Steelhead Swims to the Mainstream

Microsoft's new Routing and Remote Access Service offers enough routing power to take on jobs traditionally assigned to dedicated routers.

Mark Minasi

July 31, 1997


In the Pacific Northwest, some rainbow trout move from rivers to the open water--large lakes or even saltwater. At that point, they're no longer rainbow trout. They're called steelhead trout, Oncorhynchus mykiss. They're still good eating, but they're a fight, and you have to watch for bones.

Microsoft's Routing and Remote Access Service (RRAS) is the newest version of its Multi-Protocol Routing (MPR) software for Windows NT Server. Before release in June, the product was code-named Steelhead, and it has a few things in common with the fish. For one thing, MPR software has moved from a very basic routing system that Microsoft never intended for heavy-duty use--more suited to the smaller tributaries and woodland streams of most intranets--to (Microsoft claims) enough routing power to take on jobs dedicated routers currently do. (Or perhaps the ichthyological name shows that it scales well--sorry, couldn't resist.)

With a new version of MPR, I decided to revisit a subject that I covered in several columns in 1996--using NT Server as a LAN/WAN Internet router for a small C class or Classless Inter-Domain Routing (CIDR) network. But RRAS does more than make existing NT routing tasks easier; it adds new capabilities, including single-seat router administration, greater speed, support for Open Shortest Path First (OSPF) routing, integration with Point-to-Point Tunneling Protocol (PPTP), and packet filtering.

The Test Spawning Ground
I tested the Steelhead beta software, which Microsoft released as RRAS as I finished writing this article. The scenario I tested was basic, what Microsoft calls "home-office LAN" in the Steelhead documentation. Figure 1 shows the configuration.

Suppose you have a small business (or a small part of a large business) and want to connect your local LAN to the Internet over a dial-up connection. You could always do this with NT, but doing so was a bit of a pain. Steelhead makes it easier for the NT Server to act as your LAN/WAN Internet router. The solution isn't perfect, but it's an improvement.

I started with a C network, or CIDR block of addresses, from my Internet Service Provider (ISP). To set up a router with NT, I also needed a machine with at least 32MB of RAM, NT Server 4.0, Service Pack 2 (SP2), Steelhead beta 2, a modem, Integrated Services Digital Network (ISDN) or other Remote Access Service (RAS)-capable connection, and a network card. Other PCs on my local network have network cards, and I had to configure them with IP addresses from the block my ISP provided.

First, I set up all the PCs on the LAN with the ISP-provided IP addresses. This step is important: Each machine must have a separate and distinct, honest-to-goodness Internet address. Do not make up addresses, and do not use the non-routable addresses. (A surprising number of people email me looking for help in setting up their routers, and the problem turns out to be that they just made up some IP addresses.)

Then, I set up the NIC on the router PC and gave it an ISP-supplied address. The router PC eventually ends up with two IP addresses, one for the NIC and another for the RAS connection to the ISP. I installed a fresh copy of NT Server 4.0 on the router machine from the distribution CD-ROM. I did not install RAS, because Steelhead removes RAS before installing. I pointed all the PCs' default gateways to the IP address on the router PC's NIC. Then I made sure that all the PCs on the LAN could ping each other. With that done, I knew the LAN worked properly.

I installed SP2 on the router PC; yes, that's SP2, because SP3 didn't work with Steelhead and my dial-up configuration. Microsoft fixed this problem for the final release, and RRAS requires SP3. I then installed Steelhead. It arrived as one EXE file but expanded to several files that install with the command mprsetup where is the directory that those files reside in. The setup program offers check boxes to let Steelhead handle network connections, routing, and dial-up connections; I checked them all, and the system restarted.

Next, I logged on at the server, opened up Dial-Up Networking (DUN), and figured out how to connect to my ISP. I wasn't worried about routing yet; I just wanted to get the NT Server to successfully dial up the ISP and establish a Point-to-Point Protocol (PPP) connection so that I could ping and run Internet Explorer and the like from the NT Server--I'll discuss routing to the other PCs a bit later. Mike Reilly covered using DUN to dial in to an ISP in "New to NT: Remote Access Service," May 1997, so I won't repeat how to do it here. You have to noodle around with the IP parameters to make a PPP connection with your ISP work well. And when I say, "You have to noodle," I mean it. My ISP had a specific FAQ on connecting with RAS and DUN, and some recommended settings were wrong. If tech support from your ISP is like tech support from most ISPs--that is, practically nonexistent--plan to spend a day or two messing with the DUN parameters. If you use a full-time connection such as a Frame Relay Access Device (FRAD), look to tech support for that device. In this case, don't buy the FRAD until you speak to both your ISP and the FRAD maker to be sure that someone will be around to help get you up and running.

You'll also need to experiment to find out how to automate your dial-in. With ordinary DUN, you can just tell NT to pop up a terminal window that lets you type in your username and password. But RRAS doesn't let you do that. Your ISP has to support Password Authentication Protocol (PAP) or Challenge Handshake Authentication Protocol (CHAP), or you'll need to write a login script. Now is the time to get the bugs out of this procedure, before you start worrying about routing. My ISP supported PAP, so authentication wasn't a problem.

Once you figure out all that ISP configuration stuff, write it down and keep the information in a safe place. Now you're ready to route.

If you've tried to make an NT Server act as a LAN and WAN IP router, you know that at this point, you must typically make a handful of Registry changes and reboot. But with RRAS, this stage is easy downstream swimming.

RRAS has an administrative tool called Routing and RAS Administrator; you'll find it in the Administrative Tools group. In my example, Steelhead doesn't yet know about the dial-in connection, so you'll see a screen similar to Screen 1, showing only the Ethernet connection. Steelhead doesn't know about the modem, so I had to build the WAN link. I right-clicked the Ethernet interface to get the Add Interface option. That action kicked off the Demand Dial Interface Wizard, which looks a lot like the wizard that helps create new phone book entries. A couple of clicks in, I found Screen 2, which tells Steelhead that I'm using this modem as a dial-up IP router. The next few screens are similar to ordinary New Phonebook Entry wizard screens. The last screen let me set filters, which I'll get back to in a moment. Routing and RAS Admin then looked like Screen 3; note the new interface, Clark Net. The Clark Net line type is demand-dial, meaning that the interface senses when you need it. In my example, I haven't tried to route through it yet, so it's disconnected.

You must take one more step before routing. The router knows that an Ethernet interface and a demand-dial interface exist, but it doesn't know anything about the demand-dial interface--what IP addresses the router can access through this dial-up interface. RRAS needs a static route to get to the Internet. To add a static route, I clicked the plus sign next to IP Routing and right-clicked the Static Routes line. That step gave me an Add Static Route option, and I saw the dialog box in Screen 4.

I filled in the values: The first two are trivial because this connection will be a gateway to the Internet, and the Internet's network address is 0.0.0.0 and subnet mask is 0.0.0.0. I also had to fill in a gateway address, the one an ISP assigns to you when you dial in. Your router must have the same dial-in IP address as the gateway address, as near as I can tell. When you get a CIDR block or C network from your ISP, make sure the ISP always assigns the same address when you dial in. I filled in the metric of 2, because my connection has a hop across the router to get to the Internet; if you set the metric to 1, you might not be able to route within your local network. The Interface lets me associate this route with my dial-up connection, the Clark Net interface.

Next, you need to wake up the demand-dial connection. I went to a PC on my network and tried to ping a location such as www.microsoft.com. Now the cool stuff happens. From across the Ethernet, my NT Server router got the clue that it needed to dial up, and did. At this point, I was live on the Net using an NT Server as a router. The connection takes a couple of minutes to get set up, so your first few pings might fail. I usually set a big timeout, like

ping www.microsoft.com -w 10000

What's the Catch?
Other than the two pitfalls I've mentioned so far--you must end up with the same IP address all the time on the demand-dial interface, and you need to use either PAP/CHAP or an authentication script--how does the rest of RRAS work? For the application I explored here, I give Steelhead a grade of C; sometimes it seemed more like a croaker. The modem connection sometimes dropped for no apparent reason in the middle of transferring data. Steelhead, my ISP, or perhaps line noise was at fault. Other times, the connection stayed up, but the Steelhead router stopped responding to external pings. I attempted to send the four screenshot bitmaps that you see in this article over the connection as attachments to a mail message. But the connection never stayed up long enough to perform the operation, and I had to SneakerNet the files over in the end. The router was sometimes smart enough to reconnect, but not always. Sometimes the connection dropped--the off-hook light on the modem turned off--but the Routing and RAS Admin program showed the connection still up. Other times, I had to drop the connection manually and force it to reset before I could get packets to route correctly.

All in all, Steelhead wasn't as hands-off as I'd like. But it was a big improvement over messing around with Registry parameters. And my old method of making NT act as a LAN/WAN router wasn't kosher in the eyes of Microsoft tech support, which meant that if you couldn't make it work, you were high and dry. Presumably that lack of support won't be true with RRAS.

I'd like to see a throughput measure built into the tool, but Perfmon's RAS counters let you watch those statistics. And the user interface is a bit clumsy. For example, I had to fumble around just to dump the IP routing table from the GUI, although the familiar route print command works just as well as it ever did. And best of all for us stodgy old command-line types: From the command line, you can use routemon to do everything that you can do from the GUI.

To answer whether the problem was the router or the ISP, I re-implemented the C network connection to the ISP with a dedicated router, the Micro Router 900i (MR900i), from Compatible Systems. The MR900i is reasonably priced (about $850 discounted) and comes with an Ethernet connection and a serial port, a nice basic LAN-to-WAN router. It does not do Open Shortest Path First (OSPF) or port filtering (or at least the one I own doesn't; Compatible Systems' Web site shows that later models do), but you can do single-seat management of multiple Compatible routers through a Windows program that comes with the router. Rebuilding the network with the Compatible router was a snap--no hitches--and the PCs on the network were able to access the Internet for big and small jobs without trouble. This result suggests that the instability lay in the Steelhead software.

Trolling for More
Well, suppose you're concerned about security in your intranet. In that case, RRAS is quite a catch. Virtual Private Networks (VPNs) offer one approach to Internet security. They let you use the Internet as a big, private LAN. PPTP lets you do that trick, but for the best PPTP security, the router machine must also be the PPTP server. RRAS's higher performance means that you can use an NT machine as your LAN/WAN router even on a T1 connection, and that machine can also act as a PPTP server.

Or you might choose to open your network to the Internet but protect the network from people using NetBIOS over TCP (NBT) to penetrate your network. In that case, filter TCP and UDP ports 135 through 139. Under IP Routing/Summary, right-click the WAN link and choose IP Configuration to get a dialog box that lets you filter particular ports from particular locations. With such precise control, you can, for example, filter out port 25 from a particular IP address, denying that address the ability to send Internet mail to mail servers inside your network.
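
As an added illustration (not from the original article, and not RRAS's own configuration syntax), the following Python model evaluates the two WAN input filters described above against constructed sample packets. The rule structure, the forward-unless-matched behaviour, and the documentation addresses 192.0.2.77 and 198.51.100.9 are assumptions chosen for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class DropRule:
    """One input-filter entry on the WAN interface (a model, not RRAS syntax)."""
    protocols: frozenset   # protocols covered, e.g. {"tcp", "udp"}
    src_net: str           # source network in CIDR form; "0.0.0.0/0" means any
    port_lo: int           # first destination port covered
    port_hi: int           # last destination port covered
    reason: str

    def matches(self, proto, src_ip, dst_port):
        return (proto in self.protocols
                and ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src_net)
                and self.port_lo <= dst_port <= self.port_hi)

# Constructed rule set: the two filters the article describes.
# 192.0.2.77 stands in for "a particular IP address" (assumed value).
WAN_INPUT_FILTERS = [
    DropRule(frozenset({"tcp", "udp"}), "0.0.0.0/0", 135, 139, "NBT range 135-139"),
    DropRule(frozenset({"tcp"}), "192.0.2.77/32", 25, 25, "SMTP from blocked sender"),
]

def filter_wan_input(proto, src_ip, dst_port, rules=WAN_INPUT_FILTERS):
    """Return ("drop", reason) for the first matching rule, else ("forward", None)."""
    if not 0 <= dst_port <= 65535:
        raise ValueError("destination port out of range")
    for rule in rules:
        if rule.matches(proto.lower(), src_ip, dst_port):
            return ("drop", rule.reason)
    return ("forward", None)

# Constructed sample packets arriving on the WAN link: (protocol, source, dest port).
SAMPLE_PACKETS = [
    ("tcp", "198.51.100.9", 139),  # NetBIOS session service: dropped
    ("udp", "198.51.100.9", 137),  # NetBIOS name service: dropped
    ("tcp", "198.51.100.9", 25),   # mail from an ordinary host: forwarded
    ("tcp", "192.0.2.77", 25),     # mail from the blocked address: dropped
    ("tcp", "192.0.2.77", 80),     # other traffic from that address: forwarded
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(pkt, "->", filter_wan_input(*pkt))
```

The port 25 rule is scoped to one source address, so mail from every other host still reaches the internal mail servers, while the 135 through 139 rule applies to any source.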

As the network gets bigger, walking around to all the NT Server machines to administer the machines acting as routers will become tiresome. But the Routing and RAS Admin tool can control any Steelhead router from one location. Large networks can't handle the chatty nature of the Routing Information Protocol (RIP), so you'll welcome RRAS's OSPF protocol support. Both RIP and OSPF are dynamic routing algorithms that discover routes through your network rather than requiring static routing.

Test the Water
RRAS takes NT's routing capabilities and moves them forward considerably. First, it runs faster than the built-in IP routing software and might now be good enough to replace dedicated routers. Second, single-seat management makes RRAS more practical to manage. Third, taking NT's LAN/WAN routing capabilities out of the closet and making them officially supported tools is incredibly significant not only for Internet users but also for ISPs who want to move from a UNIX-based network to an NT-based network. Add the PPTP and packet filtering capabilities, and RRAS is a neat tool.

That said, I must warn that prospective RRAS users must experiment with their IP environments to see whether RRAS does what they need. My experience with my ISP and the test C network would not have been sufficiently reliable to leave my intranet in the hands (fins?) of MPR. If you use the network constantly, stay with the compatible route. In fairness, remember I did those tests with beta software. Try out the release version and see whether it's a good catch or you'll want to just throw it back.
