Friday 10 July 2015

What Do Router Settings Actually Mean?

Router Settings

Keir Thomas delves into his router’s configuration panels to provide a quick and simple guide to getting the most from your network hardware

Internet technology is designed to be as simple as possible to understand, but it’s simultaneously clogged up with confusing terminology. In this feature we will be going through the terms and technologies you’re likely to encounter while delving into your router’s settings screens; we use a BT Home Hub 5 for  the purposes of dissection, and BT still has the lion’s share of ADSL broadband customers in the UK, but what’s discussed is common across all kinds of wi-fi routers.


The Home Hub provides some elementary configuration options via the Settings tab, but we’re going to jump straight into the juicier options by clicking the Advanced Settings button. Click this if you want to play along at home and click the Wireless heading beneath to get started. If prompted for a username and/or password, look at the card that came with the Home Hub, or at the sticker on the bottom of it. Note that some mean ISPs essentially block access to the deeper settings of their routers by not sharing the username or password – although a quick Google may well reveal such forbidden fruit.

What Wi-fi?


As is common for recent models of ADSL routers, our Home Hub 5 transmits and receives on both the 2.4GHz and 5GHz wireless channel ranges, as is demonstrated by the separate 2.4GHz Wireless and 5GHz Wireless menu options. By default on the Home Hub both frequency ranges are synced with each other, which means they share the same wireless network name (SSID) and password, allowing computers and devices can choose which they want. However, on the Home Hub each frequency band can also be set to operate independently.

It’s a common misconception that wireless frequency has a direct correlation with speed. It’s true that the faster 802.11ac standard uses exclusively the 5GHz range, but then again so did the very first 802.11a wi-fi standard, cleared for use back in 1999.

However, none of this means a hill of beans if your computers and devices are not compatible with 5GHz. Support is increasingly common, but older or less expensive devices might support only 2.4GHz. To find out what your PC supports, open a command prompt (click the Start button and type cmd), and then type:

netsh wlan show drivers

If you see 802.11ac listed at the bottom of the output, then your computer supports 5GHz.

Because the 802.11b/g wi-fi standards uses 2.4GHz, and these were the standards that made wi-fi popular over the last decade, the 2.4GHz frequency range is typically very congested. In short, everybody’s using it. Wi-fi is built to cope, but at the price of data rate slowdowns or even lost connections.

This isn’t helped by the fact that, while the popular 2.4GHz range claims to offer 13 separate channels, in reality the signals occupying the range overlap and interfere with each other. In fact, only small groups of channels can be used without overlapping – typically one, six and 11 (or two, seven and 12, or three, eight and 13, or four and nine, or five and 10). This is why most routers default to channels one or six. It also means that manually selecting something like channel two if you’re experiencing wi-fi issues might not solve your problem because channel two overlaps with one, three, four, five and even six to some degree.

Choosing a wi-fi channel can be something akin to a black art, dependent entirely on local circumstances. However, like many routers, our Home Hub offers a ‘Smart’ toggle that aims to analyse radio traffic in the locality to choose the best option. This is wise because congestion isn’t the only issue: both wi-fi frequency ranges are unlicensed, which is to say anybody can transmit anything on them without governmental permission (unlike the frequencies used by mobile phones, for example, or those reserved for digital TV or armed forces use). Because of this the 2.4GHz range is also home to some DECT wireless phones and automated garage opening devices, and microwave ovens also generate noise at that frequency.

Switching to 5GHz isn’t a perfect solution. There’s still interference from some household devices (microwave ovens again, amongst other things) but the most damning issue is the distance a signal can travel decreases the higher its frequency. Thus, a 5GHz wi-fi signal might not struggle to get through the floors and walls of a house to a back bedroom, even through 2.4GHz might be received there without hindrance. Ergo, 5GHz is ideal – and only offers those fast 802.11ac data speeds – when you’re in the same as the router, or pretty nearby. (And you do know that the data rate you’re likely to get over wi-fi has no bearing on what the box says, don’t you?)

However, if you want to utilise the faster 802.11ac wi-fi standard then you’ve no choice but to use 5GHz. In most situations choosing the 5GHz frequency range does make sense, not only is it much less congested, it benefits from the fact that unlike 2.4GHz there’s more available channels to choose from and no channel overlap.

Broadband


Clicking the Broadband > Internet menu option on our Home Hub shows a dashboard display of wide area network (WAN) details – which is to say, our Internet IP address as well as the Internet gateway and DNS servers the router is using. Above this is the broadband signin username, which our Home Hub doesn’t let us change – although some routers from other ISPs do. Changing these details can be useful if you’re using a router provided by one ISP after switching to another provider. However, if you’re using a fibre connection, or your local exchange has local loop unbundling (LLU), then the username and password are ignored (although something must be typed into them). Unfortunately, there’s not space here to describe what LLU is, you’ll have to look that up for yourselves.

The Broadband > VPN heading of our Home Hub settings screen lets us clamp UDP port 500. This sounds painful, but means that any virtual private networking (VPN) software used by a computer or device on the network can initiate a connection via port 500, rather than via a constantly varying port number (which is considered more secure). Put simply, if you’re using a VPN, and are having trouble connecting then it’s worth setting this – and don’t forget that VPN connections aren’t just found in business environment nowadays, BitTorrent anonymisers use them, for example.

The Broadband > Dynamic DNS menu option lets us configure a hostname for the router. Essentially, this means we can set a name by which we’ll always be able to reach our router from elsewhere on the internet, rather than typing its IP address (which will change each time the router disconnects and reconnects). Dynamic DNS hostnames are typically a third-level domain name like johnsmith.dyndns.com and how they works is pretty simple – the router periodically contacts the dynamic DNS server that you’ve signed up to in order to give an update on its IP address. Therefore, if the router’s IP address changes (if the router reboots, or loses power for example) then the dynamic DNS will be aware within minutes.

Our Home Hub is compatible with the DyDNS, DynDNS, NoIP, changeip.com, tzo,com, easydns.com and zoneedit.com services although in actual fact the list is longer because services not listed emulate existing offerings like DynDNS. Whichever service you choose, you’ll have to provide the username and password details that you configured with that service, as well as the hostname you chose, which should be typed in the Host field. The Home Hub allows you to setup multiple dynamic DNS hosts, which can be useful if you want to create a handful of fall-back services in case one proves unreliable. Considering many services offer a free tier, this can be a good idea.

Home Network


Clicking the Home Network > Devices menu option of our Home Hub shows a nice diagram of what devices are connected, and via which method (wi-fi 2.4/5GHz, Ethernet etc) – along with their hostnames and MAC addresses (that is, the unique address of the networking hardware).

The Home Network > Smart Setup lets us turn off a somewhat irritating feature of the Home Hub, which is that it automatically directs any new device or computer that connects to a welcome page at the BT website.

The Home Network > IP Addresses option lets us configure the dynamic host control protocol (DHCP) server. All home Internet routers use network address translation (NAT), and it’s so commonplace that it’s not even mentioned in router specification lists any longer. NAT lets all the computers on a network use a single public (WAN) IP address. In other words, if your tablet requests a movie then NAT will request that data via the public IP address and – crucially – remember this request so that it can route the video back to the tablet’s private network address once it’s been received. NAT does hundreds of operations like this every second.

For NAT to work the router needs to create a private home network and Dynamic Host Configuration Protocol (DHCP) is the component that hands out private network IP addresses to each device or computer. The Home Hub lets us set the network address range we want to use – most routers default to the 192.168.1.* range, but our Home Hub also lets us choose the 172.16.*.* range, or even configure our own range. All these network IP address ranges are referred to as non-routable, which is to say any router on the Internet will not recognise them because they’ve been set aside solely for use on private networks, such as our home network.

When the DHCP component of the router hands out an IP address, it also gives the computer or device a lease time. This is just the same as if you lease a car or even a house – the computer is given the address for a certain time period and relinquishes it at the end. The default lease time for our Home Hub’s HDCP server is one day but, whatever the case, leasing is moot on most routers because the device is simply given the same IP address again when the lease expires.

IP Versions


Currently the Internet runs largely on the IPv4 addressing system and protocol, but IPv6 is waiting in the wings to take its place. Like many modern routers our Home Hub is future-proofed to some extent, and the Broadband > IPv6 Status menu option theoretically allows us to configure our IPv6 settings. At present, though, this reads Disabled because no ISP – including BT – has yet rolled out IPv6 support beyond very limited testing phases. This is no bad thing because not all websites or Internet services are compatible with IPv6, and it’s not yet clear whether it can ever really become a true default standard.

The Home Network > IPv6 Configuration screen lets you configure IPv6 for the local network too but, again, this is not currently in use on the Home Hub. However, you can switch on and off the Unique Local Address (ULA) component of the IPv6 system. Like NAT, this configures the local network to use non-routable IPv6 addresses, thereby creating a private local network. ULA is enabled by default, but we might consider disabling this if some devices or PCs have trouble connecting because some crazy operating systems and handhelds attempt to connect via IPv6 before dropping back to IPv4 – which can cause odd delays when visiting websites. Often disabling IPv6 on the computer is the best solution, but on handhelds this might not be possible, making router configuration the only option.

Firewall


With all our apps on each computer or device requesting data, it’s a miracle that data isn’t received by the wrong app. Well, actually it’s not a miracle. It’s all down to the port system. In the same way as their real-world analogues handle shipping, ports provide a unique landing spot for incoming data that software can use to ensure only it gets the data. There are 65,535 ports, in fact, and apps are free to use any of them (although there’s a semi-official list of “well known” ports that shouldn’t be used for other purposes – see goo.gl/9yVo9y).

The Firewall > Port Forwarding screen lets you force the router to send all data received on a particular Internet port to a particular computer or device on the network. This is necessary because a basic limitation of NAT is that it can only route data it has requested. To return to the earlier analogy, it can only pass the video to your tablet if your tablet has first requested it. That’s fine for YouTube, but what if you’ve a VoIP phone app through which you might answer incoming calls that are unpredictable and also not explicitly requested by the app? That’s where port forwarding comes into play – you can tell the router to simply pass through all data arriving at a certain port number to a computer or device on the local network of your choice.

The Home Hub comes with several preconfigured port forwarding rules for games and apps, but the Home Hub lets us create our own by clicking the Manage Games and Applications button, and then clicking Add New Game or Application. First, we tell the Home Hub what protocol to use: the Any option will forward both TCP and UDP, and is the best option, although you can specifically choose either. We also need to set the port range to forward, and can also opt to translate it to a different port on the network – incoming data on port 555 could be passed through to port 600 on a phone, for example. It’s rare we’d need to do this outside of a business environment, though.

The Home Hub anticipates us typing a range of ports (that is, ports 20-32, for example) but if we want to forward just a single port then e type it into both fields – to forward port 500, for example, we type 500 into both Port Range fields and also into both Translate To fields.

Another option for port forwarding is to put a particular computer or device into the demilitarised zone (DMZ). On the Home Hub this can be configured by clicking Firewall > DMZ. When a computer is placed in the DMZ, all data not specifically requested by the router will be passed straight through to the computer or device in the DMZ (and as such the DMZ can only contain one computer or device). It’s a bit like putting the computer or device straight into the Internet, just like in the old days when ADSL modems connected to a PC via USB. As such the DMZ is a good way of testing an app that refuses to work via port forwarding but because of the risk of hack attack it’s not an ideal full-time solution. If you’re running something like a public mail or web server you might place in the DMZ for basic convenience and to avoid configuration, although beware that most ISP terms and conditions don’t allow users to run their own Internet-facing servers.

Plug And Play


Also within the Firewall component of the Home Hub is an option to switch on and off Universal Plug and Play (UPnP), which lets devices communicate with each other without the user being aware. Thus, a media centre PC can make its files available to other devices without configuration, or a scanner can make itself available to all PCs on a network. Terrific, right? Of course not.

UPnP is blindsided by two issues. the first is a complete lack of authentication; no usernames or passwords are required for UPnP to work, meaning any computer on the local network is automatically trusted and considered secure. We all know that PCs and tablets/phones are under constant threat from malware and that even if we consider them to be secure, they may not be (if you have kids, abandon hope of anything like a secure network). The second issue is that most UPnP implementations include Internet Gateway Device (IGD) support, which lets devices on the Internet probe beyond the local network to discover the router’s IP address and also configure port forwarding.

Again, this happens without the user being aware and can be used by a Trojan to create an easy direct connection to your PC in order to add it to a botnet. Many people disable UPnP and even the US Department of Homeland Security consider it a wise step.

The Firewall > Configuration option allows access to the Home Hub’s only dedicated firewall tool outside of NAT. The Defaults allow you to deny all unsolicited incoming traffic except those configured in the port forwarding rules – but allow through everything otherwise. Some routers refer to this option as making the router invisible because it won’t respond to pings from elsewhere on the Internet, by which hackers can discover new targets.

The Disabled option in the firewall is like the Default option, except that it means the router will act like all good Internet hardware and let through outgoing traffic and incoming traffic that’s specifically requested or allowed via port forwarding. It also means the router responds to pings, which can be useful if you need technical support.

Block All essentially turns the router into a brick wall and cuts the Internet off for all computers and devices on the local network. This is a quick and effective emergency brake should a computer on the network become infected with a virus and start leaking data.

Interestingly, our Home Hub includes a IPv6 Pinholes option that lets us theoretically undertake the equivalent of port forwarding if IPv6 is use. Again, it is not enabled.