Attaching A House Network To The Internet

Introduction

This document describes my own experiences setting up a small home network attached to the internet via a Windows PC. It covers

  1. the initial connection
  2. routing
  3. firewalling
  4. DNS
  5. setting up an FTP server

I mention a few products here, but I don't have any connections with any of their respective authors or owners. They may not necessarily be the best of their kind, but they are what I chose to use. One of the software packages I chose to use costs money, but there is a free version of this package available that will probably do all that most people need.

I assume throughout this document that you know your way around Windows, and I will not be providing click-by-click instructions. All of the software packages I describe have straightforward user interfaces, but I will try to mention anything which didn't appear obvious to me.

You may well also find that you can achieve most of what I describe here using Microsoft Windows "Internet Connection Sharing". However, I'm a bit of a skeptic about that, so I haven't used it at all. If you want to learn more about it, I strongly suggest you read the Microsoft Press book "The Wired Home" of which there is a copy in the teaching labs.

You may notice that I have not mentioned Linux. There are all sorts of other documents describing how to get home networks attached to the Internet using Linux, but that is not how I have done it. If you know someone who can configure dial-up networking, routing and firewalling under Linux faster than I can install WinRoute Pro, I would like to meet them. Taking the route I have chosen has cost me a bit more, but has saved me a lot of time and hassle. Also, as my primary PC runs Windows anyway, it saves me an entire PC that would otherwise be sat there running Linux just acting as a router.

Attaching One Windows PC

The first step is to get one lone Windows PC working successfully. I assume by this time that you have installed a modem and a network card in the PC, and have TCP/IP installed. For the rest of this document, I will assume that the TCP/IP settings for your network card are:

I connect to the Internet using ADSL, which gives me a nice fast permanent connection, but this is all going to be pretty much the same whether you use a normal modem or a permanent connection such as that provided by ADSL or a cable modem.

Get dial-up networking going by manually dialling the connection, and prove you can get a web page. Set it to not automatically dial when Internet Explorer needs to make a connection, as very shortly we will be using another piece of software to handle the connection anyway.

Automating the Dial-Up Connection

You can achieve this step just by telling Windows to dial the connection whenever it is needed. However, please don't do that, as it defeats the point of this step and will land you in trouble later on.

To achieve this, I used a package called "WinRoute Pro" from Tiny Software. This package handles the following functions for you:

You may want to use "WinRoute Lite" instead, as it is free (compared to WinRoute Pro, which costs $150 after the free 30 day evaluation period). This can provide most of the facilities you need, except for firewalling, which you can do using Tiny Software's "Tiny Firewall" product, which is also free for home use.

If you are running Windows 2000 or Windows NT, you should run WinRoute Pro as a service, so that it is always running whenever the PC is switched on. In the Interfaces setting dialog, you can configure the phone number, username and password for your dial-up connection. You should enter whatever values have been provided to you by your ISP. You can also configure the length of time after which a connection is considered idle and hung up (around 5 minutes is a good value if you pay for the time the call is connected).

If you enable the DNS forwarding, but disable all the other services and proxies that WinRoute Pro can provide, you should now find that it will automatically dial your internet connection when you run Internet Explorer and request a web page. It should also automatically hang up the connection after your preset period of inactivity.

Configuring WinRoute Pro

Screenshot captions (the images are not included here):

  1. Configuring the ADSL dial-up connection
  2. Configuring the Ethernet card connection
  3. Configuring the DNS forwarder; switch off all other proxies and forwarders in the Settings menu
  4. A couple of Address Groups I have defined
  5. The Anti-Spoofing dialog
  6. The Remote Administration dialog
  7. The Security Options dialog
  8. The Port Mapping dialog
  9. The port mapping settings for my FTP server
  10. The port mapping settings for my telnet server

Attaching the Rest of your Home Network

Connect a network hub to the network card of the Windows PC you have been working on above, and plug the other computers into this hub. Configure the TCP/IP settings of all the other PCs as follows:

Once these are all set up, you should be able to ping each of the IP addresses you have used from any of the computers you have connected. Don't ping the names at this point; ping the numeric addresses. If it doesn't work, check the IP settings for each of the faulty computers.

As well as providing simple routing facilities, WinRoute Pro and Lite also allow you to use private network addresses (such as the 192.168 addresses above) for the computers on your home network. As packets to/from these computers pass through WinRoute, it rewrites the addresses of the packets so they all appear to be coming from one PC, the one running WinRoute. This facility is called NAT (Network Address Translation) and is fundamental to how your internet service provider thinks it is talking to just one PC, when in fact it is talking to your entire home network.
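To make the address rewriting concrete, here is a small model of what the NAT box does to packets in each direction. This is an added example, not code from the article or from WinRoute: the public and private addresses are constructed, and the static entry for TCP port 21 stands in for the FTP port mapping described later, with the internal FTP address assumed to be the router PC itself.

```python
import itertools
from dataclasses import dataclass

# Constructed: the ISP-assigned public address of the WinRoute PC.
PUBLIC_IP = "203.0.113.10"
# Port mapping: inbound TCP 21 on the public address is handed to the FTP server
# (hypothetical internal address; the article does not give one).
PORT_MAPS = {21: ("192.168.0.1", 21)}

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class Nat:
    def __init__(self, public_ip, port_maps):
        self.public_ip = public_ip
        self.port_maps = port_maps        # public port -> (internal ip, port)
        self.by_public_port = {}          # public port -> (private ip, port)
        self.by_private = {}              # (private ip, port) -> public port
        self.free_ports = itertools.count(40000)

    def outbound(self, pkt):
        """Home network -> Internet: the private source becomes the public one."""
        key = (pkt.src, pkt.sport)
        if key not in self.by_private:
            pub = next(self.free_ports)   # one fresh public port per inside flow
            self.by_private[key] = pub
            self.by_public_port[pub] = key
        return Packet(self.public_ip, self.by_private[key], pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Internet -> home network: static mappings first, then reply traffic; else drop."""
        target = self.port_maps.get(pkt.dport) or self.by_public_port.get(pkt.dport)
        if target is None:
            return None                   # unsolicited: nothing inside asked for it
        return Packet(pkt.src, pkt.sport, target[0], target[1])

def demo():
    """Two home PCs fetch the same web page; a remote host connects to FTP."""
    nat = Nat(PUBLIC_IP, PORT_MAPS)
    web = "198.51.100.80"                 # constructed remote web server
    a = nat.outbound(Packet("192.168.0.2", 1025, web, 80))
    b = nat.outbound(Packet("192.168.0.3", 1025, web, 80))
    reply_a = nat.inbound(Packet(web, 80, PUBLIC_IP, a.sport))
    ftp = nat.inbound(Packet("198.51.100.7", 3000, PUBLIC_IP, 21))
    stray = nat.inbound(Packet("198.51.100.7", 3000, PUBLIC_IP, 139))
    return a, b, reply_a, ftp, stray
```

Both outbound packets leave with the same public source address and different source ports, which is why the ISP sees one PC; the packet to port 139 has no table entry and never reaches the inside.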

Configure WinRoute Pro so that it is forwarding DNS requests to its dial-up connection. Then, from a computer attached to your home network, ping ping.symantec.com and get a web page.

Firewalling your Home Network

This is a vital step, particularly if you have a permanent connection such as ADSL or a cable modem. Without doing this, your entire network is vulnerable to attack; and believe me, it will be attacked or probed regularly by other people, even if you don't consider there to be anything valuable on it.

The golden rule when setting up a firewall is to only allow services you want to offer, and only to those people to whom you want to offer them, and deny everything else. My firewall, described below, offers access to a telnet and FTP server run on my Windows 2000 PC. It also offers unrestricted outbound access so I can get at everything else on the Internet. It denies all other incoming traffic.

Note: I do not advise you offer Windows Networking (Windows file sharing) through your firewall. Though you might think this would be a handy facility, allowing this access opens up so many security problems it just isn't worth it. The vast majority of known Windows security problems can be simply solved by denying Windows Networking at your firewall. Instead of this, I run a free Windows FTP server (described below) and use that to provide me with remote access to my files.

Configuring the Firewall in WinRoute Pro

Screenshot captions (the images are not included here). Rules are present only on the inbound dial-up (ADSL) connection; there are no restrictions on outbound network traffic. The inbound rules, in order, are:

  1. Allow packets in that just belong to connections already made with other servers.
  2. Allow incoming Telnet connections from hosts within ECS. Log the first packet of each such connection.
  3. Allow incoming Telnet connections from hosts within ECS. Don't log anything except the first packet.
  4. Allow incoming FTP connections from hosts within ECS. Log the first packet of each such connection.
  5. Allow incoming FTP connections from hosts within ECS. Don't log anything except the first packet.
  6. Allow incoming FTP data connections from hosts within ECS.
  7. Deny all other IP packets.
  8. Deny all ICMP packets. These can be used to probe your network and can be used as part of a denial-of-service attack.
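The rule set above, written out as a first-match packet filter and run over a few constructed inbound packets. This is an added example rather than WinRoute's own configuration: the ECS address range is a constructed stand-in (the article does not give it), and the ICMP rule is placed before the catch-all so that it is reachable in a first-match evaluation.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-in for the "ECS" address group used in the rules.
ECS = ipaddress.ip_network("198.51.100.0/24")

@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dport: int = 0
    syn: bool = False          # first packet of a new TCP connection
    established: bool = False  # belongs to a connection already made from inside

def from_ecs(p):
    return ipaddress.ip_address(p.src) in ECS

def tcp_to(port):
    return lambda p: p.proto == "tcp" and p.dport == port and from_ecs(p)

# Inbound rules on the dial-up interface: (name, predicate, action, log first packet?)
RULES = [
    ("established", lambda p: p.established, "allow", False),
    ("telnet from ECS", tcp_to(23), "allow", True),
    ("ftp from ECS", tcp_to(21), "allow", True),
    ("ftp-data from ECS", tcp_to(20), "allow", False),
    # Listed before the catch-all so a first-match filter actually reaches it.
    ("deny icmp", lambda p: p.proto == "icmp", "deny", True),
    ("deny all other IP", lambda p: True, "deny", True),
]

def filter_inbound(p):
    """First match wins; TCP rules log only the connection's first packet (SYN)."""
    for name, match, action, log_first in RULES:
        if match(p):
            log = log_first and (p.proto != "tcp" or p.syn)
            return action, name, log

def demo():
    samples = [
        Packet("tcp", "198.51.100.5", 23, syn=True),        # telnet from ECS
        Packet("tcp", "203.0.113.77", 23, syn=True),        # telnet from elsewhere
        Packet("tcp", "198.51.100.5", 21),                  # later packet of an FTP session
        Packet("tcp", "192.0.2.9", 80, established=True),   # web reply to a browser inside
        Packet("tcp", "198.51.100.5", 139, syn=True),       # Windows Networking, even from ECS
        Packet("icmp", "203.0.113.77"),                     # ping probe
    ]
    return [filter_inbound(p) for p in samples]
```

Note that Windows Networking on port 139 is dropped by the catch-all even when it comes from ECS, which is the behaviour the text above argues for.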

Providing Remote File Access

One of the most obvious applications for a home network, if you have a permanent connection, is to provide remote access to your files, so you can stop carrying floppy disks or Zip disks to and from work and avoid being left without your home PC data when you are at work.

As mentioned above, you could use Windows Networking to provide this service. However, I must stress again that enabling Windows Networking (TCP and UDP ports 135-139 cover all of it) through your firewall will open your systems up to all manner of remote attacks. A much better way of providing the same service is to run an FTP server instead.

The server I have used is the WarFTP Server, which I happened to find on www.winfiles.com, a favourite shareware site. It is quite a comprehensive package, and the configuration of it can be quite detailed. However, for simple purposes, it is quite easy to get up and running. There are plenty of other simpler packages available, but I found that WarFTP did everything I needed. If, for example, you want to be able to remotely run X Windows packages on the Linux compute servers provided in the labs, you will want to install an X Windows server such as Vista Exceed. This also includes an FTP server, which will save you the bother of installing WarFTP.

Once you have an FTP server configured, you will need to allow access to it through your firewall. You need to allow inbound connections on TCP port 21, and this should be further restricted to only allow incoming connections from places you are likely to be, such as the department network.

Getting a Permanent Hostname

It is most likely that your internet service provider will give you a different IP address every time you make a connection, and sometimes it may even change your IP address while you have a connection open (BT Openworld certainly appears to do this). This creates a problem: if you are going to access your network remotely, how do you know what IP address to connect to?

To solve this problem, and also to give your home network a name, you can use any one of a number of free Dynamic DNS service providers. I used Hammernode as they were recommended in an article I happened to be reading.

What happens is this: they give you a small program which you always leave running on the PC acting as your router and firewall. They also provide you with a username and password which you enter into the program. Every 10 minutes the program reads your current IP address and sends it to the Hammernode DNS servers. These servers then update the IP address for the hostname you have been assigned.

For example, say my username at Hammernode is tharg. The program I downloaded from them knows about this, and my corresponding password, and the fact that my assigned hostname is tharg.hn.org. It reads my IP address every 10 minutes, and so the name tharg.hn.org always points to my home PC from anywhere on the internet. So now I can "ftp tharg.hn.org" to connect to my FTP server and retrieve files directly off my home PC.

Configuring Hammernode's Dynamic DNS Client