dhcp-lease-renewal-process-works-1.html

You could also try to put a higher metric manually to that gateway, but cannot say if it will work as when you kill the VPN it will remain the only gateway.

jaclaz

ray5450 Posted May 8, 2023

Thanks. This is getting a little beyond my knowledge, but maybe this will help.

The VPN is Softether. I believe that it does have its own adapter. It does set up a DHCP server. According to some information I found on its site, when the lease renews, the VPN should not disconnect.

I have tried getting an answer there about this issue for some weeks, but no one responds.

jaclaz Posted May 8, 2023

I am not familiar with that software (Softether) but what you reported as an issue seems like being something that happens before and outside the VPN.

Let's see if I can detail what I imagine is happening.

You connect your PC to the ethernet (wired or wireless), it is set as DHCP, so it knows nothing about:
1) the IP it should have
2) the network mask it should have
3) the gateway it should use to get internet
so it issues a DHCP request on the network and soon the DHCP server on the network replies with these data that are attributed to the interface.

Then, you start your VPN software and (either automatically or manually) you add a route to the new, VPN gateway (thus overwriting the setting for the previous, local, gateway).

Then, when you close your VPN you have no internet access as the gateway is still the VPN one.

But after some time passes, the DHCP (50% of) lease time expires and a new DHCP request is issued and the gateway is restored to the original, local IP, so internet connection (outside the VPN) is re-established.

Now, if the issue is that you do not want internet connection (if not through the VPN) what you can try doing is to add a route pointing the gateway to another address (localhost?).

Example:
DHCP assigned IP: 192.168.1.200
DHCP netmask: 255.255.255.0
DHCP gateway: 192.168.1.1

Now if you add a route:

    route ADD 192.168.1.1 MASK 255.255.255.255 192.168.1.200

What happens? (this may depend on the OS you are running and possibly on a number of other variables).

jaclaz

ray5450 Posted May 8, 2023

Thank you for your response.

Just in case there are some differences in each of our understanding, I will try to help you to help me. In other words, (lol)--even if I don't know what I'm saying, you probably will. I will do similar to what you have done and present (to my ability) what I think is happening. Maybe some parts are the same as what you think, but just to be sure....

I connect my (Windows) PC to wired ethernet. I'm not sure whether it is set as DHCP (as I'm not quite sure what that does/is...I make a guess below.)

I then delete the default gateway from the route table.

I then add the VPN server to the route table.

I then start VPN. It might be important for you to know that this VPN has installed and uses its own virtual adapter. As I limitedly understand it, when using automatic connection, Softether establishes its own arrangement of DHCP. I think I read that somewhere on the Softether site. (A guess would be that the above VPN server that I manually add is the DHCP...or, at least has something to do with that?)

While VPN is connected, I have checked route table after 10-15 minutes, and the default gateway that I deleted is still deleted, AND, if I disconnect VPN at this point, there is no internet connected (desired), and when checking route table after disconnect, default gateway is still deleted.

If I do not disconnect VPN at this point.........

While VPN is still connected, I have checked after several hours, and the default gateway that I had deleted, is back in the table, but the connection is still through VPN, AND, if I disconnect VPN at this point, there is internet connected (not desired).

According to information on Softether site, when DHCP lease renews, the VPN should not disconnect.

---------------------

If it would help, I can post a copy of the route table at each above step.

As far as your add suggestion/example, I am not sure at what above point I should try that, or maybe, the additional information above might affect that.

Edited May 8, 2023 by ray5450

jaclaz Posted May 9, 2023

Most computers are usually set to use DHCP network settings, there are only two possibilities:
1) DHCP assigned IP and network parameters
2) Statically (manually assigned) IP and network parameters

As I tried to explain earlier, what happens in your case is that when you boot (with the wired connection active) or anyway when you connect the network cable, your computer makes a DHCP request on the network and a DHCP server on the network replies setting (among other things) the IP address of your network card, the net mask to be used, the gateway IP.

So, initially, you have not any IP address, network mask or gateway (as a matter of fact in Windows OS if these parameters cannot be determined because they are not set manually or received from the network a "default" address of 169.254.x.x is assigned, a so-called APIPA address):
https://superuser.com/questions/238625/why-is-windows-default-ip-address-169-xx-xx-xx
https://learn.microsoft.com/en-us/windows-server/troubleshoot/how-to-use-automatic-tcpip-addressing-without-a-dh

If (which is what is happening to you) a DHCP request is made and answered correctly, your network interface gets the addresses/data from the network.

When you delete the gateway from the route table, you are (indirectly) modifying the data that the network sets.

When the (50% usually of) lease time has elapsed a new DHCP request is made on the network and the network DHCP re-sends all the info: the IP address (usually the same as before), the net mask and the gateway are re-sent and (in order to allow you the "normal" connection) the gateway is re-added to the routing table.

There is no way you can permanently delete the gateway from the routing table, because it is periodically re-added to it automatically.

What you can do is:
1) disable DHCP and manually set the IP address, net mask and gateway (so-called static IP addressing[1]) <- in your case you don't need to enter the gateway address at all, or enter it to test and then delete it from the interface
2) route the gateway address to *something else* <- this has to be tested, it may or may not work

There is another possibility (more complex and that will need to be tested as well): to make some automatic periodical re-deleting of the gateway.

I hope the above helps in letting you understand how it works.

jaclaz

[1] In Windows 7: https://www.pluralsight.com/blog/it-ops/windows-7-ip-addressing

ray5450 Posted May 19, 2023

I have a couple questions about your last post, but before I ask that, I have been trial and error-ing to get some real data to show you so that you do not need to "imagine", as you said, what is happening. Below is data from the route table with my descriptions. Your response might be the same as your last post, or it may assist you to give more information. If your response would be just the same as your previous post, or in other words, this data is exactly as you expected, you can just say something like, "okay, I saw the data...go ahead with your questions". Otherwise, please, point out any other findings.

Here is the route table, connected as normally connected to internet:

    Active Routes:
    Network Destination  Netmask          Gateway         Interface      Metric
    0.0.0.0              0.0.0.0          10.204.0.1      10.204.1.182   20
    10.204.0.0           255.255.248.0    On-link         10.204.1.182   276
    10.204.1.182         255.255.255.255  On-link         10.204.1.182   276
    10.204.7.255         255.255.255.255  On-link         10.204.1.182   276
    127.0.0.0            255.0.0.0        On-link         127.0.0.1      306
    127.0.0.1            255.255.255.255  On-link         127.0.0.1      306
    127.255.255.255      255.255.255.255  On-link         127.0.0.1      306
    192.168.56.0         255.255.255.0    On-link         192.168.56.1   266
    192.168.56.1         255.255.255.255  On-link         192.168.56.1   266
    192.168.56.255       255.255.255.255  On-link         192.168.56.1   266
    224.0.0.0            240.0.0.0        On-link         127.0.0.1      306
    224.0.0.0            240.0.0.0        On-link         10.204.1.182   276
    224.0.0.0            240.0.0.0        On-link         192.168.56.1   266
    255.255.255.255      255.255.255.255  On-link         127.0.0.1      306
    255.255.255.255      255.255.255.255  On-link         10.204.1.182   276
    255.255.255.255      255.255.255.255  On-link         192.168.56.1   266

Next, is after deleting the default gateway and adding the VPN server (route delete 0.0.0.0, and, route add 219.100.37.86 mask 255.255.255.255 10.204.0.1):

    Active Routes:
    Network Destination  Netmask          Gateway         Interface      Metric
    10.204.0.0           255.255.248.0    On-link         10.204.1.182   276
    10.204.1.182         255.255.255.255  On-link         10.204.1.182   276
    10.204.7.255         255.255.255.255  On-link         10.204.1.182   276
    127.0.0.0            255.0.0.0        On-link         127.0.0.1      306
    127.0.0.1            255.255.255.255  On-link         127.0.0.1      306
    127.255.255.255      255.255.255.255  On-link         127.0.0.1      306
    192.168.56.0         255.255.255.0    On-link         192.168.56.1   266
    192.168.56.1         255.255.255.255  On-link         192.168.56.1   266
    192.168.56.255       255.255.255.255  On-link         192.168.56.1   266
    219.100.37.86        255.255.255.255  10.204.0.1      10.204.1.182   21
    224.0.0.0            240.0.0.0        On-link         127.0.0.1      306
    224.0.0.0            240.0.0.0        On-link         10.204.1.182   276
    224.0.0.0            240.0.0.0        On-link         192.168.56.1   266
    255.255.255.255      255.255.255.255  On-link         127.0.0.1      306
    255.255.255.255      255.255.255.255  On-link         10.204.1.182   276
    255.255.255.255      255.255.255.255  On-link         192.168.56.1   266

Next, after connecting vpn (Note: when vpn connects, vpn software says: "Requsting an IP address To the DHCP server in the VPN"):

    Active Routes:
    Network Destination  Netmask          Gateway         Interface      Metric
    0.0.0.0              0.0.0.0          10.238.254.254  10.238.118.29  20
    10.204.0.0           255.255.248.0    On-link         10.204.1.182   276
    10.204.0.1           255.255.255.255  On-link         10.204.1.182   276
    10.204.1.182         255.255.255.255  On-link         10.204.1.182   276
    10.204.7.255         255.255.255.255  On-link         10.204.1.182   276
    10.238.0.0           255.255.0.0      On-link         10.238.118.29  276
    10.238.118.29        255.255.255.255  On-link         10.238.118.29  276
    10.238.255.255       255.255.255.255  On-link         10.238.118.29  276
    127.0.0.0            255.0.0.0        On-link         127.0.0.1      306
    127.0.0.1            255.255.255.255  On-link         127.0.0.1      306
    127.255.255.255      255.255.255.255  On-link         127.0.0.1      306
    192.168.56.0         255.255.255.0    On-link         192.168.56.1   266
    192.168.56.1         255.255.255.255  On-link         192.168.56.1   266
    192.168.56.255       255.255.255.255  On-link         192.168.56.1   266
    219.100.37.86        255.255.255.255  10.204.0.1      10.204.1.182   21
    224.0.0.0            240.0.0.0        On-link         127.0.0.1      306
    224.0.0.0            240.0.0.0        On-link         10.204.1.182   276
    224.0.0.0            240.0.0.0        On-link         192.168.56.1   266
    224.0.0.0            240.0.0.0        On-link         10.238.118.29  276
    255.255.255.255      255.255.255.255  On-link         127.0.0.1      306
    255.255.255.255      255.255.255.255  On-link         10.204.1.182   276
    255.255.255.255      255.255.255.255  On-link         192.168.56.1   266
    255.255.255.255      255.255.255.255  On-link         10.238.118.29  276

(After 15-20 minutes, nothing changes.)

After several hours, still connected to VPN, the default gateway appears. There are also 2 entries with the same metric value, which I did not think was possible (?),

    Active Routes:
    Network Destination  Netmask          Gateway         Interface      Metric
    0.0.0.0              0.0.0.0          10.238.254.254  10.238.118.29  20
    0.0.0.0              0.0.0.0          10.204.0.1      10.204.4.59    20
    10.204.0.0           255.255.248.0    On-link         10.204.4.59    276
    10.204.4.59          255.255.255.255  On-link         10.204.4.59    276
    10.204.7.255         255.255.255.255  On-link         10.204.4.59    276
    10.238.0.0           255.255.0.0      On-link         10.238.118.29  276
    10.238.118.29        255.255.255.255  On-link         10.238.118.29  276
    10.238.255.255       255.255.255.255  On-link         10.238.118.29  276
    127.0.0.0            255.0.0.0        On-link         127.0.0.1      306
    127.0.0.1            255.255.255.255  On-link         127.0.0.1      306
    127.255.255.255      255.255.255.255  On-link         127.0.0.1      306
    192.168.56.0         255.255.255.0    On-link         192.168.56.1   266
    192.168.56.1         255.255.255.255  On-link         192.168.56.1   266
    192.168.56.255       255.255.255.255  On-link         192.168.56.1   266
    219.100.37.86        255.255.255.255  10.204.0.1      10.204.4.59    21
    224.0.0.0            240.0.0.0        On-link         127.0.0.1      306
    224.0.0.0            240.0.0.0        On-link         192.168.56.1   266
    224.0.0.0            240.0.0.0        On-link         10.238.118.29  276
    224.0.0.0            240.0.0.0        On-link         10.204.4.59    276
    255.255.255.255      255.255.255.255  On-link         127.0.0.1      306
    255.255.255.255      255.255.255.255  On-link         192.168.56.1   266
    255.255.255.255      255.255.255.255  On-link         10.238.118.29  276
    255.255.255.255      255.255.255.255  On-link         10.204.4.59    276

(When VPN is disconnected, internet is connected.)

jaclaz Posted May 20, 2023

The data you posted is coherent with the hypothesis, though there are a few entries that are not common; it seems like (before starting the VPN) you are using several networks, and there is a "non common" netmask.

From what I can understand from the data you posted:

your interface is assigned 10.204.1.182 with netmask 255.255.248.0 <- this is uncommon, usually the netmask is 255.255.255.0, so it must be a largish local network

But it seems like you have also a connection as 192.168.56.1 with netmask 255.255.255.0

The VPN uses 10.238.118.29 (since this is definitely DHCP it may change) with netmask 255.255.0.0

In the last set of data your IP has changed, it is now 10.204.4.59 with netmask 255.255.248.0. This confirms that you are getting your IP address via DHCP; usually when a DHCP lease is renewed the same address as before is leased, but this may depend on a number of factors.

You could run ipconfig /all to check.

So, what are the questions?

jaclaz

P.S.: The "On-link" seems like something a corporate VPN / protection may offer.

Edited May 20, 2023 by jaclaz

ray5450 Posted May 20, 2023

Thanks, for confirming.

1st question: When you said, "What you can do is:", there are 2 items. Are you saying both are required, or either one?

ray5450 Posted May 22, 2023

On 5/9/2023 at 5:11 AM, jaclaz said:

    What you can do is:
    1) disable DHCP and manually set the IP address, net mask and gateway (so-called static IP addressing[1]) <- in your case you don't need to enter the gateway address at all, or enter it to test and then delete it from the interface
    2) route the gateway address to *something else* <- this has to be tested, it may or may not work

Is this 2 steps to one possible solution? or Are these 2 different possible solutions?

Thanks.

jaclaz Posted May 23, 2023

Either one (2 - actually 3 - different possible workarounds, not solutions).

But if you don't "own" the network you cannot (shouldn't) change the way the IP is assigned (i.e. #1 is not suitable). The risk is that the manually assigned IP on your machine may be re-assigned to another machine on the network, causing a conflict.

The #2 may or may not work but trying should cost nothing; if it works, it is the simplest one.

The #3 implies writing a script to be launched periodically. I cannot say how it could be triggered, probably it would be possible to run it a little sooner than the DHCP leasing time automated renewal (usually 50% of lease time, but has to be seen), sending first a new DHCP request (ipconfig /release + ipconfig /renew):
https://computing.cs.cmu.edu/desktop/ip-renew
and then, as soon as the new IP (and gateway) are re-assigned, delete the route.

jaclaz
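
Added example, not part of any post in this thread: a sketch of workaround #3 that polls `route print -4`, flags any default route bound to an interface outside the VPN network, and removes only that route. The VPN subnet 10.238.0.0/16 and the server address 219.100.37.86 are assumptions read from the route tables posted above; the function names are hypothetical.

```python
import ipaddress
import subprocess
import sys
import time

# Assumptions taken from the route tables posted in this thread.
VPN_SUBNET = ipaddress.ip_network("10.238.0.0/16")  # network of the VPN virtual adapter
VPN_SERVER = "219.100.37.86"                         # host route that must stay on the LAN

# Sample input: four rows copied from the "after several hours" table in the thread.
SAMPLE = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0   10.238.254.254    10.238.118.29     20
          0.0.0.0          0.0.0.0       10.204.0.1      10.204.4.59     20
       10.204.0.0    255.255.248.0         On-link       10.204.4.59    276
    219.100.37.86  255.255.255.255       10.204.0.1      10.204.4.59     21
"""

def parse_routes(text):
    """Return (destination, netmask, gateway, interface, metric) rows of `route print -4`."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # headings, blank lines, the 4-column persistent-routes section
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        rows.append(tuple(parts))
    return rows

def leaking_defaults(rows):
    """Default routes bound to an interface outside the VPN subnet (a path around the tunnel)."""
    return [(gw, iface) for dest, mask, gw, iface, _ in rows
            if dest == mask == "0.0.0.0" and ipaddress.ip_address(iface) not in VPN_SUBNET]

def delete_commands(leaks):
    """Gateway-qualified `route delete` lines, so the VPN default route is left alone."""
    return [f"route delete 0.0.0.0 mask 0.0.0.0 {gw}" for gw, _ in leaks if gw != "On-link"]

def vpn_server_pinned(rows):
    """True while the /32 route to the VPN server exists, so the tunnel can still reconnect."""
    return any(r[0] == VPN_SERVER and r[1] == "255.255.255.255" for r in rows)

def watch(interval=60):
    """Windows, elevated prompt: poll the table and remove leaking default routes."""
    while True:
        out = subprocess.run(["route", "print", "-4"], capture_output=True, text=True).stdout
        for cmd in delete_commands(leaking_defaults(parse_routes(out))):
            subprocess.run(cmd.split(), check=False)
        time.sleep(interval)

if __name__ == "__main__":
    if sys.platform == "win32":
        watch()
    else:
        print(delete_commands(leaking_defaults(parse_routes(SAMPLE))))
```

Polling leaves a window of up to `interval` seconds after each lease renewal in which the restored gateway is usable, so this narrows the leak rather than closing it.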

ray5450 Posted May 23, 2023

Question: The 2nd route table copy above represents when the default gateway is deleted out of the table. I would think that the network would then do one of 2 things:
1. Automatically try to connect using a 2nd option as displayed in the route table, which fails.
2. Does not at all try to connect to anything.

Is this correct, and if so, which does it do?

Thanks.

ray5450 Posted May 25, 2023

Is it also correct when vpn software says: "Requsting an IP address To the DHCP server in the VPN", that "0.0.0.0 0.0.0.0 10.238.254.254 10.238.118.29 20" is the address from the DHCP server from the VPN?

Thanks.