Ethernet network questions

Thanks astro, I will try to play around and see what I can learn. I just hope I don’t make anything worse because these people use their computers for work and would not take it kindly if I mess up. Maybe I should try after hours. At any rate I hope to learn about this.

The address of a router on a small LAN is typically going to be the gateway address shown in IPCONFIG (run from DOS). There are other ways to find the gateway address based on the OS used.

A short lesson in how these networks are typically set up.

Your router will either automatically get an IP address from the upstream DHCP server (most likely scenario), or it will be configured with a static address assigned by your ISP.

Call the entire network on the inside of the router the “private” network. If the router is doing NAT, the private network will have an arbitrarily-assigned numbering scheme which should be a private address space (such as 192.168.123.x, as NutMagnet suggests). The way this is configured is that, using the configuration utility (or web interface to the router), you give the router’s inside interface an IP address on that network. You choose this address, but it is typically either the high or low usable address for the network, i.e. 192.168.123.254 or 192.168.123.1. For the rest of this post, I’ll assume you’ve picked 192.168.123.1.

Next, all the machines on the private network need addresses in this same address space, and they need to set their “gateway” address to whatever the router’s inside address is set to (e.g. 192.168.123.1). You can do this one of two ways: on one hand, you can allocate and assign them by hand, as has been done on the existing network, or you can turn on the DHCP server on the router (using the config utility or web interface) and configure it to give out a range of addresses in your private space (but you need to exclude the router’s address, and it’s often helpful to leave some leftover in case you want to assign some by hand, for example for a server, so the range could be something like 192.168.123.2 - 192.168.123.32).

The way you get to this particular router’s configuration utility is by http’ing to it. So if it’s fresh out of the box, you’d plug your computer into it, have your computer obtain an address automatically, and use your browser to go to http://10.0.0.1/ . Since it’s already configured, its address will be different, but it’s easy to find out what its address is: it’s the “gateway” address configured for all the PCs on the network (for all intents and purposes, “router” = “gateway”), as Clu points out.

Note that there’s a catch: if you change the router’s inside address, your connection to it will suddenly be gone. Let’s say the router is currently 193.0.3.1 and your PC is 193.0.3.2. You decide to do the right thing and renumber the private network to 192.168.123.x, so you go to http://193.0.3.1/ and change the router’s inside interface to 192.168.123.1 and set up the DHCP server. When you hit “apply” or “ok” or whatever, the router’s address changes and you can no longer talk to 193.0.3.1. What’s more, you probably won’t be able to talk to 192.168.123.1, since your PC’s network configuration is now on the completely wrong network. So you need to reconfigure your PC to use DHCP (or set the static address to 192.168.123.x), and then go to http://192.168.123.1/. Now, here’s the real catch: if you blow it and accidentally set the router’s inside address to 192.168.124.1 without realizing it, you have just cut off all access to this router’s config utility unless you want to spend several hours guessing at what network the PC needs to be on and what the router’s address is on that network. This is what the “restore factory settings” button is for, so make sure you know the drill for that before you go messing around. And to avoid the pain, just be extra careful when configuring the router’s inside interface.

Regarding NutMagnet’s comment about cloning the MAC address, this won’t really be necessary, since it sounds like you’re not going to add a firewall (as the router already acts as one). But to explain, there are scenarios where the ISP wants to make sure only a specific computer or computers can use the network, so they ask you for your computer’s MAC address and they put it in a database which governs what PCs can obtain a DHCP address and/or authenticate using PPPoE (PPPoE is used for some DSL setups, but almost certainly not in the network in question). When you add a firewall, it sits between your PC and the ISP, and it actually requests the DHCP address or does the PPPoE authentication with the ISP, but it can be denied because it’s got a different MAC address than your PC. So most firewalls and home gateways have a setting for MAC address cloning, which allows you to set the MAC address on the outside interface to match that of your PC, thus pulling the wool over the ISP’s eyes.
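The renumbering rules in the post above (router address in private space, DHCP pool that excludes the router and leaves room for hand-assigned servers, and the “catch” where the PC ends up on the wrong network and can no longer reach the router) can be checked mechanically before you hit “apply”. The following is an added example written for this thread, not code from any poster or from the router vendor; the plan values it checks (192.168.123.1/24, pool .2 to .32, server at .33) are the thread’s suggestion, and the 193.0.3.x addresses are the made-up ones from the post.

```python
import ipaddress


def check_plan(router_inside, dhcp_range, static_hosts):
    """Check a private-network numbering plan; returns a list of problems (empty means OK).

    router_inside: the router's inside address with prefix, e.g. "192.168.123.1/24"
    dhcp_range:    (first, last) address the router's DHCP server may hand out
    static_hosts:  {name: address} for machines you assign by hand (servers, etc.)
    """
    problems = []
    iface = ipaddress.ip_interface(router_inside)
    net, gw = iface.network, iface.ip
    if not net.is_private:
        problems.append(f"{net} is not private address space")
    if gw in (net.network_address, net.broadcast_address):
        problems.append(f"router address {gw} is not a usable host address on {net}")
    lo, hi = (ipaddress.ip_address(a) for a in dhcp_range)
    if lo > hi:
        problems.append("DHCP range start is above its end")
    for a in (lo, hi):
        if a not in net:
            problems.append(f"DHCP range boundary {a} is outside {net}")
    # The pool must not contain the router's own address, or a PC may be handed it.
    if lo <= gw <= hi:
        problems.append(f"DHCP range includes the router's own address {gw}")
    for name, addr in static_hosts.items():
        s = ipaddress.ip_address(addr)
        if s not in net:
            problems.append(f"static host {name} ({s}) is outside {net}")
        elif lo <= s <= hi:
            # A server inside the pool could collide with a dynamically assigned PC.
            problems.append(f"static host {name} ({s}) sits inside the DHCP pool")
        if s == gw:
            problems.append(f"static host {name} reuses the router address {gw}")
    return problems


def pc_can_reach_router(pc_iface, router_ip):
    """True if a PC with this address/prefix shares a subnet with the router's inside address."""
    return ipaddress.ip_address(router_ip) in ipaddress.ip_interface(pc_iface).network


if __name__ == "__main__":
    # Constructed plan using the thread's suggested 192.168.123.x space.
    print(check_plan("192.168.123.1/24", ("192.168.123.2", "192.168.123.32"),
                     {"server": "192.168.123.33"}))
    # The old numbering from the post is public space, which check_plan flags.
    print(check_plan("193.0.3.1/24", ("193.0.3.2", "193.0.3.32"), {}))
    # The "catch": router moved to 192.168.124.1 while the PC still sits on 192.168.123.x.
    print(pc_can_reach_router("192.168.123.2/24", "192.168.124.1"))
```

Run `check_plan` on the addresses you intend to type into the router and `pc_can_reach_router` on your PC’s address against the new router address; if the second returns False, you already know you will have to reconfigure the PC (or use the factory-reset button) before you can get back to the web interface.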

ntucker, thanks, I have printed that out so I can have it at hand when I start the messing.

BTW, another question: How does the router know where to send incoming packets?

Suppose I have 6 computers on the local network but they all appear as a single IP to the outside internet. One of them asks for a web page. When the packets come back addressed to the external IP address how does the router know which computer to send them to?

sailor, the router keeps track of all outgoing transmissions in a big table, then matches them back for incoming transmissions. Each packet comes from a port on the transmitter and is sent to another port on the receiver. Some ports are statically defined (for example, HTTP is generally 80), and others are defined on the fly (for example, when you send a packet to a web server it is sent to 80, but it is sent from a port on your computer that is somewhat randomly generated). So, the NAT device takes requests from devices it’s protecting, and generates a similar request on the outgoing side. On the outgoing request, it assigns a transmitting port, and notes which IP address (and port) it was requested from initially. Then when packets come back to that port, it rebuilds the packet for the appropriate machine and sends it along.

sailor wrote

Yes, this is what I was alluding to earlier. Cleaning things up shouldn’t be a big deal, and can be very educational, but if there’s something you’re not counting on (and I can think of a couple possibilities which I mentioned in my first post), you could end up in the ugly situation where they don’t have internet access, or don’t have access to a server they need for work or such.

So… a few practical points:
  a. Figure out what sorts of things are important to them for usage. Email’s probably a given, perhaps access to some internal server, etc. This way, after you’re done with your changes, you can test and make sure that things haven’t busted.

  b. Do the changes overnight, or if you really want to be safe (and have more time to play and learn) do it on the weekend.

  c. Have contact information for their ISP on hand in case you need to contact them for any questions/issues that come up.

  d. Have an expert or two that you could contact with unforeseen issues during the time you’ll make your mods just in case. If you post the date/time here, I’m sure many could. Of course, you should plan on the contingency that you lose internet access onsite.

sailor wrote

The current configuration is actually very secure from hackers, as it has a NAT firewall in front of everything, and I suspect they have no servers on site. Although that’s the first question for them: do they have any servers which are accessible to the public world? Are they onsite or located elsewhere?

Also, putting virus protection software on the computers isn’t a bad idea. Also keeping up to date with patches on all of the computers.

As it’s a small company, just doing those things will make them far more secure than the average company out there.

Bill, no servers on site and antivirus software running on all computers so I guess it’s good news. I’m still planning on messing a bit just for learning.

To elaborate about onsite servers and the security provided as a side effect of NAT: all of your computers appear to the outside world to be one single machine operating on a single public IP address. Let’s say this is 4.3.2.1. What happens if one of your private computers (say 192.168.123.5) is a web server? You want people on the internet to be able to connect to port 80 (the HTTP port) and make HTTP requests to get web pages. Well, they can’t connect to port 80 on 192.168.123.5, because that address isn’t real anywhere except in your private network, and they can’t connect to port 80 on 4.3.2.1 because that’s your NAT router, and it’s not willing to accept that connection (unless it’s in response to outgoing traffic to that internet host, as outlined in Bill H’s excellent explanation of NAT).

So what you have to do is configure your router with a port redirection. You use the config utility / web interface again, and you tell the router, “all incoming connections to port 80 should be redirected to port 80 on 192.168.123.5” (note 3 parameters: incoming port, redirection IP, redirection port). Most routers will let you specify 10 or 20 of these redirections for various services.

So the way this provides security is that incoming connections, by default, will just be thrown away. If you want to allow incoming connections, you do it on a case-by-case basis by redirecting them to a specific PC inside the private network.

So before you go fiddling with the router, check its port redirection table and make sure they don’t have any defined. If they do have some defined, then you’ll have to figure out which PC’s they’re being redirected to and recreate those entries using your new numbering scheme. Also note that for all practical purposes, creating a port redirection to a particular machine requires that it use a static IP address rather than a dynamic IP address, otherwise that machine might get a different IP address later and then the redirection will go to the wrong machine. This is one of the reasons I mentioned that you might want to set your DHCP allocation range to something like 192.168.123.2 - 192.168.123.32. Then you assign your servers 192.168.123.33 and up and don’t worry about their addresses changing.

One more comment: you say there are no servers on site, but any machine can be a server, so you really should double check the port redirections. It’s entirely possible that whoever set up the network saw fit to create a port redirection for himself so he could get to file shares on his PC from the internet, or some similar situation.
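Bill H’s description of the translation table (outgoing requests get an assigned port and are matched back on return) and ntucker’s explanation of port redirection above (three parameters: incoming port, redirection IP, redirection port; everything else is dropped) are two halves of the same mechanism. The following Python model of a NAT router is an added example for this thread, not code from any poster or from the router’s firmware: it keeps the table, rewrites packets in both directions, drops unsolicited inbound packets, and lets only an explicit redirection through. The public address 4.3.2.1 and the private 192.168.123.x hosts are the thread’s examples; the outside hosts 203.0.113.x are constructed.

```python
import itertools
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class NatRouter:
    public_ip: str
    # Port redirections: incoming public port -> (private IP, private port).
    redirects: dict = field(default_factory=dict)
    # Translation table: assigned public port -> (private IP, private port, remote IP, remote port).
    table: dict = field(default_factory=dict)
    # Source of "somewhat randomly generated" public ports; sequential here for readability.
    _ports: itertools.count = field(default_factory=lambda: itertools.count(40000))

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite an outgoing packet to come from the public IP and remember who sent it."""
        public_port = next(self._ports)
        self.table[public_port] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return Packet(self.public_ip, public_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet):
        """Deliver an incoming packet to the right private host, or drop it (returns None)."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.table.get(pkt.dst_port)
        # A reply is accepted only from the host and port the private machine actually talked to.
        if entry and (pkt.src_ip, pkt.src_port) == (entry[2], entry[3]):
            priv_ip, priv_port = entry[0], entry[1]
            return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)
        # Otherwise only an explicit port redirection lets a new connection in.
        if pkt.dst_port in self.redirects:
            priv_ip, priv_port = self.redirects[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)
        return None  # default: thrown away


if __name__ == "__main__":
    # Redirect incoming port 80 to the private web server 192.168.123.5, port 80.
    router = NatRouter("4.3.2.1", redirects={80: ("192.168.123.5", 80)})
    out = router.outbound(Packet("192.168.123.7", 51000, "203.0.113.10", 80))
    print("as seen by the web server:", out)
    print("reply delivered to:", router.inbound(Packet("203.0.113.10", 80, "4.3.2.1", out.src_port)))
    print("unsolicited packet:", router.inbound(Packet("203.0.113.99", 4444, "4.3.2.1", 40001)))
    print("redirected connection:", router.inbound(Packet("203.0.113.99", 5555, "4.3.2.1", 80)))
```

The last two lines of the demo are the security property ntucker describes: with no table entry and no redirection the packet is simply discarded, and the only inbound path that exists is the one you configured by hand, which is why auditing the redirection table before renumbering matters.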

Is there a way I can save to a file or print out the entire configuration of the router so I can restore it to the way it was if I mess things up?

I don’t know this router, but usually you can’t print the configuration from a web-based interface. You can try telnetting into the router and dig around, perhaps there’s a way to show the config (command “show config” in Cisco IOS, but there’s absolutely no reason to think this’ll work in this brand), and then print it.

Else, there usually aren’t that many pages in web-based interfaces, 15 at most. You could just print screen each of them.

Oh, by the way. There’s a password to access the router, and often times the customer doesn’t know it, as it was set up by the ISP initially. In fact, often times the ISP won’t release the password, as they consider the demark point to be the LAN jack coming out of the router, i.e. everything upstream from that jack is their property and responsibility.

So, be sure to call the ISP first with the customer’s permission and get the password. Often times, you’ll have to have the customer available as they’ll ask some authentication type question.

As a matter of fact, there is a very convenient way which exists on many routers, this one included. I looked it up in that manual just to make sure. The instructions are there (page 17ish), but the part about restoring the config appears to be incomplete. Basically, you FTP into the router (make sure it’s in binary mode) and “get system.cfg”. Then you end up with a local system.cfg file on your hard drive, and if you FTP to the router and “put system.cfg”, the configuration is restored.

You’ll have to fiddle with this, as that documentation is a little goofed up. They imply that you can do this as Anonymous with no password, and I sure hope that’s a misprint.

First, ask around for the password if a password is set. There is a small possibility that a password was never set.

Your router has no factory default password, so if you don’t know the password you can reset the router to factory default values and access the router through your web browser at http://10.0.0.1

To reset your router to the factory default (no password) state:

  1. Login through the Serial Port and get to the command prompt.

  2. Enter the “reboot” command.

  3. During the boot process, the screen will start displaying a series of periods ("."). Enter the word “default” while the dots are being displayed.

You can use MS Hyper Terminal to connect through the Serial Port.

Note that setting the router to factory default will reset all settings, and may disrupt your connection to the Internet. Do this as a last resort.

It is recommended that you save the current router config before you begin changing settings. Use the instructions in previous posts to ftp and save the system.cfg file. You can always ftp and use the put system.cfg to restore it to its original state.
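The backup-and-restore procedure ntucker found in the manual (FTP in binary mode, “get system.cfg” to save, “put system.cfg” to restore) and xash’s advice to do it before touching any settings can be scripted so that the restore is verified rather than assumed. The following is an added example for this thread, not code from any poster or from the router vendor. It uses Python’s standard ftplib; the file name system.cfg is the one quoted from the manual, the address 10.0.0.1 is the router’s factory default from the thread, and the username “admin” and the password placeholder are assumptions (the real credentials come from the owner or the ISP, as the posts say). The `ftp_factory` parameter exists so the functions can be exercised offline with a stand-in client.

```python
import hashlib
import io
from ftplib import FTP

CONFIG_NAME = "system.cfg"  # file name given in the router manual, as quoted in the thread


def config_digest(data: bytes) -> str:
    """SHA-256 of a config image, used to confirm a backup and a restore match byte for byte."""
    return hashlib.sha256(data).hexdigest()


def fetch_config(host, user, password, ftp_factory=FTP) -> bytes:
    """Log in and 'get system.cfg' in binary mode (RETR), returning the raw bytes."""
    buf = bytearray()
    ftp = ftp_factory(host)
    try:
        ftp.login(user, password)
        ftp.retrbinary(f"RETR {CONFIG_NAME}", buf.extend)  # RETR = binary get, no ASCII mangling
    finally:
        ftp.quit()
    return bytes(buf)


def push_config(host, user, password, data: bytes, ftp_factory=FTP) -> str:
    """'put system.cfg' in binary mode (STOR); returns the digest of what was sent."""
    ftp = ftp_factory(host)
    try:
        ftp.login(user, password)
        ftp.storbinary(f"STOR {CONFIG_NAME}", io.BytesIO(data))
    finally:
        ftp.quit()
    return config_digest(data)


def restore_and_verify(host, user, password, backup: bytes, ftp_factory=FTP) -> bool:
    """Put the saved config back, then get it again and check the router holds the same bytes."""
    sent = push_config(host, user, password, backup, ftp_factory)
    return config_digest(fetch_config(host, user, password, ftp_factory)) == sent


if __name__ == "__main__":
    # Assumed: router at its default 10.0.0.1; credentials obtained from the owner or ISP.
    ROUTER, USER, PASSWORD = "10.0.0.1", "admin", "<router password>"
    saved = fetch_config(ROUTER, USER, PASSWORD)
    # The backup holds the router's full settings (including any PPP credentials), so keep it private.
    with open("system.cfg.bak", "wb") as f:
        f.write(saved)
    print("backup digest:", config_digest(saved))
```

Record the digest printed at backup time; after a restore, `restore_and_verify` re-fetches the file and compares digests, so you know the router actually took the old configuration rather than silently keeping the broken one.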

Good stuff, xash, but I suspect it’ll require a password to get the config via ftp, and resetting the password will certainly reset the config, so it’s highly likely he’ll need to a) hope it’s default, or b) get it from the ISP.

I’m hoping someone on his side set the password (if any). Yup, you’re right, if there’s a password and he can’t get to it then he can’t save the current config (by straightforward means at least). On the other hand, if he’s figured out most of the posts in this thread, he won’t need the original config.

Also, could someone clarify whether an ISP has the legal right to retain and not release the password to a router owned by a subscriber ?

sailor, here’s a quick, not entirely complete (more like a guideline) worst case scenario plan:

  1. Reboot router. Reset to factory settings.

  2. Login to router through web browser at http://10.0.0.1
    (Set your own password)

  3. Click on Simple Setup. Note that the factory default settings may already be enough to connect to the Internet. PPP is enabled by default, so is DHCP and NAT. IP address of the router is set to 10.0.0.1 and subnet mask is set to 255.0.0.0.

Make changes in the Simple Setup if required (such as enter PPP username and password, etc., likely not required).

Since DHCP is enabled by default when reset to factory settings, it should ideally automatically get an IP address. Now, if you’ve set at least one PC (the test PC) to use DHCP and obtain IP address automatically, it should get an IP address of 10.0.0.2 automatically and should be able to connect to the Internet.

  1. Test whether the PC is getting access to the Internet (in Internet Explorer, check tools/internet options/connections/lan settings/automatically detect settings). If the PC is connecting to the Internet, that’s all, you don’t need to configure much else. If all’s well, just set each PC to use DHCP and get IP address automatically.

  2. Power on and off the router once you make all the changes. Reboot each PC after making these changes.

sailor
Sorry, I dropped the ball on this. ntucker, Bill H. and xash have given you excellent info. and are more familiar with this particular router than I am. Good work, guys.