Practical Computing Advice and Tutorials

Sun: 26 May 2019

NAT Router & Wi-Fi Configuration

The 'Router' that you get from your ISP is a multifunctional device and combines several technologies into one small unit.

It may even have other features, or it may have fewer, but those are the most common.

Briefly, you need an ADSL modem: 'DSL', because it's used to connect computer networks together over a telephone line which provides the Digital Subscriber Line service, and 'A' because it's Asymmetric, that is you get a faster connection in one direction than you do in the other.

A 'NAT' (Network Address Translation) Router translates the IP Addresses between the two (or more) Networks to which it's connected. You'll be connected to at least two Networks: One is called a Wide Area Network (WAN) and the other is your Local Area Network (LAN).

I've written a small introduction to computer networks and the NAT technology, which you may find of interest.

The port into which you can connect an Ethernet Cable is a Switch Port. You may have more than one, and these can be used to provide you with a sub-set of LANs, but by default all the Switch Ports will be part of the same LAN.

The term 'port' can get a little confusing, as there are a couple of different kinds of ports:

The truth is, your Router is quite a secure device in and of itself, especially if you've taken the steps needed to secure the 'WAP' part of it, a WAP being a Wireless Access Point; Wi-Fi.

Unless you grant access to your LAN through your Router from the Internet (this is a service called 'Port Forwarding', where you tell your Router on which port to expect an inbound connection and to which IP address on your LAN to forward the traffic), your Router will simply block any incoming connections, by default. That said, there are a few settings that you should check on, because the manufacturer may have enabled a couple of things that make it less secure than it would otherwise be. One example of this is Universal Plug and Play (UPnP), which lets devices on your LAN open inbound ports on the Router without asking you. You should disable UPnP on your Router unless you have good reason not to do so. That setting may be in the same place as your LAN settings, or it may be in the same place as your Firewall settings, or it could be somewhere else; you'll simply have to look for it.

Also, if you've added an additional WAP for casual use, that could be a security issue when it's being used or if you've forgotten to turn it off. But, later I'll explain how you can have such a device on its own segment of your LAN, and as such it'll be less of a risk to your regular LAN, when it's up and running. Some NAT Routers have a so-called 'Guest Network' on the WAP. Use this with caution, as it may allow full access to your LAN, rather than simple Internet access.

Your NAT Router, by default, should block any and all unsolicited incoming connections (traffic) from the Internet. That is, only traffic that has been requested by the devices on your LAN, which includes your Wi-Fi connections, will be able to get past your NAT Router.

The acronym NAT stands for Network Address Translation. What this means is that you can have many devices, all of which need their own IP Address (we'll also get to what that is in a later post), sharing the one IP Address that has been assigned to you by your ISP. The NAT Router 'Translates' the LAN traffic into WAN traffic and vice versa. The only way that your NAT Router can translate incoming traffic from the Internet is if it has a LAN IP Address with which to associate that traffic. If there's no LAN IP Address waiting for the traffic, the NAT Router simply discards it.

Your Router has many different so-called 'Ports' (these are virtual, internal ports, not the external ones) on which to accept connections. All of these are controlled by its Firewall, and should be 'closed', by default. When a device that you're using requests a connection to a web site, your NAT Router will open one of these Ports so that it can accept the return connection and Route any traffic between the device on your LAN and a Server on the Internet. You'll see that the lights on the front of your Router will flicker when traffic is flowing; the faster the flicker, the more the traffic.

Steve Gibson offers many useful services. One of the ones that you can use to check that the ports on your Router are, at the very least, closed, is ShieldsUP!. Just go to https://grc.com and read what Mr. Gibson has written before you use his service.

If you find that you have open ports that you're not aware of, that is, you're not running some service that requires said port to be open, check the 'Firewall Rules' on your Router.


Your NAT Router is a Hardware Firewall

NAT technology monitors outbound IP Packets by creating a table that maps Host IP Addresses to Server IP addresses. The Host IP Addresses are "Inside", or behind the NAT Router, while the Server IP Addresses are "Outside", or in front of the NAT Router.

NAT technology has allowed us to extend the use of IPv4 Addresses; without NAT we would have run out of IPv4 Address allocation long ago.

On the LAN (Inside) we have (at least) one IP Address for each of the devices that are connected to the network; any device with more than one way to connect to the LAN will have more than one IP Address. These are your so-called "Private" IP Addresses and have specific ranges specified in RFC 1918.

10 /8       prefix:(010.000.000.000 — 010.255.255.255)
172.16 /12  prefix:(172.016.000.000 — 172.031.255.255)
192.168 /16 prefix:(192.168.000.000 — 192.168.255.255)

Note that (in pre-CIDR notation) the first block is nothing but a single class A network number, while the second block is a set of 16 contiguous class B network numbers, and the third block is a set of 256 contiguous class C network numbers.

On the WAN (Outside) we have one IP Address that connects to the Internet and that all the nodes on the LAN side will share; your so-called "Public" IP Address.

All IP Packets have a Source IP Address; the IP Address of the Host machine. Before your NAT Router forwards a Packet to its destination, it swaps out the Inside IP Address, replacing it with the Outside IP Address, which becomes the new Source IP Address to which the next Router along will reply. Typically that "Next Hop" will be a Router located with your ISP, which could also be using NAT technology. Each Router along the route to the Server will do the same. Eventually the Packet will get to the Server, which will return a Packet; when that reply reaches your NAT Router, it looks up the IP mapping so that it can forward the Packet to the correct Host machine.

The practical upshot of this is that if your NAT Router receives a Packet for which it has no mapping, it will disregard (drop) it. This means that any unexpected inbound network traffic will be blocked by your NAT Router, so it's essentially a simple "Hardware Firewall"; your first line of defence against any malicious network traffic.
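To make the mapping table concrete, here is a small simulation of the behaviour described above: an outbound Packet creates an Inside-to-Outside mapping, a reply that matches the mapping is translated back to the Host, anything unsolicited is dropped, and a Port Forwarding rule is the one way in. This is an added example, not code from the original post; the 203.0.113.7, 192.0.2.80 and 198.51.100.5 addresses are constructed from the documentation ranges, and the Outside port numbering is an assumption.

```python
import ipaddress
from dataclasses import dataclass, replace

# The three RFC 1918 "Inside" blocks from the table above.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(ip: str) -> bool:
    """True when ip lies in one of the RFC 1918 blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class NatRouter:
    """Toy port-translating NAT: unmapped inbound traffic is dropped by default."""
    def __init__(self, public_ip: str, port_forwards=None):
        self.public_ip = public_ip
        self.port_forwards = dict(port_forwards or {})  # outside port -> (inside ip, inside port)
        self.outbound_map = {}   # (inside ip, port, server ip, port) -> outside port
        self.inbound_map = {}    # outside port -> (inside ip, port, server ip, port)
        self.next_port = 40000   # first Outside port handed out (assumed starting value)

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> WAN: create (or reuse) a mapping and rewrite the Source address."""
        if not is_private(pkt.src_ip):
            raise ValueError(f"{pkt.src_ip} is not an RFC 1918 inside address")
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.outbound_map:
            self.outbound_map[key] = self.next_port
            self.inbound_map[self.next_port] = key
            self.next_port += 1
        return replace(pkt, src_ip=self.public_ip, src_port=self.outbound_map[key])

    def inbound(self, pkt: Packet):
        """WAN -> LAN: deliver only via an existing mapping or a Port Forward, else drop (None)."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.inbound_map.get(pkt.dst_port)
        if entry and entry[2:] == (pkt.src_ip, pkt.src_port):   # reply from the Server we contacted
            return replace(pkt, dst_ip=entry[0], dst_port=entry[1])
        if pkt.dst_port in self.port_forwards:                   # hole the admin opened deliberately
            ip, port = self.port_forwards[pkt.dst_port]
            return replace(pkt, dst_ip=ip, dst_port=port)
        return None                                              # unsolicited: discarded
```

Note that a reply from a different Server, or to an Outside port that was never handed out, is dropped even though the port number is "in use", which is exactly why ShieldsUP! should report your ports as closed.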


Setting Up A Secure Home Wi-Fi Network

One of the ways with which your information can be stolen is by someone gaining access to your Wi-Fi Network. Most people are now using a Wi-Fi connection at home by default, because it's quick and convenient. If you didn't bother to reconfigure the Wi-Fi settings of your device when you got it, then it's probably not as secure as it could or should be.

I'm not a fan of Wi-Fi enabled Routers simply working as is, direct from an ISP. It's natural for people to take the path of least resistance, which results in a kind of 'if it works, leave it alone' attitude.

The issue is that the default settings of these devices can be easily obtained and the default Wi-Fi passphrase can be attacked using a 'word list'. Please read my post on passwords so that you'll better understand what that attack is and how you can easily generate a very secure passphrase for your Wi-Fi connection. You should really use a 63 character passphrase, but don't use anything less than 12. A WAP is a Wireless Access Point: It's a radio transceiver that is used to connect the Wi-Fi Network to your Ethernet LAN and may be part of your NAT Router, or it may be a separate unit.

You can configure all of this via your Web Browser, which is why the 'Router' needs a Web Server. The instructions for doing this will have been supplied by your ISP. If you've lost them, it's no big deal, as most of the options should be easy to find and the default settings may even be labelled on the bottom or the back of the Router. Make sure that the Wi-Fi security settings are WPA2-PSK and that the Encryption is AES, then use a password (A.K.A passphrase) length of the maximum allowed, 63 characters.
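The following is an added example, not code from the original post, showing how to generate the maximum-length WPA2-PSK passphrase recommended above and how to check an existing one against the post's advice. It assumes the WPA2 passphrase rules of 8 to 63 printable ASCII characters, and takes the post's minimum of 12 as the lower bound; the short word list is constructed for illustration.

```python
import math
import secrets

# WPA2-PSK passphrases are 8-63 printable ASCII characters (0x20-0x7E); 95 symbols in all.
# MIN_LEN follows the post's advice to never go below 12 characters.
WPA2_CHARS = "".join(chr(c) for c in range(0x20, 0x7F))
MIN_LEN, MAX_LEN = 12, 63

# Constructed stand-in for the kind of word list used against default passphrases.
WORD_LIST = {"password", "admin1234", "letmein", "wifipassword", "changeme"}

def generate_passphrase(length: int = MAX_LEN) -> str:
    """Return a uniformly random passphrase from the OS CSPRNG (secrets module)."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError(f"length must be between {MIN_LEN} and {MAX_LEN}")
    return "".join(secrets.choice(WPA2_CHARS) for _ in range(length))

def entropy_bits(length: int, alphabet_size: int = len(WPA2_CHARS)) -> float:
    """Bits of entropy for a uniformly random string of this length over this alphabet."""
    return length * math.log2(alphabet_size)

def check_passphrase(passphrase: str) -> list:
    """Return the list of problems found; an empty list means the passphrase passes."""
    problems = []
    if len(passphrase) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(passphrase) > MAX_LEN:
        problems.append(f"longer than the WPA2 maximum of {MAX_LEN} characters")
    if any(ch not in WPA2_CHARS for ch in passphrase):
        problems.append("contains a character outside printable ASCII")
    if passphrase.lower() in WORD_LIST:
        problems.append("appears in a common word list")
    if len(set(passphrase)) <= 2 and passphrase:
        problems.append("uses only one or two distinct characters")
    return problems
```

A full 63-character passphrase over 95 symbols carries roughly 414 bits of entropy, far beyond what a word list or brute force can reach; the weak point then becomes wherever you store it.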

Now, that should be enough to keep just about any intruder off of your Wi-Fi Network, but if you want an extra layer of security, you could also set up an Access Control List (ACL) in which you list only the MAC Addresses of the devices that you want to grant access to. It's not too complicated to do and it can be circumvented, but it's another layer that I use; it's there, so why not use it.

Another measure that is worth taking is to change the SSID to something that does not identify the manufacturer of the device, or you could block the SSID from being broadcast. Again, these measures can be circumvented, but why make it easy for an attacker; the more work that's involved for an attacker, the more likely that they'll simply give up and move on to a softer target.

Be safe!