[dougand]

I tried to help my brother (who basically knows nothing about computers or routers or networking (which is even less than I know about them) set up his router to be secure. I can't be there, he's 2000 miles away from me, so I am trying to help him over the phone.

He got the router installed and working, but it essentially offers no security. After installing it, I had him go to www.grc.com and do the Shields Up test, and it basically said a ton of his ports are wide open to the world.

somewhere in the instructions it mentioned NAT, which I know would offer much more security than the wide open door. . in fact, the reason he even got the router in the first place (I told him to) was because the software firewalls weren't working at all (Shields Up said that while using Zonealarm the ports were wide open, and then later trying Outpost Firewall, they were wide open as well. .)

Does anyone have any suggestions about how to secure it or set up NAT on this router?

it's a wired router, model # DW7000 from Linksys.

He has windows 98 on his PC (it's an Athlon 550 or so). . ancient, and he's gonna get a new PC soon, but in the meantime needs to be online and would like some security. .

Thanks for any help anyone can give. .

btw, there IS a security tab on the software interface that installs on the PC, but it seems to point more than anything to a Zonealarm Pro download and/or a PC - Cillin one (seems that Linksys has some contractual agreements to those two companies to provide a commercial for their software. . problem is. . he bought the router to act as a firewall, and if ZA's free version doesn't do jack to stop incoming garbage from the internet, it's highly doubtful their pay version will either. . )

Thanks in advance. .

[StumpedTechy]

Linksys doesn't make a DW7000 that I know of. The only DW7000 I see is for a DirectWay and thats a satellite modem/router combo.

Also most "true" routers I have ever looked at have their NAT already secured down and you have to open and forward the ports in order to unsecure it. Its not like wireless where it comes out of the box unsecure.

Can you provide a link to this DW7000 your reffering to?

[dougand]

my bad. . you're right. . he gave me that model # over the phone last night. . I kept it in my memory. . and plum forgot that that was actually the model of the Satellite modem he has (from Hughesnet). .

the model of the Linksys router is BEFSR41 V.2

I did a bit of googling and found out part of what you just told me, bless you.

He bought the router used on Ebay. . but apparently it's wide open to the world, so it is unsecure (maybe the person who used it last had set it up that way). .

so he has to forward ports he wants to use?. .

which ports would those be and how would he do it? (I'm guessing the standard ones would be the http, www (if that's a port) and at least one for email. . any others you can think of?). .

Thanks

[Rockn]

Unless he has a static public IP address internally fir his account there should be nothing else open. If he bought it used and never set anything back to factory defaults this may be an issue. You might want to have him reset the router to it's factory settings and only add his account information for his ISP. After that there should be no ports open by default unless he does have a static IP from his provider.

[dougand]

Hey, thanks for the info. . also, does he need DHCP? I told him he didn't, since he has only one PC (which is connected to his HughesNet satellite modem) . .

how does he go about resetting it to the factory defaults?

Thanks

[StumpedTechy]

Quote:

I told him he didn't, since he has only one PC (which is connected to his HughesNet satellite modem) . .

He only needs DHCP if he wants DHCP. Alot of people who setup NAT rules don't use DHCP. The main reason for hardcoding the IP is because with NAT you have to specifiy the IP you want to forward to.

One thing scares me you say his PC is hooked directly to this modem... It should be the PC to the lan port on the router and the wan port on the router to this modem.. Without it setup like that the NAT won't work.

Also check because if it is setup correctly and just mistyped then the Ip he has may be in the DMZ of this new router and if thats the case then yes his PC would be wide open. (hence Rockn's reset the router to default suggestion)

On this model you have to do the following - hold in a small button with a pin on the back, pull the power plug, wait 5-10 seconds, plug it back in and release the pin.

[coulterp]

Quote:

Originally Posted by dougand

...
the model of the Linksys router is BEFSR41 V.2
so he has to forward ports he wants to use?. .
which ports would those be and how would he do it? (I'm guessing the standard ones would be the http, www (if that's a port) and at least one for email. . any others you can think of?). .
Thanks

He will not need to forward ports unless he is running web-servers etc on one of the PCs connected to the router - which I assume he will not be doing if he is as computer illiterate as you say he is!

You/he will only need port-forwarding if web/mail/etc servers are being run on the LAN that need to be contacted from the Internet. If you you/he just wish to be able to do is use IE, receive email, etc then port-forwarding is a red herring and the router default configuration should should cater for that.

As others have said the modem --> router --> PCs (and the PC is NOT directly connected to the modem). Probably a good idea to take if back to basics (factory defaults) if the previous history of the router configuration (off ebay) is unclear.

[dougand]

Sorry about the miscommunication. He does have the router between the PC and the satellite modem (he does now, even tho it isn't very secure). .

He may well have the ip address in wrong (or the wrong ip address). .

should his static ip address from hughes be the external ip addy on the router?. . or should it be the ip on his PC?

also, I'm guessing either the router or the satellite modem should be his default gateway (or does the modem even have an ip address?). .

he also had some question about enabling DNS or not (there's a radio dial button you can click to disable DNS). . and in the router's paperwork it says not to, but I told him that might be because the router people might not know he's using Hughes, and they might have their own DNS server he accesses. . I dunno. .

his having clicked to disable it didn't stop him from getting to the grc.com website, so I guess it works either way. .

Sorry I seem to be skipping from subject to subject, but any and all info I can get I am taking in and will be helpful

[coulterp]

Quote:

Originally Posted by dougand

...
He may well have the ip address in wrong (or the wrong ip address). .
should his static ip address from hughes be the external ip addy on the router?. . or should it be the ip on his PC?

No! That's the whole point of NAT! WAN IP on the router; PCs get a NAT'ed LAN IP address from the router.

Quote:

Originally Posted by dougand

...
so, I'm guessing either the router or the satellite modem should be his default gateway (or does the modem even have an ip address?). .

Yes - the PC should have the router (DHCP server) as default gateway. But if the PC is set to obtain IP address automatically then this too should happen automatically.

Quote:

Originally Posted by dougand

...
he also had some question about enabling DNS or not (there's a radio dial button you can click to disable DNS). . and in the router's paperwork it says not to, but I told him that might be because the router people might not know he's using Hughes, and they might have their own DNS server he accesses. . I dunno. .

He needs a DNS server. Automatically is usually easiest (i.e. don't disable) but there is not reason why DNS server IP addrs are not manually entered. It is a don't care as to what DNS server is used, as long as a valid one can be conntacted.

[StumpedTechy]

If you want my 2 cents here is how I do it.

Hook up the PC to the modem and do an ipconfig /all on the PC. Write down the IP, the gateway, the DNS servers and the subnet mask.

Change all settings in TCP/IP for the ethernet adapter to obtain automatically for IP and DNS.

Hook up the router to the modem hook up the PC to the router turn them ALL off. Turn on the modem, turn on the router, then turn on the pc waiting 1-2 minutes Per device.

Perform another ipconfig /all (number 2) on the PC.

Use the Gateway address usually something like 192.168.1.1 to put into the web browser. and log into the web based setup on the router.

Check your original ipconfig /all and make sure it all shows up in the WAN settings on the router.

Disable or enable DHCP and set the number of leases.
Make sure nothing is set in the DMZ this opens a hole in your network.
Make sure you have no settings in the Nat translating firewall (also known as Port Forwarding tab on this model).

If DHCP is enabled you can leave your TCP/IP set to obtain automatically. IF you hard code it to get by NAT settings then set TCP/IP settings to all the IP settings you had in the number 2 IPCONFIG /all. You can also add in a couple of the DNS servers you got in the first IPCONFIG /all if you want to.

The only thing you have to worry about is if DHCP is still enabled and you hardcode your IP then make sure the last octet eg X.X.X.# where # is 1-255 is outside of where DHCP is set to. E.G. if you have a lease of 10 computers and it starts at X.X.X.50 and goes to X.X.X.60 then you can place it anywhere from X.X.X.2 to X.X.X.49 or X.X.X.61 to X.X.X.254.

[dougand]

Quote:

Originally Posted by StumpedTechy

Change all settings in TCP/IP for the ethernet adapter to obtain automatically for IP

through DHCP??

Quote:

Originally Posted by StumpedTechy

Check your original ipconfig /all and make sure it all shows up in the WAN settings on the router..

You mean make sure the settings copied from the orig ipconfig shows up? (and shows up for the WAN? or for the PC?)

[StumpedTechy]

Yes the first time connection you will almost alsways useDHCP to first assign an IP. If not then you must know all the settings the router will give you. Linksys defaults are the following

IP - 192.168.1.1
subnet 255.255.255.0
gateway-192.168.1.1

but this can vary

you want to make sure the settings from the IPCONFIG before you added anythin shows up in the WAN on the router your new IPconfig should be on the 192.168address setup.

[dougand]

Quote:

Originally Posted by StumpedTechy

Change all settings in TCP/IP for the ethernet adapter to obtain automatically for IP and DNS.

How do I (in XP) get to the page where I do this? ( or the applet )

Quote:

Originally Posted by StumpedTechy

Make sure nothing is set in the DMZ this opens a hole in your network..

where do I configure this?. . where do I get to this page or window?. . I can't remember . .

Thanks again . .

[StumpedTechy]

Quote:

How do I (in XP) get to the page where I do this? ( or the applet )

Control Panel/Network connections (if in classic view)/Right click network connection you want to modify/properties/double click on TCP/IP

Quote:

where do I configure this?. . where do I get to this page or window?. . I can't remember . .

DMZs are in the router not in the OS. You have to access the router config and check for DMZ settings. Not all have it listed as DMZ though I know linksys does.

[dougand]

Quote:

Originally Posted by StumpedTechy

DMZs are in the router not in the OS. You have to access the router config and check for DMZ settings. Not all have it listed as DMZ though I know linksys does.

I thought that was the case, but do you have any idea how I find the window or page to set those up?. . I had my brother (over the phone) look in several places (the system tray, etc). . under "all programs". . etc. . but couldn't find anything. . .

any ideas?

I really appreciate all your help, by the way