dacs.doc electric


Networking Fun(damentals)
Part 3 - Routers and Firewalls

by Bruce Preston


In the previous installment, I introduced the router and its basic functions. This installment expands on the router and adds the firewall.

As previously described, the primary function of the router is to determine whether a connection request is local to the Local Area Network (and thus should be ignored) or a request for an off-site host—in which case the router should field the request and pass it on to the other end of the broadband connection.

For home (or small office) broadband connections (cable or DSL, doesn’t matter) the router also provides functionality which permits several computers to be connected on the local side of the connection, and independently make use of the shared circuit to the ISP. This is a good trick because as far as the ISP at the other end of the circuit is concerned, there is only one computer at the home (or small office) end of the circuit.

The router performs this function via the mechanism of Network Address Translation (NAT). The router assigns a distinct IP address to each device on your local area network (LAN) and takes ownership of the IP address provided by the ISP at the other end of the broadband connection. This WAN-side IP address may be either static or dynamic. The LAN IP addresses may also be either static or dynamic. If dynamic, they must come from a pool of addresses managed by the router, and the router must be configured to act as a DHCP server.

DHCP server address pool: The designers of the internet reserved several blocks of IP addresses for use by local area networks. These blocks are: 10.0.0.0 through 10.255.255.255, 172.16.0.0 through 172.31.255.255, and 192.168.0.0 through 192.168.255.255. By definition, these addresses are not routable on the public internet, and thus may be freely used for private networks without fear of collision with other users on other networks. If you have enabled DHCP in your router, and your computer is set up to ‘acquire IP address automatically’, your computer will get an address from the IP address pool assigned to it by the router, as well as the gateway address (the router’s address) and the subnet mask. If your router has DNS entries and your computer is set to ‘acquire DNS address automatically’, then your computer will also get DNS addresses loaded at boot time.
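To make the address-pool idea concrete, here is an added example (my own code, not from the article or any router vendor) that checks whether an address falls in one of the three reserved blocks and models a small DHCP pool handing out leases from inside a private subnet. The `DhcpPool` class, its parameter names, and the sample MAC addresses are assumptions constructed for the example; the subnet 192.168.0.0/24 and gateway 192.168.0.1 match the article's own figures.

```python
from ipaddress import IPv4Address, IPv4Network

# The three blocks reserved for private networks (RFC 1918), as listed above.
PRIVATE_BLOCKS = [
    IPv4Network("10.0.0.0/8"),        # 10.0.0.0      - 10.255.255.255
    IPv4Network("172.16.0.0/12"),     # 172.16.0.0    - 172.31.255.255
    IPv4Network("192.168.0.0/16"),    # 192.168.0.0   - 192.168.255.255
]


def is_private_lan_address(addr: str) -> bool:
    """True if addr lies in one of the reserved private blocks."""
    ip = IPv4Address(addr)
    return any(ip in block for block in PRIVATE_BLOCKS)


class DhcpPool:
    """Minimal model (an assumption, not any real router's code) of the pool
    a home router's DHCP server hands addresses out of."""

    def __init__(self, network: str, gateway: str, first: str, last: str):
        self.network = IPv4Network(network)
        self.gateway = IPv4Address(gateway)
        self.first = IPv4Address(first)
        self.last = IPv4Address(last)
        if self.first not in self.network or self.last not in self.network:
            raise ValueError("pool must lie inside the LAN subnet")
        if not is_private_lan_address(str(self.network.network_address)):
            raise ValueError("LAN subnet should be a private (RFC 1918) range")
        self.leases = {}  # MAC address -> IPv4Address already handed out

    def lease(self, mac: str) -> dict:
        """Return what a client receives: its address, the subnet mask and the gateway.
        A client that asks again gets its existing address back."""
        if mac not in self.leases:
            in_use = set(self.leases.values()) | {self.gateway}
            for n in range(int(self.first), int(self.last) + 1):
                candidate = IPv4Address(n)
                if candidate not in in_use:
                    self.leases[mac] = candidate
                    break
            else:
                raise RuntimeError("DHCP pool exhausted")
        return {
            "address": str(self.leases[mac]),
            "netmask": str(self.network.netmask),
            "gateway": str(self.gateway),
        }


if __name__ == "__main__":
    pool = DhcpPool("192.168.0.0/24", "192.168.0.1", "192.168.0.100", "192.168.0.150")
    # Constructed sample MAC address, not a real device.
    print(pool.lease("aa:bb:cc:dd:ee:01"))
    print(is_private_lan_address("66.123.23.12"))
```

The pool deliberately refuses to be created on a public subnet: a LAN numbered out of public space would collide with real internet hosts, which is exactly the problem the reserved blocks exist to avoid.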

Here is an example of how Network Address Translation works: Let’s suppose that your router has the LAN-side address of 192.168.0.1 and your computer has the private network address of 192.168.0.100. Further, let us assume that your ISP has assigned your router’s wide area network (WAN) side address of 66.123.23.12.

When your computer makes a request for, say, Google, it addresses the request as being TO: 64.233.161.104:80 and FROM: 192.168.0.100. The router sees that the TO address is not local, so it intercepts the request and prepares to forward it to the router at the other end of your broadband circuit. However, as part of this process, it substitutes its own address (66.123.23.12) in the FROM field of the request. At the same time, when the connection is established, it records the “socket number” (similar to a connection number) in memory and associates with that socket number the IP address of the originator (in our example, 192.168.0.100).

A few milliseconds later, Google responds on that particular connection (socket) with the search results and sends them to 66.123.23.12—your router, on the same socket as the original request. The router sees the socket number, does a lookup in its tables, and substitutes in the TO: field of the packet the IP address of the original requestor: 192.168.0.100. It then delivers the ‘translated’ packet back to the requesting machine. Since the Google response was a web page, Google is finished responding, so it drops the socket connection. The router sees that the connection has been dropped, so it deletes the NAT entry for the socket as well. If you as a user click on a link on the page, another request is made (probably to a different site) and the router creates a new socket for that site, etc. with another NAT entry.

There is an additional benefit to the NAT mechanism: all connections must be originated from the LAN side of the router, since only LAN hosts create the sockets/connections (and thus the translation entries) to outside hosts. If a site on the internet side of the broadband connection tries to establish a connection, the router will not respond to it, because there is no entry in its translation table and thus no local machine to deliver the packet to. This is a simplistic firewall: nothing that originates on the outside can get through (unless explicitly permitted, as described in the next section).

Port Forwarding: Suppose that one of the machines within your LAN is functioning as a web page server. You would like to give people outside the ability to see your web pages, but nothing else. You can do this by implementing Port Forwarding. You may remember that certain services are associated with ports. For example, web page service (HTTP) is associated with port 80. So if someone on the outside creates a connection request for port 80 at your public IP address (the address associated with the WAN side of your router), then you know that they want to connect to your web server. Let’s say that your web server is located at the private IP address 192.168.0.110. In that case, you may enter a port forwarding rule in your router’s tables: any incoming packet addressed to your WAN IP address with port 80 is to be ‘forwarded’ to 192.168.0.110 port 80. The router will perform the NAT translation and deliver the request. Note that the request has a ‘from’ address associated with it, which is not touched. When your web server has generated the requested page, it sends it back to that calling address over the same socket, and then closes the socket.
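The following is an added example (my own code, not the article's and not any router's firmware) that simulates the outbound NAT walk-through above and the port-forwarding rule just described: a LAN host's request gets its FROM address rewritten, the reply is matched back through the translation table, an unsolicited outside packet with no entry is dropped, a closed connection loses its entry, and a port 80 rule lets an outside host reach the web server at 192.168.0.110. The `NatRouter` and `Packet` names, the choice of starting translation port (49152), and the outside address 203.0.113.5 (a documentation address) are assumptions constructed for the example; the other addresses are the article's.

```python
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Packet:
    """Just the header fields NAT cares about (a constructed, simplified packet)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    """Assumed model of a home router: dynamic NAT entries plus static forwarding rules."""

    def __init__(self, wan_ip: str, lan_net: str, first_nat_port: int = 49152):
        self.wan_ip = wan_ip
        self.lan_net = IPv4Network(lan_net)
        self.next_port = first_nat_port
        self.table = {}     # WAN port -> (LAN ip, LAN port): live outbound connections
        self.reverse = {}   # (LAN ip, LAN port, dst ip, dst port) -> WAN port
        self.forwards = {}  # WAN port -> (LAN ip, LAN port): port-forwarding rules

    def add_port_forward(self, wan_port: int, lan_ip: str, lan_port: int) -> None:
        """Rule: traffic to our WAN address on wan_port goes to lan_ip:lan_port."""
        self.forwards[wan_port] = (lan_ip, lan_port)

    def outbound(self, pkt: Packet):
        """LAN host -> internet. Returns the translated packet, or None when the
        destination is local and the router should simply ignore the request."""
        if IPv4Address(pkt.dst_ip) in self.lan_net:
            return None
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        wan_port = self.reverse.get(key)
        if wan_port is None:
            # New connection: pick a fresh WAN-side port and remember who owns it.
            wan_port = self.next_port
            self.next_port += 1
            self.table[wan_port] = (pkt.src_ip, pkt.src_port)
            self.reverse[key] = wan_port
        # FROM field now carries the router's public address.
        return replace(pkt, src_ip=self.wan_ip, src_port=wan_port)

    def inbound(self, pkt: Packet):
        """Internet -> router WAN address. Returns the packet as delivered on the
        LAN, or None when it is dropped because nothing inside asked for it."""
        if pkt.dst_ip != self.wan_ip:
            return None
        target = self.table.get(pkt.dst_port) or self.forwards.get(pkt.dst_port)
        if target is None:
            return None  # no NAT entry and no forwarding rule: unsolicited, dropped
        lan_ip, lan_port = target
        # TO field rewritten to the original requester (or the forwarded server).
        return replace(pkt, dst_ip=lan_ip, dst_port=lan_port)

    def connection_closed(self, wan_port: int) -> None:
        """When the far end drops the connection, the router deletes its NAT entry."""
        if self.table.pop(wan_port, None) is not None:
            self.reverse = {k: v for k, v in self.reverse.items() if v != wan_port}


if __name__ == "__main__":
    router = NatRouter("66.123.23.12", "192.168.0.0/24")
    request = router.outbound(Packet("192.168.0.100", 51000, "64.233.161.104", 80))
    print("as seen by Google:", request)
    reply = router.inbound(Packet("64.233.161.104", 80, "66.123.23.12", request.src_port))
    print("delivered on LAN:", reply)
    print("unsolicited:", router.inbound(Packet("203.0.113.5", 4444, "66.123.23.12", 1234)))
```

Once `connection_closed` has run, a packet arriving on that WAN port is treated exactly like any other unsolicited packet and dropped, which is the "simplistic firewall" behaviour described above; a port-forwarding rule is the one deliberate hole through it, and it exposes only the single port you list.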

Stateful Packet Inspection: Inside a TCP/IP packet is information as to what kind of data is contained. A firewall that makes use of SPI will examine the data within the packet and determine whether it is consistent with the request. A simplistic example: if the packet is addressed to a web server, the firewall will not permit a Telnet command (a remote terminal command) to be passed through.

Setting Up Your Router

Most routers make use of a web-browser interface for configuration management. You get into the router’s management console by connecting a computer to the LAN side of the router and then setting your browser’s address to the router’s LAN-side IP address. You will be presented with a login screen which requests a login name and password. More often than not this will be some variant of no logon name with a password of admin, or a logon name of admin with no password. One of the first things you should do is assign a logon name and password. Note that the router is smart enough that it will only respond to configuration console requests from the LAN side, so you have physical-access security: only users with internal access to the LAN can get at the router. You may, however, elect to permit remote configuration access, but this is never enabled by default.

Once you have the management console, you usually have separate pages for various sections of the router’s management. For example, one page may be to control the configuration of the WAN side. It usually includes the selection of static or dynamic IP address for the WAN connection, the protocol selection (such as straight TCP/IP pass through versus the use of PPPoE), logon name and password for a PPPoE connection, etc.

Another page may be used to activate DHCP, and if so, to specify the address pool to be used.

Yet another page may be used to specify port forwarding. This may be labelled in several ways: Port Forwarding, Virtual Server, Special Applications, etc.

Some routers may be set to restrict access to only machines that have hardware addresses (MAC addresses) that have been entered into a table within the router.

There is usually also a page in the configuration management console that permits loading of new ‘firmware’ into the router. Firmware is the software within the router that is ‘burned into’ memory. In this way, if the router vendor needs to make a change to the operational capabilities of the router, it may be done via a firmware update. For example, about a year ago my router’s firmware was modified to permit 25 port forwarding entries, where prior to that it only permitted 10.

Next time: WiFi.


Bruce Preston is president of West Mountain Systems, a consultancy in Ridgefield, CT specializing in database applications. A DACS director, Bruce also leads the Access SIG. Members may send tech queries to Bruce at askdacs@dacs.org.
