On Mon, Jun 13, 2011 at 6:59 PM, Randy Carpenter <rcarpen@network1.net> wrote:

> This is precisely what we are doing on the main network. We just want to
> keep the general browsing traffic separated.
If you're worried about browsing traffic and not worried about occasional other things slipping through, set up Squid and WPAD on your network. Direct all general internet stuff (via WPAD) out the cheap connection, the business-critical traffic through the other traffic. Now things that don't listen to the WPAD configuration (basically anything but PC and Mac browsers) will go out your expensive connection. But it sounds like a little bit of leakage wouldn't be a huge problem.

You could get a bit fancier and run DNS on the proxy server, so that the proxy uses itself for DNS resolution rather than the corporate DNS. That would let you do basic browsing while the corporate WAN is down.

The proxy would be the only box on the cable modem segment. It would also need an interface on some internal LAN segment. Default route on it would be via the cable modem, with routes to everything internal on the internal interface. Make sure you set the cable modem IP as Squid's outbound IP, and make sure your WPAD file doesn't use this proxy for anything internal. Everything else inside the network would have a default route pointing at the corporate WAN and wouldn't know anything about the cable segment.

The nice thing about this setup is that you don't have any address translation going on and only one IP per host. You can replace Squid with the proxy of your choice, doing as much or as little caching as you want to do (and other things if desired, like virus scanning, deep packet inspection, or content filtering - if your policy requires it).

Make sure you talk to your legal and/or HR about what logs should be kept or removed from the proxy. You may also want to repress X-Forwarded-For headers to keep your internal network addressing hidden while browsing. Also remember to make sure the proxy is secure enough to trust as a firewall for your corporation - or put it behind a firewall that is secure enough.
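A WPAD PAC file implementing the split the message describes (general browsing via Squid on the cheap link, anything internal DIRECT so it follows the corporate WAN default route), added here as an example and not part of the original message. The domain `.corp.example`, the 10.0.0.0/8 range and the proxy name are assumed placeholders, and the PAC helper functions a browser normally supplies are shimmed so the file can be exercised offline under Node.

```javascript
// Added example (not from the original message): a WPAD/PAC file for the
// split described above. Domain, address range and proxy name are assumed
// placeholders. Browsers provide isPlainHostName/dnsDomainIs/isInNet; the
// minimal shims below exist only so the file can be exercised offline in Node.

var INTERNAL_DOMAIN = ".corp.example";             // assumed internal DNS suffix
var INTERNAL_NET = "10.0.0.0";                     // assumed corporate range
var INTERNAL_MASK = "255.0.0.0";
var CHEAP_PROXY = "PROXY proxy.corp.example:3128"; // assumed Squid box

function ipToInt(ip) {
  // Dotted quad -> 32-bit number; null for anything that is not a literal IP.
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) return null;
  var n = 0;
  ip.split(".").forEach(function (o) { n = n * 256 + parseInt(o, 10); });
  return n >>> 0;
}

// --- shims for the PAC helper functions a browser normally supplies ---
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}
function isInNet(host, net, mask) {
  // A browser resolves host first; this shim only matches literal IPs.
  var h = ipToInt(host), m = ipToInt(mask), n = ipToInt(net);
  if (h === null) return false;
  return ((h & m) >>> 0) === ((n & m) >>> 0);
}

function FindProxyForURL(url, host) {
  // Internal names and addresses go DIRECT, i.e. via the corporate WAN
  // default route, so the cheap-link proxy never sees internal traffic.
  if (isPlainHostName(host) ||
      dnsDomainIs(host, INTERNAL_DOMAIN) ||
      isInNet(host, "127.0.0.0", "255.0.0.0") ||
      isInNet(host, INTERNAL_NET, INTERNAL_MASK)) {
    return "DIRECT";
  }
  // Everything else is general browsing: send it to Squid on the cable modem.
  // Appending "; DIRECT" here would fall back onto the expensive WAN when the
  // proxy is down, so it is deliberately left out.
  return CHEAP_PROXY;
}
```

On the Squid side, `tcp_outgoing_address` pins the outbound address to the cable modem interface and `forwarded_for off` keeps internal client addresses out of the X-Forwarded-For header the message mentions.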