Installing a Home Network: Part 3
by Jonathan Gennick
01/05/2001
In my two previous articles, I wrote about how cable Internet service was brought to my house, and how I ran CAT5 twisted-pair cable to my various computers. In my second article, I also showed how easy it was to configure my client PCs to use DHCP, so that they could make use of my newly established Internet connection. My final task, and the subject of this article, was to configure my two servers with fixed IP addresses, one of which I wanted to run a web server visible to the outside world.
Securing My New Connection
My UGate-3200 acts as a simple router. The cable company assigns me an IP address using DHCP every two days or every time I restart the router. The UGate-3200 also acts as a DHCP client, and it picks up whatever address the cable company assigns. That address stays with the UGate-3200. The machines on my internal network have their own set of addresses that aren't visible to the outside world. I configure the UGate-3200 using a web browser such as Internet Explorer. The following is a screenshot of the status screen that shows the different network settings in effect:
The WAN section contains the wide area network settings. This is how my local network looks to the outside world. My external IP address is currently 24.213.39.54. Whenever I load a web page from any of my computers, it will appear as if the request is coming from that address. The LAN section shows some of my local area network settings. The LAN IP address in this case is the address of the UGate-3200 on my local network. My computers all have addresses in the 192.168.0.x range. These addresses are meaningful only on my internal network. They are not visible from the outside.
In its out-of-the-box configuration, the UGate-3200 blocks all connection requests from the outside world. That's good because it allows me to "see out" and look at Web pages, but hackers are prevented from connecting to my computers from outside the firewall. The process of translating between my many internal addresses and my one external address is referred to as network address translation (NAT). NAT, combined with blocking all inbound connections, provides the security that I need.
Configuring My Servers
The UGate-3200 can act as a DHCP server to my computers, automatically assigning them addresses on my internal network. The following screenshot is of the DHCP Setting screen for the UGate-3200. The DHCP server feature is enabled, and the starting IP address is specified at 192.168.0.2. A total of 50 DHCP users is allowed, so the UGate-3200 will hand out addresses in the range 192.168.0.2 through 192.168.0.51. Two of my computers are configured as DHCP clients, and take full advantage of this feature. My other two machines are servers, and must have fixed IP addresses on my internal network.
One of my servers runs Windows NT 4.0. In order to configure it, I had to go to the TCP/IP Properties window, click on the IP Address tab, and type in an IP address. For example:
Notice that the fixed IP address that I assigned is well above the range that the UGate-3200 will use for DHCP clients. The network mask matches what is shown for the LAN settings on the UGate-3200 Status screen. The gateway address is the address of the UGate-3200 itself, because the UGate-3200 acts as the gateway for my network.
In addition to specifying an IP address, I had to specify my ISP's DNS server addresses. I did this from the DNS tab of the TCP/IP Properties window, as shown in the screenshot that follows. I was able to obtain my ISP's DNS server addresses from the UGate-3200 Status screen. It obtained them automatically because it acts as a DHCP client to my ISP.
With these settings in place, I rebooted my machine and was able to browse the Internet. Next up was my Linux server, which was a little more difficult to configure because I had to find and edit some configuration files that I don't normally touch. The /etc/sysconfig/network file contains the gateway IP address. I edited the file, set the gateway address to the address of the UGate-3200 on my local network, and the file now appears as follows:
NETWORKING=yes
HOSTNAME=donna.gennick.org
GATEWAY=192.168.0.1
The rest of my IP settings were in the file /etc/sysconfig/network-scripts/ifcfg-eth0. I edited that file and plugged in the following values:
DEVICE=eth0
BROADCAST=192.168.0.255
IPADDR=192.168.0.101
NETMASK=255.255.255.0
NETWORK=192.168.0.0
ONBOOT=yes
The IPADDR value is the IP address that I want my Linux server to recognize. The NETMASK setting is the same as on my Windows NT server. I set the values for BROADCAST and NETWORK to those recommended in the book Running Linux. The first three numbers in the network address match the IP address because the first three values in the network mask are 255. The fourth network mask value is 0, so the fourth network address value is also 0. The BROADCAST setting is the network address, but with the fourth number set to 255. With these settings in place, my Linux server was up and running on the network.
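The NETWORK and BROADCAST arithmetic above, and the earlier point that a fixed address must sit outside the router's DHCP pool, as an added example that is not from the article: it derives the two ifcfg-eth0 values for any netmask (not only the 255.255.255.0 case shown) and checks a static host's settings against the router's pool. The function names are mine; the addresses are the article's.

```python
# Added example: derive NETWORK and BROADCAST from IPADDR and NETMASK the way
# the article describes, for any netmask, and sanity-check a fixed-address host
# against the router's DHCP pool. Function names are assumptions, not the page's.
import ipaddress

def to_int(dotted):
    """Convert a dotted-quad string to a 32-bit integer."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(o < 0 or o > 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def to_dotted(value):
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def derive_ifcfg(ipaddr, netmask):
    """Return the NETWORK and BROADCAST values for ifcfg-eth0.
    NETWORK keeps the address bits where the mask bits are 1 and zeroes the
    rest; BROADCAST sets every host bit to 1 (the fourth octet 255 in a /24)."""
    ip, mask = to_int(ipaddr), to_int(netmask)
    network = ip & mask
    broadcast = network | (~mask & 0xFFFFFFFF)
    return {"NETWORK": to_dotted(network), "BROADCAST": to_dotted(broadcast)}

def check_static_host(ipaddr, netmask, gateway, dhcp_start, dhcp_count):
    """Report problems with a fixed-address host behind a router that also
    hands out DHCP leases: the gateway must share the host's subnet, and the
    host must sit outside the pool so the router never leases its address."""
    problems = []
    net = ipaddress.ip_network(f"{ipaddr}/{netmask}", strict=False)
    if ipaddress.ip_address(gateway) not in net:
        problems.append("gateway is not on the host's subnet")
    pool_first = to_int(dhcp_start)
    pool_last = pool_first + dhcp_count - 1
    if pool_first <= to_int(ipaddr) <= pool_last:
        problems.append(f"address lies inside DHCP pool {dhcp_start}-{to_dotted(pool_last)}")
    if to_int(ipaddr) in (int(net.network_address), int(net.broadcast_address)):
        problems.append("address is the network or broadcast address")
    return problems

if __name__ == "__main__":
    # The article's values: Linux server 192.168.0.101/24, router 192.168.0.1,
    # DHCP pool starting at 192.168.0.2 with 50 addresses (.2 through .51).
    print(derive_ifcfg("192.168.0.101", "255.255.255.0"))
    print(check_static_host("192.168.0.101", "255.255.255.0",
                            "192.168.0.1", "192.168.0.2", 50))
```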
Inviting the Outside World In
One of my reasons for installing a broadband connection was to run a low-volume web server out of my house. It would give me a way to experiment with technologies such as Oracle Portal, which allows you to develop content-driven, user-maintained Web sites. Of course, I could experiment with Oracle Portal on my internal network, but it's more fun in an environment where other people can look at what I'm doing.
To run a Web server, I had to expose at least one of my machines to the outside world. The UGate-3200 supports two ways of doing that. One approach is to designate one of my computers as an "exposed host." This effectively moves that machine outside my firewall, and places it naked on the Internet. I refer to this as the shotgun approach. It solves the problem, but not in a very precise manner. The second approach, and the one I chose to use, is to open up a specific port in the firewall, and specify a computer on my network to handle any inbound connections to that port. In the UGate world, this is referred to as defining a "virtual server." The default port used by Web browsers is port 80, so that's the one I opened first. The following figure shows port 88 associated with the internal address 192.168.0.101, something I'll explain in just a moment.
Any inbound requests to my outside IP address that specify port 80 will automatically get routed to address 192.168.0.101 on my internal network. That happens to be the address on my Linux server, which is currently running the Apache Web server software. I should mention here that the virtual server and exposed host features only work with fixed IP addresses. That's why I didn't use DHCP to obtain IP addresses for my servers.
After I configured the virtual server shown in the previous figure, I dialed into O'Reilly's internal network in order to test connectivity to my Web server from the outside world. I was in for a rude surprise. It didn't work. After some experimenting and detective work, I discovered that my ISP blocks port 80. Bummer! To get around that, I had to configure my Web server to use a different port. I chose port 88 because that's easy to remember. I'm both disappointed and offended by this. I'm disappointed because I feel the real power of the Internet comes from two-way communication. I believe the cable companies, and probably the DSL companies as well, are missing a big opportunity by denying me, and people like me, the service that we want. I'm offended because I feel patronized. How dare the cable company assume that I only want to receive, and not to transmit. It makes my blood boil to see that some corporation thinks that I should sit passively and watch the Internet, but not actively participate in it.
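To make the difference between the "exposed host" and "virtual server" approaches concrete, here is an added model (my own code, not the router's firmware or the article's) of the two inbound policies. It assumes a constructed set of services listening on the Linux server and shows which of them an outsider can reach under each approach, with the article's single rule forwarding external port 88 to 192.168.0.101.

```python
# Added example: a model of the UGate-3200's two ways of admitting inbound
# traffic. The rule structure is an assumption of mine, not the router's.

LINUX_SERVER = "192.168.0.101"
# Constructed: services listening on the Linux server (port -> description).
LISTENING = {LINUX_SERVER: {22: "ssh", 88: "apache (moved off port 80 by the ISP block)",
                            111: "portmap"}}

def inbound_target(dst_port, virtual_servers, exposed_host=None):
    """Decide where an inbound connection to the router's WAN address on
    dst_port goes. A matching virtual server rule wins; otherwise an exposed
    host receives the whole port; otherwise the default is to drop it (None)."""
    if dst_port in virtual_servers:
        return virtual_servers[dst_port]
    if exposed_host is not None:
        return (exposed_host, dst_port)
    return None

def reachable_services(virtual_servers, exposed_host=None, ports=range(1, 1024)):
    """Return {external_port: service} for every listening service that an
    outsider could reach through the given policy."""
    out = {}
    for port in ports:
        target = inbound_target(port, virtual_servers, exposed_host)
        if target is None:
            continue
        host, internal_port = target
        service = LISTENING.get(host, {}).get(internal_port)
        if service:
            out[port] = service
    return out

# The article's configuration: external port 88 -> 192.168.0.101 port 88.
VIRTUAL_SERVER_RULES = {88: (LINUX_SERVER, 88)}

if __name__ == "__main__":
    print("virtual server:", reachable_services(VIRTUAL_SERVER_RULES))
    print("exposed host:  ", reachable_services({}, exposed_host=LINUX_SERVER))
```

With only the virtual server rule, ports other than 88 stay closed; with the Linux box as exposed host, every listening service on it is reachable.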
A very interesting feature of the UGate-3200 is that it supports dynamic DNS. Dynamic DNS is a service whereby my UGate unit keeps a third-party apprised of my current outside IP address at all times. MaxGate currently contracts with Tzolkin Corporation to provide this service, and I've been given the host name gennick.ugate.net. Any requests to gennick.ugate.net go first to Tzolkin's servers where they get redirected to whatever IP address my cable company has currently assigned to me. That allows you to hit my web server using the following URL:
http://gennick.ugate.net:88
Configuring this URL took me about 30 seconds. I went to the appropriate UGate-3200 configuration screen, typed in the host name that I wanted, typed in my email address, clicked Register, and I was set. The URL that I got is the free URL that I get for one year as a result of purchasing a UGate-3200. Before that year is up, I hope to get a static IP address from my cable company.
Conclusions and the Future
Was it worth all the trouble and expense to get the cable modem installed and my house wired? Absolutely. The convenience of an always-on connection really does affect the way I surf. No longer do I need to batch all my Web browsing for those short periods of time when I dialed into my ISP. Now if I need to look something up, I just do it. And then there's the speed. How did I ever survive with my 46kbps dial-up connections? The speed is truly addictive. I hope I never have to go back to dial-up.
What's in store for the future? One of my immediate goals is to configure an instance of the Oracle Internet Directory (an LDAP server sold by Oracle), and I'll probably expose that to the outside world. I also have plans to install Oracle Portal software, and build a web site with it. And my 12-year-old daughter wants an Internet connection in her bedroom. That I'm not so sure about.
Jonathan Gennick is a writer and an editor at O'Reilly & Associates. His writing career began in 1997, when he coauthored Teach Yourself PL/SQL in 21 Days (Sams). Since then, he has written Oracle SQL*Plus: The Definitive Guide (1998) and Oracle SQL*Plus Pocket Reference (2000), both for O'Reilly & Associates. In his previous life, Jonathan was a manager and a database administrator in KPMG Consulting's Public Services practice. He has more than a decade of experience with relational databases.
