I have a problem, I want a second internet source in my apartment for work purposes. My new company monitors your internet traffic so I want to keep work and personal separate, can't have them knowing how much time I spend on CP! lol
Does not sound like a big problem, but it's a harder problem than expected. Spectrum owns rights as a provider in my zip code, does not allow multiple router + modem options, meaning you can't have 2 internet sources for a single apartment. No major wireless carrier (att, sprint, Verizon) can offer a truly unlimited plan for a mifi device (non-phone hotspot box) that would allow me to work from home 5 days a week with multiple hours of video conferences per day. Verizon offers unlimited but only 20g of high speed before crawling to the slowest pace on the market, att only offers 35g then they charge you $10 per 2g above, forget t-mobile.
What to do? How to get reasonable, reliable, unlimited, worry-free, quality 2nd internet? [Reply]
Originally Posted by htismaqe:
Most places don't allow split tunneling anymore unless they're a small mom-and-pop and don't want to pay for the additional bandwidth.
And quite frankly if they're so cheap or setup so simple that they do allow split tunneling, I highly doubt their IT practices are sophisticated enough to actually spy on him like he thinks.
I've seen the number of places that have started using it increase as WFH increased. [Reply]
Originally Posted by BryanBusby:
I've seen the number of places that have started using it increase as WFH increased.
Yeah, it's all about what's driving the decision - control/security or cost. If a company simply can't afford the cost of the infrastructure they'll opt for split tunneling. I mostly work with government and financial institutions and they just can't give up their control, no matter how much it costs. [Reply]
Originally Posted by htismaqe:
Yeah, it's all about what's driving the decision - control/security or cost. If a company simply can't afford the cost of the infrastructure they'll opt for split tunneling. I mostly work with government and financial institutions and they just can't give up their control, no matter how much it costs.
We implement it for services like Webex, Zoom, Teams - to reduce latency. Other than that, tunnel everything. [Reply]
Originally Posted by Saulbadguy:
We implement it for services like Webex, Zoom, Teams - to reduce latency. Other than that, tunnel everything.
That makes sense but then you're probably whitelisting at the application (or at least the protocol/port) level, right? So your VPN clients still wouldn't have blanket access to the local network or anything. [Reply]
Not sure if this would be a solution for the OP, as he seems to want completely separate WAN providers, but for academic purposes, it seems a device like this could provide robust physical LAN separation: https://shop.netgate.com/products/5100-pfsense
From my understanding, you would set up IGB0 as WAN, IGB1 as management LAN, and could then set up ports IX0 to IX3 (presenting as OPT1-OPT4 in pfSense), each capable of having their own IP subnet, firewall rules, and DHCP scope. In this way, ALL traffic would be completely isolated from each LAN segment on the OPT interfaces. You'd have to explicitly create a 'bridge rule' to allow traffic to pass between each IX port, if desired (which in his case, is not).
Am I understanding this correctly? So using the OP's situation:
IGB0 -> Internet provider
IGB1 -> Personal computer (IP subnet preset to 192.168.1.x)
IX0 -> Work computer (own IP network determined by DHCP settings in pfSense)
IGB0 would of course be the default gateway for IGB1 and IX0.
Originally Posted by TwistedChief:
Have you gotten the covid vaccine? If so, that's probably how they're monitoring your internet activity (i.e., the vaccine links to any device running a Microsoft OS). It sounds like you work for a reputable corporation given their overarching monitoring, so presumably you have really solid healthcare. If that's the case, you could consider cutting off your arm and replacing it with a prosthesis to sever (no pun intended) the monitoring link. Should be covered under healthcare and that altogether might be a cheaper option than trying to establish a new ISP.
Originally Posted by htismaqe:
That makes sense but then you're probably whitelisting at the application (or at least the protocol/port) level, right? So your VPN clients still wouldn't have blanket access to the local network or anything.
Kind of - the client downloads a list of IP addresses, and those connections route through the local adapter rather than the VPN adapter. [Reply]
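The split-tunnel mechanism Saulbadguy describes (a downloaded list of destination prefixes that bypass the VPN adapter, everything else tunnelled) is easy to model, and modelling it answers htismaqe's question: the exclusion is per destination address, not per application, so whatever the gateway can see is decided purely by longest-prefix match on the destination. The example below is an added illustration and is not code from this thread or from any VPN vendor; the prefixes in `EXCLUDED_PREFIXES` and the sample flows are constructed, not real conferencing ranges. It routes each flow to the `local` or `vpn` adapter and includes a small audit that flags exclusion prefixes broad enough to quietly pull most traffic out of the tunnel.

```python
"""Model of a split-tunnel routing decision (added example, not vendor code).

A split-tunnel VPN client keeps a list of destination prefixes that are sent
out the local adapter; every other destination follows the default route into
the tunnel, where the corporate gateway can inspect it.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed exclusion list: these are NOT real conferencing ranges, they
# stand in for whatever list a real client downloads from its gateway.
EXCLUDED_PREFIXES = [
    "52.112.0.0/14",     # hypothetical conferencing media range
    "52.120.0.0/14",     # hypothetical conferencing media range
    "170.133.128.0/18",  # hypothetical conferencing signalling range
    "192.168.0.0/16",    # home LAN (printers etc.) stays local
]


def build_table(prefixes: Iterable[str]):
    """Parse prefixes and order them longest-prefix first so the first hit
    in a linear scan is the most specific match (like a routing table)."""
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    return sorted(nets, key=lambda n: n.prefixlen, reverse=True)


def choose_adapter(dst: str, table) -> Tuple[str, str]:
    """Return (adapter, matched_route) for a destination address.

    Only the destination is consulted: the application or port that
    generated the flow plays no part in the decision.
    """
    addr = ipaddress.ip_address(dst)
    for net in table:
        if addr.version == net.version and addr in net:
            return "local", str(net)
    # Default route: everything not on the list goes through the tunnel.
    return "vpn", "0.0.0.0/0" if addr.version == 4 else "::/0"


def classify(flows: Iterable[Tuple[str, int]], table) -> Dict[str, List[Tuple[str, int]]]:
    """Split (dst_ip, dst_port) flows by the adapter they would leave on."""
    out: Dict[str, List[Tuple[str, int]]] = {"local": [], "vpn": []}
    for dst, port in flows:
        adapter, _ = choose_adapter(dst, table)
        out[adapter].append((dst, port))
    return out


def audit_exclusions(prefixes: Iterable[str], min_prefixlen: int = 8) -> List[str]:
    """Flag exclusion prefixes shorter than /8: a list entry that broad
    bypasses the tunnel for a huge slice of the Internet, which defeats the
    'tunnel everything else' policy the gateway operators think they have."""
    return [str(n) for n in build_table(prefixes) if n.prefixlen < min_prefixlen]


# Constructed sample flows: a conferencing call, a web search, a LAN printer,
# and an IPv6 destination that is not on the (IPv4-only) exclusion list.
SAMPLE_FLOWS = [
    ("52.113.10.5", 3478),    # conferencing media -> local adapter
    ("8.8.8.8", 443),         # generic HTTPS -> tunnel
    ("192.168.1.20", 9100),   # LAN printer -> local adapter
    ("2001:db8::1", 443),     # IPv6, no matching exclusion -> tunnel
]

if __name__ == "__main__":
    table = build_table(EXCLUDED_PREFIXES)
    for adapter, flows in classify(SAMPLE_FLOWS, table).items():
        print(adapter, flows)
    print("over-broad exclusions:", audit_exclusions(EXCLUDED_PREFIXES))
```

Running it shows the conferencing and printer flows leaving on the local adapter while the HTTPS and IPv6 flows are tunnelled; with a real client list, `audit_exclusions` is the check a defender would run before trusting the policy.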