Monday, December 31, 2007

Disabling SSID broadcasts and wireless MAC address filtering

With security I would always see the benefits in relations to the downsides. Some people think that you should "add" as much security as possible to gain the "highest" security. I kind of doubt that this simple math really applies to security and the actual level of security you have in a wireless network.

I think disabling SSID broadcasts just like the wireless MAC address filter list provides very little security and causes a lot of problems at best. Both are transmitted unencrypted. This means they are easily captured. Also remember even without the SSID broadcast the router will still send out the beacon signal which is used to measure the signal strength. The disabled broadcast will just change the SSID in the beacon to null. Depending on where you live this will still allow someone to quickly locate the presence of the router in your home.

Disabling SSID broadcasts is known to cause numerous problems with a variety of wireless cards. The wireless card must actively connect to the SSID to find out if it is there or not. On Windows XP with a longer list of preferred networks this can be power and time consuming task. On Vista you have to remember to configure the network correctly. Some cards have trouble connecting at all, loosing the connection at times, sometimes changing connections when another broadcast SSID in the list of preferred networks comes up.

The wireless MAC address filtering is quickly forgotten after the initial setup. Then, a year later people just did not remember that when they want to add another wireless device to their network.

In case you have two or more wireless access points/routers with which you could built a roaming wireless network that won't work with SSID broadcast disabled because wireless clients are not able to passively detect a stronger signal of the second access point. The current connection must get disconnected before the client can check for the presence of the other AP.

Thus disabling SSID broadcasts and the MAC filtering may prevent someone from accidentally connecting to your network but anyone who wants to attack your wireless network (or any teenager desperate to find wireless internet because parents try to limit internet access) will quickly find it. With WPA and a strong passphrase your network is well protected. Disabling the broadcast is like adding a tiny little fence in front of a huge wall protecting your home. It also "adds" security by adding another hurdle.

If someone tries to attack an WPA encrypted network this requires either a sophisticated attack which usually captures a lot of frames to analyze the encryption (that is how you can crack WEP) and sometimes even inject some frames. This kind of attack will immediately reveal the SSID and all you (active) wireless MAC addresses.

A dumber attack would be a simple brute-force or dictionary attack against the passphrase. But with a strong passphrase in place this will not succeed in any reasonable time.

On the other hand, with enabled SSID broadcasts anyone in your proximity can quickly scan the environment for other wireless networks which can give you an idea how much interference you have to expect when you set up a new access point. I think many tools for wireless also show the channel number of those wireless networks (Windows unfortunately does not do so) which will help you to choose a channel not so crowded even with a simple passive scan.

I think for disabling SSID broadcast and the wireless MAC address filter list the disadvantages by far outweigh the advantages. In particular the disabled SSID broadcast can cause all kinds of problems even if it may work well for many setups. And anyone who really wants to attack your network will find it anyway. If you have something to hide, disabling the SSID broadcast won't hide it from someone curious. But with WPA and a strong passphrase he won't succeed.

Wednesday, October 17, 2007

Securing your (wireless) router

If you have managed to configure your router successfully and know how to use the web interface of your router there are a few things you should always do to secure your router against intruders and others. Again: please do those changes only from a computer wired to the router and not through the wireless!

Change the default password of the router configuration
This password protects the web interface of the router. Anyone who knows this password and can get access to your router can make changes on the router configuration. Most routers use a fixed default password like "admin" or "password. Therefore it is usually a good idea to change this default password to a strong hard-to-guess password. You should also do this on a wired router even if you think no one will be able to (physically) access your router. One day you may run into some malware which is clever enough to configure some port forwarding on your router to be accessible from the internet. For this, the password is required. Thus, please change it!

The rest of this entry only applies to wireless routers (or access points in this respect).

Change the SSID (wireless network name) to something unique
Like the default password many wireless routers use a default wireless network name (SSID, e.g. "linksys" or "NETGEAR") and have no wireless security set up. You should change this to something unique, i.e. not used by any other wireless network in your proximity. Some routers use a part of their MAC address as SSID (e.g. "0DA53B4C". This would be O.K. as it is unique although certainly harder to remember and somewhat cryptic. The reason why it is important to have a unique SSID is to make sure that your computer will always connect to your wireless router and not to your neighbor's. This is always important even if you have wireless security enabled. Running the same SSID as somebody else may result in delays or disconnects on your wireless links because your laptop sometimes confuses the wireless router to which it is talking and gets disconnected until it finds back to your own router. Therefore: change the SSID to something unique. It is a good idea to scan your neighborhood with your laptop to see what SSIDs they use. Use a nickname or something like that for your SSID.

Enable wireless security.
Without wireless security all wireless transmissions are in plaintext. Anyone in your proximity can eavesdrop on you and find out which hosts you access, web sites you read and possibly even read your e-mails if you don't use an encrypted connection to your e-mail server. Without wireless security only connections using SSL (e.g. https websites, pop3s, or imaps mail servers) are secured. Nothing else. DNS host name resolution happens unencrypted thus anyone is able to see which hostnames you access and the IP addresses. Without wireless security it is extremely simple to setup a rogue wireless router with the same SSID as yours and with a little bit boosted transmitter your computers will connect to the rogue router giving full access to everything transferred. Your computer will simply connect to the best signal of an access point with your SSID.

Therefore: you have to enable wireless security. Anything else is not secure. In most new routers you have 4 basic choices: WPA2, WPA, WEP 104/128 bit, and WEP 40/64bit. WEP is considered insecure as it can be cracked within minutes and an attacker is able to find out your WEP keys quickly. WPA and the new (fully standardized) WPA2 are both considered secure at this time. Therefore, it is highly recommend to use WPA or WPA2 wireless security to protect your network. With WPA and WPA2 all your transmissions are strongly encrypted and also the access to your wireless network is well protected.

For each of those four choices you usually find at least two variants: one targeted for private and small networks and one targeted for enterprises. The latter require additional servers like RADIUS servers which you usually don't have in your home network. Enterprise variants allow user-based access control to the wireless network. Thus you usually have to stick with the easier variant for home networks which use predefined/fixed/pre-shared keys or passphrases. If you are unsure how the variants are labeled on your router simply try them and see what information you have to enter for each variant. If you have to enter some (RADIUS) server address it is probably a enterprise variant.

If it is WPA or WPA2 what you want to use you should look for the "Personal" or "PSK" variant. For WPA there is sometimes only the choice of the encryption algorithm used: TKIP or AES. TKIP is the encryption algorithm for WPA. AES is the (little bit stronger) encryption algorithm for WPA2. Thus WPA with AES is basically WPA2 and WPA with TKIP is normal WPA. WPA2 is backward compatible and can be configured to accept older WPA clients and newer WPA2 clients, i.e. clients that use either TKIP or AES. If you have some wireless clients which only know WPA with TKIP you should configure WPA2 with AES+TKIP. This will automatically select the strongest AES encryption with wireless clients which support it and will select the (not less secure) TKIP encryption for those which don't. As both encryption algorithms are considered very secure it does not affect your security of the wireless network.

The last thing to enter for WPA or WPA2 with pre-shared key/passphrase is the passphrase. The passphrase must be between 8-63 characters long. The overall security of your wireless network depends on the quality of your passphrase. Potential attacks against your network basically have to try different passphrases hoping to find the correct one in reasonable time. Thus if your passphrase is just a simple word like "password" it is more vulnerable to brute-force dictionary attacks. Thus a wireless network should be protected with a longer, strong, hard-to-guess passphrase. In general, you only have to enter the passphrase once on your wireless devices and then the device will remember it for future connections. This makes it easier to employ 63 character long random generated passphrases in a wireless network. You can either simply copy the key from the router interface while the computer is still wired to the router or you use a USB stick to copy the key to the laptop.

Again: you should not use WEP anymore. It is considered insecure and quickly cracked. If you use WEP, make sure that you do not use the passphrase/password on the computers to connect to your wireless router. The passphrase is only used to generate the real encryption keys (usually four of them). The algorithm how to derive the keys from the passphrase it not standardized (unlike WPA/WPA2 where it is standardized) thus different manufacturers do it differently. You better copy the WEP key to your computer. Use the first key in the list of four and make sure that the first key is selected as transmit key on the router if it allows this setting. The easiest way to copy the key is to use the hexadecimal representation. Hexdigits consists of numbers 0-9 and letters A-F. A WEP key in hexdigits is either 10 or 26 characters long. WEP 40/64bit keys have 10 hexdigits. WEP 104/128bit keys have 26 hexdigits. Hexdigits are the easiest way to enter the key correctly.

Manual initial configuration of a router (Part 3)

Connecting the modem with the router
You have made it so far. The router is prepped. If necessary you have changed the LAN IP address of the router to avoid conflicts. You know the default IP address of the router and you know how to connect to the web interface. Great. Power down the modem and the router. Now wire the internet/WAN port of your router to the ethernet port on your modem. Please make sure that no other computer is connected to the modem, in particular if your modem also has an USB port. In most modems you cannot use the USB port and the ethernet port at the same time. Connect the modem to your phone/cable line. Power up the modem first. Wait until it is fully up and running. Next power up the router. Wait until the router is up.

On the computer wired to the router, open the web interface of the router again. You now have to configure or check the internet connection settings. Depending on your router you may find those settings on a separate category like "WAN settings". With Linksys it is on the first setup tab the first few settings.

First thing you have to do is to choose the correct type of connection. You have found out before what your ISP uses, i.e. DHCP, PPPoE, PPPoA, or similar. Find this setting in your router and change it for your ISP. Most routers will probably have DHCP by default. If you need DHCP only for your internet connection you probably won't have to change this.

DHCP: there should be nothing else to configure on your router if you need only DHCP (unless your ISP specifically told you otherwise).

PPPoE/PPPoA: choose the right type and the web site should change and show you fields where you can enter the username and password for your ISP internet connection.

Static IP: choose Static (or manual) IP address on the router and enter all the IP addresses and values you have found in step 1 into the respective fields. You have to enter IP address, subnet mask, default gateway and DNS server(s).

That's all. If you chose the correct type and entered the correct values or passwords your router is prepared for your internet connection. Save the changes on the page and wait until the router has rebooted.

Check the internet connection on the router
Most routers have a status page where you can see the current connection status of the router. Now is a good time to have a look at this page. If the status page is O.K. then you should see at least the WAN/internet IP address of the router with all the other numbers which you have found in part 1 on your computer when it was directly connected to the internet. The IP address does not have to be identical but it will probably be similar. If the status page looks good you should have a working internet connection now. Open a URL in the internet, e.g. http://www.google.com/ and see if it works.

If the status shows that it is not connected (e.g. you have an IP address 0.0.0.0) you have to check a few things. First thing is to use any renew/connect button or similar if your status page has this. If the status page shows an error message or you'll see an error message if you press the button please note the exact error message. If it is something like "The PPP server refused your username or password" check for the correct username and password in the PPPoE configuration.

The MAC address clone "problem"
If you only need DHCP on your internet connection but your router gets no IP address and only shows 0.0.0.0 or an error message that the DHCP server did not respond or assign an IP address (you probably have a cable TV ISP) you probably run into a common problem: ISPs which use DHCP usually try to limit the number of public IP addresses you can use at a time. This limit is usually 1. Thus, you cannot connect multiple computers directly to the modem at the same time. Only one will get the IP address and have internet.

ISPs usually do this by remembering the MAC address of the device which connects through their modem and line and block any other traffic with a different MAC address. The MAC address it the hardware address of any ethernet card/adapter. It should be unique worldwide,in particular your router and your computer have different ones. As you have connected your computer directly to the modem before and had internet this may mean that your ISP has now reserved the line for your computer. (You could call your ISP to check if they really do this and how to reset this).

Usually, to reset this "lock" it is enough to either reset the modem, power down the modem for a few minutes, a few hours, a night maybe. Either they notice the turned off modem or they have a simple timer when the lock expires. What your ISP uses exactly you have to ask your ISP for that. If you are patient, sleep a night over it and next day power everything up again. Remember that you have the router connected to the modem when you power up the modem! Some ISPs actually don't expire the lock ever unless you call them.

If you are not so patient you can try the MAC address clone function of your router. Most routers have this. Basically, you can change the MAC address of your router to anything you like. This allows you to set the MAC address of your router to the MAC address of the ethernet card of your computer which you used before directly on the modem. Again, you have to search the web interface or the documentation of your router to find the place where they have hidden this function. With many routers it is quite easy to clone/use the MAC address of the computer in question if you connect to the web interface on the computer from which you want to clone the MAC address. In that case the router is able to detect the MAC address automatically. Linksys and Netgear routers have a button like "Clone this PCs MAC address" and it fills the fields automatically. (The MAC address is also as "Physical Address" in the "ipconfig /all" output on your Local Area Connection). Remember to save the change of the MAC address.

Afterwards check the status page again to see if there is any difference now.

Still not working?
This gets more difficult. I'll expand this section with the time with common problems and their solutions. Until then you should contact support or ask for help in one of the support forums. By now, you should have learned the basics of your setup and you should know where to find the relevant information (mostly on the status page of the router and with "ipconfig /all"). Post a precise problem description. If you get any error messages at any time, post the exact text of the error message. If you have made some non-standard changes (e.g. changed the LAN IP address) post the details why you did this. It helps to understand your current situation faster. Posting the status page and the full output of "ipconfig /all" usually helps a lot to get a detailed view of your configuration.

Manual initial configuration of a router (Part 2)

Connecting the router
O.K. Now that we have collected all information which may be helpful it is time to connect to the router. Please always do the initial configuration of a router with a wired connection. Although it is possible in theory to configure the router completely from a wireless computer it is highly advisable not to do so simply because otherwise you'll never know if it is really your wireless router which you configure or your neighbor's.

Thus, use a ethernet cable for the initial configuration! O.K. Set up the router. Plug in the power cord and connect it to power. Do not connect anything else yet to the router. Wait until the router booted up and the lights stop flashing/blinking or whatever they do during booting. Now wire a computer to one of the LAN ports on the router. If possible, use the computer which you have used before to connect to the internet directly through the modem. Again do not connect the router yet to the modem. All you want at this moment is a wired connection from the router to the computer.

Now run "ipconfig /all" again. This now shows the settings on your computer when connected to the router. This time all information should be in the local area connection. The default gateway IP address and the dhcp server ip address should be identical. It is the IP address of your router. Please write it down. You'll need it in a second. For Linksys routers this is usually 192.168.1.1. For Netgear it is usually 192.168.0.1. Take a note of the subnet mask, too. You should also find this default IP address of the router in the documentation which came with the router.

Avoiding address conflicts
This only applies if you had two different IP addresses in the modem check before: you have to make sure that your router which you configure now does not create an ip address/subnet conflict with the modem or whatever router there is on your path to the internet. This requires some math. But most of the time the situation is very simple. Anyway, what you have to make sure is that the IP subnet used when the computer was not connected to your new router does not overlap with the IP subnet used in the LAN of your new router. If it overlaps the router cannot work properly.

In most cases the subnet mask is 255.255.255.0 which makes this much easier to find out: if you found with "ipconfig /all" above that your router has IP address 192.168.1.1 and subnet mask 255.255.255.0 then all IP addresses 192.168.1.* belong to the LAN IP subnet. With subnet mask 255.255.255.0 the first three numbers are fixed and only the fourth number can vary.

Now, you will have a problem if your new router uses the same IP subnet as the modem/router to which you will connect it. Again, if you found the subnet mask 255.255.255.0 before in the modem check in part 1 it is simple. You have a conflict if the IP address found in the modem check in part 1 uses the same first three numbers as you just found connected to your new router. For instance if you found that your computer had an IP address of 192.168.1.123 with subnet mask 255.255.255.0 when it was directly connected to the modem and now you find that your computer has an IP address of 192.168.1.100 with subnet mask 255.255.255.0 when connected to the router this means you will have an IP address/subnet conflict if you connected the modem and the router without any further changes.

To fix this problem the easiest way is to change the default IP address of your new router. If you move the IP address of your new router outside the IP subnet used by your modem then you have resolved the conflict. Again, with subnet mask 255.255.255.0 this is fairly simple by changing the third number of the ip address. For instance, change the IP address of your new router from 192.168.1.1 to 192.168.2.1. Please remain inside 192.168.*.* as those addresses are for private use. We'll change the LAN IP address in a moment...

Accessing the router web configuration interface
Now it is time to make changes to the router settings. For this you have to connect to the web interface of the router. You open a browser and enter the IP address of your router which you have written down before. For instance, for a Linksys router you should have found 192.168.1.1 above and thus you enter 192.168.1.1 or http://192.168.1.1/ if you like into your browser.

I would recommend to have a look in the manual to find out how exactly you connect to the web interface of your router and in particular what the default username and password is to connect to it. With some routers like Netgear's you don't have to enter the IP address but you can also enter the URL http://www.routerlogin.net or similar instead. That makes it sometimes easier.

Moreover, you'll need the default username and password for your router. For Linksys you usually don't have to enter any username. The default password is "admin". For Netgear the default is usually username "admin" and password "password". But please check the documentation of your router (which either came in the box, is maybe on the CD or available for download from the web site of the router manufacturer).

Anyway, enter the URL or the IP address of your router into your browser, enter the default username and default password and you should see the first setup page of your router. Some router's make heavy use of JavaScript. If the first setup page does not load correctly but only partially make sure that JavaScript is enabled in your browser and that your software firewall is not filtering JavaScript (e.g. for pop-up blocking).

For the initial setup you'll have to find where you do the basic settings for the WAN and LAN. On Linksys routers you usually find all this on the very first setup page you'll see when you connect to the web interface. Other routers show a status page instead and you have to select some category like basic settings, WAN settings, LAN settings or similar. Again, the documentation may help you to find your way around.

Change the LAN IP address of the router
Now that you have managed to get into the web interface of your router you can start with the initial configuration. The router is still not connected to the modem! If you have found before that you have an IP address/subnet conflict and you have to change the LAN IP address of your router this should be the first thing to do. If you did not found a conflict or the modem check showed a direct connection to the internet you can skip this step.

Find the LAN settings of your router. Find where the IP address of the router is set at the moment. You know the IP address which you have found above thus you know what you are looking for. For Linksys it is usually somewhere in the middle of the first setup page. The address you have found was probably 192.168.1.1 and that is the address you should see there at the moment. Change the address to something else, e.g. 192.168.2.1. Save the changes on this page. The router will now reboot and you'll loose the connection. That's O.K.

After the router resumes normal operation try to connect to the new IP address of your router, e.g. http://192.168.2.1/ If it does not work, unplug the ethernet cable for 30 seconds, then plug it back in, or reboot the computer. Your computer needs a new IP address from the router inside the new IP subnet 192.168.2.*. Once the computer got the new IP address from the router you should be able to connect to the web interface on the new IP address. Please write down the new IP address for reference. If you router does not use a nice URL like Netgear with www.routerlogin.net you'll need the new IP address in the future and in particular for all following steps.

O.K. With this change the router is prepped to be connected to the modem now. That was a lot of preparation but the remaining steps should be much easier now...

Manual initial configuration of a router (Part 1)

Many routers in the consumer and SOHO price range come with little documentation and a CD which you are supposed to use for the installation of the router: you simply insert the CD and the software on the CD will automatically guide you through the whole installation process.

Sometimes this does not work, though. For instance, you only have a Mac and the software on the CD is usually only for Windows. Sometimes the software is just not intelligent enough to figure out why it is not working and never succeeds.

However, there is no need to use this CD or the software on the CD to configure a standard router. Most routers (I think even all except Apple Airport Express/Extreme) have a web based configuration interface through which you can make all necessary adjustments to get the router running on your internet connection. You can access this interface with a normal browser like Firefox or Internet Explorer which has JavaScript enabled. (Please note that some software firewalls tend to block the JavaScript making the interface inoperable.)

The initial configuration of a router is fairly simple, in fact, with some pitfalls on the way (into which the CD software likes too fall, too, I think) which you can get around quickly if you properly guided. As quite often people need at some point access to the web interface anyway to make more advanced setting there is no reason why you should not start with that right from the beginning and configure your router yourself. That way, you know what you did, learn more about your router and its workings and thus may get full "control" of your router instead of relying on some software on some CD which does all those initial settings hidden from you in the background.

Thus, let's start now to do the basic configuration of your router. You'll check first what kind of modem you have and a few settings on your computer and how it establishes its internet connection at the moment. Then you'll set up the internet connection on the router and check if it is working. If not, you can make a few tests and changes to find out why it is not working and how to fix it. Next, some basic security configurations of the router which are highly advisable during the initial setup in particular if you have a wireless router.

The modem connection
O.K. You have your router in the box. Before you hook it up, let's do some checks on your current internet connection and your modem. Connect your computer to the modem and make sure you have a working internet connection. Please note that you have to connect the computer with an ethernet cable and use the ethernet port on the modem. You cannot and should not test this with an USB connection if your modem has a USB port as well. Moreover, if your modem only has a USB port then this procedure will most likely not work for you. Most routers only connect with ethernet to the modem. You won't get your router running together with a USB modem. At least not the way it is supposed to be used and how the following procedure requires.

The ISP internet connection
To configure the internet connection correctly you should know the following things which you usually find in the documentation from your ISP. You may also call them to ask what of this applies to your internet connection. Later we'll double check most of these things thus it is not absolute necessary that you have this information at hand. However, it would help a lot if you did.
  • Internet connection type: Usually DHCP or PPPoE. Some providers use PPPoA instead of PPPoE. If it is PPPoA please make sure that your router does really support PPPoA. Many routers do not support PPPoA. An other rare option is a static IP address. If you have a static IP address please check with your ISP if this is really a simple static IP address to be used or if it is PPPoE with static IP address. Both are different. For the latter you still have to configure PPPoE as connection type. Be warned: some routers (most Linksys routers for instance) do not support PPPoE with a static IP address supplied on your side. You can only configure normal PPPoE and the ISP should assign your connection the static IP address automatically. But you cannot configure the static IP address with PPPoE connection on your router then. (The "Static IP" option as internet connection type is something different as it does not use PPPoE.)
  • If it is DHCP there is usually no further information needed to connect.
  • If it is PPPoE you usually need a user name and password. This may be the standard user name and password you use to access other resources at your ISP. Some ISPs require a special form for the username to be used on the internet connection. Check the documentation or ask your ISP.
  • PPPoA is similar to PPPoE.
  • Static IP (i.e. the option static IP without PPPoE) requires an IP address, subnet mask, default gateway IP address and one or more DNS server IP addresses.
  • PPPoE with static IP requires the same information as the previous static IP plus a user name and password.
Modem check
Now make the modem check. The first thing to take note of is whether those two IP addresses mentioned in the check are in fact identical or not. There is another router with network address translation (NAT) somewhere in the path between your computer and the internet. Most often, this is the modem itself which also has a router component built-in. If you live in an apartment building and use the internet connection supplied in the building it is probably somewhere in the building. If you use some other shared internet connection with others they probably already have a router somewhere.

If both addresses are not identical please take a note of the IP address and subnet mask. You must later know that to avoid IP address conflicts in case your router uses the same IP addresses you found on your computer now. If they are not equal you usually see IP addresses like 192.168.0.*, or 192.168.1.*, etc. with a subnet mask of 255.255.255.0. If it is your modem which has those router functions as well you should consider putting the modem into "bridge" mode, i.e. turning off those router functions. That way your router will have a direct internet connection which is usually easier to use. But this is not covered in this blog entry. In the following configuration we leave the modem/router device you have just like it is.

If both are addresses are identical then your computer is directly connected to the internet. There are a few rare instances (I think some satellite modems) where this is not true but it should not matter here.

Some more information from ipconfig /all
If you have a printer you may consider to print out the full output of the "ipconfig /all" from the modem check before. There are a few things you can check to verify that the information collected above for your internet connection are in fact correct. First, take a look which ethernet adapter is the one which has the IP address on the computer. If it is the PPP adapter you use PPPoE or PPPoA on your internet connection (many DSL providers use PPPoE or PPPoA). You have entered the username and password when you have created the connection in Windows.

If it is the Local Area Connection or similar then you have a normal connection, i.e. without PPPoE or PPPoA. ipconfig shows whether you have DHCP enabled or not. If it is enabled then you have a normal DHCP internet connection (e.g. many cable TV ISPs use this). If DHCP is disabled you seem to have a static IP address on your computer.

Also take a note of the default gateway and DHCP server IP address. If you found two different IP addresses in the previous modem check then the default gateway IP address is the IP address of the next router on your path to the internet. In that case you will see identical IP addresses for the DHCP server and default gateway which means that the next router is also running a DHCP server.

Disconnect the internet connection
If you use PPPoE or PPPoA on the internet connection please disconnect the connection now. You can usually click on the network connection in the network connections control panel and click disconnect or choose disconnect from the right-click context menu. Disconnect the the network connection and once it shows that the disconnected state unplug the cable from the modem. Please also make sure that your computer does not automatically reconnect. Check in the internet options control panel. On the Connections tab you should have the choice whether or not to "dial" a connection. Please make sure you have "Never dial a connection" selected here.

For DHCP connections you may use the ipconfig command in a command prompt window like before. Enter "ipconfig /release *" to release all DHCP IP addresses. You have to be administrator on the computer to do this.

For static IP address connections (without PPPoE) you have to reconfigure the network adapter for DHCP as you need DHCP behind the router. You have to change that in the properties of the local area connection in the network connections control panel in the properties for the IP protocol element. Set IP address and DNS servers to be received automatically.

Now you have cleaned up your the internet connection.

Sunday, August 19, 2007

Two router setups

If you have two routers there are several ways how to hook them up and configure them. You have basically three options. All three concern the configuration of the second "internal" router. They all require a wired connection between the two routers. (A wireless link between the two routers is not covered here as many routers do not support this.) The first router is the one which connects to the internet.
  1. Configure the second router in gateway/NAT mode and connect the internet/WAN port of the router to a LAN port of the first router. In this case it is important to use a different subnet on the second router then the first router. If the first router uses addresses 192.168.1.* with subnet mask 255.255.255.0 the second router must be outside of this subnet, e.g. it could be 192.168.2.1 with subnet mask 255.255.255.0. Make sure to enable the DHCP server on the second router unless you only want to use static IP addresses in your LAN. If you need port forwarding from the internet to the LAN of the second router, you have to configure the same forwardings on the first router as well. You forward first from the first router to the second and then from the second into the LAN.
  2. Connect a LAN port of the second router to a LAN port of the first router. In this case you have to turn off the DHCP server on the second router to prevent incorrect IP assignments. You may/should also change the LAN IP address of the second router to avoid conflicts. Choose an IP address inside the subnet of the first router but not conflicting with any static IP addresses used in your LAN nor overlapping the IP address pool which the DHCP server on the first router uses. If your first router has an IP address 192.168.1.1 with subnet mask 255.255.255.0 and the DHCP server uses the address pool 192.168.1.100-149 (the Linksys defaults) you can assign any address 192.168.1.2-99 and 150-254 to the second router, e.g. 192.168.1.2. This way the web configuration interface of the second router is easily accessible from your LAN.
  3. A "real" two router setup. Configure the second router in router/non-NAT mode and assign a LAN IP address in a separate subnet from the first router (i.e. like in the first option). In router mode you have to configure routes on the first router to make the second subnet accessible. If you use NAT on the first router you must also make sure that your first router does support NAT for addresses which are not in the first router's subnet. Some router are limited to do NAT only for its own LAN subnet and not for other addresses. If you have such a router the third option will not work for you.
For most home setups the best way to configure the second router is probably option 2. This creates a single LAN which makes file and printer sharing and other things easy to use. See here for some details how to set it up and a more extensive list of reasons why it is preferable.

If the second router is a wireless router and you use option 2 you basically set this router up as access point only.

If both routers are wireless routers option 2 is also preferable as it allows you to create a roaming wireless network in which wireless clients can move between access points without loosing the connection in between. If you would use option 1 clients would need a new IP address if they move between the two routers. To create a roaming wireless network both routers must have identical wireless and wireless security settings. They should only differ in the channel they use to avoid collisions.

Friday, August 17, 2007

The port forwarding checklist

O.K. So you have to forward a port to a computer in your LAN because you want to run an internet server. You configure the router but it does not work. This checklist goes through some of the major points what may be wrong:

Find out the correct port numbers and protocols: Check the documentation of the software or search the internet for the ports you have to forward. Port numbers are from 1-65535. The normal protocol choices are TCP or UDP.

Verify the server uses those ports: Make sure the server is running on the computer. Now open a command prompt window and enter netstat -an. Look at the TCP lines with "LISTENING" state and also at the UDP lines. In those lines look for the entries which have your port number in the local address column after the ":". If you look for port 12345 the local address could be 0.0.0.0:12345 or 127.0.0.1:12345. Be sure to find all lines for your port number and protocol.

If you find your port with local address 0.0.0.0 or the IP address of the computer in front (e.g. 192.168.1.50:12345) then a server is listening correctly. If you only find 127.0.0.1:12345 then the server is only listening on the local "loopback interface". This interface is only accessible on the computer. The forwarding will not work. In that case find out how to change the interface on which your software is listening.

If you don't find the port at all it is either not listening at all or it is listening on a different port. Find your running server entering "tasklist" into the command prompt window. Find the server checking the image name in the first column. Make a note of the PID in the second column from that line. Now enter "netstat -ano" and search for this PID in the last column of the netstat output. The lines with this PID in the last columns are those ports on which your server is currently listening.

Check the firewall: Make sure you have opened the ports in the firewall on the computer. You have to open it for all computers (i.e. the whole internet) and not only for the local subnet or similar.

Check the IP address of the server: The destination IP address of the port forwarding is the IP address of the server inside your LAN. Enter ipconfig /all to find out. It is highly recommended to use a static IP address on that computer because otherwise the IP address may change over reboots and each time you have to adjust the forwarding in the router. If the entry for your network connection in ipconfig /all shows DHCP enabled then you don't have a static IP address on the computer. Take a note of the IP address of the computer, e.g. 192.168.1.50.

Make sure the server is operational: Try to connect to the server from inside your LAN using the IP address you have found in the previous step. E.g. point your client software to 192.168.1.50 and port 12345. Make sure it works. Otherwise your server may not be operational.

Enter and enable the forwardings: Be sure to enter the correct information into the port forwarding form on the router. Choose the correct protocol, i.e. TCP oder UDP. If you have the option to forward both at the same time, you may choose that option. Forward all the ports that you need as target IP address for the forwarding enter the IP address you have found before of the server, e.g. 192.168.1.50. Don't forget to enable the forwarding if the router has the option to enable/disable specific entries and don't forget to save the settings on that page.

Do not enable port triggering or smiliar: You want to forward some specific ports. Port triggering does dynamically forward some ports based on some traffic on some other ports. Thus configuring port forwarding and port triggering for the same ports may or may not work. The port triggering function may influence the effect of the port forwarding.

Access the server from inside your LAN: find the IP address of the router on the internet port. Usually you find it somewhere on the status page of the router configuration. (It is not the LAN IP address of the router, which usually is a private IP address and ends in .1, e.g. 192.168.1.1). Point your client software to the IP address on the status page and make sure it works.

Make sure the router has a direct connection to the internet: Open the website http://whatismyipaddress.com/ . It shows you the public IP address from which the request came. This IP address must be the IP address you have found before in the status page of your router on the internet port. If it is different, your router is not directly connected to the internet but there is another router in front of the router which also does network address translation (NAT). You have to configure port forwarding on this other router as well. Most of the time, this other router is embedded into your modem. If you connect through an apartment building connection there is another router inside your building. Some ISPs also use NAT. In the two latter cases there is probably little or nothing you can do to get the server into the internet.

Access the server from the internet: You have to access the public IP address of your router which you saw in the status page of the router and which you could also find with whatismyipaddress.com in the previous step. You cannot access the server on its private IP address 192.168.1.50 or similar. If your ISP frequently changes the public IP address on your internet connection you may consider to configure the "DDNS" function in your router if it has one. With DDNS the router registers its IP address with a service like dyndns.org. You can then access your server using a simple hostname instead of the IP address.

Still not working? If everything so far is correct and the way it should be but you cannot access the server it may be that your ISP blocks it. Some ISPs don't allow clients to run internet servers on the connections. Some other ISPs block specific ports which are known to cause problems or are well-known to spread malware. You may ask your ISP about whether they block the port you are trying to use.