
Using NAT behind a static IP

  • 31-01-2003 7:10pm
    #1
    Registered Users, Registered Users 2 Posts: 1,745 ✭✭✭


    Lo all..

    I've moved into a house which has broadband \o/
    Our DSL provider is EsatBT
    Unfortunately, there is an 'ickle problem as EsatBT have only assigned one IP address to us. However there is a network of about 7 PC's in the house which would all like to theoretically connect to the internet at the same time.

    We've got a network connection between all the PC's that allows filesharing etc. We've also tried using Wingate and Internet Connection Sharing to no avail. As far as I can tell the *only* solution to this (other than getting our ISP to give us more IP's - which we are in the process of doing) is to try to set up one PC as a proxy and connect the other PC's to that proxy using NAT.

    Unfortunately, I'm not sure how to do this, or even if it will work. Has anyone else got any other experiences with this, or any ideas? Any handy URL's would also be appreciated.

    Thanks in advance


Comments

  • Closed Accounts Posts: 6,143 ✭✭✭spongebob


    ethernet or usb connection to ESAT ?

    also post in any ip addresses you have from ESAT such as

    static = n.n.n.100
    gateway = n.n.n.101

    (in fact you should disguise them but they will help if people are giving you examples)

    PM me if you want me to ping something for ya ta see if I can see it

    M


  • Registered Users, Registered Users 2 Posts: 1,745 ✭✭✭swiss


    ethernet or usb connection to ESAT ?
    Ethernet.

    I'm not giving out our *actual* IP for obvious reasons (although I'm sure DeV and the admins/mods can get it ;) )

    however our IP block is
    193.120.0.0 - 193.120.255.255

    This is an IP block assigned to EsatBT by RIPE (or RAPE as we have started to call them :D)

    I've also tried using WinProxy to set up a NAT connection connecting to the IP that we use for broadband. However, again I have had no success in doing this, mostly because I can't seem to find out how I can set up the PC in question as a cache server (of sorts).

    If worst comes to worst I *could* try installing linux on some pretty crappy PC and use that as a server... don't want to go down that road because

    a) It ties up hardware
    b) I need some m4d LINUX skillz.

    I'll ask around and see what solutions I can find... in the meantime I just wanted to see if anyone had any experience with this kind of thing. I might just take you up on that offer - when I finally have something you can ping :).


  • Closed Accounts Posts: 258 ✭✭Ardmore


    Originally posted by swiss
    Lo all..

    I've moved into a house which has broadband \o/
    Our DSL provider is EsatBT
    Unfortunately, there is an 'ickle problem as EsatBT have only assigned one IP address to us. However there is a network of about 7 PC's in the house which would all like to theoretically connect to the internet at the same time.

    The simplest solution will be to get an ADSL router - about €100-€150 but if you share that between the lot of you...

    For example the DLink 500 is about €130 including delivery. You want one that supports PPPoA (as far as I know, that's what ESAT use), but that's what BT use in the UK, so you might also find some useful info here


  • Closed Accounts Posts: 6,143 ✭✭✭spongebob


    2 nics in 1 pc running w2k or winxp (pro) should do

    Stage 1

    configure 1 for outbound 193.n.n.n

    get it working in and out...sound

    Stage 2

    configure t'other nic for inside with 192.168.0.1 subnet 255.266.255.0

    other pcs are 192.168.0., subnet 255.266.255.0 gateway 192.168.0.1 and finally

    Stage 3

    set up routes between 1 card and the other using the windoze Route Add command and Route Print

    must have 2 nics, must get stage one sorted u r self first and then stage 2. Stage 3 is straightforward once these are verifiably sorted.


  • Closed Accounts Posts: 110 ✭✭Korg


    If you have an old pentium lying around gathering dust try Smoothwall. A number of boards users are using it to manage our little networks. I'm on eircom's offering, tho should work just as well with esat's (hopefully)


  • Registered Users, Registered Users 2 Posts: 2,013 ✭✭✭lynchie


    If you just want a proxy for web browsing, install the win32 build of apache on the machine, and enable the proxy support on it. Then just get all client machines to set the proxy as the machine with the static ip.


  • Closed Accounts Posts: 5,025 ✭✭✭yellum


    Friend had this exact same problem. I was able to fiddle with it tonight. I assigned two ips to his network card. One was the Esat IP and one was an internal network ip. Was going to go with the two network cards idea first but tried this and it worked.

    I then set up a proxy server on that pc and all the other comps go through it. ICS wouldn't work on his pc.

    He had one IP from Esat, its an Ethernet Modem, he connects to it through a switch.

    Right now all is working pretty well, although he did have some hiccups with Zonealarm.


  • Registered Users, Registered Users 2 Posts: 1,745 ✭✭✭swiss


    Thanks for the replies everyone.

    Yes, we've managed to setup a means of internet connection sharing between the PC's on the network. One PC has setup a proxy using a basic proxy server program. One NIC in that PC has the broadband connection, the other has the IP for the internal network.

    What we *can* do is browse the internet, using the cache server on the main PC. However, we cannot seem to get other programs that require a net connection to work, such as MIRC. Obviously this is due to the fact that it all goes through a proxy, but I was just wondering if there was any means of configuring all the programs one uses to go through this proxy?

    We're also trying to do the same thing, this time using Wingate (as I think the problem could also be down to a lack of SOCKS support on the proxy server we are using), but are running into difficulties doing so. Is there any "Wingate for dummies" tutorials out there?


  • Registered Users, Registered Users 2 Posts: 2,127 ✭✭✭STaN


    swiss, wingate should be able to do it no prob.

    Run the wingate server on the pc that has the bb connection. Install it on the client pc's as clients.

    Assign them IP's 192.168.0.1 (for the server) and 192.168.0.2,3,4 etc.

    Then go to internet options > connections > lan settings >

    use a proxy server > advanced >

    HTTP: 192.168.0.1 : 80
    Secure: 192.168.0.1 : 80
    FTP: 192.168.0.1 : 80
    SOCKS: 192.168.0.1 : 1080

    on all pc's even the server.

    Setup the wingate clients to:

    enable
    launch on startup
    hide after launch

    ===

    U may find every few days that the sharing will go down... just click reset on the client control panel and restart


  • Closed Accounts Posts: 5,025 ✭✭✭yellum


    Originally posted by swiss
    Is there any "Wingate for dummies" tutorials out there?


    Wingate is for dummies! It's one of the most simple things I've ever used.


  • Registered Users, Registered Users 2 Posts: 1,109 ✭✭✭De Rebel


    Originally posted by Muck
    2 nics in 1 pc running w2k or winxp (pro) should do

    Stage 1

    configure 1 for outbound 193.n.n.n

    get it working in and out...sound

    Stage 2

    configure t'other nic for inside with 192.168.0.1 subnet 255.266.255.0

    other pcs are 192.168.0., subnet 255.266.255.0 gateway 192.168.0.1 and finally

    Stage 3

    set up routes between 1 card and the other using the windoze Route Add command and Route Print

    must have 2 nics, must get stage one sorted u r self first and then stage 2. Stage 3 is straightforward once these are verifiably sorted.

    I've seen people take 8 hours to explain this and cause endless confusion in the process. Brilliant.


  • Closed Accounts Posts: 5,564 ✭✭✭Typedef


    swiss mate here is what you do.

    Get an old pentium or 486, with a cdrom and two ethernet cards.

    Then get a copy of IPCop Linux from the interweb... the cd image is about 30mb, so that shouldn't be too much of a problem.

    Install IPCop, it is easy to administer (via a web interface) even if you have 'no' Linux experience, and if you run into difficulty just ask on the Unix board.

    It saves you the price of a router and firewall.


  • Registered Users, Registered Users 2 Posts: 2,127 ✭✭✭STaN


    there are lots of options.

    Typedef's sounds interesting and I will probably try it when I get my hands on an old pc. Windows ICS I've tried but found that if you patched anything or added a new pc to the lan it b0rked. I then used WinRoute, but it was too limited... only allowing 1 pc to use a port at any one time was too limiting. Then I tried WinGate, a cinch to install and setup. I'd recommend it for ease of use & PnP


  • Closed Accounts Posts: 6,143 ✭✭✭spongebob


    Originally posted by De Rebel
    I've seen people take 8 hours to explain this and cause endless confusion in the process. Brilliant.

    The real objective is to cod the ISP into thinking that there is only 1 PC there as per the T&C's in their cheap offerings

    ARPS do not cross static routes :D

    Also remember that Linux based 2 NIC solutions are easily spotted by an ISP if the ipchains module is used as a router. ipchains operates on a limited number of well known and non configurable ports.

    Also make sure you read this really good guide to the vermin that will show up at the firewall..... don't say 'what firewall'.....

    M


  • Closed Accounts Posts: 110 ✭✭Korg


    configure 1 for outbound 193.n.n.n
    other pcs are 192.168.0., subnet 255.266.255.0 gateway 192.168.0.1
    set up routes between 1 card and the other using the windoze Route Add command and Route Print

    I'm confused here, just because you set routes from one network (your private network, 192.168.0.*) to the internet doesn't mean that machines on the rest of the internet can reply to requests made from your machines. Your machines have private network addresses (192.168.0.*) & can't be routed across the internet (192.168.0.* could be anywhere on the internet, no router could know where to reply). That's why i thought you need some form of ip masquerading, whether it's ipchains, iptables under unix or internet connection sharing on 2000/xp, to mask all your private addresses behind the real internet ip address of the machine connected to the internet.
    ipchains operates on a limited number of well known and non configurable ports.
    Not sure what you mean here, ipchains can be configured to allow/block/drop traffic on any port. Or do you mean the ports it uses in masquerading ip addresses?


  • Closed Accounts Posts: 6,143 ✭✭✭spongebob


    yes. the latter

    ipchains apparently leaves a footprint in terms of the return ports on the external NIC, these cannot be varied with a kernel hack ISTR

    some of the smarter ISP's spot these 'unusual' open ports and presume correctly that there is more than one pc behind the NIC.

    Anyway its all a game of cat and mouse

    M


  • Registered Users, Registered Users 2 Posts: 3,308 ✭✭✭quozl


    ipchains is old. The current versions of smoothwall and ipcop use iptables (and have done for a while). Any isp will allow you to run a firewall, that's all that iptables/ipchains are. As far as I know, there's no way to tell how many machines are behind an iptables firewall.

    I'd go with the smoothwall/ipcop option myself. It's probably easier than messing around with windows ICS.

    Greg


  • Registered Users, Registered Users 2 Posts: 2,127 ✭✭✭STaN


    Originally posted by quozl
    no way to tell how many machines are behind a iptables firewall

    mac addresses?


  • Registered Users, Registered Users 2 Posts: 4,109 ✭✭✭sutty


    Isn't the idea of a proxy that you send a request to it? Then it "forwards" on the request. Thus all IP traffic coming from the proxy will appear to only have come from the proxy... unless you're the all mighty devore.


    Now from what I can remember, if you get a static IP address from your ISP, then they already assume you're running a small company, with more than one PC on the network. The only problem I think they have is if you are charging for the use of said bandwidth....

    I know that eircom allow this on their 1mg packages


  • Moderators, Society & Culture Moderators Posts: 3,935 Mod ✭✭✭✭Turner


    After 8 calls I still don't have my static ip. I'm on eircom's 1mb option.
    I'm waiting for them to call me back, it's a good thing I am not holding my breath.

    Chief.


  • Registered Users, Registered Users 2 Posts: 811 ✭✭✭Rambo


    I have been using winproxy 4, very simple to use and set up, just install it on the machine that has the internet access.
    You should have a network card installed that is working on your private network with a static ip address for your network.
    Then set IE connections to the ip address of the machine connected to the internet..
    check out website

    www.winproxy.com


  • Registered Users, Registered Users 2 Posts: 3,308 ✭✭✭quozl


    Originally posted by STaN
    mac addresses?

    nope. All the traffic comes from the firewall machine, with the firewall machine's mac address.
    Greg


  • Registered Users, Registered Users 2 Posts: 443 ✭✭bricks


    Originally posted by De Rebel
    I've seen people take 8 hours to explain this and cause endless confusion in the process. Brilliant.

    But it won't actually work.
    There is no mention of any Network address translation in his solution. Any other techies wanna back me up on this?


  • Registered Users, Registered Users 2 Posts: 3,308 ✭✭✭quozl


    you're right, it won't work. That sort of setup will work fine to connect two subnets that you control, as you can tell each subnet how to route packets back to the other subnet

    If you just send 192.168.x.x packets out onto the net then the net will have no idea where to send replies. (Well actually, the packets will just be dropped by the first properly configured device they meet)

    In that case you need to use windows ICS which does nat'ing for you.
    Greg
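
The point made in the replies above (private source addresses cannot be answered across the internet, so the gateway has to masquerade them) as a small model. This is an added example, not part of the original thread; the class, function names, addresses and starting port are all constructed for illustration.

```python
import ipaddress

# Constructed addresses: documentation ranges stand in for the ISP-assigned IP and remote hosts.
PUBLIC_IP = "192.0.2.1"
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def reply_can_return(src_ip):
    """A remote host can only answer a source address that is routable on the internet."""
    addr = ipaddress.ip_address(src_ip)
    return not any(addr in net for net in RFC1918)


class MasqueradeGateway:
    """Toy model of a masquerading gateway: one public IP, many private hosts."""

    def __init__(self, public_ip, first_port=40000):  # first_port is arbitrary in this model
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map = {}   # private flow -> public port
        self.in_map = {}    # (proto, public port, remote ip, remote port) -> private host
        self.forwards = {}  # (proto, public port) -> private host, set by the admin

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Rewrite a LAN packet's source; return the (ip, port) the internet sees."""
        flow = (proto, src_ip, src_port, dst_ip, dst_port)
        if flow not in self.out_map:
            self.out_map[flow] = self.next_port
            self.in_map[(proto, self.next_port, dst_ip, dst_port)] = (src_ip, src_port)
            self.next_port += 1
        return self.public_ip, self.out_map[flow]

    def inbound(self, proto, remote_ip, remote_port, public_port):
        """Return the LAN (ip, port) a packet belongs to, or None if it is dropped."""
        tracked = self.in_map.get((proto, public_port, remote_ip, remote_port))
        return tracked or self.forwards.get((proto, public_port))

    def forward_port(self, proto, public_port, lan_ip, lan_port):
        self.forwards[(proto, public_port)] = (lan_ip, lan_port)

    def remove_forward(self, proto, public_port):
        self.forwards.pop((proto, public_port), None)


if __name__ == "__main__":
    gw = MasqueradeGateway(PUBLIC_IP)
    print(reply_can_return("192.168.0.2"))                       # plain routing, no NAT
    print(gw.outbound("tcp", "192.168.0.2", 1025, "198.51.100.7", 6667))
    print(gw.outbound("tcp", "192.168.0.3", 1025, "198.51.100.7", 6667))
    print(gw.inbound("tcp", "198.51.100.7", 6667, 40001))        # reply to the second PC
    print(gw.inbound("tcp", "203.0.113.9", 4000, 6112))          # unsolicited, no mapping
```

Two PCs using the same local port come out as two different public ports, and an inbound packet with no tracked flow and no forward has nowhere to go.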


  • Registered Users, Registered Users 2 Posts: 2,051 ✭✭✭mayhem#




  • Registered Users, Registered Users 2 Posts: 580 ✭✭✭puzl


    I've got the same situation as you and I took the easy solution and bought a hardware solution.


    The Netgear FR114P is a 10/100 router/firewall with built in dhcp server.

    Put all of your private machines on one side, and your ethernet DSL modem on the wan port. The configuration for esat's setup is very easy - just punch in your ip details and surf away.

    The device has some basic support for inbound and outbound filtering and forwarding, so it is possible to use multiple p2p clients behind the device.

    It's not as flexible as a full software router/firewall, but I decided to go for it as I didn't want to have a machine always on so that other clients could access the internet.


  • Closed Accounts Posts: 5,564 ✭✭✭Typedef


    Originally posted by quozl
    ipchains is old. The current versions of smoothwall and ipcop use iptables (and have done for a while). Any isp will allow you to run a firewall, that's all that iptables/ipchains are. As far as I know, there's no way to tell how many machines are behind an iptables firewall.

    I'd go with the smoothwall/ipcop option myself. It's probably easier than messing around with windows ICS.

    Greg

    What quozl said.

    If you choose to use a firewall in a jar solution, then you may end up using ipchains.
    ipchains is secure, configurable and free, so .... let's not go there.

    In any case, the ISP cannot stop you running ipchains or using NAT so, you run what you damn well please on hardware you own etc,etc.

    Myself, I like to build my own iptables Slackware-Linux firewalls, but, if you aren't comfortable doing something like that, a firewall in a can like IPCop will do the job you need it to do and do 'most' of the configuration and installation as if by magic.

    Which is why it's good if you aren't in fact used to installing drivers, messing with irq settings and generally tinkering with your underlying OS.

    Viva la Revolution.


  • Closed Accounts Posts: 479 ✭✭phoenix2181


    guys just a quick question will these software solutions work while trying to connect to game servers on the net


  • Closed Accounts Posts: 110 ✭✭Korg


    I've joined ut, warcraft, kknd & a few other internet games through an old pc running smoothwall no problems.

    If you want to host a game however (e.g, host a warcraft 3 game on battlenet) you need to forward whatever ports the game uses from your machine through the firewall. The hammer & chisel way of finding out what ports to forward (if it's not obvious from the games config pages or config files) is to set up a server locally, ask someone to try connect to your server (give them the public facing ip address of your firewall & not the internal ip address of your machine) & then have a look at the firewall log files & you should see incoming requests from the remote machine being blocked. Forward the ports that have been blocked & try again. The remote person may be able to connect straight away, or you may have to examine the log files again & see if the game was attempting connections of any more ports. I've done this for kknd2 & warcraft 3 & works eventually.

    Don't forget to un-forward the ports when finished, in case there's any malicious viruses out there exploiting vulnerabilities through those ports.
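
The log-reading step described in the post above, as an added example that is not part of the original thread. It assumes the firewall writes iptables-style kernel LOG lines (`SRC=`, `DST=`, `PROTO=`, `DPT=`); the log lines, addresses and port numbers are constructed. Only packets from the known peer to the firewall's public address are counted, so unrelated probes in the same log never end up on the forward list.

```python
import re
from collections import Counter

KV = re.compile(r"\b([A-Z]+)=(\S*)")   # KEY=value tokens of an iptables LOG line

PUBLIC_IP = "192.0.2.1"    # constructed: the firewall's public address
PEER_IP = "203.0.113.9"    # constructed: the friend trying to join the hosted game

# Constructed sample log: three attempts from the peer, one ICMP, two unrelated probes.
SAMPLE_LOG = """\
Feb  1 21:14:03 fw kernel: IN-DROP IN=eth1 OUT= SRC=203.0.113.9 DST=192.0.2.1 LEN=48 TTL=116 PROTO=TCP SPT=3071 DPT=6112 SYN
Feb  1 21:14:06 fw kernel: IN-DROP IN=eth1 OUT= SRC=203.0.113.9 DST=192.0.2.1 LEN=48 TTL=116 PROTO=TCP SPT=3071 DPT=6112 SYN
Feb  1 21:14:07 fw kernel: IN-DROP IN=eth1 OUT= SRC=198.51.100.23 DST=192.0.2.1 LEN=48 TTL=109 PROTO=TCP SPT=4410 DPT=445 SYN
Feb  1 21:14:09 fw kernel: IN-DROP IN=eth1 OUT= SRC=203.0.113.9 DST=192.0.2.1 LEN=60 TTL=116 PROTO=UDP SPT=6112 DPT=6112
Feb  1 21:14:11 fw kernel: IN-DROP IN=eth1 OUT= SRC=198.51.100.77 DST=192.0.2.1 LEN=404 TTL=112 PROTO=UDP SPT=1052 DPT=1434
Feb  1 21:14:12 fw kernel: IN-DROP IN=eth1 OUT= SRC=203.0.113.9 DST=192.0.2.1 LEN=60 TTL=116 PROTO=ICMP TYPE=8 CODE=0
""".splitlines()


def parse_line(line):
    """Return the KEY=value fields of one log line, or None if it is not a packet log."""
    fields = dict(KV.findall(line))
    return fields if {"SRC", "DST", "PROTO"} <= fields.keys() else None


def blocked_ports(lines, peer_ip, public_ip):
    """Count blocked (proto, destination port) pairs sent by peer_ip to public_ip."""
    hits = Counter()
    for line in lines:
        fields = parse_line(line)
        if not fields or fields["SRC"] != peer_ip or fields["DST"] != public_ip:
            continue                      # someone else's traffic: not a forward candidate
        if not fields.get("DPT", "").isdigit():
            continue                      # ICMP and similar carry no port to forward
        hits[(fields["PROTO"].lower(), int(fields["DPT"]))] += 1
    return dict(sorted(hits.items()))


if __name__ == "__main__":
    for (proto, port), count in blocked_ports(SAMPLE_LOG, PEER_IP, PUBLIC_IP).items():
        print(f"{proto}/{port}: blocked {count} time(s) from {PEER_IP}")
```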


  • Closed Accounts Posts: 479 ✭✭phoenix2181


    nice one cheers


  • Moderators, Social & Fun Moderators, Society & Culture Moderators Posts: 10,581 Mod ✭✭✭✭Robbo


    With regards no-one knowing what's behind a NAT system, read this research paper, it was on /. or something recently.

    (PDF File, 640kb).


  • Registered Users, Registered Users 2 Posts: 3,308 ✭✭✭quozl


    yeah, I saw that too. interesting. But it's still at the completely impractical stage where no isp would be able to implement it without investing large amounts of man-hours. And it only affects some implementations (including ipchains unfortunately), and it can only really guess based on statistical analysis.

    I wouldn't be worried about your isp ringing up and giving out to you for having multiple nat'd machines based on this :)

    Greg
    PS Any decent isp allows nat'ing, and eircom would never figure this out in a million years.

