Learn how to set up NAT routers and configure basic settings such as WAN, LAN, firewall, DMZ, VPN, and more. Includes practical exercises and summary of NAT router functions.
Small NAT Routers
• Objectives
  • To learn how to set up the basic settings of NAT routers
• Contents
  • WAN configuration
  • LAN configuration
  • Firewall & DMZ
  • VPN
• Practicals
  • Working with NAT routers
• Summary
Overview of NAT routers
(Diagram: hosts, NAT router, ISP gateway)
• NAT router basic functions
  • Ethernet WAN port to public network gateway
  • Ethernet LAN clients through built-in NAT to ISP
  • Simple firewall functionality
  • DHCP for LAN clients/hosts
  • Limited port forwarding / address forwarding translation
• NAT router extended functions
  • DMZ: virtual demilitarized zone configuration
  • VPN: client and/or server services for private interconnection
  • SNMP: remotely managed through SNMP standard 1 or 2
  • ROUTING: private network routing
  • WAN: media converter
Setting up NAT router, variants
• Usually NAT routers are equipped with a web interface
  • Most "SOHO" NAT routers are equipped with web interface control panels
  • Wizard to help with connecting to the public gateway
• Use telnet and command lines
  • More qualified routers lack a web interface, or have a weak one
  • You have to know their Unix-like OS, which is text based
  • Some smaller SOHO devices like Zyxel and Cisco have text-based interfaces
  • Terminal setting is usually VT100 (using HyperTerminal)
  • From LAN/WAN or serial console port
  • LAN port address is usually 192.168.0.1 for small routers
  • LAN port address is printed on the router or in the manual if different
  • Serial port configuration: 9600 bps, 8N1
• More qualified routers can use SNMP after setup
  • Configuration files using TFTP
The first steps, SOHO device
• Connecting WAN and LAN
  • Connect your NAT router WAN port to the public link
  • Connect your PC client to a LAN port
  • Power up your NAT router, then power up your PC client
• Log in through the NAT router web interface
  • Check the DHCP parameters delivered to your PC
    On the command line, type: ipconfig /all
    Look for the line that says: Default Gateway . . . . . . . . . : 192.168.0.1
  • Type the default gateway IP address in the address field of the web browser (found in documentation)
    Use login name: admin
    Log in without entering any password
• The security-aware person will note that the entire configuration is sent in clear-text HTML POSTs and GETs
  • Usually not a problem at this point, because nobody other than you is connected to the router
WAN settings of NAT router
• DI804HV as an example of a SOHO NAT router
• First, set up the WAN configuration
  • You can use wizards or manual setup (recommended for end users)
• Common WAN settings:
  • Dynamic
  • Static
  • PPPoE
  • Dial-up Network
  • Others
• Exercise 1:
  • Connect your WAN port to the LAN switch in the lab (DHCP from lab server)
  • Connect your client to a LAN port of the NAT router, start the router, start the client
  • Access your router through the web interface and set the WAN settings to DYNAMIC address
  • Go to STATUS and click on DEVICE info
  • Click on DHCP renew and see if you have an IP address
  • Try to go out on the Internet with your client
LAN settings of NAT router
• You can change the router LAN IP address
  • If you change the router LAN IP address, the subnet it is in will be calculated.
  • This will be the default gateway for all connected LAN clients
  • You can leave it as is for single subnets without VPNs
• You can use any subnet mask
  • This must be set according to your subnet class

    Standard subnet masks     Or any calculated
    A  255.0.0.0              My  255.255.255.240
    B  255.255.0.0
    C  255.255.255.0

• Add a domain name if you have one
  • This is mostly for the eye only, but can be essential for authentication
DHCP server settings
• DHCP on or off?
  • For the comfort of users it can be a good idea to have it on
  • Can disrupt DMZ or virtual servers on the LAN side of the router
• DHCP scope
  • Follows the NAT router internal LAN IP address setting
  • Standard for most NAT routers is 192.168.0.100 to 192.168.0.199
  • Any range can be used, but don't deliver broadcast addresses!
  • Beware of overlapping scopes if there is more than one DHCP server in the same subnet
• DHCP lease times
  • Some routers can have lease times that last forever
  • The settings must reflect the number of simultaneous clients.
  • Standard for most settings is 1 week
• Static DHCP settings
  • Used for clients who should receive the same IP address all the time, based on their MAC address.
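The scope rules above (stay inside the subnet calculated from the router LAN address and mask, never hand out the broadcast address, avoid overlapping a second DHCP server) can be checked before a range is typed into the router. This is an added example, not part of the original slides; the function name `check_dhcp_scope` and the sample ranges are assumptions made for illustration.

```python
import ipaddress

def check_dhcp_scope(router_ip, netmask, start, end, other_scopes=()):
    """Return a list of problems found in a DHCP scope (empty list = OK)."""
    # The subnet is calculated from the router LAN IP and the subnet mask.
    lan = ipaddress.ip_interface(f"{router_ip}/{netmask}")
    net = lan.network
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if first > last:
        return ["scope start is above scope end"]
    problems = []
    if first not in net or last not in net:
        problems.append(f"scope leaves the LAN subnet {net}")
    if first <= net.network_address <= last:
        problems.append(f"scope hands out network address {net.network_address}")
    if first <= net.broadcast_address <= last:
        problems.append(f"scope hands out broadcast address {net.broadcast_address}")
    if first <= lan.ip <= last:
        problems.append(f"scope contains the router's own address {lan.ip}")
    # Ranges served by any other DHCP server in the same subnet.
    for o_start, o_end in other_scopes:
        o_first, o_last = ipaddress.ip_address(o_start), ipaddress.ip_address(o_end)
        if first <= o_last and o_first <= last:
            problems.append(f"scope overlaps {o_start}-{o_end} on another DHCP server")
    return problems

if __name__ == "__main__":
    # Constructed cases: the slide's default scope, then the slide's
    # 255.255.255.240 mask, which shrinks the subnet to 192.168.0.0-15.
    cases = [
        ("192.168.0.1", "255.255.255.0", "192.168.0.100", "192.168.0.199", ()),
        ("192.168.0.1", "255.255.255.240", "192.168.0.100", "192.168.0.199", ()),
        ("192.168.0.1", "255.255.255.240", "192.168.0.2", "192.168.0.15", ()),
        ("192.168.0.1", "255.255.255.0", "192.168.0.100", "192.168.0.199",
         [("192.168.0.150", "192.168.0.250")]),
    ]
    for case in cases:
        print(case[:4], "->", check_dhcp_scope(*case) or "OK")
```

The second case shows why the default 192.168.0.100 to 192.168.0.199 scope has to be changed whenever the LAN mask is narrowed.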
Advanced settings
• Most NAT routers have all the nitty-gritty firewall and DMZ settings under the Advanced menu.
• We are looking at the DI804HV, which has most of the possibilities that the big professional routers have
• Virtual server
  • Does port forwarding and port translation to a delegated LAN client address
• Application
  • Opens ports in the firewall settings dynamically, triggered by traffic on the WAN port
• Filter
  • Allowing/denying LAN clients access to the outside WAN
• Firewall
  • Traditional stateful firewall settings to allow certain traffic to pass or not
• SNMP
  • Network management protocol for control and statistical data
Dynamic DNS, DDNS
• What is dynamic DNS?
  • A special service which announces the NAT router public WAN IP address to a DNS.
  • Same mechanism as Master and Slave DNS, a zone transfer.
  • It is a limited DNS service; companies have permanent public IP addresses
  • This has the negative side of service interruptions, depending on worldwide DNS replication of the new IP address.
• Provider
  • The slave DNS you have a contract with
• Hostname is your DDNS hostname
• DDNS needs account information
  • Username
  • Password
Routing
• Static routing for your private networks
  • Makes VPN, local routers, failover gateways work
  • Control your traffic flow
  • Increase security
• Dynamic routing protocols
  • Receive and send routing information: RIP v1 & RIP v2
• Destination
  • Network to reach
• Subnet Mask
  • The subnet mask of the network to reach
• Gateway
  • The gateway to send traffic to in order to reach the destination
• HOP
  • The distance in network hops towards the destination
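How the four static route fields above (Destination, Subnet Mask, Gateway, HOP) decide where a packet goes is easiest to see in a lookup. This is an added example, not part of the original slides; the table rows are constructed, and the selection rule (most specific mask first, then lowest hop count) is the standard longest-prefix-match convention, assumed here rather than taken from the DI804HV documentation.

```python
import ipaddress

# Constructed static routes: (destination, subnet mask, gateway, hop)
ROUTES = [
    ("0.0.0.0",    "0.0.0.0",       "192.168.0.254", 1),  # default route
    ("10.10.0.0",  "255.255.0.0",   "192.168.0.2",   2),
    ("10.10.20.0", "255.255.255.0", "192.168.0.3",   3),
    ("10.10.20.0", "255.255.255.0", "192.168.0.4",   1),  # same network, fewer hops
]

def parse_routes(rows):
    """Validate rows and convert them to (network, gateway, hop) tuples."""
    table = []
    for dest, mask, gateway, hop in rows:
        # strict=True rejects a destination with host bits set, e.g.
        # 10.10.20.1 with mask 255.255.255.0, a common typing mistake.
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=True)
        table.append((net, ipaddress.ip_address(gateway), int(hop)))
    return table

def next_hop(table, target):
    """Return the gateway for target, or None if no route matches."""
    addr = ipaddress.ip_address(target)
    matches = [route for route in table if addr in route[0]]
    if not matches:
        return None
    # Most specific network wins; among equal masks, the lowest hop count.
    net, gateway, hop = max(matches, key=lambda r: (r[0].prefixlen, -r[2]))
    return str(gateway)

if __name__ == "__main__":
    table = parse_routes(ROUTES)
    for target in ("10.10.20.5", "10.10.99.1", "8.8.8.8"):
        print(target, "->", next_hop(table, target))
```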
Basic DMZ
• The DMZ
  • Used to open the firewall fully for traffic to and from LAN clients
• Basic DMZ
  • The router we are studying can only handle one LAN client, stateless DMZ.
  • Virtual servers and Application are also a form of DMZ, but only for delegated services.
  • Comes in two variants, stateful and stateless
• Stateful DMZ
  • Can handle several LAN clients even if they have private IP addresses
• Full DMZ (traditional)
  • Is used when clients have public IP addresses
  • Can serve several clients in the protected zone with DMZ
• DMZ is used for bastion hosts or public servers
  • Last resort if a regular virtual server does not work.