Internet Connection Sharing

LAN-to-WAN IP routing has been something of a theme for me for several years. In 1992, I decided to establish my company on the Web, so I went to an ISP and procured 256 IP addresses. I wanted the company to host its own Web and mail servers, so I needed a 24 * 7 Internet connection. Rather than buy a LAN-to-WAN router from Cisco Systems or some other router vendor, I chose to view the project as a learning experience and build a router. I built my first router to handle IBM's OS/2 2.0 and TCP/IP for OS/2. As soon as Windows NT began to support IP routing, I replaced the OS/2 box with an NT box. Then, I wrote a series of articles for Windows NT Magazine about how to make an NT box into a LAN-to-WAN router. Those articles still generate a fair amount of mail, all describing the same scenario and asking the same question: I have a computer in my house connected to the Internet with a Digital Subscriber Line (DSL)/cable modem/ISDN link. I also have several other machines in the house. How do I set up my Internet-connected PC to share its Internet link with the other machines?

After the initial set of articles, I revisited the question twice—first when Microsoft released improved routing code called RRAS (aka Steelhead), and again when Microsoft released Proxy Server 2.0. RRAS wasn't the answer for would-be home users because RRAS required that each machine have an IP address that the ISP provided; making up random addresses for home machines didn't work. Proxy Server circumvented this problem but created another problem because of the software's expense—in the $1000 range.

But if you have Windows 98 Second Edition (Win98SE) or Windows 2000 Professional (Win2K Pro), all you need to do is click your mouse a few times, reboot your home PCs, and enjoy routing with ease. Win98SE should be available by the time you read this column, and Win2K Pro and Windows 2000 Server (Win2K Server) will probably be available soon. Unfortunately, Microsoft won't offer Win98SE to just anyone—like Win95's OEM Service Release (OSR) versions, you can get Win98SE only with a new computer purchase. But if you can wait until Windows 2000 (Win2K) ships or you buy a new PC, easy routing is in your future.

You set up the Internet-connected PC much as you've done before, by creating a DUN entry. I haven't investigated how Win98SE sets up DUN entries, but the process is probably similar to that of Win95 and the first edition of Win98. Win2K has a different process, so you'll have to go to a different place in the user interface (UI) to set up your Internet connection. Right-click My Network Places, and select Properties. Double-click Make New Connection, and from there everything will look familiar—specify the kind of modem you use, what number to dial, and so on. (I've used this method to set up regular modems and ISDN. My cable and telephone companies don't offer cable modem or DSL service, so I can't tell you how to configure your system for those services.)

After you create the new dial-up object, right-click it and select Properties. Select the Shared Access tab, and select the Enable shared access for this connection check box. You'll get a dialog box that states When Shared Access is enabled, your LAN adapter will be set to use IP address 169.254.0.1... Are you sure you want to enable Shared Access?

This 169.254.0.1 address is where Internet connection sharing gets interesting. Built into the address is a Network Address Translation (NAT) router. If you don't work on infrastructure in a large firm, NAT routers might be unfamiliar to you. These routers provide a solution for companies that have several machines in an intranet that need access to the Internet. One way to get Internet access is to obtain IP addresses for every machine in the intranet. The intranet is then a subset of the Internet, so by definition the machines can access the Internet. But the relative scarcity of IP addresses, coupled with some valid security concerns, have led firms to instead build intranets with nonroutable IP addresses and connect those intranets to the Internet with NAT routers. The NAT routers give the machines Internet access without address visibility, thus offering a modicum of security.

Basically, Internet Connection Server (ICS) makes your system into a simple NAT router and DHCP server. After your dial-up connection is complete, the Ethernet card on the dialing machine reaches the 169.x.x.x address. Your ICS machine then acts as a DHCP server for your home network, handing out 169.x.x.x addresses to any machine requesting an address. The DHCP server also tells the requesting machine to look to the ICS machine to resolve DNS queries and to provide a default gateway for the other machines on your home network.

After you hook up your ICS machine to the Internet, you need to configure the other machines on your home network to look to DHCP for their IP addresses, then reboot the machines. As long as the machines can act as DHCP clients or you can set the machines' static addresses in the 169.254.x.x network, three things will be true: The ICS computer will give the machines IP addresses, the machines will have the ICS computer route their packets, and every machine in the house will be on the Internet. And those machines aren't restricted to Web (i.e., HTTP) access on the Internet. Although I haven't performed extensive testing, so far I've been able to retrieve POP3 mail, send SMTP mail, and ping locations without any trouble.

Furthermore, if you don't have a 24 * 7 connection, ICS offers the option to dial on demand. Thus, if you're sitting at a computer across the house from the ICS machine and you initiate some kind of Internet-based activity (e.g., retrieve mail, browse a Web site, ping a location), the ICS machine will sense that someone is trying to route packets to the Internet and will automatically dial your ISP to establish an Internet connection. As with RRAS's demand-dial capability, establishing the connection can take so long that whatever operation you're trying to perform can time out first. To avoid that possibility, I usually prime the pump by opening a command line and pinging somewhere. A standard ping will time out. By the time the fourth ping is finished, the connection is nearly ready, and the ICS machine is far enough along that you can usually open your Web browser or mail client and get through before it times out.

Microsoft clearly intends this routing solution for small office/home office (SOHO) use because the company doesn't provide much in the way of a management interface. You can't control the range of addresses that the ICS machine gives out, nor have I figured out how to query the ICS machine so that it will list the active DHCP leases. I'd like to have a situation in which ICS separates a small network from the Internet but connects to the Internet with an Ethernet card. However, ICS apparently won't let you share a LAN connection to the Internet—only a dial-up connection. (Anyone have a modem driver for a 3Com XL card?)

Perhaps the most significant consideration when you're thinking about setting up an ICS connection is whether your ISP will let you share your Internet connection among several machines. Some ISPs specifically do not let you run proxy servers, probably in reference to WinGate software. WinGate is a Windows-based proxy server program, popular because until recently it was about the only low-cost Internet connection-sharing technology you could get. But ICS isn't a proxy server, so you might not violate your ISP agreement by running it—at least until ISPs figure out that ICS exists.

• Inside Out: "Internet Connection Sharing" incorrectly states that you can get Microsoft Windows 98 Second Edition (Win98SE) only with a new computer purchase. You can buy Win98SE at any software store or Internet site that sells Microsoft OSs. We apologize for any inconvenience this error might have caused.