Thursday, November 3, 2011

Change Google password on Android phone

Q:  I changed my online Google password and now my Android phone doesn't sync.  How do I change/update the password on my phone?

A:  Try to log in to the market on the phone.  You will then be prompted for the new password.

Saturday, October 29, 2011

OpenVPN with Site to Site Routing

Connecting two sites using OpenVPN is very simple. One side is configured as a client, and the other as a server. Usually with site to site connections you want to use shared keys.
The instructions below are for basic site to site connectivity. For advanced options/configurations see the Advanced Options Section below and the pfSense book. For other modes such as SSL/TLS, or remote access, look in the Category:OpenVPN OpenVPN category of the doc wiki.
This document only covers pfSense 2.0. For 1.2.3, see OpenVPN Site To Site.

Info


You can have both IPSec and OpenVPN enabled/in use at the same time, however, not for the same subnets. Any IPSec tunnel that references the same pair of subnets you wish to use in OpenVPN must be disabled, but IPSec and OpenVPN do not conflict.
The way OpenVPN works is that one end of the tunnel needs to be the “server” and the other the “client”, it does not matter which, though if doing more than one site, you should have the main site as the “server”.
You must create a firewall rule on the Server's WAN interface that allows the OpenVPN protocol and port through, otherwise the traffic will be blocked and the VPN will fail to connect. To filter traffic arriving across the VPN itself, add rules to the OpenVPN tab under Firewall > Rules.
OpenVPN in shared key mode is the recommended method for site to site connections, unless you have a half dozen or more sites. For PKI and advanced options/configurations see OpenVPN Site-to-Site PKI (SSL) and the pfSense book.
For more than 5 connections site to site or roadwarrior VPNs you probably want to use SSL/TLS (PKI) for ease of management.

Server Settings


Go to VPN > OpenVPN you will be on the server page by default, click the + symbol
Server Mode : Peer to Peer (Shared Key)
Protocol : UDP. TCP is undesirable because the TCP sessions carried inside the tunnel already retransmit their own lost packets; if the tunnel itself also runs over TCP, every loss is retransmitted at both layers, which slows the VPN badly on a WAN connection that drops traffic. TCP is really only useful if you need to bypass firewalls, in which case use port 443, since almost no one blocks it. Must match on each side. If you choose port 443, ensure the WebGUI is not running on that port first.
Device Mode : tun
Interface : Whichever interface you want the server to use for incoming connections. Typically WAN, but may be an OPT WAN. You may also use "any" and then it will bind to all interfaces.
Local Port : The port this OpenVPN server will listen on. 1194 is the default OpenVPN port. Each server requires a unique port. Make sure not to use a port in use by another service otherwise problems can occur.
Description : A name for this VPN. Shows up in various places where you can select the VPN from a list, such as Status > Services, or Diagnostics > Packet Capture.
Shared key : On 2.0, the keys can be made in the GUI. You can check "Automatically generate a shared key.", and when the settings are saved, a key will be generated for you. You can then copy/paste the key into the client.
Encryption algorithm : This setting must match on both sides. Any of the AES options are fine; it comes down to user preference. If you are on ALIX, use aes-128-cbc (see the pfSense wiki). For most others, aes-256-cbc is good. CAST/DES/RC2 are faster but weaker (single DES and RC2 are obsolete by current standards), so avoid them unless the hardware leaves no choice.
Hardware Crypto : If your device has hardware crypto support, you can choose it from this list. For ALIX and many others, use "BSD cryptodev engine" to use supported onboard devices.
Tunnel Network : The suggested default in the GUI of 10.0.8.0/24 is sufficient, but we really recommend using a random unused network inside the RFC1918 space so it cannot collide with either site's LAN. For site-to-site shared key, you really only need a /30, not a /24.
Remote network : Enter the remote (Client Side) LAN here, to access more than one network, use the custom options field, for more info please see Advanced Options section below and the pfSense book.
Compression : Check this if you want to compress data on the tunnel. If you primarily transfer bulk data or encrypted protocols like https/ssh, this may only add unnecessary overhead.
Type-of-Service : Set the TOS IP header value of tunnel packets to match the encapsulated packet value. Useful if you want to do traffic shaping on the OpenVPN traffic itself, but it does expose some data about the contents of the packet, so it is a potential security risk.

Client Settings


Go to VPN > OpenVPN You will be on the server page by default, click Clients tab, and then the + symbol.
Server Mode : Peer to Peer (Shared Key)
Protocol : Match the setting from the server side.
Device Mode : tun
Interface : Whichever interface you want the client to use for its outbound connection to the server. Typically WAN, but may be an OPT WAN. You may also use "any" and then it will bind to all interfaces.
Local Port : Leave this blank for a random port. The port this OpenVPN client will use for its side (source port). 1194 is the default OpenVPN port. Each process requires a unique port. Make sure not to use a port in use by another service otherwise problems can occur.
Server host or address: FQDN (vpn.example.com) or IP (69.64.6.21)
Server Port: The port the OpenVPN client will connect to on the Server
Description : A name for this VPN. Shows up in various places where you can select the VPN from a list, such as Status > Services, or Diagnostics > Packet Capture.
Shared key : Copy/paste the key from the server.
Encryption algorithm : Match the setting from the server side.
Hardware Crypto : If your device has hardware crypto support, you can choose it from this list. For ALIX and many others, use "BSD cryptodev engine" to use supported onboard devices.
Tunnel Network : Must match the server side. The suggested default in the GUI of 10.0.8.0/24 is sufficient, but we really recommend using a random unused network inside the RFC1918 space. For site-to-site shared key, you really only need a /30, not a /24.
Remote network : Enter the remote (Server Side) LAN here, to access more than one network, use the custom options field, for more info please see Advanced Options section below and the pfSense book.
Compression : Match the setting from the server side.
Type-of-Service : Set the TOS IP header value of tunnel packets to match the encapsulated packet value. Useful if you want to do traffic shaping on the OpenVPN traffic itself, but it does expose some data about the contents of the packet, so it is a potential security risk.

Advanced Options


To access additional networks, you add a route to the side opposite where the network is located. For example, to access 172.18.4.0/24, which resides on the server side, add the following custom option:

route 172.18.4.0 255.255.255.0;
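
As an added example (not pfSense's own code, nor from the doc wiki), the following Python script reads the text form of the two shared-key configurations described above and reports anything that breaks the rules on this page: a setting that fails "must match on each side", a tunnel network that is not mirrored between the two ends, or a route placed on the same side as the network it points at. The hostname vpn.example.com, the LAN ranges and the secret file paths are assumptions chosen for the sample configs.

```python
"""Consistency check for an OpenVPN shared-key site-to-site pair.

Added example, not pfSense code. The two configs below are constructed to
mirror the GUI settings described above; the hostname, LAN ranges and
secret paths are made up for the sample.
"""
import ipaddress

SERVER_LANS = ["192.168.1.0/24", "172.18.4.0/24"]   # networks behind the server
CLIENT_LANS = ["192.168.2.0/24"]                    # networks behind the client

SERVER_CONF = """
proto udp
port 1194
dev tun
secret /var/etc/openvpn/server1.secret
cipher AES-256-CBC
ifconfig 10.0.8.1 10.0.8.2
route 192.168.2.0 255.255.255.0     # Remote network = client LAN
comp-lzo
"""

CLIENT_CONF = """
proto udp
remote vpn.example.com 1194
dev tun
secret /var/etc/openvpn/client1.secret
cipher AES-256-CBC
ifconfig 10.0.8.2 10.0.8.1
route 192.168.1.0 255.255.255.0     # Remote network = server LAN
route 172.18.4.0 255.255.255.0;     # custom option: extra server-side network
comp-lzo
"""


def parse_openvpn(text):
    """Map each directive to the list of argument lists it appears with.

    '#' and ';' start comments, as in OpenVPN itself; that also swallows the
    trailing ';' pfSense uses to separate custom options.
    """
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            name, *args = line.split()
            cfg.setdefault(name, []).append(args)
    return cfg


def _one(cfg, name, default=None):
    """First occurrence of a single-valued directive, joined as a string."""
    return " ".join(cfg[name][0]) if name in cfg else default


def _routes(cfg):
    """Networks installed by 'route <net> <mask>' lines."""
    return [ipaddress.ip_network(f"{a[0]}/{a[1]}") for a in cfg.get("route", [])]


def check_site_to_site(server_text, client_text, server_lans, client_lans):
    """Return a list of problems; an empty list means the pair is consistent."""
    s, c = parse_openvpn(server_text), parse_openvpn(client_text)
    problems = []

    # Settings the page says "must match on each side".
    for name in ("proto", "dev", "cipher"):
        if _one(s, name) != _one(c, name):
            problems.append(f"{name} mismatch: server={_one(s, name)} client={_one(c, name)}")
    if ("comp-lzo" in s) != ("comp-lzo" in c):
        problems.append("compression enabled on one side only")

    # The client must dial the port the server listens on (OpenVPN default 1194).
    remote = c.get("remote", [[]])[0]
    client_port = remote[1] if len(remote) > 1 else "1194"
    server_port = _one(s, "port", "1194")
    if client_port != server_port:
        problems.append(f"port mismatch: server listens on {server_port}, client dials {client_port}")

    # Shared-key mode: both sides need a secret, and the tunnel endpoints mirror.
    for side, cfg in (("server", s), ("client", c)):
        if "secret" not in cfg:
            problems.append(f"{side} has no shared secret")
    s_if, c_if = s.get("ifconfig", [[]])[0], c.get("ifconfig", [[]])[0]
    if len(s_if) != 2 or len(c_if) != 2 or s_if != c_if[::-1]:
        problems.append("ifconfig local/remote tunnel addresses are not mirrored")

    # Each side routes only the networks that live on the *other* side.
    server_nets = {ipaddress.ip_network(n) for n in server_lans}
    client_nets = {ipaddress.ip_network(n) for n in client_lans}
    for net in _routes(s):
        if net not in client_nets:
            problems.append(f"server routes {net}, which is not a client-side network")
    for net in _routes(c):
        if net not in server_nets:
            problems.append(f"client routes {net}, which is not a server-side network")
    return problems


if __name__ == "__main__":
    for line in check_site_to_site(SERVER_CONF, CLIENT_CONF, SERVER_LANS, CLIENT_LANS) or ["OK"]:
        print(line)
```

Run it against the text of a real pair (the generated files live under /var/etc/openvpn/ on pfSense) after editing either side; a cipher or compression mismatch produces a tunnel that appears up but passes no traffic, which is exactly the failure this catches before the first ping.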

pfSense cannot receive list of available packages

Check to see if any upstream security appliances are blocking.  I had the same issue and noticed that my security appliance was blocking 'WEB-PHP xmlrpc.php post attempt' when attempting to connect to 69.64.6.21 for list of Available Packages.  The Firmware updates were working fine but the Available Packages were being blocked.

Thursday, October 27, 2011

Shortcut to minimize the remote session (RDP) to my local machine

Create keyboard macro to do following:
CTRL+ALT+BREAK to take the RDP session out of full-screen mode
ALT+Spacebar to open the window menu
n to minimize

Friday, July 15, 2011

How to Install GD Library


  1. Go to WHM -> Software -> EasyApache
  2. If prompted to upgrade, do so then repeat the above step
  3. Begin customizing based on the current profile
  4. Proceed through the screens until you get to "Step 5"
  5. On "Step 5," click on "Exhaustive Options"
  6. Under PHP, check the checkbox for GD
  7. Proceed with Build & Compile Process

Sunday, July 10, 2011

How to eliminate the Open File Security Warning

I get a warning message every time I try to copy or move files from my NAS.

Message is "Are you sure you want to copy or move files to this folder"

How to eliminate the “Open File Security Warning” from programs accessed from the file server.

Open the Control Panel
1. Open Internet Options
2. Click the Security Tab
3. Click on Local Intranet
4. Click on Sites
5. Click Advanced
6. Type the drive letter of your file server where the application is located in the “Add this website to this zone” box.
7. Click Add
8. Click Close
9. Click OK
10. Close Internet Options by clicking OK
11. Close the Control Panel

Saturday, June 18, 2011

Excel Concatenate Date Cells With Text Cells

You must first convert the referenced date cells to text, otherwise you end up with an unexpected result.
B3=165
C3=6/14/2011
D3=TEXT(C3,"m/d/yy")&" "&B3

Result in cell D3 will be: 6/14/11 165

Sunday, June 12, 2011

Alternating Sort Using Excel

Q: How to sort a list of names alternating gender in ascending height order?
  1. Assuming the following are in different columns: First Name, Last Name, Gender, Height in Inches.
  2. Four level sort: 1) Gender, 2) Height, 3) Last Name, 4) First Name
  3. Create a helper column and do a series fill for the male names and another for the female names, both starting from the same number. Pick a start number high enough that the series never gains a digit, because the concatenated key in the next step is sorted as text (a text sort puts 1000 before 999). Example: for 300 names per gender start the fill at 101; for 5000 names per gender start it at 1001.
  4. Create a second helper column that concatenates the first helper column (the series fill column) with the gender column.  Result should look like this: 101F
  5. Sort by second helper column (concatenated cells).
  6. Results should be in alternating gender order sorted by height.
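
The same helper-column method as a script, added here as an example and not part of the original post. It performs the four-level sort, numbers each gender from the same start value, builds the "101F"-style key and sorts on it as text, exactly as Excel does, and includes two checks that show both the expected result and the failure when the start number is too small. The names and heights are constructed sample data.

```python
"""Alternating-gender sort, added example (not part of the original post).

It implements the helper-column trick from the steps above and shows why the
starting number matters: Excel sorts the concatenated key as text, so a key
that gains a digit (e.g. "10F" sorting before "2F") lands out of place.
"""

# Constructed sample: 12 women 60-71 inches tall and 12 men 65-76 inches.
PEOPLE = [
    {"first": f"{g}{i}", "last": "Doe", "gender": g, "height": h}
    for g, base in (("F", 60), ("M", 65))
    for i, h in enumerate(range(base, base + 12), 1)
]


def helper_keys(people, start):
    """Steps 2-4: four-level sort, per-gender series fill, then '<n><gender>' keys."""
    ordered = sorted(people, key=lambda p: (p["gender"], p["height"], p["last"], p["first"]))
    counters = {}
    keyed = []
    for p in ordered:
        n = counters.get(p["gender"], start)
        counters[p["gender"]] = n + 1
        keyed.append((f"{n}{p['gender']}", p))
    return keyed


def alternating_sort(people, start=101):
    """Step 5: sort on the text key, exactly as Excel sorts a text column."""
    return [p for _, p in sorted(helper_keys(people, start), key=lambda kp: kp[0])]


def alternates(order):
    """True when gender flips at every step (requires equal group sizes)."""
    return all(a["gender"] != b["gender"] for a, b in zip(order, order[1:]))


def heights_ascending(order):
    """True when each gender's heights are non-decreasing in the output."""
    for g in {p["gender"] for p in order}:
        hs = [p["height"] for p in order if p["gender"] == g]
        if hs != sorted(hs):
            return False
    return True


if __name__ == "__main__":
    for p in alternating_sort(PEOPLE):
        print(p["gender"], p["height"], p["first"])
    print("start=1 keeps heights ascending:", heights_ascending(alternating_sort(PEOPLE, 1)))
```

With a start of 101 the output alternates F, M, F, M with heights rising inside each gender; with a start of 1 the same data produces keys "10F" through "12M" that sort ahead of "1F", which is the place-value problem step 3 warns about. If the two groups are not the same size, the larger one simply runs on at the end.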

Saturday, May 7, 2011

Avocent Cyclades PM IPDU Password Reset

Connect blue Cisco cable w/ null modem adapter to serial port.
Run terminal program (Tera Term)

To erase admin password use loopback plug/dongle part #CON0132.
The RJ45 pin layout for the loopback plug is:
1-8
2-7
3-6

Plug the loopback plug into the OUT port of the Cyclades IPDU, then connect the serial console to the IN port. In a few seconds the loopback plug will be recognized and the admin user password will be reset to the factory default, which is "pm8".

What adapter/cable should I use when connecting a Cyclades PM to the DSR SPC port?
You need to use the 210105 adapter. It comes with the PM. The pinout is:

RJ-45                 RJ-45
DSR                       PM
--------              --------
 1   CTS ------------ RTS    1
 2   DTR ------------ DCD    7
 3   GND ------------ N/C    5
 4   TXD ------------ RXD    6
 5   RXD ------------ TXD    3
 6   GND ------------ GND    4
 7   DSR ------------ DTR    2
 8   RTS ------------ DSR    8

APC AP9631 or AP9630 Network Management Card Firmware Upgrade

  1. Unplug battery and disconnect battery connector.
  2. Install card.
  3. Set static IP first.
  4. Download firmware from APC web site. Make sure you have correct firmware.  Symmetra vs Smart-UPS.

If upgrade fails mid-stream then:

  1. Connect to card via serial cable and terminal program (Tera Term).
  2. Default logon -  User: apc  Pass: apc
  3. Use '?' command for list of commands.
  4. Use the 'tcpip' command to set a static IP.
  5. Reboot device.
  6. Exit from serial logon.
  7. Connect to the card via the network port and the Windows firmware upgrade application.
  8. Upgrade firmware.

Sunday, April 24, 2011

Fix Windows Sleep mode from waking up by itself

Taken from: http://www.cravingtech.com/fix-windows-vista7-sleep-mode-from-waking-up-by-itself.html

Prevent your Network Card to wake your Windows Vista/7 up from its sleep

Check your network card properties through the device manager and disable the "Allow this device to wake the computer" feature.

    Right click on your “My Computer” then select Properties.
    Click Device Manager on the left side of the Properties window.
    Check your Network card on the Network Adapters (Click on the + sign to expand).
    Right click on your network card and select properties.
    Go to the Power Management tab and untick the option there to prevent your network card from ever waking up your Windows.

Find out what wakes up your Windows 7/Vista from its sleep


To find out what event/device woke up your Windows from its sleep state, go to command prompt (type cmd on the Run/Search box and press ENTER), then type this:
powercfg -lastwake


To get the most detailed info (and probably easiest) on the device that wakes your Windows up during the sleep, type:
powercfg -devicequery wake_armed


There! You'll find the culprit. I clicked my mouse to wake my Windows up intentionally, so that's why you see an HID-compliant mouse on the screenshot above. Yours might be different.

Hope this helps!

If it still doesn’t work:

    Check out your Power Management Options on your Control Panel (Start, Control Panel, Power Settings, Change plan settings, Change advanced power settings).
    -> "Multimedia settings" option, "When sharing media" -> "Allow the computer to sleep".
    -> Check other options one by one while you’re at it.


Fix Windows Media Center Random Wake Up

start > type in cmd in the search
right click "Run as Administrator"
Type powercfg -lastwake and press enter.

If you see a line like the following then we can fix it.

Supplied Reason: Windows will execute '\Microsoft\Windows\Media Center\mcupdate_scheduled' scheduled task that requested waking the computer.
How To fix

Open Task Scheduler and change the media center run schedule.

Start > All Programs > Accessories > System Tools > Task Scheduler > Task Scheduler Library > Microsoft > Windows > Media Center

You will see the mcupdate_scheduled task in the center.

Right click on it and select "Properties".
Select the Conditions tab
Uncheck "wake the computer to run this task"

Your media center machine will no longer wake from sleep to get the guide / media updates when your machine is asleep. Instead it will automatically update the next time the PC is awake.


 Disable Wake Timers
Control Panel > Power Options > Change Plan Settings > Change Advanced Power Settings > Sleep > disable wake timers. What is probably happening is that an antivirus update or something along those lines is scheduled with permission to wake the computer, and that is what is waking it.

Sunday, April 10, 2011

pfSense 2.1 OpenVPN Configuration Settings

pfSense 2.1 OpenVPN Settings

This will allow you to connect in from a roaming machine/device via OpenVPN to pfSense.

Step 1 Create a New Certificate Authority (CA) Certificate (System: Certificate Authority Manager)

Descriptive name: ca-01 (Make up a unique name. You typically will only need to make one of these.)
Method: Create an internal Certificate Authority
Key Length: 2048 bit
Digest Algorithm: SHA256
Lifetime: 3650 days
Complete remainder of form with bogus information. Make sure every certificate has a different common name (CN).

Step 2 Create a New Server Certificate (System: Certificate Manager)

Note: You will create one server certificate for each VPN server you create.

Method: Create an internal Certificate
Descriptive name: server-cert-01 (Make up a unique name.)
Certificate Authority: ca-01 (Select the same CA name that you created in step 1.)
Key Length: 2048 bit
Digest Algorithm: SHA256
Certificate Type: Server Certificate
Lifetime: 3650 days
Complete remainder of form with bogus information. Make sure every certificate has a different common name (CN).

Step 3 Create a New User Certificate (System: Certificate Manager)

Note: You will create at least one user certificate for every server certificate, so each VPN server results in at least two certificates: one server cert and one user cert. If more than one person will connect, give each of them their own user certificate with a unique common name rather than sharing one. Recommend a naming scheme that will help you identify which user cert goes with which server cert, e.g. server-cert-01, user-cert-01, server-cert-02, user-cert-02, etc.

Method: Create an internal Certificate
Descriptive name: user-cert-01 (Make up a unique name.)
Certificate Authority: ca-01 (Select the same CA name that you created in step 1.)
Key Length: 2048 bit
Digest Algorithm: SHA256
Certificate Type: User Certificate (not Server Certificate; a client presenting a server-type certificate is rejected when the server verifies the peer's certificate purpose)
Lifetime: 3650 days
Complete remainder of form with bogus information. Make sure every certificate has a different common name (CN).

Step 4: Create OpenVPN Server (OpenVPN: Server)

General Information
Server Mode: Remote Access (SSL/TLS)
Protocol: UDP
Local Port: Option 1) Use default setting of 1194 (This port should be avoided as it is both a target and easily blocked.). Option 2) Anything between 34,981 - 36,000 (The ports in this range are typically unused and available.). Option 3) Use 443 and change protocol from UDP to TCP (This will make the VPN traffic look like you were accessing a secure web page.).
Description: vpn-01

Cryptographic Settings
TLS Authentication: Checked
Generate TLS Key: Checked
Peer Certificate Authority: ca-01 (Select the same CA name that you created in step 1.)
Peer Certificate Revocation List: Not used at this time.
Server Certificate: server-cert-01 (Select the same Certificate name that you created in step 2.)
DH Parameters Length: 1024 bits (2048 bits is the better choice today; 1024-bit DH is no longer considered strong.)
Encryption Algorithm: BF-CBC 128 (Use BF-CBC 128 only if a client cannot accept AES; Blowfish is a 64-bit block cipher and is weak by current standards. Use AES-256-CBC for maximum security whenever the client will accept it.)
Hardware Crypto: No Hardware Crypto Acceleration
Certificate Depth: One (Client+Server)

Tunnel Settings
IPv4 Tunnel Network: 10.0.8.0/24 (Pick a subnet that you are not using.)
IPv6 Tunnel Network: Leave blank
Redirect Gateway: Optional. Check it here to force all client traffic through the VPN for every client; leave it unchecked if you prefer to enable it per client with redirect-gateway def1 in the exported client config.
IPv4 Local Network: This is generally set to your LAN network.
Concurrent Connections: 200
Compression: Checked (Optional. Compression of traffic inside an encrypted tunnel can leak information about the plaintext, so leave it off unless the link is slow and the traffic is not sensitive.)
Type-of-Service: NOT Checked
Inter-Client Communication: Checked (Optional.)
Duplicate Connections: NOT Checked
Note: The Duplicate Connections check box on the server allows multiple concurrent connections from clients using the same Common Name, so one cert can be used by more than one connection/user. This is not generally recommended, but may be needed for some scenarios. Every VPN cert should have its own CN, so every connection/user has one unique cert that can be revoked on its own.

Client Settings
Dynamic IP: Checked
Address Pool: Checked
Topology: NOT Checked
DNS Default Domain: NOT Checked
DNS Servers: Checked (Any two valid DNS server IPs e.g. Server 1) 75.75.75.75 Server 2) 75.75.76.76)
NTP Servers: NOT Checked
NetBIOS Options: NOT Checked

Advanced Configuration
Advanced: Not used. Leave blank.

Step 5: Open WAN Firewall for VPN Use (Firewall: Rules: WAN)

Edit Firewall Rules
Action: Pass
Disabled: NOT Checked
Interface: WAN
TCP/IP Version: IPv4
Protocol: UDP (Or TCP if you are using port 443 in step 4.)
Source: Any
Destination: WAN address
Destination port range: 1194 (Or what ever you selected in step 4.Both from and to will have same value.)
Log: NOT Checked
Description: Enter a name here.

Step 6: Open OpenVPN Firewall for VPN Use (Firewall: Rules: OpenVPN)

Edit Firewall Rules
Action: Pass
Disabled: NOT Checked
Interface: OpenVPN
TCP/IP Version: IPv4
Protocol: Any
Source: Any
Destination: Any
Destination port range: Any
Log: NOT Checked
Description: Enter a name here.
Note: This pass-any rule gives every VPN user access to everything reachable from pfSense. Once the tunnel works, narrow Destination and port to what remote users actually need.

Step 7: Install OpenVPN Client Export Utility (System: Package Manager)

Step 8: Export OpenVPN Client Files (OpenVPN: Client Export Utility)

Remote Access Server: Select the server you created in step 4.  If the wrong server is selected the exported files will not work!  This is very easy to overlook.
Host Name Resolution: Interface IP Address
Verify Server CN: Automatic
Use Random Local Port: Checked
Certificate Export Options: NOT Checked
Use Proxy: NOT Checked
Management Interface OpenVPNManager: NOT Checked
Additional configurations options: ping 10;verb 3
Note: Add the following as needed:
redirect-gateway def1 #(redirect-gateway def1 will force all the traffic from client across VPN e.g., web browsing)
auth-user-pass #(allows the OpenVPN server to securely obtain a username and password from a connecting client, and to use that information as a basis for authenticating the client)
Client Install Packages: Select the user cert that matches up with the Remote Access Server name you selected earlier.

Step 9: Create Firewall Rules (Firewall: Rules)

WAN
Proto: Select the protocol that you selected in step 4 e.g. TCP or UDP.
Source Type: Any
Source Port: Any
Destination Type: WAN address
Destination Port: Select the port that you selected in step 4 e.g. 443, 1194, etc.
Gateway: Any
Queue: None
Schedule: None

OpenVPN
Proto: Any
Source Type: Any
Source Port: Any
Destination Type: Any
Destination Port: Any
Gateway: Any
Queue: None
Schedule: None

Sunday, April 3, 2011

Prints From Digital Images

Q. I would like to automate the image resizing using Lightroom instead of PS. However, the jpeg quality option is not 1 to 12 but rather 1 to 100%. Should I set it at 83% quality (based on 10 of 12)?
A. With Lightroom 84% is an equivalent to a level 10 jpeg.

Q. What type of file do you require?
A. We require level 10 JPEG files to be sent to us.

Q. Is it okay to embed an ICC profile?
A. Embedding a valid ICC profile in your image is very important. Without embedding the profile our software has no idea what colorspace your file is in. This will result in unexpected color in the prints. All files not tagged with an embedded profile are assumed to be in sRGB.

Q. What colorspace do you accept?
A. We accept any colorspace as long as it is embedded in the file. Our software will read the colorspace embedded in the file and print appropriately for that colorspace. We recommend the use of a standard working space profile such as Adobe RGB 1998 or sRGB.

Q.How many pixels/inch should my image have?
A. 200 - 300 ppi.

Canon 7D ISO Noise

Canon 7D ISO Noise Test Results

[Test-crop thumbnails for ISO 100 through 12800 omitted]



Higher number = lower noise.

Sorted by ISO             Sorted by noise score (best first)
ISO     Noise             ISO     Noise
100     98                160     99
125     92                100     98
160     99                200     97
200     97                320     97
250     92                400     95
320     97                640     93
400     95                125     92
500     89                250     92
640     93                500     89
800     88                800     88
1000    84                1250    86
1250    86                1000    84
1600    83                1600    83
2000    79                2000    79
2500    75                2500    75
3200    72                3200    72
4000    70                4000    70
5000    68                5000    68
6400    66                6400    66
12800   61                12800   61

Note the pattern: the intermediate settings 125, 250, 500 and 1000 score lower than the full-stop ISOs on either side of them, while 160 scores highest of all and 320 matches 200.



18 MP APS–C CMOS Sensor
Designed and manufactured by Canon, the sensor produces an outstanding image and offers fantastic performance at high and low conditions, thanks to a new photodiode and microlens construction.

ISO Range
The EOS 7D enables photographers to capture subjects in their natural light.  The ISO range (100 – 6,400) is expandable to 12,800.

Dual “DIGIC 4” processors
By utilizing Dual “DIGIC 4” processors, users of the EOS 7D never have to compromise between shooting speed, image quality and ISO performance.

Canon CMOS sensor
The EOS 7D includes a new 18 megapixel CMOS sensor with a wide ISO range that delivers excellent results in both the low and high-speed ranges as well as improved image quality. The sensor is a standard APS-C size (22.4x14.9mm) and produces an effective field of view of 1.6x the lens focal length.

The EOS 7D sensor features condensed circuitry with improved sensitivity and increased capacity of the photodiodes, which enables shooting at high ISO and prevents overloading when shooting in bright conditions. The ISO range (100 - 6400) is expandable to 12800 enabling photographers to capture subjects in their natural light without the use of a flash.  

The EOS 7D sensor includes gapless microlenses that have been moved closer to the photodiodes.  These technological advances, which were developed and manufactured by Canon, improve the signal to noise ratio creating very clean high ISO images.

Dual “DIGIC 4”

DIGIC 4 removes the highly noticeable color noise as well as reducing luminance noise without loss in detail, allowing for very clean high ISO images. Even at ISO 6400 noise levels are similar to those of ISO 1600 from DIGIC III.  Auto Lighting Optimizer is now also available during manual exposure, without any drop in performance.

Thursday, March 24, 2011

How do I reset Windows Update components?

This article helps you reset the Windows Update components.



http://support.microsoft.com/kb/971058

Sunday, March 13, 2011

Class A Host/Subnet Table


Class A (default mask 255.0.0.0, /8)

Bits borrowed       Subnet            Effective    Usable          Subnet
from host portion   mask              subnets      hosts/subnet    mask bits
-----------------   ---------------   ---------    ------------    ---------
  1                 255.128.0.0              2       8388606       /9
  2                 255.192.0.0              4       4194302       /10
  3                 255.224.0.0              8       2097150       /11
  4                 255.240.0.0             16       1048574       /12
  5                 255.248.0.0             32        524286       /13
  6                 255.252.0.0             64        262142       /14
  7                 255.254.0.0            128        131070       /15
  8                 255.255.0.0            256         65534       /16
  9                 255.255.128.0          512         32766       /17
  10                255.255.192.0         1024         16382       /18
  11                255.255.224.0         2048          8190       /19
  12                255.255.240.0         4096          4094       /20
  13                255.255.248.0         8192          2046       /21
  14                255.255.252.0        16384          1022       /22
  15                255.255.254.0        32768           510       /23
  16                255.255.255.0        65536           254       /24
  17                255.255.255.128     131072           126       /25
  18                255.255.255.192     262144            62       /26
  19                255.255.255.224     524288            30       /27
  20                255.255.255.240    1048576            14       /28
  21                255.255.255.248    2097152             6       /29
  22                255.255.255.252    4194304             2       /30
  23                255.255.255.254    8388608             2*      /31

* A /31 has no separate network and broadcast address, so both addresses are usable only on point-to-point links (RFC 3021). Every other row subtracts those two addresses from the block size.
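
The table above can be regenerated rather than memorised. The following script is an added example, not part of the original post: it computes the effective subnets and usable hosts for any number of borrowed bits (use base_prefix=16 for Class B and 24 for Class C), treats /31 and /32 as the special cases they are, and answers the question the table is usually consulted for, namely the smallest subnet that holds a given number of hosts.

```python
"""Subnet table generator.

Added example, not part of the original post. It reproduces the Class A
table above from first principles and generalises it to any starting
prefix (base_prefix=16 for Class B, 24 for Class C).
"""
import ipaddress


def usable_hosts(prefix):
    """Usable host addresses in one IPv4 subnet of the given prefix length.

    A /31 has no network or broadcast address, so both addresses are usable
    on a point-to-point link (RFC 3021); a /32 is a single host route.
    """
    if prefix == 32:
        return 1
    if prefix == 31:
        return 2
    return 2 ** (32 - prefix) - 2


def subnet_row(base_prefix, borrowed):
    """One row of the table: borrow `borrowed` bits from the host portion."""
    if not 0 < borrowed <= 32 - base_prefix:
        raise ValueError("borrowed bits must leave at least a /32")
    prefix = base_prefix + borrowed
    mask = ipaddress.ip_network(f"0.0.0.0/{prefix}").netmask
    return {
        "borrowed": borrowed,
        "mask": str(mask),
        "subnets": 2 ** borrowed,
        "hosts": usable_hosts(prefix),
        "prefix": prefix,
    }


def subnet_table(base_prefix=8):
    """All rows from one borrowed bit down to a /31, like the table above."""
    return [subnet_row(base_prefix, b) for b in range(1, 31 - base_prefix + 1)]


def prefix_for_hosts(hosts, allow_p2p=False):
    """Longest prefix (smallest subnet) with at least `hosts` usable addresses.

    Pass allow_p2p=True to permit a /31 for two-host point-to-point links.
    """
    for prefix in range(32, -1, -1):
        if prefix == 31 and not allow_p2p:
            continue
        if usable_hosts(prefix) >= hosts:
            return prefix
    raise ValueError("more hosts than an IPv4 network can hold")


def format_table(rows):
    """Render rows in the same column order as the table above."""
    lines = [f"{'Bits':>4}  {'Mask':<15}  {'Subnets':>9}  {'Hosts':>9}  Prefix"]
    for r in rows:
        lines.append(f"{r['borrowed']:>4}  {r['mask']:<15}  {r['subnets']:>9}  "
                     f"{r['hosts']:>9}  /{r['prefix']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_table(subnet_table(8)))
    print("smallest subnet for 500 hosts: /%d" % prefix_for_hosts(500))
```

prefix_for_hosts defaults to refusing a /31 because most host stacks and many firewalls still expect a network and broadcast address; enable it explicitly for router-to-router links where RFC 3021 addressing is known to be supported.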

Saturday, March 12, 2011

Multi-NAT Router Networks

Taken from: http://www.grc.com/nat/nats.htm 
 
Multi-NAT Router Networks
Configuration Details



NAT router default settings are designed to allow a router (one router) to be dropped into an existing network — inserted between a cable or DSL modem and the computer it was previously connected to — without requiring any configuration changes of any equipment — modem, router, or computer. But when multiple NAT routers will be used to create more complex network topologies, some customization is usually needed. A bit more understanding of NAT router operation will clarify what's going on and guide you toward making the required router configuration changes needed to create more complex networks.
What is a Router ?
Stated as clearly as possible: A router is a device used to interconnect separate networks of computers. The individual destination addresses of packets of data arriving at the router are examined and compared to the address ranges of the networks to which the router is connected. If a packet of data is addressed to a machine on another network, the router will briefly assume responsibility for that packet by "routing it" (re-transmitting it) out of the appropriate network connection interface.

In the case of small "two-interface" personal and small office routers, the router is responsible for "routing" traffic between the machines that are NOT in our network and the machines that ARE in our network:



Computers communicating with each other on the same Ethernet network, address and send their data packets directly to each other through an Ethernet switch or hub. But as we saw above, packets addressed to computers that are NOT located on the same local network need to be "routed" to a foreign network. Packets addressed to machines outside of our local network are sent to the local network's "Gateway". Each local network has a "Gateway IP" which is an IP address within the local network's address range. The Ethernet interface with this IP receives any packets that are addressed to any IP outside of our local network. Since our local NAT router serves as the "gateway" for our LAN, the IP address of its LAN interface is known to every computer on the LAN, and it is to that gateway interface that all non-local packets are sent.



There are two key facts to focus on here:

 Computers on a LAN determine whether the destination IP of packets they are sending lies within their LAN's address range. If so, the packet is sent directly to the Ethernet interface of the machine having that IP. But if the destination address of the packet falls outside of the LAN's address range, the packet is sent to the network's gateway Ethernet interface for "routing" toward its destination network.
 Packets arriving at the router's LAN interface with a destination IP falling outside of the LAN's address range are "routed" out of the router's WAN interface.
What is DHCP ?
D.H.C.P. stands for Dynamic Host Configuration Protocol. It is a very slick means by which any computer wanting to participate on a local area network can be automatically assigned an available (not currently in use) IP address and provided with all other important local area network information, such as the IP address of the LAN's gateway interface.

When a computer's network interface has been configured to "obtain its IP address automatically", it sends a "broadcast" throughout the local LAN using a special Ethernet broadcast address which it can use without knowing anything else about the local network's configuration. A listening DHCP server, in this case running and waiting patiently in our NAT router, answers these cries for help by replying with all the specific LAN settings each computer needs to communicate locally and globally. In this fashion, the configuration of individual machines is handled automatically.
NAT Routers are usually also DHCP clients too.
As we've seen, NAT routers contain a DHCP server that is used to automatically configure their client computers on the LAN. But many NAT routers are also DHCP clients of the public Internet ISP.

When the NAT router is powered up, it broadcasts its own DHCP query out of its WAN-side network interface asking the Internet ISP to assign it an available public Internet IP address and to provide it with any other information it will need for communicating over the ISP's network.
This comes into play in "multi-router networks" since the "internal" NAT router will be a DHCP server to the client machines on its LAN, and it will simultaneously be a DHCP client to the external NAT router which serves as its DHCP server.



Public and Private IPs
The scientists and engineers who designed the Internet predicted that non-public private networks of machines might want to use the same "IP" Internet Protocol as was used by the global public Internetwork. They realized that "address collision" problems would quickly arise if machines on private "intranets" were using the same IP addresses as machines on the public Internet. If the public and private networks were ever interconnected, address ambiguities would arise for the private machines.
To prevent the possibility of public and private IP address collisions, three large ranges of Internet addresses were reserved and set aside in advance for use by private networks:


Network Designation   First Address   Last Address      Number of Addresses
192.168.0.0/16        192.168.0.0     192.168.255.255   65,536
172.16.0.0/12         172.16.0.0      172.31.255.255    1,048,576
10.0.0.0/8            10.0.0.0        10.255.255.255    16,777,216
The IP addresses within these three ranges are forbidden for use on the public Internet. They can, therefore, be freely used, and re-used, within any private network without fear that any machine on the public Internet might be using the same IP as one on a private network. In terms of your own NAT router configuration, this means that whatever you do, you will want to be certain that your NAT router(s) translate their public WAN-side IP into LAN sub-networks that fall completely within these private IP ranges. This also means that you are free to use any of the IP address ranges shown above which your NAT router's configuration options will allow.



Putting it all together . . .
We can distill all of the information above into three simple rules:

 Unless your ISP requires non-DHCP configuration for your primary external NAT router, or you have special needs for establishing fixed addresses for specific machines within your network, you may use your NAT router's built-in DHCP server and client to automatically assign and establish all IP addresses within your network.
 Every NAT router must be configured to use blocks of non-public, private IP addresses shown in the table above.
 Routers decide whether to route local data packets "upstream", out of their WAN port based upon whether or not the packet's destination IP address falls within the local LAN address range. Therefore, the IP address assigned to a router's WAN port must lie outside the address range the router is using for its LAN-side addresses.
Following these two simple rules, a typical two-router configuration could be set up with the external NAT router configured to issue LAN addresses in the 192.168.1.* range and the internal router configured to issue its LAN addresses from the non-overlapping range 192.168.2.*.
Since the internal router's DHCP client would receive an address for its WAN port from the external router's LAN range (192.168.1.*), no address it receives — where the third address byte is "1" — could possibly conflict with any of the 192.168.2.* addresses it will be assigning to its own machines. Therefore the internal router will always be able to determine whether data packets are bound for other machines within its LAN, or need to be "routed" out of its WAN port.
If your routers allow the third number of their LAN networks to be user-specified and configured (as all routers we've seen do), while assigning the final address byte automatically as needed, you can sequentially and uniquely number every NAT router within your network (of any complexity), and use that number as the third address byte assigned to machines within that router's LAN network. In this way, EVERY computer will have a unique private address, none of the private LAN networks will be overlapping, and there will never be any collision with the Internet's public IP space.
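The rules above are easy to check mechanically. The following is an added example, not something from the original page: it validates a chain of NAT routers (listed from the outside in) against the private-range table and the WAN-outside-LAN rule, and it also generates the "router number as third byte" plan just described. The 203.0.113.7 public address and the .100 WAN addresses are constructed stand-ins for whatever the ISP and the outer router's DHCP server actually hand out.

```python
"""Check a chain of NAT routers against the rules above, as an added example.

Every LAN must sit inside one of the reserved private ranges, a router's WAN
address must lie outside its own LAN, no two LANs may overlap, and an inner
router's WAN address (its DHCP lease from the router in front of it) must
fall inside that outer router's LAN. All addresses are constructed samples.
"""
import ipaddress

# The three reserved blocks from the table above (RFC 1918).
PRIVATE_RANGES = [ipaddress.IPv4Network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr):
    """True if a single address lies in one of the reserved private blocks."""
    ip = ipaddress.IPv4Address(addr)
    return any(ip in block for block in PRIVATE_RANGES)


def check_router(name, wan_ip, lan):
    """Problems with one router considered on its own."""
    problems = []
    lan = ipaddress.IPv4Network(lan, strict=False)
    if not any(lan.subnet_of(block) for block in PRIVATE_RANGES):
        problems.append(f"{name}: LAN {lan} is not inside a private range")
    if ipaddress.IPv4Address(wan_ip) in lan:
        problems.append(f"{name}: WAN address {wan_ip} lies inside its own LAN {lan}")
    return problems


def check_chain(routers):
    """routers: [(name, wan_ip, lan_network), ...] listed from the outside in.

    Returns a list of problem strings; an empty list means the chain is sound.
    """
    problems = []
    nets = [ipaddress.IPv4Network(lan, strict=False) for _, _, lan in routers]
    for i, (name, wan_ip, lan) in enumerate(routers):
        problems += check_router(name, wan_ip, lan)
        # An inner router's WAN port is a DHCP client of the router in front of it.
        if i > 0 and ipaddress.IPv4Address(wan_ip) not in nets[i - 1]:
            problems.append(f"{name}: WAN address {wan_ip} is not in the LAN of "
                            f"{routers[i - 1][0]} ({nets[i - 1]})")
        # No LAN anywhere in the chain may overlap another.
        for j in range(i + 1, len(routers)):
            if nets[i].overlaps(nets[j]):
                problems.append(f"{name} LAN {nets[i]} overlaps "
                                f"{routers[j][0]} LAN {nets[j]}")
    return problems


def numbered_chain(public_wan_ip, depth):
    """Apply the text's numbering scheme: router n hands out 192.168.n.0/24.

    Router n's own WAN address comes from router n-1's LAN; ".100" is a
    constructed placeholder for whatever that router's DHCP server assigned.
    """
    routers = []
    for n in range(1, depth + 1):
        wan = public_wan_ip if n == 1 else f"192.168.{n - 1}.100"
        routers.append((f"router{n}", wan, f"192.168.{n}.0/24"))
    return routers


if __name__ == "__main__":
    print(check_chain(numbered_chain("203.0.113.7", 3)))          # []
    print(check_chain([("external", "203.0.113.7", "192.168.1.0/24"),
                       ("internal", "192.168.1.100", "192.168.1.0/24")]))
```

The second call in the usage block reproduces the classic double-NAT mistake of leaving both routers at their factory default 192.168.1.0/24: the checker reports both that the internal router's WAN address sits inside its own LAN and that the two LANs overlap, which is exactly the condition under which the internal router can no longer tell local packets from upstream ones.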
Making the electrical connection
Standard Ethernet network cables with standard "RJ-45" Male connectors are wired "straight through". This means that pin 1 at one end is wired to pin 1 at the other end, pin 2 connects to pin 2, and so on for all eight pins. This means that pins which connect to signal outputs at one end of the cable need to connect to signal inputs at the other. This is handled automatically for users by having their RJ-45 Female counterparts available in two different signal arrangements:

PC Ethernet adapters uniformly use one set of pins for inputs and outputs (we'll call it "A-style"), and Ethernet switches and hubs deliberately use the reverse arrangement ("B-style"). This allows PC adapters (A) to be plugged directly into switches and hubs (B) with "straight through" cables.
Since a NAT router's LAN ports are meant to be plugged directly into PCs (A), the router's LAN-side connections have the arrangement of switches and hubs (B). But since a NAT router's WAN port is meant to emulate and take the place of a single PC, its WAN-side connection is that of a PC (A!). This conveniently means that the WAN connection from internal NAT routers, which appear to be PCs, can be plugged directly into the LAN ports of another (external) NAT router using a standard "straight through" Ethernet cable.



So long as you have configured each NAT router on your network to have different and "non-overlapping" WAN-side and LAN-side networks, all of the DHCP clients and servers should interact correctly, and packets should all be routed exactly the way you want.

NAT Router Security Solutions


Taken from:  http://www.grc.com/nat/nat.htm
Tips & Tricks You Haven't Seen Before



What does a NAT router do?
A NAT router creates a local area network (LAN) of private IP addresses and interconnects that LAN to the wide area network (WAN) known as the Internet. The "Network Address Translation" (NAT) performed by the router allows multiple computers (machines) connected to the LAN behind the router to communicate with the external Internet.
The most common use for NAT routers is serving as an "interface" between the global public WAN Internet and a private non-public LAN:



One of the key benefits of NAT routers (and the main reason for their purchase by residential and small office users) is that the router appears to the Internet as a single machine with a single IP address. This effectively masks the fact that many computers on the LAN side of the router may be simultaneously sharing that single IP. This is good for the Internet since it helps to conserve the Net's limited IP space.
There were dire predictions for many years that the Internet was going to "run out" of IP addresses. (And it would have by now!) But the widespread use of NAT routing technology has slowed the "apparent" growth of the Internet by enabling the use of many more machines than IP addresses.
While some ISPs may grumble a bit about the idea of many computers sharing a single "Internet account", they are also relieved, since each ISP has a limited allocation of customer IPs. Therefore, as home and office networks grow in size, NAT routers are ISP-friendly.
A few important bits of terminology we are about to need:
The Internet is called a "packet switched" network because all data moves across it in individual "packets" of data. Each packet contains the source IP address that apparently originated the packet — which is the IP address to which replies will be sent — and the destination IP address which the packet is trying to reach. Many common packets also contain "source port" and "destination port" numbers to give finer granularity to the source and destination addresses.

A NAT Router's Inherent Security
Although NAT routers are not generally purchased for their security benefits, all NAT routers inherently function as very effective hardware firewalls (with a few caveats examined below). As a hardware firewall they prevent "unsolicited", unexpected, unwanted, and potentially annoying or dangerous traffic from the public Internet from passing through the router and entering the user's private LAN network.

The reason they do this is very simple: With multiple "internal" computers on the LAN behind the router, the router must know which internal computer should receive each incoming packet of data. Since ALL incoming packets of data have the same IP address (the single IP address of the router), the only way the router knows which computer should receive the incoming packet is if one of the internal computers on the private LAN FIRST sent data packets out to the source of the returning packets.
How is this done?
Since the NAT router links the internal private network to the Internet, it sees everything sent out to the Internet by the computers on the LAN. It memorizes each outgoing packet's destination IP and port number in an internal "connections" table and assigns the packet its own IP and one of its own ports for accepting the return traffic. Finally, it records this information, along with the IP address of the internal machine on the LAN that sent the outgoing packet, in a "current connections" table.

When any incoming packets arrive at the router from the Internet, the router scans its "current connections" table to see whether this data is expected by looking for the remote IP and port number in the current connections table. If a match is found, the table entry also tells the router which computer in the private LAN is expecting to receive the incoming traffic from that remote address. So the router re-addresses (translates) the packet to that internal machine and sends it into the LAN.
And here's the really good part:
If the arriving packet does not exactly match traffic that is currently expected by the router, the router figures that it's just unwanted "Internet noise" and discards the unsolicited packet of data.

With a NAT router protecting your connection to the Internet — even if you only have one computer on the LAN behind the router — none of the Internet scanning and worms and hackers and other annoying and malicious Internet nonsense can get to your computer or computers.
If the NAT router isn't already expecting the incoming data, because one of the machines on the LAN asked for it from the Internet, the router silently discards it and your private network is never bothered.
So now that we have the basics . . .



Let's get a bit more advanced
Since NAT routers allow data to pass readily from the internal secure LAN out to the external insecure Internet WAN, but will automatically BLOCK unsolicited inbound data from the WAN, a NAT router can be thought of as a sort of one-way valve:
When designing your own Internet "plumbing" it's useful to think of a NAT router as a one-way valve. Packets of data can freely flow from the secure LAN out to the insecure WAN, but "unsolicited" traffic attempting to flow in from the insecure WAN to the secure LAN is automatically blocked from entering.

Also, a multi-port NAT router is two components in one box:



As you can see from the block diagram above, internally a NAT router is a standard network switch interconnecting the machines plugged into the router to the router's network address translation WAN interface. What's significant for our discussion is that all of the internal machines are interconnected on the same LAN. This is convenient for sharing files and data among the machines, but it creates a security problem if all of the machines are not equally secure and trustworthy. If any malware or Trojan software were to somehow get onto any one of the machines, and that machine is on the LAN with all of the others (as it normally is), the malicious software would have access to every other uninfected machine sharing the once-secure LAN. By sending "ARP broadcasts" to the LAN, an infected machine can determine the IP and "MAC" addresses of every other machine on the LAN . . . and go to work on them.
Malicious hackers know all about this LAN-side vulnerability. This is why many recent viruses and worms attempt to spread not only by scanning the Internet for additional vulnerable targets, but they also attempt to spread locally through Windows file sharing, RPC vulnerabilities, and many other well-known Windows insecurities. Once one machine gets hit, every machine on the LAN can fall victim.
What can be done to improve LAN security with multiple machines?
Here's where thinking about NAT routers as one-way valves comes in. A second NAT router can be used on the internal LAN to create a second, even MORE SECURE LAN:



Yes, this works! NAT routers can be cascaded "IN SERIES" and used as one-way security flow valves. Looking at the diagram above:

 Machines on the "Semi-Secure" (middle) LAN can access the Internet, but they are protected by the "External NAT" from most Internet badness.
 Machines on the "Super-Secure" internal LAN can also access the Internet, first by going out through the "Internal NAT" and then the "External NAT". As with machines on the Semi-Secure LAN, the "External NAT" will keep unsolicited traffic from entering the network.
 Because the Semi-Secure LAN is on the OUTSIDE (WAN side) of the Internal NAT, the machines on the Semi-Secure LAN are unable to freely access the machines behind the Internal NAT.
 The machines behind the Internal NAT can access the machines in the middle, but NOT the other way around!
Where would TWO NAT routers be useful?

   Completely isolating a router's DMZ network and servers.

   Isolating an open or low-security wireless access point.

   Protecting one "high-value" machine from the rest of the network.



Our Multi-NAT Router Networks configuration details page contains extensive detailed background information on NAT router operation and configuration within multi-NAT router networks.
Let's look at each application in turn:


Completely isolating a router's DMZ network and servers:
Our previous discussion of NAT routers stated that incoming packets which have not been explicitly solicited by machines on the router's LAN side are discarded. The router's default "discard all unsolicited packets" configuration can be altered for more advanced applications:

 Port Forwarding can be enabled to configure routers to forward unsolicited packets arriving at specified router ports to specified machines within the router's LAN network. This can be useful when using some instant messaging, VoIP, or peer-to-peer systems that are otherwise unable to penetrate the firewall that NAT routers inherently create.

 A Routing DMZ machine can also be specified, separately or additionally, to receive any and all unsolicited traffic that is not otherwise being returned to other machines on the router's LAN network. This puts the specified machine "out on the front line" of the Internet to receive anything that might be aimed at the router's public IP. ("DMZ" stands for "De-Militarized Zone")



As you might imagine, a router's "DMZ" machine, and even a "port forwarded" machine needs to have substantial security or it will be crawling with Internet fungus in no time. That's a BIG problem from a security standpoint. Why?



As the NAT router block diagram above shows, a NAT router has a standard Ethernet switch interconnecting ALL of its LAN-side ports. There's nothing "separate" about the port hosting the special "DMZ" machine. It's on the internal LAN! This means that anything that might crawl into it through a forwarded router port, or due to its being the DMZ host, has access to every other machine on the internal private LAN. (That's really bad.) What can be done to create a super-secure internal LAN, while still allowing the flexibility of having one or more security-challenged DMZ or port-forwarded machines? Just use a secondary NAT router:



Remember that NAT routers are like one-way flow valves for data:



Data can flow freely OUT through the router from the LAN to the WAN, but unsolicited data is blocked from flowing back IN from the WAN to the LAN. Since there is nothing to prevent TWO NAT routers from being "chained" and connected in series, the security-challenged machine can be completely isolated from the internal network by sandwiching it in between the two chained routers. It's behind the external router and in front of the internal router. Since it's in front of the internal router, its traffic cannot flow into the internal LAN, but it can still reach the Internet (through the external router) . . . and the users on the internal LAN can reach it since it's outside the internal LAN. Now let's look at the second typical application:
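The "current connections" table described under "How is this done?", the cascaded pair of routers, and the port-forwarding and DMZ options from this section can all be exercised in one small model. The following is an added example, not code from the original page: each NatRouter keeps the table of (remote IP, remote port, its own WAN port) entries that outbound traffic creates, and on the WAN side it delivers a packet only if the table, a port forward, or a DMZ host says so. The scenarios then show the one-way valve at work with a DMZ host parked between the two routers. All addresses (203.0.113.7 as the public side, 198.51.100.5 as an Internet host, 192.168.1.10 as the DMZ machine, 192.168.2.20 as the internal PC) are constructed.

```python
"""A NAT router's connection table and the one-way valve it creates, as an
added example. Two routers are chained; a DMZ host sits on the outer LAN.
All addresses are constructed samples.
"""
import ipaddress


class NatRouter:
    def __init__(self, name, wan_ip, lan, port_forwards=None, dmz_host=None):
        self.name = name
        self.wan_ip = wan_ip
        self.lan = ipaddress.IPv4Network(lan)
        self.port_forwards = port_forwards or {}   # wan port -> (lan ip, lan port)
        self.dmz_host = dmz_host                   # gets anything otherwise unmatched
        self.table = {}      # (remote ip, remote port, our wan port) -> (lan ip, lan port)
        self.reverse = {}    # (lan ip, lan port, remote ip, remote port) -> our wan port
        self.next_port = 40000

    def outbound(self, pkt):
        """LAN -> WAN: remember who talked to whom, rewrite the source to our WAN IP."""
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if key not in self.reverse:
            self.reverse[key] = self.next_port
            self.table[(pkt["dst"], pkt["dport"], self.next_port)] = (pkt["src"], pkt["sport"])
            self.next_port += 1
        return dict(pkt, src=self.wan_ip, sport=self.reverse[key])

    def inbound(self, pkt):
        """WAN -> LAN: deliver only if expected, forwarded, or to the DMZ host; else drop."""
        entry = self.table.get((pkt["src"], pkt["sport"], pkt["dport"]))
        if entry:
            return dict(pkt, dst=entry[0], dport=entry[1])
        if pkt["dport"] in self.port_forwards:
            ip, port = self.port_forwards[pkt["dport"]]
            return dict(pkt, dst=ip, dport=port)
        if self.dmz_host:
            return dict(pkt, dst=self.dmz_host)
        return None   # unsolicited "Internet noise" is discarded


def traverse(pkt, hops):
    """Push a packet through (router, 'out'|'in') hops; None means it was dropped."""
    for router, direction in hops:
        if pkt is None:
            return None
        pkt = router.outbound(pkt) if direction == "out" else router.inbound(pkt)
    return pkt


def build_topology():
    external = NatRouter("external", "203.0.113.7", "192.168.1.0/24",
                         port_forwards={8080: ("192.168.1.10", 80)},
                         dmz_host="192.168.1.10")
    internal = NatRouter("internal", "192.168.1.100", "192.168.2.0/24")
    return external, internal


def run_scenarios():
    external, internal = build_topology()
    pc, dmz, remote = "192.168.2.20", "192.168.1.10", "198.51.100.5"
    results = {}

    # 1. The internal PC reaches the Internet through both routers and the reply comes back.
    out = traverse({"src": pc, "sport": 5555, "dst": remote, "dport": 443},
                   [(internal, "out"), (external, "out")])
    reply = {"src": remote, "sport": 443, "dst": out["src"], "dport": out["sport"]}
    back = traverse(reply, [(external, "in"), (internal, "in")])
    results["reply_reaches_pc"] = back is not None and (back["dst"], back["dport"]) == (pc, 5555)

    # 2. Unsolicited Internet traffic lands on the DMZ host and nowhere else.
    noise = traverse({"src": remote, "sport": 4444, "dst": "203.0.113.7", "dport": 3389},
                     [(external, "in")])
    results["noise_goes_to_dmz"] = noise is not None and noise["dst"] == dmz

    # 3. A forwarded port reaches exactly the service that was exposed.
    fwd = traverse({"src": remote, "sport": 4445, "dst": "203.0.113.7", "dport": 8080},
                   [(external, "in")])
    results["forward_hits_port_80"] = fwd is not None and (fwd["dst"], fwd["dport"]) == (dmz, 80)

    # 4. The DMZ host cannot get past the internal router: no table entry, no forward, no DMZ.
    probe = traverse({"src": dmz, "sport": 6666, "dst": "192.168.1.100", "dport": 445},
                     [(internal, "in")])
    results["dmz_blocked_from_internal"] = probe is None

    # 5. But the internal PC can reach the DMZ host, and only that reply is let back in.
    out2 = traverse({"src": pc, "sport": 5556, "dst": dmz, "dport": 80}, [(internal, "out")])
    reply2 = {"src": dmz, "sport": 80, "dst": out2["src"], "dport": out2["sport"]}
    back2 = traverse(reply2, [(internal, "in")])
    results["dmz_reply_reaches_pc"] = back2 is not None and back2["dst"] == pc
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

Scenario 4 is the whole point of the second router: the external router's DMZ setting exposes 192.168.1.10 to everything on the Internet, yet nothing that machine sends toward the internal router's WAN port matches an entry the internal LAN created, so it is dropped like any other unsolicited packet. Note that the model keys entries on remote address and port only (the simplest form of the table); real routers also track protocol and age entries out, which changes nothing about the one-way property shown here.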


Isolating an open or low-security wireless access point:
Suppose you have a first-generation wireless Wi-Fi NAT router access point running either fully open (you never bothered to set up any security at all) or with crackable WEP encryption (because your hardware cannot be upgraded to the later generation of really good WPA encryption).



Since the wireless access point radio is simply on the external router's LAN switch, ANYONE who has, or gains, access to your wireless network is also on the rest of your LAN and can directly access any of your other machines. You can leave your old and not-so-secure WEP Wi-Fi access point right where it is by adding a second NAT router to protect your LAN from any dangers created by the wireless router:



Our final application example:


Protecting one "high-value" machine from the rest of the network:
Suppose that rather than protecting all of your network from one "external danger" — like a machine on a DMZ or a Wi-Fi access point — you want to protect one "high-value" machine from potential insecurity within the rest of your own network.

For example, suppose that each of your teenage kids has their own computer connected to your shared "family" LAN created by a single NAT router. Or you might be the boss in a small office, where everyone in the office is sharing a single NAT router. In either case, you might not like the idea, for whatever reason, of having your (dad or boss) computer on the same LAN network as everyone else. If your kids or employees were to get themselves infected, download or bring something really nasty home from school, it could quickly spread to all "peer" machines connected to the same LAN network.
So in this case the main LAN, as opposed to a single high-risk machine, is the "scary zone" and you want to protect your single "high-value" machine from anything that might be going on out on that network. So this time you give your single machine its own "one-way security valve" NAT router. The router participates on the LAN with the other high-risk "scary" computers while preventing anything out there from crawling into your machine:




As we have seen, NAT routers make valuable network security devices and offer much more flexibility than just being used to interface a local network to the Internet. They can also be used as "one-way security valves" to create layers of protected sub-networks.