This document describes the use of a network router in conjunction with Mailtraq. Many local area network installations make use of routers to provide upstream connectivity to their ISP and this document details how to configure Mailtraq to make use of such a link.
Note that routers are available which can operate with many different networking protocols, but, for the purposes of this discussion, we are solely concerned with TCP/IP.
The first few sections describe the basic properties and operation of routers before detailing their use with Mailtraq. If you are familiar with the operation of routers, you may wish to skip these initial sections.
WHAT IS A ROUTER?
A router is a device which routes data between two separate networks. The device itself has two network interfaces, one for each of the networks involved. It accepts data from either network, destined for the other, and moves that data between the two transparently.
HOW DOES IT WORK?
You may be wondering how the router knows what data from one network is actually intended for a machine on the other. This is actually determined by the machines on the network, and configured using a combination of the TCP/IP address, subnet mask and default gateway addresses.
Put simply, the subnet mask is used in conjunction with the TCP/IP address to determine if the address is within the local network, or external to it. If external, the data is sent to the gateway address to be routed out of the network.
As an example, many private networks use IP addresses in the 192.168.x.y range. These addresses are reserved for private use and are guaranteed never to be routed on the Internet. Such a network might consist of a number of workstations, with the addresses 192.168.0.10, 192.168.0.11 and 192.168.0.12. If the subnet mask is set to 255.255.255.0, this dictates that the first three numbers of the address constitute the network, whereas the final number dictates the machine, or host, on that network.
Therefore, if data was directed from one of these workstations to address 192.168.0.20, this would indicate a machine on the local network, so the data can be sent to its destination directly. If the data was directed at 192.168.1.20, this would indicate a machine on an external network, in which case the data will be sent to the address specified as the gateway.
The router works by becoming the gateway on both networks. Each network interface in the router is given a valid address for the network to which it is connected, so its address for the first network might be 192.168.0.1, and for the second network, 192.168.1.1. Each machine on both networks has its gateway address set to the appropriate address on the router, so that any data which is not directed at a machine on the local network will be sent to the router, which will then forward the data to the correct machine on the other network.
USING A ROUTER TO CONNECT TO THE INTERNET
Since the Internet is just another network, albeit a rather large one, a router can be used to bridge a LAN with the Internet in exactly the same manner as described above.
Unfortunately, it's not quite that simple, as there are two key problems which need to be overcome which I will deal with in turn. The first of these is the issue of dial-up links, the second is one of addressing.
A Dial-on-Demand (DOD) router functions in the same way as a standard router, except that whilst one of the two network interfaces is of the standard Ethernet variety (i.e. a network card in a PC), the other consists of a dial-up connection.
The router is configured with the details of the remote network, so that it knows what number it must dial and what authentication to provide to the remote network. When the router receives some data which needs to be forwarded to the remote network, it will automatically dial up and make the connection before forwarding the data as normal. The router can be configured to drop the line after a certain period of inactivity.
Using this system, a DOD router will do exactly what it's name suggests, and dial the remote network when the demand for it is there. This system provides a totally transparent connection to the machines on the network, as they simply access the remote network, and the router takes care of establishing the connection and resolving the request.
The dial-up interface is most commonly an ISDN line, although some manufacturers do provide DOD routers with a standard modem interface. ISDN is vastly preferable in this scenario, since it typically takes only a couple of seconds to establish the remote link, so the users will hardly notice the delay. In contrast, a modem interface can take substantially longer to establish the connection.
As you can see, this type of device provides a perfect solution for connecting a network to the Internet. The router is configured with the appropriate dial-up details for the ISP, and it will take care of connecting and disconnecting when required. The other major benefit is that, as well as providing access to any computer on the local network once the link has been established, any number of machines may utilise the link concurrently. This does, however, bring us onto the second problem, addressing.
NETWORK ADDRESS TRANSLATION
When the router establishes its connection with the ISP, it will typically be assigned an IP address by the provider, in the same way as a standalone machine using a modem. This address is a valid Internet host address which identifies your computer on the Internet for the duration of the connection.
The problem with the above scenario is that when data is forwarded from a machine on the network out to the Internet, the receiving machine will see the data as coming from address 192.168.x.y, which is not a valid Internet address. The only address you have which is valid on the Internet is the single address assigned to you by the ISP.
One solution to this is to get the ISP to provide you with a range of valid addresses, rather than a single one. You can then use these addresses for each workstation on the network, so that when they transmit data to the Internet, each machine has a valid address that the receiving machine can communicate with. When the Internet host sends data back to your network, the router can easily see which machine the data is intended for. Many ISPs provide such services for their business network accounts, but they typically cost a lot of money. What we need is a method of connecting a network to the Internet but using only the single IP address supplied with a typical low-cost dial-up account intended for a single user.
This is what Network Address Translation (NAT) does. NAT is a system whereby the local network addresses remain in the private 192.168.x.y range, and the router translates the addresses as data flows through it.
When a machine on your network communicates with a host on the Internet, the router doesn't simply forward the data, it changes the source address of the data from the invalid address of the machine on your network to the valid address assigned to the router during the dial-up process. When the remote host sends data back to this address, it is actually addressing the router, which then works out which machine on your network it is for, substitutes the correct local address, and sends the data on.
In a nutshell, NAT allows you to hide an entire network of machines behind the router. As far as the ISP is concerned, you have a single machine connected to their system, but they don't know that this is actually a router. Most ISPs will allow this type of connection, but some don't. Whilst it is very hard for the ISP to determine that you have a network hidden behind a NAT router, if they explicitly prohibit this type of connection, then you are violating your agreement with them.
CAN'T I DO THE SAME THING WITH A PROXY SERVER?
A proxy server is another method of providing Internet access to a network of computers. The proxy software receives requests for data from the local machines, connects to the Internet to fulfil the requests, then passes that data back to the local machine.
In this scenario, a single machine will have a connection to the Internet of some variety, and will be running the proxy software. Typically, the proxy server software can be configured to provide services of specific types, such as HTTP for web access, or FTP for file downloading.
Where a basic proxy server differs from a full NAT router is that it works at a much higher level. The proxy does not route individual packets of TCP/IP data between the networks, instead it fetches data on the clients behalf. Each proxy service the server provides works in conjunction with a local server to provide access to the local machines.
For example, to provide web access to the network, an HTTP proxy would be set-up on the server. The server would also be running it's own local web server, which is accessible by the machines on the network. When a user attempts to access a website, the proxy server will connect to the internet, and then fetch the pages on the users behalf. These pages are then provided to the user via the local web server.
The key difference here is that the user is only ever accessing the web server on the proxy machine, which is in turn fetching the pages from the Internet. With a router, the user is connecting directly to the website on the Internet.
SO WHICH IS THE BETTER SOLUTION?
Each solution has it's advantages and disadvantages, and if you currently have neither and are deciding which to use, then there are a number of factors to consider.
A simple proxy server may provide services for web or ftp access, and maybe some other standard services like news. These will provide access to your users, but they have no direct access to the Internet. This means that they will be unable to use programs which require this direct access, such as NetMeeting or ICQ. Whereas this is an obvious disadvantage if your users require access to such services, it may well be an advantage if you wish to control what users are able to do over the Internet link.
It should be noted that some proxy servers will also provide a full TCP/IP proxy service, sometimes called a Winsock proxy, which will allow the users to run any software they desire. In this case, the proxy can offer many of the features that a NAT router would, but if you need full TCP/IP Internet access from each machine on the network, a NAT router will often offer a more complete solution.
A proxy server can potentially offer increased performance by use of its cache. If one user browses some pages on a website, then a short while later another user accesses the same site, much of the material will still be present in the cache of the web server on the proxy machine, so it can be supplied to the user directly from there, increasing speed and reducing bandwidth usage to the ISP.
Of course, you may well be adding a Mailtraq server to a network which is already using a NAT router for Internet access, in which case you will probably want to configure Mailtraq to use this connection.
When installing Mailtraq, and deciding whether to use a router, or to use a dial-up connection on the Mailtraq machine, in conjunction with its proxy services, a key consideration is how much control you will have over the Internet link.
When the dial-up link is installed on the Mailtraq machine, via either a modem or ISDN terminal adapter, Mailtraq itself is responsible for the connection. In addition to connecting when required, it can also monitor the dial-up networking connection, so that if the link is raised for another reason, such as a proxy request or a separate program altogether, it can make use of the open link.
With a DOD router, the responsibility for establishing and disconnecting the link to the ISP is removed from Mailtraq completely. This is not a problem for scheduled connections, as the router will establish the link to the ISP automatically. If the router raises the line for another reason, however, such as a user browsing a website, there is no way that Mailtraq can see that the connection is active, since there is no dial-up networking connection for it to monitor. In these cases, Mailtraq will be unable to avail itself of the link.
CONFIGURING THE MAILTRAQ MACHINE
Ok, you've got your router installed and configured. The first step is to ensure that Internet access through the router is working correctly on the machine onto which Mailtraq is installed. The instructions which came with the router should have detailed how to configure the local machines, but the basic rule is that both the gateway address and primary DNS server address should point to the local address of the router. Try some basic Internet access tests on the machine, such as accessing http://www.mailtraq.co.uk, to ensure this is working.
How you configure Mailtraq to use the router depends on whether you have a standard router using a permanent connection to the Internet, or a DOD router using a dial-up link, and is configured in the Online tab of Server Properties, available from the Options menu of the Mailtraq Console.
If you have a permanent connection, then simply select the Direct / Permanent Network Connection option. This tells Mailtraq that you are always connected to the Internet, and no further configuration should be required. Try selecting an item from the Actions menu to check that the connection is working correctly.
If you are using a DOD router, then select the Virtual Network option. This tells Mailtraq that you have a transient dial-up connection to the Internet, but that it isn't responsible for it. Mailtraq will simply attempt to access the Internet at the scheduled times, and expect the connection to be there, the router will handle the connection.
You can test the connection by selecting Schedule a Connection Now item from the Actions menu. Mailtraq will attempt to connect to the Internet, and the router should bring the line up automatically. Mailtraq should then proceed with its communications, and once it has finished, the router should drop the line after the configured idle timeout. If Mailtraq fails to connect, or the router fails to connect, check the troubleshooting section at the end of this document.
You should now have Mailtraq set-up to connect to your ISP via the router. When a schedule is initiated, Mailtraq should be able to establish connections to any Internet servers you have configured. There remains, however, the issue of inbound communications.
Whilst the majority of connections will be established by Mailtraq itself, such as those to POP3 accounts and news servers, some connections are not established by Mailtraq, but by the Internet server. The primary example of this is SMTP.
If you receive your mail via SMTP, then the mail server at your ISP will attempt to establish a connection to you shortly after the router connects. The question is, where does this data go?
When a connection is initiated from a machine on the local network, the router can intelligently route responses back to the machine that initiated the connection. When a connection is initiated from outside the network, the router doesn't know which machine to send it to, so you need to tell it. This configuration will obviously differ from router to router, so consult your documentation.
Basically, the router will allow you to direct incoming data to a specific machine or machines. This configuration can either take the form of a default machine, which receives all incoming data, or may allow you to specify which machine to direct the data to depending on the port to which it was addressed.
If your router only supports the former, default machine, option, then you will have to set this to direct incoming data to the Mailtraq computer. If you can configure on a port by port basis, then this is a much better option. You need to configure the router to forward data that is directed to port 25 (the SMTP port) to the Mailtraq server. Any data which is directed at another port will go nowhere (unless you direct it at a specific machine), but your mail should flow in correctly.
Whilst SMTP delivery is a common use of inbound communications, there may well be others. You may want to allow other users on the Internet access to the news or web servers in Mailtraq, for example, or your router may be capable of receiving direct incoming calls, which may be used to provide remote access by your users. If this is the case, and you are directing data on a port by port basis, then you will need to direct the appropriate port for each service to the Mailtraq machine, which in the case of news or web access are 119 and 80 respectively.
The configuration of inbound data redirection leads us onto the next section, security.
It is very possible that, whilst you are connected to the Internet, someone will attempt to break into your network. As this data will be inbound, it will be routed onto your network according to how you have the router configured, as previously described.
The simplest step you can take to protect yourself is to only configure routing for the ports that you require, if your router supports this level of control. For example, if the only inbound communication your require is SMTP delivery from your ISP, then you should only route port 25 to the Mailtraq machine, and inbound data directed at any other port will not be routed onto your network at all. If your router only supports the default machine method of routing, then you will be unable to selectively route data by port, and all inbound data will be forwarded to the Mailtraq machine.
The next step is to ensure that any data which is directed at the Mailtraq machine is correctly handled by the installed services. Services which are only ever accessed from inside the LAN can be effectively firewalled by configuring Mailtraq to only allow access from machines on the local network. Services which are to be accessed by users outside of the local network, such as POP3, should be protected by password authentication, where possible.
Where inbound connectivity is required, but password protection is not possible, such as with the SMTP service, it may still be possible to restrict access to the service. If you have the IP addresses of the mail servers at your ISP that connect to you, and you are confident that these will not change, then you can restrict access to these addresses, in addition to the local network, thus preventing any unauthorised access to the service.
For the best possible security, consider installing a dedicated firewall. This is a machine running specialist software whose job it is to examine and filter incoming data and forward it onto your network. In this scenario, the router should be configured to route all inbound data to the firewall machine. This machine will then forward the data onto the Mailtraq computer once its security checks have been satisfied.
An alternative to a separate computer running firewall software is to use a dedicated hardware firewall. These are small Ethernet devices which sit between the router and your network, and perform the same task. They are often available from the same manufacturers who produce the routers, and depending on your situation, may provide a simpler solution.
There are a few caveats to watch out for when using Mailtraq with a DOD router in this fashion.
As mentioned previously, Mailtraq has no control over the connection to your ISP, and so cannot take advantage of it when opened by other means. In addition to this, it should be noted that Mailtraq cannot terminate the connection itself. This has an effect on the operation of the Disconnect after options in the schedules.
When the Disconnect after timeout expires, Mailtraq will go offline and not attempt any further connections to your ISP. When the Disconnect unconditionally after timeout expires, Mailtraq will force the dial-up networking to disconnect, which will in turn terminate any communications currently in progress.
The catch here is that Mailtraq does not explicitly terminate any currently communicating processes, it relies on the dial-up link disconnecting to stop communications. Since Mailtraq has no dial-up connection to close, if there are currently active processes communicating with your ISP, these will continue past the unconditional timeout until they complete, which could extend your online period beyond that determined by this setting.
Another point to note is that the SMTP service will accept incoming connections even if Mailtraq is offline. Although it cannot sense the presence of an active link to your ISP, if your ISPs mail server attempts to deliver mail, the SMTP service will accept it, just as it would accept inbound mail from a local workstation whilst offline. Mailtraq remains offline during such communications, so it will not initiate any connections itself, but inbound mail will be delivered whenever you connect to your ISP.
The following items assume that the computer running Mailtraq is connected properly to the local network, and that you can see the Mailtraq machine from other workstations.
Generally, each machine on the network, and the router itself, should have a valid TCP/IP address and the correct subnet mask. Each machine should be able to ping any other machine, including the router itself.
Problem: When Mailtraq attempts to connect, the router does not raise the line
Raise the line by accessing the Internet manually from a workstation. Now try forcing Mailtraq to go online by using the Schedule a Connection Now option from the Actions menu.
If Mailtraq works in this instance, then check the configuration of the router. Some routers allow you to determine if a machine may initiate a connection, or only use an existing one raised by another machine. Make sure the Mailtraq machine is allowed to initiate a connection.
If Mailtraq still doesn't work when the router is already online, then check that the router is not configured to deny all access to the Mailtraq machine. Most routers allow you to specify which machines may access the Internet. Also check that the default gateway and primary DNS server addresses on the Mailtraq machine are pointing to the routers address.
When Mailtraq attempts to connect, the router raises the line immediately, but all of the connections fail
Check that the default gateway address is set correctly. If the DNS server is set correctly, then when Mailtraq tries to resolve the host names it needs, the router will bring the line up to resolve them, but without the default gateway set correctly, no data will flow.
When Mailtraq attempts to connect, the router takes a while to raise the line, and the connections timeout
This is a common problem. ISDN connections will usually establish themselves in a couple of seconds, which is more than quick enough. Sometimes, however, they can take a while longer, during which time Mailtraq may timeout. By the time the connection is established, Mailtraq has given up on most of its connections. A common cause of this type of delay is the negotiation of ISDN compression protocols, so you may want to try disabling this feature on the router to see if it helps reduce the connect time. If you are using a modem based router, then the connection will never establish quickly enough for Mailtraq.
What you need to do is introduce a delay to give the router time to raise the line before Mailtraq attempts to use the connection. The simplest method of provoking the router into raising the line is to either finger an account or initiate a time sync, both of which can be done with a simple script.
Create a simple script, which consists of one of the following commands. If you want to use finger, then enter:
ConsoleMenuCommand("Finger all Automatic accounts")
or if you want to use a time sync, enter:
Using the Run Script... option from the File menu, execute the script to check that it does indeed force the router to raise the line. Obviously you must have a finger account or time server configured, depending on the option you're using. Now, using the Scripts and Templates dialog, schedule the script to execute one minute before each of your scheduled connections.
The last thing to check is that the idle timeout on the router is set to more than one minute.
Now, at each scheduled connect time, the script will execute, which will force the finger or time sync, causing the router to raise the line. If the router takes a while to complete the connection, then the finger or time sync may fail, but this doesn't matter. One minute later, the main schedule will execute, and the Mailtraq services will attempt to connect to your ISP. This gives the router a full minute to establish the connection, which not only allows for prolonged ISDN negotiations, but would also allow the use of a modem router.
Author: Toby Groves