Before starting forwarding ports, I'd like to take a minute to go over what is needed to use static IP addresses on your LAN. With DHCP all the IP configuration information is passed on to all the clients. This includes IP address, default gateway IP address and the IP addresses of up to three DNS servers. Even if you disable DNS in TCP/IP properties, the DHCP server will still give you the DNS server to allow the computer to resolve names.
When using static IP addresses, you have to provide all this information yourself. And, you have to enable DNS. This is the only way you can enter DNS server information, and without it, you will not be having any fun.
So, if you are going to use static IP addresses, you'll need to enter at least one DNS server address and a default gateway address, plus a static IP address that is outside the range of what the router hands out. By default, the range used by the Linksys router is 192.168.1.100 through 192.168.1.150. Stay clear of those address (you have 203 other to choose from!).
A lot of cable and DSL providers supply their own DNS servers, but they often have long resolution times which slow down your browsing. You can use a program like Namebench to test a list of public DNS servers and find the best alternative.
Port forwarding is a way of allowing outside users access to your LAN computers on a given port (or range of ports). Basically, if someone connects to the WAN IP address on port 80 on your router and you have set port 80 to be forwarded to an IP address on your LAN, then the router will allow that traffic to pass right through to the destination. To the outside world, it will seem like they are accessing the web server directly on the WAN IP address. The same goes for other services.
This is directly linked to the use of static IP address. The documentation that comes with the router claims that you must disable the DHCP server if you are going to use port forwarding; also, the config page where you set up the port forwarding says the same thing. This is INCORRECT! You do not have to disable the DHCP server on the Linksys router to use any of the features on the router 1). What Linksys probably should have said is that it makes sense to use static IP addresses on the machines you are forwarding ports to (disable DHCP on the client). When using DHCP, it is possible that you will not get the same IP address you had the last time. If you are forwarding ports to the old IP address, outside users will not be able to connect as the router will direct the traffic to the wrong computer. So, if you are going to set up a web server or a mail server, or any other type of server, then use a static IP address on that computer.
Forwarding ports is actually quite simple. Using a web browser, connect to the LAN IP of the router, and click the "Advanced" tab in the top-right corner. Then click the "Forwarding" tab to get to the port forwarding configuration screen. You can forward up to 10 ranges of ports. Simply enter the start port and the end port (same number in both if there's only one port), and click the Apply button to save configuration. Once the router has re-started, traffic will be forwarded to the IP address selected.
With firmware 1.37, you can also specify TCP, UPD or both to have better control over what type of traffic should be passed on to your LAN.
I briefly touched on filters in the Basics page. Think of filters as the opposite of forwarding. It only works from the inside (as opposed to forwarding which works only on the outside), and instead of allowing traffic, it blocks it. This is one way to prevent certain types of traffic to leave your network. In the Basics page I set up a filter to block NetBIOS traffic from going out. If you have any application that are strictly LAN based, and you want to make 100% sure that it does not transmit any data onto the Internet, then you can filter out the port (or range of ports) on. As with Forwarding, this is in the Advanced section.
I am filtering ports 135 - 139 and also port 1975. There was a big controversy a short time ago about Aureate/Radiate and their software. Some "freeware" (or adware, really) applications comes with advertising built in. In stead of you paying for the program, you get to watch some ads as you use the software. The software also keeps track of which web sites you go to so it can better determine what types of ads it should display on your computer. The Aureate/Radiate spyware application uses (or used) port 1975 to talk to mother. Although I don't have any of the spyware, I'm still blocking that port.
Since it appears that port filtering may contribute to the instability of the Linksys router, I'm withdrawing my recommendation of filtering any ports. Although that makes it possible for certain traffic to get onto the internet, this should not have any significant effect on the security of your LAN.
For a home network, leave these at the defaults. This only applies if you have multiple routers on your network, and most home networks would not need this.
This is a fairly new feature. Not entirely useful just yet, but I have some hope that Linksys will continue working on the feature until they get it right. (Note that this is my personal opinion, others might find it more useful than I). Logging can be disabled or enabled. If enabled and with "255" left as the last byte of the IP address, the router will broadcast log information onto your LAN, hoping that some program will catch the information. If you want to capture this information, you're better of specifying the IP address where the logging application is running (see static IP address above). You can also view the access logs on the router, but there's hardly any information there. It lists the IP address and port number of traffic passing through the router. This is fine to check and see if your SMTP traffic gets through, but it doesn't tell you anything about what else is hitting your router. You have no way of knowing if someone is trying to access a Sub-7 trojan on your computer, or is someone is doing a port-scan to see what ports are open. Since I'm running a web-server, the access log would be redundant, so I disabled it. The program "LogViewer" is available on the Firmware page.
Linksys have chosen an interesting definition of DMZ. Essentially, it's a "public" computer. Setting the IP address in the DMZ field to match that of a computer on your LAN, you are essentially placing that computer outside the router. That means the computer is not protected by the router. Any incoming traffic which is not forwarded somewhere else will be forwarded to the computer in the DMZ. This is not a good place to be, but unfortunately, sometimes it is required. If you wish to use MS NetMeeting, you need to place your computer in the DMZ. Due to the fact that MS NetMeeting uses some random port allocation, the router wouldn't be able to pass the traffic to your computer otherwise.
© 1999-2005 Lars M. Hansen