Running another operating system on a Mac

This content is 19 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

Since Apple switched to using Intel processors for certain Macintosh models, I’ve been excited by the possibility of running Windows on a Mac. Some say it’s sacrilege. I say it’s sensible. I love the Apple hardware, but am not a fan of the software, which (in my opinion) is proprietary and expensive. I also know Windows very well (including how to keep it secure). Ideally, I’d have a Mac Mini, dual-booting a major Linux distribution and Windows XP.

There have been various reports of people who have managed to write an EFI boot loader for Windows on a “MacIntel”, as well as reports of those who have turned their systems into an unbootable and unsupported heap of PC components in the process; but Apple provided me with a nice birthday present earlier this month by announcing Boot Camp – software to allow dual-booting of OS X and Windows XP, including driver support.

I’m not quite ready to switch yet – Boot Camp is still a beta and the final release will be included in the next version of OS X (meaning I’ll have to shell out another wad of cash to upgrade to OS X Leopard before I can use a release version of the Boot Camp technology). I’m also wary of first generation MacIntel hardware and would like to see support for Windows XP Media Center Edition, so guess I’ll be watching this space for a little longer.

In the meantime, these links provide really useful information on the progress of Windows on a Mac:

For Mac users who fancy using Linux, there are some PowerPC Linux distros (like Yellow Dog Linux) and if you’re not convinced as to why you might want to use them (after all, isn’t OS X just another Unix operating system anyway?) I recommend Giles Turnbull’s article entitled why install Linux on your Mac? Then there’s the Mactel-Linux project to adapt Linux to MacIntel hardware as well as reports that Red Hat plan to include Intel-based Mac support in Fedora and a variety of sites claiming to have other distros working too. Whilst it sounds a bit of a mess (chain-loading LILO via NTLDR), there’s also a triple-boot solution (OS X/XP/Linux) using Boot Camp (from the OnMac guys).

Finally, for those who want to play this the other way around and run OS X on a PC, there’s the OSx86 project.

Deleting files with CRC errors in Windows XP

I just fixed a little problem on my Windows XP laptop… I had a file which I could not delete (even after a reboot) and each time I tried, the error returned was:

Cannot delete filename: Data Error (Cyclic Redundancy Check)

Various Internet sites suggested rebooting in safe mode and removing the file – that didn’t work but chkdsk /r located the bad disk sectors and recovered the data. Once this was complete, I successfully removed the file.

If you have to do this, be ready for the chkdsk process to take a while.

Restoring the Windows XP master boot record after removing Linux

A few weeks back, I blogged about my problems installing Linux on an IBM ThinkPad. Because I’d like to get the Access IBM predesktop area back (and then install Linux so the system will dual-boot with Windows XP), I used the recovery CDs that IBM sent me (free of charge as the system is under warranty).

Initially, recovery failed due to a lack of free space, so I deleted the existing partition (using an MS-DOS boot disk and fdisk) before attempting recovery once more. This time the files were copied to the hard disk but after rebooting, I was greeted with a GRUB error:

GRUB Loading stage1.5…

GRUB loading, please wait…
Error 22

GRUB error 22 means “no such partition” – basically I needed to restore the Windows XP master boot record.

To access this, I booted the system from a Windows XP CD, waited for files to be loaded into memory, then selected R for recovery console, selected my Windows XP installation and entered the administrator password.

Once inside the Windows XP recovery console, I tried the fixboot command. This didn’t seem to make any difference on reboot, so I tried again with fixmbr. After another reboot, Windows XP was up and running (some Internet sites suggest fdisk /mbr but that’s not a recovery console command under Windows XP).

Unfortunately I still haven’t managed to restore the Access IBM predesktop area (all IBM say is “it should have been restored by the restore CDs”) – if I ever manage to resolve that one, I’ll post the results here.

How to (radically) change the Windows XP graphical user interface

Earlier today, I saw one of my colleagues running what looked like the new Windows Vista graphical user interface on his Windows XP PC and it turned out to be one of the many visual enhancements available from CrystalXP.Net. I haven’t installed any of them yet, but may well give them a go soon as it looks like there’s some really impressive Windows interface customisation available, along with artwork based on Tux the Linux penguin and other mascots.

Windows XP service pack 3 delayed until after Windows Vista

We all know that Microsoft will have to pull out all the stops if they are going to meet their target of shipping the much hyped and severely delayed Windows Vista this calendar year. Well, it seems that desire to get a new version of Windows out is at the expense of existing Windows XP customers and Windows XP service pack 3 will not be here until late 2007 – that’s a full 3 years after service pack 2 was released.

As reported by Paul Thurrott in his Windows IT Pro magazine network WinInfo Daily Update, Microsoft’s Windows service pack roadmap states that service pack 3 for Windows XP Home/Professional Editions is currently planned for the second half of 2007 (preliminary date). Service pack 2 for Windows Server 2003 is still shown for the second half of this year (maybe Microsoft views server customers as more critical to its continued growth?).

That means that, based on the current published schedules (which I will concede are not always the most reliable source of information), Windows Vista will be here before the next Windows XP service pack! I know that Microsoft is disappointed at Windows XP service pack 2 adoption rates but for those of us who did get with the program, what happened to regular service pack releases? The fully-patched Windows XP machine on which I’m writing this post already has no less than 50 post-SP2 hotfixes, updates and security updates for Windows XP installed so how many more do I have to install before they get rolled up into a service pack?!!

Securing your Windows computer with syskey

At an event a few weeks back, Steve Lamb mentioned using the syskey utility to secure a Windows system. Even though it’s a standard Windows utility, I’d never heard of it before and Steve has now written about syskey on his blog, along with a follow up post on storing the keys on a USB token (think of it as a kind of ignition key for a Windows computer).

Wireless security and secure remote access

Last night, I attended Steve Lamb’s Microsoft TechNet UK briefing on wireless security and secure remote access. I won’t repeat the entire content here, because Steve has an article in the November/December issue of Microsoft TechNet magazine, entitled improve your web security with encryption and firewall technologies, which, when combined with Kathryn Tewson and Steve Riley’s security watch: a guide to wireless security article, just about covers the content of the event. Having said that, there were a few more snippets that came out during the presentation, which I’ve plagiarised (and extended) in the rest of this post…

Wireless Security

Anyone who needs to secure a Wireless network at home should check out Steve Lamb’s blogcast on securing a wireless router and Windows XP and, although I’ve already linked it above, I’ll repeat that Kathryn Tewson and Steve Riley’s security watch: a guide to wireless security article is also worth a read. Further information is also available on the Microsoft website.

Some additional notes that I took during Steve’s presentation were that:

  • Wireless network keys can be stored on a USB token.
  • Wired equivalent privacy (WEP) is often considered insecure but consider the name – the equivalency part indicates that it offers the same level of security as a wired network. (Yes, it can be broken into, but so can a wired network with public access to the building.) Wi-Fi Protected Access (WPA) (or preferably WPA2) is better and dynamic WEP is a half-way house, but whatever security is employed, the wireless network still needs to be easy to use.
  • There are sites on the ‘net that will show you how to break a wireless (or other) connection (if you think it’s irresponsible of me to link that site, you could also find it using a search engine, so I figure that it’s better that the methods are well known, than only being known by the bad guys).
  • Contrary to popular belief, there is no point in securing the SSID for a network as it is transmitted unencrypted (even on a network secured with WPA or WPA2). Ditto for media access control (MAC) addresses, which are easily spoofed.
  • Even WPA doesn’t do anything to prevent a denial of service (DoS) attack and WPA2 (802.11i) doesn’t stop all DoS attacks.
  • 802.1x is port-based authentication and applies equally to both wired and wireless networks. It does have weaknesses, including that it will only authenticate the initial connection. In a wireless configuration, man-in-the-middle (MitM) attacks can be guarded against by requiring the WAP to identify itself using certificates (using a group policy object).
  • WEP requires Windows XP. WPA requires Windows XP SP1, WPA2 requires Windows XP SP2 and a hotfix (see Microsoft knowledge base article 893357).
  • The Windows 2000 Internet authentication service (IAS) can be used as the RADIUS server component in a secure wireless deployment; however Windows Server 2003 supports auto-enrolment (which when used for computer and user certificates will make life much easier).
  • Windows XP will (by default) allow access to its nearest access point, even if it is not secure.
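
To illustrate the point above that the SSID and MAC addresses are sent unencrypted even on a WPA or WPA2 network, here is an added example (not from the original post or from Steve's presentation) that parses an 802.11 beacon frame. The sample frame, its SSID and its MAC address are constructed for the example.

```python
import struct

MGMT_HEADER_LEN = 24   # frame control, duration, 3 addresses, sequence control
FIXED_FIELDS_LEN = 12  # timestamp (8), beacon interval (2), capabilities (2)
SUBTYPES = {5: "probe-response", 8: "beacon"}


def mac(raw):
    """Format six raw bytes as a colon-separated MAC address."""
    return ":".join(f"{b:02x}" for b in raw)


def parse_elements(body):
    """Yield (element id, value) pairs; stop cleanly on a truncated element."""
    pos = 0
    while pos + 2 <= len(body):
        eid, length = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + length]
        if len(value) < length:
            break
        yield eid, value
        pos += 2 + length


def inspect_frame(frame):
    """Report what any listener in range can read from a beacon/probe response."""
    if len(frame) < MGMT_HEADER_LEN + FIXED_FIELDS_LEN:
        raise ValueError("frame too short for a beacon/probe response")
    (fc,) = struct.unpack_from("<H", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype not in SUBTYPES:
        raise ValueError("not a beacon or probe response")
    (caps,) = struct.unpack_from("<H", frame, MGMT_HEADER_LEN + 10)
    info = {
        "kind": SUBTYPES[subtype],
        "frame_encrypted": bool(fc & 0x4000),            # Protected Frame bit
        "source_mac": mac(frame[10:16]),
        "bssid": mac(frame[16:22]),
        "network_uses_encryption": bool(caps & 0x0010),  # Privacy bit
        "ssid": None,
        "wpa2_rsn": False,
    }
    elements = frame[MGMT_HEADER_LEN + FIXED_FIELDS_LEN:]
    for eid, value in parse_elements(elements):
        if eid == 0:        # SSID element
            info["ssid"] = value.decode("utf-8", "replace")
        elif eid == 48:     # RSN element, advertised by WPA2 networks
            info["wpa2_rsn"] = True
    return info


def sample_beacon():
    """Constructed beacon for a WPA2 network; every value here is made up."""
    bssid = bytes.fromhex("020000aabbcc")        # locally administered MAC
    header = struct.pack("<HH", 0x0080, 0) + b"\xff" * 6 + bssid + bssid
    header += struct.pack("<H", 0)               # sequence control
    fixed = struct.pack("<QHH", 0, 100, 0x0011)  # ESS + Privacy capability bits
    ssid = b"example-home"
    # RSN: version 1, CCMP group and pairwise ciphers, PSK key management.
    rsn = bytes.fromhex("0100" "000fac04" "0100" "000fac04"
                        "0100" "000fac02" "0000")
    elements = bytes([0, len(ssid)]) + ssid + bytes([48, len(rsn)]) + rsn
    return header + fixed + elements


if __name__ == "__main__":
    for key, value in inspect_frame(sample_beacon()).items():
        print(f"{key:24} {value}")
```

The network advertises encryption (Privacy bit and RSN element), yet the frame that carries the SSID and BSSID is itself unprotected, which is why neither works as an access control.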

Very importantly – if (like I did), you think that your wireless network (e.g. at home) doesn’t need to be secured because there’s no data of value to be had and anyway, you have bandwidth to spare which you don’t mind your neighbours using, consider the implications of someone using your wireless network to access the Internet and perform illegal activities, which your ISP can trace back to you via your IP address. Having thought about that, I’ll be buying a new wireless access point very soon.

Secure Remote Access

Microsoft are positioning virtual private networking (VPN) technology as no longer the best solution for providing corporate remote access and I tend to agree. The idea of giving an untrusted computer an IP address from the internal network fills me with fear (unless some quarantining is in place). VPNs “blur” the network edge and anyway, do remote users need full network access? I’ve often accidentally printed a document in the office whilst working at home and then had to ask a colleague to retrieve and dispose of it for me (wasting paper, printer resources and somebody else’s time). Some solutions will use VLAN technology to limit the network access for VPN users – there are other methods too, especially when considering that 90% of VPN users only really want to read their e-mail. For example, Outlook Web Access, whilst having improved its interface capabilities dramatically with each new release, is still not really a great solution for access from outside the corporate firewall (it’s good for allowing users to access mail without setting up a MAPI profile, but is heavily reliant on ActiveX controls, which may not be allowed in an Internet cafe, and is also a risk if the remote client has a keylogger installed) – full client Outlook using HTTPS over RPC on a notebook/tablet PC is a far better option – totally transparent from an end user perspective (although still a problem if access is required if an e-mail links back to internal resources to retrieve a document).

Steve Lamb’s TechNet magazine article (and my previous post on securing the network using Microsoft ISA Server 2004) elaborate on the need for application layer firewalling rather than blindly allowing HTTP and HTTPS traffic through the firewalls. Other measures employed include pre-authentication and URL scanning.

SSL VPNs are another method of providing remote access (even though they are not really VPNs, but are actually just remote desktops in a browser). Windows Terminal Services can provide basic SSL VPN functionality, which can also be extended with products from Citrix.

Operating over the remote desktop protocol (RDP), which is based on the International Telecommunications Union (ITU) T.120 protocol family and is therefore independent of network and transport protocols, these solutions use compression and caching to reduce bandwidth requirements and support network load balancing. Windows Server 2003 brings a number of terminal services enhancements (over Windows 2000) including:

  • Connection to the console session (in remote administration mode).
  • Control of RDP options via group policy.
  • WMI provider for scripted terminal services configuration.
  • ADSI provider for access to per-user terminal services profiles.
  • Improvements to the terminal server manager MMC snap-in (reduced automatic server enumeration).
  • Ability to limit users to a single session.
  • Improved security:
    • Remote Desktop Users security group (which can be used in place of the Everyone group to fine tune access control).
    • 128-bit RC4 encryption.

Securing terminal services comes back to the well-known principle of defence in depth:

  • A physically secure terminal services server.
  • A secure operating system configuration.
  • A secure terminal services configuration.
  • Network path security.
  • Using the registry to fine-tune control over terminal server sessions (probably overkill, but using group policy to control access is a similar principle).

Using the remote desktop web connection ActiveX control, terminal services can be provided across the web (and optionally secured using HTTPS). The initial client contact is to http(s)://servername/tsweb/ and the ActiveX control is downloaded over HTTP (TCP port 80) or HTTPS (TCP port 443). Once the browser has the ActiveX control installed, the user can connect to the terminal server over TCP port 3389.

If full VPN access is still required (and hopefully the methods above will avoid the requirement for this), then VPN server placement must be carefully considered. Running an encrypted PPTP or L2TP+IPSec VPN connection through a standard packet filtering firewall effectively bypasses the firewall as the VPN port will be open on internal and external firewalls and the traffic inside the connection will not be inspected.

Most network administrators will be alarmed if you propose the installation of ISA Server as the corporate firewall even though ISA Server 2004 has now achieved common criteria evaluation assurance level 4+. ISA Server 2004 is a perfectly good firewall (assuming that the underlying Windows platform is also well-managed), but it will probably be easier to justify to network administrators by using ISA as an additional server in the DMZ, or as the inner firewall (between the DMZ and the internal network). This way, the encrypted connection can be terminated at the ISA server and the firewall can inspect the inbound traffic.

Finally, if a VPN connection must be used to extend the corporate network to remote clients, then network quarantine controls should also be put in place. Full network access protection (NAP) is expected with the next version of Windows Server (codenamed Longhorn) but even now, Windows Server 2003 SP1 routing and remote access service (RRAS) allows for the provision of network access quarantine control for remote clients. The current Microsoft implementation involves using the connection manager administration kit (CMAK) to construct a custom RRAS client which includes a number of post-connection actions. Until these are passed, then vendor-specific options remain in place which prevent the remote VPN client from accessing the network. Unfortunately it is also possible for a technically able user to spoof the message which allows the vendor-specific attributes to be removed, but in reality this is a small risk. Microsoft’s NAP and Cisco’s network access control (NAC) will make this far more effective, extending the scope of control to include wired and wireless clients (as well as VPN clients).

Using ADS to deploy Windows XP

One of the main reasons for needing to SysPrep my Windows XP installation was that I wanted to see if it is possible to use Microsoft Automated Deployment Services (ADS) to deploy Windows XP.

Microsoft has a plethora of deployment solutions and the main one for workstation deployment is the solution accelerator for business desktop deployment (BDD); however the enterprise edition of this relies on the use of Microsoft Systems Management Server (SMS) and the standard edition requires third-party imaging tools.

Microsoft Remote Installation Services (RIS) is a perfectly good PXE boot server included within Windows 2000 Server and Windows Server 2003 but what I like about ADS is that it uses PXE to boot a miniature version of Windows Server 2003 (not Windows PE) called the ADS deployment agent (DA), which allows control from the server end. Using this technology, sequences can be built up to powerful jobs that control most aspects of a server build and I wanted to do this with a Windows XP workstation build.

The official line from Microsoft is that ADS is not supported for Windows 2000 Professional or Windows XP. Microsoft states that it is not possible to use ADS to deploy Windows XP or Windows 2000 Professional because:

“In addition to licensing constraints, the design of ADS is limited to servers as follows:

  • There is no ability to migrate user state, thus all user information is lost when a new image is applied.
  • ADS is designed to run on server-class hardware and cannot handle the diversity of client hardware.
  • ADS deploys images using a ‘push’ method and does not allow users or staff to initiate a deployment from the client computer.
  • Clients often exist behind slow links and ADS is designed to operate over a well-connected network.”

But ADS works with Windows 2000 Server and Windows Server 2003 (which is very similar to Windows XP in many ways) so I thought it must be possible. In addition, Windows Vista deployment will use Windows Deployment Services (WDS), and although I haven’t looked at WDS, the Windows Automated Installation Kit (WAIK) User’s Guide for Windows Code named “Longhorn” says that:

“WDS enables companies to remotely administer and deploy the latest operating system, using Windows PE and WDS Server. This deployment scenario can be fully unattended, and is customizable and scalable. [WDS] replaces the existing Remote Installation Services (RIS) deployment technology.”

(that sounds like a development of ADS to me!)

One of my ex-colleagues at Conchango pointed me to Paul Edlund’s blog post on using ADS with Windows XP.

This gives advice on SysPrepping the source machine to dump all of the plug and play IDs into the sysprep.inf file (thus avoiding issues with the variety of client hardware).

Quoting from Paul’s article (with minor edits for flow and grammar):

“This allows you to take an image from one machine and use it on a different desktop (assuming the HAL is the same). To perform this step, create a blank sysprep.inf file in the same directory as sysprep.exe. Now open the sysprep.inf file and add the following text to the first line of the file:

[SysprepMassStorage]

Without this tag in the file, SysPrep will run but it won’t put anything in the file (so you can’t forget this). Now save and close sysprep.inf and run sysprep -bmsd. This will dump all of the plug and play IDs from the driver.cab file into the sysprep.inf file. These IDs are used to populate the critical devices database in the registry.

Now copy the contents of the [SysprepMassStorage] section and paste it into the actual sysprep.inf file you want to use from the ADS sysprep.inf templates. The problem is that you will now have populated a huge number of entries in the critical devices database which means that every time your XP machine tries to start, it will try to load each of these drivers, resulting in a very long startup time. So to stop this from happening, add the -clean switch when running SysPrep.”

The SysPrep syntax which Paul gives for the next step didn’t work for me, but I ran sysprep -clean followed by sysprep -reseal -mini -pnp -reboot (although I think the last switch should have been -noreboot as my source computer booted into the mini-setup wizard after SysPrep had completed and I really wanted it to shut down).

There’s some more information in Paul’s article about the various SysPrep switches and the need for a blank administrator password on the source PC (Microsoft knowledge base article 302577 details the usage of SysPrep including the various command line switches).

Screen shot with the ADS deployment in progress

Using Paul’s article, combined with the information in the ADS quick start guide (part of the ADS installation), I was able to successfully capture and deploy a Windows XP image in a Virtual Server environment although there were a couple of gotchas (two of which are related to my use of a virtual environment):

  • Because I’d already SysPrepped the source PC, I couldn’t use the supplied capture-image.xml sequence without editing it to drop the first step (actually I just used the boot-to-da.xml sequence and a one-time job to run the /imaging/imgbmdeploy.exe command with the imagename \device\harddisk0\partition1 "description" -c -client parameters).
  • Also, my use of dynamically expanding virtual disks in Virtual Server meant that the volume size was recorded by ADS as 17166127104 bytes and so I had to use the ADS sequence editor to edit the parameters in the da-deploy-image-wg.xml sequence to use /C:16371 before the deployment was successful.
  • Finally, as the current version of Virtual Server doesn’t include PXE boot capabilities, I needed to use a virtual floppy disk with the contents of the RIS boot floppy (for details, see my earlier post on trials and tribulations with RIS, although Roudy Bob’s virtual RIS boot disk has moved so the link in my original post seems to be broken).

It’s also worth noting that because I was using Virtual Server, all of my hardware was standard. I’d be interested to hear how anybody gets on with this using a variety of physical workstations, but I didn’t have the time or resources to take the experiment that far.

To summarise, capturing and deploying Windows XP using ADS works, but it is not supported by Microsoft. It’s still something to think about if you’re willing to take that risk (I’m not prepared to risk an unsupported solution on my current project with 16,000 workstations spread across hundreds of sites) but if nothing else it’s a good way to spend some time familiarising yourself with SysPrep and ADS.

SysPrep fails on a Windows XP SP2 installation without file and printer sharing enabled

I’m trying out some workstation deployment scenarios right now and need to use the Microsoft System Preparation Tool (SysPrep) to prepare my Windows XP SP2 build for imaging. The trouble is that SysPrep was refusing to play ball, reporting the following error message:

There is an incompatibility between this tool and the current operating system. Unable to continue.

Although there are other tools available for changing workstation SIDs, like Sysinternals NewSID, SysPrep is the only one supported by Microsoft.

I was using the version from the deploy.cab file on the Windows XP SP2 CD (dated 4 August 2004, 13:00), so I thought that a later version may be available but Microsoft knowledge base article 838080 links to an identical set of deployment tools and even indicates that the version on the SP2 CD is current.

It turns out that because the latest version of SysPrep can be used for either Windows XP or Windows Server 2003, it asks the Server service which operating system it is running on. If the server service is not running (e.g. if the File and Print Sharing for Microsoft Networks service is not installed), this fails.

The workaround is to install the File and Print Sharing for Microsoft Networks service, start SysPrep, and then uninstall the File and Print Sharing for Microsoft Networks service whilst SysPrep is working. I found the answer on the Microsoft Software Forum Network Unattended Windows board, but I’m amazed there is not a Microsoft knowledge base article on this.

Setting up IP forwarding on a Windows network

My network at home has two subnets joined by a wireless link (note that the IP addresses have been changed to protect the innocent):

[Network diagram: IP forwarding]

You might wonder why it doesn’t all sit under my desk (after all we’re not talking about a multinational corporation here) but the simple fact is that most of my kit has been procured from an eclectic mix of sources over the years (so it is hardly what you might call standard) and the server (on which I do a lot of testing) is a noisy beast, as is the 24-port switch that it’s plugged into – hence the reason they are stored away in the basement.

The trouble with this configuration is that the dual-homed PC which acts as a bridge between the wired and wireless segments in the basement is exactly that – dual-homed – i.e. it needs the 802.3 adapter to be on one subnet and the 802.11b adapter to be on another (otherwise this could all have been on one flat subnet). That means that it also needs to be able to route traffic to and from each subnet, otherwise the server is invisible to the rest of the network (and vice versa).

That’s where IP forwarding comes in (aka IP masquerading in Linux-speak).

Disabled by default in Windows 2000, XP and Server 2003, IP forwarding basically allows a dual-homed host to act as a network bridge. Microsoft knowledge base article 323339 details the registry setting to enable this on Windows Server 2003 – there are other articles for Windows 2000 and XP but they are pretty much identical.

There are, however, a couple of important points to note:

  • Only one interface should have a default gateway. In my case, the default gateway for the bridge’s wired connection is blank.
  • I also had to put a static route to 192.168.2.0/24 on my ADSL router using the IP address of the bridge’s wireless connection as a gateway (so that outbound traffic to the Internet from the 192.168.2.x network has a return path).

For comparison purposes, the routing table on my bridge (192.168.1.50/192.168.2.50) looks like this:

IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 08 02 xx xx xx ...... Intel(R) PRO/100 VM Network Connection
0x10004 ...00 80 c8 xx xx xx ...... D-Link AirPlus DWL-520+ Wireless PCI Adapter
===========================================================================
===========================================================================
Active Routes:
Network Destination  Netmask          Gateway        Interface      Metric
0.0.0.0              0.0.0.0          192.168.1.1    192.168.1.50   25
127.0.0.0            255.0.0.0        127.0.0.1      127.0.0.1      1
192.168.1.0          255.255.255.0    192.168.1.50   192.168.1.50   25
192.168.1.50         255.255.255.255  127.0.0.1      127.0.0.1      25
192.168.1.255        255.255.255.255  192.168.1.50   192.168.1.50   25
192.168.2.0          255.255.255.0    192.168.2.50   192.168.2.50   20
192.168.2.50         255.255.255.255  127.0.0.1      127.0.0.1      20
192.168.2.255        255.255.255.255  192.168.2.50   192.168.2.50   20
224.0.0.0            240.0.0.0        192.168.1.50   192.168.1.50   25
224.0.0.0            240.0.0.0        192.168.2.50   192.168.2.50   20
255.255.255.255      255.255.255.255  192.168.1.50   192.168.1.50   1
255.255.255.255      255.255.255.255  192.168.2.50   192.168.2.50   1
Default Gateway:     192.168.1.1
===========================================================================
Persistent Routes:
None

Whilst on the ADSL router it looks like this:

Network Destination  Netmask          NextHop            IF     Type      Origin
0.0.0.0              0.0.0.0          isprouter          ppp-0  Indirect  Dynamic
127.0.0.0            255.0.0.0        127.0.0.1          lo-0   Direct    Dynamic
192.168.1.0          255.255.255.0    192.168.1.1        eth-0  Direct    Dynamic
192.168.1.1          255.255.255.255  127.0.0.1          lo-0   Direct    Dynamic
192.168.2.0          255.255.255.0    192.168.1.50       eth-0  Indirect  Local
isprouter            255.255.255.255  mypublicipaddress  ppp-0  Direct    Dynamic
mypublicipaddress    255.255.255.255  127.0.0.1          lo-0   Direct    Dynamic
btrouter1            255.255.255.255  btrouter2          ppp-0  Direct    Dynamic

For the other LAN-connected devices, the important details are that for LAN 1 the default gateway is 192.168.1.1 and for LAN 2 the default gateway is 192.168.2.50.
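
The following added example (not part of the original post) replays the two routing tables above with a longest-prefix-match lookup to show why the bridge needs forwarding enabled and why the ADSL router needs the static route for a return path. The server address 192.168.2.10, the Internet address 203.0.113.7 and the node names are assumptions made for the example; the `forwarding` flag stands in for the registry setting the post refers to.

```python
import ipaddress

ON_LINK = "on-link"   # destination is directly attached; no gateway needed
WAN = "ppp-0"         # the ADSL router's WAN interface, as named in its table

# Route entries are (prefix, next hop, interface). Subnets and gateways come
# from the two tables in the post; host, loopback and multicast routes are
# omitted because they do not affect forwarding between the subnets.
BRIDGE_ROUTES = [
    ("0.0.0.0/0", "192.168.1.1", "192.168.1.50"),
    ("192.168.1.0/24", ON_LINK, "192.168.1.50"),
    ("192.168.2.0/24", ON_LINK, "192.168.2.50"),
]
ROUTER_ROUTES = [
    ("0.0.0.0/0", "isprouter", WAN),
    ("192.168.1.0/24", ON_LINK, "eth-0"),
    ("192.168.2.0/24", "192.168.1.50", "eth-0"),  # the static route
]
SERVER_ROUTES = [  # a LAN 2 host; 192.168.2.10 is a constructed address
    ("0.0.0.0/0", "192.168.2.50", "eth0"),
    ("192.168.2.0/24", ON_LINK, "eth0"),
]


def lookup(routes, dst):
    """Longest-prefix match; returns (next_hop, interface) or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return None if best is None else (best[1], best[2])


def default_gateways(routes):
    """Next hops of every default route; the post's advice is to have one."""
    return [next_hop for prefix, next_hop, _ in routes if prefix == "0.0.0.0/0"]


def build(forwarding=True, static_route=True):
    """Return the topology as {name: (addresses, routes, forwards)}."""
    router = [r for r in ROUTER_ROUTES
              if static_route or r[0] != "192.168.2.0/24"]
    return {
        "server": ({"192.168.2.10"}, SERVER_ROUTES, False),
        "bridge": ({"192.168.1.50", "192.168.2.50"}, BRIDGE_ROUTES, forwarding),
        "adsl": ({"192.168.1.1"}, router, True),
    }


def trace(nodes, start, dst, max_hops=8):
    """Follow a packet hop by hop; returns (path, outcome)."""
    path, here = [start], start
    for _ in range(max_hops):
        addrs, routes, forwards = nodes[here]
        if dst in addrs:
            return path, "delivered"
        if here != start and not forwards:
            return path, "dropped: forwarding disabled"
        hit = lookup(routes, dst)
        if hit is None:
            return path, "dropped: no route"
        next_hop, iface = hit
        if iface == WAN:
            return path + ["internet"], "sent to WAN"
        target = dst if next_hop == ON_LINK else next_hop
        owner = [n for n, (a, _, _) in nodes.items() if target in a]
        if not owner:
            return path, "dropped: next hop unreachable"
        here = owner[0]
        path.append(here)
    return path, "dropped: hop limit"


if __name__ == "__main__":
    for fwd, static in [(True, True), (True, False), (False, True)]:
        nodes = build(forwarding=fwd, static_route=static)
        print(f"forwarding={fwd} static_route={static}")
        print("  outbound:", trace(nodes, "server", "203.0.113.7"))
        print("  reply:   ", trace(nodes, "adsl", "192.168.2.10"))
```

Without the static route the router's only match for 192.168.2.10 is its default route, so the reply is sent back out of the WAN interface instead of to the bridge.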