Sunday, August 19, 2007

Two router setups

If you have two routers there are several ways to hook them up and configure them. You have basically three options. All three concern the configuration of the second, "internal" router, and all require a wired connection between the two routers. (A wireless link between the two routers is not covered here as many routers do not support this.) The first router is the one which connects to the internet.
  1. Configure the second router in gateway/NAT mode and connect the internet/WAN port of the second router to a LAN port of the first router. In this case it is important to use a different subnet on the second router than on the first router. If the first router uses addresses 192.168.1.* with subnet mask 255.255.255.0 the LAN of the second router must be outside of this subnet, e.g. it could be 192.168.2.1 with subnet mask 255.255.255.0. Make sure to enable the DHCP server on the second router unless you only want to use static IP addresses in its LAN. If you need port forwarding from the internet to the LAN of the second router, you have to configure the same forwardings on the first router as well: you forward first from the first router to the WAN address of the second router and then from the second router into its LAN.
  2. Connect a LAN port of the second router to a LAN port of the first router. In this case you have to turn off the DHCP server on the second router to prevent it from handing out conflicting IP addresses. You should also change the LAN IP address of the second router to avoid conflicts: choose an IP address inside the subnet of the first router which neither conflicts with any static IP address used in your LAN nor lies inside the address pool which the DHCP server on the first router uses. If your first router has the IP address 192.168.1.1 with subnet mask 255.255.255.0 and its DHCP server uses the address pool 192.168.1.100-149 (the Linksys defaults) you can assign any address 192.168.1.2-99 or 150-254 to the second router, e.g. 192.168.1.2. This way the web configuration interface of the second router is easily accessible from your LAN.
  3. A "real" two router setup. Configure the second router in router/non-NAT mode and assign it a LAN IP address in a separate subnet from the first router (as in the first option). In router mode you have to configure routes on the first router to make the second subnet reachable. If you use NAT on the first router you must also make sure that your first router supports NAT for addresses which are not in the first router's own subnet. Some routers are limited to doing NAT only for their own LAN subnet and not for other addresses. If you have such a router the third option will not work for you.
For most home setups the best way to configure the second router is probably option 2. This creates a single LAN which makes file and printer sharing and other things easy to use. See the post "Connecting two routers wired to create a single LAN" below for details on how to set it up and a more extensive list of reasons why it is preferable.

If the second router is a wireless router and you use option 2 you basically set this router up as access point only.

If both routers are wireless routers option 2 is also preferable as it allows you to create a roaming wireless network in which wireless clients can move between access points without losing the connection in between. If you used option 1, clients would need a new IP address when they move between the two routers. To create a roaming wireless network both routers must have identical wireless and wireless security settings. They should only differ in the channel they use, to avoid collisions.

Friday, August 17, 2007

The port forwarding checklist

O.K. So you have to forward a port to a computer in your LAN because you want to run an internet server. You configure the router but it does not work. This checklist goes through some of the major points that may be wrong:

Find out the correct port numbers and protocols: Check the documentation of the software or search the internet for the ports you have to forward. Port numbers range from 1 to 65535. The normal protocol choices are TCP or UDP.

Verify the server uses those ports: Make sure the server is running on the computer. Now open a command prompt window and enter netstat -an. Look at the TCP lines with "LISTENING" state and also at the UDP lines. In those lines look for the entries which have your port number in the local address column after the ":". If you look for port 12345 the local address could be 0.0.0.0:12345 or 127.0.0.1:12345. Be sure to find all lines for your port number and protocol.

If you find your port with local address 0.0.0.0 or with the IP address of the computer in front of it (e.g. 192.168.1.50:12345) then a server is listening correctly. (On newer Windows versions you may also see [::]:12345, which is the IPv6 equivalent of 0.0.0.0.) If you only find 127.0.0.1:12345 then the server is only listening on the local "loopback interface". This interface is only accessible from the computer itself. The forwarding will not work. In that case find out how to change the interface on which your software is listening.

If you don't find the port at all the server is either not listening at all or it is listening on a different port. Find your running server by entering "tasklist" into the command prompt window. Find the server by checking the image name in the first column. Make a note of the PID in the second column of that line. Now enter "netstat -ano" and search for this PID in the last column of the netstat output. The lines with this PID in the last column are the ports on which your server is currently listening.
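The listening-socket check above, turned into a script, as an added example in Python (not code from the original post): it parses the output of netstat -ano, reports whether a given port is bound to all interfaces, to the loopback interface only, or not at all, and lists the ports a PID listens on. The netstat lines inside it are constructed sample output; port 12345 and PID 4321 are assumptions chosen for the illustration.

```python
"""Classify listening sockets from Windows `netstat -ano` output.

Added example for the port-forwarding checklist; not code from the original
post. SAMPLE_NETSTAT is constructed sample output, and the port/PID values
in it are assumptions for the illustration.
"""
import re

# Constructed sample of `netstat -ano` output (Windows format).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    127.0.0.1:12345        0.0.0.0:0              LISTENING       4321
  TCP    192.168.1.50:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.50:3389      203.0.113.7:50022      ESTABLISHED     1204
  UDP    0.0.0.0:12345          *:*                                    4321
  UDP    192.168.1.50:1900      *:*                                    2288
"""

# One socket line: proto, local addr:port, foreign addr, optional state (UDP
# lines have none), PID. IPv6 locals such as [::]:135 also match.
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<faddr>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?"
    r"(?P<pid>\d+)\s*$"
)


def parse_netstat(text):
    """Return one dict per socket line; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rows.append({
            "proto": m["proto"],
            "laddr": m["laddr"],
            "lport": int(m["lport"]),
            "state": m["state"] or "",
            "pid": int(m["pid"]),
        })
    return rows


def _is_listener(row):
    # UDP sockets have no state; a TCP socket only counts when LISTENING.
    return row["proto"] == "UDP" or row["state"] == "LISTENING"


def check_port(rows, port, proto="TCP"):
    """Outcome of the checklist step for one port/protocol:
    'listening'     bound to 0.0.0.0 / [::] / a LAN address: forwarding can work
    'loopback-only' bound to 127.0.0.1 / [::1] only: forwarding will not work
    'not-listening' no listener for that port and protocol at all
    """
    hits = [r for r in rows
            if r["proto"] == proto and r["lport"] == port and _is_listener(r)]
    if not hits:
        return "not-listening"
    if all(r["laddr"].startswith("127.") or r["laddr"] == "[::1]" for r in hits):
        return "loopback-only"
    return "listening"


def ports_for_pid(rows, pid):
    """The (proto, port) pairs one process listens on: the tasklist + netstat -ano step."""
    return sorted({(r["proto"], r["lport"]) for r in rows
                   if r["pid"] == pid and _is_listener(r)})


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print("TCP 12345:", check_port(rows, 12345, "TCP"))
    print("UDP 12345:", check_port(rows, 12345, "UDP"))
    print("TCP 139:  ", check_port(rows, 139))
    print("TCP 8080: ", check_port(rows, 8080))
    print("PID 4321 listens on:", ports_for_pid(rows, 4321))
```

To run it against your own computer, save the real output with "netstat -ano > netstat1.txt" (see the command prompt post below for output redirection) and pass the file contents to parse_netstat instead of the sample.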

Check the firewall: Make sure you have opened the port in the firewall on the computer. You have to open it for all source addresses (i.e. the whole internet) and not only for the local subnet or similar. Open only the specific port and protocol you need; do not disable the firewall as a shortcut.

Check the IP address of the server: The destination IP address of the port forwarding is the IP address of the server inside your LAN. Enter ipconfig /all to find out. It is highly recommended to use a static IP address on that computer because otherwise the IP address may change over reboots and each time you have to adjust the forwarding in the router. If the entry for your network connection in ipconfig /all shows DHCP enabled then you don't have a static IP address on the computer. Take a note of the IP address of the computer, e.g. 192.168.1.50.

Make sure the server is operational: Try to connect to the server from inside your LAN using the IP address you have found in the previous step. E.g. point your client software to 192.168.1.50 and port 12345. Make sure it works. Otherwise your server may not be operational.

Enter and enable the forwardings: Be sure to enter the correct information into the port forwarding form on the router. Choose the correct protocol, i.e. TCP or UDP. If you have the option to forward both at the same time, you may choose that option. Forward all the ports that you need, and as target IP address for the forwarding enter the IP address of the server you have found before, e.g. 192.168.1.50. Don't forget to enable the forwarding if the router has the option to enable/disable specific entries, and don't forget to save the settings on that page.

Do not enable port triggering or similar: You want to forward some specific ports. Port triggering dynamically forwards some ports based on traffic seen on some other ports. Configuring port forwarding and port triggering for the same ports may or may not work, because the port triggering function can interfere with the effect of the port forwarding.

Access the server from inside your LAN using the public address: find the IP address of the router on the internet port. Usually you find it somewhere on the status page of the router configuration. (It is not the LAN IP address of the router, which usually is a private IP address and ends in .1, e.g. 192.168.1.1). Point your client software to the IP address on the status page and make sure it works. One caveat: this test only works if your router supports "NAT loopback" (also called hairpin NAT), i.e. applying its forwardings to traffic from the LAN that is addressed to its own public IP address. Many consumer routers do not. If this test fails but everything else checks out, continue with the following steps and test from outside your network instead.

Make sure the router has a direct connection to the internet: Open the website http://whatismyipaddress.com/ . It shows you the public IP address from which the request came. This IP address must be the IP address you have found before in the status page of your router on the internet port. If it is different, your router is not directly connected to the internet but there is another router in front of the router which also does network address translation (NAT). You have to configure port forwarding on this other router as well. Most of the time, this other router is embedded into your modem. If you connect through an apartment building connection there is another router inside your building. Some ISPs also use NAT on their side (carrier-grade NAT). In the two latter cases there is probably little or nothing you can do to get the server onto the internet.

Access the server from the internet: You have to access the public IP address of your router which you saw in the status page of the router and which you could also find with whatismyipaddress.com in the previous step. You cannot access the server on its private IP address 192.168.1.50 or similar. If your ISP frequently changes the public IP address on your internet connection you may consider configuring the "DDNS" function in your router if it has one. With DDNS the router registers its IP address with a service like dyndns.org. You can then access your server using a simple hostname instead of the IP address.

Still not working? If everything so far is correct and the way it should be but you still cannot access the server it may be that your ISP blocks it. Some ISPs don't allow clients to run internet servers on their connections. Some other ISPs block specific ports which are known to cause problems or are well-known to spread malware. You may ask your ISP whether they block the port you are trying to use.

Wednesday, August 15, 2007

Necessary steps to secure a wireless router

If you set up a wireless router there are a few things you should configure on the router to make it secure. Unfortunately many routers come with a very insecure wireless setup which basically allows anyone in your proximity to use your internet connection, to access your LAN and your computers. It is important to make the following changes or verify them:

  1. Change the wireless network name (SSID) from the default to something unique. Linksys routers come with SSID "linksys". Netgear comes with SSID "NETGEAR". It is important to change it to something unique. This allows you to easier identify your wireless network and it prevents your wireless computers from accidentally connecting to your neighbor's router if he runs the same brand router with the default SSID.
  2. Enable wireless security/encryption. Use WPA2 or WPA whenever possible. Usually there are several variants of WPA2 and WPA available. Some are for enterprise setups which require a RADIUS server. What you usually want is the simpler personal setup with a pre-shared key (PSK). Choose WPA2 over WPA if possible. For the encryption choose AES (CCMP) if all your wireless devices support it. The mixed "AES and TKIP" mode accepts both WPA2 and WPA clients (TKIP is used for WPA and AES for WPA2), but it keeps the weaker TKIP cipher enabled, so use it only while you still have a device which supports WPA only. Do not choose WEP unless you have to connect a wireless device which only supports WEP. WEP can be cracked within a few minutes!
  3. For WPA2 and WPA enter a strong pre-shared key/passphrase. The security of your wireless network depends entirely on the quality of your passphrase: anyone who records a client connecting to your network can try passphrases against that recording offline, as fast as their hardware allows, so a short passphrase or a dictionary word will fall. The passphrase must be between 8 and 63 characters long; use a long random one. Usually you only have to enter it once on each computer, and you can copy it from the router's configuration page over a wired connection if necessary.
  4. Change the default router configuration password (don't confuse this with the passphrase for the wireless connection). The router comes with a default password which is published in the manual and elsewhere. Anyone who knows the password for the router configuration can make changes to the router, including stealing your wireless key. Therefore you must change the password!
  5. Make sure the firewall on the router is enabled. The router firewall protects the router itself and your LAN from attacks from the internet. Never turn it off: doing so will most likely expose the router's web interface to the internet, and you don't want that to happen. For the same reason leave remote (internet-side) management of the router disabled unless you really need it.
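An added example in Python (not code from the original post) showing how steps 1 and 3 of this list interact: a WPA/WPA2-Personal router turns the passphrase and the SSID into the 256-bit pre-shared key with PBKDF2-HMAC-SHA1 (4096 rounds, SSID as salt), as defined in IEEE 802.11i. The passphrase "password" with SSID "IEEE" is the test vector from that standard; the other passphrases and SSIDs are constructed samples.

```python
"""WPA/WPA2-Personal: how passphrase and SSID become the 256-bit PSK.

Added example for the wireless-security steps; not code from the original
post. The derivation is the IEEE 802.11i one (PBKDF2-HMAC-SHA1, 4096 rounds,
SSID as salt, 32-byte output). The "password"/"IEEE" vector is from the
standard; the remaining passphrases and SSIDs are constructed samples.
"""
import hashlib
import secrets
import string

PSK_BYTES = 32
PBKDF2_ROUNDS = 4096


def passphrase_problem(passphrase):
    """None if the passphrase is a valid WPA-Personal passphrase (8 to 63
    printable ASCII characters), otherwise a description of the problem."""
    if not 8 <= len(passphrase) <= 63:
        return "passphrase must be 8 to 63 characters long"
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        return "passphrase must consist of printable ASCII characters"
    return None


def derive_psk(passphrase, ssid):
    """PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 256 bits)."""
    problem = passphrase_problem(passphrase)
    if problem:
        raise ValueError(problem)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ROUNDS, PSK_BYTES)


def psk_matches(candidate, ssid, psk_hex):
    """Check one candidate passphrase against a known PSK. This single call is
    the whole unit of work of an offline guessing attack, which is why the
    passphrase must not be guessable and why a unique SSID matters: a table
    of PSKs precomputed for the SSID "linksys" says nothing about "home-7g3k".
    """
    return secrets.compare_digest(derive_psk(candidate, ssid).hex(), psk_hex)


def generate_passphrase(length=32):
    """A random passphrase from the allowed printable ASCII set (step 3)."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    print("IEEE test vector:", derive_psk("password", "IEEE").hex())
    # Same passphrase, different SSID -> unrelated PSK (constructed samples).
    print("linksys:  ", derive_psk("correct horse battery", "linksys").hex())
    print("home-7g3k:", derive_psk("correct horse battery", "home-7g3k").hex())
    print("suggested passphrase:", generate_passphrase())
```

Because checking one candidate costs only 4096 HMAC rounds, the passphrase itself has to carry the security; generate_passphrase gives you a random one that you enter once per computer, as step 3 describes.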

Friday, August 10, 2007

How to open a command prompt window?

The command prompt window is the terminal window where you can enter commands and see responses. You'll find a link to the command prompt window somewhere in the Start menu in the Accessories folder. You can also open it directly by running "cmd": click "Start", then "Run...", and enter "cmd" when Windows prompts you for the program to open. This opens a new command prompt window with white letters on a black background. The prompt shows the directory you are currently in.

Sometimes it is helpful to post the output of some command in the internet or a forum. You can redirect the output of any command to a file. The biggest obstacle is usually to find the file where you have saved it afterwards. When I open a command prompt window, the prompt shows that I am in the top directory of my windows profile folder which is C:\Documents and Settings\gv. If you enter "cd Desktop" into the command prompt window you'll change into the folder which contains everything which is on your desktop. This is a good place to save the output of a command to as you can quickly find it on the desktop.

To redirect the output of a command, e.g. of ipconfig /all you enter:

C:\Doc...\gv\Desktop> ipconfig /all > ipconfig1.txt

This writes the output of ipconfig into the file ipconfig1.txt on your desktop. There you can open it with notepad to copy the contents into your web browser. You could also enter "notepad ipconfig1.txt" to open the file with notepad. If you need several outputs from different commands just vary the filename.

The modem check

For a successful router setup it is often good to know what kind of modem you have. Many ISPs provide you with a modem through which you can connect to the internet. Some of those modems are not simple modems but are in fact full routers. Cascading routers, however, is not without pitfalls and for the initial setup of the router it is important to understand how the modem operates. You can do a simple check to find out:

  1. Connect your computer directly to the modem.
  2. Verify you have a working internet connection.
  3. Open a command prompt window.
  4. Enter "ipconfig /all"
  5. Open your browser and go to http://whatismyipaddress.com and take a note of your IP address as seen from the internet.

Now compare the IP address shown in the "ipconfig" with the IP address shown in the internet. If both are equal your modem is (most likely) set up as a simple modem. Your computer has a direct connection to the internet through the modem.

If the IP addresses differ, your modem (or whatever you have connected your computer to for the internet connection) is a router with network address translation, too. Most often, you'll see an IP address like 192.168.*.* in the ipconfig output. Your computer is not directly connected to the internet; another device is establishing the connection for you. For a successful router setup you should take a note of the default gateway address which you can see in the "ipconfig /all" output.
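The comparison of the last two paragraphs, as an added Python example (not code from the original post); it covers the same decision as the "Make sure the router has a direct connection to the internet" step of the port forwarding checklist above. The addresses in it are constructed samples: 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges standing in for real public addresses, and 100.64.0.0/10 is the block ISPs use for their own (carrier-grade) NAT, the case where the forwarding is out of your hands.

```python
"""Modem check: from the address ipconfig shows and the address the internet
sees, decide whether another NAT device sits between this computer and the
internet.

Added example for the modem check; not code from the original post. All
addresses used as samples are constructed (documentation ranges stand in
for public addresses and are treated as public here).
"""
import ipaddress

# IPv4 blocks that never appear as a public internet address.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")        # ISP shared address space (RFC 6598)
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # what Windows picks when DHCP fails


def classify(addr):
    """'private' (a home LAN), 'cgnat' (NAT on the ISP side), 'link-local'
    (no DHCP lease), or 'public' (anything else, including the documentation
    ranges used as samples below)."""
    ip = ipaddress.ip_address(addr)
    if any(ip in n for n in RFC1918):
        return "private"
    if ip in CGNAT:
        return "cgnat"
    if ip in LINK_LOCAL:
        return "link-local"
    return "public"


def modem_check(local_ip, public_ip):
    """Verdict for the ipconfig-vs-whatismyipaddress comparison in the post."""
    if ipaddress.ip_address(local_ip) == ipaddress.ip_address(public_ip):
        return "direct"        # simple modem: this computer holds the public address
    kind = classify(local_ip)
    if kind == "private":
        return "double-nat"    # the modem (or whatever you plugged into) is a NAT router
    if kind == "cgnat":
        return "isp-nat"       # the ISP does the NAT: you cannot forward ports yourself
    if kind == "link-local":
        return "no-lease"      # no DHCP lease at all; fix the connection first
    return "unexpected"        # two different public addresses: proxy, VPN or a misread


if __name__ == "__main__":
    # Constructed sample readings: (ipconfig address, whatismyipaddress result)
    for local, public in [("198.51.100.23", "198.51.100.23"),
                          ("192.168.0.10", "198.51.100.23"),
                          ("100.65.3.9", "203.0.113.88")]:
        print(f"{local:>15} vs {public:<15} -> {modem_check(local, public)}")
```

In the "double-nat" case the default gateway from "ipconfig /all" is the address of the device in front of you, which is where the second set of port forwardings has to go.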

Connecting two routers wired to create a single LAN

You have one router running in your network. This router connects to the internet. Now you want to hook up a second router (e.g. a wireless router to have wireless access) in your network connecting both with an ethernet cable. The following is in most cases the best approach for home networks. You'll find similar answers with some screenshots in the Linksys Easy Answers, e.g. 4579

The setup:

1. Unplug the second router from anything. Connect a single computer to the router. Do not connect the second router to the first at the moment!

2. Connect to the web interface of the second router at http://192.168.1.1/ (its default address) and configure it as follows.

3. Change the LAN IP address of the second router from 192.168.1.1 to a free address in your LAN (e.g. 192.168.1.2 should be O.K. if the first router is also a Linksys router). The address you change to (192.168.1.2) must not be used by any other device with a static IP address in your network, and it must lie outside the pool which the DHCP server in your network assigns. A default Linksys router uses 192.168.1.1 itself and its DHCP server assigns 192.168.1.100-149.

4. Turn off the DHCP server on the second router.

5. Save the setting.

6. Unplug the computer from the second router.

7. Connect an ethernet cable from a numbered LAN port of the first router to a numbered LAN port of the second router. Do not use the Internet/WAN port on the second router!

8. That's it! If you don't know or don't want to know more about networking you don't have to read the rest here.
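An added Python example (not code from the original posts) that checks an address plan for both setups described on this page: the single-LAN setup of the steps above (option 2 of the "Two router setups" post), where the second router's address must be inside the first router's subnet, unused, and outside the DHCP pool, and the gateway/router setups (options 1 and 3 of that post), where the two LAN subnets must not overlap. The Linksys defaults 192.168.1.1 and the pool 192.168.1.100-149 are the ones quoted in the posts; the static address 192.168.1.50 is a constructed sample.

```python
"""Check a two-router address plan before plugging the cable in.

Added example for the single-LAN setup steps and the "Two router setups"
post; not code from the original posts. The Linksys defaults are the ones
the posts quote; the static device at 192.168.1.50 is a constructed sample.
"""
import ipaddress


def check_single_lan(first_lan, first_ip, dhcp_pool, second_ip, static_ips=()):
    """Option 2 (LAN port to LAN port, DHCP off on the second router).
    Returns a list of problems with the second router's address; an empty
    list means the plan is OK."""
    net = ipaddress.ip_network(first_lan, strict=False)
    ip = ipaddress.ip_address(second_ip)
    lo, hi = (ipaddress.ip_address(a) for a in dhcp_pool)
    problems = []
    if ip not in net:
        problems.append(f"{ip} is outside {net}; its web interface would be unreachable")
    if ip == ipaddress.ip_address(first_ip):
        problems.append(f"{ip} is the first router's own address")
    if ip in (net.network_address, net.broadcast_address):
        problems.append(f"{ip} is the network or broadcast address of {net}")
    if lo <= ip <= hi:
        problems.append(f"{ip} lies inside the DHCP pool {lo}-{hi}")
    if ip in {ipaddress.ip_address(s) for s in static_ips}:
        problems.append(f"{ip} is already used by a device with a static address")
    return problems


def check_separate_subnets(first_lan, second_lan):
    """Options 1 and 3 (second router in gateway/NAT or router mode): the two
    LAN subnets must not overlap, otherwise routing between them is ambiguous."""
    a = ipaddress.ip_network(first_lan, strict=False)
    b = ipaddress.ip_network(second_lan, strict=False)
    return [f"{a} and {b} overlap"] if a.overlaps(b) else []


if __name__ == "__main__":
    LINKSYS_LAN, LINKSYS_IP = "192.168.1.0/24", "192.168.1.1"
    LINKSYS_POOL = ("192.168.1.100", "192.168.1.149")
    for cand in ("192.168.1.2", "192.168.1.120", "192.168.2.1", "192.168.1.50"):
        print(cand, check_single_lan(LINKSYS_LAN, LINKSYS_IP, LINKSYS_POOL, cand,
                                     static_ips=["192.168.1.50"]) or "OK")
    print(check_separate_subnets("192.168.1.0/24", "192.168.2.0/24") or "OK")
    print(check_separate_subnets("192.168.1.0/24", "192.168.1.0/24") or "OK")
```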

What do you have now?

The second router is connected through a LAN port to your existing network. This basically means that the router part of the device is not used at all. So you have a router device that you don't operate as a router in your network. Whatever you connect to the second router, either through one of the remaining LAN ports or through wireless if it has it, is directly connected to your LAN. Devices connected to the second router use the DHCP server of the first router to get an IP address. They use the first router directly for internet access. Everything is connected to a single larger ethernet network. Everything is in a single "broadcast" domain.

If the second router is not a wireless one, you basically have a few more ports in your network. In that case it might have been cheaper to get a simple switch/hub instead to extend your network.

Please remember: as the second router is not connected through the Internet/WAN port many configurations and functions of the second router won't work simply because they require an internet connection on the router itself. Some examples are: access restrictions, dynamic DNS service, port forwardings, MAC address clone, the firewall... All these things must be configured on the first router and only there.

Why is this better than connecting the second router with the Internet port?

A router is a separating network element. It separates two networks and allows certain traffic to cross. Sometimes this is necessary in a network setup but for most home networks it only creates a lot of obstacles.

1. In default Gateway mode the second router does network address translation (NAT). This means computers connected to the second router can connect to computers connected to the first router but not in the opposite direction.

2. If you use Router mode on the second router: you have to configure "routes" on the first router and possibly your computer connected to the first router so that IP packets find their way into the subnet of the second router.

3. You have two separate ethernet networks and thus two "broadcast" domains. A broadcast in the first router's subnet reaches all computers connected there. The same applies to the second router. A broadcast will never cross the second router, though. This is an obstacle for applications that depend on broadcasting to locate other computers and services. Windows file and printer sharing is one example here. With the second router in between, computers on one side do not know about computers on the other side. You cannot search your workgroup for the computer on the other side even when they use the identical workgroup name. You will be able to access the other computer using the IP address directly (e.g. \\192.168.1.100\share) but that's usually a hassle and the IP address may change if it is assigned by the DHCP server to the computer. There are ways to deal with some of these issues (e.g. save the host names in lmhosts files...) but all this requires more effort and attention to keep everything up-to-date.

4. Port forwardings become more complicated. If you need a port forwarding (i.e. you want a port on a computer in your network to be accessible from the internet) on a computer connected to the second router you have to setup two forwardings: one on the first router to the second router and one on the second router to the computer.

5. If you have two wireless routers: you cannot roam between both routers without losing the connection. This is simply because a wireless computer which moves from one router to the other needs a different IP address.

6. The whole configuration becomes more complicated: you always have to think about where to configure what, e.g. dynamic DNS service, access restrictions, ...

Bottom line: unless you have good reasons why you must have some computers separated from the other computers in your network, there is no good reason in a home network to do so. For normal home networking with simple to use file and printer sharing it is better to connect the second router as suggested in this post.

Router Setup

A blog which collects hints and tips for a successful router setup for your home LAN. I have written many of them before in the Linksys Community Forums. Although I often use Linksys defaults (e.g. 192.168.1.1 for the router address) they apply to consumer routers of many other brands as well.