25.5  Internet links dialed on demand

If an on-demand dial-up link is used (see chapter 6.2  Connection with a single leased link - dial on demand), consider the specific behavior of this connection type. If the network and/or the firewall are not configured correctly, the link may stay hung up even though the local network sends requests for Internet connections, or it may be dialed unintentionally.

Information provided in this chapter should help you understand the principle and behavior of on-demand dial-ups and avoid such problems.

How demand dial works

First, the function of demand dial must be activated within the appropriate line (either permanently or during a defined time period — see chapter 6.2  Connection with a single leased link - dial on demand).

Second, there must be no default gateway in the operating system (no default gateway must be defined for any network adapter). This condition does not apply to the dial-up line which is used for the Internet connection — this line will be configured in accordance with information provided by the ISP.

If WinRoute receives a packet from the local network, it compares it with the system routing table. If the packet is destined for the Internet, no matching record is found, since there is no default route in the routing table. Under usual circumstances, the packet would be dropped and a control message informing the sender that the target is unreachable would be sent. If no default route is available and the demand dial function is enabled, WinRoute instead holds the packet in its cache and dials the appropriate line. This creates a default route in the routing table via which the held packet is then sent.

To avoid undesired dialing of the line, only certain packet types are allowed to dial it: UDP packets and TCP packets with the SYN flag set (connection attempts). Demand dialing is disabled for Microsoft Networks services (sharing of files and printers, etc.).

From this moment on, the default route exists and other packets directed to the Internet are routed via the corresponding line. The line may be disconnected either manually or automatically after it has been idle for a certain period. When the line is hung up, the default route is removed from the routing table, and the next packet directed to the Internet redials the line.

Note:

  1. To ensure correct functionality of demand dialing, there must be no default gateway set on any network adapter. If there is a default gateway on any interface, packets to the Internet would be routed via this interface (regardless of where it actually leads) and WinRoute would never dial the line.

  2. Only one link can be set for on-demand dialing in WinRoute. WinRoute does not enable automatic selection of a line to be dialed.

  3. Lines can be also dialed if this is defined by a static route in the routing table (refer to chapter 18.1  Routing table). If a static route via the dial-up is defined, the packet matching this route will dial the line. This line will not be used as the default route — the Use default gateway on remote network option in the dial-up definition will be ignored.

  4. Because of the factors that affect the total time from receiving the request until the line is dialed (line speed, time needed to dial the line, etc.), the client might consider the destination server unavailable (its timeout expires) before the connection attempt succeeds. However, WinRoute always finishes the dial attempt. In such cases, simply repeat the request, e.g. with the Refresh button in your browser.
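The decision described above (no default route, hold the packet, dial only for UDP or TCP SYN, never for Microsoft Networks traffic, and the effect of a stray default gateway from Note 1) can be modelled in a few lines. The following Python block is an added illustration written for this page, not WinRoute code. The interface name ppp0, the LAN prefix and the set of NetBIOS/SMB ports standing for "Microsoft Networks services" are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumption (not stated in the manual): "Microsoft Networks services" means the
# NetBIOS/SMB ports used for file and printer sharing.
MICROSOFT_NETWORK_PORTS = {137, 138, 139, 445}


@dataclass
class Packet:
    dst: str           # destination IP address
    proto: str         # "tcp", "udp" or "icmp"
    dport: int = 0     # destination port (0 for ICMP)
    syn: bool = False  # TCP SYN flag set
    ack: bool = False  # TCP ACK flag set


class DemandDialRouter:
    """Toy model of the dial-on-demand decision described in this chapter.
    routes is a list of (network, interface) pairs; the dial-up interface
    name 'ppp0' is a constructed placeholder."""

    def __init__(self, routes, demand_dial_enabled=True, dial_interface="ppp0"):
        self.routes = [(ip_network(net), iface) for net, iface in routes]
        self.demand_dial_enabled = demand_dial_enabled
        self.dial_interface = dial_interface
        self.line_up = False

    def lookup(self, dst):
        """Longest-prefix match; returns the outgoing interface or None."""
        addr = ip_address(dst)
        best = None
        for net, iface in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    @staticmethod
    def may_trigger_dial(pkt):
        """Only UDP packets and TCP connection attempts (SYN without ACK) may
        dial the line; Microsoft Networks traffic never does."""
        if pkt.dport in MICROSOFT_NETWORK_PORTS:
            return False
        if pkt.proto == "udp":
            return True
        return pkt.proto == "tcp" and pkt.syn and not pkt.ack

    def dial(self):
        """Bring the line up and create the default route through it."""
        self.line_up = True
        self.routes.append((ip_network("0.0.0.0/0"), self.dial_interface))

    def hangup(self):
        """Drop the line; the default route disappears with it."""
        self.line_up = False
        self.routes = [(n, i) for n, i in self.routes if n.prefixlen != 0]

    def forward(self, pkt):
        """Decide what happens to a packet arriving from the LAN.
        Returns 'route:<iface>', 'dial' (packet held, line dialed) or 'drop'."""
        iface = self.lookup(pkt.dst)
        if iface is not None:
            return f"route:{iface}"
        # No route at all: with no default gateway this is Internet traffic.
        if not self.demand_dial_enabled or not self.may_trigger_dial(pkt):
            return "drop"  # the OS would answer with a destination-unreachable message
        self.dial()        # the held packet then leaves via the new default route
        return "dial"


if __name__ == "__main__":
    # Constructed walk-through: LAN 192.168.1.0/24 on eth0, no default gateway.
    r = DemandDialRouter([("192.168.1.0/24", "eth0")])
    print(r.forward(Packet("198.51.100.10", "icmp")))                 # drop
    print(r.forward(Packet("198.51.100.10", "tcp", 80, syn=True)))    # dial
    print(r.forward(Packet("198.51.100.10", "icmp")))                 # route:ppp0
    # Misconfiguration from Note 1: a default gateway on eth0 hides the line.
    bad = DemandDialRouter([("192.168.1.0/24", "eth0"), ("0.0.0.0/0", "eth0")])
    print(bad.forward(Packet("198.51.100.10", "tcp", 80, syn=True)), bad.line_up)
```

The second router in the walk-through is the failure case from Note 1: because a default route via eth0 already exists, every Internet packet matches it and the line is never dialed, exactly the "link stays hung up" symptom the chapter opens with.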

Technical Peculiarities and Limitations

Demand dialing has its peculiarities and limitations. These should be considered especially when designing and configuring the network that will use WinRoute for its connection and the dial-up link to the Internet.

  1. Demand dial cannot be performed directly from the host where WinRoute is installed, because it is initiated by the WinRoute low-level driver. This driver holds packets and decides whether the line should be dialed or not. If the line is disconnected and a packet is sent from the local host to the Internet, the packet is dropped by the operating system before the WinRoute driver is able to capture it.

  2. In traffic between clients and an Internet server, the server is typically identified by its DNS name. Therefore, the first packet a client sends is a DNS query intended to resolve the host name to an IP address.

    Consider the case where the DNS server is the WinRoute host (this is very common) and the Internet line is disconnected. A client's query to this DNS server is traffic within the local network and, therefore, does not result in dialing the line. If the DNS server does not have the appropriate entry in its cache, it must forward the query to another server on the Internet. That packet is sent to the Internet by the local DNS client running on the WinRoute host; as explained in the previous point, it cannot be held and does not cause the line to be dialed. The DNS query therefore cannot be answered and the traffic cannot continue.

    For this reason, the WinRoute DNS module dials the line automatically whenever it cannot answer a query itself. This feature is bound to on-demand dialing.

    Note: If the DNS server is located on another host within the local network, or if clients within the local network use a DNS server on the Internet, this limitation does not apply and dialing works. If the clients' DNS server is located on the Internet, the line is dialed upon a client's DNS query. If a local DNS server on another host is used, the line is dialed upon the query that this server sends to the Internet (the default gateway of the host running the DNS server must be set to the IP address of the WinRoute host).

  3. It follows from the previous point that if a DNS server is to run on the WinRoute host, it must be the DNS module, because only the DNS module can dial the line when necessary.

    If there is a domain based on Active Directory in the LAN (domain controller running Windows Server 2000/2003/2008), Microsoft DNS server must be used, because communication with Active Directory relies on special types of DNS requests. Microsoft DNS server does not support automatic dialing. Moreover, it cannot run on the same host as the DNS module, since both would bind to the same port.

    It follows that, if the Internet connection is to be available via dial-up, WinRoute cannot run on the same host as Windows Server with Active Directory and Microsoft DNS.

  4. If the DNS module is used, WinRoute can dial in response to a client's request if the following conditions are met:

    • The destination server must be specified by DNS name, so that the application generates a DNS query.

    • On each client's operating system, the primary DNS server must be set to the IP address of the firewall. In Windows, open the TCP/IP properties of the interface connected to the LAN and enter the IP address of the WinRoute host's LAN interface as the primary DNS server.

  5. The Proxy server in WinRoute (see chapter 8.4  Proxy server) can also dial the line directly. A special page providing information on the connection process is opened (the page is refreshed at short intervals). Upon a successful connection, the browser is redirected to the requested Website.

Unintentionally dialed link — application of on-demand dial rules

Demand dial functions may cause unintentional dialing. This is usually caused by DNS queries that the DNS module cannot answer itself, so it dials the line to forward them to another DNS server. The following causes are typical:

  • A user's host generates a DNS query while the user is absent. The traffic may originate from an active object on a locally opened HTML page or from the automatic update of an installed application.

  • The DNS module dials in response to queries for names of local hosts. Define DNS for the local domain properly (use the hosts system file on the WinRoute host; for details, see chapter 8.1  DNS module).

Note: Undesirable traffic causing unintentional dialing of a link can be blocked by WinRoute traffic rules (see chapter 7.3  Definition of Custom Traffic Rules). However, the best remedy is always to remove the cause (e.g. run an antivirus check on the corresponding workstation).

To avoid unintentional dialing based on DNS queries, WinRoute allows you to define rules specifying the DNS names for which the line may or may not be dialed. To define these rules, click Advanced in Configuration→ Interfaces (in the A Single Internet Link — Dial on Demand mode).

Figure 25.5. Dial on demand rules (for dialing based on DNS queries)

Either a full DNS name or only its beginning or end completed by an asterisk (*) can be specified in a rule. The asterisk stands for any number of characters.

Rules are ordered in a list which is processed from the top downwards (the order can be changed with the arrow buttons at the right side of the window). When the first rule matching the name is found, its action is executed and the search stops. DNS names for which no rule matches are dialed automatically by the DNS module when demanded.

In Actions for DNS name, you can select either the Dial or the Ignore option. Use Ignore to block dialing of the line in response to a query for the given DNS name. Because the first match wins, the Dial action can be used to build more specific rule combinations: for example, dialing can be permitted for one name within a domain and denied for all other names in that domain by placing the Dial rule for that name above the Ignore rule for the domain (see figure 25.5  Dial on demand rules (for dialing based on DNS queries)).

Dial of local DNS names

Local DNS names are names of hosts within the local domain written without the domain part.

Example:

The local domain's name is company.com. The host is called pc1. The full name of the host is pc1.company.com, whereas its local name in this domain is pc1.

Local names are usually stored in the database of the local DNS server (in this example, in the hosts file on the WinRoute host, which uses the DNS module). By default, the DNS module does not dial for these names: they are considered non-existent unless they can be found in the local DNS database.

If the primary server of the local domain is located outside the local network, the DNS module must also dial the line when queries for these names arrive. To enable this, activate the Enable dialing for local DNS names option in the Other settings tab (at the top of the Dial On Demand dialog window). In all other cases it is recommended to leave the option disabled, since otherwise the line can again be dialed undesirably.
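The rule processing just described (full name or one-sided asterisk patterns, first match from the top wins, Dial or Ignore, dial by default when nothing matches) and the local-name handling of this section can be reproduced as a small resolver-side decision function. The Python below is an added example written for this page, not the DNS module's code; the domain example.net, the hosts entries and the rule list are constructed. The matcher goes slightly beyond the manual in also accepting an asterisk in the middle of a name, and the order in which the local-name check and the rules are applied is an assumption. It also includes a check the manual does not mention but an administrator wants: a detector for rules that can never fire because a broader rule sits above them.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class DnsDialRule:
    pattern: str   # full name, or a beginning/end of a name completed by "*"
    action: str    # "dial" or "ignore"


def matches(pattern: str, name: str) -> bool:
    """True if the DNS name matches the rule pattern. "*" stands for any run of
    characters; the manual places it at the beginning or end of a name, and
    this helper also accepts a single "*" in the middle (an extension)."""
    p = pattern.lower().rstrip(".")
    n = name.lower().rstrip(".")
    if "*" not in p:
        return p == n
    head, _, tail = p.partition("*")
    return (len(n) >= len(head) + len(tail)
            and n.startswith(head) and n.endswith(tail))


def is_local_name(name: str) -> bool:
    """Local names are host names without a domain part (pc1, not pc1.company.com)."""
    return "." not in name.rstrip(".")


def decide(name: str, rules: List[DnsDialRule], local_db: Dict[str, str],
           dial_local_names: bool = False) -> str:
    """Return 'local' (answered from the local DNS database), 'ignore' (line
    stays down) or 'dial' (line is dialed to forward the query).
    Assumption: the local-name check runs before the rule list."""
    if name.lower().rstrip(".") in local_db:
        return "local"
    if is_local_name(name) and not dial_local_names:
        return "ignore"          # unknown local name: treated as non-existent
    for rule in rules:           # first matching rule wins, top to bottom
        if matches(rule.pattern, name):
            return rule.action
    return "dial"                # no rule matches: dialed on demand


def shadowed_rules(rules: List[DnsDialRule]) -> List[int]:
    """Indexes of rules that can never fire because an earlier rule matches
    every name they would match. This catches a 'dial' exception placed below
    the '*.domain' ignore rule it was meant to override."""
    result = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if "*" not in later.pattern:
                hit = matches(earlier.pattern, later.pattern)
            elif "*" in earlier.pattern:
                eh, _, et = earlier.pattern.lower().partition("*")
                lh, _, lt = later.pattern.lower().partition("*")
                hit = lh.startswith(eh) and lt.endswith(et)
            else:
                hit = False      # a full name never covers a wildcard
            if hit:
                result.append(i)
                break
    return result


# Constructed sample data: the hosts file of the WinRoute host and a rule list
# that permits dialing for one name in example.net and denies the rest.
LOCAL_DB: Dict[str, str] = {"pc1": "192.168.1.10", "pc1.company.com": "192.168.1.10"}
RULES: List[DnsDialRule] = [
    DnsDialRule("www.example.net", "dial"),
    DnsDialRule("*.example.net", "ignore"),
]

if __name__ == "__main__":
    for q in ["www.example.net", "ftp.example.net", "pc1", "pc2", "www.kerio.example"]:
        print(f"{q:20} -> {decide(q, RULES, LOCAL_DB)}")
    print("shadowed in reversed list:", shadowed_rules(list(reversed(RULES))))
```

Running shadowed_rules over a rule list before saving it is the cheap guard against the ordering mistake the figure illustrates: if the Ignore rule for *.example.net is moved above the Dial rule for www.example.net, the Dial rule is reported as unreachable and, as decide() shows, the name is silently ignored instead of dialed.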