Internet via cable modem

Wed, 2007-07-18 08:14 by admin

This article deals with a particular problem that is typical for cable modem connections to the Internet but can occur in other situations as well. The problem is that the Internet Service Provider (ISP) gives you some IP (Internet Protocol) addresses that are in a genuine Internet subnet, but they are not contiguous and many other computers share this IP subnet.

This is also valid for certain DSL and other Internet connections.

If you try to connect your computers and the cable modem to a hub, this is tricky, partly because all information that goes through the hub is sent out on all connections. Hubs always work that way. (A switch is preferable—see Switch or Hub for details—but still doesn't solve the entire problem.)

This means that all your internal network traffic is sent out to the cable modem as well. If it uses the IP transport protocol, it may even get sent out towards the open Internet. It won't get far there, but there are still security and performance issues, depending on what the cable modem does with this information. Some cable modems have a built-in router that would block such traffic, some don't. But even with such a router function, the additional traffic could still reduce performance by engaging the port and the router.

Another problem is that the IP addresses you get from the cable service provider may be on an open Internet subnet along with many other unknown computers. This makes it difficult to keep your internal network traffic off the Internet. On the other hand, it may also make it difficult to reach any other computer in that subnet if you attempt to block outgoing traffic to this subnet altogether.

There are a few options to solve this problem.

  1. Buy a suitable router and use only one external IP address. Such routers are sometimes called WAN routers and are inexpensive. They use Network Address Translation (NAT) to make do with just one external IP address and give your local computers private IP addresses through DHCP (Dynamic Host Configuration Protocol). This protects all your computers from Internet attacks, because they can no longer be reached directly from the Internet. Because this option uses NAT, it does not allow Internet games that are not compatible with NAT and need separate IP addresses for each participating computer.
  2. Put a second network adapter in one of your computers, connect it to the cable modem, activate ICS (Internet Connection Sharing) on that computer and safeguard it so that it defends effectively against outside attacks, because it is now open to the Internet. Essentially you are using one of your computers as a router. Obviously, this computer also needs to be running for any of your other computers to reach the Internet. This option also uses NAT and only one external IP address, with the attendant limitations for Internet gaming.
  3. Use a different transport protocol, i.e. IPX or NetBEUI, for your internal network traffic. Don't use a hub, use a router, to prevent all data from going in all directions. Use TCP/IP only for the Internet connection and unbind this protocol from Windows networking functions like File and Printer Sharing. This method keeps your computers' Windows network and your internal data traffic away from the Internet. If each computer gets an external IP address, there are no limitations for Internet gaming.
  4. Have your ISP provide a set of IP addresses to you that are all in the same subnet reserved for you. Set up your router appropriately, including a suitable firewall. This requires some knowledge. It also allows all kinds of Internet gaming, like all following proposals that also use IP addresses handed out by the ISP.
  5. Use a physically separate network for local connectivity using two Ethernet adapters in each computer.
  6. Set up two IP addresses for each adapter, one for Internet access and one for the local area network, i.e. run both networks through the same adapter. To separate the outgoing traffic from the internal traffic, use switches, not hubs. Even so, broadcasts may slip out.
  7. Widen the subnet mask enough to encompass all IP addresses handed out by the ISP. Internal traffic should mostly stay within the LAN if switches, not hubs, are used, but broadcasts would still get out, and formally there may be many other computers within the subnet, making this a so-called edgeless LAN. If the ISP gives you dynamic IP addresses, you cannot set the subnet mask and can only check whether it happens to be wide enough. If not, you cannot use this method. If the ISP gives you fixed IP addresses, you can set the subnet mask accordingly and you can also set the Windows XP Service Pack 2 firewall such that only these addresses and not any others in the subnet are allowed the Windows networking functions like File and Printer Sharing. Nonetheless, I cannot recommend this to users inexperienced in networking. To maintain security, each computer would have to be carefully safeguarded, i.e. firewall enabled and properly set up, anonymous and guest access prohibited or carefully restricted, long passwords, etc. Any oversight can render the LAN vulnerable.
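
Added example, not part of the original article: a short Python check for option 7. It computes the narrowest subnet mask that covers a set of ISP-assigned addresses, tests whether a mask supplied by the ISP is already wide enough, and counts how many foreign addresses share the resulting subnet. The addresses are constructed samples from the 203.0.113.0/24 documentation range, and all function names are illustrative.

```python
import ipaddress

# Constructed sample: three non-contiguous addresses an ISP might hand out
# (taken from the 203.0.113.0/24 documentation range, not real hosts).
ISP_ADDRESSES = ["203.0.113.21", "203.0.113.77", "203.0.113.140"]


def covering_network(addresses):
    """Return the smallest single IPv4 subnet containing every address."""
    values = [int(ipaddress.IPv4Address(a)) for a in addresses]
    lo, hi = min(values), max(values)
    # Every bit position where lowest and highest differ must be a host bit.
    prefix = 32 - (lo ^ hi).bit_length()
    return ipaddress.IPv4Network((lo, prefix), strict=False)


def mask_is_wide_enough(addresses, netmask):
    """True if the given netmask puts all of our addresses in one subnet."""
    subnets = {ipaddress.IPv4Network(f"{a}/{netmask}", strict=False)
               for a in addresses}
    return len(subnets) == 1


def foreign_hosts(addresses, network):
    """Count usable addresses in the subnet that do not belong to us."""
    usable = network.num_addresses
    if network.prefixlen < 31:
        usable -= 2  # network and broadcast addresses are not hosts
    return usable - len(set(addresses))


def firewall_scope(addresses):
    """Comma-separated list of our own addresses for a firewall allow list."""
    ordered = sorted(set(addresses), key=lambda a: int(ipaddress.IPv4Address(a)))
    return ",".join(ordered)


if __name__ == "__main__":
    net = covering_network(ISP_ADDRESSES)
    print("mask needed:", net.netmask, f"(/{net.prefixlen})")
    for mask in ("255.255.255.128", "255.255.255.0"):
        print(mask, "wide enough:", mask_is_wide_enough(ISP_ADDRESSES, mask))
    print("foreign addresses in subnet:", foreign_hosts(ISP_ADDRESSES, net))
    print("allow only:", firewall_scope(ISP_ADDRESSES))
```

The count of foreign addresses shows how many unknown machines sit inside the same subnet, which is why the firewall should be limited to your own addresses rather than the whole subnet.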

For general problems with networking Windows XP, please see the Windows XP Small Network Troubleshooter.
