Understanding Router Terminology
Even though you have our general recommendations, you should still understand the features you’re likely to find in your router, and what they do.
One of the first questions you may be faced with is whether to buy a "Stateful Inspection" or "Stateful Packet Inspection" (SPI) based router. To answer this question, you’ll need to know a little more about how a router works its magic.
All consumer grade routers are based on Network Address Translation (NAT). This is the technology that lets the multiple computers on your LAN (which each have their own IP address) communicate with the Internet through the single IP address that your Internet Service Provider / Broadband Service Provider (ISP / BSP) assigns to you. NAT also provides a basic firewall, since it only lets data from the Internet through if that data is the reply to a request that originated on a computer on your LAN; unsolicited inbound traffic has no entry in the router’s translation table and is simply dropped. Since NAT requires that the router look at (or inspect) part of each data packet that passes through it, why isn’t that considered SPI?
It turns out that the answer to this question is the subject of some amount of debate in the industry, partially due to the term’s misuse by some companies to describe early NAT-based products. It’s also difficult for the average purchaser of a router to verify actual SPI operation. On a practical basis, however, it’s not so much a matter of NAT vs. SPI, but a question of the feature set you desire. "SPI" based consumer routers can usually be differentiated from their plain-vanilla cousins by the presence of features like emailed attack alerts and reports, although exceptions to this rule can be found. In the end, SPI is mainly being used as a way to charge more for a product that has rapidly moved down the price curve to become a commodity.
Recommendation: If the only difference in features between the products that you’re considering is that one has SPI and the other doesn’t, choose the SPI product if you tend to use a lot of mapped ports, or you’re hosting some sort of server behind your router. Otherwise, plain ol’ NAT should do just fine.
WAN Port Features
With the NAT vs. SPI question out of the way, we can turn our attention to more practical matters... like how you get this puppy connected to the Internet!
NOTE: We use "broadband modem" to refer to the device that is used to connect your computer to whatever method of broadband delivery you subscribe to. This can be cable modem, DSL (whatever flavor), satellite, fixed wireless, etc.
Most routers provide a 10BaseT Ethernet port to connect to your broadband modem. Why not 10/100? Simply because most broadband connections run at about 1-2Mbps at best, and the manufacturer can save some cost by using a 10BaseT-only chip. Some products also provide a serial port for the WAN connection, so that they can be used with an external dialup modem or ISDN Terminal Adapter. A few even provide an "auto-failover" feature that switches to the dialup connection if the Ethernet (broadband) connection goes down, and back again when the broadband comes back up.
What you won’t find, however, are routers that connect to broadband modems that have a USB output... with one exception! If you have an Alcatel Speedtouch or Fujitsu FDX310 ADSL modem, you could check out the Draytek Vigor2200USB Router.
The unfortunate folks whose only choice is a USB-output modem other than those listed above will have to go the software sharing route.
Obtaining your IP address information
Once you have a router with the correct physical connection, you’ll need to make sure that it can handle the various methods of obtaining IP address information and connection authentication that ISPs use. Let’s first run down the two methods for setting up your router’s IP address information that all routers provide, then review authentication methods.
Dynamic IP
In this method, which is sometimes referred to as "DHCP client", your router is set to obtain its IP, Gateway, and DNS server addresses automatically. It’s a common method because it gives your ISP a lot of flexibility in configuring their network. The downside is that since your IP address can change, any application that is looking for a server or application at a specific IP address will not find you when your IP address changes. Fortunately there are Dynamic DNS providers, such as TZO, who can make sure that folks can reach you no matter what your IP address is.
Static IP
This is the method of choice for folks who want to run servers and don’t want to bother with using Dynamic DNS providers. It requires that you manually enter the IP, Gateway, and DNS address information that your ISP gives you. This choice is not always available, and if it is, you may have to pay extra for it.
Your ISP uses a number of methods to make sure that only valid users connect to their systems. We’ll next review the common ones.
Dialup and ISDN
Folks using these flavors of ISP will find that routers which provide a serial port for connection of a modem or ISDN-TA also provide a place to enter the ISP’s phone number(s), and your user name and password.
MAC Address Authentication
Anything that has an IP address will also have a MAC (Media Access Control) address. MAC addresses are unique to each piece of networking equipment (at least they’re supposed to be... more below) and are used in the IP address assignment process. The MAC address (also known as an "Adapter" or "Ethernet" address) is composed of twelve hexadecimal characters. To avoid address duplication, ranges of addresses are assigned to network equipment manufacturers, who are charged with setting up the proper systems to ensure that address assignments are not duplicated.
NOTE: MAC addresses are represented in three common ways. Here’s how you would write the same MAC address in those three ways:
00fe3c812eab, 00-fe-3c-81-2e-ab, or 00:fe:3c:81:2e:ab.
MAC addresses are not case sensitive, so the letters that are used (A-F) can be either upper or lower case.
Cable modem BSPs most frequently use this authentication method, but you may not know that they’re using it. That is, until you try to either move your cable modem connection to a different computer than was connected when the service was installed, or try to install a hardware router. If your connection either doesn’t work with the new equipment, or stops working shortly after you install it, your BSP is probably using MAC address authentication.
This used to be a hassle when installing a hardware router, involving a call to your BSP and usually a long wait to give the Support person your new MAC address info. Router-unfriendly BSPs also have been known to have the MAC address ranges of popular routers programmed into their authentication system, and refuse to allow use of a MAC address that they know belongs to a router. (These BSPs also frequently monitor the MAC addresses of equipment on their network, and disconnect routers that they detect without warning or explanation.)
Fortunately, router design engineers came to the rescue, and virtually all products now allow you to either automatically "clone" the MAC address of a computer that’s attached to the router, or manually enter the MAC address of your previously used network adapter as the router’s WAN port MAC address. This not only eliminates the call to your BSP, but also makes sure that you don’t get abruptly disconnected.
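When you clone or hand-type a MAC address, the three notations from the note above (and the mixed case) are all the same address, and a typo in any of them is the usual reason a clone "doesn’t take". The following helper, added here as an example and not code from the original article, normalizes the three notations into one canonical form, rejects malformed input, and pulls out the manufacturer prefix (the first three octets) so you can confirm that the router’s WAN MAC really matches your old adapter. The sample addresses are constructed, not real vendor assignments.

```python
import re

HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(text):
    """Accept a MAC in bare (00fe3c812eab), dashed (00-fe-3c-81-2e-ab) or
    colon (00:fe:3c:81:2e:ab) notation, in either case and with stray
    whitespace, and return the canonical lowercase colon form, or None
    if it is not a valid 12-hex-digit address."""
    digits = re.sub(r"[-:\s]", "", text.strip().lower())
    if not HEX12.match(digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def oui(mac):
    """Manufacturer prefix (Organizationally Unique Identifier): the first
    three octets of a canonical address. This is the part that a BSP can
    match against a list of known router vendors."""
    return mac[:8]


def is_locally_administered(mac):
    """True when the 'locally administered' bit of the first octet is set,
    i.e. the address was assigned by an administrator rather than burned
    in by the manufacturer (it is outside any vendor's OUI range)."""
    first_octet = int(mac[:2], 16)
    return bool(first_octet & 0x02)


def same_device(a, b):
    """Compare two addresses written in any of the notations; used here to
    verify that a router's cloned WAN MAC matches the original adapter."""
    na, nb = normalize_mac(a), normalize_mac(b)
    return na is not None and na == nb


if __name__ == "__main__":
    # Constructed values: the adapter's MAC as shown by the OS, and the
    # value a user typed into the router's WAN MAC clone field.
    adapter_mac = "00-FE-3C-81-2E-AB"
    typed_mac = "00fe3c812eab"
    print("match:", same_device(adapter_mac, typed_mac))          # True
    print("OUI:", oui(normalize_mac(adapter_mac)))                # 00:fe:3c
    print("locally administered:", is_locally_administered("00:fe:3c:81:2e:ab"))  # False
```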
PPPoE
Point-to-Point Protocol over Ethernet, or PPPoE, is the newest method of authentication, and was driven into the market by DSL BSPs. It requires a user name and password, but uses a protocol that allows the authentication, monitoring, and control of multiple virtual connections. This means that if your BSP uses this protocol, they could eventually keep track of and charge separately for multiple users. But since they could do this only if you purchased multiple IP addresses from them, this charge-per-user option hasn’t been widely implemented, since most users install a router when they want to share the connection.
PPPoE is now pretty much standard on all routers, but the quality of implementation, i.e. how well it works, varies greatly. Some of the PPPoE related problems are due to buggy router firmware, and some are due to the wide variety of PPPoE implementations used by BSPs. If your BSP uses PPPoE, look for routers that support it, and also that have these other features:
Connection controls
These include a number of different features, intended to give you control over how long a connection is maintained when there is no network activity and what is done if you are disconnected. Most routers default to automatically connecting when Internet related network activity is detected, but the Linksys routers put this under the control of a "Connect on Demand" setting. "Maximum Idle Time" settings control how long the router waits before dropping the connection when there is no Internet related network activity. An "Auto-Reconnect" feature automatically tries to restore the connection when it’s dropped.
Keep Alive
One of the very common problems with PPPoE connections is that the connection is frequently dropped. Some BSPs do this intentionally, much as a dialup ISP will drop your connection after a certain period of inactivity, but others just don’t have their PPPoE servers set up properly. A "Keep Alive" feature will try to keep the connection up by forcing a short burst of Internet activity after a programmable period of time.
Other Authentication needs
Depending on your BSP, your router’s PPPoE client may have to provide a Static IP address and/or a Service Name. Make sure your router has these controls if you need them.
Host Name
The Host Name method was used primarily by @Home... at least it was until they went under. It requires that the Host Name (Windows calls this the "Computer Name") of the connected computer be set to a specific, long name. Since @Home was one of the "big dog" BSPs, most routers now include the ability to set the name of the router and send it to the BSP when they ask for the Host Name.
TAS
We’ve included this mostly for completeness, but it’s unlikely that you’ll encounter this authentication protocol unless your BSP is a Time-Warner RoadRunner affiliate who hasn’t phased it out. TAS stands for "Toshiba Authentication Service" and is commonly known as the "RR login". It’s a user name / password system that uses a little client program that’s intended to run on the computer connected to the cable modem. Most routers don’t support this protocol (ZyXEL’s products and some of their Netgear OEM versions are an exception), so if your BSP uses it, either find a router that supports it, or check Google to see if you can find a workaround.
DHCP Server
All routers include this capability, which can automatically provide your LAN clients with the TCP/IP information they need to successfully establish an Internet connection. The TCP/IP information will also allow File and Print Sharing to work, but you’ll usually need to take some extra steps to get those services working. Not all router DHCP servers have the same feature set, so here’s what to look for:
Address Range control
This lets you control the range of addresses that the server hands out. Some routers allow you to set only the starting address of the range. Others allow you to directly set both the starting and ending addresses of the range. This feature is handy for making sure that the DHCP-server-issued addresses don’t collide with any fixed IP addresses that you may need to assign to LAN clients.
Address Reservation / Exclusion
This allows you to assign a given IP address to a specific LAN client, or prevent blocks of addresses from being handed out.
Domain Name
The DHCP server always hands out the IP addresses of your ISP’s DNS servers, but this feature allows you to set a domain name that will also be handed out. If your ISP does not use Fully Qualified Domain Names (FQDN) for its servers (@Home was notorious for this), you may need this feature to allow your LAN clients to successfully receive and send email and browse newsgroups.
NOTE: FQDNs contain host, domain, and top-level domain information, e.g. www.home.com or mail.home.com. Non-FQDNs typically have just a host name, e.g. mail, news, or POP3.
Disable
This lets you shut off the DHCP server. It can be a useful feature for wireless routers, or if you already have a DHCP server on your network.
Client List
Sometimes it’s handy to see what’s connected to your LAN. This feature at minimum shows you the IP address and MAC address of clients that have a DHCP "lease" (assignment). Some products also let you see the Host name of the client, force a lease renewal, or disconnect a client.
Port Mapping (Forwarding, Virtual Server)
This feature goes by many names, but what it does is allow you to open holes (ports) in your firewall. You’ll need to do this for almost any Internet application that depends on the ability of someone on the WAN (Internet) side of your router to send a data request to a computer on your LAN.
There are a few ways that manufacturers implement port mapping, and what you need will depend on what sort of applications you use. Let’s take a look at the different types of port mapping features.
Static Single Ports
This is the simplest form of port mapping. You must map each port used by an application to the IP address of the computer that the application is running on. Some routers let you specify the protocol (TCP or UDP) for each mapping. Others automatically map the port for both protocols.
NOTE: You can statically map a specific port to only one IP address. This means that if you have multiple users who want to use the same application, or multiple servers of the same type, each copy of the application or server would need to use a different port. Some applications allow this to be done, and others don’t.
If you have only a few applications and they use only one or two ports each (e.g. running a web or FTP server) this method should be fine. Although the number of single port maps varies from manufacturer to manufacturer, you’ll typically get somewhere around ten mappings.
Static Port Ranges
Similar to single-port mapping, this option lets you map a range of ports in each mapping. Each mapping still applies to only one IP address, however. This option gives you the ability to handle applications that use a lot of ports, such as games and audio/video conferencing. Again, the number of mappings varies from product to product, with ten or so being typically offered.
DMZ ("Exposed Server")
This is the ability to virtually place one computer outside your router’s firewall. Note that we say "virtually" because the target machine is still physically connected to the LAN side of your router. What this option actually does is map ALL ports that have no other mapping through to the IP address that you specify, so that machine is reachable from the Internet on every port, just as if it were connected directly to the modem. Because it depends on the router’s firmware to do the job, you can have problems with some routers that have buggy implementations of this feature and still not be able to use a desired application even if you place the target computer in "DMZ".
Dynamic ("Triggered") Mapping
Sometimes called "Special Applications", this feature attempts to bypass the "one map per IP" limitation of static port mapping. You typically set up a port mapping as you would for a static mapping, but then specify a "trigger" port (and sometimes, protocol). The router then watches the outbound data stream (data from computers on your LAN headed to the Internet) for the trigger criteria. When it sees the trigger, it remembers the IP address of the computer that sent the trigger data. When data that matches the trigger request tries to come back into your LAN, the mapping that the trigger is tied to is enabled, and the data is allowed through the firewall. The router then disables the mapping as soon as the transfer is finished so that another computer can use the same mapping. This gives the illusion of multiple computers simultaneously using the same mapping, but, of course, only one computer can use the mapping at a time.
NOTE: Since the trigger event must come from a computer on the LAN, triggered maps can’t be used to allow access to multiple servers on your LAN that use the same port. So if you’re running two webservers, you’ll still need to set up static mappings for two different ports, and configure the webservers accordingly.
NOTE: Triggered maps are best used for quick data requests / transfers, because they depend on the mapping being available when another computer triggers it. If you have an application that uses a continuous data stream (e.g. streaming audio or video, Internet phones, etc.) and ties up a port for a long time, a triggered map isn’t going to help you.
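The three mapping styles described above (static single ports, DMZ, and triggered mapping) differ only in how the router decides where an unsolicited inbound packet goes, and whether it goes anywhere at all. The simulation below, added here as an example and not firmware from any real router, models that decision: static maps bind a port to exactly one LAN host, the DMZ host catches whatever is left, and a trigger map is armed by outbound traffic from one host, held by that host until released, and otherwise dropped. Port numbers and addresses are constructed for the example.

```python
class PortMapper:
    """Toy model of a NAT router's inbound forwarding table."""

    def __init__(self, dmz_host=None):
        self.static = {}    # (proto, port) -> lan_ip
        self.triggers = {}  # (trig_proto, trig_port) -> (in_proto, lo, hi)
        self.active = {}    # (trig_proto, trig_port) -> lan_ip holding it
        self.dmz_host = dmz_host

    def add_static(self, proto, port, lan_ip):
        """One IP per port: return False instead of silently overwriting
        an existing mapping for a different host."""
        key = (proto, port)
        if key in self.static and self.static[key] != lan_ip:
            return False
        self.static[key] = lan_ip
        return True

    def add_trigger(self, trig_proto, trig_port, in_proto, lo, hi):
        """Outbound traffic to trig_port arms forwarding of in_proto lo-hi."""
        self.triggers[(trig_proto, trig_port)] = (in_proto, lo, hi)

    def outbound(self, lan_ip, proto, dport):
        """LAN -> WAN packet. Returns True if it armed (or re-armed) a
        trigger for lan_ip; False if there was no trigger on this port or
        another host already holds it (only one user at a time)."""
        key = (proto, dport)
        if key not in self.triggers:
            return False
        holder = self.active.get(key)
        if holder is not None and holder != lan_ip:
            return False
        self.active[key] = lan_ip
        return True

    def release(self, trig_proto, trig_port):
        """Transfer finished: free the trigger so another host can use it."""
        self.active.pop((trig_proto, trig_port), None)

    def inbound(self, proto, dport):
        """WAN -> LAN packet. Returns the LAN IP it is forwarded to, or None
        when the firewall drops it. Order: static map, armed trigger, DMZ."""
        key = (proto, dport)
        if key in self.static:
            return self.static[key]
        for tkey, (in_proto, lo, hi) in self.triggers.items():
            if proto == in_proto and lo <= dport <= hi and tkey in self.active:
                return self.active[tkey]
        return self.dmz_host  # None unless a DMZ host is configured


if __name__ == "__main__":
    pm = PortMapper()
    pm.add_static("tcp", 80, "192.168.1.10")          # a web server
    # Constructed game: a client talks out on udp/6112, replies come
    # back on udp/6113-6119.
    pm.add_trigger("udp", 6112, "udp", 6113, 6119)
    print(pm.inbound("udp", 6115))                     # None: nobody triggered
    pm.outbound("192.168.1.20", "udp", 6112)
    print(pm.inbound("udp", 6115))                     # 192.168.1.20
    print(pm.outbound("192.168.1.21", "udp", 6112))    # False: map is busy
    pm.release("udp", 6112)
    print(pm.outbound("192.168.1.21", "udp", 6112))    # True: now it's free
```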
Mapped Server "Loopback"
If your computer is on the LAN side of the router, you would normally reach a forwarded or mapped server on that LAN by using the private IP address assigned to the computer that the server is running on. Users on the WAN side of the router, on the other hand, reach the server via the router’s WAN IP address.
"Loopback" is the ability for LAN-side users to reach a forwarded server via the router’s WAN IP address (or its assigned Domain Name, if it has one and the proper DNS services are in place). This is a desirable feature because users on the same LAN subnet as the server don’t have to remember special addresses and can reach the server just like anyone else does.
Access Control (Port filtering)
Some folks may need to control which users can access Internet services, or restrict access to only specific things like email and web browsing. For this, almost all routers provide some sort of Access Control. It works by having you first create groups of users (you actually make groups of IP addresses). For each group, you select the specific Internet services (identified by their port numbers) that you want to control for that group.
Different routers allow different degrees of control, but you’ll usually be able to limit Internet access to a programmed group of services (ports) only, or allow access to all services except a named group. When a user tries to use a filtered service, say AOL Instant Messenger, in most cases the service just won’t work. This can be frustrating for the user and prompt unnecessary calls to tech support (or Mom or Dad) if the router administrator hasn’t told the users about the filters. A growing number of routers, however, display a message telling the user that their access is being blocked when they trigger a filter.
The average number of port filtering groupings is about four, and the number of ports that can be filtered per grouping varies. Some routers allow you to mix single ports and port ranges in the filter, while others allow only lists of single ports.
In most cases, the filters are either on or off, but some routers allow you to program a schedule for enabling and disabling the filters. The programming allowed is usually not very flexible, usually limited to one time period and the ability to control the days of the week that the time period is used.
Content Control (Content filtering)
Content Controls basically are intended to control which websites your LAN users can access. This feature is similar in function to programs like Cybersitter, NetNanny, CyberPatrol, etc., but is usually much more limited in function. Some products just allow you to enter the URLs or IP addresses of websites and allow you to restrict access to just those sites, or block the sites. Other routers implement list based filtering and allow you to purchase a subscription to a filter list maintained by a third party. You also might or might not get Time of Day controls for the filtering.
VPN (Virtual Private Networking)
With the increased focus on network security, this feature is becoming more important to people who need to connect to their office from home or while traveling. Many businesses are allowing connection to their internal networks only through these encrypted connections, and the router makers are responding by improving the VPN features of their offerings. Router VPN features do vary, however, so it’s important to know what type of VPN support you need.
The two most commonly used VPN protocols are PPTP and IPsec. PPTP (used by Microsoft’s Virtual Private Networking feature) is the most commonly supported, although most routers now also support IPsec as well. A third protocol, L2TP, is not very widely supported, so if your VPN uses it, check your prospective router’s specs carefully.
The simplest form of VPN support is pass-thru. A router supporting this mode will simply allow VPN data packets to pass through its firewall unmolested. It’s then up to the client computers on the LAN to run appropriate VPN client software in order to complete the VPN "tunnel" and successfully connect to the remote VPN server. Most router manufacturers say their products support VPN pass-thru, but your actual experience may be different. Problems are sometimes due to buggy router firmware, but can also be due to the fact that some VPN configurations won’t work through a NAT router.
Tip: The following VPN configurations will not work through a router’s NAT firewall:
• IPsec using Authentication Header (AH)
• IPsec with unencapsulated ESP encryption
Routers also differ in the number of pass-through connections they handle. Although not important for a lone telecommuter, this spec is important to small businesses trying to run VPN connections among multiple locations. Some products handle only one pass-through client at a time, while others will handle multiple clients. However, some routers require that all the pass-thru sessions go to the same VPN server. In the small business example above, this limitation would not let two users at the same location each connect to a different remote location. You won’t be able to find this level of detail in any manufacturer’s spec, but fortunately, we do include this information in our Router Product Guide listings.
One more potential "gotcha" is the ability of the router to support VPN servers behind it. You’ll of course have to map the appropriate ports, or put the VPN server in DMZ, but unless the router knows how to handle the specially constructed VPN data packets, your VPN clients won’t be able to connect. So if you need to have a VPN server behind your router, make sure it supports PPTP or IPsec server pass-thru.
VPN End-point
This VPN feature is also called "VPN Edge", and it’s the ability of the router to either originate or terminate a VPN tunnel. This allows the router to handle the VPN chores, and frees LAN clients from having to run VPN client software. It also allows you to use two similarly-equipped routers to set up a VPN tunnel between two locations, without using any other VPN software or hardware.
This feature used to be available only in products costing over $500, but new products such as the MultiTech RF550VPN and SnapGear Lite are pushing the price below $150!
If you’re shopping for routers with this feature, make sure you check whether PPTP is supported if you need it (some products support just IPsec in the End-point and pass-thru only for PPTP). And if you’re planning to access your network while traveling, see if they either bundle in VPN client software, or offer a discount toward the purchase of a suitable client.
Logging
Logging is your router’s way of telling you what it’s been up to, and more importantly what the folks using it have been doing. Most consumer-class routers have fairly simple logging features and little or no way to "drill down" into the data to look at a particular user’s activity.
The three main types of data that are logged are administrative, "hack attempts", and user traffic. Administrative activity includes things like router startup, shutdown, and reboots. You’ll also find admin interface logins, too. "Hack attempt" logs usually include any attempt to access your router from a machine on the WAN or Internet side of the router. These attempts are usually not aimed at your router specifically, but result from broad network (or subnet) wide port scans from any number of sources. Routers with SPI based firewalls can also interpret and log more potentially damaging attacks such as Denial of Service (DoS), fragmented packet, and other nasty stuff. Finally, user traffic logs keep track of the website, FTP, and other data requests that users make for Internet services.
As mentioned earlier, many routers provide a simple log interface, usually consisting of a page in the admin interface where you can just view a raw list of the logged activities. Some routers allow you to clear and/or save the list to a file, while others just keep a certain number of logged events, discarding the oldest ones as new events are added. Another kind of simple log is a URL or web traffic log, which may just show the number of visits to a specific web domain, without keeping track of the specific pages visited. If you’re interested in keeping track of what a specific user is doing, or need other cuts at the logged data, you should look for products that support external logging.
There are two methods used for external logging. Syslog support lets you specify the IP address of a machine on your LAN that runs a syslog daemon or server. This handy service originated in the unix community and can be added to Windows or MacOS systems by installing one of the many programs available to receive the logging information sent via this method.
Finally, some routers (usually those with SPI based firewalls) support Email alerts and reports. These features allow the router to send an email when it detects certain access ("hack") attempts from the router’s Internet side, or email a copy of selected log reports on a scheduled basis. Nice features to have if, like most of us, you don’t have the discipline to regularly check your logs!
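Once the router is sending its log to a syslog server, the "drilling down" the article says consumer routers can’t do themselves is a few lines of scripting. The example below is added here and is not part of the original article or any router’s firmware; the syslog line format and all addresses are constructed for the example (real routers word their firewall messages differently, so the two regular expressions are the part you would adapt). It separates the three log types the text describes, counts dropped WAN-side connection attempts per source, flags a source that probes many different ports (the port scan the article mentions), and lists admin logins that did not come from the LAN.

```python
import re
from collections import defaultdict

# Constructed sample syslog output (documentation address ranges used).
SAMPLE_LOG = """\
<134>Jan  5 10:01:02 router firewall: DROP IN=wan SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP DPT=21
<134>Jan  5 10:01:02 router firewall: DROP IN=wan SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP DPT=22
<134>Jan  5 10:01:03 router firewall: DROP IN=wan SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP DPT=23
<134>Jan  5 10:01:03 router firewall: DROP IN=wan SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP DPT=25
<134>Jan  5 10:01:04 router firewall: DROP IN=wan SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP DPT=80
<134>Jan  5 10:01:04 router firewall: DROP IN=wan SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP DPT=135
<134>Jan  5 10:05:17 router firewall: DROP IN=wan SRC=203.0.113.9 DST=198.51.100.20 PROTO=TCP DPT=80
<134>Jan  5 10:05:18 router firewall: DROP IN=wan SRC=203.0.113.9 DST=198.51.100.20 PROTO=TCP DPT=80
<134>Jan  5 10:07:00 router firewall: ACCEPT IN=wan SRC=203.0.113.9 DST=198.51.100.20 PROTO=TCP DPT=80
<133>Jan  5 10:09:41 router admin: login user=admin from=192.168.1.5
<133>Jan  5 10:12:05 router admin: login user=admin from=203.0.113.44
<133>Jan  5 10:30:00 router system: reboot
"""

# "Hack attempt" records: connection attempts from the WAN side the firewall dropped.
DROP_RE = re.compile(
    r"firewall: DROP IN=wan SRC=(?P<src>[\d.]+) .*?PROTO=(?P<proto>\w+) DPT=(?P<dpt>\d+)")
# Administrative records: logins to the router's admin interface.
LOGIN_RE = re.compile(r"admin: login user=(?P<user>\S+) from=(?P<src>[\d.]+)")


def is_private(ip):
    """RFC 1918 check, so a LAN-side admin login can be told from a WAN one."""
    a, b = (int(x) for x in ip.split(".")[:2])
    return a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)


def summarize(log_text, scan_threshold=5):
    """Return per-source drop counts, sources that look like port scans
    (>= scan_threshold distinct destination ports), and admin logins
    from non-private addresses."""
    drops = defaultdict(int)
    ports = defaultdict(set)
    wan_logins = []
    for line in log_text.splitlines():
        m = DROP_RE.search(line)
        if m:
            drops[m["src"]] += 1
            ports[m["src"]].add(int(m["dpt"]))
            continue
        m = LOGIN_RE.search(line)
        if m and not is_private(m["src"]):
            wan_logins.append((m["user"], m["src"]))
    scanners = sorted(src for src, p in ports.items() if len(p) >= scan_threshold)
    return {"drops": dict(drops), "scanners": scanners, "wan_admin_logins": wan_logins}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for src, n in sorted(report["drops"].items(), key=lambda kv: -kv[1]):
        print(f"{src:16} {n:4} dropped")
    print("port scan suspects:", report["scanners"])            # ['203.0.113.7']
    print("admin logins from WAN:", report["wan_admin_logins"])  # [('admin', '203.0.113.44')]
```

A source that simply retries one blocked port (203.0.113.9 above) is noise, while one walking through many ports in a few seconds is the scan worth an email alert; adjust scan_threshold to your own log volume.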
Routing
Some routers have non-NAT routing features. This means that instead of manipulating data so that many computers can share a single IP address, the router can properly direct traffic among all computers on networks that use more than one range of IP addresses. One of the key functions that’s performed is making sure that all computers know the IP addresses of the various network gateways and DNS servers, and where to send data that’s intended for computers that are on different subnets. Note that this feature does not solve the problem of getting Microsoft File and Printer sharing to work so that all machines on all subnets can see and communicate with each other. That requires a Domain controller, which you get by adding either a Microsoft-based server or a *nix machine running Samba.
There are two kinds of additional routing features. Static routing requires that you manually enter subnet information into the router. Dynamic routing uses RIP (Routing Information Protocol) to allow RIP-aware devices to share network routing information automatically.
If this explanation isn’t that clear to you, don’t worry too much. If your network were complicated enough to require these functions, you probably already know more about them than we do!
Other Features
This final section will attempt to capture all the rest of the features that you’re likely to find in NAT routers that don’t really fit neatly under any of the previous headings. Here we go...
Discard WAN ping / "Stealth" mode - One of the basic things that any port scanning program does is to ping your IP address and see if any answer comes back. This feature makes sure that your router doesn’t make a peep if it’s hit with a ping, so that the port scanner thinks that nobody’s home at your IP address and doesn’t mark you for further investigation. Definitely a good feature to have, and to enable if you have it! (Keep in mind that a scanner which skips the ping step can still probe your ports directly, so treat this as a way to stay off casual radar rather than as protection in itself.)
Remote Administration - This feature allows you to access the admin screens of your router from the WAN (Internet) side. Very handy if you travel frequently and need to adjust a setting on your router, or if you’re responsible for keeping routers at customer sites up and running. Since this feature can potentially allow anyone to gain control of your network if it’s not properly secured, you need to look for products that have ways to make it harder for anyone besides you to control the router. At minimum, you should be able to restrict Remote Admin access to specific IP addresses or range of addresses. Better yet, but harder to find, is the ability to specify the port number that you use to access the Admin HTTP server. This means that someone would not only have to know your router’s WAN IP address, but also the port number that you’ve assigned.
Print Server - This feature was made popular by SMC’s older Barricade line of routers. It allows you to connect a parallel port printer to the router instead of a networked computer and offload the printer sharing tasks to it. This means that printing doesn’t depend on a particular computer being up and running, and can also allow you to move your printer to a more centrally located spot. Most router-embedded print servers don’t have much memory (limiting the size of files that can be printed), may not handle printing from MacOS computers, and don’t support bi-directional printer features. Still, it’s a nice feature to have, especially when it adds hardly anything to the price of routers that have it.
MTU - This feature allows you to adjust the Maximum Transmission Unit of your router. It will probably be of interest to users with PPPoE based connections, or those folks trying to get VPN connections working, or both! It’s needed because of the way that some BSPs set up their networks. Playing with this parameter on cable-modem connected computers was made popular by speedguide.net, but there’s no need to adjust this parameter on a router unless your BSP or router manufacturer recommends it.