
Sharing a cable internet connection in Australia

Welcome to the wonderful world of shared cable modem access! The aim of this tutorial is to explain, in so much detail that somebody with virtually no knowledge of computers can do it, how to share an Optus@Home or Bigpond Advance cable internet connection over a home network. If anything is unclear, please email me (cablesharing@bukharin.net) and I will try to modify this tutorial to explain things more clearly (but please read the FAQ first and check for the latest version of this guide at http://www.wpool.com/cablesharing/cablesharing.htm)! I'm always happy to receive comments or suggestions, alerts as to factual errors etc. If you're having trouble and would prefer to pay for someone experienced to set up your network for you, check out http://www.ozcomputerguys.com


This guide is Copyright 2002 Philip Clayton. Last modified 26 October 2002.

Frequently Asked Questions

Networking computers can be very frustrating, particularly when using Windows 95/98/ME. Take heart - it can be done! This FAQ covers most of the reasons that your network might not be working properly. It also answers some other, general questions that may arise from this guide.

The computers in the network can't see each other!

Before trying anything else, make sure you're not using a firewall. The incorrect use of firewalls, especially ZoneAlarm, is nearly guaranteed to cause problems. I strongly recommend that you do not run any firewall on any of the computers until your network is up and running smoothly. In addition, if Windows asks for any passwords when you boot up the computer, make sure you enter them in correctly. It's tempting to press "Enter" or "Escape" without typing in the password - which gets you into Windows more quickly - but this can cause problems with file sharing later on.

"The computers in the network can't see each other" is a common problem, but not very specific. Try to work out where the problem lies - can the computers ping each other? Can they see one another in Network Neighborhood? Can the client computers access the internet at all?

If pinging doesn't work, and you aren't using any firewall software, then you either have a problem with your hardware or, much more likely, your TCP/IP settings. Make sure your TCP/IP settings are exactly the same as in my guide, and that the computers have different names. You should also ensure that Windows is truly seeing your network card (or network cards, for the server) - do this by running winipcfg (Windows 95/98/ME) or ipconfig (Windows 2000/XP), as described at the end of section 4.1, and checking that Windows displays information for the correct number of network cards.

If pinging does work, but file sharing doesn't, then check that File and Printer Sharing is set up properly on each computer (see section 4). Also, make sure that the computers have different names but are in the same workgroup.

The client computers can't access the internet!

If pinging and file sharing work, but the internet doesn't, then try pinging an internet site from one of the client computers. It doesn't matter which site you choose to ping, but keep in mind that some sites don't respond to pings. Therefore it would be wise to try pinging your chosen site from the server computer first, just to make sure it responds. For example, open up an MS-DOS prompt (or Command Prompt) on the server computer and type "ping www.optushome.com.au". If it responds, do the same on a client computer.

If pinging the internet site from the client computer doesn't work, check the DNS configuration of your client computer/s (section 4). If your DNS settings are right, then the software installed on the server computer to share the connection isn't working properly. Check that all of the internet sharing software's settings are correct, make sure you're not running a firewall, make sure that no other internet sharing software is installed at the same time, and remember that Microsoft Internet Connection Sharing for Windows 98 doesn't like USB ethernet adaptors. If you still can't get it to work, try a different internet sharing program - but make sure you uninstall the other one first!

If pinging the internet site from the client computer works, but you still can't access the "internet", then you probably need to look at the connection settings of your client computer's web browser. Typically this problem occurs because you have the wrong proxy settings in your browser. To test this, tell your browser to connect to the internet directly (ie don't use a proxy), and then quit and restart your browser. If that fixes the problem, then you can now enter the correct proxy settings in the browser, or just leave it blank. If it doesn't fix the problem, then the software installed on the server computer to share the connection isn't working properly - see the previous paragraph.

The client computer(s) can't access "www" (or e-mail, or "news" etc) but the server can!

Your "intranet domain name" (see section 4) is not set up properly on the client computer(s).

Since I installed the software to share my connection, my Telstra connection is dropping out every few minutes. Why?

Telstra's computers send out a so-called "heartbeat" network signal every few minutes that attempts to open a connection on your server computer; if the heartbeat can't open this connection then Telstra assumes that you've disconnected from the internet and shuts down your connection. Some software can interfere with this heartbeat, causing dropouts. See section 7 for more information.

Do I need to install the Telstra (or Optus) software on the client computer(s)?

No. The Optus software doesn't even need to be installed on the server computer, let alone the client(s). The Telstra software only needs to be installed on the server computer. However, there's a 3rd-party Telstra login client called BPALogin that I recommend to all users of Telstra cable - it's reputed to be faster, more reliable, use less memory and so on, and works much better with internet sharing software.

Can computers running different operating systems share a connection?

Absolutely! TCP/IP networking (which is all that internet sharing needs) is supported by every network-ready operating system, including all versions of Windows, Linux, Macintosh OS, BeOS, you name it.

What about Windows NT?

For the purposes of home networking, Windows NT is virtually identical to Windows 95. Thus, to set it up as the server computer, follow the Windows 95 server instructions, and to set it up as a client computer, follow the Windows 95 client instructions.

When using Windows 2000/XP and Windows 95/98/ME in the same network, I'm having trouble sharing files - when I click on the Windows 2000/XP's computer name, it asks for a password.

Find out the user name of the Windows 95/98/ME computer. If you have multiple users on the computer, you should already know this (it's the name you use to log in). Otherwise, right-click on "My Computer" and choose "Properties", look at where it says "Licensed to:" - that's the user name for that computer. Now on the Windows 2000/XP computer you need to create a user of that name, and give that user access to the shared file(s). That user must have a password, which then needs to be entered into Windows 95/98/ME when accessing the shared folder.

If I don't take a tea break at section 6, will that really have an effect on my network?

You'd better believe it!

This page was very helpful, how can I thank you? or... This page needs work, here's some constructive criticism

Email me! I always reply to my emails, so if I don't reply to yours, I either lost the email or I'm away from my computer - it might be worth trying again.

Outline of what you'll be doing

There are 10 steps you will be taking:

1. Buying the hardware
2. Setting up the hardware
3. Configuring Windows to recognise the network cards
4. Configuring your home network
5. Testing your home network
6. Taking a break
7. Setting up software to share your internet connection
8. Securing your network
9. Patting yourself on the back
10. Advanced NAT configuration (optional)

Preface

There are a couple of things that you should know before using this guide...

Firstly, sharing your cable connection is not officially supported by Telstra or Optus. This doesn't necessarily mean that you can't do it; but if you do, they won't help you. Furthermore, some of the Telstra plans even ban sharing your connection (which I think is a bit cheeky), so it's up to you to ensure that you're allowed to do this.

Secondly, this guide covers cable modem sharing in Windows only. Despite this, you should realise that the internet is operating-system independent, so a Windows PC will happily share a cable modem connection with a Mac and a Linux box - it's just that I don't explain how to do it! Some time in the future I will add a section on configuring Macs as client computers, and may eventually add a section on using a Mac as a server. I don't cover Linux, because if you've managed to get your Linux computer to connect to the internet, you probably already know enough to share your connection. But I'm happy to help via email if you need it.

OK, let's get to it!

1. Buying the hardware

Before you buy anything, let me explain a little about how sharing a cable internet connection actually works. This will help you to buy the right equipment in the first place. In essence, you always need a device to connect to the cable modem, and hence to the internet. This device is usually a computer (eg the computer that you've already hooked up to the cable modem), but can also be a specialised piece of hardware. Once connected to the internet, the device then shares its connection with the computers in the home network. The device is said to "route" the internet information to the different computers on the network, and is therefore labelled a "router".

Your task is to set up a router. There are 3 fundamental ways of doing this, as follows:

1. Use the computer that's already connected to the cable modem, and install special software on it to make it become a "router". The advantages of this approach are that it's the cheapest and is not too difficult. The main disadvantage is that the computer which is the "router" must always be switched on in order for the other computers to access the internet.
2. Find an old 486 or Pentium, install software to make it into a "router", hide it in a corner somewhere and forget about it. You can install Windows, Linux, whatever you like on this "router". This is basically the same as the first option, but costs a little more (for the old computer, and for the extra electricity). Its advantage over the first option is that each of the "real" computers can connect to the internet without needing any of the other "real" computers to be switched on. This avoids problems such as, eg, a child having to turn on his/her parent's computer in order to play internet games on his/her own computer - at 3am! (not that I'm speaking from personal experience, ahem)
3. Buy a "hardware router". This is a special piece of hardware that can connect to the cable modem and then share that connection ("route") with the computers in the house. It comes with a built-in hub (hubs are explained below), so all you need to buy is the hardware router and some cables. Its advantages are that it's easy to set up and that each computer can connect independently of one another (see above). Its main disadvantage is that it's expensive - around $350-$400 for a Netgear RT314, which is (deservedly) the most popular hardware router for home use.

So which is the best choice? It depends on your priorities! The first option is cheaper than the second, which is in turn cheaper than the third. The third option is easier than the first or the second. The first option is hopeless if you need each computer to be able to connect independently (ie computer 2 needs to connect when computer 1 is switched off, and vice versa).

For the majority of people, the first option is the best. It's far cheaper than buying a hardware router, and not much more difficult to set up. However, if you need the computers to be able to connect independently, then you should investigate one of the other options. Your choice between those will be guided by cost, and also by interest (it's fun, and very flexible, to set up a Linux computer to act as a router (option 2), whereas a hardware router is pretty boring, truth be told).

Since I believe that the first option is the best for most people, that's what this guide covers. For the second option, you could simply follow this guide, although I suspect you'd be using an illegal copy of Windows to do it - for that and other reasons (stability, flexibility, cost etc) I'd encourage you to investigate using Linux on your old 486/Pentium. This guide does not cover Linux, but if you're interested in that solution, feel free to email me for further advice.

For the third option, the instructions that come with the hardware router should be sufficient to see you up and running. If not, use section 4.2 of this guide to set up the computers in the network.

From this point on, the information in this guide describes how to set up the first option above.

The hardware needed

You'll need to buy some network cards, some cabling, and perhaps a hub. The specifics will be determined by which type of network you set up...

What type of network should I set up?

There are essentially 2 types of networks you need to be aware of, distinguished by the types of cables they use.

The older, slower type of network uses coaxial cables to connect each computer. This type of network is perfectly adequate for internet sharing, and has the following advantages: (1) it is usually cheaper than UTP networks; (2) it doesn't require a hub for more than 2 users; (3) it is easy to add computers to the network later. On the other hand, coaxial networks have these disadvantages: (1) they're slower than UTP networks (that doesn't matter for internet sharing but may be important if you want to share big files across your home network); (2) if one computer "goes down" then the whole network goes down (note that the computer can be off, and even unplugged from the network, and the rest of the network will still function; so this problem is unlikely to be important in the home network setting); (3) the cables are a bit more unsightly than UTP cables.

The modern type of network uses UTP cables (UTP stands for Unshielded Twisted Pair). These look like big fat telephone cables. The advantages of a UTP network are (1) slightly easier to set up if there's only 2 computers; (2) faster than a coaxial network; (3) more standard nowadays; (4) the cables look better and can be longer (up to a hundred metres - how big's your home?). The only real disadvantage of a UTP network is that if you have more than 2 computers you need to buy a hub, which is expensive.

Here's what the connectors look like on the network card:

I personally use a coaxial network and it works fine, but these days I would recommend getting a UTP network because it's far more common and therefore easier to buy cables, easier to connect to friends' computers etc.

There are 2 common speeds that home networks run at - 10Mbps and 100Mbps. 10Mbps means 10 million bits per second, which is roughly 1.2 megabytes per second. This is way more than a cable modem can sustain, and is therefore ample for sharing an internet connection. 100Mbps connections are, as you'd expect, 10 times as fast as this. These networks are much better for transferring large files (eg if one of the computers in the network has a CD burner and you want to burn a full CD of backup stuff, it takes 2 minutes instead of 20 to transfer the files across the network).

The speed of your home network depends on the speed of your network cards - basically the transfer rate between any 2 computers will be the speed of the slowest network card out of those 2 computers. For example, 2 computers with 10/100Mbps cards will transfer data at 100Mbps, but if one of the computers has a 10Mbps card, the transfer rate will be 10Mbps. Most (all?) network cards that are capable of running at 100Mbps can also run at 10Mbps - hence the designation "10/100Mbps".

Network cards: You'll need to buy 1 network card for each computer in the network. Optus or Telstra have already given you either a network card or a USB ethernet adaptor for the server (that is, the computer that is connected to the cable modem), but you still need to buy another network card for it.

So what type of cards should you get? The cable modem is not capable of running at even 10Mbps, so 100Mbps cards will give you no more performance for internet use. So if you're really trying to save money you should get 10Mbps cards, which are 100% as good as 100Mbps cards for the internet; but in just about any other circumstance you should get 10/100Mbps cards since the increase in speed for file transfers is dramatic. The only problem is, if you want to set up a coaxial network, most 10/100Mbps cards don't even have coaxial connectors any more! The most flexible card you can buy is a 10/100Mbps card with both coaxial and UTP connectors, but these cards are hard to find. I would recommend getting 10/100Mbps cards, and if you can find ones with coaxial connectors, get those, but don't worry if you can't. You're looking at about $20-$30 for a standard, PCI, 10/100Mbps card.

It's a good idea to use a different brand of network card from the one given to you by Optus/Telstra for your server, since this simplifies network configuration (otherwise you're left with 2 network cards which look identical in Windows, trying to guess which one is which). For those who are interested, the network cards provided by Optus/Telstra are 10/100Mbps cards with UTP ports...
Cabling: What type of cabling you need depends, of course, on what type of network you are setting up. There are 3 scenarios:

1. You're using a coaxial cable type network. In this case you need a coaxial cable between each computer, a T-piece for each computer, and 2 BNC terminators. All of these components can be found relatively easily in your local computer shop. Each cable will cost around $15-$20; the T-pieces should only cost 50c or so each, and the terminators should cost around $2 each.
2. You're using UTP cables and only have 2 computers. In this case the only cabling you need is a "crossover" UTP cable. This is a special UTP cable that connects computers directly (ie there's no need for a hub). It's called a crossover cable because the "outgoing" wires of one end are "crossed over" to become the "incoming" wires at the other end, and vice versa. This is in contrast to a standard UTP cable, in which the wires are NOT crossed. This means that it's really important to get the right kind of cable, or your network cards won't be able to see one another. Crossover cables are usually marked specially, eg by being blue or by having coloured connectors at each end. They usually cost $20-$30.
3. You're using UTP cables and have more than 2 computers. In this case you have to get a hub to connect all the computers. These cost anything from about $50 to $heaps. There are a few different options; basically you want one with enough ports to fit all of your computers (ie a 4-port hub if you have 4 computers or less, otherwise an 8-port hub or higher). Also, some hubs can act as "switches", which means that they speed up network transfers by automatically detecting which computer a network signal is intended for. You should get a hub with this feature (usually marked as "autoswitching"; sometimes the whole thing will just be called a switch, eg "8-port ethernet switch"). It's a good idea to get a hub with more ports than you currently need, for future expandability. Once you have your hub, you need a standard UTP cable to run from each computer to the hub; each one should cost around $10-15.

Note for those who are interested: a fourth possibility involves connecting the cable modem to the uplink port of your hub, but this is a little more complicated to set up and may potentially provide the client computers direct access to the internet (that is, allow them to bypass the server's firewall - this is a bad thing!). It does have the advantage of making internet connection sharing possible with only one network card in the server, but this is certainly more complicated, only supported by Sygate and NAT32 (as far as I know), and a speed penalty will probably occur. It is not possible to connect the cable modem to the uplink port of your hub and have each computer connect independently - there is always the need for one computer to act as a "router", as described earlier, and that computer must always be switched on in order for the other computers to access the internet. I do not recommend such a setup for anybody; however, very rarely it is necessary because the "server" computer is physically unable to support a 2nd network card.


2. Setting up the hardware

Installing the cards: This should be a straightforward affair - simply open your computer case, stick the network card in anywhere it looks like it might fit, and close the case again! :-) Seriously, if you've never installed a card before then you might want an experienced friend over to help; but it's actually pretty basic and you shouldn't be afraid to try.

Connecting the cables: Depending on what kind of network you're setting up...

A coaxial cable network: Connect a T-piece to the BNC connector (the coaxial connector) on each network card. Then, hook up a coaxial cable between each computer, connecting each end of cable to a T-piece. You should now have all your computers connected in a line (albeit a short line if there's only 2 computers!) At each end of the "line" there should be a free connector on a T-piece - to these 2 free connectors you should connect the BNC terminators. That's it - all the hardware is connected!

Note: I read recently that one of the BNC terminators (not both) should be grounded by being connected to the metal casing of the computer it's near via a piece of wire or chain. Apparently this increases the speed and stability of the network. I had never heard of this before, but I'm going to give it a try and see what happens!

UTP crossover cable with 2 computers: This one is simple - plug each end of the cable into the computers' UTP ports, just like plugging in a telephone cable. Done!


UTP cables and a hub: Connect each UTP cable to a computer at one end and one of the ports of the hub at the other end. Most hubs have an "uplink" port, separate from the others (usually at the right). Don't connect any of the computers to this port! The hub also needs to be connected to a power source.


3. Configuring Windows to recognise the network cards

(I'm sorry but I don't have any experience with Macintosh networking, and Linux networking is completely dependent on your distribution; feel free to email me for general tips, but for anything complex you'll need to ask someone with specific experience)

Now that you've installed the hardware, you need to configure Windows to recognise and use the network card properly. This means Windows needs a "device driver" for the card, which is basically a piece of software that tells Windows how to control your hardware (that is, how to "control" your "device", hence the name). With any modern network card this should be simple - when you start up your computer, Windows should recognise that there's new hardware and look for drivers for it. Insert the driver disk that came with your card (it did come with one, right?!) and install the device drivers. If there's anything unusual about your card, eg the drivers are in an obscure directory on the disk, the card will (hopefully) have come with instructions on how to install the drivers.

If your card didn't come with drivers, the chances are that it will be compatible with an older card that Windows has device drivers for. Let Windows "search for the best driver for this device", and it'll probably come up with something like "RealTek..." or "3Com...". Whatever it says, just try it out - it will probably work!

If Windows didn't display any message about detecting new hardware, don't worry. You just need to go into the Windows Control Panel and choose "Add New Hardware" and follow the prompts. Let Windows search for new hardware.

With any luck it should now find your card and ask you for a driver disk - if you have one, use it, otherwise let Windows use whatever driver it comes up with (as above). If Windows still can't find your card, you're probably in trouble - the card may be faulty. Ask the vendor for help.

Checking that the card is there: Now go into Windows Control Panel and choose "System". In Windows 95/98/ME, go to the "Device Manager" tab; in Windows 2000/XP, go to the "Hardware" tab and click on "Device Manager...". Look for the "Network adaptors" section. In this section you should find the network card that you just installed (and on the computer that's acting as the server you should also see the network card that came with the cable modem). Make sure the card is working properly - click on the card and then click on the "properties" button. Windows should tell you "this device is working properly". If not, you'll need to work out why not - there may be a hardware conflict, or you may need to restart your computer, or you may be using the wrong device driver, or the card may be faulty. In any case, you need to have the card working properly (ie getting the message "this device is working properly") before you proceed to the next step. The following pictures are from the Windows 98 device manager; but it's very similar for all versions of Windows.


4. Configuring your home network

OK, this is the nitty-gritty stuff. The configuration is a little different for the server and the client/s, so we'll take them one at a time...

4.1 Configuring the server Windows 95/98/ME Windows 2000/XP

4.2 Configuring the client computer/s

Windows 95/98/ME Windows 2000/XP


4.1 Configuring the server (Windows 95/98/ME)

Go into the Windows Control Panel and choose "Network". You'll see 3 tabs - Configuration, Identification and Access Control. This may be slightly different in different versions of Windows (I'm using Win98), but should be essentially the same.

We'll do the Identification tab first. For computer name, enter anything you want (eg "Phil" if the owner of the computer is Phil). If you're using Optus@Home, the name must be the name given to you by Optus (ie coXXXXXXX-a). For workgroup, put whatever you like, but it should be the same on each computer. I use "WORKGROUP"! For computer description, put whatever you like.


Under "Access Control", make sure you've selected "Share-level access control".


Now for the configuration tab. The first thing to do is add Microsoft Family Logon. This isn't required for internet connection sharing, but if you don't install it, every time Windows starts you'll get asked to enter your networking password even if you haven't got one! Therefore I highly recommend it. Installation of Microsoft Family Logon is achieved by clicking "Add", choosing "Client" then clicking "Add", choosing "Microsoft" on the left and "Microsoft Family Logon" on the right and clicking "OK". After this is completed (you'll need your Windows CD here) you'll be back to the basic network control panel screen. Now change your Primary Network Logon to "Microsoft Family Logon".


Next you'll want to enable file and printer sharing. This also isn't required for internet connection sharing, but is really useful and it'd be a strange home network that didn't have this set up. To do this, click on "File and Print Sharing", check the boxes to enable these services, then click "OK".

Now you need to add the TCP/IP network protocol - "the" internet protocol. It's probably already there since you already have the cable modem connected to this computer, but you'll need to add it again so that it works with the second network card in the server. Click "Add", choose "Protocol" then click "Add", then choose "Microsoft" on the left and "TCP/IP" on the right and click "OK".


At this point you'll have lots of stuff in the little box that says "The following network components are installed:". The box will be a little cluttered and should look like this: Client for Microsoft Networks; Microsoft Family Logon; [name of network card that you installed]; [name of network card from cable modem provider, probably something like "SMC EZ Card 10/100 (SMC1211TX)"]; TCP/IP -> [name of network card]; TCP/IP -> [name of other network card]; File and printer sharing for Microsoft Networks.


If there are any other network components present, they can and generally should be removed by clicking on each component and then clicking "Remove"; however if you have any dial-up adapters installed (they'll say "Dial-Up Adaptor") then you may want to keep "Dial-Up Adapter" and "TCP/IP -> Dial-Up Adapter" so that you can still use your modem to dial in to the internet. If you just want to send faxes you only need "Dial-Up Adapter".

Now you should configure TCP/IP for your 2 network cards. For "TCP/IP -> [name of network card from cable modem provider]" you should leave most of it as is, since Optus/Telstra have already set it up for you. If you've accidentally removed this entry, just add TCP/IP again (as described above) - that's nearly all you have to do! (easy for their technicians, eh?)

But there is one thing you MUST do - click on "TCP/IP -> [name of network card from cable modem provider]", click on "Properties", go to the "Bindings" tab and make sure that "File and printer sharing for Microsoft Networks" is NOT checked. This card faces the internet, so any service bound to it is offered to the internet: if you don't do this, everyone on the internet can access your files!!! There's no need for "Client for Microsoft Networks" or "Microsoft Family Logon" to be bound either, so you should uncheck these boxes. When Windows asks if you would like to select a protocol to bind, say "No".


You should also set this to be the "default protocol", that is, the default method for the server to connect to the internet. This is done by clicking on the "Advanced" tab and making sure the "Set this protocol to be the default protocol" box is checked.

You're done configuring "TCP/IP -> [name of network card from cable modem provider]", so click "OK".
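
One way to confirm that the unbinding took effect, run on the server itself (an added example, not part of the original guide): it tries the Windows file-sharing TCP ports on each network card's address. The external address is whatever winipcfg or ipconfig reports for the cable modem card and is passed on the command line; the internal default, 192.168.0.1, is the address this guide assigns to the second card in the next step.

```python
import socket
import sys

# TCP ports used by Windows file and printer sharing: 139 is the NetBIOS
# session service (Windows 95/98/ME and later), 445 is SMB directly over
# TCP (Windows 2000/XP and later).
FILE_SHARING_PORTS = {139: "NetBIOS session service", 445: "SMB over TCP"}


def accepts_connections(address, port, timeout=2.0):
    """Return True if a TCP connection to (address, port) completes."""
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return True
    except OSError:
        # Refused, unreachable or timed out: nothing usable is listening there.
        return False


def listening_ports(address, ports=None, timeout=2.0):
    """Return {port: description} for each file-sharing port open at address."""
    ports = FILE_SHARING_PORTS if ports is None else ports
    return {p: d for p, d in ports.items()
            if accepts_connections(address, p, timeout)}


def audit_bindings(external_ip, internal_ip, ports=None, timeout=2.0):
    """Compare file-sharing listeners on the two network cards' addresses.

    'exposed' should be empty (nothing bound to the cable modem card);
    'serving' shows what the home network card offers to the LAN.
    """
    return {
        "exposed": listening_ports(external_ip, ports, timeout),
        "serving": listening_ports(internal_ip, ports, timeout),
    }


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: check_bindings.py EXTERNAL_IP [INTERNAL_IP]")
    external = sys.argv[1]
    # Assumption: the LAN card uses the address from this guide unless given.
    internal = sys.argv[2] if len(sys.argv) > 2 else "192.168.0.1"
    result = audit_bindings(external, internal)
    for port, what in result["exposed"].items():
        print(f"PROBLEM: {what} (TCP {port}) answers on {external}")
    if not result["exposed"]:
        print(f"OK: no file-sharing port answers on {external}")
    for port, what in result["serving"].items():
        print(f"info: {what} (TCP {port}) answers on {internal}")
```

An empty `exposed` result means nothing on the server is listening for file sharing on the internet-facing address; it says nothing about any filtering done further upstream.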


Now configure "TCP/IP -> [name of network card you bought]" for the server. Click on it and then click "Properties". In the "IP Address" tab, select "Specify an IP address" and enter 192.168.0.1 as the IP address and 255.255.255.0 for the subnet mask. In "WINS Configuration" click "Disable WINS Resolution". Make sure "Gateway" is all blank. In "DNS Configuration", click "Disable DNS". In "Bindings", make sure "Client for Microsoft Networks", "File and Printer Sharing for Microsoft Networks" and "Microsoft Family Logon" are all checked. Don't change anything in "NetBIOS" unless you know what you're doing.
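
A sanity check for the naming and addressing used in this guide, as an added example that is not part of the original guide: it flags the mistakes the FAQ warns about (duplicate computer names, different workgroups) plus addresses that do not fit the server's 192.168.0.1 / 255.255.255.0 network. The client names and addresses in the sample plans are constructed for illustration.

```python
import ipaddress
from collections import Counter


def check_lan_plan(hosts):
    """Return a list of (code, detail) problems for a planned home LAN.

    hosts: list of dicts with keys name, workgroup, ip, netmask.
    The first entry is treated as the server's LAN-side network card.
    """
    problems = []
    server = hosts[0]
    lan = ipaddress.ip_network(f"{server['ip']}/{server['netmask']}", strict=False)

    # Computer names must be unique; NetBIOS names are case-insensitive.
    name_counts = Counter(h["name"].upper() for h in hosts)
    for name, count in sorted(name_counts.items()):
        if count > 1:
            problems.append(("duplicate-name", name))

    # Every computer must be in the same workgroup.
    workgroups = sorted({h["workgroup"].upper() for h in hosts})
    if len(workgroups) > 1:
        problems.append(("workgroup-mismatch", ", ".join(workgroups)))

    # Addresses must be unique, usable, and inside the server's subnet.
    ip_counts = Counter(h["ip"] for h in hosts)
    for h in hosts:
        addr = ipaddress.ip_address(h["ip"])
        mask = ipaddress.ip_address(h["netmask"])
        if ip_counts[h["ip"]] > 1:
            problems.append(("duplicate-ip", f"{h['name']} {addr}"))
        if mask != lan.netmask:
            problems.append(("netmask-mismatch", f"{h['name']} {mask}"))
        if addr not in lan:
            problems.append(("outside-subnet", f"{h['name']} {addr}"))
        elif addr in (lan.network_address, lan.broadcast_address):
            problems.append(("reserved-address", f"{h['name']} {addr}"))
    return problems


# Constructed sample plans. Only the server's address and mask come from
# the guide; every client entry is made up for this example.
GOOD_PLAN = [
    {"name": "PHIL", "workgroup": "WORKGROUP", "ip": "192.168.0.1", "netmask": "255.255.255.0"},
    {"name": "KATE", "workgroup": "WORKGROUP", "ip": "192.168.0.2", "netmask": "255.255.255.0"},
]
BAD_PLAN = [
    {"name": "PHIL", "workgroup": "WORKGROUP", "ip": "192.168.0.1", "netmask": "255.255.255.0"},
    {"name": "phil", "workgroup": "HOME", "ip": "192.168.1.2", "netmask": "255.255.255.0"},
    {"name": "LAPTOP", "workgroup": "WORKGROUP", "ip": "192.168.0.255", "netmask": "255.255.0.0"},
]

if __name__ == "__main__":
    for label, plan in (("good plan", GOOD_PLAN), ("bad plan", BAD_PLAN)):
        found = check_lan_plan(plan)
        print(label, "-", "no problems" if not found else "")
        for code, detail in found:
            print(f"  {code}: {detail}")
```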


Lastly, click on the "Advanced" tab. You may want to enable full duplex mode on the network card. This makes the card transfer data a little faster. You can do this if the computers are connected directly or via a switch (ie a hub with switching capabilities, as described in part 1), but not if the computers are connected to a non-switching hub, or via coaxial cables. To enable full duplex, change the appropriate setting in this section - I know this sounds a bit vague, but the exact way to do it is different for different cards. It's generally pretty self-explanatory, as you can see it is for my card:

You've now finished configuring the server computer! Click "OK" to exit the TCP/IP section, "OK" again to exit the Network Control Panel, and restart your computer when Windows asks you to.


Before you move on to configuring the client computers, you should take note of which Optus or Telstra "intranet domain" your server is connected to. To do this, select "Run" from the Start Menu and type "winipcfg" (without the quotes) and press "OK". Select the network card that's connected to the cable modem (the SMC network card may show up as "NDIS 4.0 driver" or something similar). Click on "More Info >>". You should see something like this:

The very first item, "Host Name", is what you're interested in. The beginning and end will probably be cut off, but it should be easy to guess the rest. The "Host Name" displayed consists of two components: your server's computer name (that you specified at the beginning of this section) and your intranet domain. In the example above, my intranet domain is "randw1.nsw.optushome.com.au". Optus domains always look something like this. Telstra domains are typically something like "nsw.bigpond.net.au". Remember this intranet domain, because you'll need it when configuring your client computer/s.


4.1 Configuring the server (Windows 2000/XP)

Go into the Windows Control Panel and choose "System". Go to the "Network Identification" tab and click on "Properties". For computer name, enter anything you want (eg "Phil" if the owner of the computer is Phil). If you're using Optus@Home, the name must be the name given to you by Optus (ie coXXXXXXX-a). Choose to be a member of a workgroup, and put whatever you like as your workgroup name. Note that every computer in your home network should be in the same workgroup. I simply call mine "WORKGROUP"!

Now we'll configure the network cards. Go back to the Control Panel and choose "Network and Dial-Up connections". You should see 3 icons - "Make new connection", and an icon representing each of your 2 network cards. These latter icons can be renamed for readability - you can see that I've named mine according to their function.


Next we'll configure the network card that's connected to your cable modem. Right-click on this network card and choose "Properties". You should see a dialog box similar to this one:

If you're missing "Client for Microsoft Networks", click on "Install...", choose "Client" and click "Add...", then choose "Client for Microsoft Networks" and click "OK". Similarly, if you're missing "File and Printer Sharing for Microsoft Networks", do the same but choose "Service" instead of "Client"; and if you're missing "Internet Protocol (TCP/IP)" do the same but choose "Protocol". Make sure that only "Internet Protocol (TCP/IP)" is ticked; in particular, make sure that "File and Printer Sharing for Microsoft Networks" is not ticked, as this would share your files over the internet!


Now select "Internet Protocol (TCP/IP)" and click "Properties". Make sure that "Obtain an IP address automatically" and "Obtain DNS server address automatically" are chosen.

You've finished configuring the network card that connects to the cable modem. Click "OK" to exit the TCP/IP properties, and "OK" again to exit the network card properties.


Now we're going to configure the network card that's connected to the other computer/s. Right-click on this network card and choose "Properties". Make sure that "Client for Microsoft Networks", "File and Printer Sharing for Microsoft Networks" and "Internet Protocol (TCP/IP)" are all ticked.


Now select "Internet Protocol (TCP/IP)" and click "Properties". Choose "Use the following IP address" and type in 192.168.0.1 for the IP address and 255.255.255.0 for the subnet mask.


Click "OK" to exit the TCP/IP configuration and get back to network card properties. Now, click the "Configure" button and then the "Advanced" tab. You may want to enable full duplex mode on the network card. This makes the card transfer data a little faster. You can do this if the computers are connected directly or via a switch (ie a hub with switching capabilities, as described in part 1), but not if the computers are connected to a non-switching hub, or via coaxial cable. To enable full duplex, change the appropriate setting in this section - I know this sounds a bit vague, but the exact way to do it is different for different cards. It's generally pretty self-explanatory, as you can see it is for my card:

You've now finished configuring the home network card! Click "OK" to exit the network card advanced settings and "OK" again to exit the network card properties.


Before you move on to configuring the client computers, you should take note of which Optus or Telstra "intranet domain" your server is connected to. To do this, open the Windows 2000/XP Command Prompt (in the Start Menu under Accessories) and type "ipconfig" (without the quotes). You should see something like this:

Look at the section for the network card that connects to your cable modem (in my case, "Optus"). Your intranet domain is listed as the "Connection-specific DNS Suffix". In the example above, my intranet domain is "randw1.nsw.optushome.com.au". Optus domains always look something like this. Telstra domains are typically something like "nsw.bigpond.net.au". Remember this intranet domain, because you'll need it when configuring your client computer/s.


4.2 Configuring the client computer/s (Windows 95/98/ME)

This is very similar to configuring the server, but easier! Go into the Network control panel as you did on the server. Firstly, go into the Identification tab. For computer name, enter anything you want - but note that each computer in your network must have a unique name. For workgroup, put the same workgroup name that you used for the server. For computer description, put whatever you like.

Now for the configuration tab. If you decided to add Microsoft Family Logon on the server, you should do the same for each client computer. As with the server, you can install this by clicking "Add...", choosing "Client" then clicking "Add...", choosing "Microsoft" on the left and "Microsoft Family Logon" on the right and clicking "OK". Back in the basic network control panel screen, change your Primary Network Logon to "Microsoft Family Logon".

Next, if you enabled file and printer sharing on the server you should do the same on each client. As with the server, you do this by clicking on "File and Print Sharing...", checking the boxes to enable these services, then clicking "OK".

Now you need to add TCP/IP. Click "Add...", choose "Protocol" then click "Add...", then choose "Microsoft" on the left and "TCP/IP" on the right and click "OK".


At this point you'll once more have lots of stuff in the little box that says "The following network components are installed:" The box will be a little less cluttered than for the server and should look like this: Client for Microsoft Networks; Microsoft Family Logon; [name of network card]; TCP/IP; File and printer sharing for Microsoft Networks. It will be considerably more cluttered if you have any other network components installed.

If there are any other network components present, they can and generally should be removed by clicking on each component and then clicking "Remove"; however if you have any dial-up adapters installed (they'll say "Dial-Up Adapter") then you may want to keep "Dial-Up Adapter" and "TCP/IP -> Dial-Up Adapter" so that you can still use your modem to dial in to the internet. If you just want to send faxes you only need "Dial-Up Adapter".

Now configure TCP/IP for the network card. If there are no other network components (in which case your network control panel should look like mine above), click on "TCP/IP" and then click "Properties". Otherwise you'll need to click on "TCP/IP -> [name of network card you bought]" and then click "Properties".


In the "IP Address" tab, select "Specify an IP address" and enter 192.168.0.2 as the IP address for the first client, 192.168.0.3 for the second client and so on. It is important that every computer has a different IP address. Enter 255.255.255.0 for the subnet mask for each client.

In "WINS Configuration" click "Disable WINS Resolution".


In the "Gateway" tab, enter 192.168.0.1 as a "New gateway" and click "Add".


In "DNS Configuration", click on "Enable DNS". For Host, enter the computer's name (the name you specified in the "Identification" tab of the Network control panel). For Domain, enter the intranet domain that you identified at the end of section 4.1. In DNS Server Search Order, type 192.168.0.1 and click "Add".

In "Bindings", make sure "Client for Microsoft Networks", "File and Printer Sharing for Microsoft Networks" and "Microsoft Family Logon" are all checked. Click on the "Advanced" tab and make sure the "Set this protocol to be the default protocol" box is checked.


As with the server computer, you may want to enable full duplex mode on the network card (but see the explanation of this in section 4.1 before you decide to do this). The way to enable full duplex mode is slightly different for different cards, but is generally pretty self-explanatory. Don't change any other settings in the "Advanced" or "NetBIOS" tabs unless you know what you're doing.

You've now finished configuring the client computer/s. Click "OK" to exit the TCP/IP section, "OK" again to exit the Network Control Panel, and restart your computer when Windows asks you to. Congratulations, you've set up your home network!


4.2 Configuring the client computer/s (Windows 2000/XP)

This is very similar to configuring the server, but easier! As before, go into the Windows Control Panel and choose "System". Go to the "Network Identification" tab and click on "Properties". For computer name, enter anything you want - but note that each computer in your network must have a unique name. Choose to be a member of a workgroup, and put the same workgroup name that you used for the server.

Now to configure the network card. Go back to the Control Panel and choose "Network and Dial-Up connections". Right-click on the network card and choose "Properties". You should see a dialog box similar to this one:

If you're missing "Client for Microsoft Networks", click on "Install...", choose "Client" and click "Add...", then choose "Client for Microsoft Networks" and click "OK". Similarly, if you're missing "File and Printer Sharing for Microsoft Networks", do the same but choose "Service" instead of "Client"; and if you're missing "Internet Protocol (TCP/IP)" do the same but choose "Protocol".


Make sure that "Client for Microsoft Networks", "File and Printer Sharing for Microsoft Networks" and "Internet Protocol (TCP/IP)" are all ticked.


Now select "Internet Protocol (TCP/IP)" and click "Properties". Choose "Use the following IP address" and type 192.168.0.2 as the IP address for the first client, 192.168.0.3 for the second client and so on. It is important that every computer has a different IP address. Type 255.255.255.0 for the subnet mask. Make sure that "Use the following DNS server addresses" is checked and type in 192.168.0.1. You should see something like this:


Now click "Advanced...". In the "Default gateways" section, click "Add..." and type in 192.168.0.1 and leave the Metric as 1. Click "Add". You should see this:


Click on the "DNS" tab, and in the "DNS suffix for this connection" section, type in the intranet domain that you identified at the end of section 4.1.


Click "OK" to exit the advanced TCP/IP settings, and "OK" again to exit the TCP/IP configuration and get back to the main network card properties dialog box. Now, click the "Configure" button and then the "Advanced" tab. As with the server computer, you may want to enable full duplex mode on the network card (but see the explanation of this in section 4.1 before you decide to do this). To enable full duplex, change the appropriate setting in this section:

You've now finished configuring the client computer/s. Click "OK" to exit the network card advanced settings and "OK" again to exit the network card properties. Congratulations, you've set up your home network!
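The addressing rules from section 4 (unique computer names, one workgroup, unique 192.168.0.x addresses with the same subnet mask, clients pointing at the server for gateway and DNS) can be checked on paper before any dialog box is touched. The Python script below is an added example, not part of the original guide; the computer names and the dictionary layout are made up for illustration, and the `gateway` parameter covers setups where clients are told to use a different address.

```python
"""Check a planned home-network configuration against the rules in section 4."""
import ipaddress

SERVER_LAN_IP = "192.168.0.1"   # server's home-network card (section 4.1)

# Constructed sample plans; the computer names are made up for illustration.
SERVER = {"name": "Phil", "workgroup": "WORKGROUP",
          "ip": SERVER_LAN_IP, "mask": "255.255.255.0"}
GOOD_CLIENTS = [
    {"name": "Kate", "workgroup": "WORKGROUP", "ip": "192.168.0.2",
     "mask": "255.255.255.0", "gateway": "192.168.0.1", "dns": "192.168.0.1"},
    {"name": "Tom", "workgroup": "WORKGROUP", "ip": "192.168.0.3",
     "mask": "255.255.255.0", "gateway": "192.168.0.1", "dns": "192.168.0.1"},
]
BAD_CLIENTS = [
    # same name as the server, wrong workgroup, wrong subnet mask
    {"name": "phil", "workgroup": "HOME", "ip": "192.168.0.2",
     "mask": "255.255.0.0", "gateway": "192.168.0.1", "dns": "192.168.0.1"},
    # duplicate IP address, gateway pointing at itself
    {"name": "Kate", "workgroup": "WORKGROUP", "ip": "192.168.0.2",
     "mask": "255.255.255.0", "gateway": "192.168.0.2", "dns": "192.168.0.1"},
    # address outside the 192.168.0.x range
    {"name": "Tom", "workgroup": "WORKGROUP", "ip": "192.168.1.4",
     "mask": "255.255.255.0", "gateway": "192.168.0.1", "dns": "192.168.0.1"},
]


def check_plan(server, clients, gateway=SERVER_LAN_IP):
    """Return a list of problems; an empty list means the plan is consistent."""
    try:
        lan = ipaddress.ip_network(f"{server['ip']}/{server['mask']}", strict=False)
    except ValueError as exc:
        return [f"server: bad address or mask ({exc})"]

    problems = []
    names, addresses = set(), set()
    for role, host in [("server", server)] + [("client", c) for c in clients]:
        label = f"{role} {host['name']}"

        # Windows network names are not case-sensitive, so compare in upper case.
        key = host["name"].upper()
        if key in names:
            problems.append(f"{label}: computer name is not unique")
        names.add(key)
        if host["workgroup"].upper() != server["workgroup"].upper():
            problems.append(f"{label}: workgroup differs from the server's")

        try:
            ip = ipaddress.ip_address(host["ip"])
        except ValueError:
            problems.append(f"{label}: {host['ip']!r} is not a valid IP address")
            continue
        if ip in addresses:
            problems.append(f"{label}: IP address {ip} is already in use")
        addresses.add(ip)
        if ip not in lan or ip in (lan.network_address, lan.broadcast_address):
            problems.append(f"{label}: {ip} is not a usable address in {lan}")
        if host["mask"] != server["mask"]:
            problems.append(f"{label}: subnet mask differs from the server's")

        if role == "client":
            if host.get("gateway") != gateway:
                problems.append(f"{label}: gateway should be {gateway}")
            if host.get("dns") != gateway:
                problems.append(f"{label}: DNS server should be {gateway}")
    return problems


if __name__ == "__main__":
    for title, clients in (("good plan", GOOD_CLIENTS), ("bad plan", BAD_CLIENTS)):
        found = check_plan(SERVER, clients)
        print(title, "->", "OK" if not found else "")
        for problem in found:
            print("   ", problem)
```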


5. Testing your home network

There's no way you'll get internet sharing if your home network isn't configured properly. A good way of testing the network is to try and "ping" each computer from another one. A "ping" in computer terms is a little piece of information sent over a network that basically says "hello? are you there?" If the target computer is there, it will respond saying "yep, here I am". To ping a computer, open up an MS-DOS prompt (in Windows 95/98/ME) or a Command Prompt (in Windows 2000/XP) and simply type "ping (target computer's IP address)". For example, if you wanted to ping your server computer (192.168.0.1) from your first client computer (192.168.0.2), you would open up an MS-DOS prompt (or Command Prompt) on the client computer and type "ping 192.168.0.1". If everything's working, you should get something like this:


If your network is not configured properly, the ping will go unanswered. An example of an unsuccessful ping is this:

Another way of testing your home network is to share a folder on one computer and try to access it from another. Note: the rest of this page refers to Windows 95/98/ME only; Windows 2000/XP information will be added soon (it's very similar). An example of sharing folders: on the server, choose a folder that you'd like to share with other users. On my computer I simply have a folder "C:\Phil Share". Right-click on this folder and choose "Sharing".


Click on "Shared As" and select the options you want. I have "C:\Phil Share" shared as "PHIL SHARE" with full access and no password.


Now put something in this folder. Now go to another computer and go into Network Neighborhood. You should see the names of all the computers in your network (if you don't, something is wrong - do all the computers have the same Workgroup? If they do, you should see them there. Try pressing F5 to refresh the view. If they still don't appear, and don't appear after 10 or so seconds and a new Refresh, then your network is not configured properly. Go over all the steps in section 4 and see if you've made a simple mistake somewhere). Now you should be able to double click on the computer with the shared directory, open that directory and copy the file.

Cool eh?! If this all worked, you're in business - it's time to set up your internet sharing. If it didn't work, you'll need to go over the steps above and make sure you did everything right - it's very easy to make a simple mistake, and such mistakes can easily prevent your network from functioning. See the FAQ for some specific problem-solving suggestions. Please don't try to install any internet connection sharing or firewall software until you can at least ping every computer from the others - keep it simple!

By the way, you can easily share a printer using roughly the same technique - go into the Printer Control Panel on the computer connected to the printer, right-click on the printer name and choose "Sharing" and then click on "Shared As:" and then "OK". Then go into the Printer Control Panel on a client computer, double-click on "Add Printer", click "Next", choose "Network Printer", click "Browse" to find the printer etc - it's not very hard and it's beyond the scope of this tutorial so I won't explain it all here.


6. Taking a break

At this point you should take a break - make a nice cup of English Breakfast Tea and drink it outside in the fresh air. Please note that I won't answer any email queries from readers who don't take a break at this point... :-)


7. Setting up software to share your internet connection

7.1 Fixing your login client (Telstra users only)

If you're using Telstra you should change your login client software. This is because the current "official" login client is hopeless when it comes to internet sharing, and seems to be explicitly designed to conflict with some sharing software. BPALogin (http://bpalogin.sourceforge.net) is a 3rd-party Telstra login client that connects faster than the official client, is more stable, uses less memory and works fine with all sharing software. It's also available for more operating systems than the official client. During installation, if you're running Windows 2000/XP it's a good idea to install BPALogin as a service. After installation, run BPALogin to connect to the internet (of course, make sure that you've disconnected with the official client first). You'll need to enter some basic settings - your username and password that Telstra gave you, the local port number (make this 5050, as recommended), and your "default domain". This is the "intranet domain name" that you determined at the end of section 4.1.

Once you've connected using BPALogin, uninstall the official Telstra software - you won't need it again.


7.2 Choosing the internet sharing software

Again, it's time to make a choice. There are many different ways of doing this, and they all have their pros and cons. Luckily every way can be tested (with free downloadable demos and so on) so you can find a solution that's right for you.

The first thing to do is choose whether you want your server to be a proxy server or a NAT router. If you've ever configured your web browser to use a proxy you'll have an idea what a proxy server is - basically the server computer sets up a "pretend" web server, email server etc which the client computers connect to, and thus they indirectly connect to the internet. On the other hand a NAT (network address translation) router forwards network packets to and from clients, creating the illusion that each client is connected directly to the internet. This simplifies configuration for the clients - as far as they're concerned they're connected directly to the net!

To be honest I can't think of any advantage of a proxy server over a NAT router, but I can think of many disadvantages - it's harder to set up on the server, it's harder to set up on the clients, fewer internet applications will work on the clients... Therefore I unreservedly recommend you choose a NAT router over a proxy server.

There are 4 NAT routers that you should consider, each with their good and bad points. The only free one is Microsoft's Internet Connection Sharing, which comes with Windows 98 Second Edition and above. The most popular program is probably Sygate, but other good ones are NAT32 (a little harder to set up but the cheapest I know of) and WinRoute (excellent because it has built-in firewall capabilities, but more expensive). You should probably try each one to find what's right for you - they can all be trialled for free, so there's not really any reason not to try them all before deciding what to stick with. Be sure you only have one installed at a time!

Setting up a NAT router has 2 components - (1) installing the NAT routing software on the server, and (2) configuring the internet applications on the client computer/s.


7.1 Installing the NAT routing software

Microsoft Internet Connection Sharing for Windows 98SE and Windows ME

This software is good because it is free and very easy to install. Its disadvantages are that it's not very powerful (eg it doesn't allow port mapping, which all of the other programs do - port mapping is something that you'll probably want to do later on when you get the hang of networking) and that it's said to be technically inferior in terms of speed, reliability and so on. A lot of people can't get Internet Connection Sharing to work with a USB ethernet adaptor. Overall, it's great for beginners, but if you have a USB ethernet adaptor you might need to use another program - or buy yourself another PCI network card.

Microsoft Internet Connection Sharing is very simple to install. On the server, go into the Windows Control Panel and open "Add/Remove Programs". Click on the "Windows Setup" tab, double click on "Internet Tools" and tick the box labelled "Internet Connection Sharing".


Click OK then OK again to exit out of the "Add/Remove Programs" control panel. You'll need your Windows CD. The Internet Connection Sharing Wizard will now take you through a couple of simple steps to set up sharing. Don't worry about the floppy disk the Wizard asks you for - put one in just to keep it happy, but you won't need it. When the Wizard is finished you will be prompted to restart your computer.

If you're with Telstra there's one more thing you need to do. Telstra's computers send out a so-called "heartbeat" network signal every few minutes that attempts to open a connection on your server computer; if the heartbeat can't open this connection then Telstra assumes that you've disconnected from the internet and shuts down your connection. Unfortunately, Microsoft's Internet Connection Sharing interferes with this heartbeat signal, causing your internet connection to drop out every few minutes! Luckily there's a simple fix - download this registry patch and double-click on it to modify your Internet Connection Sharing settings to allow the heartbeat through. You only need to do this on the server computer.

Now all you need to do is configure the software on the client machines (see below) and you're done!


Microsoft Internet Connection Sharing for Windows 2000/XP

This is very easy to set up - even easier than Internet Connection Sharing for Windows 98! As with ICS for Windows 98, it is not very powerful, and is thus most suited to beginners or those with a tight budget. To set up Internet Connection Sharing for Windows 2000/XP, open the Control Panel on the server computer and choose "Network and Dial-up connections". Right-click on the network card that's connected to the cable modem and choose "Properties". Click on the "Sharing" tab and tick "Enable Internet Connection Sharing for this connection". Now click "OK" and - drumroll - that's it!!

The Telstra heartbeat issue (see above) does not affect Internet Connection Sharing for Windows 2000/XP, so you don't need to worry about it. Therefore, all you need to do now is configure the software on the client machines (see below) and you're done!


Sygate Home Network

This software is very popular because it's easy to use, powerful and reasonably priced. Installation is easy. Download the software from http://www.sygate.com. Install Sygate on the server computer by running sygate.exe. When the installer asks you which mode to install as, choose server mode and click "OK". For now, just click "I am a trial user" when prompted. The "trial key" was displayed at the Sygate website when you downloaded the demo; if you can't remember it you can go back to the link (it doesn't change very often). You don't need to enter a user name; just enter the trial key and click "OK". Restart the computer when prompted. That's it! Once your server's restarted, your client machines should be able to access the internet!

Tip: You'll probably want to go into the Sygate Manager (which loads at startup) and tell it NOT to load at startup, since it's quite annoying. You do this by clicking on the "Tools" menu and unticking Load Manager at startup. Note that the Manager and the Engine are 2 different things - it is the Engine that actually does the NAT routing; the Manager is only for configuring things. So you probably want the Engine to start when Windows does, but not the Manager...


NAT32

NAT32 is quite powerful, yet it's the cheapest of the commercial NAT routers. Its main advantage is its price; its disadvantages include that it's much harder to set up and that the client computer/s seem to get a slower connection than the server does.

To install, download the software from http://www.nat32.com. Unzip the file you downloaded to C:\Nat32 on the server. Open your by-now familiar Network Control Panel, and click on "Add...", choose "Protocol" then click "Have Disk...". Under "Copy manufacturer's files from:" type in "C:\Nat32" and then click "OK". Select the correct version of the NDIS3PKT driver depending on your operating system and click "OK". Click "OK" to exit the Network Control Panel. You'll need your Windows CD and then you'll need to restart your computer.

Run C:\Nat32\Setup.exe to install NAT32 proper. The installation program is ultrafast and for once you won't have to restart your computer. Now run "Configure NAT32" from your start menu. When asked to select which Interfaces you would like NAT32 to use, make sure that both your network cards are selected (if you have no other network devices you can just click "Select all"). Make sure "Create a shortcut" is ticked - this is useful for starting NAT32 later. Click "Continue..."


Next you need to configure your Interfaces. In my installation of NAT32 everything was already correct and I didn't need to change any settings. The main thing to be sure of is that the network card connected to your home network has "Secondary" ticked and "Share" unticked, whereas the network card connected to your cable modem has "Primary" and "Share" ticked.


Click through the remaining dialog boxes until you get to the console window:

Now, unfortunately, you'll need to change a couple of the TCP/IP settings that I told you to put in earlier (sorry!). Basically, on each client computer you need to open the Network Control Panel, click on "TCP/IP" (or "TCP/IP -> [name of network card]" if that's what you used before) and click on "Properties". In the "Gateway" and "DNS" sections, you need to change the "192.168.0.1" entries to "192.168.0.100" - you do this by clicking the old entry and then clicking "Remove", and then adding the new entry (ie 192.168.0.100) in the same way as you originally added 192.168.0.1. Click "OK" twice to exit the Network Control Panel and suffer yet another Windows restart. Now you need to configure the software on the client machines (see below) and you're done!


WinRoute Lite

WinRoute is great because it is easy to install, has excellent NAT routing, and (this feature's awesome) it features a powerful built-in firewall. I would recommend it to everyone - in fact, I guess I do - but it is by far the most expensive program of the ones on this page!

To install WinRoute Lite, download the software from http://www.kerio.com. Install the software on the server by simply running the installation program you downloaded. You will be prompted to restart your computer. Once back into Windows, double-click on the WinRoute icon in your system tray (at the bottom right of your screen). Click on the "Settings" tab. Under "Select the adapter used for Internet connection", click on "2nd network adapter..." and choose the network card that is connected to your cable modem.

If you're using Telstra, the firewall in WinRoute will interfere with the heartbeat from Telstra's computers (see above, in the Internet Connection Sharing for Windows 98SE/ME section). To get around this, you need to map some ports. In the "Advanced Settings" section, click on "Settings..." and set up these port mappings: Protocol UDP, Listen port range 1024-5055, Destination port range 1024-5055, Destination IP 192.168.0.1. Now all you need to do is configure the software on the client machines (see below) and you're done!


7.2 Configuring the software on the client computer/s

This is so easy that it hardly merits a place on this page! All you have to do is a little bit of mucking around with the setup of each of your programs - and in fact, most programs don't need any changes at all, and therefore most of them should already work! If they don't, they simply need to be told to access the internet through a LAN (local area network - your home network!) rather than a traditional modem. For example, in Internet Explorer, go to the Tools menu and select "Internet Options". Click on the "Connections" tab and select "Never dial a connection". Simple eh? :-) (For best performance you should also click on "LAN Settings..." and make all these settings the same as they are on your server computer.)


8. Securing your network

Unfortunately, a high-speed internet connection comes with a price - your system is exposed to the world. It is critical that you protect yourself from an attack by a hacker; this section will describe how.

Understanding internet connections

Before discussing the types of attacks and how to stop them, it is necessary to understand a little about how internet connections are made... For 2 computers on the internet to talk to one another, a TCP/IP connection must first be established. To establish a connection, one computer sends a message to the other computer, requesting a connection. It's like one computer is making a phone call to the other. Also like a phone call, the initial request for a connection is one-way; but once the connection is established, each computer can send and receive information.

For a connection to be established, the computer that receives the connection request must have a program running that is "listening" for requests (waiting for a phone call) and is willing to make TCP/IP connections (pick up the phone and talk) - such a program is called a "server" (nb different from the "server PC" in a home network), and examples would be webservers and FTP servers.

An example of a TCP/IP connection request is when you request a webpage - your computer sends a request to the webserver to establish a TCP/IP connection and share information. Think of this as an "outgoing" connection request, since the request goes out from your computer (inside your home network) to the internet (outside your home network). Conversely, if you were running your own FTP server at home, then when other computers on the internet tried to connect to it, they'd be sending "incoming" requests for TCP/IP connections. (For more detailed information about TCP/IP connections, see section 10)

Attacks against your network

Attacks against your network can be via a malicious TCP/IP connection or via a virus. There are therefore 3 major, discrete types of attacks that you need to protect against:

1. "Incoming" attacks
2. "Outgoing" attacks
3. Viruses

1. An "incoming" attack is when a computer somewhere on the internet tries to get into your computer by compromising any "servers" that you may be running (webserver, FTP server, mail server etc). "Servers" listen for connection requests, and are thus potentially vulnerable to malicious connections initiated by an incoming connection request. You might think "but I don't run a webserver, or a mail server, or anything like that!", but you'd be surprised how many "servers" you can accumulate without realising it - ICQ for example acts as a server when somebody sends you a file. Also, some versions of Windows come with "Personal Web Server" pre-installed, a gross security risk that most users are unaware of. The only way to be sure that you haven't accidentally got any servers open to the world, waiting to be compromised, is to block all incoming connection requests with a firewall. A firewall is (essentially) something that selectively blocks TCP/IP communication. You can then specifically tell the firewall to allow certain applications (eg ICQ) to act as "servers". (Side note: generally only the "server computer" in your home network is vulnerable to this kind of attack, because NAT routing works in such a way that the client computers are unable to run "servers")

2. An "outgoing" attack may occur if you've accidentally downloaded a trojan (a special type of virus) that wasn't picked up by your anti-virus software. The trojan can "dial home", ie send an outgoing connection request to a hacker's computer. Once established, the connection could be used for pretty much anything - forcing your computer to attack a web site, deleting all of your files, stealing your credit card details etc. Every computer in your home network is vulnerable to this type of attack. Since the trojan runs on your computer and sends out connection requests to hackers' computers, a firewall is necessary to block all outgoing connection requests. However, outgoing connection requests are necessary for the normal use of the internet - if you did block them all, none of your normal internet programs, such as web browsers and email clients, would be able to use the internet! Therefore you need a firewall capable of "allowing" certain, approved applications to send "outgoing" connection requests, while preventing all other applications from doing the same.

3. You need to have an up-to-date, properly configured anti-virus program.

How to protect yourself

There are various options for firewalling, ranging from free software firewalls (often worth every cent!) to dedicated, physically separate hardware firewalls for the paranoid. The problem with most firewalls, however, is that while they're all quite good at blocking incoming attacks (number 1 above), most of them are completely unable to deal with outgoing attacks (number 2 above). For example, the firewall in WinRoute Lite, whilst excellent at preventing incoming attacks, cannot prevent outgoing attacks without completely disrupting internet usage - this is because it's unable to distinguish whether the outgoing connection requests come from an "approved" application or from something else.


Therefore I recommend to all Windows users that they use ZoneAlarm (http://www.zonelabs.com), which is free for personal use and has an excellent reputation for protecting against both incoming (1) and outgoing (2) attacks. It should be installed on every computer in the network, because every computer is vulnerable to (2). The old adage is that "it's impossible to make Windows secure", and that's probably true. However, in my opinion, ZoneAlarm is as close as you can get to securing your network without being silly.

A reasonable alternative is Tiny Personal Firewall (http://www.tinysoftware.com). Sygate Personal Firewall (http://www.sygate.com) is also quite good, but (at least until recently) it's been plagued by inadequate identification of programs - for example, if you downloaded a trojan which renamed itself to "iexplore.exe" then Sygate would let it send an outgoing connection request, thinking that it was Internet Explorer. I believe that's been fixed now, but ZoneAlarm was never vulnerable in that way and is still the firewall of choice.

In terms of anti-virus software, you should already have an anti-virus program installed (!), but if not, I recommend Norton Anti-Virus (http://www.symantec.com) - it seems to catch more viruses than any other software, and its interface is quite good (eg automatic updating of virus definition files, which is a total breeze on broadband).
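The program-identification weakness described above for Sygate, as an added example (not code from this guide or from any of the firewalls named): an outgoing allow list that matches on file name alone passes a program renamed to "iexplore.exe", while one that also matches a hash of the file's contents does not. The class and function names, the file name "update32.exe" and the byte strings are constructed for illustration.

```python
import hashlib

def fingerprint(image: bytes) -> str:
    """Identify a program by the contents of its file, not by its name."""
    return hashlib.sha256(image).hexdigest()

class OutboundPolicy:
    """Allow list for outgoing connection requests, kept per application."""

    def __init__(self):
        # lower-cased file name -> fingerprint of the file the user approved
        self.approved = {}

    def approve(self, name: str, image: bytes) -> None:
        self.approved[name.lower()] = fingerprint(image)

    def allow_by_name(self, name: str, image: bytes) -> bool:
        # Weak check: trusts whatever the file is called.
        return name.lower() in self.approved

    def allow_by_content(self, name: str, image: bytes) -> bool:
        # Stronger check: the name must be approved AND the file must be
        # byte-for-byte the one the user approved.
        return self.approved.get(name.lower()) == fingerprint(image)

# Constructed stand-ins for the bytes of program files on disk.
BROWSER_V1 = b"constructed sample: genuine browser, version 1"
BROWSER_V2 = b"constructed sample: genuine browser, version 2 (after an update)"
TROJAN = b"constructed sample: unapproved program"

def decisions():
    """Return {request: (allowed by name, allowed by content)}."""
    policy = OutboundPolicy()
    policy.approve("iexplore.exe", BROWSER_V1)
    requests = [
        ("genuine browser", "iexplore.exe", BROWSER_V1),
        ("trojan under its own name", "update32.exe", TROJAN),
        ("trojan renamed to iexplore.exe", "IEXPLORE.EXE", TROJAN),
        ("browser after an update", "iexplore.exe", BROWSER_V2),
    ]
    return {label: (policy.allow_by_name(name, image),
                    policy.allow_by_content(name, image))
            for label, name, image in requests}

if __name__ == "__main__":
    for label, result in decisions().items():
        print(f"{label:32} by name: {result[0]!s:5}  by content: {result[1]}")
```

The last request shows the cost of the stronger check: a genuine program whose file changes after an update is refused until it is approved again.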


Installing ZoneAlarm

ZoneAlarm is FREE for personal use, but don't let that put you off - it's excellent software. For the reasons outlined above, I strongly recommend that you install it on every computer in the home network, not just the server computer. Here's how:

1. Download the free personal edition of ZoneAlarm from http://www.zonelabs.com
2. Run the zonalarm.exe installer. Installation is fairly straightforward - you shouldn't have any problems here.
3. You'll need to play around with the settings to get everything working smoothly. I found that changing the security settings to Low for "Local" and Medium for "Internet" did the trick.
4. Repeat steps 2-3 for every computer in your home network.


Testing your firewall

It's no good having a firewall if it's not working properly! No matter what firewall program you're using, you should test it to make sure it's protecting you the way it ought to. Probably the easiest way to do this is to go to the Gibson Research Corporation (http://grc.com), follow the links to "ShieldsUp!" (you have to follow 2 links), and click "Probe my Ports". You should aim to have all of your ports as "stealth". If you're on Optus, don't worry about the results for ports 25, 39 and 80 - these ports are blocked by Optus, so whatever the results of the scan are, they're nothing to do with your firewall. Similarly, Telstra blocks port 39.

Other precautions

Use good anti-virus software, and keep it up to date! Similarly, be sensible when using the internet - never open email attachments unless you know who sent them to you and what they are; never run programs from the internet unless you trust the source, and even then make sure you've scanned the program for viruses.

Windows users should think very seriously about abandoning Internet Explorer and Outlook/Outlook Express, which have been the greatest spreaders of viruses (including trojans) for years. There are better alternatives! For much safer web browsing, with more features than Internet Explorer, try Mozilla (http://www.mozilla.org) or Opera (http://www.opera.com). For a safe and powerful alternative to Outlook/Outlook Express try Mozilla Mail (part of Mozilla) or Eudora (http://www.eudora.com).


9. Patting yourself on the back

Congratulations! You've just set up a home network that allows the secure sharing of an internet connection, files and printers! Now you're an expert and can do it for a friend! Now you may want to try your hand at advanced NAT configuration, read the FAQ, or check out the links at the end of the guide for further information relating to shared cable modem access.


10. Advanced NAT configuration

The following pages contain instructions for advanced NAT configuration using port mapping. Port mapping is required for some specific things, such as client computers receiving files via ICQ. It is not necessary to read any further unless you wish to enhance your network with this kind of functionality. Read below to find out more about port mapping; or you can just follow these quick links:

10.1 Mapping ports on the server
10.2 Configuring server programs on the client

What is a port, anyway?

For 2 computers on the internet to talk to one another, a connection must first be established. To establish a connection, one computer (the client - NOT the same definition as was used for the local network you've already set up!!!) sends a message to the other computer (the server), requesting a connection. It's like one computer is making a phone call to the other. Also like a phone call, the initial request for a connection is one-way; but once the connection is established, each computer can send and receive information.

Now extend the phone call analogy to imagine that instead of 2 people talking on the phone, a person from one large company calls a person from another large company. Each company has heaps of phones, but the caller uses just one of their company's phones to call out, and the person receiving the call uses just one of their company's phones to answer. All of the phones in one company share the first few digits of their phone number, but they each have a different extension.

In an internet connection, a similar process occurs. Each computer has many "ports", and when a computer sends a connection request, it sends it from a particular "outgoing" port on that computer (ie the client) to a particular "incoming" port on the server. Thus the first part of the "phone number" is equivalent to the IP address of the relevant computer, and the "extension" is equivalent to the port number.

For example, let's say you surf to www.optushome.com.au, which has an IP address of 203.164.1.237. Your computer (the client) sends a connection request from a particular port on your computer (it doesn't matter which) to 203.164.1.237, port 80. Port 80 is the standard port number used for web browsing. The webserver accepts the connection, and sends you the webpage. Now you have a connection established with that computer (203.164.1.237) and you can request webpages, files etc and it can send them to you. Your computers can continue to talk until one of the computers closes this connection. All of this is handled by your web browser, so you don't need to know what's going on underneath the shiny surface.


Everything you do on the internet is based on this simple premise - communication between 2 computers is established after one computer requests a connection from the other. Note that the outgoing port is generally unimportant, whereas the incoming port (which is specified by the computer requesting a connection) is very important, as different services are assigned to different ports (eg port 80 for WWW). So the client computer could request a connection on a weird port such as 8754, and the server may accept it; but more likely the server will think "8754? What on earth is that for?" and reject the request.

Some more examples of connections include:

- FTP - Your computer (the client) sends a request from any port to port 21 on the server
- Sending email - Your computer (the client) sends a request from any port to port 25 on the server (the SMTP server)
- Receiving email - Your computer (the client) sends a request from any port to port 110 on the server (the POP server)
- Sharing files with Napster - (1) If you are downloading from another user, your computer is the client. Thus your computer sends a request from any port to port 6699 on the computer with the song you're downloading. This incoming port doesn't need to be 6699; it can be anything, and is specified by the Napster preferences on the other computer. However, 6699 is the default. (2) If, on the other hand, another user wants to download a song from you, their computer sends a request from any port to port 6699 (or whichever you've specified in your Napster preferences) on your computer.
- Sharing files with ICQ - This is similar to Napster, but ICQ likes to use multiple ports. So (1) If you are sending a file to another user, your computer is the client - it sends a request from any port to "a port" on the computer that you're sending the file to. I say "a port" because it depends on the ICQ configuration of the person you're sending the file to; it generally has to be within a range, eg between 20000 and 20009. (2) If, on the other hand, another user is sending a file to you, their computer sends a request from any port to "a port" (specified in your ICQ preferences) on your computer.

Did you get all that? :-) You may need to read over it a couple of times to understand exactly what I mean. Anyway, the important thing is this - any computer in your network that is receiving its internet connection via NAT (basically your client computers, and I'm going back to the definition of client that we were using in the rest of the guide) can send connection requests, but cannot receive them.

The ramifications of this are easy to determine if you look at the above examples of connections. WWW, FTP, sending email and receiving email work fine; as do downloading in Napster and sending files in ICQ. However, allowing others to download from you in Napster, and receiving files in ICQ, require that your computer can receive a connection request. Thus, none of your client computers can upload in Napster or receive files in ICQ.

Port mapping

Port mapping is a feature of a NAT program that gets around this problem. Normally, any incoming connection requests go straight to the server computer. The server computer has no way of knowing which computer on the home network the connection request was intended for, so by default it takes all such requests. Port mapping is a process whereby you can tell the server computer "please forward any requests for a connection on port x to computer 192.168.0.y".

For example, let's say you had a client computer, 192.168.0.2, running Napster; and that you wanted people to be able to download your shared songs. Let's say Napster was configured to accept connections on port 6699, the default. You could configure your server to allow this by saying "please forward any requests for a connection on port 6699 to computer 192.168.0.2". If you had another computer, 192.168.0.3, also running Napster, you could configure its version of Napster to accept connections on port 6700. Then you could configure the server to "please forward any requests for a connection on port 6700 to computer 192.168.0.3".

Port mapping thus allows your client computers to accept connections from other computers on the internet, which they would have been otherwise unable to do. The most common applications of this are Napster and ICQ, but it is equally applicable to any program that needs the computer to accept connections. To learn how to set up port mapping on your home network, continue...


10.1 Mapping ports on the server

For each NAT routing program I'll show you how to set up port mapping by way of 2 examples - Napster (a program that requires a single port) and ICQ (requiring multiple ports).

Windows 2000/XP Internet Connection Sharing

To map ports in Windows 2000/XP ICS, open your "Network and Dial-up connections" Control Panel. Right-click on the network card that's connected to the internet and choose "Properties". Click on the "Sharing" tab. Click on "Settings". Click on the "Services" tab. Here you can add port mappings.

The first example is Napster - let's say you want the computer 192.168.0.2 to receive connections on port 6699 so that it can share files. You would click "Add...". Call this port map "Napster6699", choose service port number 6699, TCP, and enter 192.168.0.2 as the IP address. Click "OK" to add this port mapping to Windows ICS. If you wanted 192.168.0.3 to receive Napster connections as well, you could do the same thing but with port 7000, and so on.


Now for ICQ. Later you'll need to configure the ICQ program on the client computer and tell it exactly which ports it should use to accept connections. I recommend using ports 20000-20009 for the first computer running ICQ, 20010-20019 for the second one and so on. Thus, to enable ICQ to receive files on the computer 192.168.0.2, add port maps for ports 20000-20009. Click "Add...". Call this port map "ICQ20000", choose service port number 20000, TCP, and enter 192.168.0.2 as the IP address.


Now do the same for ports 20001 to 20009. You should see something like this:

You now know how to add port mappings for applications that need to accept connections on 1, or multiple, ports. You should now be able to add port mappings for any other applications that need to accept connections. Good luck! However, these port mappings won't work unless the relevant applications on the client computer/s are set up properly. To learn how to do this, continue...

Sygate Home Network

Coming soon!

NAT32

Coming soon!

WinRoute Lite

Coming soon!


10.2 Configuring server programs on the client

Napster

The default port for Napster to accept connections on is 6699. It's fine to leave it as 6699 for the first computer running Napster, but for each subsequent computer you should add 1 to the port number. To tell Napster which port to accept connections on, open the File menu and choose "Preferences...". Click on the "Transfer" tab. The bit you're interested in is "Share files with Napster users on TCP port".

ICQ

Open ICQ on the client computer. Click on the "ICQ" button and choose "Preferences". Open the "Connections" section. Tell ICQ that you have a permanent connection, and to determine your IP address automatically.


Now click on the "Server" tab and tell ICQ that you're using a firewall, but not using a proxy.


You shouldn't need to change anything in the "Firewall" tab; it should look like this:


Now, finally, you get to tell ICQ which port numbers to accept connections on. Click on the "User" tab and choose "Not using Proxy", click "Use the following TCP listen port for incoming event", and enter a port range. ICQ needs to be able to accept connections on several ports to work properly; I recommend using ports 20000-20009 for the first client, 20010-20019 for the second client and so on.

Other applications that need to accept connections

As you can see, the exact configuration of each program is different, but the general principles are the same. For each program on each client computer, you need to (1) configure the server computer to map a port or port range to that client computer, and (2) configure the program on the client computer to accept connections on that port or port range.
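A consistency check for the two steps above, as an added example (not part of the original guide or of any NAT program): it expands port ranges into one entry per port, the way the Windows ICS walkthrough in 10.1 adds them, and compares them with the ports the client programs are set to accept connections on in 10.2. The function names, the server address 192.168.0.1 and the sample layout are assumptions made for the illustration.

```python
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.0.0/24")  # home network addressing used in this guide
SERVER_IP = "192.168.0.1"           # assumption: the NAT server's LAN address

def expand(name, first, last, target):
    """One entry per port, named like the guide's 'ICQ20000' / 'Napster6699'."""
    return [{"name": f"{name}{port}", "port": port, "proto": "TCP", "ip": target}
            for port in range(first, last + 1)]

def audit(mappings, listeners):
    """Compare the server's port maps with the ports client programs listen on.

    mappings  -- entries from expand()
    listeners -- {client ip: set of TCP ports its programs accept connections on}
    Returns a sorted list of (problem, port, ip); an empty list means consistent.
    """
    problems, owner = set(), {}
    for m in mappings:
        port, ip = m["port"], m["ip"]
        if not 1 <= port <= 65535:
            problems.add(("bad-port", port, ip))
        elif ip_address(ip) not in LAN or ip == SERVER_IP:
            problems.add(("target-not-a-client", port, ip))
        elif owner.setdefault(port, ip) != ip:
            # An incoming port can be forwarded to only one computer.
            problems.add(("port-mapped-twice", port, ip))
        elif port not in listeners.get(ip, set()):
            # Opened through NAT, but nothing on that client expects it.
            problems.add(("mapped-but-not-listening", port, ip))
    for ip, ports in listeners.items():
        for port in ports:
            if owner.get(port) != ip:
                # The program waits on a port the server never forwards to it.
                problems.add(("listening-but-not-mapped", port, ip))
    return sorted(problems)

def demo():
    # Constructed sample: two clients running Napster and ICQ as in the guide,
    # with one mistake: 192.168.0.3 still has Napster on the default 6699.
    maps = (expand("Napster", 6699, 6699, "192.168.0.2")
            + expand("Napster", 6700, 6700, "192.168.0.3")
            + expand("ICQ", 20000, 20009, "192.168.0.2")
            + expand("ICQ", 20010, 20019, "192.168.0.3"))
    listening = {
        "192.168.0.2": {6699} | set(range(20000, 20010)),
        "192.168.0.3": {6699} | set(range(20010, 20020)),
    }
    return maps, audit(maps, listening)

if __name__ == "__main__":
    for problem in demo()[1]:
        print(problem)
```

Every entry reported as mapped-but-not-listening is an incoming port opened through NAT for no benefit, so remove the mapping or correct the client program's port setting.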


Some useful links

General

AusForum (http://www.ausforum.com) - This forum is a great starting-point for Aussies who either have a cable modem or are considering getting one
Whirlpool (http://www.whirlpool.net.au) - Whirlpool is an Australian broadband news and discussion portal, which also has some very useful information including an Australian Broadband FAQ
AUSBUG (http://www.ausbug.org) - The Australian Broadband Users Group
whatis.com (http://www.whatis.com) - A useful glossary of technical terms

Cable modem providers

Optus@Home (http://www.optushome.com.au) - The better of the 2 cable modem providers, because it's much faster, much more reliable and doesn't have a login client
Telstra Bigpond Broadband (http://www.bigpond.com/broadband) - The other cable modem provider in Australia

Networking

Practically networked (http://www.practicallynetworked.com) - Lots of good information on home networking, including information for Macintosh users

Internet connection sharing software

Sygate (http://www.sygate.com) - The most popular software
WinRoute (http://www.kerio.com) - The most powerful software that I've seen for home use
NAT32 (http://www.nat32.com) - The cheapest software I've seen

Security

ZoneAlarm (http://www.zonelabs.com) - The free personal firewall that I recommend
TINY software (http://www.tinysoftware.com) - The homepage of TINY Personal Firewall, another free firewall
Gibson Research Corporation (http://grc.com) - Steve Gibson provides a port scanner to test your firewall, a program to rid your computer of spyware and various other useful things

ADSL

Greystorm's page (http://users.bigpond.net.au/storm/) - Greystorm has a nice page explaining how to share a Telstra ADSL connection


Acknowledgments

My grateful thanks go to all those who have assisted with this web page by commenting, correcting, suggesting and encouraging me. These people include:

Cable Users Australia Whirlpool Greystorm Michael McNeill Brad del-Munns Gennady Kotliar The Chengster Anarcy Ajay Iyengar Chris Jones
