This information is obsolete as regards the current Somarsoft Internet site. However, some of the technical information regarding routing is still useful.

Current Site

The Somarsoft web pages you are viewing are hosted by PSI, which has a T1 or faster Internet connection. The Somarsoft LAN is connected to the Internet via a 28.8 Kbps modem connection. The main Somarsoft gateway machine provides the following services:

• Web services which require running scripts, using the Microsoft Web server. Previously, the EMWAC HTTP server was used. Plans are to start testing with the Netscape Web server.
• Mail, using Internet shopper SMTP server.

Previously, the web site was located on the gateway machine. But as traffic to the web site increased, this configuration proved to be unacceptably slow. Splitting services between a local gateway with a limited speed connection for mail and other low-bandwidth services and putting high traffic web servers on a remote host, currently provides the best price/performance/manageability trade-off for smaller sites.

The gateway machine also provides full internet access to users on an internal ethernet network, allowing them to use standard TCP/IP services such as:

• Web browsers
• FTP
• IRC
• NNTP to read USENET news
• POP3 mail readers to read mail from SMTP server on gateway machine
• Telnet

The gateway machine also has a Kbps dial in modem, which allows users to dial in using RAS from home and access either the internal ethernet network or the Internet, just as if they were connected locally.

The ISP provides the following services, in addition to Web hosting and dial-up connectivity:

• Routing for somarsoft.com class C domain.
• DNS name service (plans are to eventually run DNS locally on the NT gateway).
• NNTP server.

A configuration similar to this is suitable for providing a low-cost and easy-to-administer full-time Web server and internet connectivity for:

• Small businesses
• Large businesses wanting to set up an experimental Web server
• Non-profit organizations
• Schools
• Churches

Maintaining the PPP connection

The full-time PPP connection is maintained by the Somarsoft ReDial service, available here. ReDial does the following:

• Automatically establishes the PPP RAS connection when the system is booted.
• Restablishes the connection whenever it is lost due to line or modem problems.
• Stops and restarts user-specified services whenever the RAS connection is stopped and restarted (this is a workaround for a bug in some services, which causes them to hang if the TCP/IP connection drops).
• Limits redialing attempts to a user-specified number per hour, in case dialing costs extra and the provider's modems are down.
• Pings specified IP addresses at specified intervals, in case provider will drop connection is there is no activity for a specified length of time (such as 30 minutes).
• Drops the connection and redials in case pings fail after a specified number of attempts, to handle case where PPP connection hangs at provider's end.

TCP/IP client software

• Eudora POP3 mail client
• NetScape Web client
• Mosaic Web client
• LView GIF/JPeg viewer
• WinVN NNTP client (USENET News reader)
• Builtin NT Finger, Telnet and FTP clients
• Ashmount NSLOOKUP. Useful for diagnosing DNS problems.

Security considerations

• Only anonymous FTP access is allowed. FTP is limited to a single directory tree. One subdirectory of that tree is an inbox, with write only permission. Anonymous FTP users run in the context of FTPUSER account, which is a normal user account.

• SMB type services (native NT file and print sharing) are protected by binding to only the NetBeui transport protocol, as described below, so there is no possibility of outside users logging on over the Internet.

• The phone number for dial-in access is not published. If someone were to discover this phone number, they would be able to dial up and attempt to logon to the domain. For this reason, the guest account is disabled and all users are instructed to set strong passwords on their accounts. Also, accounts are disabled after 5 bad logon attempts and the account is then locked out for 30 minutes. This reduces the frequency of bad logon attempts to about 1 every 6 minutes or 240 per day. All passwords are sufficiently long and complex that it is unlikely they will be guessed at this rate. The user base is small enough that I can ensure that passwords are, in fact, long and complex. At larger sites, it may be difficult to ensure this and many users are known to pick simpleminded passwords no matter how often they are warned about doing so.

Using bindings to establish a pseudo-firewall

There are two types of networking services:

• SMB/NetBios protocol services, such as native NT file/print sharing.
• TCP/IP protocol services, such as FTP, World Wide Web, SMTP, IRC, Telnet.

The goal was to prevent outside users on the Internet from using the SMB protocol services. By running these services only over the unroutable NetBeui transport, there is no possibility of outside Internet users accessing these services. This provides an effective firewall, without the cost of a dedicated firewall machine.

Eventually, this scheme will be augmented or replaced by using an application proxy firewall running on the gateway machine (such as Microsoft's planned Catapult firewall). There is still the issue of how to prevent SMB type access to that gateway, and the protocol unbinding scheme described here may still be useful for that purpose.

The TCP/IP protocol services, on the other hand, are only used to communicate with the Internet. The internal nodes run TCP/IP client software but not services. The gateway machine runs TCP/IP services, but these are specifically intended for consumption by the outside world.

Therefore, bindings were enabled/disabled on ALL machines on the network (the modem binding, of course, only applies to the gateway), as follows (using the Bindings dialog of the Network applet of Control Panel):

   Enabled transport layer bindings
      NetBeui     -> Ethernet adapter (internal network)
      TCP/IP      -> Ethernet adapter (internal network)
      TCP/IP      -> Modem RAS connection (external Internet)

   Enabled session layer bindings
      NetBios     -> NetBeui
      Workstation -> NetBeui
      Server      -> NetBeui

   Disabled session bindings
      NetBios     -> TCP/IP
      Workstation -> TCP/IP
      Server      -> TCP/IP

There remains a risk due to trojan horses or backdoors in any program running on any machine on the network. Such a program might initiate a TCP/IP connection with a cooperating server somewhere on the Internet and give complete access to all local and network files available to the user running the program. Therefore, it is very important to verify that all programs running on the network are trustworthy, especially TCP/IP client software. (This is not a completely new issue - you should already be checking that all programs running on the network are virus-free.)

TCP/IP configuration of gateway

• Gateway PPP connection address is 198.68.222.1.
• Gateway internal ethernet address is 198.68.222.2.
• Gateway additional internal ethernet address is 198.68.222.3. This is mainly to testing multi-homing, where a single network card is associated with multiple IP addresses.
• Internal ethernet nodes use addresses in range 198.68.222.4 to 198.68.222.254.
• No default gateway is specified for the gateway machine.
• Internal ethernet nodes are configured with 198.68.222.3 as the default gateway.
• Persistent routes for internal ethernet nodes are established by running the following commands on the gateway:

  	ROUTE ADD -p 198.68.226.4 MASK 255.255.255.255 198.68.226.2
  	ROUTE ADD -p 198.68.226.5 MASK 255.255.255.255 198.68.226.2
  	ROUTE ADD -p 198.68.226.6 MASK 255.255.255.255 198.68.226.2
  	etc.
  

• Special registry settings to enable TCP/IP routing from internal network:

  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
     valuename = IpEnableRouter
     valuetype = REG_DWORD
     valuedata = 1
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasArp\Parameters
     valuename = DisableOtherSrcPackets
     valuetype = REG_DWORD
     valuedata = 0
  

• Route Print output resulting from above configuration:

  Network Address          Netmask  Gateway Address     Interface  Metric
          0.0.0.0          0.0.0.0     198.68.226.1  198.68.226.1     1
        127.0.0.0        255.0.0.0        127.0.0.1     127.0.0.1     1
     198.68.226.0    255.255.255.0     198.68.226.2  198.68.226.2     2
     198.68.226.0    255.255.255.0     198.68.226.1  198.68.226.1     1
     198.68.226.1  255.255.255.255        127.0.0.1     127.0.0.1     1
     198.68.226.2  255.255.255.255        127.0.0.1     127.0.0.1     1
     198.68.226.3  255.255.255.255        127.0.0.1     127.0.0.1     1
     198.68.226.4  255.255.255.255     198.68.226.2  198.68.226.2     1
     198.68.226.5  255.255.255.255     198.68.226.2  198.68.226.2     1
     198.68.226.6  255.255.255.255     198.68.226.2  198.68.226.2     1
     198.68.226.7  255.255.255.255     198.68.226.2  198.68.226.2     1
     198.68.226.8  255.255.255.255     198.68.226.2  198.68.226.2     1
     198.68.226.9  255.255.255.255     198.68.226.2  198.68.226.2     1
   198.68.226.255  255.255.255.255     198.68.226.2  198.68.226.2     1
        224.0.0.0        224.0.0.0     198.68.226.1  198.68.226.1     1
        224.0.0.0        224.0.0.0     198.68.226.2  198.68.226.2     1
  255.255.255.255  255.255.255.255     198.68.226.2  198.68.226.2     1
  

  This routing table means:

  • Packets destined for addresses 198.68.226.1, 198.68.226.2 and 198.68.226.3 are processed locally. Also, loopback packets (first octet is 127) are processed locally.
  • Packets with address 198.68.226.4 through 198.68.226.9 are sent to internal ethernet.
  • Broadcast packets (last octet is 255) are sent to internal ethernet.
  • All other packets are sent to external Internet via PPP connection.

• The NT 3.5 resource kit contains much useful information about TCP/IP configuration and is a must-have for anyone contemplating setting up a site such as this one.
• If you suspect you are having PPP or modem problems, you can try to debug the problem by enabling PPP and/or serial port logging with the following registry settings:

  PPP logging:
  	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP
  	   valuename = Logging
  	   valuetype = REG_DWORD
  	   valuedata = 1
  	Log file is %SYSTEMROOT%\SYSTEM32\RAS\PPP.LOG
  
  Serial port logging:
  	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters
  	   valuename = Logging
  	   valuetype = REG_DWORD
  	   valuedata = 1
  	Log file is %SYSTEMROOT%\SYSTEM32\RAS\DEVICE.LOG
  

  These settings are further discussed in the RAS online help.

  Another useful resource is the PPP RFC's, namely RFC's 1661, 1570, 1332, Available at the InterNIC. Some parts of these RFC's are extremely technical state diagrams, but other parts are readable explanations of how to interpret the PPP logs.