Kevin's Router Setup Page

Front Page \| Information \| Computer \| Computer setup tips \| Router setup tips \| Funnies & Everything Else \| XP setup tips \| Address munging for newsgroups \| Junkware \| Alternate Data Streams
Do you seem to be getting spam from my domain? Please see this note I'll put a after something when it's added to the page. After the item has been on the page for about a month, I'll take out the and just leave the "Added" date. At least I'll try to do it every now and then. If you find a dead link, a typo or have a suggestion, there's a link at the bottom of the page that you can use to send me an Email. Date format is MM/DD/YYYY	Do you use Computer Associates' ETrust Anti-virus? Even if you don't you should be concerned about Alternate Data Streams on Windows 2000 and XP. ETrust has created thousands of unnecessary files on my drives, and they haven't offered any solution yet. So I did some research. I like and use Firefox. Which ever browser you use, make sure you keep it updated. That goes for all critical software.

Do you seem to be getting spam from my domain? Please see this note

I'll put a

after something when it's added to the page. After the item has been on the page for about a month, I'll take out the

and just leave the "Added" date. At least I'll try to do it every now and then.

If you find a dead link, a typo or have a suggestion, there's a link at the bottom of the page that you can use to send me an Email.

Date format is MM/DD/YYYY

Do you use Computer Associates' ETrust Anti-virus? Even if you don't you should be concerned about Alternate Data Streams on Windows 2000 and XP. ETrust has created thousands of unnecessary files on my drives, and they haven't offered any solution yet. So I did some research.

I like and use Firefox. Which ever browser you use, make sure you keep it updated. That goes for all critical software.

For an excellent generic explanation of how NAT routers work and what the benefits are, see GRC's NAT page.

troubleshooting instructions

Please note that the configuration pages have changed a lot in the newer vesions of Firmware, but the principles are the same. And with other brands of routers many of the same principles apply.

If you're after my setup instructions for a Linksys router you can skip right to the details if you want.

January 15, 2007. We finally got around to getting a new router, a Linksys WRT54G. The default settings are acceptable, although I'd recommend changing a few of the wireless ones just to be safe. And they've broken the logging functions. For details see my WRT54G notes towards the bottom of the page.

I first had DSL, then switched to Cable. In terms of what I'm talking about here, there's basically no difference.

Lots of people are getting cable or DSL internet connections. In many cases they haven't previously used any security products like a firewall or router, but in my (and many other people's) opinion they need to on Cable (or DSL). If you have Windows 2000 or XP a firewall and/or router is essential. To make things easy for my friends I thought I'd just make a web page they could look at. And since they'll have high speed internet access, I'm going to use pictures. Anyone is welcome to use the page of course, although please keep in mind all the usual disclaimers. Basically, it ain't my fault if something goes wrong.

I recommend the use of a router (external hardware that sits between your cable modem and your computer) to block unsolicited inbound communications to your computer. And you should have it on hand before you get your high speed connection installed. I use a Linksys router but any well known brand should do. I'd also suggest the 4 port model even if you only have one computer. That way if you add more computers later, you can just plug them in. Or if someone comes over with a laptop computer they can use your connection while visiting. And with respect to multiple computers on a single connection, various ISPs have different policies, but in most cases it appears that they only want more money if you want more external IP addresses. With a router you can have multiple computers on one external IP address.

One advantage of a router over a firewall is that once you set it up you should never have to worry about it again. The major disadvantage is that a router is only good for inbound control. For outbound control you need a firewall. The firewall will also provide inbound protection, but requires more setup and ongoing adjustments. They're easy (you'll get a popup asking you to make a choice) and they decrease the longer you've used the product as it learns what's on your computer. There are several free firewalls, including Sunbelt which bought the old Kerio Firewall, ZoneAlarm and Outpost. Sunbelt and ZoneAlarm offer free and paid versions. Outpost has a 30 day trial available. More are listed on the Firewall page at The List of Lists. If you can't afford the router or don't want to spend the money, at least get a firewall. After all they can be had for free. A firewall is good to have in addition to a router. That way the router drops any potentially nasty inbound connections before your firewall even sees them, keeping things pretty quiet in that respect. Then your firewall only has to keep track of what programs you want to have access to the Internet. Once you've OK'd or blocked the programs currently on your computer, all you have to deal with is new installs or unexpected surprises. You may be shocked by what's on your computer and making connections without your knowledge. WIth a high speed always on connection this is even more important than it was on a dialup.

If you have more than one computer, and you're behind a router, try scanning your own computers from within your network, with and wthout the firewalls running. That way you'll know what your vulnerabilities are if you ever need to connect without the router. By doing the testing behind the router on your own computers you're safe from the hazards of the internet. One tool you can use for that is Superscan4. Go to Foundstone.com click on the Resources tab, then Free Tools then Scanning Tools. You can download it from that page.

To see the benefits, get your high speed connection installed, making sure that there's a firewall installed. Then go to ShieldsUp at GRC and run the "All Service Ports" test. Then put the router in and run the tests again. A firewall will provide similar results after some tweaking, but make more noise about it. (The warnings can be turned off for a firewall.) A couple of things to keep in mind:

Steve's ShieldsUp page only tests 1056 ports. There are 65,000 ports available. Just for TCP. And another 65,000 UDP ports. There are vulnerabilities associated with many of them, and new ones being found all the time. Plus specific ports opened up by programs you could have running (perhaps without your knowledge) on your computer. People scanning for open ports can check any or all of them. There are more comprehensive tests available at Broadbandreports.com. The Port Scan is pretty thorough, or you can try the full scan, although there is usually a wait. Other test sites are available too if you're interested. Try the SpywareWarrior page for an updated list. Two that do relatively thorough scans are BroadbandReports and PcFlank.
You don't want to dawdle around before installing a firewall and/or router. And would be preferred. I get an average of 20-30 scans an hour, and that number has been increasing for a couple of years. Most are benign in the sense that they aren't a type that would affect my computer anyway, but at least some of them could cause problems if I didn't have some protection and/or had something installed that I didn't know about. If you happen to get one of those scans right away, you could be in for serious trouble. Worm scans are very common and the lifespan of an unprotected XP computer on the internet can be measured in minutes unless your ISP happens to be blocking the ports that will infect it. Many are, some aren't. But a router protects you from all of the known and [so far] unknown scanning vulnerabilities.

Cable IP ranges are a favorite target because they have a relatively high percentage of unprotected computers and have always on, high speed connections. So if they can get access to your computer, they can use it to do a lot more scans, or to attack a web site, or store files that they are worried about keeping on thier own computer, or send spam, or pretty much anything they want. With everything being traced back to you instead of them. A huge percentage of spam is sent from compromised home computers with a high speed connection.

Setup Instructions

The instructions for setting up the Linksys are in the manual and pretty simple. In my case the default settings worked fine for nearly everything. There are only 5 things I recommend checking to be sure they are setup correctly, plus a couple that are worth checking to be sure they haven't changed the defaults. The locations of these tabs may vary slightly depending on the version of the firmware that is in your router, sometimes they will be under the "Advanced" tab, sometimes not. This applies specifically to Linksys routers, but since the industry (like most) is Monkey See, Monkey Do, most other routers will probably have something similar. Also please bear in mind that I'm only covering settings that are related to security. It's worth looking over the other options to see if they'll help you. Some could increase the speed of your data transfers. There's detailed information on the various [older] versions of Linksys firmware at Hansenonline, including descriptions of what the different tabs do. There are good FAQs about Linksys Routers at Broadband Reports Linksys FAQ and Tips, Tricks and Firmware pages. For more information specific to Linksys you can check the BroadbandReports Linksys Forums. It's also a good idea to periodically check for firmware updates at Linksys. Look for your model in the dropdown list and follow the links to Firmware. Avoid anything that's brand new in case of bugs, but anything over a couple of weeks old is probaly a good thing to do. I'm going to do it soon myself. I'd also suggest that you grab a couple of previous versions of firmware just in case of problems. You'll have to browse through Linksys's ftp site to find the right ones for your model and version, but it's worth having.

For some speed testing, try the Speed and Tweak Tests at BroadbandReports Tools. speedtest.net has a nice test, but it requires JavaScript and Flash.

To get to the router settings, open your browser, type http://192.168.1.1 in the address bar (this address may vary with other brands of routers) and press Enter. Tab past the user name field to the Password box and type in "admin" without the qoutes. Then it's just a matter of using the Tabs at the top of the pages to get to different settings.

The first thing to change is the Password. Since it's only accessible from your internal computer(s) behind the router you may not need to make it your most difficult password, but don't make it too easy either. There have been conflicting reports of a vulnerability that allows access to the log in screen from the internet. And of course you could make a configuration mistake. Some routers or firmware versions allow "Remote Administration", if yours does, be sure it's Disabled. Once you change the password, the next screen will require you to log in again.

Then you want to go to these tabs. You can click on the thumbnails next to each section for a larger image. These are from an older version of firmware, but the concepts are the same.

DMZ Tab
On the "DMZ" tab, set the DMZ IP host address to 192.168.1.200. What this does is makes any computer at that address actually be unprotected by the router. While that would probably not be a Good Thing under normal circustances, in this case it's cool. Because you don't have a computer at that address unless you have specifically forced a computer to log in with that address. So what the router does is send any unsolicited inbound traffic (scans or whatever) to the computer at that address. But since there's no computer there, there is no response. Scans (or whatever) simply go off into the electronic ozone, and your router (and any computers behind it) are invisible from the outside. Some routers or versions of firmware may not need the DMZ to secure all ports. But firmware changes or something else could cause a problem later, so the DMZ is an extra layer of protection. You can also use the DMZ to put a real computer "out there" if you need/want to, but you should only do this if you're sure you know what you're doing. Make sure that whatever address you use is outside the range of addresses that can be assigned by DHCP if you're using that on the router.

Logging Tab
On the "Log" tab, enable logging, and if it isn't set by default, "Send" the logs to 192.168.1.255. That causes the data to be broadcast to your whole network instead of sent to a specific computer. If you're using fixed IPs you can send it to a specific computer if you prefer. If you're running a firewall behind your router, you'll have to allow the SNMP Trap port (UDP port 162) through the firewall in order for the logging program to show you anything. If you're using the Windows XP ICF you'll have to add the port there too. Go to the NIC properties, click the Advanced tab, click Settings, click on Add. Put in a Description of Service like "SNMP Trap". Enter the IP of the source of the reports, your router in this case. External and Internal ports would both be 162. Click on the UDP radio button. OK your way out. You can only run one logging program (or anything using UDP port 162) at a time on any one computer since they don't share that port. Then you need an SNMP logging program. This will let you see the in and outbound traffic through the router. It's good for troubleshooting and also occasionally for spotting the unexpected outbound connection. And it can give you a warm fuzzy feeling to see the blocked inbound traffic. It will show up in the logs as going to the DMZ IP of 192.168.1.200. You can run the logging program occasionally, or leave it running all the time. There are lots of free log viewers. SNMP Logger is a very basic one. One's with more features include Wall Watcher and Log Viewer. Linklogger has a 30 day trial to see if you want to buy it. If you feel like putting those logs to good use you can see about using them to help compile attack reports by submitting them to either MyNetWatchMan or DShield. You'll need to be sure the log format is acceptable to the site before you can submit them. WallWatcher has the ability to automatically send your reports to either DShield or MyNetWatchman once you make some easy initial settings. Check the sites for the software you use and DShield or MyNetWatchman to see if there's an easy way to submit your logs. January 2007. On my new WRT54G inbound logging only works if the DMZ function is enabled. But external logging no longer works anyway.

DHCP Tab
This should be the default, but check it to be sure. On the DHCP tab make sure the starting IP address is something like 192.168.1.100. This allows you to have fixed IPs below .100 if you want, but any computers that connect to your router and ask for an IP address will get one at .100 or above. You want to keep this setting in mind when picking an IP for the DMZ. If you decide to start DHCP at .100, you don't want to pick .105 as the DMZ address since a computer might actually get assigned that address.

MAC Address Tab
Each Network Card (NIC) has it's own unique MAC Address (like a serial number). And the router has it's own NIC (two actually), so therefore it's own MAC Address. Some ISPs track the MAC address of the connected computer. The good news is that with a Linksys router (and most if not all others) you can have the router use any MAC Address you want. So you want to have it use the address of the computer you registered with. To get that address, on WIN95 and WIN98 Click Start/Run and type "winipcfg" (no qoutes) and press Enter. Use the drop down list to choose your NIC if necessary, it may be showing your modem instead. Make a note of the "Adapter Address". Be careful of the difference between zeros and the letter O. On W2K/XP, Click Start/Run and type "cmd" (no qoutes) and press Enter. In the window that appears, type "ipconfig /all" (no qoutes). Note the "Adapter Address". Enter that information on the "MAC Address Clone" page of the router set up. Click "Apply" and you should be done. It's possibly not necessary, but it can't hurt, so I always do it. And I was told recently by Comcast that they do track the MAC address of the computer connected to their modem, but only locally. If you connect a different computer (MAC Address) to the modem, you need to reboot the modem. Cloning the MAC Address in the router will avoid that aggravation, otherwise when you hook up the router, the modem will see it as a different computer and you won't be able to connect until you reboot the modem. This way if you have to remove the router for troubleshooting, the modem won't see a new MAC because it will be the same as the one that was cloned in the router.

Port 113 forwarding
Later versions of firmware (1.44.2 and up) no longer hide Port 113. This appears to be to eliminate some delays in sending email if your mail server checks that port. To avoid that delay I used to forward that port to my computer, then have my firewall drop the packet from everywhere except my ISPs mail server. Now, if you want that port to be stealthed you'll need to do the reverse of that. Go to the Forwarding tab in the router setup, then enter 113 in both sides of one line of the port ranges. In the IP address block, send it to an unused IP. The same one you're using for the DMZ (.200 in my example) would work fine. For more information on Port Forwarding, and instructions for port forwarding for specific applications, see Portforward.com.

These should be the defaults, but check to be sure. On the Filters tab, "Block WAN Request" should be enabled and "Remote Management" and "Remote Upgrade" should both be disabled. Block WAN Request is the one that should block pings for you. You can test at GRC ShieldsUp (scroll down) to see that it's doing what you expect. The Common Port test includes a test for Ping response. Always recheck your settings and retest after a firmware upgrade.

You're done. In the event of a problem with the router requiring that you reset it to the factory defaults, or if you decide to upgrade the firmware, these changes may need to be repeated.

Finally, if you need to call your ISP because of connection problems, they will almost certainly insist that you bypass the router. Before you do that you can try some of my troubleshooting steps first if you want to. If you do need to bypass the router the easiest way to do this is to simply take the cable that comes from your computer to the "LAN" plug on the router, unplug it from there, unplug the same type of cable (NOT the round TV type of cable) from the back of the modem and plug the first one in there. Don't forget that this causes you to lose any benefit of having the router, because it's not in the loop. This is where a firewall can be essential. Put the cables back as soon as you can. Assuming you're using an "Automatically assigned" IP address on your computer, you may not even need to reboot depending on your OS. If you're using fixed IPs on your computer, then you'll probably need to make some changes there and reboot.

WRT54G Notes

In January 2007 we finally updated from our BEFW11S4 to a WRT54G because the DHCP function on the older router wasn't working properly. Pretty much all of the above stuff is still true, although there's now lots of wireless options. There's absolutely no need to run their easy set up software, just log in to http://192.168.1.1/ with the default password of "admin". The only changes I made to get it up and running was to change the password, change the SSID from the default, enable Logging and clone in the same MAC address that the old router was using. I switched all the cables to the new router and everything worked. A ShieldsUP! test came out all green, so the defaults are acceptable. At least for the ethernet portion. Tim Higgins did a review of this router in June 2005. The firmware has changed markedly since then, as have some of the functions.

On the wireless side the router defaults to some rather weak settings. The "Wireless Network Mode" is set to "Mixed" which is OK, although if all your wireless connections will be "B Only" or "G Only", choose that. The SSID is "Linksys" and "Wireless Security" is set to "Disabled". At a minimum you want to enable the strongest Security Mode that you can, and change the default SSID. For more detailed advice, Google is your friend.

However there'a at least one other problem with the WRT54G. Linksys seems to have broken the logging functions. I spent an hour trying to figure out what setting I had wrong before I determined that it was the router. My logging software wasn't getting any data. Same with different software on a different computer with no firewall. If I went to the router configuration pages and then to the Log page, Logging was enabled correctly. I could open the Outgoing Log and there was data in it. But the Incoming Log was empty. It turned out that was due to not enabling the DMZ function. With it off unsolicited inbound packets are simply dropped, if it's enabled then the Incoming Log logs traffic. I called Linksys and worked my way up a couple of layers through some people who had no idea what I was talking about. "Logging, do you mean you can't get to the internet?" I finally got to someone who said he was aware of it, and that he'd talk to his supervisor and see if they could get something done about it. He promised that I'd get an email letting me know the status. For the moment it appears that the options are to use third party firmware or do without decent logs. I use my logs for a lot of things, but third party firmware will void the warranty.

After doing some Googling it appears that Linksys has changed the firmware to Syslog logging instead of SNMP Trap. And according to the Linklogger software site and some others that I found they completely disabled external logging for some reason. So if you want that, you'll need to use some third party firmware. Third party firmware also lets you do other things that the stock firmware doesn't. The WRT54G firmware is actually released under the GNU General Public License so there are all sorts of free versions available. See WiFi Planet for an article explaining it. You can get some from hyperwrt.org, HyperWRT Thibor, dd-wrt.com, Tomato and several other places for free or from sveasoft for 20 US dollars a year, which gives you access to their support functions. Others are listed in the Wi-Fi Planet article. There's also lots of information on the WRT54G series of routers at Wikipedia.

If you decide to try third party firmware make absolutely certain that it supports your model of router. That's partly because the later versions of the WRT54G (and to a lesser extent the WRT54GL and WRT54GS) have been crippled by Linksys in ways that limit what, if any, third party firmware can be installed. Some use a different chipset that isn't compatible, others have less RAM and Flash RAM so they can't run as many features. You can use the pages at wikipedia.org or dslreports.com to confirm your router model. The serial number is the best indicator if you don't trust the sticker on the bottom of the router.

Another option is to buy a different brand of router that will work with the third party firmware that has the features you want. This DD-WRT page lists other brands that can be used. The Buffalo WHR-HP-G54 is reportedly a good option as are some of their other models. Please note that I'm not personally familiar with them, so do your homework.

Written for

Check out the Any Browser pages.

If something doesn't work right please

Email me.

Last update 11:47 PM 1/20/2007