
How can I force outgoing ip for specific applications? ForceBindIp doesn't seem to work


I have a dedicated Windows 2012 server with 12 dedicated IPs.

I want to be able to make connections simultaneously from two different IPs that I choose.

This will be used for two different browser applications.

I have tried the following:

ForceBindIP %IP_ADDRESS% %APP_EXE%

But the IP doesn't change, the browser always displays the lowest IP from my added range.

I have also experimented with a script that removes all the IPs, and then just adds one.

netsh interface ipv4 delete address "Ethernet" 104.251.111.110
netsh interface ipv4 delete address "Ethernet" 104.251.111.111
netsh interface ipv4 delete address "Ethernet" 104.251.111.112
netsh interface ipv4 delete address "Ethernet" 104.251.111.114
....
netsh interface ipv4 add address "Ethernet" 104.251.111.115 255.255.255.0

This changes the address BUT I end up having only one IP for both applications.


Solution

  • If the applications you intend to use don't support binding to interfaces/IPs (true, it's uncommon), you can use SOCKS or proxy software (which is a lot more common, especially for browsers).

    For instance you could install WinGate or Squid http://www.squid-cache.org (which is the one I know most).

    Squid-Cache has the ability to bind to different outgoing addresses based on rules (http://www.squid-cache.org/Doc/config/tcp_outgoing_address/).

    Basically what you need to do is:

    • install Squid
    • add ACL for loopback IP mapping, such as:

          acl IP110 src 127.0.0.1/32
          acl IP111 src 127.0.0.2/32
          [...]

          tcp_outgoing_address 104.251.111.110 IP110
          tcp_outgoing_address 104.251.111.111 IP111
          [...]

    • And the default, which is just formally needed:

          tcp_outgoing_address 104.251.111.110

    Each application will then need to be configured with a proxy (or SOCKS, if you go that way), which is a configuration option most commonly available. In the proxy configuration, set the corresponding local IP:

    • for outgoing connection using IP .111, use proxy on 127.0.0.2
    • for outgoing connection using IP .110, use proxy on 127.0.0.1
    • .. and so on.

    Make sure Squid (or WinGate) binds to localhost 127.0.0.1/24, so you shouldn't have big security concerns, but if this is exposed on the Internet you may want to proceed to a security assessment anyway.

    This way, if you decide to offload some application remotely to another server, you can still use the same outgoing IP(s); you just need to change the Squid configuration to allow external connections, which could be a big plus for scaling.
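
Added example, not part of the original answer or of Squid: the mapping described above comes down to binding the outgoing socket to a chosen local address before connecting. This Python relay forwards to one fixed upstream (it is a TCP forwarder, not an HTTP proxy) and picks the source address from the loopback address the application connected to; all function names are assumptions, and ROUTES reuses the sample addresses from the answer.

```python
import socket
import threading
from contextlib import suppress

# Sample mapping using the answer's addresses: the loopback address an
# application connects to selects the outgoing source address.
ROUTES = {"127.0.0.1": "104.251.111.110", "127.0.0.2": "104.251.111.111"}

def connect_from(source_ip, dest):
    """Connect to dest with source_ip as the local address (bind, then connect)."""
    s = socket.create_connection(dest, timeout=10, source_address=(source_ip, 0))
    s.settimeout(None)  # the timeout was meant for the connect only
    return s

def _pipe(src, dst):
    """Copy bytes src -> dst until EOF or error, then half-close dst."""
    with suppress(OSError):
        while (data := src.recv(65536)):
            dst.sendall(data)
    with suppress(OSError):
        dst.shutdown(socket.SHUT_WR)

def _handle(client, routes, upstream):
    try:
        # getsockname() on the accepted socket is the address the app dialled.
        out = connect_from(routes[client.getsockname()[0]], upstream)
    except (KeyError, OSError):
        client.close()  # no route, or source address not on this host: refuse
        return
    back = threading.Thread(target=_pipe, args=(out, client), daemon=True)
    back.start()
    _pipe(client, out)
    back.join()
    client.close()
    out.close()

def _accept_loop(srv, routes, upstream):
    with suppress(OSError):  # accept() raises once the listener is closed
        while True:
            client, _ = srv.accept()
            threading.Thread(target=_handle, args=(client, routes, upstream), daemon=True).start()

def serve(routes, upstream, port=0):
    """Listen on each address in routes only (never 0.0.0.0); return listeners."""
    listeners = [socket.create_server((ip, port)) for ip in routes]
    for srv in listeners:
        threading.Thread(target=_accept_loop, args=(srv, routes, upstream), daemon=True).start()
    return listeners
```

Because the listeners are bound to the loopback addresses in the mapping and nothing else, the relay is unreachable from other hosts; a connection to an address with no route is closed without any outgoing connection being made.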