Print
If you’ve read the previous section you now know routers make excellent hardware firewalls, and do a great job of blocking incoming connections. But what if you want to accept unsolicited incoming connections? This is the case whenever a friend tries to call you on Skype, or you attempt to download the latest World of Warcraft patch or Linux distro on BitTorrent. In the case of Skype, the software will try to work around the fact that you are behind an un-configured router by using “super nodes” to link the two callers together. These “super nodes” are in reality not paid for by Skype, but rather they are simply other Skype users who have configured their routers properly, or aren’t behind any type of Firewall. Think of them as an intermediary that introduces two computers that otherwise would ignore any incoming calls. In the case of BitTorrent, an un-configured router primarily causes low transfer speeds.
Setting up your router properly in both scenarios is not as hard as you might think, but it does involve introducing you to a concept known as port forwarding. Port Forwarding can typically be accessed through your routers advanced preferences pane, and generally looks like the screen shot shown below.
IP Address
This is the network IP address of the computer that requires the forwarded port. In most modern routers, you will be able to select your computers network name rather than specifying an IP address. If it doesn’t allow this, you will need to access your Network Setup preferences pane, and tie the MAC address of your computer to a permanent IP. For those that have never heard of a MAC address before, simply think of it as a unique serial number that identifies your computer. Our goal is to tell the router to bind an IP address to your connections unique MAC, thereby allowing you to use the IP address as a permanent pointer within your network. Make sure the IP address looks something like this 192.168.0.x (where x is anything between 2-255). Going forward, this will be the IP address of your computer on the LAN.
Before you finish and return to the Port Forwarding configuration, it is important that you make sure if your machine has both wired, and wireless networking capabilities, that you connect with each one separately, and assign the IP address for each network connection method. You will need to bind both to fully cover off your machine. The router should tell you what the MAC address of your computer is, but if you can’t find it, click Start then find and launch Command Prompt. Once you see the cursor type ipconfig /all and look for the “physical address”. It is generally a string of six digits (i.e. 48-3F-0A-91-00-BC).
TCP & UDP Ports
Here you will list which port, or which range of ports) you wish to open. In the case of Skype, and most BitTorrent clients one for each is more than enough, but in some cases you might need to open a range of them. An example would be 6159, or 6159-6180. You should always open ports above 6000 to avoid accidentally opening up a port that is assigned to another service. If you accidentally opened port 80 for example (which is used for HTTP traffic), you would be exposing services that are vulnerable to attack.
Inbound Filter
This is generally used to limited access to a group of systems on your network. Its unlikely you will ever need to chance this setting from “Allow All”.
Universal Plug & Play
UPnP was designed for one purpose, to make port forwarding so easy that applications could do it for you, no consent required. If you’re the type of person who is security minded, this explanation should raise a few red flags, if your not, here is why you should be concerned. If any application can request your router to open a port, then malware can do it too.
UPnP offers unparalleled convenience by ensuring you never have to look at your port forwarding options, but is one of the most dangerous settings in the router. If port forwarding isn’t your cup of tea, this might be your only option, but don’t say we didn’t warn you!
Fill in the IP Address or the Computer Name of the machine you will be using the software on, pick a port (preferably one that doesn’t conflict with another service), and click Apply or Save. If your having trouble deciding what port number to use, you can read ahead to see where you enter the values in both Skype and uTorrent. You can simply write down and use the default ports that are shown in each application to make selecting a port easier.
Now that you have opened a port on your router, all you need to do is point Skype in the right direction. This can be done by opening up your Options menu, and then selecting the Connection tab. Now simply type in your open port, then click Save to make your changes permanent. You will find it amazing how drastically this will improve the sound quality and performance of your calls. You can also take comfort in the knowledge that because you opened a port that only Skype will access, your network is still secure.
When it comes to BitTorrent clients, you have literally hundreds of choices available, all of which should allow you to set the port for incoming connections. The screen shot shown above is specific to uTorrent, but simply located the Preferences menu, then look for the Connections tab. Once here, simply fill in the box for “port used for incoming connections”.
The two examples shown above are for Skype a VOIP application, and uTorrent for P2P file transfer, but you may need to open ports for all sorts of purposes. The World of Warcraft patch downloader for example requires ports 3724, 6112, & 6881-6999 to be opened for proper operation. As long as you understand the important terms, and how to apply those into opening a port, you should be able to adapt the steps above to open any port you need.
As a rule of thumb, only open up ports you are actually going to use. Don’t simply open up 6000-8000 to make your life easier. When you do this you are opening up a large hole in your network that could become a potential security concern.
Comments are closed on this article
nduanetesh
November 30, 2009 at 8:52pm
So, say I want to use another wireless router to expand the range of my current wireless network. Basically, I want to use a router as a repeater or range expander. The two routers will be too far apart to connect via an ethernet cable. Can this be done with a regular router? How would I set that up? Or do I need to buy a real "wireless range extender" (which, ironically, is more expensive than a router)?
Thanks for the help!
IFLATLINEI
October 06, 2009 at 2:53pm
As already stated this is nice for the novice but even still these guides are a dime a dozen. Maybe the article writer should have done a google search. He would have seen them all over the place. Not to mention most of this stuff can be found right at the manufacturers site.
The Ultimate router guide would have included so much more that you cant get anywhere else. Like actual test results for a number of different brands and models. It would cover things like how many consumer grade routers fail to follow your port forwarding instructions 100% of the time or that you can DMZ a PC or Console and still have ports blocked. Or how quickly these things are overloaded.
Funny how testers will tests the living crap out of a Processor, HDD, Ram, but put out junk like this for a router guide. Isnt it time to expose these router companies for what they really are? Show the consumer how and why wireless really isnt for what they think its for. Like gaming.
pfjaco
October 06, 2009 at 11:00am
Come on Guy's the easiest way to add more RJ45 ports is with a network switch you can get them up to 1 Ghz with 4,8,or12 ports, or more if you go with an enterprise unit; plug the uplink from the router into port 1 of the switch (or the link port if one is specified) and and you're good to go with no IP address hassels; you can even stick a WAP into the switch if you need another wireless point.
Justin.Kerr
October 07, 2009 at 9:25am
This is a "router guide" not switch guide, but yes using a switch would be easier.
I would however qualify that by saying going with a new switch won't save you any money, and is less versatile in the long run. Not only that, but your more likely to have a spare router kicking around from a previous upgrade than a spare switch.
thefuzz4
October 06, 2009 at 10:41am
Of cours in windows if your wondering what networks are around you for finding a clear channel you can use net stumbler.
But for us linux users out there I recently discovered a very awesome tool called kismet. Kismet will not only sniff out all of the wireless networks out there but through packet sniffing will also find out the names of your networks that are not broadcasting. I found a neighboor who was not broadcasting and also had their network wide open I couldn't believe they went the step of turning off the broadcast but didn't lock it down that was about useless. If your a linux user try out kismet it's a little tricky to get setup but one it is, it's awesome.
mrvander
October 06, 2009 at 9:37am
First off, good article. Articles like these are the reason I come to MaxPC.
You write contradictory statements though early on. You write,
"...but the trick to security is to always keep your attackers guessing. Many routers give you the ability to make the wireless network
invisible, but don’t bother with this feature. Setting your network to
invisible might keep people from accidentally latching on to your
connection, but anyone using the right tools can find it easily."So you say to always keep attackers guessing then in the very next breath, say to ignore a feature that adds yet another layer of "guessing. That's just silly. Of course, if you're securing your router and don't need to broadcast it, why not turn off broadcasting? You know the SSID and as you say, the trick is to keep the attackers guessing and each layer helps.
Turn off that broadcast and maybe your neighbors more visible router will be attacked and not yours.
Justin.Kerr
October 07, 2009 at 9:30am
My point was simply that it dosn't offer (any) security beneift, and isn't worth the hassle.
Keep them guessing at your password, not your SSID which is being broadcast in the clear even if you turn it off.
WarCrime342
October 06, 2009 at 3:22pm
If I may say I think the point he's trying to get at is that it's not worth the headache or the effort to make it invisible if an intruder just side-steps with a click of the mouse. I've had my fair share of devices that have issues connecting to invisible Wi-Fi networks and it's not very practical to put into use in order keep out a hacker. Having a password and MAC Authentication list would be enough to keep unwanted roamers from connecting.
UndeniablyPC
October 06, 2009 at 4:54am
This article is pretty much useless in regards to security IMO.
Yea, it does tell you to change the default password and does tell you that essentially that WPA2 is the only way to properly encrypt a wireless signal without compromising security, but it really doesn't provide ample coverage in regards to the actual firewall settings in order to lock the router down.
In the matters of the router firewall it fails in my opinion to talk about stateful packet inspection, and how to properly configure your ports to allow only specific types of traffic through. Yes, port forwarding and QoS are important features, but they do nothing when it comes to the actual security of the network.
Also, in the area of security they should have mentioned the fact that users should only have a certain number of IPs allocated to their internal network, i.e. if you are using only 3 computers, only give your network a grand total of three IPs. Also those IPs should be associated with the specific MAC addresses of those machines. This way if someone does happen to find the network, they are unable to obtain an IP on the network. These steps are prudent when you are dealing with both a DHCP and static IP architecture. IMO.
But, I will digress and give you guys credit where it is due, as this guide will help the novice get a little better understanding in regards to the settings of their router.
Saltboy
October 06, 2009 at 5:34am
Spoofing a MAC address is a cake walk. It really is a waste of time as that is the first thing a person that knows what they are doing tries. Right now, WPA2 is about all that is useful for keeping folks off your network.
Justin.Kerr
October 07, 2009 at 9:37am
If Mac address filtering is your only means of security, it's not enough, and is easily defeated. On the other hand if you have a strong WPA2 implementation, this is an unnecessary step. To each their own.
ironorr
October 06, 2009 at 12:17am
A really easy way to find out what WiFi channels your neighbors are using is to use this command in Windows:
cmd /k netsh wlan show networks mode=bssid
It's not as pretty as the GUI example you showed, but it gets the job done quickly.
whr4usa
October 05, 2009 at 10:30pm
potentially extremely useful article as per usual MaxPC!
noticed a couple errors on terms and grammar (I agree with first poster Lolz)
W-LAN, WiFiLan OR WLAN but not just WAN
wireless networks are still Local Area Networks but a WAN is a Wide Area Network is owned and maintained by a single ISP (usually) even if its resources (bandwidth, server clusters etc.) are shared or contracted out
you won't find any accurate home wireless networking information by googling (...or Binging) 'WAN'
also a router having a DHCP server has little to do with sharing an Internet connection (ICS or NAT ring a bell..?) 192.168.0.x & 192.168.1.x are Class C Private IP addresses which esidential routers won't route, they just get looped/broadcast back across the network from which the original signal came which can eat up bandwidth at regular intervals, hence the reason for including a DHCP server for efficiency and better management but not in any way enabling the sharing of that priceless Internet connection
one more 'also' lol to implement that router stacking solution you must or rather 'should' (network appliances keep getting smarter so what do I know anyways?) set the gateway in each of the stacked routers to the static IP of the router closer to the Internet than them in terms of wiring or physical connections so that the Internet connection is directly processed instead of adding overhead to the routing firmware (this assumed you plugged the more distant routers into each closer router's main port labeled "Internet" (usually, aka physical residential gateway port)
confuse anybody yet?
ironorr
October 06, 2009 at 12:37am
Yeah, I'm guessing you will confuse many people with that garbled mess. Jesus. Did you even read that before you posted it? Do you not feel like a total hypocrite for commenting on the author's grammar?
whr4usa
September 09, 2010 at 1:04pm
I apologize for my poor spelling & typing
grammar is fine though!!
DBsantos77
October 05, 2009 at 10:04pm
I'm actually very surprised to see so many networks using WEP.I'm also surprised that devices like the Nintendo DS Lite vI require a WEP password for online play..
-Santos
lunchbox73
October 06, 2009 at 7:18am
That was a good reminder for me. I had to downgrade to WEP a couple of years ago when I bought a DS for my kid's xmas gift. Now that they don't use it any more I can ratchet back up to WPA2.
