Networking series Part 5: Sharing an Internet connection
This time, we are going to look at something completely new. Suppose that you have more than one computer, yet only one Internet connection (e.g. traditional dial-up modem, cable modem or ADSL). Wouldn't it be handy to be able to seamlessly use that connection from either computer, or even both computers at the same time? For now, we will look at the theory behind two popular forms of Internet connection sharing.
Obviously, for Internet connection sharing between some computers to be possible, those computers must be connected on some kind of local area network. This could be Ethernet (10base2, 10base5, 10baseT etc.), or something fancy like Econet, Nexus or serial cables. A typical situation could be as shown in figure 1, where by default, only the Windows PC has access to the Internet.
Fig. 1 - A typical small/home network setup.
Note that the network must be configured correctly with TCP/IP. See the previous articles for more information on this.
By setting up your own "proxy server" on the computer that has the Internet connection, you can get access to some Internet services from the other computers, via the proxy server. A proxy server is a (server) application running, in this case, on the Windows PC. The other (client) computers must have their web browsers configured to use the Windows PC as a proxy (usually by specifying 192.168.0.4, or the equivalent hostname, together with the port the proxy listens on, in the browser's proxy configuration dialogue).
When a client then requests a web page (e.g. http://www.riscworld.co.uk) the request is passed to the proxy server application. The proxy server software will check to see if it has an up-to-date cached copy of the page, and if it doesn't, it will use the local (to the Windows PC) Internet connection to fetch one. The fetched page will be stored in the proxy server's cache, and then passed on to the requesting client computer. Figure 2 illustrates this process.
Fig. 2 - A simple proxy server situation.
Note that the interesting bit here is that only the Windows PC has "direct" access to the Internet. The A7000 doesn't know anything about the Internet connection at all - it may not even exist as far as the A7000 is concerned. The A7000 can only talk to computers on the local area network.
Proxy server cacheing
Since many proxy servers cache their incoming data, re-requesting a static page will be much faster, since it will not need re-fetching over the (slow) 56k modem link. Similarly, if, say, six computers requested the same web site, the proxy server would only need to fetch it once, and serve the cached copy out to all six. This dramatically speeds up the performance on a shared connection, and would be useful in, for example, an educational environment. Now, since many web pages are dynamic and/or frequently updated (e.g. http://news.bbc.co.uk) then you may think the cacheing advantages all vanish. Not so! Even these kind of pages usually contain some static data (e.g. a company logo, background images etc.) and so the proxy server can continue to serve those from the cache, but fetch fresh text.
The quick thinkers out there may wonder why the cacheing is so special, when many browsers have a built-in disk cache. However, the proxy works between multiple computers (and hence also between multiple browsers on the same computer), so it's like having one giant, shared disk cache. If a user on one computer fetches, for example, the BBCi logo, then a user on another computer will benefit from the cache if they need it.
It"s worth mentioning that some web browsers have no disk cache (Oregano, Browse), or even worse, a poor disk cache which may serve up "stale" (i.e. out of date) content (Fresco). The use of a good cacheing proxy server will dramatically improve the performance and effectiveness of these browsers.
If all web access has to go through the proxy, what about filtering? Some proxy applications are able to do this. Typically, you supply them with a list of web sites ("allow" and "deny") and/or a list of words which cause a site to be added to the "deny" list if they are present in any of the text fetched from it. With a little imagination, such features could be very useful in an educational environment. This provides pretty good filtering, since all web requests must go via the proxy, which will be on the alert! (Bear in mind that the word filter can only inspect text the proxy itself has fetched and can read; anything it merely tunnels, such as HTTPS traffic, is opaque to it.)
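To make the cacheing and filtering behaviour concrete, here is a small model of the proxy described in the last few paragraphs: cache a page when the origin says it may be reused, re-fetch dynamic pages every time, and add a site to the "deny" list when a forbidden word turns up in its text. This is an added example written for this article, not code from any real proxy product; the "Internet" it talks to is a constructed table of three pages, the hostnames are made up, and the clock is injectable purely so that the run is repeatable.

```python
import time
from dataclasses import dataclass


@dataclass
class Response:
    status: int
    body: bytes
    max_age: int  # seconds the origin allows reuse (like Cache-Control: max-age); 0 = never cache


class CachingProxy:
    """Sits between the browsers on the LAN and the single Internet link.

    `fetch` is whatever actually talks to the Internet (here a constructed fake);
    the proxy decides whether a request is allowed, whether a cached copy is
    fresh enough to answer it, and whether fetched text trips the word filter.
    """

    def __init__(self, fetch, allow=(), deny=(), bad_words=(), clock=time.time):
        self.fetch = fetch
        self.allow = {h.lower() for h in allow}      # if non-empty, only these hosts may be fetched
        self.deny = {h.lower() for h in deny}
        self.bad_words = [w.lower() for w in bad_words]
        self.clock = clock                           # injectable so the example is deterministic
        self.cache = {}                              # url -> (Response, fetched_at)
        self.upstream_fetches = 0                    # how often the modem link was actually used

    @staticmethod
    def host_of(url):
        return url.split("//", 1)[-1].split("/", 1)[0].lower()

    def request(self, url):
        """Return (response, where_it_came_from): 'cache', 'upstream' or 'blocked'."""
        host = self.host_of(url)
        if host in self.deny or (self.allow and host not in self.allow):
            return Response(403, b"blocked by proxy policy", 0), "blocked"
        now = self.clock()
        cached = self.cache.get(url)
        if cached and now - cached[1] < cached[0].max_age:
            return cached[0], "cache"
        resp = self.fetch(url)                       # the slow bit: over the modem
        self.upstream_fetches += 1
        text = resp.body.decode("utf-8", "replace").lower()
        if any(w in text for w in self.bad_words):
            self.deny.add(host)                      # the site joins the deny list, as the article describes
            return Response(403, b"blocked by content filter", 0), "blocked"
        if resp.status == 200 and resp.max_age > 0:
            self.cache[url] = (resp, now)
        return resp, "upstream"


# Constructed stand-in for the Internet: a dynamic front page, a static logo, a nasty site.
FAKE_ORIGIN = {
    "http://news.example/": Response(200, b"<html>headline of the hour</html>", 0),
    "http://news.example/logo.gif": Response(200, b"GIF89a (pretend image bytes)", 86400),
    "http://nasty.example/": Response(200, b"page full of forbidden-word material", 3600),
}


def fake_internet(url):
    return FAKE_ORIGIN.get(url, Response(404, b"not found", 0))


def demo():
    """Six browsers each ask for the front page and the logo, then one tries the nasty site."""
    proxy = CachingProxy(fake_internet, bad_words=["forbidden-word"], clock=lambda: 1000.0)
    sources = []
    for _ in range(6):
        sources.append(proxy.request("http://news.example/")[1])          # dynamic: refetched each time
        sources.append(proxy.request("http://news.example/logo.gif")[1])  # static: cached after the first
    sources.append(proxy.request("http://nasty.example/")[1])             # fetched once, then denied
    sources.append(proxy.request("http://nasty.example/")[1])             # now on the deny list
    return sources, proxy.upstream_fetches


if __name__ == "__main__":
    print(demo())
```

Twelve page requests plus two attempts on the filtered site cost the modem only eight fetches: the logo goes over the link once and the other five browsers are served from cache, while the front page, which the origin marks as non-cacheable, is fetched fresh every time. The word filter costs one fetch of the nasty page before the host is denied outright.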
Drawbacks to proxy servers
Traditionally, proxy servers only support major protocols like HTTP and FTP. This means that the client computers (the A7000, A5000 and Risc PC) are restricted to HTTP (for web browsing) and FTP (for file transfer). Why is this a problem? Well, supposing that a user wanted to use HTTPS (for secure web browsing). The client computer would be unable to do this, since the proxy server won't play ball, and the client cannot "see" through to the Internet (everything must go via the proxy).
However, later developments in proxy servers and Internet applications themselves mean that other protocols can now be "proxied", e.g. HTTPS, Real audio/video. If these extras are enabled on the server, and the client software (e.g. RealOne player) is appropriately configured, they will work.
Some things cannot be proxied at all, due to limitations in the practicality, the proxy server, or the client software. For example, it is not possible to use a telnet client (e.g. Nettle) on a client computer - this will only work on the Windows PC (which has the direct connection). With a proxy-only setup, these limitations have to be lived with. There is, however, another way...
Network address translation (NAT)
This is similar to a proxy server in that it allows requests from multiple computers to be dealt with by one, but it goes about it in a much lower level way. Since all network "traffic" is split into "packets", complete with sender and destination information (IP addresses), it is possible for these to be examined and modified slightly by some software. As these modifications are so low level, there is very little configuration required on each client, and the trick works with just about every Internet client application out there.
Fig. 3 - A simple NAT situation.
As with the proxy server setup, the A7000 cannot see beyond the local network. However, if it is configured to use the Windows PC as its "default route" (see article 2), it will fire off any non-local packets (i.e. those whose destination is outside the 192.168.x.y range - remember, what counts as local is determined by the IP address together with the "netmask") to the Windows PC. The NAT software on the Windows PC will analyse these packets and send them out to their destination, but rewritten to look like they originated from the Windows PC. The remote Internet server will eventually respond, and send packets back to the Windows PC. The Windows PC will have to work out which packets were for the A7000 (it keeps a table of which outgoing connection it rewrote for which local computer), and forward them on to it (similarly for the other clients).
The result of NAT is that each computer on the local network that does not have a direct connection to the Internet (the A7000, A5000 and Risc PC) actually appears to have one! From an application point of view, those computers are the same as the Windows PC.
It is perhaps worth mentioning that the "Internet Connection Sharing" software built into Windows 98SE, Me, 2000 and XP uses NAT.
For a home setup, where you may not want/need web page filtering, it makes sense to go for a NAT solution rather than a proxy server. However, what about both? Remember that the proxy server has some big plus points for web browsing (namely the page cacheing). Using both allows web browsing to be cached between all the computers, while applications which cannot easily be proxied (e.g. telnet, email fetching) go out through NAT instead.
As we know, the computers on the local network (apart from the Windows PC) are not directly connected to the Internet. A canny advantage of this is that any computers on the Internet cannot see them! To a web site or schoolboy-cracker, you have only one computer connected to the Internet, and that is the Windows PC. The other computers are effectively behind a "firewall". Note that this only stops connections that are initiated from the Internet; it does nothing about what the local computers themselves choose to fetch (a dodgy download or email attachment passes through NAT, and a proxy, perfectly happily), so it is a "firewall" in that limited sense only.
There is also a slight disadvantage here. If, for example, you want to run a web server on the A7000, and have it accessible from anywhere on the Internet, you can't. Anything which requires a connection that is initiated from the Internet (rather than the local network) won't work. However, there is a solution to this problem. The NAT computer (which is directly connected to the Internet, remember) can often be configured to listen for, say, web requests, and if it gets any, pass them on to the A7000. It is therefore possible to use the NAT computer to gain access to a number of the computers on the local network, if this is explicitly configured. Each such "port forward" is, of course, a deliberate hole in the protection just described, so forward only the services you really mean to expose.
Provided that the computer with the Internet connection is set up securely (and that you forward only the ports you need), you can confidently add more computers to the local network, without worrying about nasty attacks. It would perhaps be sensible to ensure that the computer with the Internet connection is not running Windows!
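The following is an added example, written for this article rather than taken from any real NAT implementation, of what the Windows PC has to do for the outgoing rewriting described under "Network address translation", the matching of replies back to the right local computer, and the explicit port forwarding described just above. Packets are simple records; the local network is assumed to be 192.168.0.0 with netmask 255.255.255.0, the A7000 and A5000 are given the made-up addresses 192.168.0.2 and 192.168.0.3, and the modem's public address and the remote servers use constructed documentation addresses.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


LAN = ipaddress.ip_network("192.168.0.0/24")   # 192.168.0.x with netmask 255.255.255.0 (assumed)
PUBLIC_IP = "203.0.113.7"                       # constructed: the address the ISP gave the modem


class Nat:
    """The translation done by the Windows PC (inside 192.168.0.4, outside PUBLIC_IP)."""

    def __init__(self, public_ip=PUBLIC_IP, lan=LAN, first_port=40000):
        self.public_ip = public_ip
        self.lan = lan
        self.next_port = first_port
        self.out_map = {}    # (proto, src_ip, src_port, dst_ip, dst_port) -> public port
        self.in_map = {}     # (proto, public port) -> (src_ip, src_port, dst_ip, dst_port)
        self.forwards = {}   # (proto, public port) -> (lan_ip, lan_port), configured by hand

    def forward_port(self, proto, public_port, lan_ip, lan_port):
        """Explicitly expose one LAN service (e.g. a web server on the A7000)."""
        self.forwards[(proto, public_port)] = (lan_ip, lan_port)

    def outbound(self, pkt):
        """Packet from a LAN host: rewrite the source so the Internet sees only PUBLIC_IP."""
        if ipaddress.ip_address(pkt.dst_ip) in self.lan:
            return pkt   # local destination: never sent via the default route at all
        # Replies from a forwarded service must leave from the public port it was forwarded on.
        for (proto, pub_port), inside in self.forwards.items():
            if proto == pkt.proto and inside == (pkt.src_ip, pkt.src_port):
                return Packet(proto, self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.out_map.get(key)
        if port is None:
            port = self.next_port           # a fresh public port per inside connection
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[(pkt.proto, port)] = key[1:]
        return Packet(pkt.proto, self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Packet from the Internet: deliver to the right LAN host, or drop it (None)."""
        if pkt.dst_ip != self.public_ip:
            return None
        flow = self.in_map.get((pkt.proto, pkt.dst_port))
        if flow is not None:
            src_ip, src_port, remote_ip, remote_port = flow
            if (pkt.src_ip, pkt.src_port) == (remote_ip, remote_port):
                return Packet(pkt.proto, pkt.src_ip, pkt.src_port, src_ip, src_port)
            return None   # a different host probing a port we opened: dropped
        fwd = self.forwards.get((pkt.proto, pkt.dst_port))
        if fwd is not None:
            return Packet(pkt.proto, pkt.src_ip, pkt.src_port, fwd[0], fwd[1])
        return None       # unsolicited and not forwarded: this is the "firewall" effect


def demo():
    nat = Nat()
    a7000, a5000, web = "192.168.0.2", "192.168.0.3", "198.51.100.10"   # constructed addresses
    out1 = nat.outbound(Packet("tcp", a7000, 1025, web, 80))
    out2 = nat.outbound(Packet("tcp", a5000, 1025, web, 80))   # same inside port, different host
    back1 = nat.inbound(Packet("tcp", web, 80, PUBLIC_IP, out1.src_port))
    probe = nat.inbound(Packet("tcp", "198.51.100.99", 4444, PUBLIC_IP, 80))   # nobody asked for this
    nat.forward_port("tcp", 80, a7000, 80)                      # now expose the A7000's web server
    served = nat.inbound(Packet("tcp", "198.51.100.99", 4444, PUBLIC_IP, 80))
    return out1, out2, back1, probe, served


if __name__ == "__main__":
    for p in demo():
        print(p)
```

Two local computers using the same source port get different public ports, which is how the reply for the A7000 is told apart from the reply for the A5000. The probe to port 80 is dropped until a forward is configured, after which it is delivered to the A7000; the check on the remote address in `inbound` is what stops a third party from piggybacking on a port that was opened for somebody else's connection.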
Next time, we will look at the practical side of things: what software and hardware may be appropriate, and how to set it up. As usual, please get in touch with The Editor or myself if you want to make suggestions or raise queries regarding this series. In particular for this article, the descriptions of proxying and NAT were rather high-level. If there is demand, they could be described at a much lower level.