Understanding Routers - Short Guide

LabZero

Thread author
Hello everyone.

I decided to write this guide because this is the topic I have been studying in recent months, and I hope it is useful for understanding the device that lets us access the internet.

This guide refers only to home routers. Many things have been omitted and many topics are treated lightly. All the solutions I share are for home use. Business infrastructure is a different topic, although most of what is said here also applies to small business networks.

INTRODUCTION

The subject is quite complex and would require extensive knowledge of certain aspects. However, I will try to be as simple as possible so that we can all understand.

The guide is intended only for routers. Modems work in a completely different way.

Finally, the whole discussion refers only to the most common setups that we use every day at home, not to the general case.

NAT, PAT: how they work.

The technique of NAT/PAT (Network Address Translation, Port Address Translation) comes from the fact that the current 32-bit IP address system (IPv4) has reached saturation: IP addresses are gone, or are running out. The NAT technique allows an entire LAN to "be seen" from the outside, i.e. from the public internet, as a single host, and therefore to be assigned just one public IP address instead of a public address for each host.

Why can't internet packets work with the private LAN IP?

This is one of those things that would require knowledge of the routing process. Take it as given: in a network with one or more routers, the networks separated by a router cannot have IP addresses that are in the same address space, i.e. on the same subnet. For example:

Lan1: host: 192.168.1.1 255.255.255.0
Lan2: host: 192.168.1.2 255.255.255.0

Separated by a router, this won't work.

Difference between NAT and PAT

NAT changes only the IP, PAT changes the port of the packet. In most home routers the process is a hybrid NAT + PAT.
NAT assumes that you have a pool of public addresses to associate with the private addresses. Since the public address is unique and is supplied dynamically by the provider, if we have several PCs connected, only one of them at a time could connect to the internet.
NAT + PAT associates multiple private LAN addresses with a single public address by changing the port. So for example:

lan1pc1: 192.168.1.1
lan1pc2: 192.168.1.2
After NAT/PAT:
wanpc1: 212.1.1.1:1000
wanpc2: 212.1.1.1:1001
So: NAT (IP variation) and PAT (port variation).


How does that work?

The IP packet and/or port is modified, where the destination address and the source address reside. In theory both the addresses and the ports (destination and source) can be modified, but we will deal only with the source.
The process is accomplished by creating an association table (the NAT table) that matches the outgoing requests from the LAN to a set of ports (chosen at random by the router each time) and to the public IP address provided by the ISP.

For example:

Lanpc: 192.168.1.1
Wanrt: 212.1.1.1
The PC requests a web page at address 151.1.1.1.
- the PC sends the packet to the gateway (router), with source address 192.168.1.1 and destination 151.1.1.1;
- the router stores in the NAT table that 192.168.1.1 has requested a page at address 151.1.1.1;
- the router replaces the source address in the packet with the router's public, provider-assigned address 212.1.1.1, and changes the port (for example: 212.1.1.1:1000);
- everything is stored in the NAT table;
- the packet comes back with the requested information (the web page);
- the router checks the NAT table to see whether anyone within the LAN requested packets from this IP;
- if there is a match, it replaces the destination IP with the private IP found in the table;
- the packet arrives at the LAN host.

This is how NAT/PAT operates.

DMZ

The fact that there is a NAT table means that all packets not solicited from the LAN (packets that have no match in the NAT table) will be dropped by the router and not forwarded inside. But there is a method, the DMZ (Demilitarized Zone), which instructs the router to forward all incoming packets from the public network into the local network, to all hosts. It is a system that is usually used for public servers, which, though they have a public address pool, are still isolated from the LAN for obvious safety reasons.
Do not use it.

FIREWALLING

Firewalling is a technique for creating rules and inspecting packets for security reasons.
I find that the existence of many software firewalls has given rise to distorted ideas about what firewalls are and how they work. A firewall is a system that works at the IP packet level, not at the data level.
A firewall software module is installed in all routers. NAT protects what comes in from the outside; the firewall on consumer models blocks outgoing traffic, but often creates some problems if someone alters the working settings.

When do I need to use a firewall?

- I have a public address pool (no NAT) and the hosts are directly accessible from the public network.
- The router is in DMZ mode.
Packets are forwarded inside the LAN only if there is a match in the NAT table. Nothing goes in unless it was requested from an internal host.

PORTFORWARDING

I think this is the topic of most interest to everyone, but let me dispel a myth:

- port forwarding isn't firewalling.

When you set up a port forward rule (some call them virtual router server... or other strange names that make it even more confusing :D) you do not create firewall rules. If someone asks: but what about iptables? It is a Linux hybrid module (in some Linux-based routers/firewalls) and also includes NAT.
As we said: port forwarding is a manual entry in the NAT table. It's a kind of subset of the DMZ.
Why? Sometimes packets arriving from the outside need to be accepted without being requested from inside (when you play online, for example). In these cases it is sufficient to tell the router on which ports (PAT) and to which internal LAN IP address (NAT) to send the packets that arrive on the ports we know. The rule:

allow source: any, destination: any = DMZ.

The site Free Help Forwarding Ports indicates the correct port forwarding configuration for any router.

In most cases there is an implicit (public) source IP address: any. Otherwise you need to specify it, unless you are sure of the public IP of interest.

Firewall settings (in case you need them)

Assuming you really need it: firewalling techniques are complicated to explain, but there is a MASTER rule for every administrator user:

- all ports closed and traffic disabled on all addresses.
From here on, you enable one by one all the services necessary to the LAN.



ROUTING

Routing is difficult and I don't intend to cover it, because it is impractical and very, very theoretical: subnetting...

DHCP

DHCP allows you to dynamically assign IP addresses from a DHCP scope (IP range) to hosts that are configured to receive them (the default, if you have not touched anything).

When to use it?

DHCP is a good idea when there are no active forwarding rules. This is because forwarding rules are based on static IPs. If DHCP decides to change the IP of your PC in the LAN while you have active port forwarding rules, those rules no longer apply, because they refer to a static IP. So if you use port forwarding, use a static IP.

HYBRID SYSTEMS

Here the problem lies in the fact that if I have a DHCP network (for all hosts) and set some clients with static IPs, it is possible that DHCP will assign the same address to another DHCP client, resulting in a conflict.

Why create it? Because, for example, you may want some networked PCs to have static IPs while others receive addresses automatically. These types of structures are usually used in big LANs, where the core layer usually has servers with static IPs while the rest of the LAN is on DHCP.

There are 3 methods:

- You set a more restricted range of addresses to assign, while remaining on the same subnet. This lets you know that some addresses will never be assigned automatically. These addresses will be our static IPs for our servers or clients.

- Or, if the work was done the wrong way, we will have address spaces already occupied and not contiguous, where it won't be possible to set the IP range. In this case you should look for free IPs. These IPs may be "excluded" from the tasks of DHCP, and then will never be released.

- The other is diametrically opposed, but in fact has the same result. It makes DHCP bind an IP permanently to a MAC address, so a certain network adapter will only and always get the same IP. DHCP should already do that, but it is not always so. It is a system that I think is interesting and very suitable for less experienced users. Someone invented this system that runs parallel to the DHCP protocol and affects assignments. Not all routers support this, apparently.

Well, I hope this tutorial will be useful to remove any doubts; as usual, sorry for my errors. :)
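As an added illustration (not part of LabZero's post), here is a small Python simulation of the NAT/PAT table, the manual port-forward entry and the DMZ behaviour the guide describes: replies to LAN requests are let back in, a forwarded port reaches its fixed LAN host, a DMZ host receives everything, and anything else is dropped. The 192.168.1.x, 212.1.1.1 and 151.1.1.1 addresses come from the post; the class and method names, the port pool and the 25565 / 203.0.113.x sample values are constructed for this example.

```python
import random

PUBLIC_IP = "212.1.1.1"            # provider-assigned WAN address (from the post)
PAT_PORT_POOL = range(1000, 2000)  # constructed: ports the router picks from


class HomeRouter:
    """Toy router: NAT table, static port-forward entries, optional DMZ host."""

    def __init__(self, forwards=None, dmz_host=None):
        self.nat = {}                     # public_port -> (lan_ip, lan_port, remote_ip)
        self.forwards = forwards or {}    # public_port -> (lan_ip, lan_port), manual entries
        self.dmz_host = dmz_host          # LAN host that receives every unmatched packet
        self._free_ports = list(PAT_PORT_POOL)
        random.shuffle(self._free_ports)  # the router chooses ports at random

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """LAN -> WAN: rewrite source IP (NAT) and source port (PAT), record the mapping."""
        pub_port = self._free_ports.pop()
        self.nat[pub_port] = (src_ip, src_port, dst_ip)
        return (PUBLIC_IP, pub_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """WAN -> LAN: deliver replies, forwarded ports or DMZ traffic; drop the rest."""
        entry = self.nat.get(dst_port)
        if entry and entry[2] == src_ip:           # a reply to something the LAN asked for
            lan_ip, lan_port, _ = entry
            return (src_ip, src_port, lan_ip, lan_port)
        if dst_port in self.forwards:              # port forward = manual NAT table entry
            lan_ip, lan_port = self.forwards[dst_port]
            return (src_ip, src_port, lan_ip, lan_port)
        if self.dmz_host:                          # DMZ: everything goes in, on any port
            return (src_ip, src_port, self.dmz_host, dst_port)
        return None                                # unsolicited packet: dropped


if __name__ == "__main__":
    r = HomeRouter(forwards={25565: ("192.168.1.20", 25565)})
    out = r.outbound("192.168.1.1", 51000, "151.1.1.1", 80)
    print("translated:", out)
    print("reply delivered to:", r.inbound("151.1.1.1", 80, out[1]))
    print("unsolicited packet:", r.inbound("203.0.113.5", 4444, 22))
```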
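Also added here, and not part of the original post: a toy DHCP scope in Python that models the three "hybrid" options from the guide (a narrowed range, excluded addresses and a MAC reservation) and reports which static hosts could still collide with an automatic assignment. The class and function names, the 192.168.1.100-105 range and the MAC addresses are constructed for this example.

```python
from ipaddress import IPv4Address


class DhcpScope:
    """Toy DHCP scope: pool range, excluded addresses and MAC reservations."""

    def __init__(self, first, last, excluded=(), reservations=None):
        lo, hi = int(IPv4Address(first)), int(IPv4Address(last))
        self.pool = [str(IPv4Address(a)) for a in range(lo, hi + 1)]
        self.excluded = set(excluded)                 # never handed out (method 2)
        self.reservations = dict(reservations or {})  # mac -> ip, fixed (method 3)
        self.leases = {}                              # mac -> ip currently assigned

    def offer(self, mac):
        """Return the address the scope gives this MAC, or None if the pool is full."""
        if mac in self.reservations:
            ip = self.reservations[mac]
        elif mac in self.leases:
            ip = self.leases[mac]                     # renewal keeps the same address
        else:
            taken = set(self.leases.values()) | self.excluded | set(self.reservations.values())
            free = [ip for ip in self.pool if ip not in taken]
            if not free:
                return None
            ip = free[0]
        self.leases[mac] = ip
        return ip


def conflicts(scope, static_hosts):
    """Static addresses inside the pool that are neither excluded nor reserved."""
    safe = scope.excluded | set(scope.reservations.values())
    return sorted(ip for ip in static_hosts if ip in scope.pool and ip not in safe)


if __name__ == "__main__":
    s = DhcpScope("192.168.1.100", "192.168.1.105",
                  excluded={"192.168.1.101"},
                  reservations={"aa:bb:cc:00:00:01": "192.168.1.103"})
    print(s.offer("aa:bb:cc:00:00:02"), s.offer("aa:bb:cc:00:00:03"))
    # .10 is outside the pool (method 1), .101 is excluded, .104 can still collide
    print(conflicts(s, ["192.168.1.10", "192.168.1.101", "192.168.1.104"]))
```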
 

kev216

Level 21
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Aug 6, 2014
1,044
Very nice article, as always :)