Connecting a LAN to the Internet

Keywords: IPRoute, ISPA, ISDN, proxy server, sharing a connection to the Internet, modem sharing, IP Masquerading, Network Address Translation, software router, DOS

This page contains some background information on how you can connect a LAN (running Ethernet, for instance) to the Internet, using a standard (personal) account. The connection to the Internet can be an analog modem, ISDN or even a cable or ADSL modem.

Most of this information is severely outdated. Nowadays it's more cost effective to buy an inexpensive hardware based firewall/router such as those from Linksys or Draytek. This webpage mainly covers IPRoute, a DOS software router. This program does not seem to be sold anymore. Alternatives are mentioned below. Linux based solutions such as Astaro are probably a much better solution nowadays. Plus, they are free! People also use the Internet Connection Sharing option included with recent versions of Windows.

IPRoute is a DOS software router for TCP/IP.  ISPA is an emulator which lets an ISDN card appear like an Ethernet card to DOS. The focus of this webpage will be mainly on using IPRoute with ISDN plug-in cards through the ISPA driver. The software also works with analog modems, ISDN modems and cable modems (in that case, just skip the parts where ISPA is mentioned because ISPA is only needed when you use an ISDN plug-in card).

The latest version for registered users of IPRoute is now V1.10.


Back to my ISDN page
Back to my homepage


A (personal) Internet account isn't that expensive anymore. Let's say you have a whole (Ethernet) network of computers at home. One for yourself, one for the kids, one on the toilet, you get the idea... Preferably, you want to access the Internet from each of those machines. One machine, which has the modem, will be the "middle-man" for the other machines. You want all connected machines to share the link to the Internet. If you have a couple of "workstations", a 28K8 modem will probably not be enough. ISDN may be a good option in that case. If you use a "proxy" or a feature called "IP Masquerading", you will be able use a standard (read: inexpensive) personal account to connect the LAN to your Internet Service Provider (ISP). All this is explained in the following.

Back to top

Examples of application

Here are some examples of connecting a LAN to the Internet. I already mentioned the "homebrew" LAN. In most cases people use a coax Ethernet cable so they can do without a "hub" (central interconnection device). Another application is a school which has a couple of computers and wants to connect to the Internet at low cost. Or you can think of a small office. I myself used IPRoute in combination with ISPA (described later on) to connect the LAN of a user group to the Internet during meetings (HCC Amsterdam).

Back to top

IP addresses

But first, a little bit of theory. Every computer connected to the Internet must have a unique "licence plate", called an IP address. Unfortunately there is only a limited number of IP addresses available. As with any scarce goods, if you need more IP addresses you will have to pay!

Internet developers have devised workarounds which help to limit the number of needed IP addresses. For instance, an ISP has a certain number of customers but they can't possibly be all logged in at exactly the same moment. So the ISP buys a smaller block of IP addresses. When you call in to your ISP, you receive one of the IP addresses out of this block from your ISP during the connection setup negotiation process. So you don't know your IP address in advance. This is called a dynamic IP address.

However, some ISPs also offer fixed addresses, i.e. every time you dial-in you get the same IP address. This is of course advantageous if you are connected to the net for long periods (e.g. if you have an ADSL or cable modem) or if you want to run servers. The problem is that most ISPs charge extra for static IP address if they are used for dial-up connections.

Back to top

Different approaches to sharing a connection

So you want to connect your LAN to the Internet. This means that there is one machine which has the link to the Internet (modem, ISDN card). Let's call that one the gateway computer, for simplicity. The gateway computer receives packets from the other machines (let's call those the workstation computers) and then passes them to your ISP. And vice versa.

There are several options that can be used to connect a LAN to the Internet. Invariably, they all work with one machine forwarding the packets it receives from the other machines to the Internet. 

I will discuss each of them in the next paragraphs. Tony Rall of IBM Almaden has also written an excellent article on this, with special attention to OS/2.

Back to top

Back to top

Routing vs proxy servers vs IP Masquerading

One of the major problems with using the SOCKS protocol is that it requires that clients be able to perform name lookups for external addresses, usually via DNS. This means that as well as implementing a SOCKs server, the proxy server must also provide a full DNS service to it's clients. Additionally, some protocols do not lend themselves to transport via SOCKs. The FTP protocol, in non-passive mode, can be particularly difficult. It is also possible to use a socket relay server without access to a DNS server, but this is not always the case.

If you have several workstation machines who all hit the same webpage at the same time, a caching proxy server may be provide better performance than a system with IP Masquerading. That is because the webpages can be served from the cache (local harddisk) instead of getting each of them over the modem/ ISDN link. On the other hand, a caching proxy may require a more powerful machine with a big harddisk, i.e. you will probably not get away with a lowly 286, as you can with IPRoute...

Back to top

Specific products (IPRoute, WinGate etc.)

This list is in no particular order. See also TUCOWS for lots of other Win32 proxy servers.

Most Webservers as Apache, Netscape, Microsoft IIS or IBM ICS also provide (caching) proxy services.

Back to top

Understanding NAT

Both IPRoute and ISPA use the word 'NAT' (Network Address Translation) for more or less different purposes. I will try to explain the differences.

In ISPA, NAT is used for handling the dynamic IP address you get from your ISP. And it works like this. When ISPA gets the dynamic IP address from the ISP, there is no mechanism which allows the application running on top of ISPA (IPRoute, NCSA Telnet, etc.) to get that IP address! So ISPA uses a trick. In both the application and ISPA you specify the same dummy IP address (I use, but anything is allowed). You need to specify these in advance! This allows both to communicate with each other. Now, when ISPA dials out and receives the real dynamic IP address, it changes the address in that packet on the fly to the dummy IP address. This way, ISPA uses a dynamic IP address it gets from the ISP, while the application (IPRoute) thinks it has a static IP address!

IPRoute also has a NAT, but it's used for a different purpose. It allows multiple machines connected to a LAN access the Internet through only 1 IP address. This is what I earlier called IP Masquerading.

Back to top

Setting up IPRoute + ISPA

Here is a typical setup for IPRoute and ISPA, acting as an Internet router for the workstations.
           your gateway                           your workstations
 |   IPRoute  (   |
 |       $50 shareware        |
 |   running DOS, 286+, 1 Mb+ |     
        |                |
 +-------------+     +-----------------+                 +-------------+
 |  ISPA shim  |     | packet driver   |                 |  OS/2 Warp  |
 |  shareware  |     | e.g. for NE2000 |                 |(|
 |     $30     |     |   (freeware)    |                 +-------------+
 +-------------+     +-----------------+                     ||
        |                     |                              ||  and others 
 +----------------+  +-----------------+     +-------------+ ||  running Linux,
 | CAPI driver    |  |  network card   |     | Windows 9x  | ||  NT, Mac, etc.:
 | (supplied with |  |  (e.g. NE2000)  |     |(| ||,
 |  ISDN card)    |  +-----------------+     +-------------+ ||,
 +----------------+           ||              ||             ||  etc.
        |                #===============================================#
 +-------------+            Ethernet cable (coax or UTP with hub/switch)
 | ISDN card   |
   NT1 connector                                |
        |                                       |  The workstations think they
 ***********************************            |  are connected directly to
 * The Internet (through your ISP) *        <---+  the Internet...
As you can see, I use the "dummy" Class C subnet 192.168.0.x for the local network with the workstations. This is a "private" block of addresses, especially reserved for exactly these kind of setups. These addresses are not intended to be used on the Internet (the IP Masquerading of IPRoute makes sure of that). See also RFC1918.

Here are the configuration scripts I am using for such a setup. Hopefully they are a good enough example. Of course you have to remove the comments at the right hand side of ISP.BAT. By the way, ISP stands for Internet Service Provider in the following.

ISP.BAT (located in root directory)

@echo off
\network\ne2000 0x61 10 0x300  <- Load packet driver for Ethernet card (in
cd \online-i                      this case an NE2000 on IRQ 10, port 300)
call starts0.bat               <- Load the CAPI driver for your ISDN card
cd \network\ispa                  (in this case a Teles S0/16.3)
ispap ? 0x60 isp.ini           <- If/when you have registered ISPA,
cd \network\iproute               replace '?' with your registration key!
ipr isp.ipr                       (with '?' it will only work for 15 minutes).
ISP.INI (located in \NETWORK\ISPA)
# call with ISPAP.EXE
# global options:
#-u                             # Uncomment if you want only one active channel 
-w                              # DOS activity display: on
-d                              # Disconnect on release: on
-m               # Dummy IP address for comm. with IPRoute
# because no IP-address is specified all packets (unicast and
# broadcast) are forwarded to the peer.
# for all other options the defaults are used
# REPLACE isphonenumber, myloginid, mypassword WITH YOUR INTERNET ACCOUNT INFO!
# Add -c for CHAP authorization, otherwise PAP is used.
# -p means: synchronous PPP over HDLC (which seems to be the 
#           most used protocol)  ispphonenumber -p -n myloginid,mypassword -o -r -t 240
set log file out.txt
set log raw on
set log monitor on

; ISPA packet driver on 0x60. Use the dummy IP address for comm. with ISPA.
packet isdn0 0x60
; Route all packets to remote side of ISDN line (your ISP). The IP address
; used here doesn't seem to matter. You might just as well leave it this way.
route * isdn0

; Allow the following incoming connections
nat isdn0 tcp
nat isdn0 tcp
nat isdn0 tcp
nat isdn0 tcp
nat isdn0 udp

; Allow all outgoing connections
nat isdn0 *   *      
;   Configure ethernet interface on network
packet en0 0x61
;   Broadcast RIP routes on the ethernet
;   Start a command interpreter on the console
You can get packet drivers for Ethernet cards from this site. If your Ethernet card does not have a DOS packet driver, but only an ODI driver, you can download a shim ("interface") from Dan Lanciani's site.

Don't be alarmed if the software router stops running after about 15 minutes. That's ISPA's shareware limitation if you haven't registered it yet.

In ISP.IPR, you find several nat isdn0 lines. With this I tell IPRoute to route incoming sessions of port types 80 (WWW), 1376 (OS/2 Person-2-Person), 2213 (Kali games), and 20/21 (FTP) etc. to one particular machine (mine :-). However, Dave Mischler told me that you can route all incoming sessions (any port) to one machine (in my case if you use the following line instead of the 5 tcp/udp NAT lines:
nat isdn0 *
So what I am doing is a bit of a hassle.

When you start the ISP.BAT batch file, make sure that both IPRoute and ISPA start with no warning messages. The first test is to ping a workstation machine on the Ethernet network using the PING command at the console prompt of IPRoute, for instance: PING If the ping test fails, verify that the packet driver is installed correctly (IRQ, DMA, I/O port) and that IPRoute is able to see the packet driver for your Ethernet card.

Now ping a machine which is not located on your Ethernet LAN, a machine on the Internet, for instance PING or use the IP address of the Domain Name Server your ISP told you to use. The modem/ISDN card will dial and establish a connection with your ISP.

On every workstation machine, you will have to specify the IP number of the Domain Name Server (DNS) of your ISP. If you have multiple IPSs, you can specify more DNSes. I'd love to have IPRoute perform some kind of DNS proxy service (so you can specify as the DNS, which makes the workstation machines almost completely independent of the ISP used) but Dave says it's difficult to do (NAT32 supports it though). There might be a way to get around this and that is by installing your own DNS or DHCP server.

I haven't quite figured out how to use both ISDN B-channels at the same time, to get a bandwidth of 128 Kbps. However, I found the ADC Kentrox Pacesetter FAQ to be very informative on this subject.

Back to top

Notes on IPRoute

Back to top

IPRoute tricks

Back to top

Notes on ISPA

Back to top

Alternatives for ISPA

There is a freeware "CAPI-to-packet driver" available, called PAPI. But this one has much less functionality. And it has not been updated for a couple of years), for instance it doesn't support PPP so it will probably not be much use to you if you want to dial up to an ISP. It may work if you want to hook up two LANs of your own through ISDN, because what I understand from it PAPI's main use is to send whole Ethernet packets. I haven't quite figured out how they implement security (you don't want everyone to dial in to your Ethernet, do you? :-), perhaps with ISDN's Caller Identification...

cFos (older verions also here) is a piece of software that emulates a serial modem (with AT commands and all) using the CAPI driver of your ISDN card. It might be possible to use cFos and IPRoute together, but I have no idea if it works. In that case, you will be using IPRoute's PPP implementation. With the ISPA + IPRoute combination I described earlier, ISPA's PPP implementation is used. A disadvantage of cFos might be that it is less efficient than ISPA (cFos emulates a modem, and modems work with one character at a time, while ISPA emulates a network card, and network cards work with packets), but I'm not sure. The advantage of cFos over ISPA is that cFos can be used for other communication programs too.

Back to top

Notes on IPRoute + ISPA

Back to top

Which applications will/won't work?

Most apps will work fine with IPRoute, without having to configure proxies. However, the workstation machines will have to have private ("dummy") addresses (e.g. 192.168.0.x). The problem is that if an application asks the machine it is running on what its IP address is, it gets the dummy address. When this address is sent to a remote side (say, for Internet telephony), that machine gets confused because the packets it sends may not get back to you because of the fake address. Certain applications transfer IP addresses or port numbers as part of their data. This requires special treatment for address translation (packets must be examined and addresses changed on the fly). So, if an apps doesn't work, this could be the problem.

Most of the applications and their settings mentioned on the Linux Masq Apps page will work for IPRoute as well. You'll need to "translate" the ipfwadm/ipchains/iptables lines into corresponding IPRoute NAT lines, of course.

If you switch over from WinGate to IPRoute, make sure that you turn off the proxy settings in your apps.

Here's a list of TCP/IP applications which are known to work with IPRoute or WinGate, or not, or I just don't know because I haven't tried. More recent information on which apps are supported by WinGate can be found on the WinGate homepage.

If you have any additions/updates to this list, please mail me!

Back to top

Alternatives for IPRoute + ISPA

Of course, if you have the money you can always buy hardware such as an 3COM OfficeConnect ISDN LAN Modem, Ascend Pipeline or an ADC Kentrox Pacesetter. For instance, Bill Lutton writes:
I have a setup that I just put together for evaluation that seems
to work pretty well for me, here is the recipe:
 - old 486/66 w/8MB & 130MB  (overkill) ($0 personal surplus)
 - a TC200-S6 460K serial card ($29 from
 - an NE2000 LAN card ($30 from datacomm warehouse)
 - a Zyxel 2864iu external TA ($?)
 - IPRoute router software ($50 from this site)
This system does "dial on demand" and call dropping after a configuable
amount of time for my 3 PC network. The Zyxel TA does utilization sensitive
adding/dropping of the 2nd B channel.  Total time to bring up the link (call
establishment & ppp negotiation) is ~2.5 sec.  FTP downloads run at 15200+
KBytes/sec.  Ping times are about 40ms. I've only been running it for a few
days but it already compares very favorably to my ~$1000 Ascend P75. The P75
connects in ~2.0 sec and is configuable over the LAN, but doesn't do NAT.
The advantages of special hardware over IPRoute + ISPA are: If you are running OS/2, there's also InJoy. It is a replacement for the "Dial Other Internet Providers" program supplied with Warp. InJoy supports IP Masquerading, at the moment for 4 users but more than 4 are also possible (at a higher price). In combination with cFos (see paragraph above), you can also run InJoy over an ISDN line. Click here for information on that, including examples. InJoy also does Dial on Demand.

The advantage of InJoy + cFos over IPRoute + ISPA is that you don't need to sacrifice a dedicated machine. It is probably easier to configure too. The disadvantage is that it is higher in price. Also don't forget that the unregistered cFos doesn't support sync PPP over HDLC, which makes it impossible to test InJoy + cFos with most Internet providers.

Back to top

ISPA settings for Dutch ISPs (outdated!)

(This is all horribly old information. I'm keeping it here for old time's sake :-)

 First read the part on how to set up IPRoute + ISPA and use the sample configuration files included there. Now, let's say your login ID is aladdin and your password is sesame. And you're calling your ISP's Point Of Presence (inbelpunt) in Amsterdam. (If you live in another part of the country, just click on the name of the provider below, and you'll jump to that provider's list op POPs). Change this according to your own account info and location. I assume you want autodial and automatic disconnect after 240 idle seconds. Change ISP.BAT so that the correct settings for the Ethernet card and the ISDN card (CAPI drivers) are used. You should then only have to change one line in ISP.INI:

NLnet / UUNET: use synchronous PPP over HDLC with PAP. NLnet also wants the login ID to be specified in a rather strange way. Configure your workstation machines to use the Domain Name Server (DNS) 0206638251 -p,sesame -o -r -t 240

World Access: use synchronous PPP over HDLC with PAP/CHAP?. In most cases I could not reach servers running on my local network from the outside (Internet), perhaps this inbound traffic is blocked because of security reasons. Configure your workstation machines to use the Domain Name Server (DNS) 0206933004 -c -p -naladdin,sesame -o -r -t 240

XS4ALL: use synchronous PPP over HDLC with PAP. Seems to support B-channel bundling so you get 128Kbps? Configure your workstation machines to use the Domain Name Server (DNS) 0204229700 -p -naladdin,sesame -o -r -t 240

Euronet: use synchronous PPP over HDLC with PAP. Configure your workstation machines to use the Domain Name Server (DNS) 0204274330 -p -naladdin,sesame -o -r -t 240

Back to top

Revision history

send "AT&F1&C1&D2@B0=2\r"    ; for initialisation
send "ATDxxxxxxx&yyyyyyy\r"  ; for dialing out (2 B-channels,
                             ; 2 phone numbers xxxxxxx and yyyyyy)

Author and credits

Most of the information in this document comes from discussions with Dave Mischler and Herbert Hanewinkel. Some parts on routing and proxy servers were shamelessly stolen from the FireDoor FAQ.

I would like to thank Herbert Hanewinkel for generously providing me an ISPA registration key when the CIPA key turned out to be almost useless because of a buggy driver. In return, this document was written...

Jacco de Leeuw

Back to top