
Building a Windows firewall/gateway

How to create a dual-homed router/firewall using Windows 2000.


In a previous How To we looked at how you set up Linux as a basic gateway with some simple firewall rules. In this article, we'll describe how you achieve something similar using Windows 2000.

Basic equipment
The first requirement is for a PC with a pair of Ethernet cards for which Windows 2000 drivers are available. One of our "staple" lab machines is a Pentium-III with 512MB RAM, a 20GB hard disk and two network adaptors – one NetGear, one SMC (the adaptors don't have to be identical). Next, you need a copy of Windows 2000 Server; we used the standard release, which has everything you need.

When installing Windows, there are two things to remember. First, if you decide to do a custom install instead of going with the defaults, make sure the Routing and Remote Access feature is selected. Second, instead of allowing the network adaptors to obtain their addresses automatically, allocate their addresses by hand, either during installation or afterwards via the Network and Dial-up Connections control panel. Here's how to do it.

The addresses
Let's assume we want to run our Windows PC as the gateway between two networks – 192.168.1.x and 192.168.2.x. The 192.168.1.x network has a connection to the Internet via a DSL router, whose address is 192.168.1.1. The 192.168.2.x network will route through the 192.168.1.x network to get to the Internet.

On our test machine, the SMC NIC is the 192.168.1.x world, so we'll tell it the following:

IP address 192.168.1.220
Network mask 255.255.255.0 (a Class C subnet)
Default route 192.168.1.1 (the Internet router)

The NetGear NIC drives the 192.168.2.x world, and we tell it:

IP address 192.168.2.220
Network mask 255.255.255.0
No default route – we've already defined it on the other adaptor

All the machines in the 192.168.2.x world should be told that their default gateway is 192.168.2.220 – this way, they'll send anything destined for somewhere outside the subnet to our new router.

Routing and remote access
Once the addresses are set up correctly, we tell the machine to become a router. In the Start menu, select Programs->Administrative Tools->Routing and Remote Access. The RRAS window opens, and it should notice that there's just one server, flagged as "local". Setting up routing is dead easy, as there's a handy wizard that does everything for us, so right-click on the server icon and select "Configure and Enable Routing and Remote Access".

The first question asks us what type of device we're setting up. We're going for the last option but one, "Network router". Hit Next, and it'll tell us that the only protocol it knows about is TCP/IP; we could add others, but we only care about TCP/IP, so we can safely hit Next. Now we're asked whether we want to use dial-on-demand networking (i.e. modem or ISDN) to connect to remote networks; as we're building an Ethernet router, we leave the default "No" selected, and hit Next. On the final screen, hit "Finish" and the job's done – it fires up the routing service and we're ready to go.

The WAN router
Actually, we're not quite ready to go, as there's one more thing we need to do – namely tell the existing WAN router that the 192.168.2.x network exists, as it doesn't know already. Although routers can use routing protocols such as RIP and OSPF to exchange this kind of information automatically, you generally find that these features aren't turned on by default on most devices, so the simplest way to go is to add an entry to the Static Routes screen on your router. Give it an entry for network 192.168.2.0, netmask 255.255.255.0, gateway 192.168.1.220, and now you really are ready to go.

You can test the router by running up a client on the 192.168.2.x network and attempting to ping something in the 192.168.1.x network. If you get a response, everything's OK; if you don't, you probably typed an address in wrongly somewhere in the setup process, so go back to the Network and Dial-up Connections control panel and double-check everything.
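To show why the static route on the WAN router matters, here is an added Python model of the three routing tables involved (constructed for this article, not code from Windows or from the DSL router). It does a longest-prefix lookup on each table; the address 203.0.113.10 stands in for "somewhere on the Internet" and "upstream-isp" is a placeholder for the DSL router's own next hop.

```python
import ipaddress

# Constructed routing tables for the setup described above:
# (prefix, next hop); a next hop of None means "directly connected".
GATEWAY_ROUTES = [
    ("192.168.1.0/24", None),           # SMC NIC, 192.168.1.220
    ("192.168.2.0/24", None),           # NetGear NIC, 192.168.2.220
    ("0.0.0.0/0", "192.168.1.1"),       # default route via the DSL router
]

# The DSL router only knows its own LAN and its upstream link.
WAN_ROUTER_BEFORE = [
    ("192.168.1.0/24", None),
    ("0.0.0.0/0", "upstream-isp"),      # placeholder for the ISP next hop
]

# The same table after the static route from the article is added.
WAN_ROUTER_AFTER = WAN_ROUTER_BEFORE + [("192.168.2.0/24", "192.168.1.220")]


def lookup(routes, dst):
    """Longest-prefix match: return (prefix, next_hop) for dst, or None."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return None if best is None else (str(best[0]), best[1])


def next_hop(routes, dst):
    """Where a router holding this table would forward a packet for dst."""
    match = lookup(routes, dst)
    if match is None:
        return "no route"
    return "direct" if match[1] is None else match[1]


if __name__ == "__main__":
    # Outbound: a 192.168.2.x host's packet to the Internet, seen by our gateway.
    print("gateway -> 203.0.113.10:", next_hop(GATEWAY_ROUTES, "203.0.113.10"))
    # Return traffic at the DSL router: without the static route it is sent
    # back upstream instead of to our gateway, so the ping never gets answered.
    print("DSL router -> 192.168.2.50 before:", next_hop(WAN_ROUTER_BEFORE, "192.168.2.50"))
    print("DSL router -> 192.168.2.50 after: ", next_hop(WAN_ROUTER_AFTER, "192.168.2.50"))
```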

Forwarding policies
Like Linux, Windows includes some basic packet filtering that you can use as a rudimentary firewall. You enable filtering by double-clicking on an interface in the RRAS configuration screen and clicking the "Input Filters" button. As we did with our Linux machine, you can now define permissions based on IP address and port number. So if we wanted to allow "ping" traffic, we'd define a rule as follows:

Source address: any
Destination address: any
Protocol: ICMP
Type: any
Code: any

An "allow HTTP" rule would be:

Source address: any
Destination address: any
Protocol: TCP
Source port: any
Destination port: any

Note that it's normal to select the "Drop all packets except those that meet the criteria below" button – a "deny by default" policy. This means that anything we don't specifically define will be dropped by the router.
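To make the deny-by-default behaviour concrete, here is an added Python model of the input-filter logic (constructed for this article; it is not code from RRAS). It runs the two rules exactly as listed above over some constructed packets, and shows the caveat a practitioner should notice: the "allow HTTP" rule has destination port "any", so it actually admits every TCP packet; the narrowed variant with destination port 80 is my assumption of what the rule is meant to do.

```python
from dataclasses import dataclass
from typing import Optional

ANY = None  # stands for the "any" choice in the RRAS filter dialog


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                    # "ICMP", "TCP" or "UDP"
    sport: Optional[int] = None   # TCP/UDP source port, or ICMP type
    dport: Optional[int] = None   # TCP/UDP destination port, or ICMP code


@dataclass(frozen=True)
class Rule:
    proto: str
    src: Optional[str] = ANY
    dst: Optional[str] = ANY
    sport: Optional[int] = ANY    # "Type" for ICMP rules
    dport: Optional[int] = ANY    # "Code" for ICMP rules

    def matches(self, p: Packet) -> bool:
        checks = [(self.proto, p.proto), (self.src, p.src), (self.dst, p.dst),
                  (self.sport, p.sport), (self.dport, p.dport)]
        return all(want is ANY or want == have for want, have in checks)


def filter_decision(rules, packet, drop_by_default=True):
    """RRAS semantics: with "Drop all packets except those that meet the
    criteria below" selected, a packet is accepted only if some rule matches."""
    hit = any(r.matches(packet) for r in rules)
    if drop_by_default:
        return "accept" if hit else "drop"
    return "drop" if hit else "accept"   # the opposite radio button


# The two rules exactly as the article lists them.
ARTICLE_RULES = [Rule("ICMP"), Rule("TCP")]
# Constructed variant: the HTTP rule narrowed to destination port 80 (assumed intent).
NARROWED_RULES = [Rule("ICMP"), Rule("TCP", dport=80)]

# Constructed sample traffic arriving on the 192.168.2.x interface.
PING = Packet("192.168.2.50", "192.168.1.10", "ICMP", 8, 0)
HTTP = Packet("192.168.2.50", "192.168.1.10", "TCP", 40000, 80)
RDP = Packet("192.168.2.50", "192.168.1.10", "TCP", 40001, 3389)
DNS = Packet("192.168.2.50", "192.168.1.1", "UDP", 40002, 53)
```

With the article's rules, `filter_decision(ARTICLE_RULES, RDP)` returns "accept", whereas the narrowed rule set drops it and still accepts the port-80 packet; UDP traffic such as DNS is dropped by both, because nothing matches it.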

As with the Linux installation we looked at before, packet filtering gives only the most rudimentary firewalling capabilities. But it's a start, and if you need to go further, that's what third-party firewall software is for.
