Connecting a LAN to the Internet

Keywords: IPRoute, ISPA, ISDN, proxy server, sharing a connection to the Internet, modem sharing, IP Masquerading, Network Address Translation

This page contains information on how you can connect a LAN (Ethernet for instance) to the Internet, using a standard (personal) account. The focus will be mainly on using ISDN with IPRoute + ISPA. (IPRoute is, well, a software router for the TCP/IP protocol used by the Internet, and ISPA is an emulator which lets an ISDN card appear like an Ethernet card).

Introduction

A (personal) Internet account isn't that expensive anymore. Let's say you have a whole (Ethernet) network of computers at home. One for yourself, one for the kids, one on the toilet, you get the idea... Preferably, you want to access the Internet from each of those machines. One machine, which has the modem, will be the "middle-man" for the other machines. You want all connected machines to share the link to the Internet. If you have a couple of those "workstations", a 28K8 modem will probably not be enough. ISDN may be a good option in that case. If you use a feature called "IP Masquerading", you will be able to use a standard (i.e. cheap!) personal account to connect the LAN to your Internet Service Provider (ISP).

Examples of application

Here are some examples of connecting a LAN to the Internet. I already mentioned the "homebrew" LAN. In most cases people use a coax Ethernet cable so they can do without a "hub" (central interconnection device). Another application is a school which has a couple of computers and wants to connect to the Internet at low cost. Or you can think of a small office. I myself used IPRoute + ISPA (described later on) to connect the LAN of a user group (de HCC Amsterdam) to the Internet during meetings. If you have more than modest requirements (such as hooking up your webserver to the Internet 24 hours a day) then this webpage is probably not what you are looking for.

IP addresses

But first, a little bit of theory. Every computer connected to the Electronic Superhighway (the Internet) must have a unique "licence plate", called an IP address. But because of the growth of the Internet, it is running out of IP addresses. As with any scarce good, if you need more IP addresses you will have to pay!

Internet developers have devised schemes which help to limit the number of IP addresses needed. For instance, an ISP has a certain number of customers, but they can't possibly all be logged in at exactly the same moment. So the ISP buys a smaller block of IP addresses. When you call in to your ISP, you receive one of the IP addresses out of this block during the connection setup negotiation process. So you don't know your IP address in advance. This is called a dynamic IP address. Some ISPs also offer fixed addresses, but you will have to pay extra for such a static IP address.

Different approaches to sharing a connection

So you want to connect your LAN to the Internet. This means that there is one machine which has the link to the Internet (modem, ISDN card). Let's call that one the gateway computer, for simplicity. The gateway computer receives packets from the other machines (let's call those the workstation computers) and then passes them to your ISP. And vice versa.

I can think of four different strategies for connecting a LAN to the Internet. Invariably, all four work with one machine which forwards the packets it receives from the other machines.

I will discuss each of them in the next paragraphs.

Serial port sharing

As you probably know, you can share disk drives and printers under Windows for Workgroups, Windows 95, Warp 4 and Warp Connect. But it is even possible to share a serial port. A modem can then be attached to it. However, only Warp Connect and Warp 4 support serial port sharing out of the box. For DOS/Windows you need to buy additional software, such as Lantastic, Shiva, SpartaCom SAPS or Stomper. In most business setups, a special modem server is used which has multiple serial ports with modems. Workstation computers which connect to this server then get a virtual serial port, say COM6. The disadvantage is that only one user can have access to a modem at the same time, whether he uses it or not. He has to release the remote modem out of the goodness of his heart, once he's finished. The advantage is that the user has the full bandwidth of the modem at his disposal.

Routing

This is what most businesses use. They get a block of static IP addresses from their ISP and give each of their machines an IP address. In most cases, what I call the "gateway computer" is in fact a router, a special hardware device which forwards the packets. Some operating systems (Unix, NT, OS/2, etc. but not Windows 95) can route IP packets too. The disadvantage of routing is that it is more expensive, because you will have to 'buy' static IP addresses from your ISP. Not only that, the ISP will have to define a "route" to your own little subnet on their systems. That means they'll have to do some work and thus they want to be paid for it. It also means that intervention by your ISP is required, i.e. you can't do it all on your own. This is in contrast with the next two strategies.

Proxy servers

Routing works great for businesses which are connected to the Internet 24 hours a day. But what if you're not, and you still want to hook up a whole LAN to the Internet once in a while? One solution would be if somehow a workstation computer could ask the gateway computer to send and receive data on its behalf. The software which does the trick is called a proxy server. As far as the operating system is concerned, the proxy server is a normal TCP/IP application. A workstation computer sends a request to the gateway asking it to send data to the Internet. The data is sent using the gateway's IP address, and any response comes back the same way. Any number of computers on your LAN can use the connection in this way at the same time, as long as the data for separate requests is kept separate. The gateway computer can be a 'normal' PC with a standard Internet connection. There are several different ways to do proxying: using the SOCKS protocol, socket relays and application proxies.

The SOCKS protocol is defined by an official standard. TCP/IP applications have to support SOCKS (in other words: they must be SOCKSified) in order to connect to a SOCKS proxy server. Some do, but many of them do not. Some operating systems, such as Warp 4, have special support in their TCP/IP stack so that non-SOCKS-aware programs can be used with SOCKS servers.

With a socket relay, the proxy server mirrors ports from the remote machine on the Internet and makes them available as though it were providing the services itself. In this case, when a workstation on the internal network connects to, for instance, the SMTP port on the proxy server, the proxy server opens a matching socket on the connection to the Internet and then just ferries data between the two connections. Unlike SOCKS, a socket relay does not require any special support on behalf of the client program, so it can be used with most applications. The disadvantage of socket relays is that not all protocols can be handled. For instance, using the FTP protocol in non-passive mode is very problematic, and is not normally possible with a socket relay system.

An application proxy is a special TCP/IP program that knows about a particular application protocol, and will accept requests using this protocol. A common example of this is the HTTP proxy provided by many Internet service providers. This program accepts HTTP requests from clients using the HTTP protocol and converts them to requests to other HTTP servers. The resultant data is then copied back to the client computer. This approach has the advantage of allowing the proxy server to make use of its special knowledge about the application protocol in order to make the request more efficient. For example, most HTTP proxies will cache requests and can respond without requiring any further network access if the requested page is already in the cache.

IP Masquerading

Some operating systems, most notably Linux, have the capability to perform IP routing with the addition of changing the IP address in the packets on the fly, i.e. as the data is passed through from the LAN to the Internet. In IPRoute this feature is called Network Address Translation (NAT), but I decided to use the Linux term "IP Masquerading" because it is better known and, confusingly, ISPA also has a feature called NAT (used for a different purpose).

IP Masquerading is a feature of the TCP/IP stack. The TCP/IP stacks in most commercial operating systems (Warp, Windows etc.) don't support IP Masquerading. At the moment, IP Masquerading is only found in TCP/IP stacks written by "independent" programmers. Linux comes with full source code, so that made it a bit easier to implement IP Masquerading. The shareware DOS application IPRoute is another example. It comes with its own custom TCP/IP stack supporting IP Masquerading.

Let's say in the following example that you use IPRoute for IP Masquerading. IPRoute changes the source addresses in the packets it receives from the workstation machines to the address it is using itself. For example, two workstation machines can each run a webbrowser. IPRoute changes the addresses so the ISP thinks both webbrowsers are running on one and the same machine! There's nothing strange about that; it has always been possible to run multiple webbrowsers on one machine.

Running servers (say, webservers) on multiple workstation machines is a bit less transparent. Most servers listen on a "well-known" port number. For a webserver this is port 80. But only one server can listen on a port at a time. That means that the gateway machine can remap a given port to only one workstation machine. So, if you want to run more than one webserver on your internal network which must all be reachable from the outside, there is a problem. Fortunately, there is also a solution. Let's say you have webservers on port 80 of each of the workstation machines 192.168.0.2, 192.168.0.3 and 192.168.0.4. You can remap port 80 on the gateway machine to port 80 on 192.168.0.2, port 81 to port 80 on 192.168.0.3 and port 82 to port 80 on 192.168.0.4. People on the outside will have to specify URLs with "non-standard" ports for the last two workstation machines, say http://www.fwi.uva.nl:81/ and http://www.fwi.uva.nl:82/. It works but it isn't very elegant...
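The address rewriting and port remapping just described, as an added toy model (not IPRoute's code, which isn't public): a gateway at 145.220.128.13 rewrites outgoing packets from the 192.168.0.x workstations to its own address and a fresh port, maps replies back through a session table, and forwards public ports 80, 81 and 82 to the three internal webservers. The outside address 165.113.58.253 comes from the ping test later on this page; 203.0.113.9 is a constructed sample address.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class Masquerader:
    """Toy IP Masquerading gateway: one public address in front of 192.168.0.x."""

    def __init__(self, public_ip: str, first_port: int = 60000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        # (proto, public port) -> (internal endpoint, remote endpoint it talks to)
        self.sessions: Dict[Tuple[str, int], Tuple[Endpoint, Endpoint]] = {}
        # full internal flow -> public port, so an existing flow keeps its port
        self.reverse: Dict[Tuple[str, str, int, str, int], int] = {}
        # static inbound forwards: (proto, public port) -> internal endpoint
        self.forwards: Dict[Tuple[str, int], Endpoint] = {}

    def add_forward(self, proto: str, public_port: int, ip: str, port: int) -> None:
        self.forwards[(proto, public_port)] = (ip, port)

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> Internet: rewrite the source to the gateway and note the session."""
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        public_port = self.reverse.get(flow)
        if public_port is None:
            public_port = self.next_port
            self.next_port += 1
            self.reverse[flow] = public_port
            self.sessions[(pkt.proto, public_port)] = (
                (pkt.src, pkt.sport), (pkt.dst, pkt.dport))
        return replace(pkt, src=self.public_ip, sport=public_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> LAN: deliver replies and forwarded ports, drop everything else."""
        if pkt.dst != self.public_ip:
            return None
        key = (pkt.proto, pkt.dport)
        if key in self.sessions:
            internal, remote = self.sessions[key]
            # Only the host the workstation actually contacted may use this session.
            if (pkt.src, pkt.sport) != remote:
                return None
            return replace(pkt, dst=internal[0], dport=internal[1])
        target = self.forwards.get(key)
        if target is None:
            return None   # unsolicited: no workstation asked for this, nowhere to deliver
        return replace(pkt, dst=target[0], dport=target[1])


def build_gateway() -> Masquerader:
    """The 80/81/82 remapping from the text: three internal webservers on port 80."""
    gw = Masquerader("145.220.128.13")
    gw.add_forward("tcp", 80, "192.168.0.2", 80)
    gw.add_forward("tcp", 81, "192.168.0.3", 80)
    gw.add_forward("tcp", 82, "192.168.0.4", 80)
    return gw


if __name__ == "__main__":
    gw = build_gateway()
    # Two workstations browse the same outside webserver; 203.0.113.9 is constructed.
    a = gw.outbound(Packet("tcp", "192.168.0.2", 1025, "165.113.58.253", 80))
    b = gw.outbound(Packet("tcp", "192.168.0.3", 1025, "165.113.58.253", 80))
    print("outside sees", a, "and", b)
    print("reply lands on", gw.inbound(Packet("tcp", "165.113.58.253", 80, gw.public_ip, b.sport)))
    print("port 81 lands on", gw.inbound(Packet("tcp", "203.0.113.9", 40000, gw.public_ip, 81)))
    print("port 23 gives", gw.inbound(Packet("tcp", "203.0.113.9", 40000, gw.public_ip, 23)))
```

The last line shows the side effect of masquerading that matters for a home LAN: a connection the outside initiates to a port you did not forward has no entry to match and is simply dropped.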

Routing vs proxy servers vs IP Masquerading

One of the major problems with using the SOCKS protocol is that it requires that clients be able to perform name lookups for external addresses, usually via DNS. This means that as well as implementing a SOCKS server, the proxy server must also provide a full DNS service to its clients. Additionally, some protocols do not lend themselves to transport via SOCKS. The FTP protocol, in non-passive mode, can be particularly difficult. A socket relay server can sometimes be used without access to a DNS server, but this is not always the case.

If you have several workstation machines which all hit the same webpage at the same time, a caching proxy server may provide better performance than a system with IP Masquerading. That is because the webpages can be served from the cache (local harddisk) instead of getting each of them over the modem/ISDN link. On the other hand, a caching proxy may require a more powerful machine with a big harddisk, i.e. you will probably not get away with a lowly 286, as you can with IPRoute...

(More to come...)

Specific products (IPRoute, WinGate etc.)

This list is incomplete, I agree...

Most web servers, such as Apache, Netscape, Microsoft IIS or IBM ICS, also provide (caching) proxy services.

IPRoute vs WinGate

Advantages of IPRoute over WinGate:

Advantages of WinGate over IPRoute:

Understanding NAT

Both IPRoute and ISPA use the word 'NAT' (Network Address Translation) for more or less different purposes. I will try to explain the differences.

In ISPA, NAT is used for handling the dynamic IP address you get from your ISP. It works like this. When ISPA gets the dynamic IP address from the ISP, there is no mechanism which allows the application running on top of ISPA (IPRoute, NCSA Telnet, etc.) to learn that IP address! So ISPA uses a trick. In both the application and ISPA you specify the same dummy IP address, in advance (I use 145.220.128.13, but anything is allowed). This allows both to communicate with each other. Now, when ISPA dials out and receives the real dynamic IP address, it rewrites the address in the packets on the fly, so that the application only ever sees the dummy IP address. This way, ISPA uses the dynamic IP address it gets from the ISP, but the application (IPRoute) thinks it has a static IP address!

IPRoute also has a NAT, but it's used for a different purpose. It allows multiple machines connected to a LAN to access the Internet through only one IP address. This is what I earlier called IP Masquerading.

Setting up IPRoute + ISPA

Here are the configuration scripts I am using. Hopefully they are a good enough example. Of course you have to remove the comments at the right hand side of ISP.BAT. By the way, ISP stands for Internet Service Provider in the following. Because we have two service providers, I made two different sets of batch/configuration files.

ISP.BAT (located in root directory)

@echo off
\network\ne2000 0x61 10 0x300  <- Load packet driver for Ethernet card (in
cd \online-i                      this case an NE2000 on IRQ 10, port 300)
call starts0.bat               <- Load the CAPI driver for your ISDN card
cd \network\ispa                  (in this case a Teles S0/16.3)
ispap ? 0x60 isp.ini           <- If/when you have registered ISPA,
cd \network\iproute               replace '?' with your registration key!
ipr isp.ipr                       (with '?' it will only work for 20 minutes).

ISP.INI (located in \NETWORK\ISPA)

# call with ISPAP.EXE
#
# global options:
#-u                             # Uncomment if you want only one active channel 
-w                              # DOS activity display: on
-d                              # Disconnect on release: on
-m 145.220.128.13               # Dummy IP address for comm. with IPRoute
#
# because no IP-address is specified all packets (unicast and
# broadcast) are forwarded to the peer.
#
# for all other options the defaults are used
#
# REPLACE ispphonenumber, myloginid, mypassword WITH YOUR INTERNET ACCOUNT INFO!
# -c is used here for CHAP authorization. Delete the -c if you need PAP.
# -p means: synchronous PPP over HDLC (which seems to be the 
#           most used protocol)
0.0.0.0  ispphonenumber -c -p -n myloginid,mypassword -o -r -t 240

ISP.IPR (located in \NETWORK\IPROUTE)

set log file out.txt
set log raw on
set log monitor on

; ISPA packet driver on 0x60. Use the dummy IP address for comm. with ISPA.
packet isdn0 0x60 145.220.128.13/24
; Route all packets to remote side of ISDN line (your ISP). The IP address
; used here doesn't seem to matter. You might just as well leave it this way.
route * isdn0 145.220.128.1

; Allow the following incoming connections
nat isdn0 tcp 192.168.0.2:80   145.220.128.13:80
nat isdn0 tcp 192.168.0.2:1376 145.220.128.13:1376
nat isdn0 tcp 192.168.0.2:21   145.220.128.13:21
nat isdn0 tcp 192.168.0.2:20   145.220.128.13:20
nat isdn0 udp 192.168.0.2:2213 145.220.128.13:2213

; Allow all outgoing connections
nat isdn0 *   *                145.220.128.13
;   Configure ethernet interface on network 192.168.0.0/24
packet en0 0x61 192.168.0.1/24
;   Broadcast RIP routes on the ethernet
;   Start a command interpreter on the console
command
exit

You can get packet drivers for Ethernet cards from this site. Please don't be alarmed if the system stops running after about 20 minutes. That's the shareware limitation if you haven't (yet) registered ISPA.

In ISP.IPR, you find several nat isdn0 lines. With these I tell IPRoute to route incoming sessions on ports 80 (WWW), 1376 (OS/2 Person-to-Person), 2213 (Kali games) and 20/21 (FTP) to one particular machine (mine :-). However, Dave Mischler told me that you can route all incoming sessions (any port) to one machine (in my case 192.168.0.2) if you use the following line instead of the five tcp/udp NAT lines:

nat isdn0 * 192.168.0.2 145.220.128.13

So what I am doing is a bit of a hassle.
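A small audit of those nat lines, added here as an illustration (not IPRoute's own parser): it reads rules in the form shown in ISP.IPR, treating the third field as the internal endpoint, the fourth as the public endpoint and * as a wildcard, which is my reading of the comments above rather than IPRoute's documented grammar, and then lists which public ports an outside host can reach and where they land. Run over the five explicit lines versus the single catch-all line it shows the trade-off: the catch-all saves typing, but opens every port of 192.168.0.2 instead of five.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class NatRule:
    iface: str
    proto: str                    # "tcp", "udp" or "*"
    internal_ip: str              # "*" = any LAN host (outgoing masquerade rule)
    internal_port: Optional[int]  # None = any port
    public_ip: str
    public_port: Optional[int]


def _endpoint(token: str) -> Tuple[str, Optional[int]]:
    """Split 'ip:port' or 'ip' into its parts (assumed ISP.IPR form)."""
    ip, _, port = token.partition(":")
    return ip, (int(port) if port else None)


def parse_nat_lines(text: str) -> List[NatRule]:
    """Pick the 'nat <iface> <proto> <internal> <public>' lines out of an ISP.IPR."""
    rules: List[NatRule] = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()    # ';' starts a comment in ISP.IPR
        if not line.startswith("nat "):
            continue
        parts = line.split()
        if len(parts) != 5:
            raise ValueError(f"unexpected nat line: {raw!r}")
        _, iface, proto, internal, public = parts
        internal_ip, internal_port = _endpoint(internal)
        public_ip, public_port = _endpoint(public)
        rules.append(NatRule(iface, proto, internal_ip, internal_port, public_ip, public_port))
    return rules


Exposure = Dict[Tuple[str, str], Tuple[str, Optional[int]]]


def inbound_exposure(rules: List[NatRule]) -> Exposure:
    """Map each reachable (proto, public port) to the internal endpoint it lands on.
    A port of '*' means every port of that host is reachable from the Internet."""
    exposed: Exposure = {}
    for r in rules:
        if r.internal_ip == "*":
            continue    # outgoing rule: workstations go out, nothing comes in unasked
        port = "*" if r.public_port is None else str(r.public_port)
        exposed[(r.proto, port)] = (r.internal_ip, r.internal_port)
    return exposed


def wide_open(exposure: Exposure) -> List[str]:
    """Internal hosts that have all of their ports exposed."""
    return sorted({ip for (_, port), (ip, _) in exposure.items() if port == "*"})


# The nat lines from ISP.IPR above, and the one-line alternative from the text.
EXPLICIT = """
; Allow the following incoming connections
nat isdn0 tcp 192.168.0.2:80   145.220.128.13:80
nat isdn0 tcp 192.168.0.2:1376 145.220.128.13:1376
nat isdn0 tcp 192.168.0.2:21   145.220.128.13:21
nat isdn0 tcp 192.168.0.2:20   145.220.128.13:20
nat isdn0 udp 192.168.0.2:2213 145.220.128.13:2213
; Allow all outgoing connections
nat isdn0 *   *                145.220.128.13
"""

CATCH_ALL = """
nat isdn0 * 192.168.0.2 145.220.128.13
nat isdn0 *   *                145.220.128.13
"""


if __name__ == "__main__":
    for name, cfg in (("explicit", EXPLICIT), ("catch-all", CATCH_ALL)):
        exp = inbound_exposure(parse_nat_lines(cfg))
        print(name, exp, "wide open:", wide_open(exp))
```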

When you start the ISP.BAT batch file, make sure that both IPRoute and ISPA start with no warning messages. The first test is to ping a workstation machine on the Ethernet network using the PING command at the console prompt of IPRoute, for instance: PING 192.168.0.2. If the ping test fails, verify that the packet driver installed correctly (IRQ, DMA, I/O port) and that IPRoute could access the packet driver for your Ethernet card.

Now ping a machine which is not located on your Ethernet LAN, i.e. a machine on the Internet, for instance PING 165.113.58.253, or use the IP address of the Domain Name Server your ISP told you to use. The modem/ISDN card will dial and establish a connection with your ISP.

On every workstation machine, you will have to specify the IP number of the Domain Name Server (DNS) of your ISP. If you have multiple ISPs, you can specify more DNSes. I'd love to have IPRoute perform some kind of DNS proxy service (so you can specify 192.168.0.1 as the DNS, which makes the workstation machines almost completely independent of the ISP used) but Dave says it's difficult to do. There might be a way to get around this, and that is by installing your own DNS or DHCP server. I guess Warp Server, NT, Linux or perhaps even Warp with extra stuff could do the trick.

I haven't quite figured out how to use both ISDN B-channels at the same time, to get a bandwidth of 128 Kbps. Probably because no ISP in the Netherlands supports it at the moment. However, I found the ADC Kentrox Pacesetter FAQ to be very informative on this subject.

Notes on IPRoute

Notes on ISPA

Alternatives for ISPA

There is a freeware "CAPI-to-packet driver" available, called PAPI. But this one has much less functionality (it has not been updated for a couple of years); for instance it doesn't support PPP, so it will probably not be of much use to you if you want to dial up to an ISP. It may work if you want to hook up two LANs of your own through ISDN, because as far as I understand it, PAPI's main use is to send whole Ethernet packets. I haven't quite figured out how they implement security (you don't want everyone to dial in to your Ethernet, do you? :-), perhaps with ISDN's Caller Identification...

CFOS (also here) is a piece of software that emulates a serial modem (with AT commands and all) using the CAPI driver of your ISDN card. It might be possible to use CFOS and IPRoute together, but I have no idea if it works. In that case, you will be using IPRoute's PPP implementation. With the ISPA + IPRoute combination I described earlier, ISPA's PPP implementation is used. A disadvantage of CFOS might be that it is less efficient than ISPA (CFOS emulates a modem, and modems work with one character at a time, while ISPA emulates a network card, and network cards work with packets), but I'm not sure. The advantage of CFOS over ISPA is that CFOS can be used for other communication programs too.

Notes on IPRoute + ISPA

Which applications will/won't work?

Most apps will work fine with IPRoute, without having to configure proxies. However, the workstation machines have dummy addresses (192.168.0.x) with both WinGate and IPRoute. If an application asks the machine it is running on what its IP address is, it gets the dummy address. When this address is sent to a remote side (say, for Internet telephony), that machine gets confused, because the packets it sends to the fake address may not get back to you. So, if an app doesn't work, this could be the problem.

If you switch over from WinGate to IPRoute, make sure that you turn off the proxy settings in your apps! :-) (For instance in Netscape, in Network Preferences / Proxies, click on "No Proxies").

Here's a list of TCP/IP applications which are known to work with IPRoute or WinGate, or not, or I just don't know because I haven't tried. More recent information on which apps are supported by WinGate can be found on the WinGate homepage.

If you have any additions/updates to this list, please mail me!

Alternatives for IPRoute + ISPA

Of course, if you have the money you can always buy hardware such as an Ascend Pipeline or an ADC Kentrox Pacesetter. For instance, Bill Lutton writes:

I have a setup that I just put together for evaluation that seems
to work pretty well for me, here is the recipe:
 - old 486/66 w/8MB & 130MB  (overkill) ($0 personal surplus)
 - a TC200-S6 460K serial card ($29 from www.byterunner.com)
 - an NE2000 LAN card ($30 from datacomm warehouse)
 - a Zyxel 2864iu external TA ($?)
 - IPRoute router software ($50 from www.mischler.com)
This system does "dial on demand" and call dropping after a configurable
amount of time for my 3 PC network. The Zyxel TA does utilization sensitive
adding/dropping of the 2nd B channel.  Total time to bring up the link (call
establishment & ppp negotiation) is ~2.5 sec.  FTP downloads run at 15200+
KBytes/sec.  Ping times are about 40ms. I've only been running it for a few
days but it already compares very favorably to my ~$1000 Ascend P75. The P75
connects in ~2.0 sec and is configurable over the LAN, but doesn't do NAT.

The advantages of special hardware over IPRoute + ISPA are:

The disadvantages of special hardware over IPRoute + ISPA are:

If you are running OS/2, there's also InJoy. It is a replacement for the "Dial Other Internet Providers" program supplied with Warp. InJoy supports IP Masquerading, at the moment for 4 users but more than 4 are also possible (at a higher price). In combination with cFos (see paragraph above), you can also run InJoy over an ISDN line. InJoy also does Dial on Demand.

The advantage of InJoy + cFos over IPRoute + ISPA is that you don't need to sacrifice a dedicated machine. It is probably easier to configure too. The disadvantage is that it is higher in price. Also don't forget that the unregistered cFos doesn't support sync PPP over HDLC, which makes it impossible to test InJoy + cFos with most Internet providers.

ISPA settings for Dutch ISPs

First read the part on how to set up IPRoute + ISPA and use the sample configuration files included there. Now, let's say your login ID is aladdin and your password is sesame. And you're calling your ISP's Point Of Presence (inbelpunt) in Amsterdam. Change this according to your own account info and location. I assume you want autodial and automatic disconnect after 240 idle seconds. Change ISP.BAT so that the correct settings for the Ethernet card and the ISDN card (CAPI drivers) are used. You should then only have to change one line in ISP.INI:

NLnet: use synchronous PPP over HDLC with PAP. NLnet also wants the login ID to be specified in a rather strange way. Configure your workstation machines to use the Domain Name Server (DNS) 193.67.237.6
0.0.0.0 0206638251 -p -naladdin@inter.nl.net,sesame -o -r -t 240

Planet Internet: use synchronous PPP over HDLC with CHAP. Planet Internet says they do not support VDOLive and Cuseeme. I don't know if that means they will block such traffic. Also, in most cases I could not reach servers running on my local network from the outside (Internet), perhaps this inbound traffic is blocked because of security reasons. Configure your workstation machines to use the Domain Name Server (DNS) 145.220.1.7
0.0.0.0 0206933004 -c -p -naladdin,sesame -o -r -t 240

XS4ALL: use synchronous PPP over HDLC with PAP. Seems to support B-channel bundling so you get 128Kbps? Configure your workstation machines to use the Domain Name Server (DNS) 194.109.6.66
0.0.0.0 0204229700 -p -naladdin,sesame -o -r -t 240

Euronet: use synchronous PPP over HDLC with PAP. Configure your workstation machines to use the Domain Name Server (DNS) 194.134.5.5
0.0.0.0 0204274330 -p -naladdin,sesame -o -r -t 240

Author and credits

Most of the information in this document comes from discussions with Dave Mischler and Herbert Hanewinkel. Some parts on routing and proxy servers were shamelessly stolen from the FireDoor FAQ. It seems to be copyrighted and I haven't asked permission to use it so don't tell them anything :-). On the other hand, if you do, ask them to correct the crap about security holes with IP Masquerading at the same time...

I would like to thank Herbert Hanewinkel for generously providing me an ISPA registration key when the CIPA key turned out to be almost useless because of a buggy driver. In return, this document was written...

I'm a Computer Science student at the University of Amsterdam. If you want to contact me:

Jacco de Leeuw
J.C. van Wessemstraat 54
1501 VM  Zaandam
The Netherlands
Internet:   leeuw@fwi.uva.nl
WWW homepage:   http://carol.fwi.uva.nl/~leeuw/
Fidonet:

If you email me and you get an "Unknown User" email message back, it could be that my account has been cancelled because I graduated (especially if you are reading this months after the creation date of this document). Use Alta Vista to find my new email address. A couple of times I received email from people who hadn't entered their return email address correctly, so I couldn't email them back with help. Please check your return address (especially if you're using a PC email client) or better yet, include it in the body of your email message.
