Configuring Windows XP Personal Firewall

Scott

Hi,

I have the following home office setup:

External IP address 123.123.123.123
Netgear firewall/router/hub (FM114P)
Machine1 192.168.0.2
Machine2 192.168.0.3
Machine3 192.168.0.4

So, three machines on an internal network

I've got a VMWare image running on Machine1, IP address 10.255.3.1. If
you're not familiar with VMWare, just consider it another machine on the
network.

What I want is:
If a user connects to my external IP address on port 80, I want that
request to be serviced by IIS running on Machine1.
If a user connects to my external IP address on port 8080, I want that
request to be serviced by IIS running on port 80 in the VMWare image.

What I've done:
Added a custom service on my firewall to open port 8080 to external
users. The firewall rule forwards that to 192.168.0.2.
For the physical adapter on Machine1, enabled Internet Connection
Firewall (Adapter Properties, Advanced, click the checkbox).
Clicked Settings.
Enabled HTTP service
Created a new service "VMWare". Configured that as IP Address
10.255.3.1, external port number 8080, internal port number 80.

To test, I launched a browser from another machine, connected to the
external IP address, on port 80. So far so good.
But, when I connect to 8080, it never gets forwarded to the VMWare machine.
The request gets served by port 80 on Machine1, not port 80 on 10.255.3.1.

I've also pointed the personal firewall configuration at other local IP
addresses (such as IIS on 192.168.0.4). Same result, so it's not an issue
with VMWare.

Am I misunderstanding how the custom service should work? The way I think
it should work is:

* browser connects to 123.123.123.123:8080
* Netgear firewall forwards to 192.168.0.2:8080
* adapter bound to 192.168.0.2 reads the firewall rules above, sees the
connection on port 8080 (so it knows which rule applies), and forwards to
10.255.3.1:80

Thanks,
Scott
 
OK, I can (sort of) answer my own problem.

See this MS KB article:
http://support.microsoft.com/default.aspx?scid=kb;en-us;297942

Well, gee, you'd think MS could figure out how to grey out the IP address
field if ICS was not enabled. User Interface 101. The big question I have
is WHY do I have to enable ICS to get ICF to forward my request to another
IP address? I don't want or need ICS, and firewall rules (I think)
typically allow you to forward requests to a specified IP address.

Oh well, in trying to work around this issue, I tried to enable ICS on my
adapter listening to external requests. When I try to enable ICS on that
adapter, I have to select another adapter in the pulldown list under Home
networking connection. The only adapters listed are my VMWare virtual
adapters. If I select either one of them I get the error dialog:

An error occurred while Internet Connection Sharing was being enabled.

Internet Connection Sharing cannot be enabled.
A LAN connection is already configured with the IP address
that is required for automatic IP addressing.

Can someone translate this error msg?

I think I'm coming to the conclusion that I need to walk away from ICF
altogether, and configure my router to forward router port 80 -> virtual
machine port 80, instead of router port 8080 -> physical machine port
8080 -> virtual machine port 80. I preferred the second scenario.

Scott
 
The ICS error message means that another network connection already
has the 192.168.0.1 IP address that ICS assigns to the connection that
you specify as the Home networking connection.

I'd certainly disable XP's built-in firewall and use a more
configurable one. In my opinion, XP's firewall was designed for use
by people who don't know that they need a firewall. Your needs are
much more sophisticated.
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)

Please post any reply as a follow-up message in the news group
for everyone to see. I'm sorry, but I don't answer questions
addressed directly to me in E-mail or news groups.

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com
 
Thanks Steve, much appreciated.

The 192.168.0.1 IP address is the address of my Netgear router/hub/firewall
and is hard coded. So it would appear that my firewall and ICF conflict
with each other.

Unfortunately the Netgear firewall does not do port reassignment (external
port, internal port) like the ICF. If it did, I would open two holes: port
80, forward to IP xxx on port 80, and port 8080, forwarding to IP yyy on
port 80. Instead, for the second scenario, it will route to IP yyy on port
8080.

I think the easiest kludge will be to add an additional internal IP address
to the web server that will answer port 8080 requests. So, that server will
answer requests on IP xxx:80 and IP yyy:8080.

I'm aware of proxy servers that would also handle this more elegantly, but
this is really only for sales demos and remote co-worker collaboration, so
the above should suffice.

Thanks again Steve
 
Hi,

I'm re-visiting using ICS to solve this issue. What I've done:

* changed my router IP address from 192.168.0.1 to 192.168.0.254
* rebooted the router
* rebooted all machines on the internal network
* ping 192.168.0.1 on the machine on which I want to activate ICS - the
request times out
* read MS KB article
http://support.microsoft.com/default.aspx?scid=kb;en-us;241769
* read this:
http://www.informit.com/isapi/product_id~{3BD59E20-8ADA-4E5A-891E-7D9C76E2E628%7D/content/index.asp

But, I still get the error msg listed below. Are there other IP addresses
(like 192.168.0.254?) that are used by ICS?

Alternatively, is there any simple port forwarding software/daemons "out
there" that will do what I want? I don't want a full-blown firewall - just
a simple way to forward requests from xxx.xxx.xxx.xxx:8080 to
yyy.yyy.yyy.yyy:80.

Thanks,
Scott

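Scott asks above for a simple port-forwarding daemon rather than a full firewall. What follows is an added example, not code from this thread, Microsoft, Netgear or VMware: a minimal TCP relay in Python that accepts on one address:port and copies bytes both ways to another, which is the same job the router rule, the ICF custom service and the VMware NAT port-forwarding entry each do at their own layer. The allow_from list is my addition (the thread says the demo is for sales prospects and co-workers, so restricting source addresses is the obvious check to add); demo() stands up a throwaway HTTP backend in place of IIS, and every address in it is loopback.

```python
# Minimal TCP port forwarder (added example for this thread, not vendor code).
import socket
import threading

def _pump(src, dst):
    """Copy bytes src -> dst until EOF, then half-close dst so the peer sees EOF."""
    try:
        while True:
            data = src.recv(65536)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def _handle(client, target):
    """Serve one accepted connection: dial the backend, relay both directions."""
    client.settimeout(None)
    try:
        backend = socket.create_connection(target, timeout=10)
    except OSError:
        client.close()                      # backend unreachable: drop client
        return
    backend.settimeout(None)
    back = threading.Thread(target=_pump, args=(backend, client), daemon=True)
    back.start()
    _pump(client, backend)
    back.join()
    client.close()
    backend.close()

class Forwarder:
    """Layer-4 relay: accept on `listen`, forward each connection to `target`.
    `allow_from`, if given, is the collection of client IPs allowed to connect."""

    def __init__(self, listen, target, allow_from=None):
        self.target, self.allow_from = target, allow_from
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind(listen)
        self.sock.listen(16)
        self.sock.settimeout(0.5)           # lets the accept loop notice stop()
        self.port = self.sock.getsockname()[1]
        self._stop = threading.Event()

    def _serve(self):
        while not self._stop.is_set():
            try:
                client, addr = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:                 # listening socket closed by stop()
                break
            if self.allow_from is not None and addr[0] not in self.allow_from:
                client.close()              # source not on the allow-list
                continue
            threading.Thread(target=_handle, args=(client, self.target),
                             daemon=True).start()

    def start(self):
        threading.Thread(target=self._serve, daemon=True).start()
        return self

    def stop(self):
        self._stop.set()
        self.sock.close()

def demo(allow_from=None):
    """Throwaway HTTP backend on loopback (standing in for the VM's IIS), a
    forwarder on a second loopback port (the host's 8080), one GET through it.
    Returns (status, body); raises OSError if the forwarder refuses us."""
    from http.server import BaseHTTPRequestHandler, HTTPServer
    import urllib.request

    class Hello(BaseHTTPRequestHandler):
        def do_GET(self):
            body = b"hello from backend"
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

    backend = HTTPServer(("127.0.0.1", 0), Hello)
    threading.Thread(target=backend.serve_forever, daemon=True).start()
    fwd = Forwarder(("127.0.0.1", 0), backend.server_address, allow_from).start()
    try:
        with urllib.request.urlopen(f"http://127.0.0.1:{fwd.port}/", timeout=5) as r:
            return r.status, r.read()       # (200, b'hello from backend')
    finally:
        fwd.stop()
        backend.shutdown()
        backend.server_close()
```

On the host in the thread this would be Forwarder(("192.168.0.2", 8080), ("10.255.3.1", 80)).start(), reproducing the router -> host:8080 -> VM:80 chain; binding to the LAN address rather than 0.0.0.0 keeps the VMware-side adapters from also exposing the listener. It relays raw TCP, so whatever the router forwards reaches the VM's port 80 unchanged, which is exactly why the allow-list (or an equivalent rule on the router) matters when the target is a demo image that nobody is patching.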
 
I've got this working now:

Router port forwards 80 to 192.168.0.4
Router port forwards 8080 to 192.168.0.2
From W2K: Start --> Programs --> VMware --> Manage Virtual Networks
NAT tab --> Edit button --> Port Forwarding
Forward host port 8080 to 10.255.3.1:80

The key was digging around VMware and discovering its port forwarding
capability for the virtual network. The VMnet8 adapter (NAT) is described
as "Used to share the host's IP address", which caused the "light bulb to
light" :-).

Thanks to all for your help, and sorry to waste bandwidth for those not
interested.

I *still* would like to know why I can't activate ICS, but it's now moot for
my immediate needs.

Regards,
Scott

Scott said:
OK, the topology is:

ADSL phone line
ADSL modem
Router/hub/firewall/DHCP - internal IP: 192.168.0.254 external IP:
123.123.123.123
Machine1: 192.168.0.2
Machine2: 192.168.0.3
Machine3: 192.168.0.4
all have subnet mask 255.255.255.0

VMware image running inside Machine1: 10.255.3.1
subnet mask 255.255.0.0 (needed for networking with other co-worker's VMWare
images)

I want an external user to be able to:

http://123.123.123.123:80 and connect to IIS running on Machine3 (port 80)
http://123.123.123.123:8080 and connect to IIS running inside the VMWare
image inside Machine1 (port 80)

Sooooo, I configure my router to port forward 8080 (VMWare custom service)
to 192.168.0.2.
I now want the 192.168.0.2 NIC on Machine1 to port forward to
10.255.3.1:***80***.

I think I could get this to work by activating ICS and forwarding traffic
from the external NIC to VMware Network Adapter VMnet8, which is a software
based, virtual adapter configured for NAT.

Which leads me back to my original question: anyone know why I still get
the error dialog when I try to activate ICS? It sure would be nice if the
error dialog actually offered useful information.

Cheers,
Scott

Ken Wickes said:
You don't describe your topology, but if it looks like this

Router -- ICS host -- ICS client then you can't use 192.168.0.x with a subnet
mask of 255.255.255.0 on both sides of the ICS host.

Why aren't you just connecting both machines to your router?

--

Ken Wickes [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.


 
You couldn't enable ICS because the network you had set up was unroutable.
You solved it by using an address on a different subnet (10.255.3.1).

--

Ken Wickes [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.


Scott said:
I've got this working now:

Router port forwards 80 to 192.168.0.4
Router port forwards 8080 to 192.168.0.2
From W2K: Start --> Programs --> VMware --> Manage Virtual Networks
NAT tab --> Edit button --> Port Forwarding
Forward host port 8080 to 10.255.3.1:80

The key was digging around VMware and discovering its port forwarding
capability for the virtual network. The VMnet8 adapter (NAT) is described
as "Used to share the host's IP address", which caused the "light bulb to
light" :-).

Thanks to all for your help, and sorry to waste bandwidth for those not
interested.

I *still* would like to know why I can't activate ICS, but it's now moot for
my immediate needs.

Regards,
Scott

Scott said:
OK, the topology is:

ADSL phone line
ADSL modem
Router/hub/firewall/DHCP - internal IP: 192.168.0.254 external IP:
123.123.123.123
Machine1: 192.168.0.2
Machine2: 192.168.0.3
Machine3: 192.168.0.4
all have subnet mask 255.255.255.0

VMware image running inside Machine1: 10.255.3.1
subnet mask 255.255.0.0 (needed for networking with other co-worker's VMWare
images)

I want an external user to be able to:

http://123.123.123.123:80 and connect to IIS running on Machine3 (port 80)
http://123.123.123.123:8080 and connect to IIS running inside the VMWare
image inside Machine1 (port 80)

Sooooo, I configure my router to port forward 8080 (VMWare custom service)
to 192.168.0.2.
I now want the 192.168.0.2 NIC on Machine1 to port forward to
10.255.3.1:***80***.

I think I could get this to work by activating ICS and forwarding traffic
from the external NIC to VMware Network Adapter VMnet8, which is a software
based, virtual adapter configured for NAT.

Which leads me back to my original question: anyone know why I still get
the error dialog when I try to activate ICS? It sure would be nice if the
error dialog actually offered useful information.

Cheers,
Scott

Ken Wickes said:
You don't describe your topology, but if it looks like this

Router -- ICS host -- ICS client then you can't use192.168.0.x with a subnet
mask of 255.255.255.0 on both sides of the ICS host.

Why aren't you just connecting both machines to your router?

--

Ken Wickes [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.


Hi,

I'm re-visiting using ICS to solve this issue. What I've done:

* changed my router IP address from 192.168.0.1 to 192.168.0.254
* rebooted the router
* rebooted all machines on the internal network
* ping 192.168.0.1 on the machine on which I want to activate ICS - the
request times out
* read MS KB article
http://support.microsoft.com/default.aspx?scid=kb;en-us;241769
* read this:
http://www.informit.com/isapi/product_id~{3BD59E20-8ADA-4E5A-891E-7D9C76E2
 
Sorry I don't understand your cryptic response:

* I solved the problem by abandoning ICS in favour of the functionality in
VMWare
* I was attempting to route my physical NIC 192.168.0.2 to my virtual NIC
10.255.3.1.
* It worked with VMWare and didn't with ICS
* Is there a *detailed* MS KB article that explains what would cause the
error noted below? The KB below only states that 192.168.0.1 is reserved.

 
It's a problem with outbound traffic. If the ICS host wanted to send
traffic to 192.168.0.7 which adapter would the traffic go out? 192.168.0.2
or 192.168.0.1?

I'm not the greatest expert on routing, maybe someone else can give a better
explanation.

--

Ken Wickes [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.


Scott said:
Can you go into more detail about this conflict? If I have:

router 192.168.0.254
machine1 192.168.0.2
machine2 192.168.0.3
machine3 192.168.0.4

where is the conflict with 192.168.0.1? OK...ICS wants 192.168.0.1 - IT'S
AVAILABLE!

Ken Wickes said:
VMWare probably works because it doesn't require the use of 192.168.0.1 for
it's private side like ICS does. With ICS on, it wants 192.168.0.1 for it's
private side which conflicts with the 192.168.0.2 on the public side.
That's probably the source of the error message.

--

Ken Wickes [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.

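Ken's two points above (ICS wants 192.168.0.1/24 on its private side while the public NIC is already 192.168.0.2/24, and a packet for 192.168.0.7 then has no single adapter to leave by) come down to a longest-prefix-match lookup over two routes of equal length. Below is an added example, not a Microsoft KB or a real Windows route table: a small Python routine over the addresses quoted in this thread. The host-side VMnet8 address 10.255.3.2/16 is my assumption; the thread only gives the guest's 10.255.3.1/16.

```python
# Why ICS and the 192.168.0.x LAN collide: added example for this thread, not
# a Windows route table. Addresses are the ones quoted in the thread except the
# host-side VMnet8 address, which is assumed.
import ipaddress

# The ICS attempt: public NIC 192.168.0.2/24 plus the 192.168.0.1/24 that ICS
# assigns to the "Home networking connection".
ICS_LAYOUT = [
    ("public NIC 192.168.0.2", "192.168.0.2/24"),
    ("ICS private side 192.168.0.1", "192.168.0.1/24"),
]
# The VMware NAT layout that worked: the guest is 10.255.3.1/16, so the
# host-side VMnet8 adapter is assumed to sit in 10.255.0.0/16 as well.
VMWARE_LAYOUT = [
    ("public NIC 192.168.0.2", "192.168.0.2/24"),
    ("VMnet8 host side 10.255.3.2 (assumed)", "10.255.3.2/16"),
]

def connected_routes(layout):
    """(interface, network) pairs: the route each address/prefix creates."""
    return [(name, ipaddress.ip_interface(addr).network) for name, addr in layout]

def route_lookup(layout, dest):
    """Longest-prefix match over the connected routes. Returns every interface
    tied for the best match; two or more means the host cannot pick one."""
    dest = ipaddress.ip_address(dest)
    best, winners = -1, []
    for name, net in connected_routes(layout):
        if dest not in net:
            continue
        if net.prefixlen > best:
            best, winners = net.prefixlen, [name]
        elif net.prefixlen == best:
            winners.append(name)
    return winners

def overlapping_interfaces(layout):
    """Pairs of interfaces whose connected networks overlap (the error case)."""
    routes = connected_routes(layout)
    return [(a, b) for i, (a, na) in enumerate(routes)
            for b, nb in routes[i + 1:] if na.overlaps(nb)]

if __name__ == "__main__":
    print(route_lookup(ICS_LAYOUT, "192.168.0.7"))      # two interfaces tie
    print(route_lookup(VMWARE_LAYOUT, "192.168.0.7"))   # only the public NIC
    print(overlapping_interfaces(ICS_LAYOUT))           # the colliding pair
```

The overlap check is the test ICS's error dialog is really reporting: with the ICS layout, 192.168.0.7 matches both /24 routes and the tie cannot be broken, so the private side is unusable no matter which address the router has been moved to. With the VMware layout the two networks are disjoint, every destination has at most one match, and the same host forwards without ambiguity.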
