It's back to school time and some college campus network administrators are finding they have their hands full trying to control the wave of network problems caused by students' use of inexpensive wired and wireless routers connected to their networks.
Students are bringing their routers to campus and connecting them to the campus network, often in violation of their school's Computing or Networking policy. The results aren't pretty from a network administrator's view and are causing big problems for both users and the folks who keep the networks humming.
In this NeedToKnow, I'll show you the problems that an improperly connected and configured router can cause with a campus network. I'll also describe how to connect up the right way, and save your network administrators, fellow students, and yourself a lot of hassle.
Let's just plug this baby in...
Here's a typical scenario:
- A student has a residential gateway / router at home that typically includes an integrated multi-port switch (with Uplink capability) and sometimes built-in Wireless capability.
- The student brings the router to campus and connects the Uplink port to the campus network so they can attach multiple computers to the campus network, and perhaps use the router's wireless capability for a wireless-equipped laptop. The router configuration is usually not changed from the home settings, where the router was used to share a DSL or cable modem connection.
The main problem comes from the fact that since the LAN side of the router is now connected to the campus network, the router's DHCP server will try to hand out DHCP leases to new computers as they are attached to the network and request IP address information. Normally, these requests would be answered by the campus DHCP server, which also hands out Gateway and DNS information - essential for proper Internet connection - along with an IP address and subnet mask appropriate to the subnet that the computer has been connected to. But since the "rogue" DHCP servers also hear the request and may not be as busy as the campus DHCP server, the "rogues" often win the race and answer the DHCP request first.
The result of this DHCP server battle is that the requesting computer not only ends up with an incorrect IP address that is based on the router's DHCP server setup, but it also gets incorrect Gateway and DNS information. (That information would have been obtained by the router's WAN-side DHCP client... if the WAN port were connected.) This yields a thoroughly confused computer that might be able to communicate with some other machines (depending on where they got their IP address info from), but that certainly can't connect to the Internet due to the incorrect Gateway and DNS info.
On the other hand, some computers may not get a DHCP lease at all if the campus DHCP server never gets to answer the request. This is because most consumer routers are configured to hand out only a few dozen addresses. Once that limited pool of leases has been exhausted, the router's server will report "out of addresses" to the next requesters.
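The race described above leaves a trace on the wire: every DHCPOFFER carries the answering server's identity in option 54 (Server Identifier) along with the Gateway (option 3) and DNS (option 6) values it is handing out, so a capture of DHCP traffic on a dorm segment shows exactly which server won. The following Python is an added example, not code from the original article: it parses the BOOTP header and DHCP option TLVs and flags any OFFER or ACK whose server identifier is not on an allow-list of campus servers. The two packets it inspects are constructed inline to stand in for a capture; the campus server address 10.1.0.1 and the 192.168.1.x "home" router settings are assumed sample values.

```python
import socket
import struct
from typing import Dict, List, Optional

# DHCP/BOOTP constants (RFC 2131 / RFC 2132)
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_SUBNET_MASK, OPT_ROUTER, OPT_DNS = 1, 3, 6
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_PAD, OPT_END = 53, 54, 0, 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def build_offer(server_ip: str, offered_ip: str, mask: str, router_ip: str,
                dns_ip: str, xid: int = 0x3903F326) -> bytes:
    """Build a DHCPOFFER payload; used here only to construct sample traffic."""
    ip = socket.inet_aton
    chaddr = bytes.fromhex("001122334455") + b"\x00" * 10   # constructed client MAC
    header = struct.pack("!BBBB4sHH4s4s4s4s16s64s128s",
                         2, 1, 6, 0,                        # BOOTREPLY, Ethernet, hlen 6, hops 0
                         struct.pack("!I", xid), 0, 0,
                         b"\x00" * 4, ip(offered_ip), ip(server_ip), b"\x00" * 4,
                         chaddr, b"\x00" * 64, b"\x00" * 128)
    options = (MAGIC_COOKIE
               + bytes([OPT_MSG_TYPE, 1, 2])                # message type: OFFER
               + bytes([OPT_SERVER_ID, 4]) + ip(server_ip)
               + bytes([OPT_SUBNET_MASK, 4]) + ip(mask)
               + bytes([OPT_ROUTER, 4]) + ip(router_ip)
               + bytes([OPT_DNS, 4]) + ip(dns_ip)
               + bytes([OPT_END]))
    return header + options


def parse_dhcp(packet: bytes) -> Dict[str, object]:
    """Parse the fixed 236-byte BOOTP header, check the magic cookie, and walk the option TLVs."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    op, _htype, hlen, _hops, xid, _secs, _flags, _ci, yiaddr, siaddr, _gi, chaddr = \
        struct.unpack("!BBBB4sHH4s4s4s4s16s", packet[:44])
    options: Dict[int, bytes] = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 2 > len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length
    return {
        "op": op,
        "xid": struct.unpack("!I", xid)[0],
        "yiaddr": socket.inet_ntoa(yiaddr),
        "siaddr": socket.inet_ntoa(siaddr),
        "chaddr": ":".join(f"{b:02x}" for b in chaddr[:hlen]),
        "options": options,
    }


def _ip_list(value: Optional[bytes]) -> List[str]:
    """Decode an option whose value is a list of IPv4 addresses (options 3, 6, 54)."""
    if not value:
        return []
    return [socket.inet_ntoa(value[j:j + 4]) for j in range(0, len(value) // 4 * 4, 4)]


def classify(packet: bytes, authorized_servers: set) -> Optional[Dict[str, object]]:
    """Return lease details for OFFER/ACK packets, flagged rogue when the
    server identifier (option 54) is not one of the authorized campus servers."""
    msg = parse_dhcp(packet)
    opts = msg["options"]
    mtype = opts.get(OPT_MSG_TYPE, b"\x00")[0]
    if mtype not in (2, 5):          # only OFFER and ACK carry lease parameters
        return None
    servers = _ip_list(opts.get(OPT_SERVER_ID))
    server_id = servers[0] if servers else msg["siaddr"]
    return {
        "type": MSG_TYPES[mtype],
        "server": server_id,
        "client": msg["chaddr"],
        "offered_ip": msg["yiaddr"],
        "router": _ip_list(opts.get(OPT_ROUTER)),
        "dns": _ip_list(opts.get(OPT_DNS)),
        "rogue": server_id not in authorized_servers,
    }


def find_rogue_offers(packets: List[bytes], authorized_servers: set) -> List[Dict[str, object]]:
    """Reduce a capture to the leases that came from unauthorized servers."""
    results = [classify(p, authorized_servers) for p in packets]
    return [r for r in results if r is not None and r["rogue"]]


# Constructed sample traffic: the campus server and a student's router (left on its
# 192.168.1.x home settings) both answer the same DISCOVER, so both share one xid.
CAMPUS_SERVER = "10.1.0.1"
CAMPUS_OFFER = build_offer(CAMPUS_SERVER, "10.1.5.20", "255.255.255.0", "10.1.5.1", "10.1.0.53")
ROGUE_OFFER = build_offer("192.168.1.1", "192.168.1.100", "255.255.255.0", "192.168.1.1", "192.168.1.1")

if __name__ == "__main__":
    for hit in find_rogue_offers([CAMPUS_OFFER, ROGUE_OFFER], {CAMPUS_SERVER}):
        print(f"rogue {hit['type']} from {hit['server']}: offered {hit['offered_ip']} "
              f"gateway {hit['router']} dns {hit['dns']} to client {hit['client']}")
```

Fed with real packets (the UDP payloads of port 67/68 traffic from a capture on the affected segment), the output is the list of rogue servers plus the bad Gateway and DNS values each one handed out, which is what the help desk needs when a student reports "no Internet". One caveat: a sniffing host on a switched network only sees the offers that are broadcast or addressed to it, so on a large campus the durable fix is DHCP snooping on the access switches, which discards server-side DHCP messages arriving on ports that are not designated as trusted.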
UPnP can't figure it out...
If the router is UPnP-enabled [see related article], UPnP ends up basically being disabled. Since the entire subnet the student connected the router to is now on the same downstream (LAN) side of the gateway, all computers running Win2000 or XP (or other Windows OSes with UPnP added) will get UPnP messages from whichever Internet Gateway Devices (routers, or IGDs) are connected to the LAN. Since routers aren't intended to have their LAN ports interconnected, UPnP wasn't designed to handle messages from multiple IGDs, and the result is unpredictable UPnP behavior.
In a simple experiment, I connected the LAN sides of two UPnP-enabled routers (a Linksys BEFSX41 and D-Link DI-804) together and plugged a computer running WinXP Home into one of the routers' LAN ports. As expected, the results were unpredictable, with icons for each router appearing and disappearing in My Network Places. When icons for both routers were present, I was only able to reach the admin page for the router that leased the IP address to my computer.
On the other hand, the XP Network Connections window never showed more than one Internet Gateway. But the computer sometimes got confused and locked up when I attempted to show the IGD's properties, and other times connected properly to the IGD in the same subnet. The result is a problem for a UPnP-savvy person who is trying to use UPnP to configure their router, since a random DHCP renewal can assign them to another subnet from which they won't be able to access their router. Owners of UPnP-enabled routers might also have curious users accidentally or purposely enable services in their router's firewall via the Internet Connection icon that appears in their System Tray or Network Connections window. But since the router WAN port isn't connected (in most cases), there will be no harm done.
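The "multiple IGDs on one LAN" condition is visible in the SSDP announcements that UPnP devices multicast to 239.255.255.250:1900: each Internet Gateway Device sends NOTIFY messages with NT set to the IGD device type, a USN that starts with its UUID, and a LOCATION pointing at its description URL. The following Python is an added example, not code from the original article: it parses SSDP NOTIFY messages, keeps an inventory of IGDs that are currently alive (honoring ssdp:byebye), and reports when more than one is announcing on the segment. The announcements it processes are constructed inline; the UUIDs, addresses and SERVER strings are sample values, not those of the Linksys or D-Link units in the experiment above.

```python
from typing import Dict, List

IGD_TYPE = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
MEDIA_TYPE = "urn:schemas-upnp-org:device:MediaServer:1"


def parse_ssdp(message: str) -> Dict[str, str]:
    """Parse one SSDP message (HTTP over UDP) into lower-cased headers;
    the request/status line is stored under the key 'start'."""
    lines = message.replace("\r\n", "\n").strip("\n").split("\n")
    headers = {"start": lines[0].strip()}
    for line in lines[1:]:
        if ":" not in line:
            continue                      # tolerate a malformed header line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def igd_inventory(messages: List[str]) -> Dict[str, Dict[str, str]]:
    """Return the IGDs currently announcing themselves, keyed by device UUID.
    ssdp:alive adds or refreshes an entry, ssdp:byebye removes it; other
    device types and M-SEARCH responses are ignored."""
    seen: Dict[str, Dict[str, str]] = {}
    for raw in messages:
        h = parse_ssdp(raw)
        if not h["start"].startswith("NOTIFY") or h.get("nt") != IGD_TYPE:
            continue
        uuid = h.get("usn", "").split("::")[0]   # USN is "uuid:<id>::<NT>"
        nts = h.get("nts", "")
        if nts == "ssdp:alive":
            seen[uuid] = {"location": h.get("location", ""), "server": h.get("server", "")}
        elif nts == "ssdp:byebye":
            seen.pop(uuid, None)
    return seen


def multiple_igds(messages: List[str]) -> bool:
    """True when more than one live IGD is announcing on this segment, the
    situation that arises when routers' LAN sides are interconnected."""
    return len(igd_inventory(messages)) > 1


def _notify(nt: str, uuid: str, host: str, nts: str, server: str) -> str:
    """Build a constructed SSDP NOTIFY message for the sample traffic below."""
    return ("NOTIFY * HTTP/1.1\r\n"
            "HOST: 239.255.255.250:1900\r\n"
            f"NT: {nt}\r\n"
            f"NTS: {nts}\r\n"
            f"USN: {uuid}::{nt}\r\n"
            f"LOCATION: http://{host}/rootDesc.xml\r\n"
            f"SERVER: {server}\r\n"
            "CACHE-CONTROL: max-age=1800\r\n\r\n")


# Constructed sample traffic: two routers alive, a third that announced and then
# left, a media server (ignored), and a unicast M-SEARCH response (ignored).
SAMPLE_MESSAGES = [
    _notify(IGD_TYPE, "uuid:aaaaaaaa-0000-0000-0000-000000000001", "192.168.1.1:5431",
            "ssdp:alive", "SampleOS/1.0 UPnP/1.0 RouterA/1.0"),
    _notify(IGD_TYPE, "uuid:bbbbbbbb-0000-0000-0000-000000000002", "192.168.0.1:80",
            "ssdp:alive", "SampleOS/1.0 UPnP/1.0 RouterB/1.0"),
    _notify(IGD_TYPE, "uuid:cccccccc-0000-0000-0000-000000000003", "192.168.2.1:80",
            "ssdp:alive", "SampleOS/1.0 UPnP/1.0 RouterC/1.0"),
    _notify(IGD_TYPE, "uuid:cccccccc-0000-0000-0000-000000000003", "192.168.2.1:80",
            "ssdp:byebye", "SampleOS/1.0 UPnP/1.0 RouterC/1.0"),
    _notify(MEDIA_TYPE, "uuid:dddddddd-0000-0000-0000-000000000004", "192.168.1.50:8200",
            "ssdp:alive", "SampleOS/1.0 UPnP/1.0 MediaBox/1.0"),
    "HTTP/1.1 200 OK\r\nST: " + IGD_TYPE + "\r\nUSN: uuid:aaaaaaaa-0000-0000-0000-000000000001::"
    + IGD_TYPE + "\r\nLOCATION: http://192.168.1.1:5431/rootDesc.xml\r\n\r\n",
]

if __name__ == "__main__":
    inventory = igd_inventory(SAMPLE_MESSAGES)
    for uuid, info in inventory.items():
        print(f"{uuid}: {info['location']} ({info['server']})")
    print("multiple IGDs on this segment:", multiple_igds(SAMPLE_MESSAGES))
```

Because SSDP NOTIFY traffic is multicast within the local segment, any host that joins 239.255.255.250 on UDP 1900 can collect these messages passively; seeing two live IGDs from one vantage point is enough to confirm that more than one router's LAN side is on the segment, and the LOCATION URLs identify which ones.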
Doing it correctly
What should you do to correctly share the single network connection in your dorm room?
1. Check the campus policy - As I said at the top of this article, many campuses have rules prohibiting the attachment of any unauthorized networking devices, or restricting their use to certain networks and/or configurations. If you get caught messing up the network, the penalty may be stiffer than you think (expulsion in some policies I've seen), so find out ahead of time, and make an informed decision.
2. Use a switch - If your campus policy does allow more than one computer, the campus network administrators probably want to control the IP address info that your multiple computers receive. Using a switch or hub to connect more computers (instead of a router) allows all the devices connected to the switch / hub to be directly on the campus network and properly connected to campus-level servers and services. If you have a router and want to use it as a switch, see Tip 5 below.
3. Connect the router properly - If you can share the connection, connect the router just as you would to a cable modem or DSL connection. Connect the WAN port of the router to the campus network, and keep your multiple machines on the LAN side of the router. You'll probably just need to set the WAN side of your router to be a DHCP client (dynamic IP address setting).
If you need more ports than the router supplies, use an additional hub or switch, or a router with UPnP and the LAN DHCP server DISABLED (see Tip 5 below).
4. Know the risks of running a wireless connection - If your router has wireless capabilities, you must take extra care to prevent compromising the security of both your campus network and your own computers.
- First find out if running a wireless Access Point is allowed. It probably isn't, and the penalties are probably stiffer than just attaching more than one wired computer, considering the additional security risk that an open wireless connection presents.
- Enable WEP - Use 128-bit mode (or higher if your router supports it) and a non-obvious key. It's more secure than no WEP, and will send "doorknob rattlers" on to the next victim.
- Use MAC address Association control - If your router doesn't have it, look for one that does or a firmware update that adds it. Set it to allow association to the list of MAC addresses that you provide, and block all others from associating with your Access Point.
- Change the ESSID - Don't use the default ESSID and don't use simple or location-descriptive IDs.
- Close your Network - Enable the "Closed Network" option if your router has it. "Disable ESSID broadcast" also does the same thing. This will prevent wireless clients using "ANY" as an ESSID from connecting.
5. Shut off DHCP and UPnP - If you must use a router for its wireless Access Point, or just as a switch to get more ports in your room, shut off the DHCP server and shut off UPnP. Shutting off the DHCP server is the most important step, since it can wreak the most havoc with the campus network. Shutting off UPnP may be more difficult, because not all routers provide this option, or they make it hard to find.