SOHO wireless routers may be the most common network devices in the world, so it’s important that you understand some of the more detailed configuration settings. In this video, you’ll learn about wireless channels, encryption, NAT, port forwarding, port triggering, IP addressing, DMZ ports, QoS, and more.
As we mentioned in an earlier video, the wireless encryption you’re using on your network is very important. You want to be sure the information sent across your wireless network is going to be protected from prying eyes. So you want to be sure to configure the proper encryption method for your wireless router. And these days it’s pretty easy because you choose one single encryption type, and that’s WPA2. This may be listed as WPA2-AES, which describes the encryption mechanism and use. It may say WPA2-PSK for pre-shared key, because everyone is using the same key on that network.
If you have the option between WPA2 and WPA, you should always choose WPA2. And obviously because of the cryptographic vulnerabilities associated with WEP, you should never use WEP as a wireless encryption type on your network. One consideration with setting the encryption type is that all of the devices that need to connect to this wireless network should be using this encryption type. If you have some older equipment, or equipment that doesn’t understand WPA2, then those devices would not be able to connect to the wireless network. You could change your wireless network encryption to use WPA instead of WPA2. But it’s usually best to upgrade those older devices so that everything on your network will be using WPA2 encryption.
These wireless networks, of course, are using a set of frequencies to communicate. And you can manually configure these frequencies so that other wireless access points or routers that are in your area are not sharing the same frequency and creating interference with each other. These days, the wireless routers and access points usually will automatically set their frequency settings, that way you’ll be sure that you’re not conflicting with anything else that’s around you.
One of the things you may have noticed on your wireless network is that all of the devices are getting IP addresses that are private IPs, and they’ve all been assigned by the DHCP server that’s inside of your wireless SOHO router. But of course, these internal IP addresses are not going to be able to communicate on the internet. So in order for your internal devices to communicate to the rest of the world, your wireless router is set up to do network address translation, NAT. In the case of the wireless router and everyone communicating out to the internet, this is a type of NAT called source NAT. You may see it also referred to as port address translation, or PAT.
All internal devices are going to have an internal IP address, but they’ll be able to communicate out to the rest of the world because your router is performing a translation. It’s translating your internal IP address to one external public IP address that can then communicate out to the internet. And of course, the reply to your traffic will be directed to the public IP address on your router. Your router will translate that back to your internal IP address. And you’re able to receive information from the internet.
As we’ve seen with the default configuration, all of your internal devices have private IP addresses, and the public IP addresses on the outside of your network. With this configuration, there’s no way for someone on the outside to directly communicate with the devices that are on the inside of your network. But you can make a change to the router configuration to allow this. And this is called port forwarding. This allows you to configure a service on the inside of your network and allow people on the outside to be able to easily access that service, all without changing any of your IP addresses.
We’re able to do this by configuring a wireless router to take the external IP address and a port number that you assign and automatically translate that to an internal IP address and a port number that you specify. This is called destination NAT. Some people might call this static NAT, because you’re setting up a static connection between an outside IP address and port number, and an internal IP address and port number. This port forwarding is set up permanently. Once you make the configuration change, anyone from the outside can access that particular service at any time of the day.
Here’s a graphical view of this communication. Let’s say that we’d like to configure 192.168.3.22 as a web server on our network. We’ll make a configuration change inside of the router, the says if anybody is connecting to 184.108.40.206, which is our external public IP address, and anybody who is trying to access a particular port number, let’s say port 80, then let’s send them automatically to our internal IP address. And let’s make sure they’re able to communicate to that web service. So that way if someone on the outside of my network is communicating through and they’re communicating to 220.127.116.11, this destination NAT, or port forwarding, is automatically going to send everything to the correct internal IP address.
Let’s say that you’d like the functionality of a port forward, but you don’t want to have this configured 24 hours a day and seven days a week. In that case, we might want to consider using a port trigger. This is similar to a port forward, but it’s only going to be active under a certain circumstance. For example, you may enable this configuration when you start up a game, or you perform a file transfer. And while that game is running, or while that file transfer is taking place, this port trigger will be in use. If that game is no longer operating, the port trigger is removed from your router and no one’s able to access your internal network.
This port triggering is a one to one relationship. There is a particular external IP address and port number that is mapped to an internal IP address and port number. So because of this, you can’t have multiple people trying to configure the exact same type of port triggering on the network. It can really only be done one at a time. So if you do want to set up multiple types of port triggers, you probably want to use port forwarding and specify different port numbers on the external part of your network to be mapped to different devices on the internal part of your network.
On your wireless router, you can configure exactly the way that IP addressing is handled on your network. And most people configure DHCP, or dynamic host configuration protocol. This is a way to automatically assign IP addresses, subnet masks, default gateways, and any other configuration settings for IP across all of the devices on your network. Of course, you don’t have to use DHCP. If you wanted to manually assign or statically assign the IP addresses on every single device on your network, you could certainly do that as well.
There’s usually no security issue associated with setting things automatically with DHCP, or manually with the static IP addressing configuration. If the network is unencrypted, then obviously you can see everything, including the IP addresses. Or if someone is able to break the encryption or they know the pass phrase for your encryption, then obviously they’ll be able to see IP addresses there as well. Some people incorrectly believe that disabling DHCP and setting IP addresses manually is somehow more secure. But if someone is on your wireless network, they can very easily see the IP addresses that you’re running on your network.
We consider this false type of security as security through obscurity, which in the end is no security at all. One nice capability of these small office home office routers is that they are also firewalls, so they help prevent anyone from accessing our internal network from the outside. This firewall functionality is not something that can commonly be disabled, and for good reason. One of the most important capabilities of these wireless routers is this firewall functionality.
Up to this point, we’ve described people accessing services on our network as either being on the outside of our network or the inside of our network. But there is a middle ground. And this is called a demilitarized zone, or a DMZ. Many wireless routers have this DMZ functionality where you could put servers and services on a network that isn’t on the outside and it’s not on the inside, but it is a protected network. These services on this third network are usually accessed by configuring port forwarding rules that send people into the DMZ network instead of our internal network.
On many networks, every application has exactly the same priority as every other application on the network. But as we’re aware, applications have different priorities to us. We may want to allow our voice over IP traffic to have a higher priority than our gaming traffic. And many wireless routers have a quality of service, or a QoS configuration setting, that allow us to determine what traffic gets a higher priority or a lower priority on our network.
This is often a function that you’ll see in a higher end SOHO wireless routers, but it does allow us to set quality of service based on the Mac address or IP address of a device, a port number, or the application that’s going over the network. This is something, also, that you’ll probably want to test before implementing it as a production configuration, because you could create settings that might slow down traffic that was unintended. You want to be sure that all of your traffic is going to run across your network exactly as intended.
If you look at the website for the SOHO wireless router that you’re using, there may be some updates to the firmware available that you could download and install on your wireless router. This is something you should think about, because installing an update might not have a positive impact on the traffic flow. In fact, you might run into a problem with that firmware that actually makes all of your traffic go even slower. If you are planning to install a new version of firmware, it’s often useful to also make sure that you have the old version of firmware available as well. That way if you perform the upgrade and things don’t go as planned, you can always revert back to the previous version.
In many cases though, the newer firmware is going to have some enhanced capabilities, and may provide additional compatibility with newer chipsets of wireless devices that may be connecting to your network. The idea behind universal plug and play is that devices can find each other, even through the network address translation that normally occurs on our wireless networks. You might also hear this referred to as a zero configuration.
When UPnP is configured, applications that are running on the inside of your network can change the configuration of your router to allow certain traffic to pass through your firewall. You don’t have to make any configuration changes to the firewall. There are no approvals needed. All that we need is an application to be able to communicate properly across the network to your router, and it will make that configuration change because you’ve configured UPnP.
If it sounds like to you that this might be a security issue, you’d be correct. Having a third party application make configuration changes to your firewall to allow traffic from the outside to traverse that firewall and come to the inside of your network is certainly of concern. So you may want to consider disabling universal plug and play, and instead manually configure these settings for the applications that are running on your network.
Category: CompTIA A+ 220-901