TR Forums

This month's MaxPC did a step-by-step build and toward the end they said:
"One thing to note: Make sure your box is hooked up behind a NAT - you do not want to hook an unpatched machine directly to the Internet because it will come under attack almost immediately."

They didn't say "make sure you install your AV before you connect." My questions are, Why didn't they? and How hard is it to "make sure your box is behind a NAT"?

no need to tell you this I guess but - first-time builder, first time new install.

I have a router sitting around here - not N but G so maybe it isn't too old...do I have to do the whole configure process or if I just wire it between my modem and my new machine, does that mean I'm now "behind a NAT"? Will it even give me access if I don't configure it?

Thank you guys -for all your help - it is MUCH appreciated!

Yes, if you put the router between your PC and the broadband connection, you are effectively "behind a NAT". As long as you don't visit questionable sites or open iffy e-mail attachments before you've installed AV you should be fine with just the router as protection.

The purpose of a NAT router (also called a NAT firewall) is different from AV; in addition to allowing multiple PCs to share a single public IP address, it also prevents random people (and bots) out on the Internet from attempting to hack into your PC. It is amazing how frequently these attacks occur -- any system that is directly exposed to the Internet will come under some sort of attack every few minutes. A NAT router/firewall defends against these attacks by blocking all unsolicited inbound traffic before it reaches your PC.

Couple of caveats:

- Make sure you connect the broadband modem to the correct port on the router, otherwise the router will be acting only as a switch (and won't protect you).

- If the current configuration of the router isn't known, figure out how to reset it to its factory defaults before hooking it up to the Internet. If it has been used before it may have been configured with a DMZ port, which bypasses the firewall function. Assuming your ISP and your PC are both set up for DHCP (automatic IP configuration), the router's defaults are probably reasoanble... but if it doesn't seem to be working, RTFM!

To explain a bit further:

Your cable/DSL modem is assigned an IP address by your ISP. This address is one that is allowed to be routed over the entire 'Net. If you plug a computer directly into the modem, the computer will take on that globally-public IP address and thus be at major risk.

When you use a router/firewall the public IP address is assigned to the router/firewall. Devices attached to it are assigned IP addresses in ranges that, by definition, are not allowed on the global public 'Net. Even if someone knew your behind-the-router private IP address, no self-respecting backbone router would pass the traffic through.

Stateful firewalls are a lesson for another day, but they're a Good Thing.

EDIT: Oh, for the record, NAT stands for Network Address Translation. That's what your router/firewall does to translate & route traffic coming into it on the public IP address to whatever private IP addresses live behind it.

Captain Ned wrote:

Even if someone knew your behind-the-router private IP address, no self-respecting backbone router would pass the traffic through.

Even a crappy "Wal-Mart special" router should know better than to pass it through...

just brew it! wrote:

Even a crappy "Wal-Mart special" router should know better than to pass it through...

I was going for "the backbone would never let it happen" here, but agreed.

http://www.team-cymru.org/Services/Bogons/

Actually routers typically will pass bogons as there are some ISPs that use NAT within the ISP and hand out private IP addresses to their customers. And if we are going for full correctness, NAT is different from PAT and a real router is more than a NAT/PAT box. I'll take off my Cisco hat now that we've probably confused the OP

Getting back to the original question, basically as they said above. Grab your router, make sure nothing is set as DMZ, plug your internet connection in to the port labelled WAN, plug your PC in to one of the ports labelled LAN or connect to the router over wireless and you are good to go.

notfred wrote:

Actually routers typically will pass bogons as there are some ISPs that use NAT within the ISP and hand out private IP addresses to their customers.

Oh, yuck... I hadn't thought of that. But in that situation the WAN port of the router would still need to be on a different private subnet from the LAN side, so the router should still be able to block the unwanted traffic... right?

notfred wrote:

I'll take off my Cisco hat now that we've probably confused the OP

Don't mind us, canoli. We're just going off on a little tangent about some minutiae that doesn't affect what you're trying to do.

Hehe, I see that!

Thank You guys for your help - I love the easy answer of "just plug it in, default is good, you're all set"
So once I've got my assortment of AV / SW stuff installed, should I leave it that way? plugged in through the router?

Or does it make any difference? I assume my ISP has some sort of ... something ... to keep the really evil stuff from taking over their customers' machines. Can a $40 AV product - or a free one for that matter - and a handful of spyware scans really be enough protection? Or is there a lot of (or at least some) protection going on behind the scenes I don't know about?

Thanks again for your replies!

just brew it! wrote:

notfred wrote:

Actually routers typically will pass bogons as there are some ISPs that use NAT within the ISP and hand out private IP addresses to their customers.

Oh, yuck... I hadn't thought of that. But in that situation the WAN port of the router would still need to be on a different private subnet from the LAN side, so the router should still be able to block the unwanted traffic... right?

It certainly shouldn't let a bogon escape into the cloud.

To the OP:

ISPs, if they offer anything, usually offer free copies of McAfee or Norton. Personally, I rely on the NAT function of the home router and the freeware Microsoft Security Essentials. What goes on in the ISPs control centers isn't anything I can control so I don't worry about it.

ya, good point - "no control over ISPs, no need worrying"

I was really just wondering if I should leave the new computer wired through the router (default config, no wireless) after I'm done patching the OS and installing avast (free version probably) AV... even if it won't be doing any actual routing / switching.

Thanks!

just brew it! wrote:

But in that situation the WAN port of the router would still need to be on a different private subnet from the LAN side, so the router should still be able to block the unwanted traffic... right?

Yup, different subnets on different network segments otherwise all kinds of profanities ensue

canoli wrote:

So once I've got my assortment of AV / SW stuff installed, should I leave it that way? plugged in through the router?

Yes, leave it setup that way. There may be some stuff that will later require a little tweak to some of the router settings (you may need to setup some port forwarding for some games or things like that) but it should be fine for most of what you want to do.

canoli wrote:

I assume my ISP has some sort of ... something ... to keep the really evil stuff from taking over their customers' machines.

There's actually surprisingly little done to prevent hostile traffic. Given the efforts that some ISPs spend throttling / blocking Peer-to-Peer traffic such as BitTorrent, they could definitely do a lot more. However it's not really popular to call up your customers and tell them you are disconnecting their service because their PC is a SPAM spewing zombie and contributing to a DDoS attack. You get more money by keeping them connected and selling them an AV solution. At the very least if every ISP implemented unicast Reverse Path Forwarding (i.e. packets should only come from a potential path that you could send it) it would prevent spoofing of addresses. This uses up more processing power in the router (an extra lookup step is required) so may require them to buy bigger faster routers.

Thanks notfred - I actually understood a good portion of that!
And thanks for being clear about the easy part - "yes keep it that way"

I'm not afraid of a little configuring if that's what it needs - and if it adds a layer of protection - sure seems worth it.

I need to learn this stuff anyway - my roommate wants to share my cable modem but she wants a wireless connection - me I don't wanna mess with a good thing, which is - decently fast service and reliable.

I know it's a different topic - so if a new thread is better netiquette I'll do that.

my question is a basic one to understand what's possible - can a "router" (Netgear Wireless G WGR614) give her wireless service throughout our apartment, but also still keep me connected wired? (ugh, horrible english but hopefully you understood!)

Right now I'm just curious if it's even possible - one wired, one wireless. I assume it's done all the time but...
The problems I can conceive would be...maybe both connections have to be wireless for some reason? Or maybe the speed of the wired connection will drop considerably because I'm sharing it? Would either of us be able to "see" what the other is doing?

please feel free to tell me to go #$%@ myself with all these questions - meaning, "go start a new thread newbie!"

Thanks again for your help!

my question is a basic one to understand what's possible - can a "router" (Netgear Wireless G WGR614) give her wireless service throughout our apartment, but also still keep me connected wired? (ugh, horrible english but hopefully you understood!)

Your English is fine.

There is no problem with you connecting with a wire and her connecting wireless at the same time.

canoli wrote:

my question is a basic one to understand what's possible - can a "router" (Netgear Wireless G WGR614) give her wireless service throughout our apartment, but also still keep me connected wired? (ugh, horrible english but hopefully you understood!)

Yes, the router should be able to handle multiple wired and wireless connections simultaneously.

However, you may be disappointed in the performance of your WGR614. I have one of those too (the "V5" variant of it), and it is an absolutely horrible router. Long lags (apparently due to dropped DNS requests while surfing), and they haven't issued a firmware update for it in 5 years. Hopefully you've got something other than the V5; there have been nearly a dozen different versions of the WGR614 produced over the years. (I currently use my WGR614 only as a wireless access point; I've disabled its NAT/router functionality and use something else for that...)

thanks you guys.

hey JBI - I've got a "v7" - so that's just a newer revision then you think? ...which should mean I can expect better performance?

I am quite happy to buy a newer router. I understand the N (or are we still at pre-N?) is the latest standard and beats G by quite a bit?

I have to say though - I'm just beginning to read networking stuff - the forums, the websites, mags, etc. and it seems like every router out there has major problems...Brand X gets reviewed, the reviewer likes it - and then there are 90 comments all saying the thing sucks! it's crazy.

canoli wrote:

I have to say though - I'm just beginning to read networking stuff - the forums, the websites, mags, etc. and it seems like every router out there has major problems...Brand X gets reviewed, the reviewer likes it - and then there are 90 comments all saying the thing sucks! it's crazy.

Stick with something that can run the DD-WRT or Tomato open source firmwares. I'm using a Linksys WRT54GL with Tomato and am very happy. No N, but I have no need for N.

This Asus gets good press, runs DD-WRT, and has a built-in USB print server.

very cool Cap - thanks!

just did a quick read on DD-WRT on wiki - it reminded me why the open-source community is so great - "...vulnerable to this exploit, which was fixed a few hours after being documented ..."

A "few hours..." now that's customer service!

Thanks for the recommendation. I'll be doing my due diligence in the next few weeks, learning the basics of networking. Anything with "open-source" in its framework is a great place to start. Thanks again!

canoli wrote:

hey JBI - I've got a "v7" - so that's just a newer revision then you think? ...which should mean I can expect better performance?

Maybe. At least there ought to be newer firmware for it than I've got for mine.

canoli wrote:

I have to say though - I'm just beginning to read networking stuff - the forums, the websites, mags, etc. and it seems like every router out there has major problems...Brand X gets reviewed, the reviewer likes it - and then there are 90 comments all saying the thing sucks! it's crazy.

Yeah, tell me about it... After going through 3 routers in ~6 years (the previous 2 died, and the WGR614v5 is just plain annoying) I finally got pissed off enough to figure out how to build my own out of an old motherboard/CPU, a couple of NICs, and a copy of Ubuntu Server 10.04. The downsides are that it is rather bulky (ATX mid-tower case), and consumes a bit more electricity than a standalone router. But at least I've got complete control over it -- I can replace failing hardware components as needed with stuff from my spare parts collection, and run my choice of Open Source firewall software on it. (I'm not suggesting that you go this route yourself, I'm just mentioning it since it is how I chose to deal with the "most of the routers seem to suck" issue.)

Ho ho! Now THAT is truly the way to go. I don't blame you for mentioning it - I would, every chance I got! A custom, homemade router...I bow to thee!

seriously though, I'm glad it's not just my newbie impression - of course I went through the same thing with everything else. But at least with the rest of the gear you can find a final word or close to it - a few valid but opposing POVs - and then make your decision.

Routers - at least the market for them and the reviews - it just seems like a mess.

Dang - forgot to ask the question I really wanted to know --

after I install Win 7 - instead of going online to MS and getting the latest patches - shouldn't I install an AV - even a demo version - first?

All the articles I've read have "install an AV product" after getting the updates - so there must be a good reason why you don't install your AV first...but I can't think of what it might be. Can you tell me? Or maybe I'm just reading the wrong articles??

Thanks you guys!

If you're behind a consumer-grade router you're pretty safe if all you'll be doing is running Windows Update. If you're directly connected I'd use another machine (that already has A/V running) to D/L your AV of choice. Copy it over to your new box and install it before running the update cycles.

Also, while you're at the MS site, grab MS Security Essentials. It's free and it's good.

Thanks Cap - I bought a laptop recently that came with a Trend Micro disk and a free 90-day key - I never used installed it b/c I'm not a fan, but I was thinking I could use that temporarily for my new machine. Install OS, install AV, get updates, uninstall AV, install better AV.

Actually I thought most builders always downloaded the patches using a different machine - put them on a CD / USB key and then patched the new machine that way. But nobody seems to suggest that method anymore. Maybe nowadays you have to be connected to the MS Update site?

Thanks again for your reply!

oh -one more thing if you would - I see my BIOS vers is 1.1 and there's a 1.3 available on MSI's site - should I update the BIOS before I do anything else? There isn't much of a description, just 2 short lines about "- Update CPU micro code" and "Improved memory compatibility." I know they say not to update your BIOS unless you have to but since this is a new machine, maybe I should?

thanks again - any advice will be greatly appreciated!

Captain Ned wrote:

Stick with something that can run the DD-WRT or Tomato open source firmwares. I'm using a Linksys WRT54GL with Tomato and am very happy. No N, but I have no need for N.

This Asus gets good press, runs DD-WRT, and has a built-in USB print server.

Interesting. I've been looking for a router with a built-in BitTorrent client. That it supports DD-WRT is a plus. Any idea how well it handles BT?

Kurotetsu wrote:

Interesting. I've been looking for a router with a built-in BitTorrent client. That it supports DD-WRT is a plus. Any idea how well it handles BT?

Given that it's got 128MB of RAM, I think that it should have no issues with large routing tables.

canoli wrote:

Actually I thought most builders always downloaded the patches using a different machine - put them on a CD / USB key and then patched the new machine that way. But nobody seems to suggest that method anymore. Maybe nowadays you have to be connected to the MS Update site?

You certainly can (and should!) do Service Packs that way, but for the "Patch Tuesday" security fix stuff the easiest way to go is just connect to Windows Update.

canoli wrote:

oh -one more thing if you would - I see my BIOS vers is 1.1 and there's a 1.3 available on MSI's site - should I update the BIOS before I do anything else? There isn't much of a description, just 2 short lines about "- Update CPU micro code" and "Improved memory compatibility." I know they say not to update your BIOS unless you have to but since this is a new machine, maybe I should?

If your current CPU and RAM are properly recognized by the mobo there's no need to upgrade. Once the box is up and running for a few weeks take stock of how it's running and if there are mobo features that don't work as they should. If you're still 100% good there's still no need to update the BIOS.

I'll admit that my reticence for BIOS updating comes from the days when the first Windows-based BIOS flashers came out and bricked mobos all across the land. The only reason my box has a 3.5" floppy drive is for BIOS flashes. Of course, my mobo maker (Abit) gave up the ghost last year so whatever BIOS updates I can find are of the dodgy unknown-source hand-crufted variety.

Thanks JBI, thanks CN -

I think all is well so I guess I'll just leave well-enough along.

There is one little thing - the QPI Freq of the 980X is supposed to be 6400MHz.
But at the top of the Cell Menu in the BIOS it says Current QPI Freq is 4800MHz. Further down the Cell Menu, in the Memory section it has all the adjusted numbers and one of them is Adjusted QPI Freq and that reads 6400MHz. I don't know which one is the actual frequency...the manual is good but it doesn't explain that.

I'm sure (well, not so sure) that's specific to my board and hopefully other MSI X-Power / 980X owners might be able to tell me about. Of course if you have any thoughts on it I'd love to read them.

Thanks again for your help you guys.

so um...back to the ROUTER thing...

I'm installing Win 7 Pro now and when it's done I want to keep my laptop connected to the internet too. (and eventually add my roomie wireless)

My (probably dumb) question is about setting up the router is - should I wait until the new computer is ready to connect - or can I set it up now and just plug in a new wire for computer #2? Or does it even matter?

I suppose I'll have to use the Wizard too - I hate Wizards - since I'm nowhere near an "advanced user." Oh well, as long as I can connect both machines.

Thanks you guys - thanks a lot. sorry to keep bugging you with this router business...

A quick note that with Windows 7, the built-in Windows Firewall is on by default. So it is not like the old days of XP when you just need 20 seconds to get infected with a wide-open computer before you get to the AV/patches/etc.

I would stay away from the wizard. Usually the router CD installs some stupid program that I don't want on the computer. Read up on the manual about how to set it up. It should list some screens about the "advanced" mode where you usually go to an internal IP address with your web browser to configure the settings. If you are wired, chances are you don't need to do much on the router "website" unless you are on a DSL connection where you need to enter your username/password to get connected. The hard part comes when you want to enable wireless, but that's for another post.

Everybody was a newbie at one point in time. Don't worry.

Thanks FF - you're right I shouldn't worry so much - the whole point of the forums is to share information I guess! So thanks.

I wanted to see what would happen so I connected the router btw my laptop and the cable modem and it immediately took me to the setup page. I didn't insert the CD - ignored the Red-Label warning taped over the LAN ports - but I still ended up at the setup. I was hoping to bypass setup and just have the internet "feed through" the router, giving me the benefit of the NAT functionality.

Thanks for the reminder about the Win7 firewall - good they finally changed its default.

I think I may blow off the whole router/NAT deal and just install AV after I install Windows - before I ever connect to the internet. I'm sure the Win installer will complain about not being connected but hopefully I can work around that...