Internet Connection Sharing Registry Settings (Compact 2013)

3/26/2014

The following table shows the named values for the HKEY_LOCAL_MACHINE\Comm\ConnectionSharing registry key that you can use to configure ICS.

A device on the network might sometimes require complete and unblocked access to the network. Granting this access can be accomplished by designating that particular device as an internal exposed IPv4 host, effectively routing all unknown traffic to the device. This capability is important for handling new and unknown scenarios, and also allows a number of multiplayer gaming scenarios.

To support applications that do not work through NAT because of unsolicited IPv4 traffic from the public network, this setting allows one host on the internal network to forward all traffic that does not correlate to an existing address mapping.

Note:
The internal exposed host does not guarantee correct functionality of all classes of applications through the NAT. For example, if an application embeds addressing information in the data stream, the application may not work correctly through translation, because only protocol headers are translated.
Note:
Also, you should use an internal exposed host with caution, because designating an internal exposed host removes the security provided by the NAT for the specified host.

As the IPv4 gateway device receives packets that are destined for devices on the network, NAT consults the existing port mappings and replaces the IPv4 address and port information for the public network with the corresponding IPv4 address and port information for the network. This process allows a packet to pass through the NAT from the Internet to the network only if a mapping is already established, unless you have designated an internal exposed host.

You can easily configure the gateway to prevent applications on the gateway device that runs NAT from receiving unknown traffic, thus providing minimal packet filtering capabilities. This Internet packet filter provides the gateway device with the same protection from many types of Internet network security threats that NAT provides to devices on the network, while providing users a rich browsing, collaboration, and game-playing experience.

Users that take advantage of the packet filter have some protection from hackers who try to scan their systems or connect to their resources. In exchange, users that take advantage of the packet filter trade away the capability to easily configure their systems as servers to others across the Internet.

Note:
Unlike IPv4, IPv6 does not use the network address translation (NAT) functionality to connect to the external network.
Note:
To avoid exposing internal devices directly on the external public network, you must configure the IP firewall on the gateway.

Note:
The default registry values vary depending on which Catalog items are included in your OS design.

Value : type

Description

DHCPLeaseTime : REG_DWORD

Default setting is 0xA. The valid range for this value is 0x1 to 0xFFFFFFFF.

Specifies the lease time in minutes offered by the DHCP allocator.

DhcpAllocationStartRange : DWORD

Indicates the lowest IP address in a range of addresses that the DHCP Allocator will assign. This value should not contain subnet information. It should contain only the least-significant bits in the IP address range.

If no value is specified, the DHCP Allocator assigns IP addresses across the entire subnet range of the private interface.

DhcpAllocationEndRange : DWORD

Indicates the highest IP address in a specified range of addresses that the DHCP Allocator will assign. This value should not contain subnet information. It should contain only the least-significant bits in the IP address range.

In this example, a gateway has a private interface address 192.168.0.1 and a subnet mask of 255.255.255.0. For the allocator to assign addresses in a range from 192.168.0.100 to 192.168.0.200, you would set the DhcpAllocationStartRange to equal 100 and DhcpAllocationEndRange to equal 200. Because the subnet is not used, if the IP address of the private interface changes to 169.254.1.2, you would not need to change these values.

If no value is specified, the DHCP Allocator assigns IP addresses across the entire subnet range of the private interface.

EnableAddressTranslation : REG_DWORD

Default setting is zero (0), or FALSE.

Specifies whether NAT is enabled. The valid range for this value is 0 to 0xFFFFFFFF. A non-zero value enables NAT on the public interface specified in the PublicInterface subkey. A value of 0 specifies that NAT is not enabled.

To use NAT, the HKEY_LOCAL_MACHINE\Comm\Tcpip\Parms\IpEnableRouter registry value must also be non-zero.

EnableDhcpAllocator : REG_DWORD

Default setting is zero (0), or FALSE.

Specifies whether the DHCP allocator is enabled. The valid range for this value is 0 to 0xFFFFFFFF. A non-zero value enables the DHCP allocator on the private interface specified in the PrivateInterface subkey. A value of 0 specifies that the DHCP allocator is not enabled.

EnableDnsProxy : REG_DWORD

Default setting is zero (0), or FALSE.

Specifies whether DNS proxy is enabled. A non-zero value enables DNS proxy on the private interface specified in the PrivateInterface subkey. A value of 0 specifies that DNS proxy is not enabled.

EnablePacketFiltering : REG_DWORD

Specifies whether the packet filter is enabled. The valid range for this value is 0 to 0xFFFFFFFF. A non-zero value enables the packet filter. A value of 0 specifies that the packet filter is not enabled.

Security Note:
This subkey enables filtering in the NAT driver to help block unsolicited connections over the public network interface. Connections originating on the local network and connections mapped through the Network Address Translator are unaffected by this subkey.
Note:
IPv6 routing does not apply a packet filter in a gateway device. Instead, all traffic is routed directly to the target device. To avoid exposing internal devices directly on the external public network, you must configure the IP firewall on the gateway.

InternalExposedHost : REG_SZ

Specifies the IP address of the device on the network that you want to expose to the Internet.

Security Note:
Setting this value routes unknown traffic to the device. This value can be any valid IP address. This allows you to configure a gateway device to transfer unsolicited traffic to a certain IP address on the other side of the network.

PrivateInterface : REG_MULTI_SZ

Specifies a list of names of the NDIS adapter instances for the private interfaces, for example, Ne20002. This value can be a list of names either of valid NDIS adapters or of valid dial-up networking connectoids.

If the list contains multiple private interfaces, those interfaces must all have the same subnet value in their IP addresses. For example, if PrivateInterface equals "Ne20001";"Ne20002" and the Ne20001 interface has an IP address of 169.254.0.1, the Ne20002 interface can have an IP address of 169.254.0.2, but not 192.168.0.1.

PublicInterface : REG_MULTI_SZ

Specifies the name of the NDIS adapter instance for each public network interface. The following list shows the possible values:

  • The name of a valid NDIS adapter for the public network interface, for example, NE20001.
  • The name of a valid dial-up networking connection. For dial-up connections, use the name of the RAS connection.

PublicInterface : REG_SZ

(optional) If this value is not present, the port mapping is applied to the primary public interface only.

If this value is present, the port mapping is restricted to the specified public interface. The following list shows the possible values:

  • The name of a valid NDIS adapter for the public network interface, for example, NE20001.
  • The name of a valid dial-up networking connection. For dial-up connections, use the name of the RAS connection.
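
The following configuration audit is an added example, not part of the original documentation or Microsoft's code. It parses a constructed .reg-style fragment (the file syntax, the sample values and the function names are assumptions) and flags the settings described above that weaken or break the gateway's NAT protection: NAT enabled without IpEnableRouter, the packet filter explicitly disabled, an InternalExposedHost entry, and an inverted DHCP allocation range.

```python
import ipaddress
import re
# Constructed sample in .reg-file syntax (assumption: dword values are hexadecimal).
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\Comm\ConnectionSharing]
"EnableAddressTranslation"=dword:1
"EnablePacketFiltering"=dword:0
"InternalExposedHost"="192.168.0.50"
"DhcpAllocationStartRange"=dword:C8
"DhcpAllocationEndRange"=dword:64
[HKEY_LOCAL_MACHINE\Comm\Tcpip\Parms]
"IpEnableRouter"=dword:0
'''
ICS = r"HKEY_LOCAL_MACHINE\Comm\ConnectionSharing"
TCPIP = r"HKEY_LOCAL_MACHINE\Comm\Tcpip\Parms"
VALUE_RE = re.compile(r'"([^"]+)"=(?:dword:([0-9A-Fa-f]+)|"(.*)")$')

def parse_reg(text):
    """Return {key_path: {value_name: int or str}} for dword and string values."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := VALUE_RE.match(line)):
            current[m[1]] = int(m[2], 16) if m[2] is not None else m[3]
    return keys

def audit(text):
    """Flag settings whose documented effect weakens or breaks NAT protection."""
    keys = parse_reg(text)
    ics, tcpip = keys.get(ICS, {}), keys.get(TCPIP, {})
    findings = []
    if ics.get("EnableAddressTranslation", 0) and not tcpip.get("IpEnableRouter", 0):
        findings.append("NAT is enabled but IpEnableRouter is zero or absent")
    if ics.get("EnablePacketFiltering") == 0:
        findings.append("packet filter is explicitly disabled")
    host = ics.get("InternalExposedHost")
    if host:
        try:
            ipaddress.ip_address(host)
            findings.append(f"InternalExposedHost set: unknown traffic goes to {host}")
        except ValueError:
            findings.append(f"InternalExposedHost is not a valid IP address: {host!r}")
    start, end = ics.get("DhcpAllocationStartRange"), ics.get("DhcpAllocationEndRange")
    if start is not None and end is not None and start > end:
        findings.append(f"DHCP allocation start {start} exceeds end {end}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_REG)))
```

Because the page states that defaults vary with the Catalog items in the OS design, the audit only reports EnablePacketFiltering when it is explicitly set to 0; an absent value needs to be checked against the built image.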