Sharing a wireless internet connection through a server & router

29 replies to this topic

#16 OP Andrew Smith

Andrew Smith

    Neowinian

  • Joined: 21-September 10

Posted 27 February 2013 - 15:14

Well I'm pleased to say that thanks to your help BudMan, everything is working as we wanted! This was achieved by disabling DHCP on the router and setting its IP address to 192.168.0.254. The subnet mask was left as 255.255.255.0.

On the server, under TCP/IP properties I used 192.168.0.1 as the IP address and the same subnet mask as above. I then enabled ICS on the wireless network and enabled the following services:

DHCP (67)
DHCP (68)
DNS

Do I actually even need to enable these?

Also BudMan, your diagram was correct and there is no switch connected to the router anywhere. I'm really impressed this all works seamlessly and we're able to access files stored across the network as well!

Thanks very much once again!

Andrew.


#17 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 90
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 27 February 2013 - 15:22

This is one of the FEW scenarios where use of ICS actually makes sense ;)

Yes you're going to need to allow dhcp to your ics box from your other boxes and dns as well if you're going to use the dns forwarder feature of ICS.

Now one thing I would suggest is on your wireless network interface you unbind it from file and print sharing, windows network, etc. You're not going to want people on that guest network to access your server's file shares or even talk to it with windows networking from a security standpoint.

On the wireless card you're connecting to the uhguest network with, uncheck file and print sharing - I can't get a picture showing both since I have a few extra bindings. But there is also one called file and print sharing for microsoft networks - uncheck that as well.

wirelessbindings.jpg

I would also double check what the dhcp scope of ICS is -- make sure it doesn't have the ability to hand out 192.168.0.254... Now it shouldn't since there should be a check to make sure it's not in use before it hands out a lease.. but I would double check what IPs by default ICS dhcp can hand out.. For all I know it can use the full .2 to .254 range?? Or maybe it's just .100 to .150?? You're free to use any static IPs that fall outside this scope. Just point them to the 192.168.0.1 for gateway and dns with /24 as mask.

#18 +PeterUK

PeterUK

    Neowinian Senior

  • Tech Issues Solved: 4
  • Joined: 26-March 07

Posted 27 February 2013 - 19:18

I would also double check what the dhcp scope of ICS is -- make sure it doesn't have the ability to hand out 192.168.0.254...

That is what the OP has done ICS is handing out IP's with a gateway IP to ICS double NAT with wireless.

#19 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 90
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 27 February 2013 - 19:40

I know exactly what the OP did ;) I told him what to do ;)

But my point is - it might be possible that the ICS dhcp server might hand out that 192.168.0.254 that he set up on his router as its lan IP falls inside the ICS dhcp server scope?

I don't know off the top what it defaults to, it might be the whole subnet .2 to .254?? And since he is setting a static of .254 there COULD be a conflict at some point.

Here is an article I dug up for windows 7, might be the same reg keys for 2k3

http://support.microsoft.com/kb/230148
How to Change the IP Range for the Internet Connection Sharing DHCP service

I suggest he look in the registry for what range of IP the ics dhcp server could hand out.. And if there is any STATICS (like he did on his router's lan IP) he wants to set to adjust the dhcp range to reflect that and to not overlap.
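The overlap check discussed in the post above, as an added example (not code from the thread or from Microsoft). The two scopes tested are the guesses mentioned in the thread (.2 to .254 and .100 to .150), not a confirmed ICS default, and the function names and host labels are hypothetical.

```python
import ipaddress

def audit_statics(subnet, scope_start, scope_end, statics):
    """Return (name, ip, problem) tuples for static addresses that are unsafe."""
    net = ipaddress.ip_network(subnet)
    lo = ipaddress.ip_address(scope_start)
    hi = ipaddress.ip_address(scope_end)
    if lo > hi or lo not in net or hi not in net:
        raise ValueError("DHCP scope must be an ordered range inside the subnet")
    findings, seen = [], {}
    for name, text in statics.items():
        ip = ipaddress.ip_address(text)
        if ip not in net:
            findings.append((name, text, "outside subnet"))
        elif ip in (net.network_address, net.broadcast_address):
            findings.append((name, text, "network/broadcast address"))
        elif lo <= ip <= hi:
            # The DHCP server may lease this address to another client.
            findings.append((name, text, "inside DHCP scope"))
        if ip in seen:
            findings.append((name, text, "duplicate of " + seen[ip]))
        seen.setdefault(ip, name)
    return findings

def free_static_ranges(subnet, scope_start, scope_end):
    """Host ranges in the subnet that the DHCP scope never covers."""
    net = ipaddress.ip_network(subnet)
    lo = ipaddress.ip_address(scope_start)
    hi = ipaddress.ip_address(scope_end)
    first, last = net.network_address + 1, net.broadcast_address - 1
    ranges = []
    if first < lo:
        ranges.append((str(first), str(lo - 1)))
    if hi < last:
        ranges.append((str(hi + 1), str(last)))
    return ranges

# Constructed inputs: addresses from the thread, host labels are hypothetical.
STATICS = {"ics-server": "192.168.0.1", "router-lan": "192.168.0.254"}
WIDE = ("192.168.0.2", "192.168.0.254")      # assumed "whole subnet" scope
NARROW = ("192.168.0.100", "192.168.0.150")  # assumed narrower scope

if __name__ == "__main__":
    for label, (start, end) in (("wide", WIDE), ("narrow", NARROW)):
        print(label, audit_statics("192.168.0.0/24", start, end, STATICS))
        print(label, free_static_ranges("192.168.0.0/24", start, end))
```

Once the real scope has been read from the ICS host, substitute it for the assumed ranges and add every statically addressed device to the dictionary.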

#20 +PeterUK

PeterUK

    Neowinian Senior

  • Tech Issues Solved: 4
  • Joined: 26-March 07

Posted 27 February 2013 - 20:22

I know exactly what the OP did ;) I told him what to do ;)

Except in your diagram you use 192.168.1.0/24 the OP used 192.168.0.0/24 plus you list DHCP from your router in your diagram the OP disabled the DHCP on the router.
http://www.neowin.ne...#entry595547032

#21 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 90
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 27 February 2013 - 20:27

Yeah I did use 192.168.1 -- because that is what HE WAS USING!! Look at the image he posted of icsdisabled

https://www.dropbox....icsdisabled.jpg

That drawing was his current setup, not a setup AFTER he setup ICS. Then I clearly stated

"yes its going to change your lan network to 192.168.0.0/24 and give itself a 192.168.0.1 address."

Then read what I told him to do.. Disable dhcp on his router NOT connected to the internet. And give it a 192.168.0.254 address.

I was very CLEAR that was his current setup BEFORE he did anything with ICS -- look at it again!

Do I really need to draw it how it is working now that he did what I told him.. Which by the way he stated is working and thanked me for.

#22 +PeterUK

PeterUK

    Neowinian Senior

  • Tech Issues Solved: 4
  • Joined: 26-March 07

Posted 27 February 2013 - 20:35

Yeah I did use 192.168.1 -- because that is what HE WAS USING!! Look at the image he posted of icsdisabled

https://www.dropbox....icsdisabled.jpg

Yes ICS was disabled guess where 192.168.1.x came from? The router when its DHCP was enabled.

#23 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 90
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 27 February 2013 - 20:37

^ duh!!! no **** dude.. I clearly stated that in the drawing where I list the other machines as dhcp from "your" router. Again that drawing was before he enabled ICS.

What is the point you're trying to make?

If he would have followed your advice

"since you have a NAT in place you just need to bridge the NIC & wireless. "

he would have placed all of his boxes on the 192.168.216 network that is shared with god knows who and is opened without any encryption.. That is NOT his wireless network that has internet, it's the hospital's and is open to ANYONE at the hospital I would assume, if you notice the settings he posted about that network, there is no encryption being used.

Look at the drawing I did - there are 2 routers in use here.. One that was his that had nothing on the wan interface and just provided a lan and wlan for his boxes. And then the GUEST hospital network.

Why would he want to share all his files with a guest network?? So yes it is currently a double nat, but since he does not control that internet router, and he had an isolated network before - this double nat protects his network from the guests, and still allows all his machines to get internet.

Which is again why I brought up to unbind microsoft networks and file and print sharing from the wireless interface he has on his server he enabled ICS with.

#24 +PeterUK

PeterUK

    Neowinian Senior

  • Tech Issues Solved: 4
  • Joined: 26-March 07

Posted 27 February 2013 - 20:51

^ duh!!! no **** dude.. I clearly stated that in the drawing where I list the other machines as dhcp from "your" router. Again that drawing was before he enabled ICS.

What is the point you're trying to make?

If he would have followed your advice

"since you have a NAT in place you just need to bridge the NIC & wireless. "

he would have placed all of his boxes on the 192.168.216 network that is shared with god knows who and is opened without any encryption.. That is NOT his wireless network that has internet, it's the hospital's and is open to ANYONE at the hospital I would assume, if you notice the settings he posted about that network, there is no encryption being used.

Look at the drawing I did - there are 2 routers in use here.. One that was his that had nothing on the wan interface and just provided a lan and wlan for his boxes. And then the GUEST hospital network.

Why would he want to share all his files with a guest network?? So yes it is currently a double nat, but since he does not control that internet router, and he had an isolated network before - this double nat protects his network from the guests, and still allows all his machines to get internet.

Which is again why I brought up to unbind microsoft networks and file and print sharing from the wireless interface he has on his server he enabled ICS with.

Yes the wireless connection the OP has for Internet is a LAN IP which is NAT to a router for Internet so you ICS that you double NAT the connection which is why a bridge is better so you don't double NAT.

As for no encryption by wireless that pretty much makes using the internet unsafe anyway.

#25 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 90
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 27 February 2013 - 21:02

"why a bridge is better so you don't double NAT."

Clearly you're NOT getting it, I have clearly explained the setup so I am not sure how else to go about it - yes it is a DOUBLE NAT! Because he does not control that Wireless network he is using for internet, and there are OTHER users on it!! I would have to assume a LOT, if they set up a /22 mask.

He has file shares on his SERVER that before were only shared with his boxes connected to his isolated router be it wired or wireless. So now he is leveraging the OPEN guest wireless network for internet access.. Why in the world would he want to use that network as his own via a bridge??

I agree with you double nat is normally not something you want to do.. But in this CASE, it is the best option because there could be hostiles on that 192.168.216.x/22 network. Now if he controlled that 216 network, and the clients that connected to it, and was ok with them having access to his shares, then sure bridge would be an option.

Yes if he so desired he could just bridge and let all his boxes get IPs from the UHGuest router - and now his boxes would be open to all the other possible 1000 other clients on that network.. You would hope that they at least have Wireless Isolation on.. But if they did, then his wireless clients would not be able to talk to his other wireless clients.

This maintains his previous isolated network, while leveraging the GUEST network as path to the internet.

#26 OP Andrew Smith

Andrew Smith

    Neowinian

  • Joined: 21-September 10

Posted 27 February 2013 - 21:42


Oh wow OK so potentially others connected to the UHGUEST network could see the computers in our own CHR Network? I've secured our own wireless network "CHR Network" with a password so only we can access that. I'll look for an option to deselect file and printer sharing. Off the top of my head I can only ever remember seeing it under the "Set up a home or small office network" wizard.


How would I go about finding what the DHCP range is for ICS as I'm not sure? I think I've observed computers being given random IP addresses rather than sequential ones. I'll check when I'm back in tomorrow though. Also, is there a DHCP client list I can view to see what computers are connected? Just in case we get an intruder that somehow finds the hidden wireless network and guesses the password. I'd also be interested in seeing the IPs of all the PCs on our small network.


Oh OK so I see from that KB article that I can use the registry to change or see what the IP range is for ICS then so I'll take a peek at that as well. I'm pretty sure that the UHGUEST network pretty much blankets the whole of the hospital and is used by a LOT of people and clinical use as well. In fact I think it's caused upset with the company that runs the bedside entertainment units but that's a whole different thing altogether which I dare not get involved with.


There is a disclaimer before you start using the Internet as you have to log in through a hospital trust branded web page on 1.1.1.1 advising not to use credit card details etc. I'm just leaving the server logged in to that page to save others having to do it and I don't think they'd want everyone knowing the login details anyway.


I'll get back to you all tomorrow once I'm there again as this is quite interesting now really!


Andrew.


#27 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 90
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 27 February 2013 - 22:05

Yeah your ICS sets up a nat, so unless a box on your now 192.168.0 network initiated a conversation with an IP on 192.168.216 they can not talk to your boxes.

But your server that is doing the NAT has an IP on the 192.168.216 network, and if he was sharing his files to that network - then yes it would be possible for someone to access them. Doesn't sound like you have any security setup on your shares, but even if you did - not something I would be comfortable with as the only security between your files and any of the 1000's of users on the guest network with many of them in the hospital with nothing to do but play on the network ;)

Just right click and go to properties on your wireless card and you will see how to unbind the files and print sharing from that interface.

I would be the first one to point out a double nat being a bad setup, but in this case it makes sense. Normally it is not something you want - but in this case you DO want it! Because it isolates your network from the guest. Just like in your home setup your NAT router isolates your boxes from the public internet where bad stuff happens ;) Unless you on purpose forward traffic inside, or start the conversation with the box on the internet.

In this case think of 192.168.216 as the internet, you don't want your boxes directly connected to it.

#28 OP Andrew Smith

Andrew Smith

    Neowinian

  • Joined: 21-September 10

Posted 27 February 2013 - 23:25

OK so no one is going to try and communicate with a computer on the outside network so that's one problem out of the way. I'm not sharing files on the server to the outside network so that's OK as well right? I'll be sure to look at those properties for the wireless adaptor. Hey I'm just chuffed that it all works myself, big time!

Now I'm really going to throw the boat out here with this next question. I'd like to enable remote desktop connection on one of the computers on our network so that I can access it from home. Can this be done? I found a guide but given that there's the Trust's network and then ours... ARGH!

Anyway this is the guide... http://www.datamatio...Connections.htm

Many thanks!

#29 +PeterUK

PeterUK

    Neowinian Senior

  • Tech Issues Solved: 4
  • Joined: 26-March 07

Posted 28 February 2013 - 00:28

Clearly you're NOT getting it, I have clearly explained the setup so I am not sure how else to go about it - yes it is a DOUBLE NAT! Because he does not control that Wireless network he is using for internet, and there are OTHER users on it!! I would have to assume a LOT, if they set up a /22 mask.

He has file shares on his SERVER that before were only shared with his boxes connected to his isolated router be it wired or wireless. So now he is leveraging the OPEN guest wireless network for internet access.. Why in the world would he want to use that network as his own via a bridge??

I agree with you double nat is normally not something you want to do.. But in this CASE, it is the best option because there could be hostiles on that 192.168.216.x/22 network. Now if he controlled that 216 network, and the clients that connected to it, and was ok with them having access to his shares, then sure bridge would be an option.

Yes if he so desired he could just bridge and let all his boxes get IPs from the UHGuest router - and now his boxes would be open to all the other possible 1000 other clients on that network.. You would hope that they at least have Wireless Isolation on.. But if they did, then his wireless clients would not be able to talk to his other wireless clients.

This maintains his previous isolated network, while leveraging the GUEST network as path to the internet.

So setup a VPN on the server for access to the file shares or use a firewall or get another box to do the wireless and NIC bridge with ACL switch to block access to file shares ports or get some more bad boys so that wireless for internet wired for file shares or add another NIC in the PC's and another switch for file shares and the other NIC for internet on the other switch with the server doing the bridge with one NIC and wireless and another NIC for the file shares.

But ICS double NAT is cheap so we leave it at that.

#30 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 90
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 28 February 2013 - 06:47

"I'm not sharing files on the server to the outside network"

So you undid the bindings on the wireless nic on your server?

"I'd like to enable remote desktop connection on one of the computers"

Not unless you had control of the hospital router at the NAT point to the internet, remote desktop is not going to work. You're not going to be able to allow inbound unsolicited traffic in this sort of setup. You will have to use something like teamviewer or logmein -- they maintain a connection to the internet, and then you can remote in. I know teamviewer is free for noncommercial use - so don't see an issue with using it since your volunteer setup I thought that is what you said in the video.