If one person has internet access, the whole village will be at ease! Two ways to break through LAN blockade

Hey! Dear friends, long time no see. Today I bring you an article about how to use an Internet-connected computer to break through the LAN blockade. Let's take a look!

Common network architecture

The above picture shows a common company and school network environment, which includes main router, layer 3 switch, layer 2 switch, point-and-shoot switch, wireless router, PC and other devices. In order to facilitate network management, the information department will also purchase behavior management router. This device is usually installed between the main router and the layer 3, using bypass or bridge mode. In a small network, the behavior management router can directly use the routing mode to replace the main router, behavior management, and layer 3 switch.

In this typical network topology, each device has a clear and simple purpose. The main router is used to connect to the external network through NAT and provide external network services. Behavior management is to monitor, detect and control the internal network traffic. Layer 3 switching plays the role of VLAN division and inter-VLAN routing, because the routing efficiency of Layer 3 switching far exceeds that of routers. Layer 2 switching is used for VLAN expansion and network expansion in physical distribution, while the fool switch is used for port expansion in a single space in the actual environment.

In order to implement external network control, behavior management is generally implemented as a whitelist strategy, that is, IP+MAC address binding. The usual breakthrough idea for this situation is to forcibly set the IP address and modify it to the MAC address of the whitelist user. This has obvious disadvantages. The other party will prompt an IP conflict. At the same time, the MAC address conflict will cause the switch's MAC address table to be continuously updated, causing the network to be slow.

To this end, we need a method that does not affect network operation in the true sense while allowing Internet access.

Here I will introduce two methods with the same essential meaning, but it should be noted that the prerequisite is that there must be a computer that can be used and access the Internet in the network, as shown in the figure.

1. Routing and forwarding mode

In routing forwarding mode, what we do on the whitelisted computer is very simple, we just need to turn on the forwarding mode.

LINUX system enables IPV4 forwarding function

 echo "1" > /proc/sys/net/ipv4/ip_forward

Enable IPV4 forwarding in Windows

In Registry Editor, locate the following registry key:

 HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/Tcpip/Parameters

Select an item below:

 IPEnableRouter:REG_DWORD:0x0
 To enable IP forwarding for all network connections installed and used by this computer, specify a value of 1.
 To turn off IP forwarding for all network connections installed and used by this computer, specify a value of 0.

Note that Windows requires a reboot after modifying the registry, but Linux does not.

In the client, we only need to set the gateway to the IP of the whitelisted PC. At this time, the whitelisted PC is in routing mode, which is equivalent to a router.

Test before modifying the gateway

 tracert 114.114.114.114
 Tracing route to public1.114dns.com [114.114.114.114]
 over a maximum of 30 hops:
 1 <1 ms <1 ms <1 ms 192.168.136.2
 ping 114.114.114.114
 Pinging 114.114.114.114 with 32 bytes of data:
 Reply from 114.114.114.114: bytes=32 time =10ms TTL=128

Test after modifying the gateway

 tracert 114.114.114.114
 Tracing route to public1.114dns.com [114.114.114.114]
 over a maximum of 30 hops:
 1 * * 1 ms 192.168.136.129
 2 <1 ms <1 ms <1 ms 192.168.136.2
 ping 114.114.114.114
 Pinging 114.114.114.114 with 32 bytes of data:
 Reply from 114.114.114.114: bytes=32 time =11ms TTL=128

At this point we will find that there is an additional route 192.168.136.129 before our route 192.168.136.2, and all our network traffic will be connected through the whitelist PC.

At the same time, our network structure has not changed at all, and we can still access resources within the LAN normally.

2. Proxy Server Mode

The proxy server mode is as its name suggests. We use a whitelisted PC to build a proxy server to access the Internet. We need to use the following two software

CCProxy proxy server software Proxifier global traffic proxy software

If you are a Linux user, you can use $$ (reference) to build the server and client, and the effect is the same.

Our network mode is no different from the above method and will not affect access within the LAN.

Server Setup

Install CCProxy on the whitelisted PC. This software is free for up to three users.

We only need to make some simple settings on the software and our proxy server is ready.

Check the auto-start and auto-hide options to enable silent startup of the software. Of course, we can also check the NT service to achieve a higher level of silent random startup.

Client Settings

Simple web proxy settings, Internet Options - Connections - Local Area Network (LAN) Settings - Proxy Server

Set the address and proxy port of the whitelisted PC, and check the option to skip the proxy server for local addresses, then you can browse the web.

Then there is a small problem here. Many software will not load the settings of Internet options. Isn’t it embarrassing that the software cannot access the Internet?

Here we need Proxifier global traffic proxy software

Install Proxifier on the client, the main configuration is in the configuration file options

The proxy server only needs to be configured as a SOCKS5 proxy for the whitelisted PC to complete the default proxy global Internet access.

Use other software to test the Internet and access the Internet normally.

At this point, you may be thinking, this is so simple, how can it be difficult? The difficulty mainly comes from the following two problems. First, the speed of SOCKS5 proxy is not as fast as HTTP proxy, which affects the Internet speed. Second, local LAN software such as Fei Ge and other software will also cause problems due to the proxy, which requires the use of Proxifier rules.

In the configuration file-proxy rules, we can see two default rules

 Localhost Any 127.0.0.1 Any Direct Direct connection
 Default Any Any Any Proxy connection

If we want to use http proxy for web pages, direct connection for Feiqiu, direct connection for LAN, and proxy for all others, we need the following configuration.

The effect achieved at this time is that IE and Feiqiu are directly connected without going through the proxy, the communication within the 192.168.136.0 network segment is directly connected without going through the proxy, and all other applications go through the proxy, perfectly achieving our goal.