Skip navigation

NT Workstations Using an IP Router

Get Rid of Those Default Gateways!

A couple of months ago, I talked about how to make a Windows NT machine into an IP router, but I didn't cover the implications for workstations that use that router. This month, I want to look at this area so I'll have all the pieces in place to cover next month's topic, the grand finale: using an NT machine as a LAN-to-WAN router to the Internet.

An example of a workstation that uses an IP router is a simple three-subnet "internet" (the example includes only three subnets, so this is an "internet," not part of the "Internet"). Figure 1 shows this "internet."

First, you see three separate Ethernet segments, three separate subnets. They are all C-class networks (subnet mask, just to keep things clean. Ovals represent two of the networks. The left oval, containing, is shorthand for an Ethernet with up to 254 computers. Addresses range from through Notice I said 254, not 253, because these subnets have no default gateway.

The right oval represents a network whose addresses range from through number Between these ovals is a third subnet, with the address The PC in the middle contains only one Ethernet card, and its IP address is

The rectangles on the right and left sides are routers, computers with two Ethernet cards and thus two IP addresses apiece. Each has an address on the network, and each has an address on either the network or the network. These routers can be PCs running NT, or they can be dedicated routers from Cisco Systems, Bay Networks, Compatible Systems, or the like.

The plan is to set up the workstation at Notice that, from this workstation's point of view, it has two possible "gateways," and Which should be the default gateway?

The answer: neither. When you set up the .40 machine with a static IP address (that is, if you just punch in an IP address, subnet mask, and such, rather than letting the Dynamic Host Configuration Protocol (DHCP) automatically give it an IP address), you leave the Default Gateway field blank. You now need to tell the machine at how to route to anywhere on this network. The following are some facts this machine needs to know.

1) To get a message to the network, send it to the machine at

2) To get a message to the network, send it to the machine at

3) To get a message to the network, just use your own Ethernet card; send the message out on the segment, and it'll be heard.

You tell a workstation how to send packets with the route add command. It looks like this:

route add destination mask netmask gatewayaddress

In this command, destination is the address or set of addresses that you want to reach. Netmask defines how many addresses are there: Is it a C-class network with 250+ addresses, something subnetted smaller, or perhaps a supernet of several C-class networks? Gatewayaddress is just the IP address of the machine that will route your packets to destination.

The routeadd command for the network looks like this:

route add mask

It means, "to send a message anywhere on the network, send it to the machine at, which will take care of it."

Just a reminder on subnetting, for clarity's sake: Suppose the network on the left isn't a full C-class network, but a subnetted part of it; suppose instead that it is just the range of addresses from through The network number is, as always, the first address (, and the subnet mask is The routeadd command then looks like this:

route add mask

Next, you add a command for the network on the right. This command takes the form

route add mask

That command will get an NT system up and running. Now it can access all three subnets.

Suppose the workstation at .40 tries two PING commands: PING and PING Suppose also that no machine on the network has the IP address Now both PINGs will fail, because neither machine is on this network, but each will produce a different error message. PINGing will produce, "Request timed out," and PINGing will produce, "Destination host unreachable."

Why the different error messages? In the case of, the PING went out to the subnet, but no one responded, so PING timed out. In the case of, the workstation simply didn't know where to send the packet. If you send mail to a non-existent Ignatz Semmelweiss in Sydney, Australia, you just address a letter and drop it into the mailbox. A response may take awhile, but eventually you'll get a message that says, "The mail system hasn't gotten a response from Ignatz." But how can you send a letter to someone living on the fourth planet orbiting Proxima Centauri? You can't. You have no idea how to begin sending that message. That's a "destination host unreachable" message.

Clearly, then, to troubleshoot NT networks that use TCP/IP, you examine what a workstation knows about routing. You can find out by opening a command prompt and typing, ROUTE PRINT or netstat -rn. If you do that on the .40 workstation, you'll get a result like screen 1.

Notice that the format of ROUTE PRINT's output is similar to the way you format data in ROUTE ADD. Also notice that most of the routing information is generated automatically.

The first line is the loopback information. Send a message to any IP address from through, and the message will be echoed back to you. Note the general mask, The gateway address is the preprogrammed loopback address. The second and third lines are the ROUTE ADD statements that you manually entered. The fourth statement just says, "to talk to your own subnet, just shout out the message, and everyone will hear it."

The fifth statement says, "to send to, send to" Again, notice the mask, It means, "this routing rule applies only for this one IP address." The statement after that looks the same except for the last quad; is the address that your workstation would use to broadcast a message intended for every computer on its subnet.

The seventh line defines an "internet" multicast address. A multicast is a network communication to more than one machine, but not necessarily all machines; a multicast is a message received only by the machines that want to receive it. For example, all the PCs in a workgroup might want to receive browsing messages. However, PCs that are on the subnet but are not members of the workgroup wouldn't want the messages. So the PCs on the workgroup would all join a multicast group. Browser messages would then go to the "internet" multicast group. Some NT Internet software uses "internet" multicast groups, so you must define the multicast address. It is The last line is the limited broadcast address, a kind of generic broadcast address.

When does entering a value for Default Gateway make sense? A default gateway is the address of a catch-all router, usually one connecting your subnet to the Internet or to a large corporate intranet. I don't have one here. But if I did have a connection to the Internet (for example, a router at, how would I include that in my routing table? The ROUTEADD commands you've seen so far connect you to a particular network. Typing in thousands of ROUTEADD statements, all referring to, is one way to explain to your workstation that 210.50.
100.72 is how to get to the rest of the world. But an easier way is to type

route add mask

I've been using the Internet notation as shorthand for "the range from through"; zero acts as a wildcard for IP addresses. Extend that notion a bit, and you can see that means "everything." It is the Internet version of *.* in DOS. The mask includes no one-bits, which says, "when you're matching this pattern, don't worry about matching any of the bits--everything matches." That's the definition of a gateway address.

On any NT machine, you can leave the Default Gateway field blank, and you can enter a default gateway at runtime with the routeadd command. Why do that? Because then you can change the default gateway on the fly, without needing to reboot your machine--which is useful when you're experimenting with routing.

You can get ready for next month's column by doing a little homework. Get Microsoft's Multivendor Protocol Router (MPR) and Service Pack 3 for NT 3.51. MPR is on at /bussys/winnt/winnt-public/fixes/usa/NT351/ussp3/mpr, and Service Pack 3 is at /bussys/winnt/winnt-public/fixes/usa/NT351/ussp2. I'll use them and Remote Access Service (RAS) to make an NT machine into a LAN-to-WAN Internet router.

Thanks for the Mail--Keep It Coming!
I appreciate the large amount of positive mail that I'm getting about this column. If you drop me a line this month, please tell me whether this topic is what you want to see. I want to spend time on TCP/IP issues--routing, DHCP, Windows Internet Naming Service (WINS), Domain Name Service (DNS), and Internet mail for starters.

If that agenda sounds good, please let me know. If not, or if you want something else, let me know about that, also. And note my new mail address: [email protected]

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.