Hack 49 Optimize Your Residential Gateway

Residential gateways let you share broadband Internet access and build a home network. Here's how to get the most out of your residential gateway .

Encrypting File SystemIt's quite easy to set up inexpensive hubs/routers, usually called residential gateways , for setting up a network at home and sharing Internet access. But the default settings aren't always optimal, because no network is one-size-fits-all. And, frequently, the documentation for the gateways is so poor that it's hard to tell even what the settings are and what options you have.

Residential gateway options differ somewhat from model to model. Here's advice for how to customize the most common and most important settings:

Connect on Demand and Maximum Idle Time settings: Depending on your Internet service provider (ISP), you may become disconnected from the Net after a certain amount of time of not using the Internet. To solve the problem, if your residential gateway has a Connect on Demand setting, enable it; that will automatically re-establish your Internet connection when you use an Internet service, even if your ISP has cut you off. If there is a Maximum Idle Time setting, set it to 0 so that your gateway will always maintain an Internet connection, no matter how long you haven't used the Internet. As a practical matter, you should need to use only one of these two settings; either one will maintain a constant Internet connection for you.
Keep Alive setting: Use this setting to maintain a constant Internet connection, even if your PC is idle. It's similar to Connect on Demand and Maximum Idle Time settings, except that it doesn't let your connection disconnect, so it is an even better setting to enable, if your gateway has it.
Router Password: Your router requires a password for you to use its administrator account. It comes with a default password. For example, Linksys routers come with a default password of admin . Change the password for maximum security.
Enable Logging: For security reasons, it's a good idea to enable logging so that you can view logs of all outgoing and incoming traffic. Depending on your gateway, it may save permanent logs to your hard disk or allow only the viewing of temporary logs. You may also be able to download extra software from the manufacturer to help keep logs. For example, Linksys routers use temporary logs, but if you want to save permanent logs, you can download the Linksys Logviewer software from http://www.linksys.com. You can view logs using a text editor, like Notepad, or a log analysis program, such as the free AWStats (http://awstats. sourceforge .net).

5.9.1 Special Hub/Router Settings for DSL Access

If you have DSL access, you may need to customize your gateway's settings in order to provide your network with Internet access; sometimes the gateway's settings block Internet access. Here are the settings you'll need to change so you can get onto the Internet:

PPPoE (Point to Point Protocol over Ethernet): Some DSL ISPs use this protocol when offering Internet access. By default, this protocol is disabled on gateways, because it's normally not required for Internet access. However, if you have DSL access, you may need to enable it in your gateway.
Keep Alive setting: Some DSL ISPs will automatically disconnect your connection if you haven't used it for a certain amount of time. If your gateway has a Keep Alive setting, enable it by clicking on the radio button next to it; this will ensure that you are never disconnected.
MTU (Maximum Transmission Unit): As a general rule, DSL users should use a value of 1492 for their MTU. The MTU sets the maximum size of packets that a network can transmit. Any packets larger than the MTU setting will be broken into smaller packets. DSL ISPs often set the MTU to 1492, so if you set a packet size larger or smaller than that, you may slow down Internet access.

You should also check with your DSL provider, because these settings may vary somewhat from provider to provider.

5.9.2 Settings for Using a VPN

If you use a Virtual Private Network (VPN) [Hack #62] to connect to your corporate network from home and you use a residential gateway, you may run into difficulties and not be able to connect to the VPN. Some gateways, such as those from Linksys, are specifically designed to work with VPNs and have specific setup screens for them; if you have one of those, you shouldn't have any problems. Make sure to get the proper encryption, authentication, and similar information about the VPN from your network administrator, and then use those settings for the VPN setup screen in your gateway.

However, you may run into problems running a VPN with a gateway that doesn't have specific VPN settings, even if the device claims that it will work with VPNs. In particular, one default setting, hidden fairly deeply in most gateway setup screens, may disable VPN access; some gateways, such as those made by Linksys, include an option called Block WAN Request . By default, this option is enabled and blocks requests into the network from the Internet; for example, it stops ping requests into the network. However, enabling this option also blocks VPN access. VPN access requires that requests get into the network from the Internet, so if you block those requests the VPN won't work. If you have a Linksys router, disable this setting by logging into your administrator's screen, choosing Advanced Filters, selecting Disable Block WAN Request, and clicking Apply. For other routers, check the documentation.

VPNs use a variety of protocols for tunneling through the Internet, such as IPSec and the Point-to-Point Tunneling Protocol (PPTP). Make sure that these settings are enabled on your gateway if you want to use it in concert with a VPN.

5.9.3 Enable Specific Internet Services: Port Forwarding

Residential gateways often use Network Address Translation (NAT), in which the gateway's single, external IP address is shared among all the computers on the network, but each computer has its own internal IP address, invisible to the Internet. For example, to the Internet each computer looks as if it has the address of 66.32.43.98, but internally they have different addresses, such as 192.168.1.100, 192.168.1.101, and so on. The gateways have built-in DHCP servers that assign the internal IP address. These internal IP addresses allow each PC to communicate with each other and to connect to the Internet, and they also offer protection to PCs on the network. To the rest of the Internet, each PC has the IP address of the gateway, so each PC's resources can't be attacked or hijackedthey're invisible. The gateway itself doesn't have resources that can be used to attack you PCs, so you're safe.

But if you have servers on your network that need to provide Internet- related services (perhaps you have an FTP or web server), or if you need to allow certain PCs to be connected to from the Internet for specific purposes (such as for playing multiplayer games ), you'll run into trouble because they don't have IP addresses that can be seen by the rest of the Internet.

However, with this trick, you can use your router to forward incoming requests to the right device on your network. For example, if you have a web server, FTP server, or mail server and want people to be able to connect to them, you'll be able to route incoming requests directly to those servers. PCs on the Internet will use your gateway's IP address, and your gateway will then route the requests to the proper device on your network. Normally, the devices would not be able to be connected to, because the IP addresses they are assigned by the gateway are internal LAN addresses, unreachable from the Internet.

Not all gateways include this capability. To use this feature in a Linksys gateway, log into to your administrator's screen and choose Advanced Forwarding to get to the screen shown in Figure 5-17.

Figure 5-17. Forwarding incoming requests to the proper server or device

When this feature is enabled, the gateway examines incoming requests, sees what port they're directed to (for example, port 80 for HTTP), and then routes the request to the proper device.

Fill in each device's IP address, the protocol used to connect to it, and the port or port range that you want forwarded to it. It's also a good idea to disable DHCP (Dynamic Host Configuration Protocol) on each device to which you want to forward requests, and instead give them static internal IP addresses. If you continue to use DHCP instead of assigning them a static IP address, the IP addresses of the servers or devices may change and would therefore become unreachable. Check your gateway's documentation on how to force it to assign static IP addresses to specific devices.

Table 5-2 lists port addresses for common Internet services. For a complete list of ports, go to http://www.iana.org/assignments/port- numbers .

Table 5-2. Common Internet TCP ports

Port number	Service
7	Echo
21	FTP
22	PCAnywhere
23	Telnet
25	SMTP
42	Nameserv, WINS
43	Whois, nickname
53	DNS
70	Gopher
79	Finger
80	HTTP
81	Kerberos
101	HOSTNAME
110	POP3
119	NNTP
143	IMAP
161	SNMP
162	SNMP trap
1352	Lotus Notes
3389	XP's Remote Desktop
5010	Yahoo! Messenger
5190	America Online Instant Messenger (AIM)
5631	PCAnywhere data
5632	PCAnywhere
7648	CU-SeeMe
7649	CU-SeeMe

5.9.4 Cloning a MAC Address for Your Gateway

This hack can help you avoid an extra charge from the cable company for your broadband service, or at least avoid having to call them with new information. Many broadband ISPscable modem ISPs in particularrequire that you provide them with the MAC (Media Access Control) address of your network adapter in order for your connection to work. If when you began your broadband service you had a single PC, but you've since installed a gateway at home in order to set up a network and share Internet access among several PCs, you'll have to provide the ISP with your new gateway's MAC address.

Some ISPs might charge you a higher rate for cable access if you're sharing several PCs in this way. (Because of increasing competition among broadband providers, though, this has become far less common than it was previously.) There is a way, however, to use your existing MAC address with your new gateway by cloning the address. To your ISP, it looks as if your MAC address hasn't changed. You might want to do this even if your cable provider doesn't charge extra for several PCs, because it will save you having to call up the cable company's tech support line to provide a new MAC address.

Note that not all gateways have this capability, so yours may not be able to do it. Most Linksys gateways let you do this, so if you have a Linksys, do the following to clone your MAC address. Depending on your model, the exact steps may vary:

Find out your current network adapter's MAC address (the MAC address your broadband provider already has) by opening a command prompt, typing ipconfig /all , and looking under the entry for Ethernet adapter Local Area Connection. You'll see an entry like this:
```
 Physical Address. . . . . . . . . : 00-08-A1-00-9F-32 
```
That's your MAC address.
Log into your administrator's screen for the Linksys router and choose Advanced MAC Addr. Clone. A screen similar to Figure 5-18 appears.

Figure 5-18. Cloning an existing MAC address
Type in the name of the MAC address you've obtained from your network adapter and click Apply. Your gateway will now be recognized by your ISP. Note that you may have to power down and power back up your cable modem in order for the gateway to be recognized.

If your ISP requires a MAC address and you don't clone an existing one, you'll have to provide your ISP with your gateway's address. Make sure that you give them the right one. Your gateway typically has two MAC addresses, a LAN MAC address and a WAN MAC address. The LAN address is used only for the internal network, so make sure to provide your ISP with the device's WAN MAC address. If you give the LAN address, you won't be able to access the Internet.