Winroute Manual3

This document is the user manual for WinRoute Pro 3.0. It provides an overview of the product and instructions for installation, configuration, and use. The manual covers topics such as security features like network address translation, port mapping, and packet filtering. It also discusses using WinRoute's DNS, DHCP, proxy and mail server capabilities. The document provides examples and step-by-step instructions to help users set up and customize WinRoute's network routing and security functions.

Uploaded by daldoul ali

WinRoute manual.qxd 10.3.1998 20:41 Stránka 1

User's Manual

WinRoute Pro 3.0 Content

BRIEF OVERVIEW
1 Product Overview . . . . . . . . . . . . . . . . . . . . . . . . . .5

QUICK START
2 Installation
Choosing the computer for installation . . . . . . . . . . . . . . . . . . . 10
System requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Installation program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Installed files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12
Uninstallation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12

3 Configuration
Quick configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14
Product features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16
Network interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17
RAS interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Configuration examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

REFERENCE GUIDE
4 Security
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23
Network address translator (NAT) . . . . . . . . . . . . . . . . . . . . . . . .24
How does NAT work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
NAT parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
NAT configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25
An example configuration of advanced NAT . . . . . . . . . . . . . . . . . . .27
Port mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .28
How does port mapping work . . . . . . . . . . . . . . . . . . . . . . . . . . . .28
Port mapping configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . .28


Packet filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .29


What does a packet look like . . . . . . . . . . . . . . . . . . . . . . . . . . . .29
Applications and port numbers . . . . . . . . . . . . . . . . . . . . . . . . . . .31
Security policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .32
Restricting user access to certain internet services . . . . . . . . . . . . . .34
Packet filtering configuration . . . . . . . . . . . . . . . . . . . . . . . . . . .34
Anti-spoofing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .36
Anti-spoofing configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . .37
Anti-spoofing configuration example . . . . . . . . . . . . . . . . . . . . . . .37
Assigning names for address groups and time intervals . . . . . . . .39
Address groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .39
Time intervals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .39

5 DNS Server
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .42
DNS server in WinRoute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .42
DNS server configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .42

6 DHCP Server
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .46
DHCP server in WinRoute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .46
DHCP server configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . .46
Configuration in multi-segment network environment . . . . . . . .50
Example configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .50

7 Proxy Server
Proxy overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .54
Proxy server setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .54
Configuring proxy clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .57
Access control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .58
Access control - examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .58
Cache improvements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .59


8 Mail Server
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .62
Receiving mail from the Internet . . . . . . . . . . . . . . . . . . . . . . . .62
Download from individual remote POP3 accounts . . . . . . . . . . . . . . .62
Download from domain mailbox . . . . . . . . . . . . . . . . . . . . . . . . . .62
SMTP domain mailing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .62
Sending mail to the Internet . . . . . . . . . . . . . . . . . . . . . . . . . . .63
Sending email locally . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63
Configuring email clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63
Scheduling email exchange . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63
Aliases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .64
Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .64

9 Appendices
Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .70
Routing in Networks with Multiple Segments . . . . . . . . . . . . . . . . .70
Routing in the Windows Environment . . . . . . . . . . . . . . . . . . . . . .71
Port mapping examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .72
WWW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .72
SMTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .73
PPTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .73
CU-SeeMe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .73
ICQ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .74
Using WinRoute with DirecPC . . . . . . . . . . . . . . . . . . . . . . . . . . .74
Example Setting 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .75
Example Setting 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .76
Example Setting 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .77
Configuring TCP to Increase Throughput . . . . . . . . . . . . . . . . . . . . .78
Dividing network into multiple segments . . . . . . . . . . . . . . . . . .78
Keyboard Shortcuts in WinRoute . . . . . . . . . . . . . . . . . . . . . . . . .79

Product overview


WinRoute is a 32-bit Internet access application for the Windows 95/98 and Windows NT operating systems.
WinRoute is the simple and secure way to connect your local computer network to the Internet.
The connection to the Internet may be through a dial-up line, a leased line or another network adapter. The local network is routed through, or hidden behind, a single IP address (either static or dynamic). In summary, all computers in the local network gain full, secure and transparent access to the Internet.

Built-in DHCP
Network management is not a nightmare anymore! WinRoute's built-in DHCP server takes the burden of internal IP address management off your hands.

Mail Server
You could hardly find a mail server of such versatility and flexibility as WinRoute's. Fully SMTP/POP3 compatible, with virtually unlimited aliasing opportunities, WinRoute's mail server is the right choice for all small and medium businesses.

Network Management
Diverting IP traffic, creating public and private zones, running several web or email servers behind a single IP address and many more network services are available and easier to set up than ever before.

Phone Over The Internet!
Enjoy low-cost Internet telephony within the entire company! WinRoute is the world's first Internet sharing solution that allows multiple users to place a phone call over the Internet at THE SAME TIME!

Secure and Transparent Shared Internet Access
Network Address Translation (NAT) is the new standard in LAN-to-Internet connectivity. WinRoute includes the best NAT ever, supporting virtually any Internet protocol including multimedia and telephony.
Unlike proxy servers, WinRoute lets you connect your LAN to the Internet WITHOUT the additional configuration of your applications that is so painful with proxy servers.

Firewall
WinRoute includes the best firewall protection you could imagine. WinRoute's advanced technology will give you the protection you would expect from much higher priced solutions.

URL Filter!
Even though freedom is one of the very basic human rights, WinRoute includes a powerful tool to control user access to the Internet. You may do it via the firewall or the built-in URL filter.

Installation

Choosing the Computer for Installation

WinRoute should be installed on the computer which will facilitate the connection of the local area network (or of several local area networks) to the Internet. The computer should have a network card for the local area network connection and a device for the Internet connection: a modem, an ISDN adapter, another network card, etc.

System Requirements
Operating System
WinRoute may be installed on computers with the following operating systems:
- Windows NT 4.0 Workstation
- Windows NT 4.0 Server
- Windows 95
- Windows 98
Windows NT 4.0 should have Service Pack 3 applied.

Hardware
- PC with a 486/66 processor or higher
- Memory:
  8 MB (16 MB recommended) with Windows 95/98
  16 MB (24 MB recommended) with Windows NT
- Ample disk space for the proxy cache
The hardware requirements grow as the number of users grows.

System Software
- TCP/IP protocol
- Telephone connection (RAS) if you use a modem or an ISDN card


Installation Program
To install WinRoute, launch the installation program. You will find the program on the distribution medium. You may also download it from the Internet.

After you start the installation program, you may choose the following:
- "Destination Directory"
  The directory in which WinRoute will be installed.
- "Install WinRoute as"
  This option controls whether the program should be installed as a common application or as an application with service support. If you choose the latter, you will be able to launch WinRoute either as a common application or as a service. The latter option is only available in Windows NT.
- "Start service automatically at system startup"
  If you install WinRoute as a service, you may have it started automatically during operating system startup.
- "Create Program Group"
  This option controls whether a program group will be created in Start > Programs.
After the installation is finished, you will be prompted to restart the computer.


Installed Files
The installation creates the following executable files:
In the destination directory:
- WinRoute.exe
- Server.exe
In the system directory:
- wrdrv.sys (if the operating system is Windows NT)
- wrdrv.vxd (if the operating system is Windows 95/98)

Uninstallation
To uninstall the product, use the uninstall program only. The uninstall program may be started from the WinRoute group in the Start > Programs menu, or from Control Panel > Add or Remove Programs.
After the uninstallation is over, restart the computer in order to deactivate the WinRoute network driver.

Configuration

Quick Configuration Guide


This section describes the quick configuration of WinRoute and the computers within
the local area network.

The Assumed Network

Let us assume the most common local area network configuration: several computers connected to a single network segment.
WinRoute is installed on the computer that facilitates the Internet connection. The whole network looks like a single computer (from the outside Internet), as it uses a single registered IP address to connect to the Internet. This address could be either static or dynamic, depending on the service you subscribe to from your ISP.

Requirements
- The Remote Access Service (RAS) is installed on the WinRoute computer.
- All the computers within the local area network have TCP/IP installed.

STEP 1 - Configuring WinRoute

The assumed network configuration is the default one, so after WinRoute is installed it is not necessary to alter its configuration. Only if you have more than one RAS telephone connection entry is it necessary to choose the entry to be used by WinRoute. To do that, go to the "Settings" menu, choose "Interfaces", and select "RAS line0" in the list. In the "Properties" dialog, select the "RAS Settings" tab and set the connection entry.

STEP 2 - Configuring TCP/IP on the computers within your LAN

1. Using WinRoute's built-in DHCP server
We strongly recommend using WinRoute's built-in DHCP server to assign IP addresses to the computers within your LAN. It makes the configuration and further administration easy. Then you will have to perform a single setting: set each workstation to obtain its IP address from the DHCP server and leave all other settings blank.

2. Using another DHCP server (for example the one in Windows NT)
If you use another DHCP server to assign workstations their IP addresses, you will have to perform the following setting at each computer: set the default gateway to the computer where WinRoute is running.

3. You do not use a DHCP server

3.1 IP addresses
First of all, it is necessary to assign IP addresses to the individual computers in your local area network. We recommend using addresses from the private address blocks. For example, it is possible to use the addresses 192.168.1.x. You may assign the address 192.168.1.1 to the LAN interface of the WinRoute computer, while the addresses 192.168.1.2, 192.168.1.3, 192.168.1.4, etc. will be used for the remaining computers. The correct network mask to be used with these addresses is 255.255.255.0.



3.2 Gateway (Router) Address
The computers in the LAN need to use the address of the WinRoute computer as their Internet gateway address. In the case of the addresses proposed in the previous paragraph, the gateway address is 192.168.1.1. Enter this address in the "Gateway" field of the TCP/IP configuration dialog.
Please note: Do not enter the gateway address on the computer where WinRoute is installed.

3.3 DNS Server Address
Your Internet Service Provider will tell you the address of the DNS server you should use. Enter this address in the TCP/IP configuration dialog on your LAN computers.
Please note: The DNS address has to be entered on all computers in your LAN, including the WinRoute computer.
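The rules in steps 3.1 to 3.3 are easy to get wrong on a single workstation (a gateway from the wrong subnet, a DNS entry forgotten on the WinRoute computer itself). The following Python script is an added example, not part of the manual or of WinRoute: it builds the static settings for each workstation from the manual's plan (private block 192.168.1.x, mask 255.255.255.0, 192.168.1.1 on the WinRoute computer) and checks a host's settings against the rules, including both "Please note" caveats. "A.B.C.D" is kept as the manual's placeholder for the ISP's DNS server; the function names are my own.

```python
import ipaddress

# Values from the manual's example plan (constructed for this example).
LAN_NETWORK = ipaddress.ip_network("192.168.1.0/255.255.255.0")
WINROUTE_LAN_IP = ipaddress.ip_address("192.168.1.1")
ISP_DNS = "A.B.C.D"  # placeholder: substitute the address supplied by your ISP


def workstation_settings(address):
    """Static TCP/IP settings for one LAN workstation (steps 3.1 to 3.3)."""
    ip = ipaddress.ip_address(address)
    if ip not in LAN_NETWORK or ip == WINROUTE_LAN_IP:
        raise ValueError(f"{address} is not a usable workstation address in {LAN_NETWORK}")
    return {"ip": str(ip), "mask": str(LAN_NETWORK.netmask),
            "gateway": str(WINROUTE_LAN_IP), "dns": ISP_DNS}


def winroute_settings():
    """LAN interface of the WinRoute computer: no gateway (note in 3.2),
    but the DNS address is still required (note in 3.3)."""
    return {"ip": str(WINROUTE_LAN_IP), "mask": str(LAN_NETWORK.netmask),
            "gateway": None, "dns": ISP_DNS}


def check_settings(settings, is_winroute_host=False):
    """Return the list of rule violations in one host's settings ([] means OK)."""
    problems = []
    ip = ipaddress.ip_address(settings["ip"])
    # strict=False accepts a host address (not just a network address) with its mask
    net = ipaddress.ip_network(f"{settings['ip']}/{settings['mask']}", strict=False)
    if not ip.is_private:
        problems.append("address is not from a private address block")
    if net != LAN_NETWORK:
        problems.append(f"address/mask give {net}, expected {LAN_NETWORK}")
    gateway = settings.get("gateway")
    if is_winroute_host:
        if gateway is not None:
            problems.append("gateway must not be set on the WinRoute computer")
    elif gateway is None:
        problems.append("gateway missing")
    elif ipaddress.ip_address(gateway) != WINROUTE_LAN_IP:
        problems.append(f"gateway {gateway} is not the WinRoute computer")
    elif ipaddress.ip_address(gateway) not in net:
        problems.append(f"gateway {gateway} is outside the host's own subnet")
    if not settings.get("dns"):
        problems.append("DNS server address missing (required on every computer)")
    return problems


if __name__ == "__main__":
    for host in ("192.168.1.2", "192.168.1.3", "192.168.1.4"):
        s = workstation_settings(host)
        print(host, s, check_settings(s) or "OK")
    w = winroute_settings()
    print("WinRoute", w, check_settings(w, is_winroute_host=True) or "OK")
```

The check deliberately tests the gateway against the host's own address/mask as well as against the planned gateway, because a workstation with a mistyped mask (say 255.255.0.0) will still "see" 192.168.1.1 but no longer belongs to the planned /24.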

An Example Setting
The figure below summarizes the information on configuring TCP/IP in your LAN. The addresses used in the figure are the ones proposed in the previous paragraphs. The value "A.B.C.D" is the DNS server address supplied to you by your ISP. "EL90X1" is the name of the network interface card of the WinRoute computer.

Testing the Configuration

To test the configuration, simply launch WinRoute, click on the "Commands" menu item and select the "Dial" command. After the connection is established, all workstations in the local area network should be able to access the Internet.


Product Features
WinRoute has the following features:
- NAT (Network Address Translation)
  Allows the network to access the Internet using a single IP address. It also provides automatic network protection.
- Port mapping
  Port mapping provides access to services which run in the network protected by NAT.
- Packet filtering
  Firewalling based on packet filtering together with NAT provides the ultimate network protection.
- DHCP Server
  Provides automatic configuration of the network (IP addresses, network masks, and others).
- HTTP proxy cache
  Provides fast access to web pages visited in the past. WinRoute's cache includes revolutionary technology speeding up the access, saving disk space (up to 10x) and preventing the disk from fragmenting.
- Mail server
  A feature-rich mail server enables the whole network to send and receive email, with rich aliasing and email-downloading options.
- Simple DNS Server
  Serves as a simple DNS server for the local network. It is also capable of DNS query forwarding and it contains a DNS cache.

Architecture
The figure below shows the architecture of WinRoute:


Network Interfaces
In WinRoute, the network interfaces identify the networks that are connected to the computer which runs WinRoute. Each network interface bears a unique name.
WinRoute works with the following three types of interfaces (categorized according to the type of network equipment):
- Ethernet (local area network cards)
- RAS (modems, ISDN adapters)
- DirecPC (satellite data delivery card)

To obtain a list of the network interfaces which are available on your computer, use the following menu command:
Settings > Interfaces
If you select an interface and push the "Settings" button, a dialog window opens with pads containing the interface configuration. The following pads may appear:
- "Nat"
  Network address translation setup. Refer to the chapter on network security for more information.
- "Ras"
  The configuration of remote access lines (RAS type interfaces). The configuration is described in the next chapter.
- "DirecPC"
  The satellite data delivery interface setup. The configuration of this interface is described in the appendix.

RAS Interface
The RAS (Remote Access Service) interface allows you to connect to the Internet using a modem or an ISDN adapter. A record from the Telephone network connection must be associated with each RAS interface. The record describes the connection to your Internet service provider.


You may set up the RAS interface in the following menu:

Settings > Interfaces > Settings > "RAS" pad

- "RAS Entry"
  Denotes the Telephone connection record to be used by the interface.
- "Username", "Password"
  Username and password for the connection. If you do not enter a username and password, they will be taken from the Telephone connection (provided that you allowed them to be stored there).
- "Connection"
  Determines the connection method. The following variants are available:
  - Manual
    The user creates the connection manually from the menu.
  - On Demand
    The connection is created automatically when WinRoute detects that an application attempts to communicate with the Internet. This happens, for example, when a user enters a page to be opened in her/his browser.
  - Persistent
    The line is kept in the connected state all the time. This option is used for leased lines, for example.
  - Custom
    Allows a combination of the previous options using time intervals. For example, it is possible to allow the connection on demand only in a certain period of the day.
- "Options"
  - Hangup if idle for...
    Hangs up the line if no data were sent through it for a specified period of time.
  - Redial when busy
    If an attempt to connect is not successful (the line is busy, for example), the attempt is repeated.
  - Reconnect on line failure
    If a connection is lost because of telephone line errors, the connection is recreated.

Several RAS Interfaces

In case you connect to several Internet service providers, it is possible to create several RAS lines (i.e. RAS-type interfaces). RAS lines may be added and/or deleted in the menu Settings > Advanced > RAS Lines.
You cannot use several RAS lines simultaneously to increase connection speed. If several RAS lines are connected at a time, data are sent only through one of them, according to the routing table. To increase the connection speed, you may group several devices under a single Telephone connection entry (a so-called Multilink). It is possible to configure this in the settings of the particular Telephone connection entry.

Configuration Examples
The following examples show how to set up WinRoute and the computers in the local area network in the most usual situations.
The IP addresses and interface names (EL90X1, NE2000) used in the examples are only illustrative. Your actual values will probably be different.
In the examples, the IP address of the DNS server is substituted with the string "A.B.C.D". Replace this string with an actual address using one of these two methods:
- Use the IP address of the DNS server of your Internet service provider. DNS queries will go directly to the DNS server of your ISP.
- Use the IP address of the computer with WinRoute (in our examples, this is 192.168.1.1). In WinRoute, activate its built-in DNS server using the menu "Settings" > "DNS Server" and enter the IP address of your Internet service provider's DNS server in the field "Forward DNS queries to". The DNS queries will go to the computer with WinRoute, which will forward them to the DNS server of your ISP.

Example 1
A local area network connected to the Internet using a telephone line (a modem,
an ISDN adapter).

Example 2
A local area network connected to the Internet through the second network card on
the computer running WinRoute.


Example 3
A local area network connected to the Internet using a cable modem.

Example 4
This example is similar to Example 1. The DHCP server is used additionally for setting the network parameters of the workstations.

The DHCP server is configured as follows:

The DHCP server configured in this way assigns the following parameters to the workstations:
- IP addresses in the range 192.168.1.10 through 192.168.1.20
- Network mask 255.255.255.0
- Router (gateway) address 192.168.1.1
- DNS server A.B.C.D

The IP address is assigned for a period of 4 days.

DHCP may be used in a similar way in Examples 2 and 3.

Security

Overview
WinRoute provides the following techniques of packet manipulation (in the network layer of the OSI model):
- Network address translation (NAT)
- Port mapping
- Packet filtering
- Anti-spoofing

These techniques may be used to safeguard a local area network against attacks from the Internet. Network address translation also allows for connecting a network to the Internet even if the available number of registered addresses is otherwise insufficient. An entire network may, for example, be connected using a single IP address.
Network address translation is a technique which modifies packets sent from the entire local area network or from a defined part of it (the requests) so that they look as if they were sent from the computer which runs WinRoute (the computer replaces the address in the packet with its own). The incoming packets (the answers) are sent back to the computers in the local area network.
Port mapping provides access to selected services protected by NAT.
Packet filtering is the basic security module of each firewall. Using data in the packets (such as source and target IP address, the type of network protocol, source and target port, etc.) it either allows packets to pass through or blocks them. If a filtering rule applies (depending on the meaning of the rule), information about the packet is recorded.
Anti-spoofing is an add-on to packet filtering which protects the local area network against an attack during which an intruder falsifies source IP addresses.
In order to achieve a high level of security, WinRoute contains an inspection module. It is a special driver which works between the link and network layers of the OSI model. The driver uses an original technology which ensures that WinRoute receives packets directly from the network card driver, that is before any other component of the operating system.
The location of WinRoute's inspection module (which checks the contents of packets) in the network architecture of Windows operating systems is shown in the figure below.


Terminology
It would be useful to become more familiar with some of the terms used in this manual and in the product, especially if you are going to configure packet filtering. You must know exactly what the information contained in packet headers means.

TCP/IP protocols
WinRoute is a product which works with TCP/IP networks. The TCP/IP protocols are designed to work in layers. Speaking about TCP/IP protocols, we mean the following protocols: IP, TCP, UDP, ICMP, and others based on IP.

Network interface
A network interface is a device which connects the computer with other computers by means of a communication medium. A network interface may be an Ethernet card, modem, ISDN card, etc. The computer sends and receives packets by means of the network interface.

IP address
An IP address is a unique 32-bit number which identifies the computer in IP networks. A unique IP address is assigned to each computer in the Internet. Each packet passing across the Internet contains information about the address it was sent from (the source IP address) and the address it should be delivered to (the target IP address).

Network mask
The network mask is used to group IP addresses together. There is a group of addresses assigned to each network segment. For example, the mask 255.255.255.0 groups together 254 IP addresses. If we have, for example, a sub-network 194.196.16.0 with mask 255.255.255.0, the addresses we may assign to computers on the sub-network are 194.196.16.1 through 194.196.16.254.
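The grouping the paragraph above describes is bit arithmetic: the one-bits of the mask select the network part of the address, the zero-bits the host part. The following Python functions are an added example (mine, not the manual's or WinRoute's) that carry this through for any mask, not only 255.255.255.0: they compute the network and broadcast addresses, the range of assignable addresses and their count, reject a mask whose one-bits are not contiguous, and handle the edge case of a mask that leaves fewer than two host addresses. The function names are my own.

```python
def ip_to_int(dotted):
    """Parse a dotted-quad IPv4 address or mask into a 32-bit integer."""
    parts = [int(p) for p in dotted.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"not a valid IPv4 dotted quad: {dotted}")
    return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]


def int_to_ip(value):
    """Inverse of ip_to_int."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def is_valid_mask(mask):
    """A network mask must be a run of one-bits followed by a run of zero-bits."""
    host_bits = ~mask & 0xFFFFFFFF             # the zero part of the mask, inverted
    return host_bits & (host_bits + 1) == 0    # true only if host_bits is 2**n - 1


def subnet_info(address, mask):
    """Describe the group of addresses that `mask` forms around `address`."""
    a, m = ip_to_int(address), ip_to_int(mask)
    if not is_valid_mask(m):
        raise ValueError(f"non-contiguous mask: {mask}")
    network = a & m                             # mask one-bits select the network part
    broadcast = network | (~m & 0xFFFFFFFF)     # all host bits set
    host_bits = 32 - bin(m).count("1")
    # The network and broadcast addresses are not assigned to computers, so
    # 255.255.255.0 leaves 254 usable addresses. A mask with fewer than two
    # host bits (255.255.255.254 or 255.255.255.255) leaves none.
    usable = max(0, (1 << host_bits) - 2)
    return {
        "network": int_to_ip(network),
        "broadcast": int_to_ip(broadcast),
        "first_host": int_to_ip(network + 1) if usable else None,
        "last_host": int_to_ip(broadcast - 1) if usable else None,
        "usable_hosts": usable,
    }


def same_segment(addr_a, addr_b, mask):
    """True if both addresses fall into the same group under the mask, i.e. the
    hosts can reach each other directly instead of going through the gateway."""
    m = ip_to_int(mask)
    return ip_to_int(addr_a) & m == ip_to_int(addr_b) & m


if __name__ == "__main__":
    info = subnet_info("194.196.16.0", "255.255.255.0")
    print(f"{info['first_host']} through {info['last_host']} ({info['usable_hosts']} hosts)")
```

`same_segment` is the check a workstation performs before deciding whether to send a packet to its gateway, which is why the mask on a LAN host must match the one used on the WinRoute computer.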

Port
A port is a 16-bit number (the allowed range being 1 through 65535) used by the protocols of the transport layer, the TCP and UDP protocols. Ports are used to address applications (services) which run on a computer. If there were only a single network application running on the computer, there would be no need for port numbers and the IP address alone would suffice for addressing services. However, several applications may run at once on a particular computer and we need to differentiate among them. This is what port numbers are used for. Thus, a port number may be seen as the address of an application within the computer.

Packet
A packet is the basic communication data unit used when transmitting data from one computer to another. Each packet contains a certain amount of data. The maximum length of a packet depends on the communication medium. As an example, in Ethernet networks the maximum length is 1500 bytes. In each layer, we may divide the contents of the packet into two parts: the header part and the data part. The header contains the control information of the particular layer; the data part contains data that belong to the upper layer. More detailed information on the structure of the packet may be found below in the section on packet filtering.

Network Address Translation

Network address translation (NAT) may be used to achieve the following:
- automatic local area network protection
- a transparent connection of the network (or part of it) to the Internet using a single registered IP address

When NAT is employed, the local area network does not use registered IP addresses. Because of this, the internal structure of the network is hidden and not directly accessible from the Internet. An intermediary is needed to access the LAN from outside networks, and the NAT module is responsible for that. NAT only allows packets which are an answer to communication initiated from the protected network to enter it, since it remembers all communication initiated from the protected network. Other packets are blocked.
The connection of an entire network using a single registered IP address is made possible since the NAT module rewrites the source address in the packets sent from computers in the local area network with the address of the computer WinRoute is running on.
The connection to the Internet is transparent, which means that the computers in the local network use WinRoute as their gateway (router). From the point of view of the local computers, it looks as if they were connected to the Internet using registered addresses. Thus, most applications work with NAT without the need to set up anything on the application's or server's side. This is the main feature which differentiates NAT significantly from various proxy servers and application-level gateways. Such applications, in principle, will never be able to support some protocols.

How NAT works

The NAT module maintains a small database which records information about each connection. The main pieces of information are: the source IP address and port, the target IP address and port, and the IP address and port used to modify the packets.
The following is an example of how NAT works:
Let us consider a computer in a protected network. The IP address of the computer is 192.168.1.22. The computer decides to communicate from port 7658 with a WWW server in the Internet, the IP address of which is 194.196.16.43 and its port number is 80. The communication passes through WinRoute, which uses the address 195.75.16.75 on its outer interface.


First, the computer 192.168.1.22 sends a packet from port 7358 to computer 194.196.16.43, port 80. The packet passes through WinRoute, which checks its table to see if it contains an appropriate entry. If so, the existing entry is used; otherwise WinRoute creates a new one. Then it modifies the packet, replacing the source address with its own address. It also changes the source port. Thus the source address will be 195.75.16.65, and the port number will, for example, be 61001. After the changes the packet is sent on. When an answer arrives, it contains 195.75.16.65 as the target address and 61001 as the target port. WinRoute searches its table by the port number 61001 and finds the entry for the connection. According to the entry, it changes the target address and port back to 192.168.1.22 and 7658, respectively.

NAT parameters
Normally applications work with NAT without any problems as long as the communication is initiated from the protected network. This is the case with most applications. However, there are applications which are not designed correctly and do not comply with the client-server model entirely. Such applications may not work through NAT, or some of their functions may be restricted. The reason is that these applications use more than one connection and the additional connections are initiated by the server (located somewhere in the Internet). Naturally enough, NAT blocks such connections.

NAT Configuration
Basic Configuration
In WinRoute, NAT is simply switched on and off using a single option in the network interface properties. The interface should be the outer one, the one which connects the local area network to the Internet.
NAT may be configured using the menu:
Settings → Interface Table → NAT
• ”Perform NAT with the IP address of this interface on all communication passing through”
This switches NAT on for the interface. When NAT is on, it is applied to all packets passing through the interface.


• ”Exclude this computer from NAT”

If you switch this option on, NAT will not be applied and the computer will not be protected. Generally, we do not recommend switching this option on. Use it only if you have a server application that has to be accessible from the Internet and that is unable to work inside the protected network using port mapping.

Advanced Settings
The NAT advanced settings may be used in case you need to apply NAT to some parts (segments) of your network and not to the rest of it. You may need this if registered addresses are used in a part of your network and this part is accessible from the Internet, while the rest of the network uses unregistered (internal) addresses and should not be accessible from the Internet. Advanced NAT is also suitable for creating demilitarized zones (DMZs) in which the servers accessible from the Internet run.
You may set another IP address to be used when performing NAT on selected interfaces. Then all packets leaving such an interface will be assigned that address for return (this address will be used in the “From” field in the header of outgoing packets). Using this feature, your network looks as if it had a different IP address.
The NAT advanced settings are defined with a table of rules. The table is always searched from top to bottom. The search ends after the first applicable rule is found. A rule is applicable if the source and target addresses comply with the data set in the rule.
The NAT advanced settings are configured in the menu:

Settings → Advanced → NAT pad → Add/Edit button

• ”Packet Description”
This defines to which packets the rule should be applied. The packet is specified by source and/or target address. There may be a single address or a group of addresses specified by a network mask, an interval of addresses, or a named group of addresses. The condition “Only when outgoing interface is” says that the rule is applicable only if the packet is sent out through the specified interface.



• ”NAT”
This defines what to do with a packet when the rule is applicable to it. There are the following possibilities:
• “Do not do NAT”
• “Do NAT with specified IP address”
• ”Log Packet”
If the rule is applicable to a packet, packet information is recorded. Logging is suitable especially for testing the configuration or finding problems in it.

An Example Configuration of Advanced NAT

The figure below shows three networks:
192.168.1.0 with mask 255.255.255.0
192.168.2.0 with mask 255.255.255.0
194.196.16.0 with mask 255.255.255.0

The first two networks use private IP addresses, so in order to access the Internet, NAT must be used. The third network uses registered IP addresses. It is directly accessible from the Internet.
To configure NAT for this situation, first switch NAT on for the interface that leads to the Internet (line 0). Then, in the Advanced Settings, configure NAT not to be done for the third network.


The Advanced Settings are shown in this figure:

Port Mapping
WinRoute performs NAT, which makes the protected network inaccessible from outside. Using port mapping, it is possible to create communication channels through which services inside the network may be accessed. This makes it possible to offer public services such as a WWW server, an FTP server, and others.

How port mapping works

Each packet received from the outside network (from the Internet) is checked to see whether its attributes (that is, the protocol, target port, and target IP address) comply with an entry in the port mapping table (Protocol, Listen Port, Listen IP). If an entry is found for which all three attributes are equal to the packet attributes, the packet is modified and sent to the protected network, to the address defined as “Destination IP” in the table's entry and to the port defined as “Destination Port”.
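A small model of the two tables just described, the NAT connection table from the "How NAT works" walkthrough and the port mapping table, as an added example (this is not WinRoute's code). It uses the addresses from the walkthrough above (192.168.1.22:7658 to 194.196.16.43:80 behind the outer address 195.75.16.65, first NAT port 61001); the inbound check that an answer must come from the remembered remote endpoint, and the rule that a mapping without a Destination Port keeps the packet's own port, are modelling assumptions.

```python
"""NAT connection table and port mapping table, modelled after the description above.
Added example, not WinRoute code. Addresses come from the manual's NAT walkthrough."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

OUTER_IP = "195.75.16.65"   # WinRoute's address on the outer interface (manual's example)
FIRST_NAT_PORT = 61001      # first source port used for rewritten packets (manual's example)


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class PortMapping:
    proto: str                        # "Protocol"
    listen_ports: range               # "Listen Port": a single port or an interval
    dest_ip: str                      # "Destination IP"
    dest_port: Optional[int] = None   # "Destination Port"; None keeps the packet's port (assumption)
    listen_ip: Optional[str] = None   # "Listen IP" (optional field)


class Gateway:
    def __init__(self, mappings: Optional[List[PortMapping]] = None):
        # NAT table: rewritten source port -> (proto, LAN ip, LAN port, remote ip, remote port)
        self.nat_table: Dict[int, Tuple[str, str, int, str, int]] = {}
        self.next_port = FIRST_NAT_PORT
        self.mappings = list(mappings or [])

    def outbound(self, p: Packet) -> Packet:
        """LAN -> Internet: reuse or create a table entry, rewrite source address and port."""
        key = (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        for port, entry in self.nat_table.items():
            if entry == key:                       # an appropriate entry exists: use it
                return Packet(p.proto, OUTER_IP, port, p.dst_ip, p.dst_port)
        port = self.next_port                      # otherwise create a new entry
        self.next_port += 1
        self.nat_table[port] = key
        return Packet(p.proto, OUTER_IP, port, p.dst_ip, p.dst_port)

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Internet -> LAN: translate answers to remembered connections back, forward
        packets that match a port mapping entry, block everything else (returns None)."""
        entry = self.nat_table.get(p.dst_port)
        if entry is not None and p.dst_ip == OUTER_IP:
            proto, lan_ip, lan_port, remote_ip, remote_port = entry
            # assumption: only the remembered remote endpoint counts as an answer
            if (proto, remote_ip, remote_port) == (p.proto, p.src_ip, p.src_port):
                return Packet(p.proto, p.src_ip, p.src_port, lan_ip, lan_port)
        for m in self.mappings:                    # port mapping: Protocol, Listen Port, Listen IP
            if (m.proto == p.proto and p.dst_port in m.listen_ports
                    and (m.listen_ip is None or m.listen_ip == p.dst_ip)):
                dest_port = m.dest_port if m.dest_port is not None else p.dst_port
                return Packet(p.proto, p.src_ip, p.src_port, m.dest_ip, dest_port)
        return None                                # not an answer, not mapped: blocked


if __name__ == "__main__":
    gw = Gateway([PortMapping("tcp", range(80, 81), "192.168.1.10")])  # constructed WWW server
    out = gw.outbound(Packet("tcp", "192.168.1.22", 7658, "194.196.16.43", 80))
    print("outbound rewritten to", out)
    print("reply translated to", gw.inbound(Packet("tcp", "194.196.16.43", 80, OUTER_IP, 61001)))
    print("unsolicited packet:", gw.inbound(Packet("tcp", "10.9.8.7", 4444, OUTER_IP, 61001)))
```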

Port Mapping Configuration

Mapped ports may be configured in the menu:
Settings → Advanced → Port Mapping → Add/Edit button
• ”Protocol”
The protocol to be used for the communication through the mapped port.
• ”Listen IP”
If an IP address is entered in this field (this is an optional field), the target address of the incoming packets is compared with it. The packet is only allowed to pass through if the two addresses are equal.
• ”Listen Port”
It gives the port number or an interval of port numbers for which the entry is valid.
• ”Destination IP”
The IP address of the computer to which the packets that comply with the previous conditions should be routed.


• ”Destination Port”
The port number on the computer to which the packets are routed. In most cases this number is equal to the Listen Port.

Several useful configurations of port mapping are shown in the Appendix.

Packet Filtering
Setting up filtering rules to protect the local area network is important especially if the
local area network uses registered IP addresses and if it is directly accessible from the
Internet. If you use NAT for your entire network, you do not need packet filtering.

What a Packet Looks Like

In order to be able to configure packet filtering, it is important to understand how packets are manipulated in the layers of the TCP/IP protocol.
In each layer, the contents of a packet may be divided into two parts: the header and the data. The header contains control information of the given layer. The data part contains data that belong to the upper layer. Each layer adds its own header, so in the result the packet looks as shown below:

The following information is used when setting up the filtering rules for headers of particular protocols (layers):

Internet Protocol (Internet layer)

Internet Protocol is the basic protocol used for (unreliable) delivery of the upper layers' data. The following information may be used for filtering:
• source IP address
• destination IP address
• the type of upper layer protocol, e.g. TCP, UDP, ICMP
• IP options field
The format of an IP packet is shown on the next page. The gray fields are those which may be used with packet filtering.


ICMP protocol (Internet layer)

Internet Control Message Protocol is used for sending error and control messages among computers.
The following information may be used for filtering:
• ICMP message type
The format of an ICMP packet is shown below. The gray fields are those which may be used with packet filtering.

TCP protocol (transport layer)

The Transmission Control Protocol is used for reliable transmission of data between two computers. The computers communicate using a “connection”. The creation of the connection, data transmission and closing of the connection are controlled by special flags in the TCP header of the packet. The flag which controls the creation of a connection (SYN) is of importance for packet filtering, since data can only be transmitted after a connection is created.
The following information may be used for filtering:
• source port
• destination port
• flags
The format of a TCP packet is shown below. The gray fields are those which may be used with packet filtering.


UDP protocol (transport layer)
The User Datagram Protocol offers the application layer an unreliable datagram-based transmission of data. In contrast to TCP, UDP does not create a connection between the two computers, and packets may be sent to any IP address and any port number.
The following information may be used for filtering:
• source port
• destination port
The format of a UDP packet is shown below. The gray fields are those which may be used with packet filtering.

Applications and port numbers

Generally, there exist two kinds of applications in the Internet environment: client applications and server applications. A WWW browser is an example of a client application, while a WWW server is, naturally enough, a server application. In order to communicate, the client applications create a connection with the server ones. The server applications wait for connections on given fixed port numbers. Usually, these port numbers are less than 1024. On the other hand, the client application usually does not need any specific port number, so a port number is assigned to it dynamically (the application asks the operating system for an unused port number). The port numbers used for dynamic assignment are greater than 1024.
An example communication of a browser and a WWW server is shown in the figure:


Security Policies
The choice of filtering rules depends strongly on the Internet services you wish to make available to your users. It also depends upon the services in your network that you want to make accessible from the Internet.
More restrictive rules may cause some Internet services to be inaccessible for your users. This is the case with applications which need an additional connection to be created from the Internet, or with UDP-based applications. On the other hand, when the rules are more benevolent, more applications will be functional but the network will be less secure.
The basic principle for setting up the filtering rules is that you block the access from the Internet to your network, while you keep the other direction open (the direction from your network to the Internet). Then, according to the services you want to access outside and the services you want to offer to the outside world, you tune the rules.
The most important thing is the protection of vital services in your network. These services (e.g. file servers, intranet WWW servers, SQL servers) usually listen for connections on ports with numbers less than 1024. Services with port numbers less than 1024 do not run on servers only; even user workstations may run such services. This is the case with file sharing. On the other hand, the port numbers used by client applications are greater than 1024. Thus the number 1024 is very significant for security policy setup.
Each reasonable policy blocks access from the Internet to ports less than 1024 for both TCP and UDP. After that, you may allow the services that you want to make accessible from the Internet. For example, for WWW you allow TCP on port 80.
The more restrictive policy also forbids all incoming UDP packets and also TCP packets that try to establish a connection from the Internet to port numbers greater than 1024. So this policy entirely forbids a connection to be established with the protected network from the Internet, but it allows any communication to be initiated from the protected network. When this policy is applied, some applications may cease to function (entirely or in part, depending on the application). The applications that will have problems are those which expect that their counterpart will connect from the Internet to a port number greater than 1024. Also, applications which use UDP will not work.

Example policies:
When setting up the filtering rules it is important to remember that the rules are searched in the order they appear in the table and once an applicable rule is found, the search is stopped.
The following examples show both the more and the less restrictive policies you may use when setting up the rules:
The less restrictive policy:
For incoming packets on the interface connected to the Internet we do the following:
• individually allow packets with port number smaller than 1024 for the services that you want to offer to the outside world
• allow UDP packets from DNS servers, that is packets having both the source and target ports equal to 53
• forbid TCP packets with target port number smaller than 1024
• forbid UDP packets with target port number smaller than 1024
The figure shows the configuration of the policy in the packet filter:

The more restrictive policy:

For incoming packets on the interface connected to the Internet we do the following:
• individually allow packets with port number smaller than 1024 for the services that you want to offer to the outside world
• allow UDP packets from DNS servers, that is packets having the source port equal to 53 and the target port greater than 1024
• allow UDP packets from DNS servers, that is packets having both the source and target ports equal to 53
• forbid TCP packets with target port number less than 1024
• forbid TCP packets establishing a connection for all port numbers
• forbid UDP packets for all ports

Example:
To allow access to your WWW server, allow TCP packets with target address equal to the address of your WWW server and target port equal to 80.


The figure shows the configuration of the policy in the packet filter:

Restricting User Access to Certain Internet Services

Packet filtering may also be used to restrict the access to some Internet services from your network. It is possible to restrict only some computers, based on source IP addresses. The type of service that you wish to restrict is specified by the target port number of the service.
For example, to restrict access to FTP (File Transfer Protocol), do the following:
• forbid outgoing TCP packets with target port number 21 on the interface connected to the Internet

If you run a proxy server which does filtering according to URL and you want to make your users use the proxy instead of a direct connection, use the following:
For outgoing packets on the interface connected to the Internet:
• Allow packets from the address of the proxy server with target port equal to 80
• Forbid TCP packets with target port equal to 80.

Packet Filtering Configuration

It is possible to set rules on the input and output of each interface. The rules define which packets should be let through and which should be blocked. The rules are defined in terms of IP addresses, ports, and protocols.
The security rules are processed using the following method:
The rules are searched in the order in which they are displayed in the configuration dialog. Upon arrival or departure of a packet, first the rules for the interface from which the packet arrived are searched. Then the rules valid for any interface are searched. After an applicable rule is found, no other rules are searched and the appropriate action is taken: the packet is either allowed to pass through, discarded, or denied. Optionally, information about the packet is written to a file or to the WinRoute window.
A rule defines a source address or an interval of source addresses and a target address or an interval of target addresses. For TCP packets it is also possible to define whether the rule applies to packets which either establish or do not establish a connection.

The packet filtering may be configured in the menu:

Settings → Advanced → Packet Filter → Add/Edit
• ”Protocol”
The network protocol. The possibilities are: IP, TCP, UDP, ICMP, PPTP.
• ”Source”, “Destination”
The definition of source and target addresses. It is possible to enter either a single address or a group of addresses specified by a network mask or an address interval. A named group of addresses may also be used.
It is also possible to specify target and source ports for the TCP and UDP protocols.
• ”ICMP type” (with ICMP only)
Used to specify a particular type of ICMP message.
• ”TCP flags” (with TCP only)
It is possible to specify the following:
• ”Only established TCP connections”: the rule applies if a packet does not create a new TCP connection, i.e. its SYN flag is not set.
• ”Only establishing TCP connections”: the rule applies if a packet attempts to create a new TCP connection, i.e. its SYN flag is set.
• ”Action”
If the rule is applicable to a packet, an action is performed:
Permit - the packet is allowed to enter the protected network
Drop - the packet is discarded
Deny - the packet is denied
If the packet is denied, a deny message is sent to the sender of the packet (i.e. a TCP reset or an ICMP port unreachable message).
• ”Log Packet”
If the rule applies to a packet, information about it is recorded. The recording is done either to the WinRoute window or to a file.
• ”Valid at”
Defines the time interval in which the rule is valid. You may set the rule to be always valid.
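The rule search just described (interface-bound rules first, then rules valid for any interface, first match wins), run over the more restrictive policy from the Example policies section, as an added example that is not WinRoute's code. The WWW server address 194.196.16.43 is reused from the NAT walkthrough and the interface name line0 from the anti-spoofing example; treating a packet that matches no rule as permitted is an assumption of this model, which is why the policy ends with explicit drop rules.

```python
"""Packet filter rule evaluation as described above. Added example, not WinRoute code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

ANY = None   # wildcard for interface, address, port or TCP flag condition


@dataclass(frozen=True)
class Packet:
    iface: str
    direction: str          # "in" (arriving on the interface) or "out"
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    syn: bool = False       # TCP only: True for a packet that tries to establish a connection


@dataclass
class Rule:
    action: str                      # "permit", "drop" or "deny"
    proto: str = "ip"                # "ip" applies to every protocol
    iface: Optional[str] = ANY       # None: rule valid for any interface
    direction: str = "in"
    src: Optional[str] = ANY         # address or network in prefix notation
    dst: Optional[str] = ANY
    sport: Optional[range] = ANY
    dport: Optional[range] = ANY
    tcp_flags: Optional[str] = ANY   # "established" or "establishing"
    log: bool = False                # "Log Packet"

    def matches(self, p: Packet) -> bool:
        if self.direction != p.direction:
            return False
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.src is not ANY and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst is not ANY and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.sport is not ANY and p.sport not in self.sport:
            return False
        if self.dport is not ANY and p.dport not in self.dport:
            return False
        if self.tcp_flags == "establishing" and not p.syn:     # SYN flag must be set
            return False
        if self.tcp_flags == "established" and p.syn:          # SYN flag must not be set
            return False
        return True


class PacketFilter:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.log: List[str] = []

    def decide(self, p: Packet) -> str:
        # rules bound to the packet's interface first, then rules valid for any interface;
        # the first applicable rule ends the search
        ordered = [r for r in self.rules if r.iface == p.iface]
        ordered += [r for r in self.rules if r.iface is ANY]
        for r in ordered:
            if r.matches(p):
                if r.log:
                    self.log.append(f"{r.action} {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}")
                return r.action
        return "permit"   # assumption: a packet matching no rule passes


# The manual's "more restrictive policy" for packets arriving on the Internet interface
# line0; the WWW server address is the one used in the NAT walkthrough.
WEB_SERVER = "194.196.16.43"
MORE_RESTRICTIVE = [
    Rule("permit", "tcp", "line0", dst=WEB_SERVER, dport=range(80, 81)),           # offered service
    Rule("permit", "udp", "line0", sport=range(53, 54), dport=range(1025, 65536)),  # DNS answers
    Rule("permit", "udp", "line0", sport=range(53, 54), dport=range(53, 54)),       # DNS server to server
    Rule("drop", "tcp", "line0", dport=range(0, 1024), log=True),                   # vital services
    Rule("drop", "tcp", "line0", tcp_flags="establishing", log=True),               # no inbound connections
    Rule("drop", "udp", "line0", log=True),                                         # no inbound UDP
]
```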

Anti-spoofing
Some network services (e.g. rlogin and NFS) use a security mechanism based on the IP address of the client. An attacker might circumvent this security mechanism using IP spoofing, a technique based on falsification of the source IP address. This attack is usually combined with TCP SYN flooding or with source routing. The attacker might endanger the correct function of the service or even gain unauthorized access to it.
The anti-spoofing test is performed upon the arrival of a packet. It is possible to define which IP addresses may appear in packets received by each interface. Packets with source addresses other than the allowed ones are discarded and, optionally, information about the packet is logged.
The method of anti-spoofing setup in WinRoute is as follows:
We define for each interface that the source address of the incoming packets must belong to the interval of addresses of the directly connected sub-network. If there are other network segments behind a router, it is necessary to create a named group of addresses for these segments. Then we may define that only packets from the directly connected network or from the named address group are allowed.
It is evident that it is impossible to name all addresses that may appear in packets incoming to the interface connected to the Internet. A packet is allowed to pass through if its source address does not fall among the addresses allowed for the interfaces which lead to the protected network. So any address other than the addresses accepted by the local area network interfaces is allowed. This ensures that no packets with a falsified source address (packets which look as if sent from a computer inside the protected network) are allowed to pass through.


Anti-spoofing Configuration
Settings → Advanced → Anti-Spoofing → Edit button
• ”Any”
No tests are performed. Packets with any address are allowed on the interface. This is the initial setup after installation.
• ”From the network connected to this interface”
Only packets with a source IP address belonging to the directly connected sub-network are allowed on the interface. This option is usually used for the local area network interfaces.
• ”Only those that are not permitted on other interfaces”
Only packets with a source address other than the addresses allowed on other interfaces may pass through. This option is usually used for the interface connected to the Internet.
• ”or additionally from...”
The allowed source addresses are specified by selecting a named address group. This option may be used in combination with the previous two options. It is needed if the protected network has some segments not directly connected to the computer which runs WinRoute.
• ”Log Packet”
Each violation of the rule is recorded to the WinRoute window or to a file.

Anti-spoofing Configuration Example

The example below shows three networks:
192.168.1.0 with mask 255.255.255.0
192.168.2.0 with mask 255.255.255.0
194.196.16.0 with mask 255.255.255.0
The anti-spoofing is configured according to the following figure:


The configuration rules are:

• The interface NE20002 accepts packets with source addresses from networks 1 and 2.
• Interface EL90X1 accepts packets with source addresses from network 3.
• Interface line0 accepts packets with any source address with the exception of addresses from networks 1, 2, and 3.

The configuration dialogs are as follows:
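The three anti-spoofing modes applied to the example network above, as an added example that is not WinRoute's code: NE20002 accepts the directly connected network plus the second network through a named address group, EL90X1 accepts network 3, and line0 accepts only what no other interface accepts. The manual does not say which of networks 1 and 2 is directly connected to NE20002, so the block assumes network 1 is; the log message text is constructed.

```python
"""Anti-spoofing test per interface, as described above. Added example, not WinRoute code."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List


@dataclass
class IfaceRule:
    mode: str                                        # "any", "connected" or "not_on_others"
    connected: str = ""                              # directly connected sub-network (prefix notation)
    extra: List[str] = field(default_factory=list)   # "or additionally from...": named address group
    log: bool = True                                 # "Log Packet"


class AntiSpoof:
    def __init__(self, rules: Dict[str, IfaceRule]):
        self.rules = rules
        self.log: List[str] = []

    def _allowed_on(self, iface: str):
        """Networks explicitly accepted on an interface: the address group, plus the
        directly connected sub-network when the mode is 'connected'."""
        r = self.rules[iface]
        nets = [ip_network(n) for n in r.extra]
        if r.mode == "connected" and r.connected:
            nets.append(ip_network(r.connected))
        return nets

    def accept(self, iface: str, src: str) -> bool:
        """True if a packet with source address src may arrive on iface."""
        r = self.rules[iface]
        addr = ip_address(src)
        if r.mode == "any":
            ok = True                                  # no test performed
        elif r.mode == "connected":
            ok = any(addr in n for n in self._allowed_on(iface))
        else:  # "not_on_others": refused if some other interface accepts this address
            others = [n for name in self.rules if name != iface for n in self._allowed_on(name)]
            ok = (not any(addr in n for n in others)
                  or any(addr in n for n in self._allowed_on(iface)))
        if not ok and r.log:
            self.log.append(f"spoofed source {src} dropped on {iface}")   # constructed message
        return ok


# The manual's example: networks 1 and 2 behind NE20002 (network 2 through a named address
# group; assumption: network 1 is the directly connected one), network 3 on EL90X1, the
# Internet on line0.
EXAMPLE = {
    "NE20002": IfaceRule("connected", "192.168.1.0/24", extra=["192.168.2.0/24"]),
    "EL90X1": IfaceRule("connected", "194.196.16.0/24"),
    "line0": IfaceRule("not_on_others"),
}
```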


Assigning Names to Address Groups and Time Intervals
It is often useful to assign a name to a specific group of computers or to a time interval. This makes it easier for the administrator to apply or modify security rules without entering a full list of IP addresses or time intervals each time.

Example:
Group “Sales” does not have access to the “Games” sites during “Business hours”.

Address Groups
Address groups are used when target addresses have to be specified, for example in the configuration of packet filtering, advanced NAT configuration, etc.
The advantages of named address groups are:
• One name may represent several networks, so it is not necessary to specify each network separately when source/target addresses are entered.
• When the configuration of the network is changed (new network segment added, IP addresses changed, etc.), it suffices to change the named group only.
• With complex networks, named groups simplify the setup.

The named address groups are configured in the menu:

Settings → Advanced → Address Groups
Each named group may contain any number of entries. An entry is either a single address, a group of addresses specified by a network mask, or a group of addresses specified by an interval of addresses.

Time Intervals
Time intervals may be used, for example, to make a filtering rule valid only in certain periods of time. The interval's name is used to refer to it.

Time intervals are configured in the menu:

Settings → Advanced → Time Intervals
Any number of entries may be created under one name, which allows for a very flexible time setup.

DNS Server

Introduction
Each computer connected to the Internet is identified by a unique numeric IP address. In order to connect to a computer in the Internet, its address must be known to the computer which is creating the connection. Since IP addresses are difficult to remember, the Domain Name Service was created. The DNS is a database of descriptive names which are easy to remember. Thus the user does not have to know the IP address of the server she/he wants to communicate with. It suffices to enter the appropriate name (e.g. www.yahoo.com) and DNS will find the actual IP address.

DNS Server in WinRoute

WinRoute is equipped with a DNS module that is able to forward DNS queries to a chosen DNS server on the Internet. The DNS module stores the results of the queries in its internal cache, where they are kept for a certain time. Subsequent repeated queries are then answered using the cached data without the need to wait until an answer from the Internet arrives. The DNS server in WinRoute is also able to answer DNS queries according to the user-defined HOSTS file.

DNS Server Configuration

When configuring TCP/IP on a workstation using WinRoute as its DNS server, it is necessary to enter the address of the computer running WinRoute as the DNS server address.
The DNS server is configured using the menu: Settings → DNS Server.

The configuration dialog is shown in the figure below:

• ”DNS Server enabled”
This option controls whether the DNS server is switched On or Off.
• ”Enable lookup in HOST file”
With this option checked, the DNS server is allowed to use data from the HOSTS file when answering the queries.


• ”Edit HOSTS file...”
This button launches an external text editor in which you may edit the HOSTS file.
• ”Enable lookup in DHCP lease table”
This allows the DNS server to answer queries using the Host name fields in the data used by the DHCP server. This option may only be used if you use the DHCP server contained in WinRoute. See the DHCP Server chapter.
• ”DNS domain”
Enter your domain name (e.g. “acme.com”) here. When answering DNS queries, the domain name is appended to the host name obtained from the HOSTS file or from the DHCP lease table.
• ”Forward DNS queries to”
Enter the numeric IP address of the DNS server to which you want to forward the DNS queries. Choose the address of your ISP's DNS server or of a server to which you have quick access.
• ”Enable DNS cache”
This allows answers to DNS queries to be stored in the internal cache. Subsequent queries are then processed using the contents of the cache, without waiting for an answer from the DNS server outside your network.

Note: the cache only stores the answers which are of the “Name → IP address” type. The answers are stored until they expire. The expiration time is supplied by the DNS servers together with each answer.
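The behaviour of the DNS module described above (HOSTS file, DHCP lease table with the DNS domain appended, the cache with server-supplied expiration, then the forwarded query) as an added example, not WinRoute's code. The upstream forwarder is a constructed stand-in, the host names and addresses are constructed, and the exact order in which HOSTS file, lease table and cache are consulted is an assumption.

```python
"""Lookup order and cache behaviour of the DNS module described above.
Added example, not WinRoute code; names, addresses and the upstream stand-in are constructed."""
import time
from typing import Callable, Dict, Optional, Tuple

Answer = Optional[Tuple[str, int]]   # (IP address, TTL in seconds) or None when unknown


class DnsModule:
    def __init__(self, forward: Callable[[str], Answer], domain: str,
                 hosts: Dict[str, str], leases: Dict[str, str],
                 clock: Callable[[], float] = time.monotonic):
        self.forward = forward                                       # "Forward DNS queries to"
        self.domain = domain.lower()                                 # "DNS domain"
        self.hosts = {k.lower(): v for k, v in hosts.items()}        # HOSTS file: name -> IP
        self.leases = {k.lower(): v for k, v in leases.items()}      # DHCP lease table: host name -> IP
        self.cache: Dict[str, Tuple[str, float]] = {}                # name -> (IP, expiry time)
        self.clock = clock
        self.forwarded = 0                                           # queries sent upstream

    def _local(self, name: str) -> Optional[str]:
        """Answer from the HOSTS file or the DHCP lease table (assumed lookup order)."""
        if name in self.hosts:
            return self.hosts[name]
        if self.domain and name.endswith("." + self.domain):
            host = name[: -len(self.domain) - 1]       # DHCP host name with the domain appended
            return self.leases.get(host)
        return None

    def resolve(self, name: str) -> Optional[str]:
        name = name.lower().rstrip(".")
        local = self._local(name)
        if local is not None:
            return local
        cached = self.cache.get(name)
        if cached is not None and cached[1] > self.clock():
            return cached[0]                           # answered from the cache
        self.cache.pop(name, None)                     # an expired answer is discarded
        self.forwarded += 1
        answer = self.forward(name)
        if answer is None:
            return None                                # negative answers are not cached
        ip, ttl = answer
        self.cache[name] = (ip, self.clock() + ttl)    # kept until the TTL from the server expires
        return ip
```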

DHCP Server

Introduction
In a network, each computer has to have its TCP/IP protocol properly configured. This means that the IP address, network mask, default gateway address, DNS server address, etc. must be configured on each computer. If the maintainer has to set the parameters manually on a larger number of workstations, it is difficult to avoid mistakes, e.g. using an address twice, which may cause collisions and consequently also incorrect functioning of the entire network.
To simplify the task, the Dynamic Host Configuration Protocol was created. DHCP is used for dynamic configuration of the TCP/IP protocol on computers. During start-up, the DHCP client computer sends a request. When the DHCP server receives the request, it chooses TCP/IP configuration parameters for the client. The parameters are the IP address, network mask, default gateway, DNS server address, the client's domain name, etc. Using these parameters, the server creates an answer and sends it to the client. The server may assign a configuration to the client for a limited time only (the lease time). The server always assigns the IP address so that it does not collide with any other address assigned through DHCP to another client.
With a DHCP server available, it suffices to enable the “Obtain IP address from DHCP server” option and the DHCP server takes over the responsibility for proper configuration of TCP/IP on the workstations. This may help to significantly lower the network maintenance and management costs.

DHCP Server in WinRoute

WinRoute contains a DHCP server module, a full-featured DHCP server which is able to dynamically assign TCP/IP configuration parameters to DHCP clients. If you want to use the WinRoute DHCP server, you must configure it properly (see below) and switch on the “Obtain IP address from DHCP server” option in the TCP/IP configuration of the client computers. If some computers in your network will not be configured dynamically by DHCP but will have a fixed configuration instead, you must make sure the parameters used by DHCP will not collide with the ones used in the fixed configurations.

DHCP Server Configuration

You may configure the DHCP server using the dialog window opened by the menu command:

Settings → DHCP server

• ”DHCP server enabled”
This switches WinRoute's DHCP server on. If you switch it off again, you will not lose its settings; WinRoute will just stop functioning as a DHCP server.


The dialog window contains two major areas: Scopes and Options.

In “Scopes”, the ranges of IP addresses to be assigned to clients are displayed. The dialog shows the network address of each range and the first and the last address within the range.
Additional parameters may be configured for each scope. These parameters are shown in the “Options” area.
The Scopes area always contains “Default Options”, a list of parameters which are assigned to clients if no specific parameter is defined in the scope. To identify whether or not a parameter is a global one (taken from “Default Options”), an icon is displayed next to it:
the parameter is specific for the scope
the parameter is taken from “Default Options”
The lower part of the dialog window contains the following buttons:
• “New Scope...”
On pressing this button a new dialog appears in which you may define the parameters of a new scope.
• “Edit...”
Used to edit an existing scope.
• “Remove”
Removes the scope.


The scope definition dialog is shown in the figure below:

• “Address Scope”
Enter the range of IP addresses to be assigned to clients (the fields “From” and “To”) together with the network mask (the field “Mask”). The IP addresses of the range must belong to the same sub-network.
• “Options”
This shows a list of other configuration parameters to be assigned to stations within the particular scope. If a parameter is not entered (the “Specify option” box is not checked), a value from Default Options is used instead. The following parameters may be used:
• “Default Gateway”
The default gateway address. The gateway facilitates communication with stations in other sub-networks.
• “DNS Server”
The IP address of the DNS server.
• “Domain Name”
You may enter the name of your domain (if you have a registered domain).
• “Lease Time”
The time for which the client may use the configuration data. After this interval, the configuration expires and the client must request new TCP/IP parameters from the DHCP server.
• “WINS Server”
The address of the WINS server, which is used to distribute information about shared network resources in Microsoft networks.

In each scope, you may reserve particular IP addresses for some computers using the “Add Lease...” button.



The reservation ensures that the particular computer will always have the same IP
address (this is useful if you run a service on the computer, e.g. a print server).

The address reservation dialog is shown in the following figure:

• “IP address”
The IP address you want to reserve.
• “Reserved for”
Here you may choose how to identify the computer for which the address is reserved:
• “Hardware address”
The computer is identified by its Ethernet hardware address. The address should be entered in the “Value” field as six bytes with a dash between each two of them (e.g. 00-60-08-5f-75-b9).
• “Computer name”
The computer is identified by its name, which is set in the MS Windows network configuration.
“Advanced...” button
This is used to configure the DHCP server to also answer requests sent using the BOOTP protocol. BOOTP is an older protocol used for TCP/IP configuration. You should switch this function on if you have some client computers which use BOOTP.
A list of addresses assigned to particular clients by DHCP may be obtained by right-clicking in the WinRoute main logging window and choosing Show → Leased IPs from the menu. Alternatively, you may press the CTRL+SHIFT+L key combination.


Configuration in Multi-segment Network Environment
To use the DHCP server in a network with multiple segments you need to configure your network gateways so that they forward DHCP requests to the segment to which the DHCP server is connected. Sample configurations for several types of routers are shown below:

Windows NT
If you use a Windows NT server as a router (gateway), you need to install the “DHCP Relay Agent” service on it. Then go to the TCP/IP configuration of the server, switch to the DHCP Relay tab and fill in the IP address of the DHCP server to which the DHCP requests should be forwarded (that is, enter the IP address of the computer on which WinRoute runs).

Novell Netware
If you use a Netware server as a router, you need to load the BOOTPFWD.NLM module on it. The module will take care of forwarding both DHCP and BOOTP requests. The command to be used is:
load bootpfwd.nlm <DHCP server address>
Again, the IP address of the DHCP server is the IP address of the computer which runs
WinRoute.

Example Configuration
The following figure shows an example configuration of the DHCP server:

In the example, two scopes are defined. The first is defined for network 192.168.1.0, the second for network 192.168.2.0. The first scope assigns addresses 192.168.1.10 through 192.168.1.20, the second one assigns addresses 192.168.2.80 through 192.168.2.90.



You can also see that within the scope for the network 192.168.1.0, the following addresses have already been assigned to clients: 192.168.1.23, 192.168.1.20, 192.168.1.21, 192.168.1.22 and 192.168.1.25. No address has been assigned yet within the scope for the network 192.168.2.0.
In the “Scopes” area, the address 192.168.1.23 is selected and information related to it is displayed. For example, the time for which the configuration parameters are assigned to the computer is shown. You can also see that the hardware address of the computer is 00-60-08-51-8e-eb and that its name is “TEREZIE”.


Proxy Server

Proxy Overview
Proxy Cache
The WWW Internet proxy service works as follows: the proxy server collects data from the Internet and passes it to the requesting browsers on the local network. This data is also stored in a cache. If the same information is required again, it is retrieved from the cache. Since the cache is on the local network, the retrieval is performed at local network rates, much more quickly than re-accessing the Internet.
Generally, the cache speeds up Internet access because it temporarily stores the pages already visited and allows fast local access to them. Internet access is then needed only to retrieve unvisited data. The effect is increased performance with no change in communication resources.

Access Control
The Proxy server may be used to control access to WWW Service resources. For example,
you may limit access of specific users to particular Internet web sites.
Restrictions may be applied to individual users, groups of users or particular URLs.

Proxy Server Setup


General Properties



The Proxy server is configured using menu: Settings j Proxy server.
• Port
Port number used by browsers to communicate with the proxy server. The default value is 3128. Generally, the default is appropriate.
• Enable Logging
Enable logging of web page URLs visited by proxied browsers.
• Cache Enabled
Enable proxy cache functions. When disabled, web pages are retrieved directly from the Internet.
• Cache Directory
Directory path of the proxy cache data.
• Cache Size
The maximum cache size, in megabytes. When the cache exceeds this limit, cache pruning is performed until the extent is reduced to 85% of the limit. The least recently visited data is discarded.
• Continue Aborted
When a user selects either the browser's stop button or a new page link before the current page has been completely loaded, the proxy server can continue loading the current page into the cache. Then if the user returns to this page later, it will be presented from the cache. With this option enabled, it is quicker to explore a web site. The back pages will be quickly and completely loaded for review. The first perusal caches the “skipped over” pages; then when back tracking (using the [Back Button])
• Keep Aborted
Enable storing of incomplete objects (html pages, images, ...). Incomplete objects may occur when an Internet browser session is disrupted for some reason: lost connection, power loss, server went off-line, etc. Caching partial pages provides at least some of the desired data for perusal.
• Cache FTP directory only
When enabled, only FTP directory listings will be cached. File transfers will not be cached.
• Time-To-Live
This value determines the number of days that objects (web pages, images, ...) are retained in the cache. Any requests for objects in the cache older than this are reloaded from the Internet.
• TTL Advanced
You can set the number of days any object is retained in the cache based on the object's URL. URL specifications may include wild-card characters (denoted by an asterisk) to specify related URL groups.
Examples: *www*, ftp://*.zip
• Max. Object Size
Maximum object size in kilobytes that may be cached. Any single object larger than this limit will be passed to the requesting browser without being copied into the cache.


Access

The “Access” tab is described in the section Access Control.

Advanced Properties

• Parent Proxy
DNS name or IP address and port number of a parent proxy server, if one exists. When set, all requests will be forwarded to it.



• Autoconfig File
The location of the proxy auto-configuration file. This file may be used to configure clients' browser proxy settings. This feature is supported by Netscape Navigator and higher versions of MS Internet Explorer. The file must be edited to insert the computer name and port of the computer running the WinRoute proxy server.
In the browser, you must enter the URL location of the file. The location is as follows: http://<host>:3129/autoconfig where <host> is the name of the computer running WinRoute.
• Idle Timeout
A TCP connection will be closed when it has been inactive for this period of time.
• Connect Retry
Determines the number of attempts to establish a connection.
• Enable Reverse DNS
Enables reverse DNS resolution for logging purposes.

Here are some sample configurations for popular browsers:
To use a proxy server, you must set the browser's proxy IP address and port number fields.

Netscape Navigator 2.0, 3.0


Select the menu item: Options → Network Configuration → Proxies
Choose Manual Proxy Configuration
Push the [View] button
Enter the WinRoute IP address and port number for the HTTP, FTP and GOPHER fields. The default port number is 3128.

Netscape Communicator
Select the menu items: Edit → Preferences → Advanced → Proxies
Choose Manual Proxy Configuration
Push the [View...] button
Enter the WinRoute IP address and port number for the HTTP, FTP and GOPHER fields. The default port number is 3128.
MS Internet Explorer 3.0
Select the menu items: View → Options → Connections
For the Windows 95 version, press the Proxy button
Enable the check box Use the same proxy for all protocols.
Enter the WinRoute IP address and port number in the provided fields.


Access Control
Access Control allows you to limit a user's WWW Server access rights.

Access Properties Sheet


The Access List contains URLs that are to be restricted to specific users and groups. Each URL entry is formatted as scheme://host/path; asterisks may be used to denote arbitrary strings. Each restricted URL has an associated list of users and groups that may access the URL, provided they enter a user name and password when prompted by their browser.
Note: Restricted URLs may always be accessed by members of the Admins group.

WinRoute's Web Interface Access Restriction


Access restrictions may also apply to WinRoute's administrator web interface.
To restrict the web interface, add the following line to the Access List: http://WinRoute/admin/* Enter the URL exactly as shown. WinRoute will recognize its own name; there is no need to enter the actual host name. Before restricting WinRoute's web interface, confirm that you, as an administrator, are a member of the Admins group. Otherwise you will be blocked from accessing the web interface. However, you may always access the WinRoute configuration settings using the WinRoute GUI application.

Browser Notice:
Some browsers do not support the authentication function required for restricted URL
access. These browsers will not be able to access any restricted URL; however, other
URLs will not be affected. The Proxy Authentication function is supported by Netscape
Navigator 3.0, MSIE 3.0 and all later versions.
Please be advised: A user will be prompted for authentication only once during each
browser session. Thereafter, the browser will automatically provide the user name and
password when required. This is known as authentication caching. To clear the authen-
tication cache the user must terminate the browser session.

Access Control – Examples


1. We want to restrict members of the [users] group to the following domains: domain.com, work.com, while the user boss should have access anywhere. Set the Access List and user/group list as illustrated:
Access List        users/groups
*                  boss
*.domain.com/*     [users]
*.work.com/*       [users]

2. To block all accesses to domain bad.com:


Access List        users/groups
*.bad.com/ *
Note: Members of the [Admins] group may not be blocked from any domain.
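As an added illustration (not code from the manual or from WinRoute itself), the following Python models how the Access List entries above are evaluated: URL patterns with asterisks, per-entry users and [groups], the Admins override, and unauthenticated requests. The group membership and URLs are constructed for the example, and the second manual example is read as the pattern *.bad.com/* with an empty users/groups list (an assumption: an entry that permits nobody blocks everyone except Admins).

```python
import re
from urllib.parse import urlsplit

# Constructed user database for the example (not from the manual)
GROUPS = {
    "users": {"alice", "bob"},
    "sales": {"jane"},
    "Admins": {"admin"},
}

# Example 1 from the manual: [users] limited to domain.com and work.com, boss unrestricted
ACCESS_LIST_1 = [
    ("*", ["boss"]),
    ("*.domain.com/*", ["[users]"]),
    ("*.work.com/*", ["[users]"]),
]

# Example 2 from the manual, read here as "*.bad.com/*" with no permitted users/groups
# (assumption: an entry that permits nobody blocks everyone except Admins)
ACCESS_LIST_2 = [
    ("*.bad.com/*", []),
]


def pattern_to_regex(pattern):
    """Turn a scheme://host/path pattern into an anchored regex; '*' matches any string."""
    parts = pattern.split("*")
    return re.compile("^" + ".*".join(re.escape(part) for part in parts) + "$")


def url_matches(pattern, url):
    """Match a pattern against the URL. Patterns without a scheme (as in the manual's
    examples) are compared against host/path only; patterns with one against the full URL."""
    parts = urlsplit(url)
    path = parts.path or "/"
    if "://" in pattern:
        target = f"{parts.scheme}://{parts.netloc}{path}"
    else:
        target = f"{parts.netloc}{path}"
    return pattern_to_regex(pattern).match(target) is not None


def principal_allows(principal, user):
    """'[name]' in the users/groups column refers to a group, anything else to one user."""
    if principal.startswith("[") and principal.endswith("]"):
        return user in GROUPS.get(principal[1:-1], set())
    return principal == user


def is_allowed(access_list, url, user=None):
    """Decide whether `user` (None = browser has not authenticated) may fetch `url`."""
    matching = [allowed for pattern, allowed in access_list if url_matches(pattern, url)]
    if not matching:
        return True            # the URL is not restricted at all
    if user is None:
        return False           # restricted URL: the browser must authenticate first
    if user in GROUPS["Admins"]:
        return True            # Admins may always access restricted URLs
    # Allowed if any matching entry names the user or one of the user's groups
    return any(principal_allows(p, user) for allowed in matching for p in allowed)
```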


Cache Improvements
This section describes improvements of the HTTP cache in WinRoute. The main difference is the method of storing data in the disk cache. Unlike other proxy servers with caching functionality (including Microsoft Proxy and Netscape Proxy server), the new version stores cached data in one fixed-length file instead of using a single file for each object. The cache file is organized in a FAT-like fashion with an allocation unit of 1024 bytes. This significantly saves the disk space occupied by the cache. For better understanding, see the following table, which shows a typical distribution of objects in a cache of 150 MB:

size in kB   number of objects   % of total objects
1            5738                17.57
2            5626                17.23
3            4804                14.71
4            3254                9.96
5            2615                8.01
6            1975                6.05
7            1303                3.99
8            962                 2.95
9            877                 2.69
10           660                 2.02
11           596                 1.83
12           485                 1.49
13           417                 1.28
14           298                 0.91

You may see from the table that 50% of all objects in the cache are smaller than 6 kB. The reason for this is that the WWW usually consists of many small objects (html pages, inline images, ...). Storing each object in a single file significantly wastes disk space on nearly every filesystem.
The following calculation assumes the worst case: a large disk formatted with a 16-bit FAT table. In this case, the size of the allocation unit (cluster) is 32 kB.
The actual size allocated on disk by a file-oriented cache is:
32 * (5738 + 5626 + 4804 + 3254 + 2615 + 1975 + 1303) = 32 * 25315 = 810080 kB = 791 MB
The actual size allocated in the WinRoute cache is:
5738 + 2*5626 + 3*4804 + 4*3254 + 5*2615 + 6*1975 + 7*1303 = 78464 kB = 76 MB
The WinRoute cache needs 10.4 times less disk space for storing the cached objects.
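The calculation above, carried out in Python as an added example (not code from the manual or from WinRoute): every object is padded to a whole number of allocation units, 32 kB clusters for the file-per-object cache and 1 kB units for the single cache file. The object histogram is copied from the table above; the example also extends the comparison to all fourteen rows.

```python
# Object-size histogram copied from the manual's table: (size in kB, number of objects)
HISTOGRAM = [
    (1, 5738), (2, 5626), (3, 4804), (4, 3254), (5, 2615), (6, 1975), (7, 1303),
    (8, 962), (9, 877), (10, 660), (11, 596), (12, 485), (13, 417), (14, 298),
]

FAT16_CLUSTER_KB = 32   # worst case assumed by the manual: large disk, 16-bit FAT
WINROUTE_UNIT_KB = 1    # the WinRoute cache file uses 1024-byte allocation units


def units_for(size_kb, unit_kb):
    """Number of whole allocation units an object of size_kb occupies (ceiling division)."""
    return -(-size_kb // unit_kb)


def allocated_kb(histogram, unit_kb):
    """Total disk space consumed when every object is padded to a whole allocation unit."""
    return sum(count * units_for(size, unit_kb) * unit_kb for size, count in histogram)


def compare(histogram, file_cluster_kb=FAT16_CLUSTER_KB, cache_unit_kb=WINROUTE_UNIT_KB):
    """Return both totals (kB and whole MB) and how many times smaller the WinRoute layout is."""
    file_cache = allocated_kb(histogram, file_cluster_kb)
    winroute_cache = allocated_kb(histogram, cache_unit_kb)
    return {
        "file_cache_kb": file_cache,
        "winroute_cache_kb": winroute_cache,
        "file_cache_mb": file_cache // 1024,
        "winroute_cache_mb": winroute_cache // 1024,
        "ratio": file_cache / winroute_cache,
    }


if __name__ == "__main__":
    # The manual's calculation covers the first seven rows (objects of 1 to 7 kB)
    print(compare(HISTOGRAM[:7]))
    # The same comparison over the whole table
    print(compare(HISTOGRAM))
```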


Mail Server

Overview
WinRoute Mail server may be used as a mail gateway between a local network and the Internet. It collects mail sent by the users in the local network and incoming mail from the Internet. Then, mail intended for the Internet is sent to the Internet and mail for local users is delivered to their mailboxes.
If the local network is connected to the Internet through a dial-up line, it is possible to schedule send and receive times for Internet mail.
Users in the local network may use any SMTP/POP3 capable client (MS Internet Mail, Netscape Mail client, MS Exchange, Eudora, Pegasus Mail, etc.) to connect to the WinRoute Mail server.
The Mail server is configured through the “Mail Server” dialog box from the menu “Settings → Mail Server”.

Receiving mail from the Internet


There are several ways in which WinRoute Mail Server may receive mail from the Internet:

Download from individual remote POP3 accounts

WinRoute Mail server allows downloading email from individual POP3 accounts which are located at the Internet service provider or somewhere else on the Internet. Downloaded email is delivered to users' mailboxes.
Remote POP3 accounts are managed in the “Remote POP3” sheet.

Download from domain mailbox


Some Internet providers allow email for a whole domain to be stored in a single (remote) POP3 account. E.g. if you own a domain yourcompany.com then all email addressed to the domain @yourcompany.com is stored in a single mailbox at your Internet provider.
After download from such a remote POP3 account, WinRoute Mail server can sort and deliver each email to the appropriate WinRoute mailbox according to the To: email header.
In order to perform sorting on a remote account, you must select the <Sorting Rules> option in the “Deliver to:” field in the “Remote POP3” sheet.
Then select the “Sorting Rules” button and set the sorting rules. In the “General” sheet select “I have Internet domain” and into the field “Local Domain(s)” enter your domain (e.g. yourcompany.com). The option “Use ETRN command” is not selected.

SMTP domain mailing


If your network is permanently connected to the Internet you may benefit from receiving email for your domain directly through the SMTP protocol. This is also possible on dial-up lines, but you would need a fixed IP address and the connection must be established at regular intervals. The MX record for your domain must point to the IP address where the WinRoute Mail server is running. If you are using NAT you need to create a mapped port for the SMTP protocol.
In the “General” sheet select “I have Internet domain” and into the field “Local Domain(s)” enter your domain (e.g. yourcompany.com). The option “Use ETRN command” should be enabled if your network is connected through a dial-up line and the Relay SMTP server supports the ETRN command. The ETRN command may be used to start sending queued messages for your domain.

Sending mail to the Internet


All email for the Internet (outgoing mail) is sent to Relay SMTP server.
“Relay SMTP server” may be set in “General” sheet.

Delivering email locally

In order for WinRoute Mail server to immediately deliver email sent from a local user to a remote mailbox which is present in the Remote POP3 accounts, you need to add an associated entry in the “Alias” sheet. As “Alias” you should enter the email address of the remote POP3 account and set the “Deliver To” field to the same user as in the associated POP3 entry. See the examples for specific settings.

Configuring email clients


Each user who will use the Mail server needs a user account on WinRoute. Users' accounts may be created in the dialog box “Accounts”, menu “Settings → Accounts”.
Each email client has its own particular configuration procedure; as such, you should consult the specific client's documentation. Generally, you need to provide the IP address or host name of the SMTP and POP3 server. Set these IP addresses or host names to the location where WinRoute is installed. The client's POP3 Username (account) and Password fields should be set to match the user's WinRoute user name and password.

Scheduling email exchange


Internet email exchange (sending and receiving) is controlled by the Scheduler (“General” sheet, “Scheduling” button). The Scheduler provides two types of email actions:
1. Send/Receive Mail
2. Send Mail (if any)

For each action you may select from the following conditions:
• “Allow to dial”
Allow demand dialing if needed to establish an Internet connection.
• “Every – At”
The periodic rate or specific time to execute the action.


• “Valid on”
The weekdays on which the action may execute.
• “Valid at time interval”
You can choose a time interval defined in the menu “Settings → Advanced → Time intervals”. For example, it is possible to allow e-mail exchange only in working hours.
Note: You may manually invoke the Mail Server exchange via the Web Interface. Browse to the Manual page, then click on the [Send and Receive] button.

Aliases
Aliases may be used to create users' aliases and to redirect/forward email.
Aliases are processed when the following situations occur:
• email is received through SMTP (from a user's mail client or from the Internet)
• before email downloaded from a remote POP3 account is delivered to a mailbox
Aliases may be set in the “Aliases” sheet.

Examples
Download from individual remote POP3 accounts
Each user has an account at the ISP. The ISP's mail server mailserver.provider.com is used for outgoing mail.

In this case, users' e-mail addresses should be entered into Aliases, as shown below. This is useful when local users send emails to each other. Without appropriate alias settings, WinRoute mail server would not recognize that the email is for a local user and would send it to the Internet, to be downloaded back from the remote POP3 account.


Download from domain mailbox


Let's consider a company with 5 employees. Each has an account on WinRoute. The user accounts are the following: alice, george, jane, martin and tom.
The company has a registered email domain company.com and their ISP stores all email for the domain company.com in a single mailbox company on its mail server mailserver.provider.com. The same mail server is used for outgoing mail.


Company wants to use general addresses info@company.com and sales@company.com.


Email sent to info@company.com should be delivered to george, email sent to
sales@company.com should be delivered to users in group sales.
In sheet “General” select “I have Internet domain” and into field “Local Domain(s)”
enter company.com.

SMTP domain mailing


Let's consider the same company as in the previous example: a company with 5 users. Each has an account on WinRoute. The user accounts are the following: alice, george, jane, martin and tom.
The company has a registered domain company.com and email for this domain is received through the SMTP protocol. In this case a fixed IP address is required on dial-up connections. The MX record for the domain company.com must point to this IP address. The address of the ISP's mail server is mailserver.provider.com.



The company wants to use the general addresses info@company.com and sales@company.com. Email sent to the address info@company.com should be delivered to the user george, email sent to the address sales@company.com should be delivered to the users in the group sales.

In case the local network is using NAT (Network Address Translation) it is necessary to create a port mapping for the SMTP protocol (menu Settings → Advanced → Mapped ports).

192.168.1.1 is the address of the computer running WinRoute.


Appendices

Routing
Routing is the process that determines the route a packet must take on its way from sender to receiver.
For the purposes of routing, computers may be divided into two groups.
• Workstations
Workstations usually have a single network adapter and they do not forward packets from one interface to another. They keep a routing table, but they only use it when sending their own packets. The routing table usually contains a default router (gateway) entry. There is a direct route from the workstation to the default router.
• Routers (Gateways)
Gateways have more than one network adapter (interface). By means of the interfaces, the gateway is connected to two or more networks. When a packet arrives at an interface, the gateway must decide to which of the remaining interfaces the packet should be sent. The appropriate interface is chosen according to the packet's target IP address and the gateway's routing table.

The computer on which WinRoute runs acts as a router.


In simple networks (e.g. in a single-segment local area network connected to the Internet using a modem) it is not necessary to modify the routing table on the computer that runs WinRoute. On the other hand, you will most probably have to modify the routing table if you have a network with multiple segments.

Routing in Networks with Multiple Segments


In networks with multiple segments located behind other gateways it might be necessary to enter the routes to individual segments by hand (unless your network uses some routing protocol).
The figure below shows a network with two segments connected by a router. In this case, the routing is configured as follows:



• On the computer with WinRoute, a route to segment 192.168.2.0 must be entered. This can be done from the command prompt by issuing the command:
c:\> route -p add 192.168.2.0 mask 255.255.255.0 192.168.1.100

• On the router 192.168.1.100, the default route must lead to the computer with WinRoute, i.e. 192.168.1.1.

Routing in the Windows Environment


This section describes in more detail the routing in the environment of the Windows
operating systems.
Routing Table
WinRoute uses the routing table maintained by the operating system. You may obtain the contents of the routing table by right-clicking in WinRoute's window and choosing “Show” → “Routing Table”.
To work with the routing table, use the system command “route”, entered at the command prompt.
You may use the “route” command in the following ways:
• route print (to print the contents of the routing table)
• route add (to add a route)
• route delete (to remove a route)
As mentioned above, a gateway uses the routing table to determine to which interface
a packet should be sent. The main items in the routing table are:
• network/network mask
• metric
• interface
• gateway

When deciding to which interface a packet should be sent, the following algorithm
applies:
The records in the routing table are searched for a record in which the network field matches the target IP address in the packet (with the network mask applied). If several matching records are found, the record with the most selective (longest) mask is chosen. If there are two or more such records, the one with the smallest metric is chosen.
The packet is sent to the interface indicated in the record. If the target computer is not in the network directly connected to the interface, the packet is sent to the gateway named in the record.
The record with zero network address and zero mask has a special meaning. It denotes the default route. The record indicates where to send a packet if no other appropriate record has been found.
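The selection rule above applied to a small table, as an added example (not code from WinRoute or the manual). The table is modelled on the two-segment example earlier in this appendix (LAN 192.168.1.0, persistent route to 192.168.2.0 via 192.168.1.100); the external interfaces, gateways and the dial-up behaviour (a new default route with metric 1 while existing default routes have their metric raised by one) are constructed for the example, the "+1" being an assumption since the manual only says the metric is increased.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    interface: str
    metric: int


def make_route(network, gateway, interface, metric=1):
    return Route(ipaddress.IPv4Network(network), ipaddress.IPv4Address(gateway), interface, metric)


# Constructed interfaces of the WinRoute computer: the LAN address comes from the manual's
# example, the external addresses are documentation-range placeholders
INTERFACE_ADDRESSES = {
    "lan": ipaddress.IPv4Address("192.168.1.1"),
    "ethernet_wan": ipaddress.IPv4Address("198.51.100.5"),
    "dialup": ipaddress.IPv4Address("203.0.113.5"),
}

ROUTING_TABLE = [
    make_route("192.168.1.0/24", "192.168.1.1", "lan"),        # direct route (gateway = own address)
    make_route("192.168.2.0/24", "192.168.1.100", "lan"),      # persistent route (route -p add ...)
    make_route("0.0.0.0/0", "198.51.100.1", "ethernet_wan"),   # default route via the Ethernet WAN
]


def lookup(table, destination):
    """Apply the selection rule: longest mask first, then the smallest metric.
    Returns (interface, next hop) or None when no record matches."""
    dst = ipaddress.IPv4Address(destination)
    candidates = [r for r in table if dst in r.network]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))
    # A record whose gateway is the interface's own address is a direct route:
    # the packet goes straight to the target instead of to a gateway.
    direct = best.gateway == INTERFACE_ADDRESSES[best.interface]
    next_hop = dst if direct else best.gateway
    return best.interface, str(next_hop)


def dial(table, gateway, interface="dialup"):
    """Model the telephone connection: existing default routes get a higher metric
    (assumed +1) and a new default route through the dial-up interface is added with metric 1."""
    default = ipaddress.IPv4Network("0.0.0.0/0")
    bumped = [replace(r, metric=r.metric + 1) if r.network == default else r for r in table]
    return bumped + [make_route("0.0.0.0/0", gateway, interface, 1)]


def hang_up(table, interface="dialup"):
    """Closing the telephone connection removes its route again."""
    return [r for r in table if r.interface != interface]


if __name__ == "__main__":
    for target in ("192.168.1.23", "192.168.2.50", "192.0.2.10"):
        print(target, "->", lookup(ROUTING_TABLE, target))
    dialed = dial(ROUTING_TABLE, "203.0.113.1")
    print("while dialed:", lookup(dialed, "192.0.2.10"))
    print("after hang-up:", lookup(hang_up(dialed), "192.0.2.10"))
```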


We may categorize the records in the routing table according to their origin:
• Direct
Direct routes are added to the table using the IP address and mask assigned to individual interfaces on the router. They identify directly accessible networks.
• Persistent
Persistent routes identify networks which are not directly connected to the interfaces of the router. These routes are configured by the router's maintainer and are set during operating system start-up.
• Temporary
Temporary routes are entered by the user or are learned by means of a routing protocol. They are lost if the system is switched off.

During start-up, the Windows routing table is created as follows:


Direct routes are created, and the persistent routes are read from the Windows registry (persistent routes may only be configured in Windows NT). Also, the default route is added (in the Windows TCP/IP configuration of individual interfaces, the default route is denoted as the default gateway). You may set default routes on several interfaces; it is, however, reasonable to set it on one interface only, the one which connects the computer to the external network (the Internet).
During run-time, the routing table is modified as follows:
The table may be modified by user or by a routing protocol (e.g. RIP), if it is used. If
you create a telephone connection, Windows adds a default route (according to the set-
tings of the particular telephone connection). If the routing table contains a default
route already, its metric is increased and thus the telephone connection obtains a higher
priority. When the telephone connection is closed, its route is removed.

Port mapping examples


The examples below represent typical uses of port mapping. You may however create many other mapped ports. When doing that, you should always bear in mind the security of your network. By creating a mapped port you allow the particular service in your network to be accessed from the entire Internet. Use packet filtering if you want to make the port accessible from certain Internet addresses only.

WWW
Let us suppose you run a web server in your private network (the address of the server being 192.168.1.10) and you wish to allow users on the Internet to access the server. You have to create a mapped port in the following manner:
Protocol: TCP
Listen IP: <unspecified>
Listen Port: 80
Destination IP: enter the IP address of the WEB server (192.168.1.10 in our case)
Destination Port: 80



SMTP
If you have a mail server in your local area network and want to receive e-mail from the
Internet by means of the SMTP protocol, add the following entry to the mapped ports
table:
Protocol: TCP
Listen IP: <unspecified>
Listen Port: 25
Destination IP: enter the IP address of your mail server
Destination Port: 25

PPTP
If you run a Point to Point Tunneling Protocol server in your LAN and want to allow users
from Internet to connect to your server via PPTP, you have to create two mapped ports:
1. For the control connection:
Protocol: TCP
Listen IP: <unspecified>
Listen Port: 1723
Destination IP: IP address of your PPTP server
Destination Port: 1723
2. For the GRE (PPTP) packets:
Protocol: PPTP
Listen IP: <unspecified>
Destination IP: again, the IP address of your PPTP server

CU-SeeMe
If you only call other users by means of CU-SeeMe, you should have no problems. If you also want to receive CU-SeeMe calls from users outside your network, you must create the following mapped ports:
Protocol: UDP
Listen IP: <unspecified>
Listen Port: 7648
Destination IP: the IP address of the workstation that runs the CU-SeeMe client
Destination Port: 7648
Protocol: UDP
Listen IP: <unspecified>
Listen Port: 7649
Destination IP: the IP address of the workstation that runs the CU-SeeMe client
Destination Port: 7649

Limitations:
• At present, it is not possible to run more than one CU-SeeMe client on one local area network (naturally, this is not true if you use routing).
• It is not possible to connect to a “reflector” protected by a password.

ICQ
You may connect to an ICQ server and communicate with other ICQ users (i.e. send messages, create a chat connection, or send files) without having to create mapped ports. If you wish to receive calls from other ICQ users, you have to create the following entry in the table of mapped ports:
Protocol: TCP
Listen IP: <unspecified>
Listen Port: 5000 – 5011
Destination IP: IP address of the workstation that runs the ICQ client
Destination Port: 5000 – 5011
Then do the following: In ICQ “Preferences” choose “Connection”, “I'm using a permanent internet connection (LAN)”, “I'm behind a firewall or proxy”. In “Firewall Settings” choose “I don't use a SOCKS Proxy server...”, press the “Next” button, choose “Use the following TCP listen ports for incoming event” and enter the range 5000 through 5011. If you wish to run several ICQ clients in your LAN (and these clients need to accept calls from other ICQ users), you have to create an entry in the mapped ports table for each additional client and assign a port range to it (e.g. 5012 - 5023). You also have to configure each ICQ client accordingly.

Using WinRoute with DirecPC


This description assumes that you are already well acquainted with DirecPC and you have the appropriate software modules installed and functional.
WinRoute may cooperate with DirecPC in two ways, depending on how the outgoing packets are sent to the Internet.
• Packets are sent by the DirecPC software (DirecPC Navigator).
• Packets are sent by WinRoute via a chosen interface.
In both cases, the DirecPC Navigator should be running.
If you decide to use the second method, you must select the interface for sending outgoing packets. This may be done in the menu:
Settings → Interfaces → interface Settings → DirecPC
• “Send outgoing packets through”
This selects the method of sending outgoing packets. Select “Through interface” and choose an interface.
• “GW”
If you choose an Ethernet-type interface, it is necessary to enter here the IP address of the router/gateway on the network connected to the Ethernet interface.
• “DirecPC Gateway”
IP address of the DirecPC Gateway. The address is the same as the one used in the settings of the DirecPC software. If you do not know this address, contact your DirecPC provider.



If you select a RAS interface, then in the TCP/IP settings of the RAS entry, the “Use
default gateway of remote network” must not be checked.

Example Setting 1
The figure below shows a network configuration when the first method is used (outgoing packets are sent to the Internet using the DirecPC Navigator).

Example Setting 2
The figure below shows a network configuration when the second method is used. The outgoing packets are sent via a RAS interface (the device is a modem or an ISDN adapter). In the TCP/IP settings of the RAS entry, the “Use default gateway of remote network” must not be selected, otherwise all traffic will be routed to the RAS interface and DirecPC will not be used!

Example Setting 3
The figure below shows a network configuration when the second method is used and the outgoing packets are sent via an Ethernet interface.

Configuring TCP to Increase Throughput


To obtain the highest possible data throughput when connected to the Internet by means of DirecPC, set the size of the TCP receive window on all computers that will use DirecPC in the following manner:

In Windows NT:
Add an entry named “TcpWindowSize” (of type DWORD; if it already exists, edit it) under the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters.
Set its value to 0xBB80.

In Windows 95:
Add an entry named “DefaultRcvWindow” (of type string; if it already exists, edit it) under the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\MSTCP.
Set its value to “0xBB80”.

Dividing Network into Multiple Segments


When using a firewall to protect a local area network, it is in some situations necessary to change the network's configuration.
The first example shows the possibilities when the local area network is connected to the Internet via a router and uses registered IP addresses. This is the network's configuration:

Without NAT
The network still uses registered IP addresses, but is divided into segments with the
mask 255.255.255.224. The router is connected to segment 194.196.16.32, while the
local area network is segment 194.196.16.0. The computer which runs WinRoute uses
two network cards and is connected to both segments.

With NAT
The network is divided into two segments. One of them is public and uses registered IP addresses, while the other one uses addresses from a private address block. NAT is used when accessing the Internet from the private segment. The computer which runs WinRoute uses two network cards and is connected to both segments.
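The two layouts above, as an added example that is not part of the manual: the subnet arithmetic behind them, using Python's ipaddress module. The 194.196.16.0 block and the 255.255.255.224 mask are the manual's; the host addresses and the private block 192.168.1.0/24 are constructed for illustration.

```python
"""Added example, not from the manual: segment arithmetic for the
'Dividing Network into Multiple Segments' appendix."""
from ipaddress import IPv4Interface, IPv4Network


def split_registered_block(block: str, mask: str) -> list:
    """Split a registered block (e.g. a /24) into segments of the given mask."""
    net = IPv4Network(block, strict=False)
    prefix = IPv4Network(f"0.0.0.0/{mask}").prefixlen   # 255.255.255.224 -> /27
    return [str(s) for s in net.subnets(new_prefix=prefix)]


def segment_of(address: str, mask: str) -> str:
    """The segment (network address) a host address belongs to under the mask."""
    return str(IPv4Interface(f"{address}/{mask}").network)


def check_dual_homed(lan_if: str, router_if: str, mask: str) -> dict:
    """Without NAT: the WinRoute host's two cards must sit in two different
    segments, otherwise it is not routing between them and the packet
    filter on the box has nothing to separate."""
    lan_seg = IPv4Interface(f"{lan_if}/{mask}").network
    rtr_seg = IPv4Interface(f"{router_if}/{mask}").network
    return {
        "lan_segment": str(lan_seg),
        "router_segment": str(rtr_seg),
        "separate": lan_seg != rtr_seg and not lan_seg.overlaps(rtr_seg),
    }


def nat_layout(public_if: str, public_mask: str, private_block: str) -> dict:
    """With NAT: the public segment keeps registered addresses; the inside
    segment uses a private block, which is not routable on the Internet,
    so every outbound packet from it must be translated on the WinRoute host."""
    priv = IPv4Network(private_block)
    return {
        "public_segment": segment_of(public_if, public_mask),
        "private_segment": str(priv),
        "nat_required": priv.is_private,
    }
```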

Keyboard Shortcuts in WinRoute


Ctrl + I - Interfaces/NAT
Ctrl + D - Simple DNS Server
Ctrl + H - DHCP Server
Ctrl + F - Packet Filter
Ctrl + A - Interfaces/Anti-Spoofing
Ctrl + M - Port Mapping
Ctrl + N - Advanced NAT
Ctrl + G - Network Address Group
Ctrl + T - Time intervals
Ctrl + L - RAS Lines
Ctrl + S - Configuration dump
Ctrl + Shift + I - Interface table
Ctrl + Shift + R - Routing table
Ctrl + Shift + Q - Queue table
Ctrl + Shift + N - NAT table
Ctrl + Shift + L - Leased table
Ctrl + Shift + C - DNS Cache
Ctrl + Shift + S - Statistic


Copyright 1999, Tiny Software Inc.


www.tinysoftware.com
