Showing posts with label Network Hardware.

Newer Networking Features - Virtual LANs

One of the shiniest features in WiFi networking this year is routers with dual LANs. One LAN provides access to the Internet, and to all of your computers, as a normal router does. The second LAN provides access only to the Internet.

You connect all of your personal computers to the first LAN. When you have guests, they can bring their own computers, connect to the second LAN, and surf the Internet without having any access to your personal computers.

You can even lower the security level on the "Guest LAN" to accommodate your guests, without exposing your personal computers to abuse by possibly malicious neighbours, or by your guests' own computers, which may not be secured to your standards and may carry malware. The protection is only as good as the router's enforcement of it, so after setting the guest LAN up, connect a computer to it and confirm that it cannot reach anything on your personal LAN (the router's admin page, a file share, a printer).

Virtual LANs, or "VLANs", used to be a feature available only on advanced, enterprise-grade networks. With computers being a common item in the home, simple VLANs (multiple LANs provided by a single router) are now available on Small Office / Home Office ("SOHO") routers.

Last year, if you wanted equivalent protection for your home computers, you'd have been advised to buy three routers. You would connect one router directly to the modem, and connect the other two routers to the first router as peers. One of the secondary routers would provide your "Personal", secure LAN; the other, the "Guest", less secure LAN. This arrangement, while providing more security for your computers, has disadvantages.

  • Complexity. Three routers require more cabling, and more physical space, than one router.
  • Cost. Three routers are going to cost more than one router.
  • Networking side effects. Each secondary router performs its own NAT behind the first router's NAT, so port forwarding, UPnP, and some VPN and VoIP setups break. Look up discussions about "double NATting" for more about this problem.


A modern, dual-LAN router has none of these disadvantages: just improved security for you, and increased convenience for your guests.
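Because the guest LAN's value lies entirely in the router enforcing the separation, here is a check to run from a laptop connected to the guest LAN. It is an added example, not part of the original post or any router vendor's software; the personal-LAN addresses and ports in it are assumptions to replace with your own router's admin page, file server and so on.

```powershell
# Added example (not from the original post). Run from a computer joined to the
# "Guest" LAN: every personal-LAN target below should be unreachable.
# The addresses and ports are assumptions; replace them with your own.
$PersonalLanTargets = @(
    @{ Address = '192.168.1.1';  Port = 80   }   # assumed: personal-LAN router admin page
    @{ Address = '192.168.1.10'; Port = 445  }   # assumed: file server (SMB)
    @{ Address = '192.168.1.10'; Port = 3389 }   # assumed: Remote Desktop on the same server
)
$TimeoutMs = 2000

function Test-TcpReachable ([string]$Address, [int]$Port, [int]$TimeoutMs) {
    # True only if a TCP handshake completes; a refused connection and a
    # silently dropped one both count as "blocked" for this purpose.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Address, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws on connection refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-IcmpReachable ([string]$Address, [int]$TimeoutMs) {
    $ping = New-Object System.Net.NetworkInformation.Ping
    try { return ($ping.Send($Address, $TimeoutMs).Status -eq 'Success') }
    catch { return $false }
}

# Sanity check: show which network this computer is actually on.
$cfg = Get-WmiObject Win32_NetworkAdapterConfiguration |
    Where-Object { $_.IPEnabled -and $_.DefaultIPGateway } | Select-Object -First 1
"Testing from $($cfg.IPAddress[0]) via gateway $($cfg.DefaultIPGateway[0])"

$leaks = 0
foreach ($t in $PersonalLanTargets) {
    $tcp  = Test-TcpReachable $t.Address $t.Port $TimeoutMs
    $icmp = Test-IcmpReachable $t.Address $TimeoutMs
    $state = if ($tcp -or $icmp) { $leaks++; 'REACHABLE: isolation failed' } else { 'blocked' }
    "{0}:{1,-5} tcp={2,-5} icmp={3,-5} {4}" -f $t.Address, $t.Port, $tcp, $icmp, $state
}
if ($leaks -eq 0) { 'Guest LAN appears isolated from the personal LAN.' }
else { "$leaks target(s) reachable from the Guest LAN; check the router's guest isolation setting." }
```

A target that answers ICMP but refuses TCP is still a leak: the guest LAN can see the host, and a firewall rule on that host is the only thing in the way. Expect every line to read "blocked"; anything else means the router is forwarding between the two LANs.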


Windows Vista and Explicit Congestion Notification

With Internet access being one of the most popular uses for computers, the changes in Windows Vista to support improved TCP networking are significant. I've written about Scalable Networking, which contains three identified options: Receive-Side Scaling, TCP AutoTuning, and TCP Offload. Receive-Side Scaling and TCP Offload are implemented entirely on the client, and only require support from the client's own equipment (the network adapter). AutoTuning relies on TCP window scaling, which the other end of the connection must also support, and which some older routers mishandle.

There are more changes to the Vista TCP stack, though, and some of them require support from equipment outside the client network. Explicit Congestion Notification (ECN, RFC 3168) is an option that reduces the network problems caused by dropped packets. Instead of silently dropping packets when their queues fill, ECN-capable routers mark the IP header of a packet (the "Congestion Experienced" codepoint); the receiver echoes that mark back to the sender in the TCP header, and the sender slows down just as it would after a loss, then tells the receiver it has done so. Both endpoints negotiate ECN when the connection is opened, and every router on the path has to at least pass the marked packets through unharmed.

Rather than experience packet drop (and the retransmission it requires), the client and server are warned before packet drop becomes necessary, and voluntarily reduce their sending rate. If the endpoints reduce network use, the routers in the path between them become less overloaded, and are less likely to drop packets. This benefits all users of the network, including the endpoints and routers of other connections. By reducing packet retransmission, ECN can reduce Internet congestion in general.

Used inappropriately, however, ECN can actually increase Internet congestion, or cut you off from a site entirely. Not all Internet equipment is ECN friendly, and Wikipedia mentions how enabling ECN might actually cause a problem, rather than preventing one:

Some outdated or buggy network equipment drops packets with the ECN bit set, rather than ignoring the bit[1].


ECN isn't granular from the client's side. The Vista switch is global: either you offer ECN on every outgoing connection, or you don't, and it potentially affects access to every web site that you wish to visit. (ECN itself is negotiated per connection, so a server that doesn't support it simply won't use it; the danger is equipment in the path that drops packets carrying the ECN bits.) It may be more useful on specialised computers that are intentionally used for high-speed communication with specific sites. It doesn't appear too useful for web surfing in general, right now.

For this reason, Vista is installed with ECN disabled. If you enable ECN, and you lose access to one web site, you'll have no choice but to disable ECN again, or face loss of access to the web site in question. As network hardware is upgraded and becomes ECN friendly, enabling ECN will become a more practical option.

If you wish to use ECN, enter in a Vista command window (Run as Admin)
netsh interface tcp set global ecncapability=enabled
If you detect problems, such as lack of access to various web sites, enter similarly
netsh interface tcp set global ecncapability=disabled



Windows Vista and Scalable Networking

Over a year ago, I explored an issue with Windows Vista and its default networking settings relevant to TCP window scaling (RFC 1323, which lets a receive window grow beyond 64 KB). The first known problem was an exciting networking option called Receive Window AutoTuning, which became a problem when an older router was in use.

Besides AutoTuning, which is a problem with older routers, there are two additional networking options, TCP Offload ("Chimney") and Receive-side Scaling ("RSS"), which cause similar problems with older network adapters and their drivers. If your computer suffers from symptoms similar to the well-known MTU setting problem, and you get no relief from disabling RWin AutoTuning, consider disabling TCP Offload and Receive-side Scaling.

In a Vista command window (Run as Admin), enter

netsh interface tcp set global chimney=disabled
netsh interface tcp set global rss=disabled


TCP Chimney Offload takes a portion of the TCP/IP network stack, currently run on your computer as part of the Windows operating system, and runs it on a dedicated processor on a TOE (TCP Offload Engine) capable network adapter. Less work for the operating system, plus processing on the adapter itself, should mean better performance. It also means the adapter's driver and firmware now own part of your TCP connection state, so a buggy driver shows up as mysterious connection problems rather than anything the operating system can report.

Receive-side Scaling lets incoming network traffic be processed efficiently on a multi-processor computer, by hashing each packet's addresses and ports so that all packets from a single TCP connection are consistently handled by the same processor. All incoming packets for each TCP connection on the same processor means packets never get reordered, which can otherwise be a problem with multiple processors. Obviously, you'll need a multiple-processor system to get any benefit here.

Try Internet access with TCP Offload and Receive-side Scaling disabled, and see if network performance improves. If it does, see if you can upgrade or replace your network card with one that is TOE capable, which was stated to cost $25 - $50 earlier this year. Once you have the right network hardware, or if the above change doesn't provide any relief from your symptoms, you can re-enable TCP Offload and Receive-side Scaling (the documented value is "enabled")
netsh interface tcp set global chimney=enabled
netsh interface tcp set global rss=enabled


If you do see a bandwidth improvement and / or a drop in network utilisation after enabling chimney and / or rss, restart the system; you may see still more improvement after restarting. Proper tools for objective measurement of bandwidth and network utilisation, access to high-speed Internet service, and high-bandwidth applications like streaming video will make the success of this change easier to assess.

Besides Scalable Networking, look at other possible problems with Windows Vista Networking Innovations, in Windows Vista and Explicit Congestion Notification.

For more details about this issue, see

Ad-Hoc Networking

Microsoft Windows is called a Network Operating System. Computers running an operating system like Microsoft Windows (any of the many versions) were designed to be networked. As I've said elsewhere, if you have one computer, you have the beginning of a network.

The minimum complement of equipment that you need for a computer network is two computers and the appropriate networking components. The simplest networking component set would be two Ethernet adapters (one in each computer), connected by a length of Ethernet cable, generally (but not always) a crossover cable.

That's an ad-hoc Ethernet network. It's similar to hub (router / switch) based Ethernet networking, but without a hub (router / switch).

You can also have a network without any Ethernet cable, if you replace the Ethernet adapters with WiFi adapters. That's called an ad-hoc WiFi network.

An Ethernet-based ad-hoc network is limited to two computers. An Ethernet cable has just two ends; to get any more, you need a hub (router / switch). With a WiFi-based ad-hoc network, you can have any number of computers connected, with minimal effort.

But there are several disadvantages to ad-hoc WiFi networking.

  • One of the biggest is security. The minimum acceptable standard for WiFi security is WPA. Unfortunately, WPA as originally specified relies on a WiFi Access Point to manage authentication and encryption. Some newer clients can negotiate WPA2-PSK between peers in ad-hoc mode, but unless every computer in the group supports that, you're limited to WEP, and WEP just isn't adequate security: its keys can be recovered from captured traffic in minutes.
  • With a router "in charge" of the network, you'll generally get more throughput. Client - server (with the server in charge) is more efficient than peer - peer (with no one in charge).
  • Most WiFi equipment, in ad-hoc mode, will only operate in 802.11b mode, and get up to 11 Mbit/s of bandwidth total.
  • Without a router, and the DHCP server built into it, you'll have to use ICS (if you're sharing Internet service), or pre-assign fixed IP addresses to each computer.
  • You'll have to pre-assign the channel number and SSID on each computer, as the normal WiFi client won't find your ad-hoc network by scanning. Nor will it give you a signal strength indicator.
  • You won't be able to disable SSID broadcast (not that this is a bad thing). In ad-hoc mode, SSID broadcast is forcibly enabled.


Remaining aware of the limitations of ad-hoc WiFi, see specific details of the setup process

For a quick LAN, ad-hoc WiFi is OK. In an otherwise secure environment (maybe a single conference room deep within your office complex) it's perfect for a quick conference, and application sharing. For long term, really secure networking, though, you can't beat a properly setup, router (WAP) based network.


Windows Vista And Routers

As I've written separately, the networking stack in Windows Vista is significantly different from the networking stack in previous versions of Windows. These differences are discussed, in detail, by experts like Joe Davies of Microsoft.

Like any improvements, the many networking improvements in Vista use more resources (memory and processor) on the host computer. Resources on any peripherally connected computer, or router, will likewise be used more intensively; larger receive windows, and the window scaling option that enables them, are the usual trouble spot on older routers. In testing Vista, Microsoft engineers found that older routers won't perform as well when used with computers running Vista as with computers running earlier versions of Windows.

As you integrate your computer running Windows Vista with the rest of your network, you'll find a few challenges with the various computers running other operating systems. Those differences you'll have to work around, with configuration changes.

If you get a new computer running Vista, and your router is a few years old, it may be time to replace the router too. Or at least upgrade the firmware, if any is available, obtained from the vendor.

For more discusssion:




AutoTuning In Vista Maybe Not Ready For Prime Time

As you surf the web, you will be in conversation with dozens of web servers, and each conversation might have different latency and stability issues. The receive window caps how much data can be in flight, so throughput can never exceed the window size divided by the round-trip time: a 64 KB window over a 100 ms path tops out around 5 Mbit/s, however fast the link. On a less stable (or low-bandwidth) connection, a small Receive Window is a good idea; on a more stable (or high-bandwidth) connection, a larger window gives much better performance. With Windows XP and previous, you were limited to a single Receive Window setting, which applied to all Internet connections, all of the time.

One of the long awaited features in Windows Vista was the ability for it to dynamically determine the Receive Window size, by individual connection. Receive Window Auto-Tuning is one of the many significant improvements in Windows Vista, in my opinion.

For a few owners of computers running Windows Vista, connectivity to the local network, or the Internet, may be problematic. Symptoms are very like the well known MTU Setting problem - some servers, some of the time, can't be contacted, or give poor performance. Copying files locally, from one computer to another, may be fast in one direction, and agonizingly slow in another.

But your local file copies don't cross the router's WAN side or its NAT, so how would an MTU setting affect your local connection?

The MTU isn't always the culprit in this case. If you have an older firewall or router that doesn't support TCP window scaling (an essential component of Receive Window Auto-Tuning), you may have this problem. Apparently the lack of window scaling can affect local performance too.

If you are faced by symptoms like an MTU setting problem, that involve a computer running Windows Vista, first try disabling Auto-Tuning. In a Vista command window (Run as Admin), enter

netsh interface tcp set global autotuning=disabled
or
netsh interface tcp set global autotuninglevel=disabled

Then shutdown and restart.

Try Internet access with Auto-Tuning shut off, and see if things stabilise. If they do, see if you can upgrade or replace your router. Check with the vendor, and see if a firmware update is available; if not, consider replacing the router. If your router is incapable of supporting Windows Scaling, it may lack other features that you will also enjoy.

Besides RWin AutoTuning, look at other possible problems with window scaling, in Windows Vista and Scalable Networking.

If you see no improvement in your symptoms, turn Auto-Tuning back on before making other changes. Layered Troubleshooting principles suggest one change at a time.
netsh interface tcp set global autotuning=normal
or
netsh interface tcp set global autotuninglevel=normal


Note the spelling variations above. Some experts state that the relevant keyword is "autotuning", others "autotuninglevel". netsh accepts an unambiguous abbreviation of a parameter name, so both reach the same setting; the name shown by netsh's own help (netsh interface tcp set global /?) is autotuninglevel, and its documented values are disabled, highlyrestricted, restricted, normal and experimental. "enabled" is not one of them, which is why the command that turns Auto-Tuning back on uses normal.
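The three posts on this page about netsh TCP global parameters (Explicit Congestion Notification, Scalable Networking, and AutoTuning) all come down to the same procedure: change one parameter, test, and put it back if it doesn't help. This added example automates that procedure; it is mine, not the original posts' or Microsoft's code. The probe URLs, the trial list, and the label fragments used to read netsh's output are assumptions.

```powershell
# Added example, not from the original posts. Walks the netsh TCP global
# parameters one change at a time, measures reachability of a few sites before
# and after, and restores each parameter's original value so nothing is left
# changed by accident. Run from an elevated PowerShell prompt on Vista or later.
$ProbeUrls = @('http://www.microsoft.com/', 'http://www.google.com/', 'http://www.example.com/')  # assumed
$Trials = @(
    @{ Name = 'autotuninglevel'; Value = 'disabled' }   # "AutoTuning" post
    @{ Name = 'chimney';         Value = 'disabled' }   # "Scalable Networking" post
    @{ Name = 'rss';             Value = 'disabled' }
    @{ Name = 'ecncapability';   Value = 'enabled'  }   # "ECN" post: try it, keep it only if nothing breaks
)
# Fragment of each parameter's label in "netsh interface tcp show global" output
# (assumed from Vista's wording; adjust if your build prints different labels).
$Labels = @{
    autotuninglevel = 'Auto-Tuning'
    chimney         = 'Chimney'
    rss             = 'Receive-Side Scaling'
    ecncapability   = 'ECN'
}

function Test-IsElevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-TcpGlobal {
    # Parse "Label : value" lines of the netsh output into a hashtable keyed by label.
    $result = @{}
    netsh interface tcp show global | ForEach-Object {
        if ($_ -match '^\s*(.+?)\s*:\s*(\S+)\s*$') { $result[$matches[1]] = $matches[2] }
    }
    $result
}

function Get-TcpGlobalValue ([string]$Name) {
    $all = Get-TcpGlobal
    $key = $all.Keys | Where-Object { $_ -like "*$($Labels[$Name])*" } | Select-Object -First 1
    if ($key) { $all[$key] } else { $null }
}

function Set-TcpGlobalValue ([string]$Name, [string]$Value) {
    $out = netsh interface tcp set global "$Name=$Value"
    if ($LASTEXITCODE -ne 0) { throw "netsh failed for $Name=$Value : $out" }
}

function Measure-Reachability {
    # Returns the number of probe URLs that could not be fetched within 10 s.
    $failed = 0
    foreach ($url in $ProbeUrls) {
        try {
            $req = [System.Net.HttpWebRequest]::Create($url)
            $req.Timeout = 10000
            $resp = $req.GetResponse()
            $resp.Close()
        } catch { $failed++ }
    }
    $failed
}

if (-not (Test-IsElevated)) { throw 'Run this from an elevated (Run as Administrator) PowerShell.' }

$baseline = Measure-Reachability
"Baseline: $baseline of $($ProbeUrls.Count) probe sites unreachable"

foreach ($t in $Trials) {
    $before = Get-TcpGlobalValue $t.Name
    if (-not $before) { "Skipping $($t.Name): not reported by this build's netsh"; continue }
    if ($before -eq $t.Value) { "Skipping $($t.Name): already $before"; continue }
    Set-TcpGlobalValue $t.Name $t.Value
    $failures = Measure-Reachability
    "{0}={1} (was {2}): {3} of {4} unreachable" -f $t.Name, $t.Value, $before, $failures, $ProbeUrls.Count
    Set-TcpGlobalValue $t.Name $before   # revert; keep a change only after a retest that includes a reboot
}
```

Only a trial whose failure count drops below the baseline (or, for ECN, stays at the baseline) is worth keeping; apply that one change by hand afterwards, reboot, and test again before moving on to the next, as the Layered Troubleshooting principle above suggests.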

For more information, see


Electrical Issues In Ethernet Networking

If you wire your house with Ethernet, you'll have a houseful of computers, all connected to the power system, and all connected to each other through the Ethernet network, and through the electrical system ("mains"). This is an obvious, but not trivial, issue.

With all computers connected within the same building, it's not a major issue. All computers are connected to the same main power supply, fed through the same power feed from the electric company, and grounded at the power distribution panel (electric meter et al). All computers, on properly maintained electrical and Ethernet networks, should have the same ground potential.

If you're lucky enough to have a large property, maybe you have a garage or shed out back of your house, with a separate electrical feed. If you decide to install a computer out there, networking that computer won't be a trivial issue. Getting past the issue of running cable between the two buildings (bury it, and risk underground problems, or string it through the air, and risk damage from birds and other wildlife), you have a major code and safety issue.

Two separate buildings will have different ground potentials, amplifying the damage from lightning strikes. To fulfil electrical code requirements, you must ground the electrical feeds to separate buildings separately. If you run Ethernet cable between your buildings, and lightning strikes one building, the surge can travel from one computer to the other through the Ethernet cable, and eventually to ground at the other building. Twisted-pair Ethernet ports are transformer-isolated, but that isolation is rated in the region of 1500 volts, nowhere near a lightning surge.

If you were unlucky enough to be working at either computer when this happened, you'd probably not live to worry about it. If you were lucky enough to not be in front of a computer, you could at least kiss the computers goodbye.

Even ignoring the possible damage from a lightning strike, a network with computers at different ground potentials won't do much for network stability. The transformer isolation in each port tolerates small differences, but larger or fluctuating differences between separately grounded buildings, and the electrical noise that rides on them, show up as chronic and intermittent packet loss.

The bottom line? If you can't bond both ends of the Ethernet cable to a common ground very securely, fiber or WiFi is a much better choice for connecting two separate buildings. Fiber-optic cable doesn't conduct electricity, just light. And WiFi isn't a physical medium at all.

If you have 2 buildings, limit the dangers of lightning to each building alone. Don't tie the two together, inadvertently.

For more discussion:




NAS Has Its Own Limitations

I needed a larger hard drive to store my movie collection. My server was maxed out, and I didn't feel like buying a new computer, so I bought a computer in a box, aka Network Attached Storage.

But what makes NAS so attractive is also a limitation. Since a NAS is, by design, accessible to all operating systems, it runs its own embedded operating system (typically Linux with Samba) rather than Windows, and you'll find that its file sharing is not as predictable as NTFS and Windows Networking: NTFS permissions and their inheritance, and some Windows Networking behaviour such as browsing and NetBIOS names, may be approximated or missing.



So NAS is a great solution, if you need a quick, inexpensive storage boost. But know the limitations, and choose your NAS solution carefully.


What Is A CrossOver Cable, and Why Do I Need One

In any conversation between two people or computers, one speaks and the other listens, and then the roles swap. This means that the mouth on one end has to connect to the ear on the other. In Ethernet, this is called cross-over.

If you looked at any hub / switch / router 10 years ago, you would probably see the various ports labelled "X-1", "X-2", "X-3"... This meant those were cross-over (MDI-X) ports. Your computer transmits on one pair of wires in the Ethernet cable (pins 1 and 2 on a 10/100 port) and receives on another (pins 3 and 6). When the cable went into the hub port at the other end, the cross-over function connected the transmit pair from your computer to the hub's receive circuit, and the receive pair from your computer to the hub's transmit circuit.

If you had to connect a pair of hubs directly to each other, you would have a cross-over port at one end connecting to a cross-over port at the other end. The two cross-overs would cancel each other out, transmit to transmit, so you would use a cross-over cable, which swaps the pairs inside the cable, to put the cross-over back.

If you connected a pair of computers directly, you would similarly need a cross-over cable.

This meant that everybody with a computer network had to have cross-over cables handy.

To eliminate the need for cross-over cables, manufacturers developed Auto-MDIX. A port with Auto-MDIX senses whether it is connected to another cross-over port, and switches itself to non-cross-over mode if necessary. Some computers' adapters likewise have Auto-MDIX, and it is effectively universal on gigabit (1000BASE-T) ports. If you connect a pair of computers directly, and one (or both) have Auto-MDIX, you can use a straight-thru (aka patch) cable, and they will connect just fine.

Auto-MDIX is a significant development, in the networking world. Having said that, I don't believe that Auto-MDIX can be relied upon, as a complete solution. I will still advise you to have a cross-over cable, or connector, handy for diagnosing network problems.


Re Install Your Network Hardware

Sometimes, even after repairing the network connection, repairing the LSP / Winsock stack, and / or re setting / re installing the network protocols, your problems continue. The next step is to fix a problem which may be in the bindings between the protocols and the network hardware.

First, always check with the hardware vendor to find out if any driver updates are available. Your problem may be something just resolved by the vendor, so download and install any driver updates from the vendor.

If driver updates aren't available, or if installing them didn't fix the problem, then it's time to reinstall the hardware. Make sure that you have a good copy of the drivers, in an available location, before starting this procedure. If this is your only computer, back up any network resources, and maybe print key articles from this blog, before taking your computer offline.


  1. Uninstall the drivers for the network hardware.
  2. Restart the computer, with the new drivers easily available.

    • Let the system discover the hardware again, or
    • Open Device Manager yourself, and reinstall the drivers.

  3. Restart the computer once more.



Connecting Two Computers With A Crossover Cable

Most of my articles in this website are about Windows Networking / File Sharing, or about Internet Connectivity, and start by assuming that you have several computers, and a hub (router / switch) connecting them. But what if you have just 2 computers, and just want to quickly move files between the two? Or maybe you want to setup Internet service, for the 2 computers, without using a router to share the service?

You don't always require a hub (router / switch) to connect just 2 computers.






Make The Right Decision
Start by asking yourself - what do you want to do - both now, and in the future? If you just want to immediately connect just these two computers, and quickly move files between the two, without Internet service, then this is the right start.

If your future might include Internet service, or if you might end up with a third computer, then you would really be better off using a hub (router / switch).

If you want to connect the two computers, and share Internet service, you can do that using a crossover cable. But know the issues before you start.
  • If the computer with Internet service has it thru a dedicated modem, either:
    • Internally installed.
    • Connected externally, thru a serial cable.
    • Connected externally, thru a USB cable.
  • then using a crossover cable is a valid solution.
  • If the computer with Internet service has it thru an Ethernet connection, or thru WiFi, then this is not a valid solution. ICS numbers its shared side 192.168.0.1/24, so if the Ethernet or WiFi connection is already on subnet 192.168.0.0/24, ICS will not work at all; in that case, connect both computers directly to the LAN with subnet 192.168.0.0/24. If the Ethernet or WiFi connection has a private LAN address (10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16), you're behind a NAT router, and you should set up a bridge, rather than use ICS.





Use The Proper Equipment
The simplest solution, for networking just 2 computers, is to get an Ethernet crossover cable, and connect the two directly. A single crossover cable is the equivalent to getting a hub (router / switch), and a pair of straight-thru patch cables.

Please use Ethernet, not Firewire or USB, for connecting your computers. Firewire / USB networking requires extra drivers, and extra work. Ethernet drivers are native in all modern operating systems.

Please use a Cross-over Ethernet cable. A Straight-Thru, aka Patch, cable may work for some newer systems, which can automatically sense the need for a cross-over. But a cross-over cable will work all of the time, when you need to connect two computers directly.

Patch cables may come in many colours and lengths; some computer stores will have dozens of choices to suit your cabling needs. Cross-Over cables, when you find them in the store, will be explicitly labeled "Crossover", and will come in one colour (probably orange), and one length (probably 3 or 5 foot).

Please buy a properly made cross-over cable. If you're a masochist, or extremely desperate, you may make your own from a pair of patch cables, properly spliced. But Ethernet cables, that support modern high speed networks, require precision in their construction. I'm a fan of do-it-yourself activity (as in the reason for this website), when it's properly planned. I don't recommend do-it-yourself Ethernet cabling, when you're setting up a network. Buy a cable, unless you're very experienced with networking and can easily recognise the possible problems.

If you replace the two Ethernet adapters, one on each computer, with two WiFi adapters, you may be able to eliminate the Ethernet cable and setup an ad-hoc WiFi network. A WiFi based ad-hoc network isn't terribly different from an Ethernet based ad-hoc network, once you get the WiFi connectivity working.

Use the Device Manager in Windows, and test the network adapter in each computer. Connect your cross-over cable to the two network adapters. Observe the lights on the network adapters, and / or the status indicated by the Local Area Connection icon in the system tray: do both computers indicate a successful electrical connection?

Now, will you be setting up your network to Share Internet Service? Or just to share files, with No Internet Service?




Setup The Network - No Internet
If you just have two computers, and no Internet service to either, run the Network Setup Wizard on each computer. Select the last option
This computer belongs to a network that does not have an Internet connection.

Having connected the two computers physically, and checked that you have no physical problems, you need to make the logical (TCP/IP) settings. If you have Windows XP / Vista, or other current operating systems, on your computers, you're in luck. Modern operating systems use a system called APIPA (Automatic Private IP Addressing), which assigns an address in 169.254/16 when no DHCP server answers, so the two computers will connect to each other. If you allow the two computers to dynamically assign addresses, APIPA should take care of this for you.

Be prepared to get an error message - Limited Or No Connectivity - if you use APIPA configuration.

NOTE: if any of your computers are NOT running Windows XP / Vista, you'll have to set the IP address and subnet mask manually, on those computers. Remember IP addresses have to be unique for IP addressing to work.
  • Run "ipconfig /all", from a command window, on each APIPA compliant computer first.
  • Make a list of which addresses are automatically assigned.
  • Manually configure each non-APIPA compliant computer.
    • Set each computer up with a unique IP address in the 169.254.x.x subnet (written as 169.254/16 in many cases).
      • Each computer gets a subnet mask of "255.255.0.0".
      • Each computer gets an IP address of "169.254.x.x", where the "x.x" MUST be different for each computer. Check your list of addresses assigned by APIPA!
      • Pick the third octet from 1 to 254, and the fourth octet from 1 to 254. (The link-local standard reserves 169.254.0.x and 169.254.255.x, and .0 and .255 in the last octet are best avoided, as some older stacks treat them specially.)
    • You assign IP addresses using the TCP/IP Properties wizard. Select "Use the following IP address". Only worry about IP address and Subnet mask; the other settings are only useful if you have an outside connection. With locally connected computers, just IP address and Subnet mask are essential, and should be assigned as described above.

Having connected the two computers physically, and checked that you have no physical problems, next Verify The Network - make sure that it works properly.




Setup The Network - With Internet
If you have two or more computers, with Internet service to one, and wish to share the service to the others, run the Network Setup Wizard, first, on the computer that has Internet service. Select the first option
This computer connects directly to the Internet. The other computers on my network connect to the Internet through this computer.

You'll probably be running ICS on this computer. Note the disadvantages and requirements of ICS, and a possible alternative. You'll have to have two separate network connections (one might be a modem, directly or internally connected). You'll indicate which connection provides the Internet service, and then which connection(s) are to be used for sharing the Internet service.

If, per the ICS alternative, you decide to use a bridge, remember that both of the network adapters, on the bridged computer, will have the same IP address. Plan your testing accordingly.

If you decide to use ICS, run the Network Setup Wizard on the other computers, and select the second option
This computer connects to the Internet through another computer on my network or through a residential gateway.

If you can't run the Network Setup Wizard on any computers, use the TCP/IP Properties wizard, and select automatic configuration.

If the second computer will be running as a server, and providing data to the Internet, remember that the ICS server will have to be online constantly. Having dealt with that requirement, setup the ICS server to (KB231162): forward the right ports to the Internet server.

Having connected the two computers physically, and checked that you have no physical problems, verify that the network works properly.




Verify The Network
Please verify that you have connectivity between the computers first.

  • Run "ipconfig /all" on each computer, from a command window. Note the IP address and subnet mask for each network connection.
  • Make sure that you don't have a bridge, on any computer, unintentionally.
  • Verify that all computers are on the same subnet, and that each has a unique address.
    • If this is two computers without Internet service, each computer should have an address of 169.254.n.n, and a subnet mask of 255.255.0.0. This will indicate that each is on subnet 169.254/16.
    • If this is two, or more, computers sharing Internet service, the first computer (thru which the others will be getting Internet service) must have an address of 192.168.0.1, and a subnet mask of 255.255.255.0 (on the connection used for sharing the Internet service). All of the computers getting Internet service thru the first computer must have an address of 192.168.n.n, and a subnet mask of 255.255.255.0, and show both DHCP and Autoconfiguration Enabled = Yes.
  • From each computer, again in a command window, ping the other. If, for instance, the address on Computer B is "169.254.1.2", open a command window on Computer A, and enter:
    ping 169.254.1.2

    If you get back a series of responses like
    Reply from 169.254.1.2: bytes=32 time<1ms TTL=128
    Reply from 169.254.1.2: bytes=32 time<1ms TTL=128
    Reply from 169.254.1.2: bytes=32 time<1ms TTL=128
    Reply from 169.254.1.2: bytes=32 time<1ms TTL=128

    then you are ready.
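As an added example covering both the manual-address rules in "Setup The Network - No Internet" and the checks in "Verify The Network" (this is not code from the original article), the following reads the IPv4 address and mask out of pasted "ipconfig /all" text from each computer and tests the rules before you start pinging. The two ipconfig excerpts are constructed samples, and the computer names are made up; paste in the real output from each computer. The ICS-side rule (192.168.0.1/24) is checked when the -SharingInternet switch is given.

```powershell
# Added example, not from the original article. The two excerpts below are
# constructed stand-ins for "ipconfig /all" output pasted from each computer.
$Samples = @{
    'ComputerA' = @'
Ethernet adapter Local Area Connection:
   Autoconfiguration IPv4 Address. . : 169.254.37.12(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
'@
    'ComputerB' = @'
Ethernet adapter Local Area Connection:
   IP Address. . . . . . . . . . . . : 169.254.37.12
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
'@
}

function ConvertTo-IpNumber ([string]$DottedQuad) {
    # Dotted quad -> 64-bit integer, so masks can be applied with -band.
    $b = [System.Net.IPAddress]::Parse($DottedQuad).GetAddressBytes()
    [int64]$b[0] * 16777216 + [int64]$b[1] * 65536 + [int64]$b[2] * 256 + [int64]$b[3]
}

function Get-IPv4FromIpconfig ([string]$Text) {
    # Accepts the XP label ("IP Address") and the Vista ones ("IPv4 Address",
    # "Autoconfiguration IPv4 Address"); IPv6 lines do not match.
    $ip   = [regex]::Match($Text, '(?m)^\s*(?:Autoconfiguration )?IP(?:v4)? Address[ .]*:\s*(\d+\.\d+\.\d+\.\d+)').Groups[1].Value
    $mask = [regex]::Match($Text, '(?m)^\s*Subnet Mask[ .]*:\s*(\d+\.\d+\.\d+\.\d+)').Groups[1].Value
    if (-not $ip -or -not $mask) { throw 'No IPv4 address and subnet mask found in the ipconfig text' }
    @{ IP = $ip; Mask = $mask }
}

function Test-TwoComputerAddressing ($Hosts, [switch]$SharingInternet) {
    # Returns the list of rule violations; an empty list means the addressing is consistent.
    $problems = @()
    $entries  = @{}
    foreach ($name in $Hosts.Keys) { $entries[$name] = Get-IPv4FromIpconfig $Hosts[$name] }

    $masks = @($entries.Values | ForEach-Object { $_.Mask } | Sort-Object -Unique)
    if ($masks.Count -ne 1) { $problems += "Subnet masks differ: $($masks -join ', ')" }

    $networks = @($entries.Values |
        ForEach-Object { (ConvertTo-IpNumber $_.IP) -band (ConvertTo-IpNumber $_.Mask) } | Sort-Object -Unique)
    if ($networks.Count -ne 1) { $problems += 'Computers are not on the same subnet' }

    foreach ($g in ($entries.Values | Group-Object { $_.IP } | Where-Object { $_.Count -gt 1 })) {
        $problems += "Duplicate address $($g.Name) (IP addresses must be unique)"
    }

    $apipaLow  = ConvertTo-IpNumber '169.254.1.0'      # usable link-local range per RFC 3927
    $apipaHigh = ConvertTo-IpNumber '169.254.254.255'
    $icsNet    = ConvertTo-IpNumber '192.168.0.0'      # ICS host is 192.168.0.1/24 on the shared side
    $slash24   = ConvertTo-IpNumber '255.255.255.0'
    foreach ($name in $entries.Keys) {
        $e = $entries[$name]; $n = ConvertTo-IpNumber $e.IP
        if ($SharingInternet) {
            if ($e.Mask -ne '255.255.255.0' -or (($n -band $slash24) -ne $icsNet)) {
                $problems += "$name ($($e.IP)/$($e.Mask)) is not in 192.168.0.0/24, the subnet ICS uses"
            }
        } elseif ($e.Mask -ne '255.255.0.0' -or $n -lt $apipaLow -or $n -gt $apipaHigh) {
            $problems += "$name ($($e.IP)/$($e.Mask)) is outside the usable 169.254/16 (APIPA) range"
        }
    }
    if ($SharingInternet -and -not ($entries.Values | Where-Object { $_.IP -eq '192.168.0.1' })) {
        $problems += 'No computer has 192.168.0.1, the address the ICS host must use'
    }
    $problems
}

$problems = @(Test-TwoComputerAddressing $Samples)
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { "PROBLEM: $_" }
} else {
    # Addressing is consistent: now ping each computer from the one you are sitting at.
    foreach ($name in $Samples.Keys) {
        $ip = (Get-IPv4FromIpconfig $Samples[$name]).IP
        "{0} {1}: {2}" -f $name, $ip, $(if (Test-Connection $ip -Count 2 -Quiet) { 'replies' } else { 'no reply' })
    }
}
```

With the constructed samples as given, the script reports one problem, the duplicate 169.254.37.12 on both computers, which is exactly the mistake the "x.x MUST be different" rule above guards against; change ComputerB's address and the ping loop runs instead.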

When you open Windows Explorer on each computer, and look in Network Neighborhood, you should see both computers. And when you open (doubleclick on) one entry, you should see the folders and files.

And, if the computer directly connected to Internet service can access the Internet, the other computers should be able to do so also.




Troubleshoot The Network, If Necessary
So what if it doesn't work, per the basic testing above? Well, now you start troubleshooting, and methodically, in the right sequence.



Connecting Different Devices To Your Internet Service

Many Internet services do not want you to casually connect just any network device (computer or router) to their network. They will link your IP address, or network connection, to a specific MAC address entry in a database in their system, or in the memory of the modem connected to their network.

If you connect another device, with a different MAC address, to their network, they will deny service to the unknown device. Each different network device in the entire world, be it a modem, network card, or router, has a unique MAC address assigned when it is manufactured. Many broadband services will issue an IP address, and provide or deny service, based upon the MAC address.

If you connect a different computer, or a router, to your Internet service and get no connection, you will have several choices to force your service to accept the new computer or router.



Reset the Modem
If you're lucky, your modem is easily reprogrammed.
  • Have all devices connected and powered up.
  • Look carefully for a small hole on the back or bottom of the modem, labeled "Reset". Generally it will be large enough for just a large paper clip.
  • Insert a straightened paper clip into the hole, and press ever so gently, maybe 1/32".
  • Hold for 10 - 15 seconds.
  • Release.
  • The lights on the modem will flash differently, indicating reset activity.


Reset the Broadband Service
If you can't reset the modem, you reset the ISPs equipment.
  • Power everything down.
  • Connect everything as you wish.
  • Wait 5 - 10 minutes.
  • Power only the modem on. Wait until the modem indicates service (the Line / Link / Service light is lit).
  • Power the router on.
  • Power the computer on.

If this procedure doesn't work, try again, but wait 1/2 hour or so. Some services reportedly have a 4 hour retraining period, as the equipment behind the modem (at the broadband head-end) has to reset too. You may even have to involve your ISP, in extreme cases.

Change The MAC Address
If you can't reset the modem, or the service, you change the MAC address to match the computer that was previously connected to the service. Most network cards and routers will allow you to change their MAC address. This is called the Locally Administered Address, as opposed to the Universally Administered Address which is assigned at manufacture. The procedure for doing this, if available, will vary by vendor and by device.

Most network cards can be changed, in Windows NT systems, on the Network Adapter Settings wizard, which is accessible from the Connection Properties wizard. On the Advanced tab, in the Property window, you should find the Network Address. Change that to the appropriate value, and hit the Close button. Restart the system if necessary.

To find the MAC address for a network card, look in the output from "ipconfig /all".

Physical Address. . . . . . . . . : 00-04-76-D7-B7-6F

To change the MAC address of a router, you will probably use the router configuration web page. This process, called MAC address cloning or spoofing, will vary by router. You will have 2 possibilities here - either the router will allow you to manually change the MAC address of its WAN port (similar to the network card change above), or the router will automatically change its WAN port to match the MAC address of the computer that you are currently using to manage it (making the assumption that you are running the management program from the computer previously used for Internet access).

From the router configuration web page, find the MAC Address Clone (or Spoof) selection. Follow instructions - either type a MAC address, or select "Use this MAC address" (the address of the computer which you are on right now). The router will, most likely, restart, the modem will see a known and trusted MAC address, and will grant service.


Sharing Your Dialup Internet Service Doesn't Have To Mean ICS

If your Internet service is configured under Dialup Networking / Remote Access Services, you have PPP compatible dialup Internet service. If this is true, you can still surf the internet with the convenience and safety of a NAT router. ICS is OK, but you can do better.

There are a number of NAT routers - both wired and wireless - that will provide a dialup Internet connection. Here's a list of examples, currently available.


You connect the router to a full featured, external, serial dialup modem of your choice. As some have discovered, neither a USB modem, nor a WinModem, will work with these routers.

The Creative Modem Blaster is one possible product, which you may be able to buy in either CompUSA or in Walmart (depending upon what you have available), that may work for you. Use this as an example - I'm sure the local computer store in your neighborhood has something just as good.

If you are, or are thinking about, using ICS to share your connection, you have to have an Ethernet card in the computer.

If you have a standalone computer, you still can, and you should, use a router for protection. You will have to install an Ethernet card, if you don't have one already, to connect your computer to the router. You can get a quality card for $15 at Walmart, for instance.

You connect the Ethernet card to the router (using an Ethernet patch cable), you connect the router to the modem (using a RS-232 serial cable), and you connect the modem to your phone service (using an RJ-11 phone cable). It's a 5 minute job, when you're used to it.

If you have broadband, and are setting up dialup service as a backup, you connect a second Ethernet patch cable from the router WAN port to the broadband modem. That's another 30 seconds.

And if you want a WiFi LAN, but don't care for the WiFi features of either of the 3 choices above, get one of the wired routers listed above, and get any standard (Ethernet WAN) WiFi router, or access point, that you like. You can setup any WiFi router as an access point, with either one of the three above wired routers providing the dial-up Internet service.

The bottom line? Whether you have one computer, two computers, or more, and you have PPP-compatible dialup Internet service, or Ethernet compatible broadband Internet service, you can (should) connect thru a router, for layered security.


What Is A NAT Router?

A router is a very specialised computer, that connects two or more separate networks, and directs network traffic from one network to the other as necessary.

A normal (infrastructure) router has just one simple task - to route traffic from one network to another, simply by knowing what networks are connected to each interface on the router. This requires you to know what networks are connected, and to create and input rules defining those networks.

A Network Address Translation, or NAT, router has multiple jobs.

  • DHCP Server (Assigns and passes network settings to computers on the LAN).
  • Firewall Functionality (Protects the computers on the LAN, from computers on the Internet).
  • Internet Client (Acts like a single computer to the Internet on the WAN).
  • Internet Gateway (Provides internet service to the computers on the LAN).
  • Network Address Translation.


Basic Setup
With a NAT router, you only have to make settings regarding one network - the WAN side (which connects to the internet), to get started. You set that up according to what service your ISP provides.
  • Fixed IP address.
  • Dynamic IP address.
  • Point-to-Point Protocol over Ethernet, aka PPPoE.

And, you will need to setup the addresses of the DNS servers. Your ISP should provide you with those. They are essential.

The default settings on the LAN side (where all of your computers connect) should work OK to get you started. The DHCP server on the router, by default, provides all the necessary settings to each of your computers. Connecting each computer, one at a time, to a NAT router is relatively simple:
  • Set the computer to automatically get settings (DHCP client).
  • Restart the computer.


Assuming that all your computers are simply used for browsing, or similar client initiated internet activities (which is frequently the case), a NAT router needs no further configuration.

NAT Functionality
An infrastructure router has a relatively simple task - to simply pass packets from one computer to another. Computer A sends a request to Computer B. The router simply passes packets from Computer A (on router connection A) to Computer B (on router connection B). It's possible, but not certain, that the reply from Computer B to Computer A might return thru the same router.

A NAT router has a more complicated task:
  1. Opens a port when requested by a local computer, identifying the local and remote computers.
  2. Passes a series of packets thru that port to the remote computer.
  3. Waits for the reply from that remote computer.
  4. Identifies the port by the IP address of the remote computer.
  5. Passes the reply from the remote computer, thru that port, back to the local computer.


With the infrastructure router, both Computers A and B know of each other's existence, as both computers use public (routed) IP addresses. With a NAT router, the remote computer actually sends its reply back to the router. The router performs Network Address Translation, and relays each packet back to the local computer.

The benefit here is that, even if the router does not have a firewall feature, the computers on the LAN are still protected. Only requested traffic, from known computers on the Internet, gets routed to a computer on the LAN. Any traffic originating from any unknown computer, or directed to an unrequested port, simply gets dropped. No original request = no delivery.

What A NAT Router Is Not
With all of that, let's get straight about what a NAT router is not. A NAT router, which may or may not provide firewall functionality between the WAN and the LAN, is not a firewall. And not all NAT routers provide firewall protection between the computers on a LAN. All computers connected to the LAN, on most NAT routers, are simply connected to a switch. Some WiFi NAT routers may have a feature called "Isolation Mode", which blocks all network traffic between all computers connected to the LAN.

To put it simply - a NAT router is not a firewall.

And there is a major difference in hardware too, between a NAT (Consumer grade) and Infrastructure (Business grade) router. Besides quality of design and manufacture, the design itself has a major difference.

A NAT router has 2 distinct sides to it - the WAN (where you connect the Internet service), and the LAN (where you connect all computers). The ports on the LAN are connected by a switch - there is no routing functionality. Routing is simply between the WAN port, and the switch.

With an Infrastructure router, all ports are labeled, and routed, identically. If you have 2 LAN segments, each connected to a router port, and a WAN segment connected to a third port, all traffic between any 2 of the 3 will be routed symmetrically.

Some NAT routers will, upon option, let you disable NAT. This may be called "Infrastructure" or "Router" mode. This will not give you a true Infrastructure router, as the ports connected to the LAN will still go through a switch. A NAT router will, at best, be the equivalent of a 2 port Infrastructure router. Very few Infrastructure routers contain only 2 ports.

Extended Setup
Although the default settings on a NAT router are very simple, there are plenty of additional settings to allow for specific needs of each individual local network. With many functions that a NAT router provides to its clients, in addition to simple web surfing, they can be quite complex to setup.

Many security experts advise changing all default settings that deal with the LAN settings of a NAT network. In case a NAT related exploit ("hacking" technique) ever becomes reality (and that will happen one day), the exploit will not be quite so easy. Specifically, there are certain default LAN settings which vary by router manufacturer, but can be improved upon by the owner of the router. For a Linksys router, for instance, the LAN defaults to 192.168.0.0/24, with gateway 192.168.0.1. And the DHCP server defaults to issuing addresses in the range 192.168.0.100 - 192.168.0.150. All of those settings can, and should, be changed.

Other settings which are advisable:
  • Change the administrative password. Use a non-trivial (non guessable) value. Change it regularly.
  • Disable remote (WAN) management. There is no need for anybody to make changes to the router except from a computer connected to the LAN (ie in front of the router itself).
  • Enable the security log. Review the log regularly, know what is normal, and take action when something abnormal happens.


Other configurations that you might need to make (not available on all routers):
  • DMZ. To bypass NAT functionality for individual computers on your LAN.
  • Isolation. Blocks all network traffic between all computers connected to the LAN. Provides shared Internet service, with no security risk, for WiFi clients, as in a WiFi Hotspot.
  • Packet Filter. Block specific application traffic in and out of the LAN.
  • Port Forwarding. To provide for Internet server applications.
  • Port Triggering. To allow for Internet server applications, with special needs that can't be met by Port Forwarding.
  • Stateful Packet Inspection. Complements packet filtering, and is another function provided by a full featured firewall.
  • UPnP. Similar to port triggering, but more versatile. Allows applications on your computer to control the router.
  • VPN Endpoint or Passthru. To allow for secured communications with remote networks.
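The five NAT steps in "NAT Functionality" above, and the DMZ and Port Forwarding entries in this list that deliberately open holes through them, are easiest to see with a toy translation table. The following is an added example written for this post, not code from the article or from any router firmware. It assumes the article's 192.168.0.0/24 LAN, a hypothetical WAN address 203.0.113.7 for the router, and remote hosts 198.51.100.10 and 192.0.2.99, all documentation addresses chosen for the illustration:

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed addresses (RFC 5737 documentation ranges), not real hosts.
PUBLIC_IP = "203.0.113.7"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class NatRouter:
    public_ip: str
    next_port: int = 40000
    # Dynamic mappings: public port -> (lan ip, lan port, remote ip, remote port).
    table: dict = field(default_factory=dict)
    # Port Forwarding: public port -> (lan ip, lan port), reachable without a request.
    forwards: dict = field(default_factory=dict)
    # DMZ: a LAN host that receives everything nothing else claimed.
    dmz_host: Optional[str] = None

    def outbound(self, pkt):
        """Steps 1-2: open (or reuse) a public port for a LAN request and rewrite the source."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for pub_port, entry in self.table.items():
            if entry == key:
                break
        else:
            pub_port = self.next_port
            self.next_port += 1
            self.table[pub_port] = key
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Steps 3-5: relay a reply to the LAN host that asked for it, or drop it.

        Returns the packet as delivered to the LAN, or None when dropped.
        """
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.table.get(pkt.dst_port)
        if entry is not None:
            lan_ip, lan_port, remote_ip, remote_port = entry
            # Step 4: only the remote host the request went to may use this port.
            if pkt.src_ip == remote_ip and pkt.src_port == remote_port:
                return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)
            return None  # another host probing a port that is in use
        if pkt.dst_port in self.forwards:
            lan_ip, lan_port = self.forwards[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)
        if self.dmz_host is not None:
            return Packet(pkt.src_ip, pkt.src_port, self.dmz_host, pkt.dst_port)
        return None  # no original request = no delivery


def demo():
    """One web request and its reply, plus two unsolicited packets from elsewhere."""
    nat = NatRouter(PUBLIC_IP)
    request = Packet("192.168.0.23", 51000, "198.51.100.10", 80)
    on_wire = nat.outbound(request)
    reply = Packet("198.51.100.10", 80, nat.public_ip, on_wire.src_port)
    delivered = nat.inbound(reply)
    # A different host guessing the mapped port, and anyone knocking on port 22.
    probe = Packet("192.0.2.99", 12345, nat.public_ip, on_wire.src_port)
    unsolicited = Packet("192.0.2.99", 12345, nat.public_ip, 22)
    return {
        "translated_src": (on_wire.src_ip, on_wire.src_port),
        "reply_delivered_to": (delivered.dst_ip, delivered.dst_port),
        "probe_dropped": nat.inbound(probe) is None,
        "unsolicited_dropped": nat.inbound(unsolicited) is None,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Adding an entry to forwards, or setting dmz_host, is exactly what the Port Forwarding and DMZ options do on a real router: the "no original request = no delivery" rule no longer applies to that port (or, for the DMZ, to that host at all), so the host behind the hole has to defend itself.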

All of these features may not be available on all NAT routers. Each feature requires memory, and processor time; both resources may be in short supply in a typical (inexpensive) NAT router. Some NAT routers may have these features, but disable them when excessive network traffic is experienced. When an excessive volume of network traffic is experienced, and the router can't keep up, there are only two possible actions which the router can take.
  • Fail open. Stop filtering, simply pass traffic, unexamined.
  • Fail closed. Drop traffic that exceeds a certain volume.

Obviously, neither possibility is desirable. Like any physical device, NAT routers are limited in feature set, by their components and design. When you're comparing NAT routers, compare carefully.

For additional configuration information, and endless hours of discussion about what I have summarised above, visit the Usenet discussion groups alt.computer.security, or comp.security.firewalls.


Making Your Own Ethernet Cables Is Not A Casual Project

I'm a great fan of do-it-yourself. Setting up a computer network is a lot of fun, even if you're getting paid to do it. Making your own Ethernet cables is not fun, though.

An RJ-45 Ethernet cable contains 4 pairs of color coded wires, and each wire is not much more than the thickness of a really thick piece of hair. Ok, a really, really thick piece of hair - but one that won't bend like hair - and you'll wish it would too.

You have to identify each wire by color, untwist each pair of wires just enough so the individual wires will fit into the end of the plug (or jack if you're doing interior cabling), get each wire in the correct sequence side by side, insert the 8 wire set into the plug / socket simultaneously and squarely, and crimp everything perfectly. I say simultaneously because you won't be able to insert each one individually - those wires, as thin as they are, are not going to bend for you.

Oh yeah, I forgot, you have to strip the outer sheath enough - just enough - to separate the 4 pairs. Don't nick any of those wires when you strip the sheath. And you do know that all 4 pairs of wires don't go in perfect sequence - one sequence is "green / white-green / white-orange / white-blue / blue / orange / brown / white-brown". So you have to untwist the orange pair (orange and white-orange) just a little more, because its halves have to fit on either side of the blue pair (white-blue and blue).

There are four color sequences - two for straight-thru cables (connecting jacks and plugs), and two more for cross-over cables (jacks and plugs again). Each sequence has one pair separated by another pair (as the orange pair is separated by the blue pair above).

Make one mistake, and your cable is toast. Untwist one pair just one turn too much (the twists are critical to functionality - they are NOT decorative), or switch one pair of wires (a white-orange stripe looks a lot like white-brown in dim light), and it won't work. You have to cut the plug off, and start over from the beginning.

And just because it works today, don't expect it to work tomorrow. Move your computer, flex the cable or put pressure on the plug, and just one micro-disconnection could make the cable not work. Or worse, the cable might work just 90% of the time. You do want a 100M network, right? Not 50M (if the cable doesn't work 100% of the time, you may get an effective rate of 50M). One day you'll want Giga-Bit too.

Add up the cost of cable, plus the plugs, plus the crimping tool (if you want a quality cable, prepare to spend quality money), plus the time you spend trying to figure out why it doesn't work, plus a second trip to the store, because you got stranded cable, but connectors (plugs or jacks) for solid cable (you can't mix solid and stranded components!). Then a third trip to the store because you ran out of connectors - once you crimp one, it's done. One mistake, cut the bad one off, and throw it away.

There is one, just one, situation where I would make my own cable ends. If I had an electrician pull cabling inside the walls, it may be cheaper to use bulk cable. When you have that done, by the way, have 2 or 3 times as many cables pulled as you need right now. Pulling 2 or 3 cables (tied together) is no more expensive than pulling 1.

If you decide to go the luxury route, and have the electrician attach the end connections (my preference), make sure he knows more about this than I do, make sure he's licensed, and make sure he tests each cable, and gives a written report for each one. And make sure he labels each cable, so you know which one goes to the master bedroom, or to the office!

Always terminate a cable inside the wall, with a jack, then run a patch cable between the jack and the computer. Please don't run end to end plugs, with cables running thru holes in the walls. If you're going to attach the cable ends yourself, attach the ends to secured points inside the walls (the back side of each jack), where they don't move, and make a strain relief to protect the connection from even the weight of the cable. Always, and I mean always, run pre made and tested patch cables, from the jacks, to the computers.

If you must terminate the cables yourself, whether to save money or for convenience, or whatever reason, get the right equipment. LANShack sells Cat6 equipment including the Sentinel Cat6 Modular Plug Assembly, and the appropriate tools. If you're going to have reliable Gigabit Ethernet, or a large quantity of custom length cables, that's where I would start.

But for a single patch cable, go back to the store, and buy a tested, pre-made cable. You'll be glad you did in the long run.