If you have two Local Area Networks that need to communicate with one another, or a small TCP/IP LAN that you would like to connect to the Internet, or some incoming modems you want to pass thru to the net, it is possible to do this just using Windows NT without a dedicated router. People who use dedicated routing equipment will tell you that using NT as a router is a relatively slower and less efficient way to do routing when compared to equipment such as Cisco routers, Ascend Pipelines, etc. They are correct. But, if you already have the NT system or cannot afford dedicated routing equipment, or only have a small LAN or a dozen or so modems, it is an inexpensive solution that is satisfactory in many situations.
The instructions on these pages will walk you through setting up a Microsoft Windows NT Workstation or Server system to act as a Router or as a Gateway to the Internet via a directly connected Ethernet link. For information on setting up this type of connection using Remote Access Service (RAS) and Dial-Up Networking (DUN), see the article Setting up a Windows NT system as an Internet Gateway and Router using RAS and DUN. For additional information on using NT and RAS to service modems as a dial-in server, see the article Building a Windows NT Internet Dial-In Server with RAS.
--------------------------------------------------------------------------------
Routing
For Windows NT to route from one LAN segment to another there must
be at least two network interfaces on the system. An interface can be an
Ethernet Network Interface Card (NIC), an ISDN interface card, an X.25
connection, a modem using RAS, or any other connection on the NT system
over which network communications can be established.
For NT to route from one interface to another it is important that the routing software be able to tell that they reside on different physical network segments. The software determines this by comparing the IP Addresses and Net Masks. One of the most common errors encountered in setting up NT as a router is not properly setting the addresses and net masks.
Routing software uses net masks to determine the physical segment on which a given address resides. For example, with an interface that has an address of 234.56.78.90 and a netmask of 255.255.255.0, routing software will determine that the interface resides on the physical segment 234.56.78.0. This is done by using a logical AND operation and isolating the part of the address matching that part of the mask that is all binary ones. If a packet of data comes to the router software across that interface with any address in the 234.56.78.1 through 234.56.78.254 range, the software will assume that the destination is on the same physical segment as the interface and will not route it.
If you have a single network of IP, for example a single Class C network, and you need to segment your LAN into two physical segments and route through NT, then you must use sub-netting to establish that the two segments are physically separated. For more information on sub-netting, see the article "How does IP Subnetting work?".
--------------------------------------------------------------------------------
Default Gateways
When setting up routing it is not only important to identify which
physical segment is attached to which interface, it is also important to
establish where the "rest of the world" can be found. The routing software
will examine the destination address of a packet to determine where it
should be sent. If it is addressed to a segment that is directly attached
to the router system, then the software will route it to the interface
attached to that segment. If it is addressed to a segment that falls within
a specific route in the routing table, again it will be routed to the proper
interface. If the destination of the packet is not specifically determined
by the routing table, then the routing software will send it to the default
gateway for handling.
In most common NT router situations you will have one Isolated Network connected through an NT router system to a Connected Network which has another router that is in turn connected to the rest of the world (commonly the Internet). The router connected to the rest of the world is referred to as the External Router. The default gateway for all systems connected to the Isolated Network would be the interface of the NT router system that is on the Isolated Network. The default gateway of the NT router system would be the interface of the External Router that is on the Connected Network.
In this way, a packet originating from a system on the Isolated Network that is addressed to a system out on the Internet will first go to the NT router. From there it will be passed to the External Router, and from there on out to the Internet.
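The segment test from the Routing section and the forwarding order from this section, worked through as an added example (not code from the original article). Apart from the article's 234.56.78.90 / 255.255.255.0, every address, route and name below is a constructed assumption.

```python
# Added example: net-mask segment test and forwarding decision.
# All addresses except 234.56.78.90 / 255.255.255.0 are constructed.

def ip_to_int(addr):
    """Convert a dotted-quad address or mask to a 32-bit integer."""
    octets = [int(part) for part in addr.split(".")]
    if len(octets) != 4 or any(o < 0 or o > 255 for o in octets):
        raise ValueError("not a dotted-quad IPv4 value: %r" % addr)
    value = 0
    for o in octets:
        value = (value << 8) | o
    return value

def int_to_ip(value):
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def segment(addr, mask):
    """Logical AND keeps the bits where the mask is all binary ones."""
    return int_to_ip(ip_to_int(addr) & ip_to_int(mask))

def interface_conflicts(interfaces):
    """Pairs of interfaces whose address/mask settings put them on the same
    segment, the setup error that stops the router routing between them."""
    names = sorted(interfaces)
    clashes = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            addr_a, mask_a = interfaces[a]
            addr_b, mask_b = interfaces[b]
            # Each side judges the other's address with its own mask.
            if (segment(addr_b, mask_a) == segment(addr_a, mask_a)
                    or segment(addr_a, mask_b) == segment(addr_b, mask_b)):
                clashes.append((a, b))
    return clashes

def decide(interfaces, routes, default_gateway, arrived_on, dest):
    """Return (action, target) for a packet, in the order the article gives."""
    addr, mask = interfaces[arrived_on]
    if segment(dest, mask) == segment(addr, mask):
        return ("not routed", arrived_on)        # same segment it came from
    for name, (if_addr, if_mask) in interfaces.items():
        if segment(dest, if_mask) == segment(if_addr, if_mask):
            return ("direct", name)              # directly attached segment
    # Most specific (longest) mask first among the static routes.
    for net, r_mask, next_hop in sorted(routes, key=lambda r: -ip_to_int(r[1])):
        if segment(dest, r_mask) == net:
            return ("static route", next_hop)
    if default_gateway is None:
        return ("unreachable", None)
    return ("default gateway", default_gateway)

# Constructed topology: Isolated Network on "lan", Connected Network on "wan".
INTERFACES = {
    "lan": ("234.56.78.90", "255.255.255.0"),   # the article's example address
    "wan": ("192.0.2.2", "255.255.255.0"),      # constructed
}
ROUTES = [("203.0.113.0", "255.255.255.0", "192.0.2.9")]  # constructed
EXTERNAL_ROUTER = "192.0.2.1"                              # constructed

if __name__ == "__main__":
    print(segment("234.56.78.90", "255.255.255.0"))
    for dest in ("234.56.78.17", "192.0.2.50", "203.0.113.5", "198.137.240.92"):
        print(dest, decide(INTERFACES, ROUTES, EXTERNAL_ROUTER, "lan", dest))
    # Splitting one Class C: with the full-network mask the two interfaces
    # clash, with a sub-net mask they do not.
    print(interface_conflicts({"a": ("234.56.78.1", "255.255.255.0"),
                               "b": ("234.56.78.129", "255.255.255.0")}))
    print(interface_conflicts({"a": ("234.56.78.1", "255.255.255.128"),
                               "b": ("234.56.78.129", "255.255.255.128")}))
```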
--------------------------------------------------------------------------------
The Internet Gateway
To build your NT Router system as an Internet Gateway, begin by contacting
your Internet Service Provider and explaining what you are trying to do.
Most experienced service providers will understand what you are doing and
will know the information to give you. They may be more familiar with setting
up routers, or Unix servers, but the principles are the same and the setups
are very similar.
First request a single IP Address and Net Mask for the Internet side of your Gateway/Router system, and the address of the Default Gateway that should be used on that network. This establishes the Connected Network discussed in the Default Gateways section above. If you are connected via a leased line, the Connected Network should be just your system and the router or server at the other end of the line, and the Default Gateway will be the IP address of the router or server at the ISP end of the line. If you are simply being added to an existing LAN, then you will use an address in that network, the same net mask as the other systems on the network, and the same default gateway that is used on that net. These addresses will be used to set up your Gateway/Router system on the ISP's network and will allow it to see and communicate with the Internet.
Next ask for an IP Class C Address, or sub-net of IP, routed to your Gateway/Router system's Internet side IP address. This will define the addresses you will use on your Isolated Network. Also ask for the net mask you should use on this network. Most commonly you will get a Class C network of 254 IP addresses and your net mask will be 255.255.255.0.
It should be no problem for you to get these two sets of IP addresses from your ISP if you are directly connected through them to the Internet.
If you are not going to host your own DNS, get the IP address of your ISP's DNS server and give your ISP the IP addresses and names of your systems.
You will need an Internet Domain Name. Register it through the ISP that is hosting your DNS. The InterNIC will charge you $100 for the first 2 years to register the name. Your ISP will probably charge you to register and host it.
--------------------------------------------------------------------------------
Setting Up NT
Install the NT operating system and the most recent Service Pack. The
service packs are generally available on the Microsoft FTP site. If you
are routing a LAN, or just one inbound modem, you can get away with using
just NT Workstation. To act as an ISP with multiple inbound modems on RAS
you need NT Server.
Go to Control Panel / Network and add both of your NIC cards, or your single NIC adapter and Remote Access Service (RAS). If you will be having modems on this system used to allow dial-in access to the Internet, see the article Building a Windows NT Internet Dial-In Server with RAS.
Go to Control Panel / Network and load the TCP/IP Protocol software and related components. Connectivity Utilities and Simple TCP/IP Services can be useful. If you do not know how to administer FTP then do NOT load the FTP Server Service under NT version 3.5 or 3.51 - it could be a potential security risk if not managed correctly.
Go into the TCP/IP Protocol setup ("Configure" under 3.51, "Properties" under 4.0) and select the adapter that is connected to the Connected Network. Set the IP address of this adapter to the IP address on the Connected Network. Set the net mask and default gateway to the values for that network. Configure TCP/IP to enable IP routing. If this option is grayed out this is because the TCP/IP software does not recognize that there is more than one TCP/IP interface on the system. To manually enable the IP routing, go to REGEDT32.EXE and set the following value to 0x1:
HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Services \ Tcpip \ Parameters \ IPEnableRouter
In TCP/IP Configuration / DNS, set your machine name, set the domain name to your Domain Name, and add the DNS server IP address.
Next, go back to TCP/IP Protocol configuration and select the NIC that is connected to your Isolated Network. Set the IP address of this adapter to an address within YOUR network (usually 254 or 1). NOTE: You cannot use the first and last IP address from a sub-network because these are reserved for special purposes - If you have a full class C address, you cannot use 0 or 255 as a device address. Set the Subnet Mask to the net mask that you will be using for your Isolated Network. In the main TCP/IP Configuration, set the Default Gateway for this adapter to blanks (not zeroes).
Finish out of the Network setup in Control Panel. These changes will not all take effect until the system has been reset.
For workstations on the Isolated Network to have access to the Connected Network, and through it to the Internet, they must install TCP/IP software. This comes with Win ‘95 and can be downloaded for free from Microsoft for WFW 3.11 (you need Win32s and TCP/IP32 for WFW). On each workstation on your LAN, set the IP address of the individual system to an IP address in your Isolated Network. Set the Default Gateway to the IP address of the NIC on the Isolated Network side of the NT router/gateway system. Set the DNS to the IP address of the DNS server. Set the Subnet Mask to the net mask that you are using on your Isolated Network. After resetting you should be able to communicate from the Isolated Network to the Connected Network, and if this is a Gateway system you should be able to use standard WinSock programs (Netscape, Eudora, MS-Internet Explorer, etc.) to talk directly out to the Internet.
To troubleshoot your connection, use the Command prompt programs TRACERT and PING from an individual workstation on the Isolated Network. To use PING, give it the name or IP address of a computer somewhere on the Connected Network side or on the Internet (e.g. PING WWW.WHITEHOUSE.GOV or PING 198.137.240.92). It will send a special message to that computer, which will echo it back to you. If it doesn’t work then try another computer ID; most net sites are off the air from time to time. To use TRACERT give it the name or IP address of a computer somewhere out on the Internet (e.g. TRACERT WWW.WHITEHOUSE.GOV or TRACERT 198.137.240.92). It will trace the route and list each routing point between your workstation and the other computer. This way you can see how far you get before the communications break down, if you are having problems.
I have used this configuration to connect systems with small to medium sized LANs (up to 48 PC systems) to the Internet. The configuration has not only allowed the users on the local LAN to have access to the Internet, it has adequately supported DNS, SMTP/POP E-Mail servers, Web servers, FTP servers, and a wide variety of other Internet services.
For more detailed information on Windows NT IP Routing setups go to
the Microsoft Knowledge Base and look up article Q140859.
**************
Introduction
If you have a small TCP/IP LAN that you would like to connect to the
Internet, or some incoming modems you want to pass thru to the net, it
is possible to do this just using Windows NT without a dedicated router.
People who use dedicated routing equipment will tell you that using NT
as a router is a relatively slower and less efficient way to do routing
when compared to equipment such as Cisco routers, Ascend Pipelines, etc.
They are correct. But, if you already have the NT system or cannot afford
dedicated routing equipment, or only have a small LAN or a dozen or so
modems, it is an inexpensive solution that is satisfactory in many situations.
The instructions on these pages will walk you through setting up a Microsoft Windows NT Workstation or Server system to act as a Router and Gateway to the Internet via the Remote Access Service (RAS) and Dial-Up Networking (DUN) systems. For information on setting up this type of connection using a direct LAN connection, see the article Using Windows NT as a Gateway and Router. For additional information on using NT and RAS to service modems as a dial-in server, see the article Building a Windows NT Internet Dial-In Server with RAS.
--------------------------------------------------------------------------------
Routing
For Windows NT to route from one LAN segment to another there must
be at least two network interfaces on the system. An interface can be an
Ethernet Network Interface Card (NIC), an ISDN interface card, an X.25
connection, a modem using RAS, or any other connection on the NT system
over which network communications can be established.
For NT to route from one interface to another it is important that the routing software be able to tell that they reside on different physical network segments. The software determines this by comparing the IP Addresses and Net Masks. One of the most common errors encountered in setting up NT as a Dial-In router is not using the proper addresses and net masks.
Routing software uses net masks to determine the physical segment on which a given address resides. For example, with an interface that has an address of 234.56.78.90 and a netmask of 255.255.255.0, routing software will determine that the interface resides on the physical segment 234.56.78.0. This is done by using a logical AND operation and isolating the part of the address matching that part of the mask that is all binary ones. If a packet of data comes to the router software across that interface with any address in the 234.56.78.1 through 234.56.78.254 range, the software will assume that the destination is on the same physical segment as the interface and will not route it.
If you have a single network of IP, for example a single Class C network, and you are dialing into an Internet Service Provider (ISP) who is routing IP to you, the address that you use to connect to the ISP must be in a different network than your internal network. If you are receiving less than a full Class C of IP, then the sub-net you are using must be in a different Class C than the address you are connecting to at the ISP. Even though Microsoft NT RAS and DUN allow the user to request a specific IP address when connecting to an ISP, it does not allow the user to set the Net Mask on the connection. The netmask on the dial-up connection normally defaults to 255.255.255.0, which identifies that interface as belonging to a full class C sized sub-net.
Many ISPs who are not familiar with the limitations of Microsoft NT routing will assign a single sub-net or class C of IP to a customer and will ask that you dial in and request a single address from within that sub-net. This will not work correctly with NT. Make sure that the ISP understands they must allow you to dial in and request a specific static IP address that is not in the same Class C sub-net range as the sub-net that they will be routing to your network.
For more information on sub-netting, see the article "How does IP Subnetting work?".
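A pre-flight check for the dial-up addressing rule described above, as an added example (not code from the original article). It assumes the dial-up interface always gets the 255.255.255.0 mask the article describes; the function name and every address in the sample plans are constructed.

```python
# Added example: check a dial-up addressing plan before configuring RAS/DUN.
import ipaddress

# Per the article, the dial-up interface normally gets this mask and RAS/DUN
# gives no way to set another one.
RAS_DIALUP_MASK = "255.255.255.0"

def check_dialup_plan(static_ip, routed_net, routed_mask):
    """Compare the segment NT derives for the dial-up interface with the
    sub-net the ISP routes to the Isolated Network."""
    # strict=False: static_ip is a host address, so mask off its host bits.
    dialup = ipaddress.ip_network(f"{static_ip}/{RAS_DIALUP_MASK}", strict=False)
    # Default strict=True: a routed_net with host bits set raises ValueError.
    lan = ipaddress.ip_network(f"{routed_net}/{routed_mask}")
    result = {"dialup_segment": str(dialup), "lan": str(lan),
              "ok": True, "overlap": None}
    if dialup.overlaps(lan):
        # Two CIDR blocks overlap only when one contains the other, so the
        # overlap is whichever block is smaller.
        smaller = lan if lan.prefixlen >= dialup.prefixlen else dialup
        result.update(ok=False, overlap=str(smaller))
    return result

# Constructed plans (documentation address ranges, not real assignments).
PLANS = {
    # ISP hands out one sub-net and asks you to dial in with an address
    # from inside it: the case the article says will not work with NT.
    "address inside routed sub-net": ("192.0.2.70", "192.0.2.64", "255.255.255.192"),
    # Static address outside the sub-net but in the same Class C: the
    # 255.255.255.0 dial-up mask still swallows the routed sub-net.
    "same Class C, different sub-net": ("192.0.2.5", "192.0.2.64", "255.255.255.192"),
    # Static address in a different Class C from the routed sub-net.
    "different Class C": ("198.51.100.5", "192.0.2.64", "255.255.255.192"),
}

if __name__ == "__main__":
    for label, (static_ip, net, mask) in PLANS.items():
        r = check_dialup_plan(static_ip, net, mask)
        verdict = "OK" if r["ok"] else "CONFLICT on " + r["overlap"]
        print(f"{label}: dial-up {r['dialup_segment']}, LAN {r['lan']} -> {verdict}")
```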
--------------------------------------------------------------------------------
Default Gateways
When setting up routing it is not only important to identify which
physical segment is attached to which interface, it is also important to
establish where the "rest of the world" can be found. The routing software
will examine the destination address of a packet to determine where it
should be sent. If it is addressed to a segment that is directly attached
to the router system, then the software will route it to the interface
attached to that segment. If it is addressed to a segment that falls within
a specific route in the routing table, again it will be routed to the proper
interface. If the destination of the packet is not specifically determined
by the routing table, then the routing software will send it to the default
gateway for handling.
In a Dial-Up NT Gateway/Router system, your local LAN is referred to as an Isolated Network which is connected via RAS or DUN to a Connected Network at the ISP. This Connected Network has another router that is in turn connected to the Internet. The router connected to the Internet is referred to as the External Router.
The default gateway for all systems connected to the Isolated Network would be the interface of the NT router system that is on the Isolated Network. The default gateway of the NT RAS/DUN router system would be the interface of the External Router that is on the Connected Network.
For the systems hosted by most ISPs the Default Gateway will be provided via the protocol negotiation when the connection to the ISP is established. To have NT use this, the Default Gateway address in the TCP/IP configuration of the NIC card is set to blanks (not zeroes), and the "Use Default Gateway on Remote Network" option is selected in RAS/DUN. If the ISP's system does not provide a Default Gateway at the time the connection is established then it can be hard coded in the RAS/DUN dial settings.
When the default gateways are set up properly, a packet originating from a system on the Isolated Network that is addressed to a system out on the Internet will first go to the NT router. From there it will be passed to the External Router, and from there on out to the Internet.
--------------------------------------------------------------------------------
The Internet Gateway
To build your Dial-Up NT Gateway/Router system, begin by contacting
your Internet Service Provider (ISP) and explaining what you are trying
to do. Most experienced service providers will understand what you are
doing and will know the information to give you. They may be more familiar
with setting up routers, or Unix servers, but the principles are the same
and the setups are very similar. If they are not experienced with the limitations
on NT routing, make sure that you make them aware of the routing issues
described in the Routing section above.
Start by requesting a single Static IP Address and an IP Class C Address, or sub-net of IP, routed to that static IP address. The Static IP address must be in the ISP’s network, and must be in a different Class C range than the sub-net routed to it (as explained in the Routing section above). The Class C or sub-net will be YOUR network. The ISP will also give you a net mask for your network (most commonly you will get a Class C network, 254 IP addresses, and your net mask will be 255.255.255.0). This should be no problem for you to get from your provider if you are also getting a 24-by-7 (all day, every day) connection thru your ISP to the net. Many ISPs do not want to bother routing IP to a dial-up user who is only on some of the time.
If you are not going to host your own DNS, get the IP address of your ISP's DNS server and give them the IP addresses and names of your systems.
You will need an Internet Domain Name. Register it through the ISP that is hosting your DNS. The InterNIC will charge you $100 for the first 2 years to register the name. Your ISP will probably charge you to register and host it.
--------------------------------------------------------------------------------
Setting Up NT
Install the NT operating system and the most recent Service Pack. The
service packs are generally available on the Microsoft FTP site. If you
are routing a LAN, or just one inbound modem, you can get away with using
just NT Workstation. To act as an ISP with multiple inbound modems on RAS
you need NT Server.
Go to Control Panel / Network and add your NIC adapter and the Remote Access Service (RAS) software. If you will be having modems on this system used to allow dial-in access to the Internet, see the article Building a Windows NT Internet Dial-In Server with RAS.
Go to Control Panel / Network and load the TCP/IP Protocol software and related components. Connectivity Utilities and Simple TCP/IP Services can be useful. If you do not know how to administer FTP then do NOT load the FTP Server Service under NT version 3.5 or 3.51 - it could be a potential security risk if not managed correctly.
Go into the TCP/IP Protocol setup ("Configure" under 3.51, "Properties" under 4.0) and select the adapter that is connected to the Isolated Network. Set the IP address of this adapter to an address within YOUR network (usually 254 or 1). NOTE: You cannot use the first and last IP address from a sub-network because these are reserved for special purposes - If you have a full class C of IP addresses you cannot use 0 or 255 as a device address. Set the Subnet Mask to the net mask that you will be using for your Isolated Network. In the main TCP/IP configuration, set the Default Gateway for this adapter to blanks (not zeroes). Configure TCP/IP to enable IP routing. If this option is grayed out this is because the TCP/IP software does not recognize that there is more than one TCP/IP interface on the system. To manually enable the IP routing, go to REGEDT32.EXE and set the following value to 0x1:
HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Services \ Tcpip \ Parameters \ IPEnableRouter
In TCP/IP Configuration / DNS, set your machine name, set the domain name to your Domain Name, and add the DNS server IP address.
Finish out of the Network setup in Control Panel. These changes will not all take effect until the system has been reset.
In REGEDT32.EXE, go to the following key:
HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Services \ RasArp \ Parameters
Add the value DisableOtherSrcPackets as a REG_DWORD with a value of 0x0.
If your ISP gave you less than a full Class C address then you are routing a sub-net of IP addresses. If this is the case, then you need to add another entry to the registry. In REGEDT32.EXE, go to the following key:
HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Services \ RasMan \ PPP \ IPCP
Add the value PriorityBasedOnSubNetwork as a REG_DWORD with a value of 0x1.
For workstations on the Isolated Network to have access to the Internet, they must install TCP/IP software. This comes with Win ‘95 and can be downloaded for free from Microsoft for WFW 3.11 (you need Win32s and TCP/IP32 for WFW). On each workstation on your LAN, set the IP address of the individual system to an IP address in your Isolated Network. Set the Default Gateway to the IP address of the NIC on the Isolated Network side of the NT router/gateway system. Set the DNS to the IP address of the DNS server. Set the Subnet Mask to the net mask that you are using on your Isolated Network. After resetting you should be able to use standard WinSock programs (Netscape, Eudora, MS-Internet Explorer, etc.) to talk directly out to the Internet.
To troubleshoot your connection, use the Command prompt programs TRACERT and PING from an individual workstation on the Isolated Network. To use PING, give it the name or IP address of a computer somewhere on the Connected Network side or on the Internet (e.g. PING WWW.WHITEHOUSE.GOV or PING 198.137.240.92). It will send a special message to that computer, which will echo it back to you. If it doesn’t work then try another computer ID; most net sites are off the air from time to time. To use TRACERT (an NT-only program) give it the name or IP address of a computer somewhere out on the Internet (e.g. TRACERT WWW.WHITEHOUSE.GOV or TRACERT 198.137.240.92). It will trace the route and list each routing point between your workstation and the other computer. This way you can see how far you get before the communications break down, if you are having problems.
--------------------------------------------------------------------------------
The Dial Up Connection In NT 3.51 using RAS
To set up the dial-up connection in NT 3.51, go to Remote Access Services
/ Remote Access and Add a new entry. Give it a name (INTERNET is good),
enter the phone number of your ISP’s dial-in, and select the COM port for
the modem set up as a RAS dial-out. In the Network configuration select
PPP, TCP/IP, Require Specific IP Address, and set the IP Address to the
Static IP from your ISP. Also select Use Default Gateway on Remote Network.
Under the Security configuration select Accept Any Authentication Including
Clear Text.
In the Options / Redial Settings... set RAS to Re-Dial on Link Failure, set the Number of Attempts to 9999, and set the Seconds Between Attempts to 10.
You should now be able to dial in to your ISP and get to the Internet as a router.
--------------------------------------------------------------------------------
The Dial Up Connection In NT 4.0 using DUN
To set up the dial-up connection in NT 4.0, go to Dial-Up Networking
/ New and Add a new entry. Give it a name (INTERNET is good), select "I
am calling the Internet", and enter the phone number of your ISP’s dial-in.
Next select More / Edit Entry and Modem Properties. Under the Server tab,
select the Dial-up server type "PPP, WinNT, Win95, Internet". In Network
protocols checkmark TCP/IP and click on TCP/IP Settings. Select Specify
an IP address and set the IP Address to the Static IP from your ISP. Also
select Use Default Gateway on Remote Network. Under the Security tab select
Accept Any Authentication Including Clear Text. Close the setup dialog
box.
You should now be able to dial in to your ISP and get to the Internet as a router.
--------------------------------------------------------------------------------
For More Information on TCP/IP
For more in-depth information on TCP/IP, you might want to look into
TCP/IP For Internet Administrators, an on-line technical reference document.