Monday, 4 May 2015

Better Know your Wireless Router

Almost everyone these days has a small box with antennae somewhere in their house. It may look innocent, but while it’s killing your babies it’s also applying multiple filters and rulesets to the thousands of packets coming in and out of your network every day. Wireless routers are ubiquitous today, but there are a lot of people (even those very competent with computers) who aren’t quite sure how their router should be set up. In this tall post, I’ll walk you through the common options and settings on a home router, explain what each does and how you might want to set it, and add some tips for a fast and secure network.
Let’s start out by looking at the big feature you probably bought your router for: WiFi wireless networking.

WiFi

WiFi is a standard that allows for computers to form a local area network wirelessly. WiFi itself is defined by IEEE standard 802.11, and has been in development for some time and comes in several different “flavors.” The common versions are 802.11a, b, g, and n.

WiFi Versions

When you buy a router, you’ll be presented with different options for WiFi version and different supposed benefits for each. When you set up your router, you’ll probably also need to choose a “mixed” or “g-only” option, or choose from a whole different set of standards the router supports.

The letters were assigned roughly in the order the amendments were developed, so ‘a’ is the oldest and ‘n’ is the newest (‘a’ and ‘b’ were both ratified in 1999, ‘g’ in 2003 and ‘n’ in 2009). You’re probably aware of the speed difference: ‘n’ is fastest (up to 600Mbit/s on paper, 150–300Mbit/s in typical equipment), ‘a’ and ‘g’ both top out at 54Mbit/s, and ‘b’ at 11Mbit/s. There is another significant difference that most people are not aware of, which explains why the versions are often grouped with ‘a’ and ‘n’ together and ‘b’ and ‘g’ together: ‘b’ and ‘g’ operate in the 2.4GHz band, while ‘a’ operates in the 5GHz band. ‘n’ is defined for both bands, and a given ‘n’ radio may support one or both of them. “802.11bg” (supporting both ‘b’ and ‘g’ standards) equipment is common, because since the frequency is the same one physical radio can support both. 802.11a devices require a different physical radio.
In general, 5GHz is better. This is because the 5GHz band is wider, allowing for more wireless networks in a small area without interference (this is important, because interference between WiFi networks is increasingly becoming a problem in dense areas), and because WiFi shares the 5GHz band with fewer other devices (many non-WiFi devices operate at 2.4GHz as well, and will interfere with WiFi networks. Baby monitors and older cordless phones are a common example). N is a clear winner, then, because it’s fastest and 5GHz, right?
Unfortunately, the issue of bands and radios becomes somewhat confusing with 802.11n, because both bands are supported. Most 802.11n devices on the market right now are actually 2.4GHz only. Some devices are selectable band, meaning that they can operate at 2.4GHz or 5GHz. Some devices are simultaneous dual-band, so that they can operate on both bands at the same time. 
  • A 2.4GHz-only device will support G and N, but only N at 2.4GHz, where it shares the band with everything else (this limits the benefit you will receive from N).
  • A selectable band device forces you to make a choice: either have 802.11g support as well and be limited to 2.4GHz for n, or have 5GHz 802.11n and lose 802.11g compatibility.
  • A dual-band device is the best of both worlds, allowing for 802.11g and 802.11n 5GHz at the same time. They are the most expensive, though.
This can make choosing a new router tricky if price is an issue. Simultaneous dual-band is definitely the best, but such routers often run near $200, with 2.4GHz-only models costing half as much. It comes down to a personal decision. 2.4GHz will work fine, but 5GHz is better.
Of course, a bigger issue is if 802.11n is a concern at all: it’s new enough that existing devices may not support it, so you may just be sticking to 802.11g.
So, to sum it up: n is fastest, but many devices only support g right now. n will operate in two bands, 2.4GHz and 5GHz. 5GHz is best, but unless you buy a simultaneous dual-band device you’ll be giving up 802.11g support to use 5GHz. On cheaper devices, 5GHz may not be an option at all. Most routers will allow you to “mix” standards, allowing different devices supporting different standards to connect at the same time. There’s generally no reason not to do this.
Hopefully you understand the standards a little better now. Once you’ve set the WiFi standard to be used, you may be asked to set the channel. So let’s talk a little about channels.

Channels

Within the bands used by WiFi, there are different channels available. A channel specifies the centre frequency the router will transmit on. For 2.4GHz routers, there are 14 channels spaced 5MHz apart (channel 1 is centred at 2412MHz, channel 13 at 2472MHz). An 802.11g transmission occupies about 20MHz (802.11b about 22MHz), so we’re effectively spacing 20MHz-wide channels every 5MHz, resulting in overlap. The exception is channel 14, which sits 12MHz above channel 13 rather than 5; it is only legal in Japan, and only for 802.11b. Channels 1, 6, 11, and 14 do not overlap with each other, so in most of the world the usable non-overlapping set is 1, 6, and 11. That doesn’t mean these are the “best” channels for you: in general, you just want to choose a channel that is as far away as possible from other nearby networks, preferably 5 channels away to prevent overlap. This may not always be possible; just look for the area with the fewest networks. A WiFi survey tool like NetStumbler (Windows) will help you with this by showing all the networks in the area and the channels they operate on.
(Graphic from wikipedia)
For 5GHz networks, the numbers are different but the idea is the same. There are quite a few more channels in the 5GHz band; the numbering again counts in 5MHz steps, but the usable channels are 20MHz apart (36, 40, 44, 48, and so on), so neighbouring usable channels in this band do not overlap. Note that 802.11n can optionally bond two adjacent 20MHz channels into one 40MHz channel, which doubles the spectrum it occupies and therefore the overlap with neighbours; many routers show only valid 20MHz channels by default. Some 5GHz channels are “DFS” channels that the router must vacate if it detects radar, so it may switch away from them on its own. Once again, just choose a channel that doesn’t have too many other networks near it.
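Here is a small script, added for this post and not part of the original, that does the 2.4GHz channel arithmetic described above: it computes each channel’s centre frequency, works out which channels overlap for a given signal width, and picks the least congested of 1, 6 and 11 from a site survey. The survey list (one entry per neighbouring network and its channel) is made up.

```python
"""Pick the least-crowded 2.4 GHz Wi-Fi channel from a (constructed) site survey.

Added example, not part of the original post. Survey data below is made up.
"""


def center_mhz(channel: int) -> int:
    """Centre frequency of a 2.4 GHz channel in MHz.

    Channels 1-13 are 5 MHz apart starting at 2412 MHz; channel 14
    (Japan, 802.11b only) sits 12 MHz above channel 13 at 2484 MHz.
    """
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError(f"no 2.4 GHz channel {channel}")


def overlaps(ch_a: int, ch_b: int, width_mhz: int = 22) -> bool:
    """True if two transmissions of the given width share spectrum.

    22 MHz is the 802.11b DSSS width and gives the conservative
    1/6/11/14 answer; 20 MHz (802.11g OFDM) permits 1/5/9/13 as well.
    """
    return abs(center_mhz(ch_a) - center_mhz(ch_b)) < width_mhz


def non_overlapping_set(width_mhz: int = 22) -> list:
    """Greedy sweep over channels 1..14: the lowest channels that do not overlap each other."""
    chosen = []
    for ch in range(1, 15):
        if all(not overlaps(ch, c, width_mhz) for c in chosen):
            chosen.append(ch)
    return chosen


def congestion(channel: int, survey: list, width_mhz: int = 22) -> int:
    """Number of surveyed networks whose transmissions overlap `channel`."""
    return sum(1 for ch in survey if overlaps(channel, ch, width_mhz))


def best_channel(survey: list, candidates=(1, 6, 11), width_mhz: int = 22) -> int:
    """Least-congested candidate channel; ties go to the lower channel number."""
    return min(candidates, key=lambda ch: (congestion(ch, survey, width_mhz), ch))


# Constructed survey: the channel of each neighbouring access point we can hear.
SURVEY = [1, 1, 3, 6, 6, 6, 9, 11]

if __name__ == "__main__":
    print("non-overlapping (22 MHz):", non_overlapping_set())
    for ch in (1, 6, 11):
        print(f"channel {ch}: overlapped by {congestion(ch, SURVEY)} networks")
    print("best choice:", best_channel(SURVEY))
```

The survey shows that channel 11 is overlapped by only two neighbours (9 and 11) while channel 6 is hit by five, so the script picks 11; a network on channel 3 counts against both 1 and 6, which is exactly why the post warns against in-between channels.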

Encryption

Security is a big concern whenever we talk about sending our data through the air, and there are a few encryption technologies supported by most WiFi devices: WEP, WPA, and WPA2. The choice is simple: always use WPA2. WEP is thoroughly broken (its key can be recovered in minutes from captured traffic), WPA was a stopgap designed to run on WEP-era hardware, and very few devices today lack WPA2 support.
Your router may ask you whether to use TKIP or AES encryption with WPA2. It should actually say TKIP or AES/CCMP: these are the cipher suites that protect the data frames once a key has been negotiated, not different versions of WPA2. AES/CCMP is the suite WPA2 was designed around; TKIP is the older WPA-era suite with known weaknesses and exists only for compatibility. Go ahead and set AES/CCMP (usually displayed as just AES). The worst that will happen is you’ll have to allow TKIP as well when some old device won’t connect, and that is a good reason to retire the device.
WPA2 pre-shared keys are passphrases of 8 to 63 printable ASCII characters (or exactly 64 hex digits for the raw key), and you should use that length. An attacker who records a single client joining the network can guess passphrases offline at leisure, so treat the WPA2 key like a password: long and random, containing characters from all categories. The SSID is mixed into the key derivation, so giving your network a name nobody else uses also defeats precomputed tables built for common default names.
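To show why the passphrase matters, here is an added example (not from the original post) that derives the WPA2 pre-shared key exactly the way a client does, using the PBKDF2-HMAC-SHA1 construction from IEEE 802.11i, and then estimates how long an offline guessing attack would take. The guesses-per-second figure is an assumed parameter, not a measurement.

```python
"""WPA2-PSK: how the passphrase becomes the 256-bit key, and why length matters.

Added example, not from the original post. The derivation is the one specified
in IEEE 802.11i: PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
"""
import hashlib
import math


def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 32-byte pre-shared key (PMK) exactly as a WPA2 supplicant does.

    The SSID is the salt, so two networks with the same passphrase but different
    names get different keys, and tables precomputed for a common SSID are useless
    against a uniquely named network.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases are 8 to 63 printable ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )


def guess_entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy in a uniformly random passphrase of this length and alphabet."""
    return length * math.log2(alphabet_size)


def offline_attack_years(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Expected years to find a random passphrase by exhausting half the keyspace.

    Each guess costs a full PBKDF2 run (4096 HMAC-SHA1 iterations), which is what
    limits `guesses_per_second`; the attacker needs only a recorded handshake.
    """
    keyspace = alphabet_size ** length
    return keyspace / 2 / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # IEEE 802.11i Annex H test vector: passphrase "password", SSID "IEEE".
    print(wpa2_psk("password", "IEEE").hex())
    rate = 1_000_000  # ASSUMED guesses/second for a well-equipped attacker
    for length, alphabet, label in [(8, 26, "8 lowercase letters"),
                                    (12, 62, "12 alphanumerics"),
                                    (20, 95, "20 printable ASCII")]:
        print(f"{label}: {guess_entropy_bits(length, alphabet):.0f} bits, "
              f"~{offline_attack_years(length, alphabet, rate):.2e} years at {rate}/s")
```

The derivation is deliberately slow (4096 iterations), but that only multiplies the attacker’s cost by a constant; the passphrase’s length and alphabet are what push the expected time from hours to longer than the age of the universe.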

Beaconing

Your computer lists “available networks” by listening for beacons. A beacon is a small unencrypted frame your router regularly sends to advertise its presence and its SSID. Most routers allow you to turn off beaconing (usually labelled “hide SSID”). If you turn it off, you’ll have to enter all the information on your network manually, and recent Windows does not make this convenient. There’s really no reason to disable it; some advertise it as a security measure, but it provides no real security: it’s trivial to detect unadvertised networks and determine their SSID by listening to packets sent by computers already connected, and clients configured for a hidden network probe for it by name wherever they go, which leaks it even further.

Miscellaneous Options

Here’s a few other settings you might see and a brief explanation.
  • Group key renewal: Besides the per-client keys negotiated when each device joins, a WPA2 network uses a shared “group” key for broadcast and multicast traffic. The renewal period sets how often the router generates a new group key and distributes it to all connected clients, so a key an attacker somehow obtained is only useful for that long. One hour is a sensible default; setting it very low gains little and causes brief interruptions on some clients during each rekey.
  • Wireless Mode: If your router has such a setting (most don’t), you’ll want to set it to Access Point. The other options are primarily for using the router to bridge wired devices to a wireless network broadcast by a different router.
That about wraps up the WiFi connections. While we’re on the topic of security, though, let’s look at another security feature that most routers offer.

MAC Filtering

Each network interface manufactured has a unique MAC address. This is a hardware ID that generally never changes, although most operating systems let you override it in software. Most routers provide a MAC Filter that allows you to specify a list of MAC addresses that are allowed to connect. Computers with MAC addresses not on the list will be blocked. Don’t mistake this for a security precaution: the MAC address is sent unencrypted in every wireless frame, so anyone within range can see which addresses are authorized and set their own interface to match, without ever touching one of your computers. It will keep a neighbour’s laptop from joining by accident, and nothing more. It is inconvenient, too, because each new computer that wishes to connect will need to be added to the list manually. Most people today do not use a MAC filter, and there’s little reason to.
Once a computer connects to the network, it needs a “name” by which other computers can refer to it. You are probably familiar with IP addresses and the fact that each computer on the network must have a unique one, but how does a computer find out what its IP address should be? IP addresses are usually assigned by the router using DHCP.

DHCP and Address Assignment

Whenever a computer connects to your network, it sends a DHCP request. Your router, which acts as a DHCP server, then responds, sending the computer an IP address that it should use, along with the IP address of the router itself (the Gateway), the range of addresses used on the internal network (the Netmask), and addresses for servers the computer should ask when it needs to resolve a domain name (the DNS servers). Your router will use an IANA “private” address, an address in a range that has been specifically reserved for use inside private networks (10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16; home routers almost always pick something in 192.168.*). This usually works transparently without you having to worry about it, but there are a few settings you should be aware of.
It may be desirable to have computers on your network always use the same IP address (for example, they might host game or media servers). You can set the operating system on those computers to always use the same IP rather than requesting one from the DHCP server. The DHCP server is not aware of these computers, though, so what if it reassigns their addresses? DHCP ranges avoid this problem. You can tell the DHCP server to assign addresses within a certain range, by default on most routers 192.168.1.100 and up. This way you can set your computers with static IPs to addresses below 100, and you know that the DHCP server will not interfere.
DHCP assignments are temporary, and computers must renew their address from time to time. The amount of time for which each address is assigned is called the DHCP Lease Time. It usually defaults to one day. You can set it longer if you want IPs to change less, but know that a long lease time can result in the router actually running out of addresses to assign, since leases held by devices that have long since left still take up the available address space.
If you have a computer that you want to always have the same IP on your network but that you also connect to other networks (other networks will probably not work properly if you have a static IP set for your network), you may be able to take advantage of Static DHCP Assignment. In such a system you can tell your router the MAC address of the computer and what IP it should use. Whenever a computer with the MAC address you set sends a DHCP request, the router will assign it the IP you specify. It’s a great way to make sure you know the IPs of the computers on your network, but not all routers offer this feature.
As I mentioned, your router also specifies the netmask and DNS servers that a computer should use. The netmask is a binary mask that tells a computer which other addresses are in a local network with it. For most networks, the netmask will be 255.255.255.0, which includes all computers with the first three octets (sections) the same, leaving 254 usable host addresses. You will virtually never use a different mask on a home network. The DNS servers that your router provides are how your computer turns a domain name (like www.google.com) into an IP address (like 74.125.79.104). By default the DNS fields in your router’s configuration interface may be blank. This is because your router also uses DHCP to get some information from your ISP, and that includes the DNS servers. If you’d like, you can manually specify servers for a third-party service here, such as Google Public DNS (8.8.8.8 and 8.8.4.4) or OpenDNS (208.67.222.222 and 208.67.220.220).
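The following toy DHCP pool, added here as an example and not part of the original post, ties the last few paragraphs together: it hands out addresses from a dynamic range, renews and expires leases, runs out when every lease is held, and honours a static assignment keyed by MAC address. It also shows the netmask test a host applies to decide whether a destination is local. All addresses and MACs are made up.

```python
"""Toy DHCP address pool: dynamic range, lease expiry, and static (MAC) reservations.

Added example, not from the original post. Addresses and MACs are constructed.
"""
import ipaddress
from typing import Dict, Optional, Tuple


def same_subnet(a: str, b: str, netmask: str = "255.255.255.0") -> bool:
    """Does the host at `a` treat `b` as local (reachable without the gateway)?"""
    net = ipaddress.ip_network(f"{a}/{netmask}", strict=False)
    return ipaddress.ip_address(b) in net


class DhcpPool:
    def __init__(self, first: str, last: str, lease_seconds: int = 86400):
        self.first = ipaddress.ip_address(first)
        self.last = ipaddress.ip_address(last)
        self.lease_seconds = lease_seconds
        # ip -> (mac, lease expiry time)
        self.leases: Dict[ipaddress.IPv4Address, Tuple[str, float]] = {}
        # mac -> ip, the "static DHCP assignment" feature
        self.reservations: Dict[str, ipaddress.IPv4Address] = {}

    def reserve(self, mac: str, ip: str) -> None:
        """Always give this MAC the same address (may sit outside the dynamic range)."""
        self.reservations[mac.lower()] = ipaddress.ip_address(ip)

    def _expire(self, now: float) -> None:
        """Drop leases whose time has run out so their addresses can be reused."""
        for ip, (_, expires) in list(self.leases.items()):
            if expires <= now:
                del self.leases[ip]

    def _existing(self, mac: str) -> Optional[ipaddress.IPv4Address]:
        for ip, (holder, _) in self.leases.items():
            if holder == mac:
                return ip
        return None

    def _free_address(self) -> Optional[ipaddress.IPv4Address]:
        reserved = set(self.reservations.values())
        for n in range(int(self.first), int(self.last) + 1):
            ip = ipaddress.ip_address(n)
            if ip not in self.leases and ip not in reserved:
                return ip
        return None

    def request(self, mac: str, now: float) -> Optional[str]:
        """Answer a DHCP request at time `now`; None means the pool is exhausted."""
        mac = mac.lower()
        self._expire(now)
        ip = self.reservations.get(mac)
        if ip is None:
            ip = self._existing(mac)       # renewal keeps the same address
        if ip is None:
            ip = self._free_address()
        if ip is None:
            return None
        self.leases[ip] = (mac, now + self.lease_seconds)
        return str(ip)


if __name__ == "__main__":
    pool = DhcpPool("192.168.1.100", "192.168.1.101", lease_seconds=3600)
    pool.reserve("aa:aa:aa:aa:aa:09", "192.168.1.50")
    for t, mac in [(0, "aa:aa:aa:aa:aa:01"), (0, "aa:aa:aa:aa:aa:02"),
                   (0, "aa:aa:aa:aa:aa:03"), (4000, "aa:aa:aa:aa:aa:03"),
                   (4000, "aa:aa:aa:aa:aa:09")]:
        print(f"t={t:<5} {mac} -> {pool.request(mac, t)}")
```

A two-address range makes the exhaustion case visible: the third client is refused at t=0 and only gets an address once the earlier one-hour leases have expired, which is the lease-time trade-off described above in miniature.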
In addition to the internal addresses used for computers inside a network to communicate amongst themselves, your router also has an external IP address that it uses to communicate with the internet. Computers inside the network cannot directly communicate with the internet, because private addresses are not routable on the internet and they have no direct connection. Instead, they must use the router as a “gateway”, which forwards requests from one network to another and then appropriately routes the responses.

Routing

Routing is perhaps the main function a router performs, thus its name. Computers connected to the router are not directly connected to the internet, so their traffic must follow a route through your router in order to get there. Your router has in its memory a “routing table”, which is a list of address ranges and where to find them. It knows that 192.168.1.* addresses (or whatever range it uses) are inside the network, so packets for these addresses it will send back in. It knows that other addresses are outside of your network, so packets addressed to addresses outside of the 192.168.1.* range should be sent to the internet. Your router will probably have a section where it allows you to enter your own routing rules. This is outside the scope of this article, but know that you can use it to build more complex network configurations using multiple routers.
There’s a problem with routing as I’ve explained it, though: the “from” address on packets generated by computers inside the network going to the internet will be internal addresses. But computers on the internet don’t use your router as a gateway (a good thing, because it wouldn’t be able to handle that many requests), and besides that there are many different networks all using the same private IPs. So how do computers on the internet reply to computers inside your network?
Your router performs Network Address Translation to resolve this problem.

Network Address Translation

(This section partially quoted from the community wiki answer on this topic.)
NAT is the process through which addresses inside your network (private addresses) are translated to the public (internet) IP of your router. As packets leave your network, the “from” address is changed to the internet address of your router, so that responses will come back to the router. The router then keeps a list of all connections that have been made so that it knows which computer a reply packet should go to. This works fine when a computer inside your network starts the connection, but what if a computer outside tries to start a connection? The router won’t know which internal computer to forward the packet to, so it will simply reject it. Your router will have a section that allows you to configure “port forwarding”, which is how your router chooses how to direct incoming packets. There are a few things you can set up here:
  • Faux-DMZ: a lot of routers have a feature called DMZ. This stands for Demilitarized Zone, which is a kind of network security configuration: a separate network segment where exposed servers live, isolated from the internal network. The DMZ on home routers is often referred to as faux-DMZ because it lacks that isolation. What it does do is the simplest kind of incoming connection handling: all incoming connection requests, on every port, are sent to one computer you specify inside your network. It’s dead simple – you type an IP address into your router’s configuration, and all incoming connections go there. It also fully exposes that computer to the internet, so prefer a specific port forward whenever you know which ports you need.
  • Port forwarding: All network connection requests include a “port”. The port is just a number, and it’s part of how a computer knows which program a packet is for. IANA assigns well-known port numbers by convention; port 80, for example, is HTTP, so an incoming packet for port 80 is most likely intended for a web server (nothing enforces this, which is why a forward should point only at a machine actually running the service). Port forwarding on your router allows you to enter a port number (or possibly a range or combination of numbers, depending on the router) and an IP address. All incoming connections with a matching port number will be forwarded to the internal computer with that address.
  • UPnP port forwards: UPnP forwarding works the exact same way as port forwarding, but instead of you setting it up, software on a computer inside the network automatically tells the router to forward traffic on a given port to it. The router does not check who is asking, so any program on any device in your network, including malware, can open a hole this way. Your router will likely have an option to turn UPnP support on and off; leave it off unless something you use depends on it.
You will start out with an empty port forwarding table, and this is fine for a lot of people. Over time, you may need to add a few things. Here are some common applications of port forwarding:
  • Video game servers. If you wish to host multiplayer video games, outside players will need to be able to connect in.
  • P2P protocols. Outside peers will need to be able to connect to your computer for peer-to-peer file transfers. This will usually involve a large range of ports to facilitate multiple connections at once.
  • Home file/web servers. You’ll need to be able to connect from outside your network to get to your files, so you’ll need to forward the involved ports to your server.
To set up a port forward, you need to find out which ports you need. This should be in the documentation for the software you’re trying to set up, or it might be configurable. Go to your router’s interface and enter the port number (or possibly a range), the protocol (TCP or UDP; this should also be specified where you found the port number), and the internal address that it should be sent to. You may also be able to specify an external address or range; this limits forwarding to packets from a specific source (which is a good idea for security reasons, especially for remote-administration ports). Finally, you might have an option to specify a different internal port. This would allow you to actually change the port number of a packet when it goes through the router, which might be useful if you have multiple computers inside the network running something on the same port and you would like to access them via different ports from the internet (not a common situation). Here’s an example of a port forwarding table:
  Protocol  External port  Source          Internal address  Internal port
  TCP       80             any             192.168.1.5       80
  TCP       22             any             192.168.1.5       22
  TCP       8080           any             192.168.1.5       8080
  TCP       3389           129.138.0.0/16  192.168.1.5       3389
You can see that TCP ports 80, 22, and 8080 will be forwarded to 192.168.1.5. TCP port 3389 will be forwarded to 192.168.1.5 only if it comes from an address in the 129.138.* range (written 129.138.0.0/16 in CIDR notation, where the number after the slash is how many leading bits of the address must match).
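As an added example (not code from the original post), here is a toy router that implements the two halves of the NAT story above: it rewrites outbound packets and remembers the mapping so replies find their way back, and it checks unsolicited inbound packets against port-forward rules that reproduce the table just shown, including the CIDR source restriction and an optional internal-port rewrite. The public address 203.0.113.7 and the remote hosts are constructed documentation addresses.

```python
"""Toy NAT router: outbound connection tracking plus inbound port-forward rules.

Added example, not from the original post. The rules reproduce the port
forwarding table described above; all packets and addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Forward:
    proto: str
    ext_port: int
    internal_ip: str
    internal_port: Optional[int] = None   # None keeps the external port number
    source: Optional[str] = None          # CIDR the packet must come from; None = any


class NatRouter:
    def __init__(self, wan_ip: str, forwards: List[Forward]):
        self.wan_ip = wan_ip
        self.forwards = list(forwards)
        # (proto, wan_port) -> (lan_ip, lan_port, remote_ip, remote_port)
        self.table: Dict[Tuple[str, int], Tuple[str, int, str, int]] = {}
        self._next_port = 40000

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite a LAN -> internet packet and remember the mapping for replies."""
        wan_port = self._next_port
        self._next_port += 1
        self.table[(pkt.proto, wan_port)] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return Packet(pkt.proto, self.wan_ip, wan_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Handle an internet -> router packet.

        Returns the rewritten packet for the LAN host, or None if it is dropped.
        A reply to a tracked connection wins; otherwise the forward rules apply.
        (A real router also tracks TCP state and ages entries out.)
        """
        entry = self.table.get((pkt.proto, pkt.dst_port))
        if entry and (pkt.src_ip, pkt.src_port) == (entry[2], entry[3]):
            return Packet(pkt.proto, pkt.src_ip, pkt.src_port, entry[0], entry[1])
        for rule in self.forwards:
            if rule.proto != pkt.proto or rule.ext_port != pkt.dst_port:
                continue
            if rule.source is not None and \
                    ipaddress.ip_address(pkt.src_ip) not in ipaddress.ip_network(rule.source):
                continue
            return Packet(pkt.proto, pkt.src_ip, pkt.src_port,
                          rule.internal_ip, rule.internal_port or pkt.dst_port)
        return None


# The port forwarding table from the post.
RULES = [
    Forward("tcp", 80, "192.168.1.5"),
    Forward("tcp", 22, "192.168.1.5"),
    Forward("tcp", 8080, "192.168.1.5"),
    Forward("tcp", 3389, "192.168.1.5", source="129.138.0.0/16"),
]

if __name__ == "__main__":
    router = NatRouter("203.0.113.7", RULES)
    out = router.outbound(Packet("tcp", "192.168.1.20", 51000, "198.51.100.9", 443))
    print("outbound became:", out)
    print("reply delivered to:", router.inbound(
        Packet("tcp", "198.51.100.9", 443, "203.0.113.7", out.src_port)))
    print("RDP from 129.138.4.4:", router.inbound(
        Packet("tcp", "129.138.4.4", 60000, "203.0.113.7", 3389)))
    print("RDP from elsewhere:", router.inbound(
        Packet("tcp", "198.51.100.9", 60000, "203.0.113.7", 3389)))
```

Note that the source restriction is the only thing standing between the internet and port 3389 on 192.168.1.5; an unrestricted forward would deliver that remote-desktop port to anyone who scans for it.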
Some routers may also support Port Triggering. Port triggering is a less-used feature where a range of incoming ports will be forwarded to a computer after that computer initiates an outgoing connection in another range of ports. You can think of this as port forwarding that is automatically turned on and off. Let’s say we set up the ports 5000-6000 to trigger on the ports 4000-5000. If a computer inside your network opens a connection to a computer on the internet on a port between 4000 and 5000, then ports 5000-6000 will automatically be forwarded to that internal computer for a period of time. Port triggering is generally only used for peer-to-peer file transfer protocols, where the “trigger connection” is used to detect that a computer is running a P2P client, and the forwarded ports allow other computers in the cloud to connect in. By using this triggered technique, port forwarding will automatically be set up for client computers without having to create a rule for each one. Of course, only one computer can hold the triggered forward at a time.
If you’re setting up some kind of home server and need to be able to connect in, it might be annoying to remember your router’s internet IP address, especially since it will likely change from time to time. A Dynamic DNS Service can assign a domain name to your home router, even as its internet IP changes.

Dynamic DNS

A dynamic DNS service will assign a domain name to your router’s current IP address, and then will change the IP the domain points to each time your router’s IP changes. In order for this to work, your router will need to inform the dynamic DNS service each time it gets a new external address. Most routers have this functionality built-in. Exactly how it’s set up depends on the service provider, but usually you just need to create an account with a dynamic DNS service and then give your router the username and password for that account. DynDNS and dns.afraid.org are both popular dynamic DNS services.
Since your router (and, through port forwarding, devices behind it) is exposed to the internet, security is important. All routers have security features built in, and some have more advanced security controls available.

Firewall

By dropping incoming connections that don’t match a tracked outbound session or a forwarding rule, NAT provides a level of incidental security, behaving much like a simple stateful firewall. It’s a side effect of address translation rather than a designed security boundary, though, and every port forward or faux-DMZ entry punches straight through it. Most routers also have a few other security settings.
  • ICMP Ping: you can set your router not to respond to ICMP Ping requests, often used to determine if there is a machine online at an address. Disabling this provides a bit of extra security but not much, since there are other ways to determine if a machine is online.
  • Allow Multicast: Multicast packets are packets addressed to a group of computers rather than a single one. Most routers will ignore multicast packets from the internet by default. This is a sensible setting to avoid attacks.
  • NAT loopback (also called hairpin NAT): with this enabled, a computer inside your network can reach a forwarded service by using the router’s public address or dynamic DNS name, just as an outside computer would; the router translates the connection on both sides. Without it, such a connection from inside simply fails. It has no effect on traffic from the internet, so leave it on if your router offers it and you use your public name from inside.
These basic settings rarely need to be changed from their default. One further traffic-handling function, not a security feature but often found in the same part of the interface, requires quite a bit of configuration if you choose to enable it: Quality of Service.

Quality of Service (QoS)

Quality of Service systems prioritize traffic by type, moving some packets faster at the cost of moving less important packets more slowly. QoS is fairly complicated to set up, but I’ll explain the basic concept. First, you must “classify” your packets. This means setting up rules based on addresses, port numbers, and other header values that put packets into different classes (usually lettered as Class A, Class B, etc). You can then Prioritize these classes, specifying that certain classes should be given more bandwidth than others. A typical application of QoS is to prioritize VoIP or video game traffic over traffic that is not as latency-sensitive. Virtually all routers support QoS but ship with it disabled, and for most users it’s not worth the time involved in configuration.
Finally, most routers allow you to set up some simple restrictions on when and how your network can be used.

Access Restrictions

Your router may have either or both scheduled restrictions and content restrictions. Scheduled restrictions allow you to specify that certain computers (typically identified by their MAC address, which a determined user can change) should only be able to access the internet during certain scheduled periods. Content restrictions allow you to specify that certain computers or all of the network should not be able to access certain websites, typically specified by domain. This functions as a very lightweight (and thus easy to circumvent) content filter. You can use these settings for rough parental control, if you’d like, but know that they’re easy to get around with common tools.
Hopefully you know more about your home router now. I tried to be pretty inclusive in this list, but I’m certain there are things I’ve left out. Most of those things would probably make good SuperUser questions, so feel free to ask away!
