Using an NT machine as a LAN-to-WAN Internet router

In recent columns, I've talked about IP routing and Windows NT, especially how to use an NT machine as an Internet gateway, a LAN-to-WAN router. In previous columns, I advised you not to do so because my experiments with NT 3.5 and 3.51 as an Internet gateway didn't show impressive speed. But NT 4.0's beta 1 seems to work as fast as a dedicated router, so I'll show you an Internet gateway method that works well on workstations and servers. (Microsoft has documented how to do a procedure like this, but I've never been able to make it work. So don't be surprised that my method is different from the one in the Windows NT Resource Kit.)

Setup for this method isn't hard, except that each Internet Service Provider (ISP) has a different way for you to provide a username and password and set an IP address. To get your username and password, some ISPs need a simple character-oriented terminal login, some want you to use the Password Authentication Protocol (PAP), and some ask for the Challenge Handshake Authentication Protocol (CHAP). Most services use the terminal login, so I've built my example with that assumption. To set the IP address on your dialup or frame-relay connection, some services require you to hard wire an IP address on the modem, and others automatically give you an IP address when you log on. The latter approach is prevalent, so I'll assume it's your ISP's method. You'll also need your ISP's guidance in successfully using NT's Remote Access Service (RAS) to dial in to your ISP. If the ISP can't help you, my instructions here will probably work.

In this example, I'll connect my C-class network, 199.34.57.0, to the Internet through my ISP, Digital Express--or Digex, as its customers know it. I need Digex's phone number, which is 301-555-1212 in this example. My Digex account number is xyzabc123, and my password is xyzzy.

For this discussion, I'll call the computer that will become an NT Internet gateway the gateway machine (and I'm not referring to computers from South Dakota). My gateway machine is running NT Workstation 4.0 and has an Ethernet card and a 28.8Kbits-per-second (Kbps) modem.

Creating an Internet Router
With all the preparation done, let's step through creating an NT 4.0 Internet router. If you're setting up NT 3.51, the procedure is similar, but you'll have to get the Multivendor Protocol Router (MPR) from Microsoft's ftp site (ftp://ftp.microsoft.com).

On the gateway machine, install IP with static addressing for the network card. Set the network card's IP address to something (I'll use 199.34.57.1), with whatever subnet mask makes sense for your network (255.255.255.0 for basic C-class networks). When you set the IP address on the network card, leave the default gateway address blank (for why you leave it blank, see "NT Workstations Using an IP Router," Windows NT Magazine, May 1996).

Next, install RAS and tell it what kind of modem you have and what port it's on. Reboot the system to complete RAS installation.

Now, no good NT twiddling is complete without some Registry work, so open regedt32 and go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RasArp\Parameters. Create a new value entry, DisableOtherSrcPackets, of type DWORD, and set the value to 0. You will have to create this value entry because it isn't in that key by default, and you need it to make this machine a router. This entry says, "When you forward an IP packet, don't change the 'source' IP address." Otherwise, if machine B forwards a packet from machine A to machine C, machine B changes the "From" part of the IP packet to B's own IP address, so C thinks that the message originated with B instead of A. Setting this Registry entry to 0 prevents that problem.

Warning: The Resource Kit setup tells you to make another modification to the Registry. Don't do it.

You can start RAS. It will point out that you have no phone book entries and prompt you for a first entry. Let's make that entry the dialup instructions for your ISP. If you already have RAS entries, select Add to create another phone book entry with a descriptive name and phone number. For this example, Digex is the name.

Uncheck the Authenticate using current username and password box. This step is necessary because my ISP does not use PAP or CHAP to authenticate logins, but uses a terminal login. If your ISP requires PAP or CHAP, don't uncheck the box. The Add Phone Book Entry dialog will look like screen 1.

Next, set up the specific options to get an IP address from the ISP and to do terminal logins. Select Advanced, and the dialog will open, as you see in screen 2.

Choose Network, and you get a choice of protocols. As far as I can tell, you have to use Point-to-Point Protocol (PPP) to make this work, so click PPP. Then check only TCP/IP; uncheck NetBEUI and IPX (Internet Packet eXchange), and ignore the advertisement for NetBEUI. Now, select TCP Settings. You will see screen 3.

For my ISP, I choose Server assigned IP address. This choice can be different for your ISP, so ask the ISP for advice if this step doesn't work.

You can check Use VJ header compression to enable Van Jacobson header compression. For connections slower than 28.8Kbps, you want to turn on VJ compression. For faster systems, turn VJ compression off. One way to decide whether you need VJ header compression on or off is to find a few big files on an ftp site and download them. Try it with and without the header compression, and you'll see which setting is better.

Uncheck the Use default gateway on remote network option, close the dialog, and then select Security. Check the option, Use clear text terminal login. Again, this option is ISP-specific, but most ISPs use terminal logins.

Now you have to make your system forward IP packets. Remember the check box Enable IP Routing? It's grayed out unless two or more network cards are on the Control Panel. The problem is that NT sees only one Ethernet card, so it grays out the routing option. This situation kind of makes sense because you need at least two IP addresses in order to route. What makes no sense is that the IP addresses must be on network cards. NT ought to be smart enough to enable forwarding when one IP address is a network card and the other is a RAS/PPP-derived IP address, but no such luck: NT must see two network cards before it'll enable IP routing.

Or must it? You can pull one sneaky trick to enable the Enable IP Routing box. Select Control Panel, Networks, TCP/IP Protocol, Configure, and Advanced. You'll get the Advanced TCP/IP Configuration window, and you can actually attach more than one IP address to a network card. So here's the trick to turn on IP routing: Go to your one network card and add a bogus IP address. The Enable IP Routing box will become enabled. Check it. Then remove the bogus IP address. The Enable IP Routing box will gray out, but it will stay checked!

I need to point out that in NT 4.0, you don't need any of that nonsense. You can go to Control Panel, Networks, Protocols, TCP/IP, Forwarding, and check Enable IP Forwarding. You'll have to reboot.

Then you can start RAS and dial up your ISP. When the terminal screen appears, enter your username and password. When you get a message that your session has started, select Done.

Now that your system can forward IP packets, you need to find out what IP address your RAS connection is using. Type ipconfig, and look for Ethernet adapter NdisWan6:, or something like that. The IP address below it is the IP address connected to the outside world. For my example, it's 199.34.57.2.

Next, tell your system how to find the outside world. Open a command prompt and type route add 0.0.0.0 mask 0.0.0.0 x.y.z.a, where x.y.z.a is the IP address you just found for your RAS connection. In this example, I type route add 0.0.0.0 mask 0.0.0.0 199.34.57.2

If you're a RAS expert, you're wondering why I told you to uncheck the Use default gateway on remote network option. All it does is automatically insert the line route add 0.0.0.0 mask 0.0.0.0 199.34.57.2 in the routing table. So, why do all the extra work? My answer is "Try it both ways." I have no idea why, but a RAS box won't route with Use default gateway on remote network checked. It will route if you uncheck this box and manually enter the route add 0.0.0.0 command. How do I know? If I didn't know, this article couldn't have reached you: When I emailed it to Windows NT Magazine, a laptop running NT 3.51 was my temporary Internet router.

Finally, make sure that all the PCs on your subnet point to the static IP address attached to the network card, not to the RAS connection. In this example, all the machines point to default gateway 199.34.57.1, the address of the Ethernet card in my router PC.
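To confirm that the finished setup matches the steps above, here is an added check (my own example, not code from the article): it parses ipconfig and route print output and flags a default route that doesn't point at the RAS-assigned address, or a LAN card that was given a default gateway. The sample output is constructed, and the Ethernet adapter name Elnk31 and the exact output layout are assumptions.

```python
import re
# Constructed sample output (not from a real machine) shaped like NT 4.0's ipconfig and
# route print on the router PC: 199.34.57.1 on the Ethernet card, 199.34.57.2 from the ISP.
IPCONFIG_OUTPUT = """\
Ethernet adapter Elnk31:
        IP Address. . . . . . . . . : 199.34.57.1
        Default Gateway . . . . . . :
Ethernet adapter NdisWan6:
        IP Address. . . . . . . . . : 199.34.57.2
        Default Gateway . . . . . . :
"""
ROUTE_PRINT_OUTPUT = """\
  Network Address          Netmask  Gateway Address        Interface  Metric
          0.0.0.0          0.0.0.0       199.34.57.2      199.34.57.2       1
      199.34.57.0    255.255.255.0       199.34.57.1      199.34.57.1       1
"""
def parse_ipconfig(text):
    """Map adapter name -> {"ip", "gateway"} from ipconfig output."""
    adapters, current = {}, None
    for line in text.splitlines():
        head = re.match(r"^\S.* adapter (\S+):", line)
        field = re.match(r"^\s+(IP Address|Default Gateway)[ .]*:\s*(\S*)", line)
        if head:
            current = head.group(1)
            adapters[current] = {"ip": "", "gateway": ""}
        elif field and current:
            adapters[current]["ip" if field.group(1) == "IP Address" else "gateway"] = field.group(2)
    return adapters

def default_gateway(route_text):
    """Gateway of the 0.0.0.0 mask 0.0.0.0 route in route print output, or None."""
    rows = [line.split() for line in route_text.splitlines()]
    hits = [f[2] for f in rows if len(f) >= 4 and f[0] == f[1] == "0.0.0.0"]
    return hits[0] if hits else None

def check_router(ipconfig_text, route_text):
    """List what deviates from the article's setup; an empty list means it matches."""
    adapters = parse_ipconfig(ipconfig_text)
    wan = [a["ip"] for n, a in adapters.items() if n.startswith("NdisWan")]
    if not wan:
        return ["no NdisWan adapter: RAS is not connected"]
    problems, gw = [], default_gateway(route_text)
    if gw is None:
        problems.append("no default route: run route add 0.0.0.0 mask 0.0.0.0 " + wan[0])
    elif gw != wan[0]:
        problems.append("default route via %s, not the RAS address %s" % (gw, wan[0]))
    for n, a in adapters.items():
        if not n.startswith("NdisWan") and a["gateway"]:
            problems.append("LAN card %s has a default gateway set; leave it blank" % a["ip"])
    return problems
```

Run check_router on the real output of ipconfig and route print on the gateway machine; it returns an empty list when the default route goes via the RAS address and the Ethernet card has no default gateway.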

That's all there is to it. The machines on your subnet can now PING the outside world, and you'll be connected to the Internet.

If you are not satisfied with your present ISP, or you just want to know what else is available, you can get a list of ISPs on the Web at http://www.commerce.net/directories/products/isp. You can search for an ISP by name and capabilities, or by its geographic location. You can also find information on what to look for in an ISP.