Applications of IPRoute
Multiport Serial to Ethernet Router with NAT

This experiment was unsuccessful. This page is included to show how we approached the problem and the configuration we used. We believe that the problem is caused by the way IPRoute handles COM ports.

IPRoute apparently manipulates the ports directly and needs to see an IRQ for each port that it will support. The XIRCOM multiport modem board we used in this experiment supplies only a single IRQ for all ports on the board and assumes that the software interface can determine which port requires service.

We believe that if this board were replaced with one or more serial multiport interface boards that provide an IRQ per port, this approach would probably work correctly. However, we did not have hardware available to test this hypothesis. --- Ed.



This router is intended to serve as a multiport Dial Access interface for our LAN, and if successful, will provide 8 or more dial in ports using NAT to provide access. This version makes use of the RADIUS authentication feature introduced in IPRoute V 1.18, operating in conjunction with Microsoft's RADIUS server running under Windows NT 4.0.

If this is successful, conceptually it could be extended with additional MPM cards to provide additional dial in interfaces. It should also be possible to combine this with other interfaces such as the Wireless LAN etc., to provide a general "miscellaneous" interface unit.

The common materials used were:

  • IPRoute v 1.18
  • MSDOS
  • a 1.44 floppy drive
  • a 486dx4-100 PC with 4MB memory
  • a 10MB Ethernet card
  • a surplus XIRCOM (NetAccess) MPM-8 Multiport Modem Card

The XIRCOM MPM-8 normally uses a NDIS driver interface to Windows NT. However, it will operate in "Comm Port Emulation" mode where it appears to be 8 standard serial ports. In this mode, it provides 8 I/O addresses but only a single IRQ.

AUTOEXEC.BAT

: Ethernet Card Packet Drivers
EXP16.COM 0x60 0x300

: now start the router
ipr dialin.ipr

Finally, the configuration file for IPRoute must reflect the desired routing information. This file assigns the Ethernet, sets up the Dial In Ports, establishes the routes and defines the filters.

DIALIN.IPR

; 4:00 PM 7/17/98

	set trace on
	command
	
; Configure uplink parameters
	packet uplink 0x60 mmm.nnn.ooo.253/24
	route * uplink mmm.nnn.ooo.2
	rip uplink quiet

; Configure Dialin Ports
; To use an IRQ per Port change the "15" below to 
; the appropriate IRQ for each port
	async dialin1 0x1a0 15 115200 do_dialin1
	async dialin2 0x1a8 15 115200 do_dialin2
	async dialin3 0x1b0 15 115200 do_dialin3
	async dialin4 0x1b8 15 115200 do_dialin4
	async dialin5 0x1c0 15 115200 do_dialin5
	async dialin6 0x1c8 15 115200 do_dialin6
	async dialin7 0x1d0 15 115200 do_dialin7
	async dialin8 0x1d8 15 115200 do_dialin8

; General Setup
	set nat send-reset on
	set nat send-icmp on
	set log udp mmm.nnn.ooo.1
	radius mmm.nnn.ooo.3 my_secret	
	
;   NAT for outgoing client access
	nat uplink * * mmm.nnn.ooo.253	

	ftpd
	telnetd do_telnet

	exit

; Telnet login script
do_telnet:
	on cdloss drop_telnet
	wait .5
	on timeout drop_telnet
	send "\r\nlogin: "
	set echo on
	read 60 "\r\n" NAME
	send "\r\nPassword:"
	set echo off
	read 60 "\r\n" PASS
	authenticate NAME PASS *:21
	log "$NAME logged in from $IPADDR:$PORT"
	send "\r\n\n"
	command
drop_telnet:
	exit

; PPP script for dial-in ports using XIRCOM MPM-8
; All ports are configured with some common values
;	PAP authentication
;	900 second idle timeout
; 	modem init strings, etc.

do_dialin1:
	set ppp remote ip 192.168.16.1
	route 192.168.16.1/32 dialin1
	define myip "192.168.16.240/32"

	goto do_dialins

do_dialin2:
	set ppp remote ip 192.168.16.2
	route 192.168.16.2/32 dialin2
	define myip "192.168.16.239/32"

	goto do_dialins

do_dialin3:
	set ppp remote ip 192.168.16.3
	route 192.168.16.3/32 dialin3
	define myip "192.168.16.238/32"

	goto do_dialins

do_dialin4:
	set ppp remote ip 192.168.16.4
	route 192.168.16.4/32 dialin4
	define myip "192.168.16.237/32"

	goto do_dialins

do_dialin5:
	set ppp remote ip 192.168.16.5
	route 192.168.16.5/32 dialin5
	define myip "192.168.16.236/32"

	goto do_dialins

do_dialin6:
	set ppp remote ip 192.168.16.6
	route 192.168.16.6/32 dialin6
	define myip "192.168.16.235/32"

	goto do_dialins

do_dialin7:
	set ppp remote ip 192.168.16.7
	route 192.168.16.7/32 dialin7
	define myip "192.168.16.234/32"

	goto do_dialins

do_dialin8:
	set ppp remote ip 192.168.16.8
	route 192.168.16.8/32 dialin8
	define myip "192.168.16.233/32"

do_dialins:

	set trace on
	set log raw on
	set ppp trace on
	
; change as appropriate for chap authentication	
	set ppp authenticate pap
	
; sets dialin idle time to 15 minutes	
	define myidle "900"

; setup standard values for the modem(s) - these are
; for the XIRCOM MPM-8 modem - change as needed
	define mdm_answer "ATA\r"
	define mdm_reset "ATZ\r"
	define mdm_config "ATL0E0V1&C1&D2\r"
	define mdm_connect "CONNECT"
	define mdm_ring "RING"
	define mdm_ok "OK"

hangup_dialin:
	set interface dtr off
	wait 1
	set interface dtr on
	wait 1
	set interface rts flow
	wait .5
	send "$mdm_reset"
	wait 1 "$mdm_ok"
	send "$mdm_config"
	wait 1 "$mdm_ok"
	
; The XIRCOM apparently does not support autoanswer
; so the scripts sit waiting for "RING" - the board 
; does support the RI signal so it should work with 
; a "on RING answer_dialin" command instead. In any
; event the script sends the Answer command to the 
; modem when it gets a ringing indication. If it fails
; to get CONNECT in 30 seconds it hangs up. If it gets
; a CD signal then it proceeds to validate the user

; Wait for the "RING" message from the modem
	wait 0 "$mdm_ring"
	
; Alternate ringing indication with modem RI signal
;	on RING answer_dialin	

answer_dialin:
	send "$mdm_answer"
	on timeout hangup_dialin
	wait 30 "$mdm_connect"
	on cd continue
	wait 0

continue:
	on cdloss hangup_dialin
	on timeout hangup_dialin
	ppp $myidle $myip
	goto hangup_dialin



Project Status  

Serial Port Problems
Thus far we have found that in this configuration the system will answer only the last initialized port; i.e., if configured for 8 ports it works only with port 8, if configured for 2 ports it works only on port 2, etc. We believe this to be due to the fact that the XIRCOM card provides 8 I/O addresses, but only a single IRQ.

It appears that IPRoute manages the hardware directly and, not surprisingly, does not resolve the shared interrupt. As a result, it does not "see" an incoming call on anything but the last address configured. We have reported this to Dave Mischler but he has not had time to address it as yet.

Dial Access Testing
We have tested dial in access to the single working port using both Windows 95 Dial Up Networking and Windows NT Workstation Remote Access Services. Access with Windows 95 was successful and so far we are able to access TCP/IP based functions such as EMAIL, Web, etc. We are still unable to access network files, etc., using NetBIOS over TCP/IP but continue testing to determine why. Windows NT access has failed consistently with the client reporting that "the PPP is not converging" on the dialup. We have been unable to remedy this as yet.

RADIUS Authentication Problems
Using the single active port we have managed to test the RADIUS authentication. The RADIUS server used is Microsoft's Internet Authentication Server for Windows NT from the recent NT Options Pack. We have found two problems, one of which is most certainly a Microsoft problem and the other appears to be an IPRoute problem.

First, Microsoft's RADIUS appears to accept any combination of invalid username and invalid password as authentic; only when a valid user name and an invalid password are supplied does it reject the access. We have tried login through IPRoute with valid and invalid usernames and passwords and the RADIUS server logs show that they were all authenticated and granted access.

Second, using RADIUS, we are unable to FTP into IPRoute. The RADIUS logs reflect authentication and acceptance, but the FTP shows the login as rejected. This does not occur with the TELNET daemon in IPRoute, which is of course subject to the apparent problem with the Microsoft RADIUS as reported above.
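The negative test described above can be scripted so that a RADIUS server is checked for accepting bad credentials before it is put in front of dial-in ports. The following is an added example, not code from the original page or from IPRoute: it builds a PAP Access-Request as defined in RFC 2865, verifies the Response Authenticator of a reply, and flags any accepted credential pair that should have been rejected. The function names, the user name and the OBSERVED matrix are constructed for illustration; my_secret is the placeholder shared secret from DIALIN.IPR.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3  # RFC 2865 packet codes

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with a chained MD5 mask."""
    padded = password.ljust(-(-max(len(password), 1) // 16) * 16, b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def build_access_request(ident, user, password, secret, req_auth=None):
    """Return (packet, request_authenticator) for a PAP Access-Request."""
    req_auth = req_auth or os.urandom(16)
    hidden = hide_password(password, secret, req_auth)
    attrs = bytes([1, 2 + len(user)]) + user           # User-Name (type 1)
    attrs += bytes([2, 2 + len(hidden)]) + hidden      # User-Password (type 2)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + req_auth + attrs, req_auth

def check_reply(reply, ident, req_auth, secret):
    """Return the reply code if the Response Authenticator verifies, else None."""
    if len(reply) < 20:
        return None
    code, rid, length = struct.unpack("!BBH", reply[:4])
    if rid != ident or not 20 <= length <= len(reply):
        return None
    reply = reply[:length]                             # ignore trailing padding
    want = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    return code if hmac.compare_digest(want, reply[4:20]) else None

def fail_open_cases(results):
    """results: {(user_valid, pass_valid): code}. List accepted bad credentials."""
    return sorted(k for k, c in results.items()
                  if c == ACCESS_ACCEPT and k != (True, True))

# Constructed matrix mirroring the behaviour reported above (not captured data).
OBSERVED = {(True, True): ACCESS_ACCEPT, (True, False): ACCESS_REJECT,
            (False, False): ACCESS_ACCEPT}

if __name__ == "__main__":
    pkt, ra = build_access_request(1, b"nosuchuser", b"wrong", b"my_secret")
    print(len(pkt), "byte Access-Request;", "fail-open:", fail_open_cases(OBSERVED))
```

A reply for which check_reply returns None was not produced with the shared secret and should not be counted as either an accept or a reject.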

Further Integration
We have successfully integrated the Wireless LAN interface into this router. The configuration file shown above does not reflect this configuration but it basically merges the appropriate sections from our earlier Wireless efforts into the file above. To the limited degree that the Serial Interface works in this case, routing and NAT occur properly for both interfaces to and from the Ethernet uplink.  


  


Trademarks used herein are the property of their respective owners
"MSDOS" is a trademark of Microsoft Inc.

Copyright © 1998 information systems technology incorporated
Updated: Friday, August 07, 1998 8:49:39 PM
