Sharing broadband on multiple NT/2k/XP PCs

[Curley_Boy 0]

I have 4 PCs at home set up as follows:

 

PC running XP Home (parent's one used for vid editing)

PC running XP Pro (mine used for everything under the sun).

PC running NT 4 Wks (used for backing up files and as a print server).

 

All the above machines are connected via a switched hub, and MS File/Print sharing is used via IPX.

 

The 4th PC is running 2k pro and is in my brother's room (we don't have a cable long enough to connect it to the other 3 PCs).

 

All machines currently use a dial up modem to connect to the net individually... but now ADSL is avaliable in our area, FINALLY!

 

Now with broadband comes a problem as there are only 2 ways of using it:

 

1. We use the server to share out the net connection to the other computers (goodness knows what we do about my brother's PC.. but I'm working on it).

 

2. Each PC has an individual ADSL modem.

 

Option one isn't even concivable really as the 'server' in question is an ancient Cyrix based job with only 40mb of RAM. (so upgrading to a later version of Windows is out of the question). NT based OSes are not secure enough in my opinion to be used for internet connection sharing (besides NT4 is not even supported anymore).

 

Another option would be to use Linux or some varient for the task. However since I've never used Linux in my life before this isn't really an option for the immediate future (I am snowed under with work atm and their are no Linux gurus in the area, this really isn't something I can learn remotely).

 

So option 2 seems the only solution (expensive I know!) with each user being left to look after the security of their own machine. The other advantage of course is energy conservation, since we don't need a machine turned on all the time for net access.

 

How have other people here approached the problem?

[Silver-Dagger 0]

Why not just get a broadband router? Would be cheaper then getting multiple DSL modems.

[Bursar 0]

The options are either a router to which the modem and all PCs are attached, or you have a gateway machine and share the connection out through that.

 

The gateway won't need to be a particularly powerful beast if you go this route, but it will need to be running in order for people to access the net.

 

What kind of security do you require on the gateway? For most home users, I really don't think that running an MS OS (such as 2K or XP) is really a problem.

 

If it is, you can always invest in a software firewall.

 

Using a hardware based setup and controlling access via the router really isn't going to be any different. If you don't know what you're doing with ACLs and which ports to block, it's going to be just as insecure.

 

You'd probably find it pretty difficult to convince your ISP to provide you with 4 or 5 ADSL modems. As you've mentioned, it's also 4 or 5 times the monthly outgoing, and really isn't worth it.

 

As for your brothers machine, drilling some holes through your walls and running a long cable is the easiest thing to do.

 

After that you're into the wireless realm, but the price starts to go up, and you have security issues that need to be resolved.

[Curley_Boy 0]

If I take the software firewall (which I use atm) approach and connect the modem to this machine and then share out the connections via XP's native ICS (to all machines bar the NT one, it doesn't need net access anyhow). That leaves me as stated with security issues.

 

The main problem with this is the client for MS networks software. I can protect my network shares by binding file/print sharing and IPX (with is the current LAN protocol) to my current net card. However Client for MS networks needs to be binded to both the lan card (for file/print access) and the adsl adapter (for ICS).

 

Correct me if I'm wrong (sorry its too late at night and Im REALLY not in the mood for thinking about this) but client for MS networks is still leathal without access to net shares. What can I do to protect my computers?

 

Bearing in mine I have alot of custom shares, accounts with remote and local admin access to my machines (plus a carefully customised security policy) and it seems boardband is really going to screw all of this up!

 

OMG what about netbios over TCP?!

 

Please somebody help! (I'm slowly having a breakdown trying to work this all out).

[duhmez 0]

Enable internet connection sharing on one machine (XP)

Boom finished. Easy peezy. (It iwll need 2 nics)

[Curley_Boy 0]

Ok can someone tell me the security implications of using a router (decided its the least hassle and most energy efficient way) to share out net access. But how do I solve the problem of applications that use dynamic port numbers?

 

apk I've read the netbios article... but atm I am confused by EVERYTHING

 

(tis the season for essay deadlines and I'm going to pieces)

 

can someone explain (preferably WITHOUT linking to external sites) step by step:

 

1. What the router does.

 

2. How it connects to the rest of the network (physical).

 

3. How the machines need to be configured (services, protocols, bindings).

 

Windows networking does not confuse me, as Duhmez says setting it up (using just about any method) is a peice of cake, it's potencial security issues that are stressing me out.

 

Bear in mind that at the moment all my machines are: NT based, connect to eachother via a switched hub, use IPX for file and print shares, each have their own dial up connection to the net and use a software firewall.

 

It's taken me the best part of a day to compose this, now I'm going for a very, very stiff drink.

[jmmijo 1]

Here's my home LAN/WAN config:

 

1) External WAN Cable Modem/Router(RCA) brand, connected to my coax cable inside my house.

 

2) Linksys BEFSR41 Cable/DSL/Router/Gateway comes next. Since this only comes with four 10/100 ports I needed to add a secondary 10/100 8 port SOHO switch.

 

3) Each box in my house is set for DHCP which is generated via a pool set aside by the Linksys box. It has a built-in NAT/Firewall/DHCP server that you can adjust. I left the DHCP at the default but you could set the available amount of IP addresses to pretty much any size you want. Of course these are non-routable or private IP addresses in the 192.168.xxx.xxx range(Class C). The default gateway/router address for the Linksys is 192.168.0.1 and of course it will automatically resolve your ISP's correct DNS for each box connected.

 

Now as for connection, just standard Cat5e cables will work fine, in fact I have a 100 foot connection between the second floor, where the cable modem and linksys router are down to the basement where another 8-port soho switch is and the rest of the machines. It was an upgrade from my old thin-net hub connection of yesteryor :x

 

I don't see any more packet collisions even with this extra length of cabling. I think however that the spec for each 100Mbit port is 100 meters but I'm sure somebody out there will know for sure on this one

 

The security aspect is great since you would be NAT'ting private IP's to a single WAN public IP. In fact my so called dynamic IP from Comcast has not changed in over a year, basically making it a virtual static IP address

 

Please explain the app or apps that use a changing or dynamic port number? What does this or these apps do ?!?

 

I don't see this as being a problem outbound unless they need a specific port open inbound then you can configure port forwarding inside the Linksys to the appropriate box or boxes.

[Curley_Boy 0]

Interesting.

 

The firewall and private IP ranges would keep your printers and shares safe from prying eyes. Is Netbios still an issue? (also could net shares be done over IPX without the need for a 2nd nic?)

 

WinMX is the application that has problems with fixed port ranges (tried everything with this one, it's a right bugger).

 

Thanks for putting my mind slightly at peace.

[jmmijo 1]

Yes, turn off every protocol except TCP/IP which should be bound to your NIC's.

 

The only way that you can share an internal resource like this is to place it in the DMZ or use an app like PC Anywhere.

[duhmez 0]

Using ICS is a seciroty risk, and using a router is a much better idea.

How the router will work:

1) plug in router.

2) Plug in all pc's to the router, plug the WAn (internet) cable into the wan port of router.

3)Turn on pc's.

You now have protected, safe internet access.

 

You then can configure your router via a web interface (something like http://192.168.1.1

The default password and actual ip of your router will be in the manul. Then you change the password and setup any port forwarding incase you want to serve internet games of ftp or anything.

[Curley_Boy 0]

In the interests of keeping things simple according to MS knowledge base I can use an edited hosts file instead of netbios.

 

I know where the lmhosts file is on each machine and how to edit it. What I don't know is what information is needed.

[Mr.Guvernment 0]

TRUST ME! use arouter - they are cheap and easy to set up - not to mention NAT / Firewall

 

 

if u use file sending on msn, icq - run game servers, you need NAT.

 

OH not to mention that computer using ICS has to be up all the time - with a router it doesnt.

[Curley_Boy 0]

I intend to use a router

 

But I wasn't sure where the router makes the need for netbios redundant... or solves the problem of having 2 different protocols (TCP for net, IPX for lan) but only one nic.

[duhmez 0]

Still you need netbios. Using lmhosts isn't necessary when behind a router like that. External netbios probes will fail, as thenrouter does not use netbios.

If you want to disabel netbios anyways, goto the wins tab of advanced tcpip properties then check "disable netbios over tcpip"

 

Then make a file called lmhosts with no extension

it goes into \windows\system32\drivers\etc

and it will look like this

 

192.168.0.2 main

192.168.0.3 gaming

192.168.0.4 server

 

then when you map \\server\share itll bind to 192.168.0.4 etc.

 

Also make sure "lmhosts lookup" is enabled in advanced tcpip properties>wins. (It will be by default anyways)

[ThC 129 0]

you might want to also look at a wireless solution if your having problems getting CAT5 cable to parts of your house.