Windows XP, ICS, two LANs

Brian Steele

Hi Everyone:

I've got two LANs that require access to the Internet. I'd like to set up a
WinXP box with ICS so each LAN can access the Internet through the box.
However, the trick is that PCs on one LAN should not be able to see the PCs
on the other, and vice-versa. Any ideas?

Brian
 
"Brian Steele" said:
Hi Everyone:

I've got two LANs that require access to the Internet. I'd like to set up a
WinXP box with ICS so each LAN can access the Internet through the box.
However, the trick is that PCs on one LAN should not be able to see the PCs
on the other, and vice-versa. Any ideas?

Brian

This should do what you want, Brian:

1. Buy two broadband routers. They're often available for $20-$40
(after rebates) at computer and office supply stores.

2. Connect each LAN to the LAN ports of its own broadband router.

3. Configure all of the computers on both LANs to obtain an IP address
automatically. Each router will configure its own LAN.

4. Check the documentation for each router to see what the router's
LAN IP address is. If it's in the 192.168.0.x range (which ICS uses),
change it to a different range, such as 192.168.1.x, and release/renew
the IP lease on all attached computers. It's OK to use the same range
on both routers.

5. Install two network cards in the WinXP box.

6. Connect the WAN (Internet) port of each router to a network card in
the WinXP box.

7. Create a network bridge between the LAN connections for the two
network cards. I've written a web page with details:

XP ICS - Network Bridge
http://www.practicallynetworked.com/sharing/xp_ics/networkbridge.htm

8. Enable ICS on the WinXP box's Internet connection. If it asks what
to use for the local area network, tell it to use the network bridge.

If your Internet connection uses an external cable modem or external
DSL modem, you could replace the ICS host computer with a third
inexpensive broadband router, which would eliminate the need for dual
NICs, network bridge, and ICS in that computer.
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)

Please post any reply as a follow-up message in the news group
for everyone to see. I'm sorry, but I don't answer questions
addressed directly to me in E-mail or news groups.

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com
 
Those "routers" are actually glorified NAT boxes, but I see how your idea
works!

In fact, if we can get away with a serial NAT configuration like that, we
might be able to use just one broadband router:

1. Configure the WinXP box with two cards.

2. Connect one LAN to one card on the WinXP box (range 192.168.0.x).

3. Connect the other LAN directly to the broadband router (range
192.168.1.x).

4. Connect the other LAN card on the WinXP box to the router (range
192.168.1.x).

5. Configure ICS on the WinXP box, and enable ICF.


Brian
 
"Brian Steele" said:
Those "routers" are actually glorified NAT boxes, but I see how your idea
works!

In fact, if we can get away with a serial NAT configuration like that, we
might be able to use just one broadband router:

1. Configure the WinXP box with two cards.

2. Connect one LAN to one card on the WinXP box (range 192.168.0.x).

3. Connect the other LAN directly to the broadband router (range
192.168.1.x).

4. Connect the other LAN card on the WinXP box to the router (range
192.168.1.x).

5. Configure ICS on the WinXP box, and enable ICF.

If I understand your proposed setup, you want to use just the WinXP
box and one broadband router. I don't think that would give you the
desired isolation between the two networks. The broadband router's
WAN interface would be in the same 192.168.0.x network as the
computers connected directly to the WinXP box. That would allow the
computers connected to the broadband router to access the computers
that are connected directly to the WinXP box.

WinXP won't let you enable ICF on a LAN connection if that connection
is being used by ICS. It will only let you enable ICF on the Internet
connection.
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)
 
Steve Winograd said:
If I understand your proposed setup, you want to use just the WinXP
box and one broadband router. I don't think that would give you the
desired isolation between the two networks. The broadband router's
WAN interface would be in the same 192.168.0.x network as the
computers connected directly to the WinXP box.

The broadband router's LAN interface would be 192.168.1.x, not the same as
the LAN behind the WinXP box (192.168.0.x). The WAN interface would be
whatever Internet public address is assigned to it :-).
WinXP won't let you enable ICF on a LAN connection if that connection
is being used by ICS. It will only let you enable ICF on the Internet
connection.

ICF will be enabled on the LAN card that's connected to the broadband
router, not the LAN card connected to one of the LANs.

Regards,
Brian
 
"Brian Steele" said:
The broadband router's LAN interface would be 192.168.1.x, not the same as
the LAN behind the WinXP box (192.168.0.x). The WAN interface would be
whatever Internet public address is assigned to it :-).


ICF will be enabled on the LAN card that's connected to the broadband
router, not the LAN card connected to one of the LANs.

I'm sorry, Brian, but I must have misunderstood your proposed setup.
Let me try again. If I understand correctly:

1. LAN #1 connects to the broadband router's LAN ports.

2. NIC #1 on the WinXP box connects to LAN #1 through a LAN port on
the broadband router.

3. NIC #2 on the WinXP box connects to LAN #2.

4. ICS is enabled on the WinXP box, with NIC #1 being the shared
Internet connection and NIC #2 being the LAN connection.

5. ICF is enabled on the WinXP box's NIC #1 connection. WinXP won't
let you enable ICF on the NIC #2 connection.

If that's right, I still don't think that the setup will do what you
want. NIC #1 on the WinXP box is in the same 192.168.1.x network as
the computers of LAN #1. Therefore, computers on LAN #2 will be able
to access computers on LAN #1 through the WinXP box.

Let's say that a LAN #2 computer (192.168.0.2) pings a LAN #1 computer
(192.168.1.2), and that the WinXP box's NIC #1 has an IP address of
192.168.1.1. The ping would succeed, returning a reply to the LAN #2
computer. Here's how it would work:

1. 192.168.0.2 pings 192.168.1.2.

2. The destination address isn't in a local subnet, so the LAN #2
computer sends the ping to its default gateway address, which is
192.168.0.1.

3. The WinXP box receives the ping on NIC #2. Because ICS is a NAT
program, the WinXP box records the source address (192.168.0.2) in its
NAT table, substitutes its own WAN address (192.168.1.1) as the source
address in the command, and sends it out through NIC #1 to 192.168.1.2
via the router.

4. The LAN #1 computer (192.168.1.2) sees a ping from 192.168.1.1,
which is in its local subnet, and replies to it via the router.

5. The WinXP box receives the reply on NIC #1. Because ICS is a NAT
program, the WinXP box finds the original request in its NAT table,
determines that it came from 192.168.0.2, sends it to that computer
through NIC #2, and removes the entry from its NAT table.

Enabling ICF on the WinXP box's NIC #1 connection isn't relevant to
this process. ICF prevents un-requested traffic from coming in, but
the ping reply was requested, appears in the NAT table, and is
allowed.

I've never been able to devise a two-router (e.g. broadband router and
ICS host) solution that isolates two networks like you want. That's
why I suggested three routers (two broadband routers and ICS host) in
my first reply.
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)
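Steve's five-step ping walkthrough, as an added toy model in Python (not code from the thread): the ICS host records each outbound packet in a NAT table, rewrites its source to NIC #1's address, and the ICF check on NIC #1 passes an inbound packet only when a matching entry exists, which is why the reply gets through while unsolicited traffic is dropped. The addresses are the ones in the post; the ICMP identifier values are constructed.

```python
# Added example: minimal model of the ICS NAT table plus the ICF check on NIC #1.
# Addresses come from the thread; packet identifiers are constructed.
NIC1_ADDR = "192.168.1.1"   # WinXP box's "WAN" side, shares LAN #1 with the router

class IcsHost:
    """Stateful NAT: outbound packets from LAN #2 (NIC #2) get a table entry;
    inbound packets on NIC #1 are delivered only if they match one."""

    def __init__(self):
        self.nat_table = {}   # (protocol, translated id) -> (LAN #2 source, original id)
        self.next_id = 1

    def outbound(self, pkt):
        """Packet from LAN #2 arriving on NIC #2 for an off-subnet destination (step 3)."""
        key = (pkt["proto"], self.next_id)
        self.next_id += 1
        self.nat_table[key] = (pkt["src"], pkt["id"])
        # Source is rewritten to NIC #1's address; the packet leaves via the router.
        return {"proto": pkt["proto"], "src": NIC1_ADDR, "dst": pkt["dst"],
                "id": key[1], "type": pkt["type"], "via": "NIC1"}

    def inbound(self, pkt):
        """Packet arriving on NIC #1. ICF logic: pass only if the NAT table shows it
        was requested (step 5); anything unsolicited is dropped."""
        key = (pkt["proto"], pkt["id"])
        if key not in self.nat_table:
            return None                                  # ICF drops unrequested traffic
        orig_src, orig_id = self.nat_table.pop(key)      # entry removed once used
        return {"proto": pkt["proto"], "src": pkt["src"], "dst": orig_src,
                "id": orig_id, "type": pkt["type"], "via": "NIC2"}

def ping_round_trip(host, lan2_host, lan1_host):
    """Steps 1-5 of the walkthrough; returns the reply as delivered to the LAN #2
    computer, or None if the ICS host dropped it."""
    request = {"proto": "icmp", "src": lan2_host, "dst": lan1_host,
               "id": 77, "type": "echo-request"}
    translated = host.outbound(request)
    # The LAN #1 host sees a request from 192.168.1.1 on its own subnet and replies (step 4).
    reply = {"proto": "icmp", "src": translated["dst"], "dst": translated["src"],
             "id": translated["id"], "type": "echo-reply"}
    return host.inbound(reply)

def unsolicited_probe(host, lan1_host):
    """A LAN #1 host sends NIC #1 a packet that no NAT entry asked for."""
    probe = {"proto": "icmp", "src": lan1_host, "dst": NIC1_ADDR,
             "id": 500, "type": "echo-request"}
    return host.inbound(probe)
```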
 
Steve Winograd said:
I'm sorry, Brian, but I must have misunderstood your proposed setup.
Let me try again. If I understand correctly:

1. LAN #1 connects to the broadband router's LAN ports.

2. NIC #1 on the WinXP box connects to LAN #1 through a LAN port on
the broadband router.

3. NIC #2 on the WinXP box connects to LAN #2.

4. ICS is enabled on the WinXP box, with NIC #1 being the shared
Internet connection and NIC #2 being the LAN connection.

5. ICF is enabled on the WinXP box's NIC #1 connection. WinXP won't
let you enable ICF on the NIC #2 connection.

If that's right, I still don't think that the setup will do what you
want. NIC #1 on the WinXP box is in the same 192.168.1.x network as
the computers of LAN #1. Therefore, computers on LAN #2 will be able
to access computers on LAN #1 through the WinXP box.

Let's say that a LAN #2 computer (192.168.0.2) pings a LAN #1 computer
(192.168.1.2), and that the WinXP box's NIC #1 has an IP address of
192.168.1.1. The ping would succeed, returning a reply to the LAN #2
computer. Here's how it would work:

1. 192.168.0.2 pings 192.168.1.2.

2. The destination address isn't in a local subnet, so the LAN #2
computer sends the ping to its default gateway address, which is
192.168.0.1.

3. The WinXP box receives the ping on NIC #2. Because ICS is a NAT
program, the WinXP box records the source address (192.168.0.2) in its
NAT table, substitutes its own WAN address (192.168.1.1) as the source
address in the command, and sends it out through NIC #1 to 192.168.1.2
via the router.

4. The LAN #1 computer (192.168.1.2) sees a ping from 192.168.1.1,
which is in its local subnet, and replies to it via the router.

5. The WinXP box receives the reply on NIC #1. Because ICS is a NAT
program, the WinXP box finds the original request in its NAT table,
determines that it came from 192.168.0.2, sends it to that computer
through NIC #2, and removes the entry from its NAT table.

Enabling ICF on the WinXP box's NIC #1 connection isn't relevant to
this process. ICF prevents un-requested traffic from coming in, but
the ping reply was requested, appears in the NAT table, and is
allowed.

I've never been able to devise a two-router (e.g. broadband router and
ICS host) solution that isolates two networks like you want. That's
why I suggested three routers (two broadband routers and ICS host) in
my first reply.

OK, I see what you mean. My fault - I should've phrased my original
question a bit better. LAN #1 is going to be the "secure" LAN, so it's OK if
PCs on that LAN can communicate with those on LAN #2, but not vice-versa.

But theoretically, could I possibly get around the problem you detailed
above by defining static routes for the private address spaces on the WinXP
box so that the WinXP box thinks that all 192.168.1.x addresses, except for
the router's address, reside on LAN #2? This would require of course that a
static address be defined on the WinXP LAN #1 interface instead of it
obtaining one via DHCP from the NAT/Router box.


Brian
 
"Brian Steele" said:
[snip] If I understand correctly:

1. LAN #1 connects to the broadband router's LAN ports.

2. NIC #1 on the WinXP box connects to LAN #1 through a LAN port on
the broadband router.

3. NIC #2 on the WinXP box connects to LAN #2.

4. ICS is enabled on the WinXP box, with NIC #1 being the shared
Internet connection and NIC #2 being the LAN connection.

5. ICF is enabled on the WinXP box's NIC #1 connection. WinXP won't
let you enable ICF on the NIC #2 connection.

If that's right, I still don't think that the setup will do what you
want. NIC #1 on the WinXP box is in the same 192.168.1.x network as
the computers of LAN #1. Therefore, computers on LAN #2 will be able
to access computers on LAN #1 through the WinXP box.

Let's say that a LAN #2 computer (192.168.0.2) pings a LAN #1 computer
(192.168.1.2), and that the WinXP box's NIC #1 has an IP address of
192.168.1.1. The ping would succeed, returning a reply to the LAN #2
computer. Here's how it would work:

1. 192.168.0.2 pings 192.168.1.2.

2. The destination address isn't in a local subnet, so the LAN #2
computer sends the ping to its default gateway address, which is
192.168.0.1.

3. The WinXP box receives the ping on NIC #2. Because ICS is a NAT
program, the WinXP box records the source address (192.168.0.2) in its
NAT table, substitutes its own WAN address (192.168.1.1) as the source
address in the command, and sends it out through NIC #1 to 192.168.1.2
via the router.

4. The LAN #1 computer (192.168.1.2) sees a ping from 192.168.1.1,
which is in its local subnet, and replies to it via the router.

5. The WinXP box receives the reply on NIC #1. Because ICS is a NAT
program, the WinXP box finds the original request in its NAT table,
determines that it came from 192.168.0.2, sends it to that computer
through NIC #2, and removes the entry from its NAT table.

Enabling ICF on the WinXP box's NIC #1 connection isn't relevant to
this process. ICF prevents un-requested traffic from coming in, but
the ping reply was requested, appears in the NAT table, and is
allowed.

I've never been able to devise a two-router (e.g. broadband router and
ICS host) solution that isolates two networks like you want. That's
why I suggested three routers (two broadband routers and ICS host) in
my first reply.

OK, I see what you mean. My fault - I should've phrased my original
question a bit better. LAN #1 is going to be the "secure" LAN, so it's OK if
PCs on that LAN can communicate with those on LAN #2, but not vice-versa.

But theoretically, could I possibly get around the problem you detailed
above by defining static routes for the private address spaces on the WinXP
box so that the WinXP box thinks that all 192.168.1.x addresses, except for
the router's address, reside on LAN #2? This would require of course that a
static address be defined on the WinXP LAN #1 interface instead of it
obtaining one via DHCP from the NAT/Router box.

Interesting possibility. The 192.168.1.x computers don't reside on
LAN #2, so why would you want the WinXP box to think that they do? If
that's just a ruse to prevent it from sending data to them, I
understand. If not, please explain.

If the WinXP box doesn't need to be able to send any data to the LAN
#1 computers, this might do what you want. I haven't tested it. If
you try it, please post a reply with the results:

1. Configure the broadband router's DHCP server to give out addresses
in the range 192.168.1.128 - 192.168.1.254.

2. Assign the router's LAN interface an IP address in the range
192.168.1.1 - 192.168.1.127

3. Create this static route on the WinXP box, which would send traffic
for the LAN #1 computers to LAN #2, which would discard it:

route add 192.168.1.128 mask 255.255.255.128 192.168.0.1

Sending that traffic to the loopback address instead of 192.168.0.1
might work:

route add 192.168.1.128 mask 255.255.255.128 127.0.0.1

4. There's no need to assign a static IP address to the WinXP box's
LAN #1 connection -- it could be assigned by DHCP. The system will
automatically create a host route for it, and a host route (because it
has a longer subnet mask) always overrides all other routes.
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)
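The static route in step 3 and the host-route remark in step 4, as an added Python example (not from the thread) of the longest-prefix-match lookup the WinXP box would perform with that routing table. The routes are built from the post's addresses; NIC #1's DHCP-assigned address 192.168.1.200 and the Internet address 203.0.113.10 are assumptions.

```python
import ipaddress

# Added example: the WinXP box's routing table after Steve's step 3, as
# (destination network, next hop, interface). 192.168.1.200 (NIC #1's DHCP
# address) and 203.0.113.10 (an Internet host) are constructed values.
ROUTES = [
    ("0.0.0.0/0",        "192.168.1.1", "NIC1"),  # default route via the broadband router
    ("192.168.0.0/24",   "on-link",     "NIC2"),  # LAN #2, served by ICS
    ("192.168.1.0/24",   "on-link",     "NIC1"),  # LAN #1 / router segment
    ("192.168.1.128/25", "192.168.0.1", "NIC2"),  # Steve's static route (step 3)
    ("192.168.1.200/32", "127.0.0.1",   "lo"),    # host route XP adds for NIC #1's own address
]

def lookup(dst):
    """Return (next_hop, interface) for dst by longest prefix match: the most
    specific route wins, so the /32 host route beats the /25, which beats the /24."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, hop, ifc in ROUTES:
        network = ipaddress.ip_network(net)
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, hop, ifc)
    return (best[1], best[2]) if best else None

def explain(dst):
    """Human-readable form of the lookup, e.g. for a quick sanity check."""
    hop, ifc = lookup(dst)
    return f"{dst} -> next hop {hop} via {ifc}"
```

With this table, traffic for a DHCP-assigned LAN #1 host such as 192.168.1.130 is handed to 192.168.0.1 on the LAN #2 side, while the router's own address 192.168.1.1 and the box's own 192.168.1.200 are still reached correctly.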
 
Interesting possibility. The 192.168.1.x computers don't reside on
LAN #2, so why would you want the WinXP box to think that they do? If
that's just a ruse to prevent it from sending data to them, I
understand. If not, please explain.

Yep - it's a ruse :-). With that static route in place, theoretically the
PCs will not be able to communicate with any systems within that IP range,
as they'll be looking for them on their own LAN, not the other one.

If the WinXP box doesn't need to be able to send any data to the LAN
#1 computers, this might do what you want.

Unfortunately it will need to do so.


Brian
 