Hey all.

Having a problem which I've been racking my brains over for a few days, trying to figure things out. As it's a bit of a lengthy one to explain, I took the liberty of recording a video earlier to show in more detail the problem I'm having. It involves trying to share a wireless internet connection through a server and then through a router.

Here's the YouTube link:

http://www.youtube.com/watch?v=S7gxnaO4A-c

As promised in the video, here are a few screen shots of some details.

ipconfig with ICS disabled: https://www.dropbox....icsdisabled.jpg

ipconfig with ICS enabled: https://www.dropbox..../icsenabled.jpg

LAN info pane: https://www.dropbox....cybtiwp/lan.jpg

Wireless info pane: https://www.dropbox....03/wireless.jpg

I forgot to take anything showing any settings of the router. If there's anything I haven't included which could help, please do let me know as I'm not entirely sure what information to include. Any help on this would be greatly appreciated.

Many thanks!

Andrew.

After watching the video, you are trying to access 2 different networks through 1 connection using the subnet mask of 255.255.255.0; this limits the connections to, say, the router's range of 192.168.1.x, and the other network won't be reached.

You need to change the subnet mask to 255.255.0.0, if memory serves me correctly, so that it is shared between the 2 different ranges (it's been a while since I've done anything like this, so I might be wrong here, but I think that is all you need to change).

**Edit**

Upon watching the video again, I think you need to do ICS through the other network connection, so that the network you are trying to share to is able to access the internet through the server, and the router it is connected to acts as a switch for the connections through the server.

Xendrome, the router there is a wireless one but to my knowledge, I can't connect to the wireless internet connection provided by the IT department AND allow computers to access our own little network for the likes of file sharing. What I don't want on the other client computers is to have to connect to the internet or our own private network. I want both of them to be available at the same time and have the internet run through the small network we have in place. I hope we're thinking along the same lines.

Thanks, YouWhat. So I think if I enable ICS on the wifi connection, I can no longer access the server from any of the other clients and the internet certainly doesn't get shared to any of them regardless if they're connected by wire or wirelessly. I can check in to this tomorrow though just to be sure.

Thanks so far :)

Andrew.

From the screen shots and the videos, what I saw was that server to router was a wired connection, and the wireless connection was for internet on the server, hence 2 separate networks, but the subnet mask on the server for the "shared" connection should be changed as I mentioned above to bridge the 2 networks, as they are on 2 different subnets.

You would use ICS if the WAN IP was on your PC NIC, and by the looks of it you ICS the wireless to the NIC and not ICS on the NIC to the wireless (unless your wireless to the NAT). Since you have a NAT in place you just need to bridge the NIC & wireless.

So you have two networks: your internal network for your LAN and the external network for your WAN, which in your case happens to be a USB connection.

You need some kind of routing between the two and different subnets.

Since you have it connected to the server you can use Routing and Remote Access to do NAT (or TMG); then you can simply add the router on the internal LAN and rely on the DHCP, DNS etc. you have in place already.

i.e. connect the router to the switch and give it a LAN IP.

ICS is best avoided on servers; it only works on 192.168.1.x or you have to modify the registry or your IP addressing scheme.

OK thanks YouWhat. That's something I'll be sure to try! Do I change the router's subnet or the server's subnet under XP's TCP/IP settings? Also, do I not just change it to match the wireless connection's subnet which ends in 252.0? I'm guessing the 0s in 255.255.0.0 correspond to xxx of the IP addresses? Confusing myself really now!

Andrew.

"allow computers to access our own little network for the likes of file sharing."

How many computers/servers do you have in your little network? And where are they wired to, to allow your file sharing?

You mention you "zero" out the gateway of your lan interface when you connect the wireless dongle - do you need that gateway to access anything? Where are you getting your wired IP from? Are you setting them static?

I don't understand why you don't just wire your machines to the wireless router and let it give you an IP and use it as your gateway.

If all you have is a handful of computers, **** even if it was hundreds.. If they are just an isolated network, with no other networks to connect to.. I don't really understand the issue - why did your IT dept hand out those dongles, you mention you have quite a few of them? When they could just wire your existing boxes to that router.

edit: So this is a hospital radio station - so it's not tied to the actual hospital network at ALL?? I sure hope not if you're just using wireless without any encryption.

So just noticed your lan setting did get an IP from dhcp.. What is acting as your dhcp server, is that something you control, or IT dept and you have access when not connected to wireless to other computers, domain? etc.. Trying to understand who controls that your computers are on a 192.168.1.0/24 network? And if you get to other networks like 192.168.2.0/24 when using the normal wired interface and its gateway?

There are 3 computers wired to the router, the server and 2 others. There are 3 more which are connected to the router wirelessly. The network is mainly used for file sharing really, as the station's music collection is spread out a bit amongst a few of the computers (something we're working on sorting).

If I don't zero out the gateway on the router's settings page, only the wireless internet connection on the server will work and access to the LAN won't, or vice versa depending on what adaptor you disable. I can't answer your question about if we need it to access anything as I'm not sure. As far as I'm concerned when I zero that out, both the Internet and LAN are accessible on the server.

The wired IP comes from DHCP on the router 192.168.1.100, 192.168.1.101, 192.168.1.102 and so on. I'd love it if I could just plug things in and have it all work! I wouldn't be having this issue to start with if it did. I can only wish.

We're all volunteers at the hospital radio station and our computers are not provided by the hospital trust or IT department. They've kindly provided us with the means of accessing the internet through wifi over a guest network for patients and clinical use. So really, we're on our own with it. They have no links or responsibility for us. I hope this helps clear up a few things.

Cheers!

Andrew.

Thanks for your feedback, Riva. So the IP address that we get given by the trust's wifi network is assigned by DHCP so we can't set a static IP as it's out of our control (I think this is right?). The server is always on and therefore should never go past its lease time. I'll try the other steps you suggested regarding the ethernet adaptor.

The problem with a switch is that there are other computers that we can't run network cable to. It's a PFI hospital as well which means we can go putting holes in walls or even securing cable with clips to walls etc. Running network cable to the other computers is sadly out of the question.

Andrew.

"There are 3 computers wired to the router"

What router??? That router you show in the video that gives you internet via wireless? Or that is your router that does not have internet?? You say you get internet via a tplink wireless, and then show a tplink router -- I assumed you got your internet from that router.. But that is not the case??

Draw out your network please -- you're making this WAY too complicated!!! See that wireless network you're on, 192.168.216 /22 -- who in the world would setup a /22 on a wireless network?? There is no freaking way that little tplink is going to be able to handle up to 1022 hosts.

So the wireless network that gives you internet is NOT the tplink in your video?

You mention some machines are wireless - so they are wireless to your router, and not the internet wireless?

What is the ssid of your wireless network, the one you show is uhguest and its not encrypted and has a /22 mask.

Ok this is how I understand your network - is this correct? Once we are clear on your setup, then we can work out how to share that internet connection while allowing your computers to still share stuff.

[Attached image: network diagram]

You might have a switch connected to your router as well? Not clear on that - but in general this is your setup, correct?

Here's the thing if you use ics on your server -- yes it's going to change your lan network to 192.168.0.0/24 and give itself a 192.168.0.1 address. Your other computers would now either get dhcp from your router, or your ics dhcp server that gets turned on when you enable ics.

Quick easy thing, if that is your correct setup, is to just turn off dhcp on your router. Set its IP to be on the 192.168.0.0/24 network - say .254 so you can still manage its wireless. You would want to verify what the ics dhcp server uses as its scope so you don't conflict..

Now let all your boxes get dhcp from your ics box - and they will all be on the 192.168.0.0/24 network and use that ics box as their gateway to the internet.

Please verify this is your setup and we can walk you through setting this up.

Well I'm pleased to say that thanks to your help BudMan, everything is working as we wanted! This was achieved by disabling DHCP on the router and setting its IP address to 192.168.0.254. The subnet mask was left as 255.255.255.0.

On the server, under TCP/IP properties I used 192.168.0.1 as the IP address and the same subnet mask as above. I then enabled ICS on the wireless network and enabled the following services:

DHCP (67)

DHCP (68)

DNS

Do I actually even need to enable these?

Also BudMan, your diagram was correct and there is no switch connected to the router anywhere. I'm really impressed this all works seamlessly and we're able to access files stored across the network as well!

Thanks very much once again!

Andrew.

This is one of the FEW scenarios where use of ICS actually makes sense ;)

Yes you're going to need to allow dhcp to your ics box from your other boxes and dns as well if you're going to use the dns forwarder feature of ICS.

Now one thing I would suggest is on your wireless network interface you unbind it from file and print sharing, windows network, etc. You're not going to want people on that guest network to access your server's file shares or even talk to it with windows networking from a security standpoint.

On the wireless card you're connecting to the uhguest network with, uncheck file and print sharing - I can't get a picture showing both since I have a few extra bindings. But there is also one called file and print sharing for microsoft networks - uncheck that as well.

[Attached image: adapter properties screenshot]

I would also double check what the dhcp scope of ICS is -- make sure it doesn't have the ability to hand out 192.168.0.254... Now it shouldn't since there should be a check to make sure it's not in use before it hands out a lease.. but I would double check what IPs by default ICS dhcp can hand out.. For all I know it can use the full .2 to .254 range?? Or maybe it's just .100 to .150?? You're free to use any static IPs that fall outside this scope. Just point them to the 192.168.0.1 for gateway and dns with /24 as mask.

"I would also double check what the dhcp scope of ICS is -- make sure it doesn't have the ability to hand out 192.168.0.254..."

That is what the OP has done: ICS is handing out IPs with a gateway IP to ICS, double NAT with wireless.

I know exactly what the OP did ;) I told him what to do ;)

But my point is - it might be possible that the ICS dhcp server might hand out that 192.168.0.254 that he setup on his router as its lan IP falls inside the ICS dhcp server scope?

I don't know off the top what it defaults to; it might be the whole subnet .2 to .254?? And since he is setting a static of .254 there COULD be a conflict at some point.

Here is an article I dug up for windows 7, might be the same reg keys for 2k3

http://support.microsoft.com/kb/230148

How to Change the IP Range for the Internet Connection Sharing DHCP service

I suggest he look in the registry for what range of IPs the ics dhcp server could hand out.. And if there are any STATICS (like he did on his router's lan IP) he wants to set, to adjust the dhcp range to reflect that and to not overlap.
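The overlap question raised in this post can be checked offline. The following is an added example, not code from any poster in the thread: it runs Python's `ipaddress` module over the addresses quoted in the thread, and the two DHCP scopes are assumptions taken from the guesses above, not ICS's real defaults. `usable_hosts` and `audit_plan` are hypothetical names.

```python
import ipaddress as ip

def usable_hosts(network):
    """Usable host addresses in an IPv4 subnet (network and broadcast excluded)."""
    return ip.ip_network(network).num_addresses - 2

def audit_plan(lan, upstream, statics, dhcp_scope):
    """Check a NAT'd LAN plan and return a list of human-readable findings.

    lan, upstream -- CIDR strings for the private LAN and for the network
                     the NAT host uses to reach the internet
    statics       -- {label: address} for manually configured devices
    dhcp_scope    -- (first, last) addresses the DHCP server may lease
    """
    lan_net, up_net = ip.ip_network(lan), ip.ip_network(upstream)
    first, last = (ip.ip_address(a) for a in dhcp_scope)
    findings = []

    # The NAT host needs two distinct subnets, one per interface.
    if lan_net.overlaps(up_net):
        findings.append(f"{lan_net} overlaps upstream {up_net}")

    if first not in lan_net or last not in lan_net or first > last:
        findings.append(f"DHCP scope {first}-{last} is not a valid range in {lan_net}")

    for label, addr in statics.items():
        a = ip.ip_address(addr)
        if a not in lan_net:
            findings.append(f"{label} {a} is outside {lan_net}")
        elif first <= a <= last:
            # A lease could later be issued for an address already set by hand.
            findings.append(f"{label} {a} is inside DHCP scope {first}-{last}")
    return findings

# Addresses quoted in the thread.
GUEST = "192.168.216.0/22"   # uhguest wireless, mask 255.255.252.0
LAN = "192.168.0.0/24"       # LAN side once ICS is enabled
STATICS = {"server": "192.168.0.1", "router": "192.168.0.254"}

# Assumed scopes: the thread only guesses at these, so both are checked.
SCOPE_WIDE = ("192.168.0.2", "192.168.0.254")
SCOPE_NARROW = ("192.168.0.100", "192.168.0.150")

if __name__ == "__main__":
    print("guest network hosts:", usable_hosts(GUEST))
    for scope in (SCOPE_WIDE, SCOPE_NARROW):
        print(scope, audit_plan(LAN, GUEST, STATICS, scope) or "no findings")
    # A 255.255.0.0 mask on the LAN side would also cover the guest range.
    print(audit_plan("192.168.0.0/16", GUEST, STATICS, SCOPE_NARROW))
```

Once the real scope has been read from the registry, pass it as `dhcp_scope` in place of the assumed ranges.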

"I know exactly what the OP did ;) I told him what to do ;)"

Except in your diagram you use 192.168.1.0/24; the OP used 192.168.0.0/24. Plus you list DHCP from your router in your diagram; the OP disabled the DHCP on the router.

https://www.neowin.net/forum/topic/1138762-sharing-a-wireless-internet-connection-through-a-server-router/page__p__595547032#entry595547032

Yeah I did use 192.168.1 -- because that is what HE WAS USING!! Look at the image he posted of icsdisabled

https://www.dropbox.com/s/fbia0vuswljaka8/icsdisabled.jpg

That drawing was his current setup, not a setup AFTER he set up ICS. Then I clearly stated

"yes it's going to change your lan network to 192.168.0.0/24 and give itself a 192.168.0.1 address."

Then read what I told him to do.. Disable dhcp on his router NOT connected to the internet. And give it a 192.168.0.254 address.

I was very CLEAR that was his current setup BEFORE he did anything with ICS -- look at it again!

Do I really need to draw it how it is working now that he did what I told him.. Which by the way he stated is working and thanked me for.

"Yeah I did use 192.168.1 -- because that is what HE WAS USING!! Look at the image he posted of icsdisabled

https://www.dropbox....icsdisabled.jpg"

Yes ICS was disabled guess where 192.168.1.x came from? The router when its DHCP was enabled.

^ duh!!! no **** dude.. I clearly stated that in the drawing where I list the other machines as dhcp from "your" router. Again that drawing was before he enabled ICS.

What is the point you're trying to make?

If he would have followed your advice

"since you have a NAT in place you just need to bridge the NIC & wireless. "

he would have placed all of his boxes on the 192.168.216 network that is shared with god knows who and is opened without any encryption.. That is NOT his wireless network that has internet, it's the hospital's and is open to ANYONE at the hospital I would assume, if you notice the settings he posted about that network, there is no encryption being used.

Look at the drawing I did - there are 2 routers in use here.. One that was his that had nothing on the wan interface and just provided a lan and wlan for his boxes. And then the GUEST hospital network.

Why would he want to share all his files with a guest network?? So yes it is currently a double nat, but since he does not control that internet router, and he had an isolated network before - this double nat protects his network from the guests, and still allows all his machines to get internet.

Which is again why I brought up to unbind microsoft networks and file and print sharing from the wireless interface he has on his server he enabled ICS with.

Yes, the wireless connection the OP has for Internet is a LAN IP which is NAT to a router for Internet, so if you ICS that you double NAT the connection, which is why a bridge is better so you don't double NAT.

As for no encryption by wireless that pretty much makes using the internet unsafe anyway.

"why a bridge is better so you don't double NAT."

Clearly you're NOT getting it, I have clearly explained the setup so I am not sure how else to go about it - yes it is a DOUBLE NAT! Because he does not control that Wireless network he is using for internet, and there are OTHER users on it!! I would have to assume a LOT, if they setup a /22 mask.

He has file shares on his SERVER that before were only shared with his boxes connected to his isolated router be it wired or wireless. So now he is leveraging the OPEN guest wireless network for internet access.. Why in the world would he want to use that network as his own via a bridge??

I agree with you double nat is normally not something you want to do.. But in this CASE, it is the best option because there could be hostiles on that 192.168.216.x/22 network. Now if he controlled that 216 network, and the clients that connected to it, and was ok with them having access to his shares, then sure bridge would be an option.

Yes if he so desired he could just bridge and let all his boxes get IPs from the UHGuest router - and now his boxes would be open to all the other possible 1000 other clients on that network.. You would hope that they at least have Wireless Isolation on.. But if they did, then his wireless clients would not be able to talk to his other wireless clients.

This maintains his previous isolated network, while leveraging the GUEST network as path to the internet.

Oh wow OK so potentially others connected to the UHGUEST network could see the computers in our own CHR Network? I've secured our own wireless network "CHR Network" with a password so only we can access that. I'll look for an option to deselect file and printer sharing. Off the top of my head I can only ever remember seeing it under the "Set up a home or small office network" wizard.

How would I go about finding what the DHCP range is for ICS as I'm not sure? I think I've observed computers being given random IP addresses rather than sequential ones. I'll check when I'm back in tomorrow though. Also, is there a DHCP client list I can view to see what computers are connected? Just in case we get an intruder that somehow finds the hidden wireless network and guesses the password. I'd also be interested in seeing the IPs of all the PCs on our small network.

Oh OK so I see from that KB article that I can use the registry to change or see what the IP range is for ICS then, so I'll take a peek at that as well. I'm pretty sure that the UHGUEST network pretty much blankets the whole of the hospital and is used by a LOT of people and clinical use as well. In fact I think it's caused upset with the company that run the bedside entertainment units but that's a whole different thing altogether which I dare not get involved with.

There is a disclaimer before you start using the Internet as you have to log in through a hospital trust branded web page on 1.1.1.1 advising not to use credit card details etc. I'm just leaving the server logged in to that page to save others having to do it and I don't think they'd want everyone knowing the login details anyway.

I'll get back to you all tomorrow once I'm there again as this is quite interesting now really!

Andrew.

Yeah your ICS sets up a nat, so unless a box on your now 192.168.0 network initiated a conversation with an IP on 192.168.216 they can not talk to your boxes.

But your server that is doing the NAT has an IP on the 192.168.216 network, and if he was sharing his files to that network - then yes it would be possible for someone to access them. Doesn't sound like you have any security setup on your shares, but even if you did - not something I would be comfortable with as the only security between your files and any of the 1000's of users on the guest network with many of them in the hospital with nothing to do but play on the network ;)

Just right click and go to properties on your wireless card and you will see how to unbind the files and print sharing from that interface.

I would be the first one to point out a double nat being a bad setup, but in this case it makes sense. Normally it is not something you want - but in this case you DO want it! Because it isolates your network from the guest. Just like in your home setup your NAT router isolates your boxes from the public internet where bad stuff happens ;) Unless you on purpose forward traffic inside, or start the conversation with the box on the internet.

In this case think of 192.168.216 as the internet, you don't want your boxes directly connected to it.
