Over the past year, I have used SyGate to
share the PUB II ADSL Internet connection with other
computers in my house. Although I was pretty satisfied
with the product, I had a couple of minor issues with
accessing an Exchange Server from my client machines. To
provide protection from the black hats on the Internet, I
used BlackICE Defender. It also seemed to do a good job,
although I found its flashing icon a little annoying
after a while.
Then I heard of a product that would do both
the above jobs and more, while permitting more extensive
customization - WinRoute Pro v4.1 from Tiny Software. It
is a NAT (Network Address Translation) gateway, allowing
multiple machines to share an Internet connection, a
packet-filter firewall to keep the wolves at bay, a DHCP
server to take care of TCP/IP configuration on machines
on the local LAN, a DNS forwarder to take care of name
resolution requests for all machines, a POP3 mail server
to provide mail services, and a proxy server to conserve
Installation and initial configuration
was very simple and clearly laid out in the 128-page PDF-format
manual downloaded from the Internet (an extra US$20 gets
a boxed copy with printed manual). My primary interest
was with the NAT gateway so my computers could share the
PUB II connection to the Internet. Since the computers
were already configured with appropriate network cards, I
was up and running in minutes.
NAT allows you to share a single valid,
Internet-routable IP address with all your computers that
are networked together. The nice thing about using NAT is
that software on your client machines does not need to be
reconfigured in order to access the Internet. In essence,
almost everything works as if the computer had its own
connection to the Internet. This is in sharp contrast to
proxy servers which only work with certain types of
software and require re-configuration on each client
machine. The manual has a wonderful section that clearly
explains how NAT works.
One potential problem with a NAT
gateway arises when you want people on the Internet to be able
to access computers behind it. Since these
machines have what are known as private IP addresses, it
is not possible to connect directly to them from the
Internet. There is simply no way that Internet routers
will pass on the packets to those private IP addresses.
WinRoute Pro gets around this problem through port
mapping. Basically, you tell WinRoute Pro that packets
coming into the WinRoute Pro computer (which has a valid
Internet-routable address) destined for a particular port
should be forwarded to a specific machine on your
internal network. For example, if you are running a Web
server on a computer behind the NAT gateway, you could
tell the port mapper that any packets sent to port 80 (the
default for Web servers) should be forwarded on to the
computer running the Web server, which then responds to
the web requests.
By default, WinRoute Pro closes all
inbound ports, effectively preventing anyone on the
Internet from connecting to your computer and doing bad
things. In cases like PUB II, you want to open some ports
to allow folks from the Internet to connect to your
computer. I needed to open port 21 for Telnet, 23 for
FTP, 25 for SMTP, 80 for HTTP (Web server), and 110 for
POP3. WinRoute Pro includes a packet filter firewall that
is easily configured to control access to any TCP or UDP
port. You can open ports for access from a specific IP
address or address range or allow access from any address.
You can even limit the period of time a port is
accessible. For example, you could make a web server
available only from 5:00 p.m. on Fridays until 8:00 a.m.
Not only can you limit inbound traffic,
but you can do the same for outbound. If you want to
ensure your 8-year-old is not surfing the web from the
computer in his room all night, it is a simple matter to
limit outbound access to certain hours. You can also
block access to particular ports from a specific computer.
In the WinRoute Pro firewall, the action
to be performed on inbound packets may be set to permit,
drop, or deny, with the default being deny. Deny means
the port is visible, but the person can't connect to the
port. For the ultimate in security, you want to tell the
firewall to drop packets. That way, your computer does
not even appear to exist to others out on the Internet.
Very cool! Personally, I think drop should be the default
action. If you download build 20 or higher from the Tiny
Software web site, you can change the default to drop. I
discovered this almost by accident. I suggested to Tiny
Software that they add a history list to the Web site and
they have agreed to do so.
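The port mapping and packet-filter behaviour described above, modelled as a short Python sketch. This is an added example, not WinRoute Pro's own rule format; the rule fields, the private and documentation-range addresses, and the daily time window are assumptions made for illustration.

```python
# Added illustration: a toy model of the inbound rules the review describes.
# Rule fields and all addresses are constructed, not WinRoute Pro's format.
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

@dataclass
class Rule:
    port: int
    action: str                                 # "permit", "deny" or "drop"
    source: str = "0.0.0.0/0"                   # who may use the rule
    forward_to: Optional[str] = None            # port-mapping target on the LAN
    hours: Optional[Tuple[time, time]] = None   # daily window, may wrap midnight

def in_window(now: datetime, hours) -> bool:
    if hours is None:
        return True
    start, end = hours
    t = now.time()
    return start <= t < end if start <= end else (t >= start or t < end)

def decide(rules, src: str, dst_port: int, now: datetime, default: str = "deny"):
    """First matching rule wins; unmatched packets get the default action."""
    for r in rules:
        if (r.port == dst_port and ip_address(src) in ip_network(r.source)
                and in_window(now, r.hours)):
            return r.action, (r.forward_to if r.action == "permit" else None)
    return default, None

# What the remote sender observes for each action, per the review's description.
OBSERVED = {"permit": "connection forwarded to the mapped host",
            "deny": "port visible, connection refused",
            "drop": "no reply at all"}

RULES = [
    Rule(80, "permit", forward_to="192.168.1.10"),                  # web server
    Rule(25, "permit", source="203.0.113.0/24", forward_to="192.168.1.20"),
    Rule(110, "permit", forward_to="192.168.1.20",
         hours=(time(17, 0), time(8, 0))),                          # 17:00 to 08:00 only
]

if __name__ == "__main__":
    noon = datetime(2000, 9, 1, 12, 0)
    for src, port in [("198.51.100.7", 80), ("198.51.100.7", 25),
                      ("203.0.113.5", 25), ("198.51.100.7", 110)]:
        action, target = decide(RULES, src, port, noon, default="drop")
        print(f"{src} -> :{port}: {action} ({OBSERVED[action]}) {target or ''}")
```
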
The mail server in WinRoute Pro appears
to be quite functional, allowing you to configure an e-mail
server that will function within your LAN. Connecting to
the outside world is a bit more complex. While you can
easily send e-mail to the Internet, receiving is a
little harder. To do this right, you need to register a
DNS name. Given that you need two DNS servers in order to
register a name, plus the fact that you probably only
have one valid Internet-routable IP address, suffice it
to say that you are going to need some assistance here.
However, there are free DNS hosting services (http://granitecanyon.com)
that enable you to run your own Internet mail services
for all the folks on your network, whether that is your
family or the employees of a company.
If you want to conserve bandwidth,
WinRoute Pro includes a proxy server. A proxy server
receives requests for HTML elements such as pages and
graphics. If the cache in the proxy server already has
the information from a previous request, it returns the
information directly, saving the fetch across the
Internet. If it does not have the information already,
the proxy server fetches it over the Internet, returns
the information to the requesting machine and stores a
copy in the cache in case someone else requests it. I am
not a fan of proxy servers, but it is there for those who
want to use it.
WinRoute Pro has excellent logging
capabilities that can help when it comes to trouble-shooting.
I was able to analyse log files to discover the root of
my problems with Exchange Server. When I connect to the
Exchange Server, it picks two completely random UDP ports
above 1024 for use in pushing new mail notifications to
the client. I first attempted to use the port mapper to
map all accesses from the IP address of my Exchange
Server on ports above 1024 and send them to my client
machine. So far no luck, but I have not given up yet.
WinRoute Pro v4.1 requires a Pentium
class PC with 32MB RAM, 1MB disk space, and Windows 9x/NT4/Win2K.
Cost ranges from US$199 for 5 users to US$699 for
unlimited. For those with somewhat less demanding
requirements, WinRoute Lite and WinRoute Home drop some
of the more advanced features for prices as low as US$49.
See the Web site at http://www.winroute.com
WinRoute Pro v4.1 (Proprietary)
As of February 1st, 2002, WinRoute Pro is sold by Kerio Technologies, Inc., and is thus
called Kerio WinRoute Pro (v. 4.2.4).
Originally published: September, 2000