An introduction to important setup options on your router for getting the best performance and security. If you're not across modulation types, NAT and port forwarding, QoS and IPv6 then read on.
Most homes – and many small businesses – get online via a domestic router. It’s an easy way to share a single internet connection with any number of wired and wireless clients, and it provides a welcome layer of security between your PC and the outside world. Routers typically come with a friendly configuration wizard, and Wi-Fi Protected Setup makes it simple to create and connect to a secure wireless network.
In your router’s administration pages, however, you’ll find configurable settings that you can adjust to better suit your needs. We’ll show you how to get the best speed from your broadband connection, make your PC accessible from outside your network, and ensure your wireless configuration is both fast and secure.
Finding your way around
Router configuration can be daunting, because each manufacturer has its own way of doing things. Across different brands of router, options will appear in different places and will sometimes even have different names.
In the screenshots accompanying this feature we’ve used a Netgear N600 router, but no matter what brand of router you’re using, all the settings we discuss here will be accessible via its web administration interface. You can normally get there by typing an IP address (such as 192.168.1.1) into your browser; a quick Google search will normally uncover the IP address for your router model. When you first connect, be sure to change the administrator password – the default passwords for common routers are well known, making it easy for intruders to hijack your network connection.
If you have cable broadband, you probably need to provide only a username and password provided by your ISP to get online. To connect over ADSL, however, several settings must be configured correctly. Many ISPs provide branded routers with pre-configured parameters, but if you’re setting up your own router you’ll need to set the appropriate values yourself.
The first two such settings are the virtual channel identifier and virtual path identifier (VCI and VPI, for short). These specify the “virtual circuit” on which your router will try to communicate. You need to be on the same circuit as the ISP’s DSL gateway: the right values are normally 0 and either 35 or 38, but check with your ISP.
Next, you’ll need to select the correct encapsulation type: the format in which network data will be exchanged over the virtual circuit. The most common type is PPPoA, short for point-to-point protocol over asynchronous transfer mode; but some ISPs use other systems, such as bridged IP or PPP over Ethernet. Unless you’re a network engineer, you don’t need to worry about the technical differences between these systems – you just need to ensure you have the right one.
Finally, your router needs to know what sort of electrical modulation is used to convey data over the copper wire of your phone line. G.DMT and G.Lite (also known as G.992.1 and G.992.2) are the original ADSL standards, with theoretical maximum download speeds of 8Mbits/sec and 2Mbits/sec respectively. G.992.3 and G.992.4 are ADSL2 protocols, supporting up to 12Mbits/sec downstream; G.992.5, commonly known as ADSL2+, supports speeds of up to 24Mbits/sec.
Many ISPs support more than one modulation mode, and some routers can automatically try several modulation types, connecting via the fastest available. You can enable this by selecting “multimode”, or ticking boxes for more than one modulation type. However, the more modes the router has to try, the longer it will take to establish a connection when first switched on; and faster modulation modes may be less stable than slower ones.
When these settings are correct, your router should find the ADSL connection and start “training” the connection – trying to determine the maximum stable connection speed. Once this is completed, its status should be shown as “connected” or “showtime”.
A successful DSL connection doesn’t necessarily mean you’re connected to the net. You may also need to provide a username and password, and specify an authentication method (most often the challenge-handshake authentication protocol, or CHAP). Your router will also need to know the IP address of at least one domain name server (DNS). Again, all this information should be provided by your ISP.
NAT & port forwarding
Once your router is online, it will be assigned a unique internet IP address. This address will be shared between all your network clients, via a system called network address translation (NAT). This works by assigning each client on your network its own local IP address, which is valid only within your LAN. When a client wants to communicate externally, the router forwards the connection via its external IP address, and forwards any response back to the client that initiated the connection.
This setup is fine for the typical household, but the catch is that sharing one internet address across the whole LAN makes it impossible for a remote computer to initiate a connection to a particular PC on your network. This makes it difficult for worms and hackers to reach a potentially vulnerable system; but if you want to run an online service such as a web or FTP server, your router must be configured to forward incoming traffic to the particular PC that’s hosting the service.
The process is called port forwarding, since it involves forwarding all traffic that arrives on a particular “port” to a particular client. In reality, all network packets arrive via the same physical connection, but different notional ports are associated with different services. Web servers, for example, ordinarily operate on port 80, while FTP servers use port 21. You can find the official list of standard ports here.
A computer can run services on any number of different ports concurrently, and your router can be configured to forward whichever ports you wish to whichever clients you choose – while dropping other unwanted requests.
It isn’t always necessary to configure port forwarding manually. Almost all routers support universal plug-and-play (UPnP). This allows compatible applications such as web servers and BitTorrent clients to automatically configure your router to allow traffic through: simply ensure the box is ticked in your router’s configuration pages. Your router may also support port triggering: if enabled, the router will remember when a client makes an outgoing connection on a particular port, and will automatically direct incoming connections on that port to that same client.
If you do need to set up port forwarding manually, the option should be readily available in your router interface. Typically, you only need to enter the local IP address of the PC hosting the service, then specify the port – or, on some routers, the type of service you want to run, which will then automatically be translated to a port or range of ports. You may also be asked to choose whether to forward TCP packets, UDP packets or both. TCP is normal internet traffic; UDP is a simpler protocol that’s sometimes used by audio and video streaming applications, as well as online games.
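To make the NAT, port-forwarding and port-triggering behaviour described above concrete, here is a small Python model. It is an added illustration, not code from the original article or from any router vendor: the WAN address, the LAN addresses, the ports and the packet sequence are constructed sample values, and real firmware also tracks connection state and timeouts, which this model leaves out.

```python
"""Toy model of a home router's NAT, port-forwarding and port-triggering logic.
Added illustration only; all addresses and ports below are constructed."""
from dataclasses import dataclass

WAN_IP = "203.0.113.10"   # constructed public address (TEST-NET-3 documentation range)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class Router:
    def __init__(self, wan_ip):
        self.wan_ip = wan_ip
        self.next_port = 40000
        self.nat = {}            # (proto, wan_port) -> (lan_ip, lan_port) for flows a client opened
        self.forwards = {}       # (proto, wan_port) -> (lan_ip, lan_port) static forwarding rules
        self.triggers = {}       # (proto, port) -> lan_ip learned from outbound traffic
        self.trigger_rules = set()   # (proto, port) pairs configured as port triggers

    def add_forward(self, proto, wan_port, lan_ip, lan_port):
        self.forwards[(proto, wan_port)] = (lan_ip, lan_port)

    def add_trigger(self, proto, port):
        self.trigger_rules.add((proto, port))

    def outbound(self, pkt):
        """LAN -> internet: rewrite the source to the WAN address and remember the mapping."""
        key = (pkt.proto, self.next_port)
        self.nat[key] = (pkt.src_ip, pkt.src_port)
        if (pkt.proto, pkt.dst_port) in self.trigger_rules:
            # port triggering: remember which client last talked on the trigger port
            self.triggers[(pkt.proto, pkt.dst_port)] = pkt.src_ip
        self.next_port += 1
        return Packet(self.wan_ip, key[1], pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt):
        """internet -> LAN: deliver only if a NAT mapping, forwarding rule or trigger matches."""
        key = (pkt.proto, pkt.dst_port)
        if key in self.nat:                      # reply to a connection a client initiated
            lan_ip, lan_port = self.nat[key]
        elif key in self.forwards:               # static port-forwarding rule
            lan_ip, lan_port = self.forwards[key]
        elif key in self.triggers:               # port triggering
            lan_ip, lan_port = self.triggers[key], pkt.dst_port
        else:
            return None                          # unsolicited: dropped
        return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port, pkt.proto)


def demo():
    """Walk through the cases the article describes; returns what reached the LAN."""
    r = Router(WAN_IP)
    r.add_forward("tcp", 80, "192.168.1.20", 80)   # web server hosted on the LAN
    r.add_trigger("tcp", 6881)                      # a trigger port for a file-sharing client
    results = {}
    # 1. a client browses out; the reply comes back to the translated port and is delivered
    out = r.outbound(Packet("192.168.1.30", 51000, "198.51.100.5", 443))
    reply = r.inbound(Packet("198.51.100.5", 443, WAN_IP, out.src_port))
    results["reply"] = (reply.dst_ip, reply.dst_port)
    # 2. an unsolicited probe to port 22: no rule matches, so it is dropped
    results["probe"] = r.inbound(Packet("198.51.100.5", 5555, WAN_IP, 22))
    # 3. port 80 reaches the forwarded web server
    results["web"] = r.inbound(Packet("198.51.100.5", 5556, WAN_IP, 80)).dst_ip
    # 4. the trigger port is closed until a client sends outbound traffic on it
    results["before_trigger"] = r.inbound(Packet("198.51.100.5", 5557, WAN_IP, 6881))
    r.outbound(Packet("192.168.1.40", 6881, "198.51.100.9", 6881))
    results["after_trigger"] = r.inbound(Packet("198.51.100.5", 5558, WAN_IP, 6881)).dst_ip
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The point to notice is the order of the inbound checks: a packet is delivered only if it matches a flow a client started, a forwarding rule, or a learned trigger, and everything else is dropped. That default is the layer of protection the article refers to; every rule that UPnP or port triggering creates is an exception to it, so the list of active forwards in the router interface is worth reviewing from time to time.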
Reserved IP addresses
There’s one potential “gotcha” with port forwarding. When you create a port forwarding rule, you associate a port with a local IP address. But these local addresses are allocated dynamically – using the dynamic host configuration protocol (DHCP) – so if you regularly turn your devices on and off, they can end up with different addresses from one day to the next.
The solution is to “reserve” an IP address for your local PC, so it always gets the same one. The way you do this varies from router to router: typically, it will be listed under “LAN setup” or “DHCP settings”. If you see a list of connected clients, you may see the option to click “reserve” to permanently assign an address to a particular client. Otherwise, you may need to enter details manually.
It’s also possible to specify a static IP address at the client end. But this option is provided chiefly for compatibility with older systems that don’t support DHCP. With a modern router, there’s no advantage to doing it this way, and it involves more fiddly configuration, so we suggest you steer clear.
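The “gotcha” described above, as an added Python illustration (not the article’s code or any router’s): a toy DHCP allocator that hands out the lowest free address in its pool. Real DHCP servers usually try to re-offer a client its previous lease, so the mismatch is not guaranteed, but without a reservation nothing prevents it. The MAC addresses and the address pool are constructed values.

```python
"""Toy DHCP allocator showing why a port-forwarding rule can break without an
address reservation. Added illustration; MAC addresses and pool are constructed."""


class DhcpServer:
    def __init__(self, pool):
        self.pool = list(pool)     # addresses handed out in order
        self.leases = {}           # mac -> ip currently leased
        self.reserved = {}         # mac -> ip fixed by the administrator

    def reserve(self, mac, ip):
        """Pin an address to a client (the router's 'reserve' button)."""
        self.reserved[mac] = ip

    def offer(self, mac):
        if mac in self.reserved:
            ip = self.reserved[mac]
        else:
            # lowest address that is neither leased nor reserved for someone else
            taken = set(self.leases.values()) | set(self.reserved.values())
            ip = next(a for a in self.pool if a not in taken)
        self.leases[mac] = ip
        return ip

    def release(self, mac):
        self.leases.pop(mac, None)


POOL = [f"192.168.1.{n}" for n in range(100, 110)]
SERVER_MAC = "02:00:00:00:00:aa"   # constructed, locally administered MAC
LAPTOP_MAC = "02:00:00:00:00:bb"   # constructed


def scenario(use_reservation):
    """Return (address on day one, address on day two, whether they match)."""
    dhcp = DhcpServer(POOL)
    if use_reservation:
        dhcp.reserve(SERVER_MAC, "192.168.1.105")
    first = dhcp.offer(SERVER_MAC)      # server boots first; the port-forward rule is written for this address
    dhcp.release(SERVER_MAC)            # server is switched off overnight
    dhcp.offer(LAPTOP_MAC)              # next day a laptop joins first and takes the lowest free address
    second = dhcp.offer(SERVER_MAC)     # the server comes back
    return first, second, first == second


if __name__ == "__main__":
    print("without reservation:", scenario(False))
    print("with reservation:   ", scenario(True))
```

Without the reservation the server gets a different address on day two and the forwarding rule now points at the laptop; with the reservation it always gets the same one.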
A router isn’t only a gateway to the internet; it’s a gateway to your personal network. If an intruder can somehow connect to this network, he could in theory intercept personal data and even install malware on your PCs. This type of attack is rare, but with wireless networking it isn’t a risk you can ignore.
You can start protecting yourself by choosing a suitably anonymous SSID (the broadcast name of your network). Don’t use your name or address as your network name, since this information could feasibly be of use to criminals. There’s probably no need to go so far as hiding your SSID: if your network is properly secured, it doesn’t matter if would-be intruders can see it – they won’t be able to get in. Certain devices may also be unable to connect to hidden networks.
Make sure you’re using a secure encryption method. The old WEP system (standing, ironically enough, for Wired Equivalent Privacy) can be broken in a few minutes by a determined hacker. In 2003, it was superseded by WPA (Wi-Fi Protected Access), but this too has its flaws: it uses an encryption protocol called temporal key integrity protocol (TKIP), which can be hijacked to send rogue packets and instructions to devices on your network.
The best choice is WPA2, which replaces TKIP with much stronger AES encryption – also referred to as CCMP, which stands, via a very roundabout process of abbreviation, for Counter Mode with Cipher Block Chaining Message Authentication Code Protocol.
WPA2 comes in two flavours: WPA2-Personal and WPA2-Enterprise. Personal security simply requires clients to provide a “Pre-Shared Key” – a passphrase of between eight and 63 characters – in order to join the network. For this reason, it’s also sometimes referred to as WPA2-PSK. The passphrase can include spaces and punctuation marks, so you can use a multiword phrase that’s easy to remember but effectively impossible for an attacker to find by brute force.
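How the passphrase becomes a key, as an added example rather than anything from the article: IEEE 802.11i specifies that the WPA2-Personal pre-shared key is PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, run for 4096 iterations and producing 256 bits. The code below derives it with Python’s standard library, enforces the 8-to-63 printable-ASCII rule, and adds a rough keyspace estimate to show why a long multiword phrase is so much harder to guess than a short one. The “password”/“IEEE” pair is the published 802.11i test vector; the other passphrase is constructed.

```python
"""WPA2-PSK key derivation per IEEE 802.11i, plus a rough passphrase keyspace estimate.
Added example; 'password'/'IEEE' is the standard's published test vector."""
import hashlib
import math
import string


def check_passphrase(passphrase):
    """Enforce the 802.11i rules: 8 to 63 printable ASCII characters (codes 32 to 126)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters long")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must contain only printable ASCII")
    return True


def derive_psk(passphrase, ssid):
    """PSK = PBKDF2(HMAC-SHA1, passphrase, SSID, 4096 iterations, 256 bits), hex-encoded."""
    check_passphrase(passphrase)
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    ).hex()


def keyspace_bits(passphrase):
    """Bits of guessing effort if every character were random within the classes used.
    Dictionary phrases are weaker than this figure suggests; the point is the growth with length."""
    classes = 0
    if any(c.islower() for c in passphrase):
        classes += 26
    if any(c.isupper() for c in passphrase):
        classes += 26
    if any(c.isdigit() for c in passphrase):
        classes += 10
    if any(c in string.punctuation or c == " " for c in passphrase):
        classes += 33   # 32 punctuation marks plus the space
    return len(passphrase) * math.log2(classes)


if __name__ == "__main__":
    print("PSK for test vector:", derive_psk("password", "IEEE"))
    for p in ("password", "mint tea on the balcony"):   # second phrase is constructed
        print(f"{p!r}: about {keyspace_bits(p):.0f} bits")
```

Each guess costs 4096 HMAC computations, which slows guessing down but does not rescue a short or dictionary passphrase; length is what makes the difference. Note too that the SSID is the salt, so two networks with the same passphrase but different names have different keys.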
The Enterprise option is more flexible: clients can be granted individual access to different resources, and easily tracked. However, this is achieved with the assistance of a dedicated RADIUS (Remote Authentication Dial In User Service) server, external to the router. For a home network that’s overkill.
Unless your wireless client is positioned within spitting distance of the router, the speed of your connection will fluctuate, thanks to ambient interference from other devices. If your clients are located far from your router, or separated from it by several walls, interference can compromise your transfer speeds to a significant degree.
To maximise your performance, check that your router is set to connect at its fastest speed: most routers support a range of wireless modes, from 802.11b (11Mbits/sec) right up to 802.11n (300Mbits/sec). It’s also worth switching to the 5GHz transmission band (if available), which suffers less from interference than the longer-established 2.4GHz band. Typically, routers that support 5GHz can run a legacy 2.4GHz network concurrently, so older clients that don’t support 5GHz wireless can still connect.
You could also try switching your router to a different wireless channel. There are 13 channels to choose from in the 2.4GHz band (plus a 14th channel that isn’t used in Europe), and 19 channels in the 5GHz band. You can discover which channels are already being used by nearby networks using the free inSSIDer tool. Run this on a wireless-equipped PC and it will give you a graphical display of all the wireless networks that can be detected, along with their signal strength. Sadly, unless you have a dedicated RF spectrum analyser, there’s no easy way to tell which channels might be affected by interference from household appliances: you’ll just have to experiment to see where the best performance is to be found.
Quality of Service
A final way to get the best performance from your network is to make use of your router’s Quality of Service (QoS) features. The most common QoS system is Wi-Fi Multimedia (WMM), which is part of the 802.11n standard. WMM prioritises different types of wireless traffic according to how time-critical the content is: video chat, for example, needs to reach its destination quickly to maintain a smooth video and audio stream. Web pages can arrive at a more leisurely pace without degrading your experience.
QoS only applies within your local network. If your video is stuttering because your internet connection is saturated – perhaps because several people are trying to use video chat at once – there’s nothing your router can do to help. However, most ISPs use their own QoS systems that will at least prioritise these video links over less urgent traffic.
Where QoS is useful is if you’re using lots of local bandwidth. For example, you might be streaming a movie from a home server in the front room when an automated local backup job starts up. Without QoS, these two tasks will have equal network priority, and the backup could interfere with the video. With QoS, the video will always be prioritised to keep things smooth. QoS is useful in a business context, too, where VoIP communications can be automatically prioritised over other connections.
Unless you have a particular reason for wanting all traffic to be considered equal, it makes sense to keep QoS switched on. If you don’t like the default settings, you can normally define custom rules: for example, in some households online gaming may be considered more important than video chat. Your router will typically allow you to set your own QoS rules on a port-by-port basis, or to specify which clients should get priority at times of high network usage.
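A toy model of the prioritisation WMM performs, added here as an illustration rather than any router’s real queueing code: the four WMM access categories (voice, video, best effort, background) are served in strict priority order, frames are classified by destination port, and the custom rules the article mentions (a port-based override, or a client flagged for priority) are layered on top. The port-to-category table and the burst of frames are constructed sample data.

```python
"""Strict-priority scheduler modelled on the four WMM access categories.
Added illustration; ports, rules and frames are constructed sample data."""
import heapq
from itertools import count

# Lower number = transmitted first (WMM order: voice, video, best effort, background)
AC = {"voice": 0, "video": 1, "best_effort": 2, "background": 3}

DEFAULT_RULES = {          # destination port -> access category (constructed table)
    5060: "voice",         # SIP call signalling
    554: "video",          # RTSP media stream from a home server
    80: "best_effort",
    443: "best_effort",
    873: "background",     # rsync backup job
}


class Scheduler:
    def __init__(self, rules=None, priority_clients=()):
        self.rules = dict(DEFAULT_RULES)
        self.rules.update(rules or {})          # custom port-by-port rules
        self.priority_clients = set(priority_clients)
        self.queue = []
        self.seq = count()                      # preserves FIFO order inside one category

    def classify(self, frame):
        ac = self.rules.get(frame["dst_port"], "best_effort")
        if frame["src"] in self.priority_clients:
            ac = min(ac, "video", key=AC.get)   # a priority client never drops below 'video'
        return ac

    def enqueue(self, frame):
        heapq.heappush(self.queue, (AC[self.classify(frame)], next(self.seq), frame))

    def drain(self):
        """Return frame names in the order they would be transmitted."""
        order = []
        while self.queue:
            _, _, frame = heapq.heappop(self.queue)
            order.append(frame["name"])
        return order


def demo(custom_rules=None, priority_clients=()):
    """Queue a constructed burst in which the backup arrives first and report the send order."""
    s = Scheduler(custom_rules, priority_clients)
    s.enqueue({"name": "backup-1", "src": "192.168.1.50", "dst_port": 873})
    s.enqueue({"name": "backup-2", "src": "192.168.1.50", "dst_port": 873})
    s.enqueue({"name": "movie-frame", "src": "192.168.1.20", "dst_port": 554})
    s.enqueue({"name": "web-page", "src": "192.168.1.30", "dst_port": 80})
    s.enqueue({"name": "game-update", "src": "192.168.1.60", "dst_port": 27015})
    return s.drain()


if __name__ == "__main__":
    print("default rules:      ", demo())
    print("gaming first:       ", demo(custom_rules={27015: "voice"}))
    print("backup host priority:", demo(priority_clients=("192.168.1.50",)))
```

With the default rules the movie frame is sent before the backup frames even though they were queued first; passing `{27015: "voice"}` as a custom rule moves the game traffic to the front instead. Real WMM is contention-based rather than a single strict queue, so the model captures only the ordering effect.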
In this feature we focus on IPv4, the four-number addressing system that’s been the standard since the dawn of the internet. However, as the number of internet clients continues to grow, IPv4 is running out of addresses. Internet services are therefore gradually transitioning to IPv6, using much longer addresses such as 3f2e:1910:4595:3:208:f7ff:fe61:67cf.
Unless your router is several years old, it’s likely that IPv6 support will be built in and enabled by default. With IPv6 enabled, your router will receive an IPv6 address from your ISP, in addition to its IPv4 address, and it will assign IPv6 addresses to your clients as well as IPv4 ones. Unlike DHCP-assigned local IPv4 addresses, these addresses are valid all across the internet. So if you’re running a web server on an IPv6 network, you have no need for port forwarding: it should be possible for an external computer to reach your PC directly via its (rather unwieldy) numerical IPv6 address.
In practice, ISPs, routers and server software may not yet fully support this, but it’s on the cards.
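Two checks a practitioner would want when turning IPv6 on, as an added Python example and not the article’s code: the standard `ipaddress` module confirms whether an address is globally routable (the article’s sample address is), and a toy stateful firewall shows that reaching a LAN server over IPv6 typically still needs an explicit inbound allow rule on the router, because most routers that support IPv6 drop unsolicited inbound traffic by default even though no address translation takes place. Apart from the article’s own sample address, all addresses and ports are constructed.

```python
"""Classify IPv6 addresses and model the router's default-deny IPv6 firewall.
Added example; addresses other than the article's sample are constructed."""
import ipaddress


def classify(addr):
    """Say what kind of address this is; only 'global' addresses are reachable from the internet."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 6:
        return "ipv4"
    if ip.is_link_local:
        return "link-local"        # fe80::/10, valid only on the local segment
    if ip.is_private:
        return "unique-local"      # fc00::/7, the IPv6 counterpart of 192.168.x.x
    if ip.is_global:
        return "global"
    return "other"


class Ipv6Firewall:
    """Stateful default-deny for inbound traffic. There is no NAT: the LAN address is the
    address the outside world sees, so an allow rule replaces a port-forwarding rule."""

    def __init__(self):
        self.allow = set()     # (lan_addr, lan_port) explicitly opened
        self.state = set()     # (lan_addr, lan_port, remote, remote_port) outbound flows seen

    def allow_inbound(self, lan_addr, port):
        self.allow.add((ipaddress.ip_address(lan_addr), port))

    def outbound(self, lan_addr, lan_port, remote, remote_port):
        self.state.add((ipaddress.ip_address(lan_addr), lan_port,
                        ipaddress.ip_address(remote), remote_port))

    def inbound(self, remote, remote_port, lan_addr, lan_port):
        key = (ipaddress.ip_address(lan_addr), lan_port,
               ipaddress.ip_address(remote), remote_port)
        if key in self.state:
            return "accept (reply)"
        if (ipaddress.ip_address(lan_addr), lan_port) in self.allow:
            return "accept (rule)"
        return "drop"


def firewall_demo():
    fw = Ipv6Firewall()
    server = "3f2e:1910:4595:3:208:f7ff:fe61:67cf"   # the article's sample address
    laptop = "3f2e:1910:4595:3::10"                  # constructed, same /64 prefix
    remote = "2001:db8::1"                           # constructed (documentation prefix)
    results = {}
    results["before_rule"] = fw.inbound(remote, 40000, server, 80)   # dropped by default
    fw.allow_inbound(server, 80)                                     # the IPv6 equivalent of a port forward
    results["after_rule"] = fw.inbound(remote, 40000, server, 80)
    results["other_port"] = fw.inbound(remote, 40001, server, 22)    # still dropped
    fw.outbound(laptop, 51000, remote, 443)                          # laptop browses out
    results["reply"] = fw.inbound(remote, 443, laptop, 51000)        # reply is let back in
    return results


if __name__ == "__main__":
    for a in ("3f2e:1910:4595:3:208:f7ff:fe61:67cf", "fe80::1", "fd12::1", "192.168.1.1"):
        print(f"{a}: {classify(a)}")
    print(firewall_demo())
```

So the practical change when moving a server to IPv6 is not “no configuration at all” but “an allow rule instead of a forward”: the client’s address is already public, and the router’s firewall is what stands between it and the internet.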