GRAND PRIX LEGENDS





3: NAT ROUTERS




NAT ROUTING
NAT Routing is simply the process by which your router protects your internal network from unauthorised external access but still allows you to access the Internet from internal clients.

By default on a locked down router, if a data packet arrives at your WAN port unsolicited it is simply dropped by the router and will not gain access to your internal network. The router is essentially acting as a hardware firewall, and NAT routers are often referred to as such.

If you try to access a web page from your PC, the router logs this request for a web page and your PC's IP Address. When the web page data arrives back at the WAN port, your router sees that it is a response to your internal request and allows it through, NAT Routing it to your PC's IP Address.

There are occasions when you want to allow unsolicited data to access your internal network, and I will use the example of a web server that you may be running from home.

PORT FORWARDING
Web data accesses computers via port 80. Unlike your router's physical WAN and LAN ports, think of this data port 80 as a logical port that you can't see but your computer can. Data can arrive at the physical WAN port aimed at a whole range of different logical data ports, and the recipient will handle it differently depending on which data port it is aimed at. For example, data arriving at your computer's port 80 will be treated as a request for a web page. So if you are running a web server on your LAN, you want unsolicited traffic arriving at your WAN port on port 80 (i.e. from people's web browsers) not to be dropped by the NAT Router but to be passed on to your web server. That process is called Port Forwarding.

An important security step that a lot of people miss is to turn off the router's UPnP (Universal Plug and Play) feature. This "feature" is often exploited by viruses and malware to enable ports that are needed by software without you having any control over it. For security reasons, do all the port configuration yourself and disable UPnP.

Bear in mind also that data travels around the web using 1 of 2 protocols (languages): TCP/IP (Transmission Control Protocol) or UDP (Universal Datagram Protocol). A port configured for forwarding data on port 80 TCP/IP will not forward data on port 80 UDP; it would need to be configured for both.

When running any kind of server on your LAN you should assign it a static IP Address that is outside of your DHCP scope. For example, if the DHCP service on your router issues IP Addresses in the range of

192.168.1.30 to 192.168.1.100

then you can issue a static IP Address to your web server of anything between

192.168.1.2 and 192.168.1.29

or

192.168.1.101 to 192.168.1.254

As long as you use the same subnet mask that your DHCP scope uses, the clients will be able to communicate as they are on the same subnet.

Let's say that your web server has a static IP Address of 192.168.1.10. You need to use the configuration page of your NAT Router to turn on a Port Forward on Port 80 and direct it to 192.168.1.10. Now any "unsolicited" data that hits your WAN port on port 80 will be directed straight to your web server and people will be able to see your website.

Your web server is now effectively sat directly on the Internet but only via port 80. Anybody trying to access it via any other logical port number will not be able to access it as you have not turned on any other Port Forwards.
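The behaviour described above (replies to internal requests allowed, unsolicited data dropped, one forward per protocol and port) can be sketched as a small model. This is an added example, not router firmware or code from the original article; the NatRouter class, its method names, the 40000 starting port and the 198.51.100.x remote addresses are all assumptions made for illustration, and it also refuses a forward to an address inside the DHCP scope.

```python
import ipaddress

class NatRouter:
    """Toy model of the NAT behaviour described above (hypothetical, not real firmware)."""
    def __init__(self, dhcp_first, dhcp_last):
        self.dhcp = (ipaddress.ip_address(dhcp_first), ipaddress.ip_address(dhcp_last))
        self.sessions = {}   # (proto, wan_port) -> (lan_ip, lan_port, remote_ip, remote_port)
        self.forwards = {}   # (proto, wan_port) -> lan_ip
        self.next_port = 40000

    def add_forward(self, proto, port, lan_ip):
        ip = ipaddress.ip_address(lan_ip)
        if self.dhcp[0] <= ip <= self.dhcp[1]:
            raise ValueError(f"{lan_ip} is inside the DHCP scope; use a static address outside it")
        self.forwards[(proto, port)] = lan_ip

    def outbound(self, proto, lan_ip, lan_port, remote_ip, remote_port):
        """A LAN client makes a request: log it and return the WAN-side source port."""
        wan_port = self.next_port
        self.next_port += 1
        self.sessions[(proto, wan_port)] = (lan_ip, lan_port, remote_ip, remote_port)
        return wan_port

    def inbound(self, proto, remote_ip, remote_port, wan_port):
        """Data arrives at the WAN port: return (lan_ip, lan_port), or None if dropped."""
        s = self.sessions.get((proto, wan_port))
        if s and (s[2], s[3]) == (remote_ip, remote_port):
            return (s[0], s[1])            # response to a logged internal request
        lan_ip = self.forwards.get((proto, wan_port))
        if lan_ip:
            return (lan_ip, wan_port)      # unsolicited, but a Port Forward matches
        return None                        # unsolicited with no forward: dropped

def demo():
    # Constructed scenario using the article's DHCP range and web server address.
    r = NatRouter("192.168.1.30", "192.168.1.100")
    results = {}
    p = r.outbound("tcp", "192.168.1.40", 51000, "198.51.100.7", 80)
    results["reply"] = r.inbound("tcp", "198.51.100.7", 80, p)
    results["unsolicited"] = r.inbound("tcp", "198.51.100.99", 4444, 80)
    r.add_forward("tcp", 80, "192.168.1.10")
    results["forward_tcp"] = r.inbound("tcp", "198.51.100.99", 4444, 80)
    results["forward_udp"] = r.inbound("udp", "198.51.100.99", 4444, 80)
    results["other_port"] = r.inbound("tcp", "198.51.100.99", 4444, 22)
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Only the TCP forward on port 80 reaches 192.168.1.10. The same port over UDP, and any other port, is still dropped.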

To test an internal web server set up like this you can access it internally using the address http://192.168.1.10 or by its external address which will be whatever you have been assigned by your ISP.

NOTE: You will not usually be able to test your own server externally as your router will generally not allow you to cross it once going out to the Internet and straight back in again to your web server. You will almost certainly have to get somebody outside of your own network to test it for you by giving them your current WAN IP Address.

To find out what your external IP Address is you can either look in the configuration pages of your router or use a site such as http://whatismyip.com.

You can now see the pitfalls of not having a static IP Address: if your IP Address changes, how will people be able to find your website or, more to the point, your GPL Server?

By using DNS (Domain Naming Service).
