Unlock Your Gateway to the Internet

Using an NT machine as a LAN-to-WAN Internet router

In recent columns, I've talked about IP routing and Windows NT, especiallyhow to use an NT machine as an Internet gateway, a LAN-to-WAN router. Inprevious columns, I advised you not to do so because my experiments withNT 3.5 and 3.51 as an Internet gateway didn't show impressive speed. But NT4.0's beta 1 seems to work as fast as a dedicated router, so I'll show you anInternet gateway method that works well on workstations and servers. (Microsofthas documented how to do a procedure like this, but I've never been able to makeit work. So don't be surprised that my method is different from the one in theWindows NT Resource Kit.)

Setup for this method isn't hard, except that each Internet Service Provider(ISP) has a different way for you to provide a username and password and set anIP address. To get your username and password, some ISPs need a simplecharacter-oriented terminal login, some want you to use the PasswordAuthentication Protocol (PAP), and some ask for the Challenge HandshakeAuthentication Protocol (CHAP). Most services use the terminal login, so I'vebuilt my example with that assumption. To set the IP address on your dialup orframe-relay connection, some services require you to hard wire an IP address onthe modem, and others automatically give you an IP address when you log on. Thelatter approach is prevalent, so I'll assume it's your ISP's method. You'll alsoneed your ISP's guidance in successfully using NT's Remote Access Service (RAS)to dial in to your ISP. If the ISP can't help you, my instructions here willprobably work.

In this example, I'll connect my C-class network, 199.34.57.0, to theInternet through my ISP, Digital Express--or Digex, as its customers know it. Ineed Digex's phone number, which is 301-555-1212 in this example. My Digexaccount number is xyzabc123, and my password is xyzzy.

For this discussion, I'll call the computer that will become an NT Internetgateway the gateway machine (and I'm not referring to computersfrom South Dakota). My gateway machine is running NT Workstation 4.0 and has anEthernet card and a 28.8Kbits-per-second (Kbps) modem.

Creating an Internet Router
With all the preparation done, let's step through creating an NT 4.0Internet router. If you're setting up NT 3.51, the procedure is similar, butyou'll have to get the Multivendor Protocol Router (MPR) from Microsoft's ftpsite (ftp://ftp.microsoft.com).

On the gateway machine, install IP with static addressing for the networkcard. Set the network card's IP address to something (I'll use 199.34.57.1),with whatever subnet mask makes sense for your network (255.255.255.0 for basicC-class networks). When you set the IP address on the network card, leave thedefault gateway address blank (for why you leave it blank, see "NTWorkstations Using an IP Router," Windows NT Magazine, May1996).

Next, install RAS and tell it what kind of modem you have and what portit's on. Reboot the system to complete RAS installation.

Now, no good NT twiddling is complete without some Registry work, so openregedt32 and go toHKEY_LOCAL_MACHINESystemCurrentControlSetServicesRasArpParameters. Create anew value entry, DisableOther SrcPackets of type DWORD, and set the value to 0.You will have to create this new value entry because this one isn't in that keyby default, and you need this entry to make this machine a router. This commandsays, "When you forward an IP packet, don't change the 'source' IP address."Otherwise, if machine B forwards a packet to machine C for machine A, thenmachine B changes the "From" part of the IP packet to B's own IPaddress. So, C thinks that the message originated with B instead of A. Settingthis Registry entry to 0 prevents that problem.

Warning: The Resource Kit setup tells you to make anothermodification to the Registry. Don't do it.

You can start RAS. It will point out that you have no phone book entriesand prompt you for a first entry. Let's make that entry the dialup instructionsfor your ISP. If you already have RAS entries, select Add to create anotherphone book entry with a descriptive name and phone number. For this example,Digex is the name.

Uncheck the Authenticate using current username and password box. This stepis necessary because my ISP does not use PAP or CHAP to authenticatelogins, but uses a terminal login. If your ISP requires PAP or CHAP, don'tuncheck the box. The Add Phone Book Entry dialog will look like screen 1.

Next, set up the specific options to get an IP address from the ISP and todo terminal logins. Select Advanced, and the dialog will open, as you see inscreen 2.

Choose Network, and you get a choice of protocols. As far as I can tell,you have to use Point-to-Point Protocol (PPP) to make this work, so click PPP.Then check only TCP/IP; uncheck NetBEUI and IPX (Internet Packet eXchange), andignore the advertisement for NetBEUI. Now, select TCP Settings. You will seescreen 3.

For my ISP, I choose Server assigned IP address. This choice is can bedifferent for your ISP, so ask the ISP for advice if this step doesn't work.

You can check Use VJ header compression to enable Van Jacobson headercompression. For connections slower than 28.8Kbps, you want to turn on VJcompression. For faster systems, turn VJ compression off. One way to decidewhether you need VJ header compression on or off is to find a few big files onan ftp site and download them. Try it with and without the header compression,and you'll see which setting is better.

Uncheck the Use default gateway on remote network option, close the dialog,and then select Security. Check the option, Use clear text terminal login.Again, this option is ISP-specific, but most ISPs use terminal logins.

Now you have to make your system forward IP packets. Remember the check boxEnable IP Routing? It's grayed out unless two or more network cards are on theControl Panel. The problem is that NT sees only one Ethernet card, so it graysout the routing option. This situation kind of makes sense because you need atleast two IP addresses in order to route. What makes no sense is thatthe IP addresses must be on network cards. NT ought to be smart enoughto enable forwarding when one IP address is a network card and the other is aRAS/PPP-derived IP address, but no such luck: NT must see two networkcards before it'll enable IP routing.

Or must it? You can pull one sneaky trick to enable the Enable IPRouting box. Select Control Panel, Networks, TCP/IP Protocol, Configure, andAdvanced. You'll get the Advanced TCP/IP Configuration window, and you canactually attach more than one IP address to a network card. So here's the trickto turn on IP routing: Go to your one network card and add a bogus IP address.The Enable IP Routing box will become enabled. Check it. Then remove the bogusIP address. The Enable IP Routing box will gray out, but it will staychecked!

I need to point out that in NT 4.0, you don't need any of that nonsense.You can go to Control Panel, Networks, Protocols, TCP/IP, Forwarding, and checkEnable IP Forwarding. You'll have to reboot.

Then you can start RAS and dial up your ISP. When the terminal screenappears, enter your username and password. When you get a message that yoursession has started, select Done.

Now that your system can forward IP packets, you need to find out what IPaddress your RAS connection is using. Type ipconfig, and look for Ethernetadapter NdisWan6:, or something like that. The IP address below it is the IPaddress connected to the outside world. For my example, it's 199.34.57.2.

Your system now knows how to find the outside world. Open a command promptand type routeadd 0.0.0.0 mask 0.0.0.0 x.y.z.a, where x.y.z.a is the IP addressyou just found for your RAS connection. In this example, I type routeprint0.0.0.0 mask 0.0.0.0 199.34.57.2

If you're a RAS expert, you're wondering why I told you to uncheck the Usedefault gateway on remote system option. All it does is automatically insert theline routeadd0.0.0.0mask 0.0.0.0199.34.57.2 in the routing table. So, why do allthe extra work? My answer is "Try it both ways." I have no idea why,but a RAS box won't route with Use default gateway on remote system. It willroute if you uncheck this box and manually enter the routeadd 0.0.0.0. How do Iknow? If I didn't know, this article couldn't have reached you: When I emailedit to Windows NT Magazine, a laptop running NT 3.51 was mytemporary Internet router.

Finally, make sure that all the PCs on your subnet point to the static IPaddress attached to the network card, not to the RAS connection. In thisexample, all the machines point to default gateway 199.34.57.1, the address ofthe Ethernet card in my router PC.

That's all there is to it. The machines on your subnet can now PING theoutside world, and you'll be connected to the Internet.

If you are not satisfied with your present ISP, or you just want to knowwhat else is available, you can get a list of ISPs on the Web athttp://www.commerce.net/directories/products/isp.You can search for an ISP by name and capabilities, or by its geographiclocation. You can also find information on what to look for in an ISP.