Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[lalittle]

I just updated my MC "server" system to Win7 64bit and I can no longer get MC Library Server to work -- the client simply cannot see the server anymore.  I'm using the exact same IP address on my LAN's network card (I manually entered a static address for IPv4) and nothing has changed on the client.  The systems can "see" each other I can share files, so the network is "working" -- I just can't get the client to see the MC Library Server.

It was always a breeze setting this up on XP systems -- I just added a library on the client and manually entered the server's IP address, and it worked.  Are there any tricks or maybe just things to look for in order to get it to work with Win7, perhaps some Win7 setting I'm not familiar with?  Are there any issues with MC Library Server if the client is XP and the server is Win7?

Thanks,

Larry

[glynor]

A couple questions:

1. Did you enable the Homegroup feature when you set up the Windows 7 box?  If so, try disabling it.  It is actually pretty nice to use if you've never set up file sharing on a Windows network before (grandma-style), but if you know what you're doing, it will seem like it messes everything up.

2. Check your firewall settings in Windows 7.

PS. Assigning a static IP via DHCP on your router, if it supports this feature, will be a lot more robust than manually assigning a static IP on an individual machine.  Most routers can link a MAC address to an IP and give it a static lease on a specified IP address.  Often, it will even do DNS lookup for you then (so you can just type the machine's name rather than the IP address), though sometimes this needs to be configured separately.

[JimH]

It may be blocked by the firewall on the server.

[lalittle]

Library Server works fine in the OTHER direction -- i.e. if I start LS on the XP system, I can connect to it from the Win7 system.  The XP system, however, will not connect when I set up the Win7 system as the server.

Thanks again for any help with this,

Larry

[glynor]

Library Server works fine in the OTHER direction -- i.e. if I start LS on the XP system, I can connect to it from the Win7 system.  The XP system, however, will not connect when I set up the Win7 system as the server.

Again... This makes me think "firewall" (it is allowing "outbound" connections, but not "inbound" connections, which is typical firewall behavior).  The firewall settings in Windows 7 are substantially more powerful (and complex) than they were in XP.  It is likely blocking your server.

[lalittle]

Thanks for the fast posts -- I keep having to retype my responses to keep up with you guys. 

My LAN is not connected via a router -- the systems are connected via a switch and this NIC does not access an internet connection.  I am not using the "homegroup" thing -- I actually found it to confusing compared to what I'm used to.

I think you guys are correct regarding the firewall.  The Win7 system is using windows firewall with the default settings.  I just checked it and Media Center is set to "block" for the public network and "allow" for private (it's actually in the list four times for some reason -- twice for "private" and twice for "public.")  I am not able to make this a "private" network since in Win7, when you manually assign an IP address with no "default gateway," it automatically makes it an "unidentified network" that cannot be changed to "home" or "work" -- hence it's hard set to "public."  If you guys have any advice on how to "fix" this, or what to set for the "default gateway," I could make it a "work" or "home" network, which I believe would be "private," correct?  That would be the best way to fix this.

If that's not possible, can I just change the setting to "allow" for public networks?  Is this safe, or is this a potential security risk?  On this note, why is it "block" by default -- i.e. where/how was it decided that this would be the default setting?  I never had any interaction with this, but I noticed that this is the ONLY program that is set to "block" in the entire huge list.  There are tons of other programs that were automatically set to "allow" for "public" networks -- how did windows decide how to set all these programs?

Thanks again for the help,

Larry

[glynor]

My LAN is not connected via a router -- the systems are connected via a switch and this NIC does not access an internet connection.  I am not using the "homegroup" thing -- I actually found it to confusing compared to what I'm used to.

Then disable the firewall for that NIC.  Windows 7's firewall has granular control and you can turn it on and off for each individual NIC in your machine.  You do not need a firewall to protect you from a network not connected to the outside world.  Your only risk then is that one of your local machines would get infected with a worm or trojan inside the network via some other means (removable media or via a separate LAN connection on the same machine).  If this happens, you're probably in-deep anyway because it'll attack services (like File & Printer Sharing) that will be exposed on the private network anyway.

I think you guys are correct regarding the firewall.  The Win7 system is using windows firewall with the default settings.  I just checked it and Media Center is set to "block" for the public network and "allow" for private (it's actually in the list four times for some reason -- twice for "private" and twice for "public.")  I am not able to make this a "private" network since in Win7, when you manually assign an IP address with no "default gateway," it automatically makes it an "unidentified network" that cannot be changed to "home" or "work" -- hence it's hard set to "public."  If you guys have any advice on how to "fix" this, or what to set for the "default gateway," I could make it a "work" or "home" network, which I believe would be "private," correct?  That would be the best way to fix this.

It doesn't matter what you set the default gateway to if you are on a "closed loop" ethernet (with no external gateway) because all attempts to communicate outside the network will fail no matter what.  I generally set it to loopback (the machine's own IP address in this instance, so it matches the subnet mask) when I happen to set up ad-hoc networks this way.

If that's not possible, can I just change the setting to "allow" for public networks?  Is this safe, or is this a potential security risk?  On this note, why is it "block" by default -- i.e. where/how was it decided that this would be the default setting?  I never had any interaction with this, but I noticed that this is the ONLY program that is set to "block" in the entire huge list.  There are tons of other programs that were automatically set to "allow" for "public" networks -- how did windows decide how to set all these programs?

Like I said... Just disable the firewall entirely on that NIC.  There is no security risk possible on that LAN because it isn't connected to an outside network anywhere, which is the best kind of security.  However, so you know how it works... Your little ad-hoc network should certainly be classified as a private network.  Basically the three network types are:

Domain: A corporate network controlled by a Windows Server ActiveDirectory domain.  You must be running Windows 7 Professional or better to use this type of network.
Private: A network where you control, and generally "trust", all of the machines connected internally.  This would include machines behind a NAT firewall, and networks like the one you are on.  You should NEVER set an open WiFi (unencrypted) network as a Private network, as you have no way to control access to this network.
Public: Is everything else.  This would include mostly public open WiFi networks and if you (stupidly) connect your machine directly to your upstream provider (cable/DSL modem, etc).

The "Public/Private" distinction is referring to these categories (or "profiles").  It has nothing to do with the IP destination of the traffic, it is related to the physical NIC and the "type" of network that it happens to be connected to at that moment.  So, if a NIC is designated as attached to a "Public" network, then it will not allow ANY communications from blocked applications at all (whether the destination of the packets is internal to the network or trying to get outside the network).  The fact that you can configure applications one way for "Private" networks and another way for "Public" networks is a convenience mostly designed for Laptop users, who often switch back and forth between the two types.  With the Windows XP style firewall, you were forced to either "always allow for all NICs", "always allow for this specific NIC", and "Never allow globally".  However, imagine you are using a laptop and you want to be able to allow services when you are at home using your WPA2-AES encrypted network (which might be most of the time), but DISALLOW these same services when you have your laptop at a hotel on their public WiFi (using the same NIC but attached do a different network).  In XP, you had to manually reconfigure the firewall each time you switched (or just run unprotected, which is what most people do).  In Windows 7, you can set the home network as Private and then when you connect to the hotel WiFi, set it as Public, and you're all set.

I'm not sure how it decides what to set the defaults to for each service, but it probably has to do with a calculation of the security risk entailed by allowing the communications.  I'm not sure, but it probably determines if the application needs to open ports, and if so, sets Public to "off".  Known and trusted applications (which don't need port forwarding) may default to "on" for both.

So, if your network is set as Public, and you have MC blocked on Public networks, then that's why it isn't working (duh).  The best bet would NOT be to allow MC on Public networks, which isn't a good idea (doesn't much matter if you are dealing with a non-portable system).

[glynor]

To be clear: On a home, wired, non-portable machine connected to a LAN where you own and trust all of the machines on the network, you basically just want to set the network type to "Private" and then you can completely ignore all of the firewall options that relate to "Public" networks, because they have nothing to do with your setup.

[lalittle]

Thanks for all the details.  I used to use Zonealarm before switching to win7, so I'm unfamiliar with the win7 firewall and its settings.

I tried temporarily switching MC public to "allow" in the w7 firewall, and it did allow the LS connection, so I confirmed that this IS indeed the issue (as everybody had assumed.)

I have a couple followup questions if you have the time:

I'm sure that disabling the firewall on this NIC would work, but what I'd really LIKE to do would be able to set the nic to a private network (I guess that would be either "work" or "home" on w7 -- I have the "professional" version.)  This seems like the "correct" solution since this is, after all, a "private" network -- w7 is simply preventing me from setting it this way so far.  The problem is that without a "default gateway" set up, you CANNOT change this in w7 -- the lack of a specific default gateway setting forces the network to "unidentified" in w7, which this forces it to be "public" and prevents it from being changed like other networks.

What I'm still confused about is what to actually set the default gateway to (I never had to set this on my XP systems.)  I can't set it to the same IP address as the NIC, and I'm not sure what the "machine's own IP address" is as you mentioned above.  I thought that "loopback" referred to 127.0.0.1, but w7 won't take this for the default gateway -- it says that "127" is not valid choice for the first field.  Can you

One clarification regarding wifi:  I have a second nic in this system which is connected to my router and used for the internet connection as well as to share files with my laptop.  It is a "secured" network (WPA2-PSK I believe.)  Should this network be set to "public," or is it okay to have it set to "work"?  I "thought" that setting it to "work" was the correct choice in order to be able to more easily share files with my laptop over the wifi, but I'm a confused now.  Should this be set to "public," or is "public" just used for unsecured networks?

Thanks again for your help -- I tried searching the web for this stuff, but it's VASTLY easier to ask someone direct questions, so I really appreciate your time here.

Larry

PS.  Is the W7 firewall secure enough, or should I go back to a third party firewall like Zonealarm or Norton, etc.?  I wanted to use something other than ZA due to system slowdowns, and I was under the impression that w7 firewall was now secure enough to use instead of third party firewalls, but I'm still interested in other opinions on this.

[lalittle]

Okay -- so here's what I've tried so far.

If I disable the firewall on that NIC, W7 throws up a "serious" warning message.  The only way to disable this is to disable the "Windows firewall" messages, which I don't want to do for security reasons.

This means that the solution is to figure out what to enter for the "default gateway" on the LAN's NIC, which in turn will allow me to set this network to private (i.e. "work.")  I tried entering an address similar to the ones I use for the actual computers -- i.e. if my systems were 192.168.1.1 and 192.168.1.2, I tried using 192.168.1.3 for the "default gateway."  This prevents the connection from working at all.

I can't enter the same address as the NIC itself, so I entered the address that the OTHER system uses -- i.e. on the 192.168.1.2 system I entered 192.168.1.1 for the default gateway.  After I did this, I ended up seeing TWO networks for this card.  I STILL see the "unidentified network," but I ALSO see "Network 2," which DOES let me make it a "work" network.  This appears to have made it so LS can now work, but it doesn't seem right that I now see two networks for the same card, one public and one private.  My worry is that this will cause problems down the road.

Any suggestions?  I've spent hours searching the web for help with this, and while I can find other people complaining of the exact same issues (i.e. two networks on one card after assigning a default gateway, etc.), I cannot find any solution to the issue.

Thanks for any further help with this,

Larryrry

[glynor]

The address you set for the Default Gateway MUST be part of the same subnet as the machine itself (it must match the subnet mask "filter").  That's why you can't use the real "loopback" address for the Default Gateway because 127.x.x.x won't match your subnet mask.

So, for example, if your machine is configured like this:

IP: 192.168.1.3
Subnet Mask: 255.255.255.0

That defines the subnet as 192.168.0.1 - 192.168.0.254.

Therefore, you could assign the Default Gateway to ANY of those choices.  You said that you tried this, it seemed, and then "it didn't work".  I'm not sure what you mean by this.  Any local-network communication will not use the Default Gateway (which is why you can leave it blank and the network still works).  Any communication "on the subnet" (matching the subnet mask) will be sent out directly to the recipient machine, via a lookup in an ARP table (or, failing that, it will do an ARP broadcast to locate the machine in question).

So, if your machines are:

192.168.1.3
192.168.1.2
192.168.1.1

All with the same subnet mask of 255.255.255.0 (a typical class c network) then when you try to send data to/from any of those machines, it will never use the Default Gateway.  The Default Gateway is only used to send data OUTSIDE the subnet.  So, in the same example, if you tried to send packets to 192.168.2.1, then it would try to use the Default Gateway.

In Windows XP it didn't matter what you set the Default Gateway to if it wasn't ever going to be used.  I almost always set it to "loopback" (the actual IP of the machine in question, because you can't use 127.0.0.1).  It could just be a black hole non-existing machine on the network.  This apparently doesn't work in Windows 7, according to the results you're seeing.  I think Windows 7 tries to see if the Default Gateway is alive and then warns you if it isn't.  That's fine, just point it at one of the other machines on the network (preferably the Library Server's address for most of the machines, and then just pick one at random for the Library Server itself).  Like I said before, that'll never actually be USED unless you try to send packets outside of the local subnet.

I'll say this... It would be MUCH easier, and likely more reliable, to actually HAVE a DHCP server on the subnet that could act as the default gateway and DNS server for the subnet (and just keep the WAN port unplugged if you want it to not be able to go online).  There's a few ways you can do this...

1. Buy a little Linksys or Netgear (or similar) Router.  Make sure to buy one that can support "Static DHCP" (automatically assigning a pre-selected IP address to a specific computer based on its MAC address).  This feature sometimes goes by other names.  If you get a router supported by one of the popular third-party Firmware options (like many of the Linksys routers), they all support this feature.  Good third party firmware options include: dd-wrt, OpenWrt, and Tomato Firmware.

2. If you have an old computer that isn't in use, you could configure it with a free copy of Astaro Security Gateway (the license for home use is free), IPCop, or Smoothwall and use that as your DHCP server.

3. If you don't want to go that route, you could just install Ubuntu on an old machine and set it up as a DHCP server (and then you could have a Ubuntu box to play with too, which might be fun).

[glynor]

It looks like this guy has the exact same issue as you: http://windows7forums.com/windows-7-networking/26143-unidentified-network-static-ip-lan-homegroup.html

Doesn't appear to be much of a solution currently.

[lalittle]

Thanks for the details Glynor.

Was there was a typo in your post above?:

IP: 192.168.1.3
Subnet Mask: 255.255.255.0

That defines the subnet as 192.168.0.1 - 192.168.0.254.

Did you mean 192.168.1.1 - 192.168.1.254 (i.e. 1's instead of 0's for the 3rd number)?

When I said "it didn't work," I meant that when I set the default gateway to an unused address within the subnet (i.e. 192.168.1.10 using your example above) I lost the connection -- the systems could no longer see each other.  This didn't really make sense to me given everything I've read about this -- maybe it's a win7 thing.  The only default gateway setting that has worked for me so far is to set it to the OTHER computer's IP address.  This, however, leads to the "two networks on one NIC" situation described above.  I have no idea whether or not this is an actual problem, or if it's just a sort of "display glitch."  The system appears to treat the connection as a private network after doing this (i.e. MC LS works), so it's as if the "unidentified network" is simply ignored.

Another strange issue is that when I set ANY default gateway on the XP system's "local network" NIC, the internet connection (that uses the second NIC) stops working.  In other words, the presence of a default gateway on the "LAN" NIC prevents the internet connection from working on the "Internet" NIC.  Deleting the default gateway setting fixes this.  So far, this does not seem to be an issue with the w7 system -- I can have the default NIC set and still connect to the internet.

I did read that having default gateways set on two NICs in a system can be problematic (as evidenced by the xp system's behavior), but this seems to be the only way to get the w7 system to work correctly.  On this note, do you see any potential problems with having a default gateway set for both NICs in a system?  How does the system know which default gateway to use at any given time?  Does it just try them both in some order?

I'm currently using a switch for the LAN connection, but maybe it would make things easier to use a router instead.  I'm using two NICs in each system (one for LAN and one for Internet), so my concern was that this could lead to even more complications.  Are there any potential issues with having BOTH NICs in the system connected to their own routers?  Can I manually assign IP addresses to each system using a router, or would the router always take control of this and automatically decide what IP address to assign to each system that is plugged in?  I'd like to be able to control this so I could maintain consistency over time as systems were changed.

I can also find other reports of these types of issues with w7 -- it appears that this is simply how w7 works.  I don't know if this is something that will be changed -- as far as I can tell, MS does not feel that this is a "problem" at this point.

Any comments on Windows Firewall vs third party firewalls?

Once again, I can't thank you enough for all your help here,

Larry

[sunfire7]

I experimented same issue with win7 x64, homegroup disabled, win firewall disabled, eset firewall well configured (i tried disabled too), and still having issues with the network, but after doing a ping to other pc from the win7 x64 machine all works as it should..... i dont know the reason.

Oh and yes, the firewall of my AP is completely disabled too.

[glynor]

Thanks for the details Glynor.

Was there was a typo in your post above?:

Did you mean 192.168.1.1 - 192.168.1.254 (i.e. 1's instead of 0's for the 3rd number)?

I'll try to answer the rest more thoroughly tomorrow when I have more time, but yes... That was a typo.  Good catch.

Regarding using a router for the internal LAN, and assigining IP addresses, that's what I was going on about with the "static DHCP" stuff above.  Re-read my post.  DHCP is the protocol that routers use to automatically assign IP addresses to the machines that they "control".  Static DHCP is a mechanism by which you tell the router: "whenever you see this MAC address, assign it this specific IP address, rather than choosing one via the normal means".

One last question... Can you explain why you are using a complex multi-honed network like that?  I had assumed that most of the machines in your network were not connected to the Internet, and that this was done for security purposes.  However, now it appears that both machines are connected via their own separate NICs, independently.   Using this setup seems unnecessarily complex, and probably somewhat insecure (complexity is the enemy of security).

If you are trying to set it up this way in order to increase your security, somehow, you are likely failing...  You'd almost certainly be more secure with a two-tier network setup...

Internet
|
Cable/DSL Modem
|
"Insecure" Router.  NAT firewall enabled, but ports forwarded to some machines internally if you need services exposed.  Any "dangerous" machines and guest machines would be connected to this router.  Often it would be convenient to use a Wireless router for this, if you have any WiFi devices.  In addition to any external servers and other "dangerous machines" you'd use one of the switch ports here to connect to the second router...
|
Second "Secure" Router.  NAT firewall enabled, port forwarding disallowed or severely restricted.  Wireless isn't preferred here, but if used, should be secured via WPA2 using AES encryption and a very good key (generated using Perfect Paper Passwords, preferably).
|
Your regular, trusted machines would be connected here.  They can have their internal firewalls turned off or set with very liberal security policies.  However, you can NEVER allow an untrusted machine access to this network.  You'd set this to be a "private" network in Win7.

[lalittle]

I'll try to answer the rest more thoroughly tomorrow when I have more time, but yes... That was a typo.  Good catch.

Regarding using a router for the internal LAN, and assigning IP addresses, that's what I was going on about with the "static DHCP" stuff above.  Re-read my post.

Okay -- I looked into my router's setup and I believe I found the place to manually assign addresses.  Thanks.

One last question... Can you explain why you are using a complex multi-honed network like that?

When we first signed up for broadband several years back, using two modems was the standard way our ISP hooked up two systems (our ISP wasn't using routers yet.)  We grew to like the two modem setup for the extra bandwidth it provided, and to avoid some of the complications with gaming with two systems simultaneously connected through a single router and modem.  In steam games, for example, you need to make manual changes to the specific ports used in games order to have both systems online at the same time.  Not an insurmountable issue, but it's just easier with two modems, and you get extra bandwidth to boot.  It's also easier to troubleshoot ISP problems when they occur since you can tell if an issue is unique to just one system, and if it is, you can still get online with the other one.

Another reason was the extra security provided by being able to adjust the security settings differently for each actual NIC.  I could completely disable file sharing on the "internet" NIC, and only enable it on the "LAN" NIC.  This, however, might no longer be a consideration given that I'm tempted to allow file sharing on the "internet" NIC on Desktop 2, which would allow our laptops to wirelessly connect to the internet AND to share files with Desktop 2 over the same wireless connection.

I'm still studying your two tier setup.  You have a router plugged into a second router -- are there any potential complications with doing this or getting it set up?  It seems like there could be.  Your setup also only uses a single modem, which I believe would eliminate the advantages I listed above.  Here are some more details about how our network is set up -- I'm curious if this changes your suggestions at all.

We normally have two desktop systems and one or two laptops.  We sometimes have more desktops connected, but for now I'll just use the scenario of 2 desktops plus one laptop (wireless):

Each desktop has two NICs -- one for internet and one for the LAN.  On Desktop 1, file sharing is disabled on the actual "internet" NIC itself.  I believe this provides an extra layer of protection since even if the router itself was somehow breached, file sharing is disabled on the actual NIC.  This NIC is connected to a router, which connects to a modem.  When I enable wireless on this router, I use WPA2-PSK (AES) encryption with a secure password.  I don't always enable wireless on this router since I use Desktop 2's router for wireless laptop internet instead.  The router on Desktop 1 is essentially just being used as a NAT firewall.

The "LAN" NIC on Desktop 1 is connected to a switch, and file sharing is enabled on this NIC.  Desktop 2's "LAN" NIC is also connected to this switch, and the network is set to "work" (i.e. "private.")  This allows file sharing between the two desktops due to the lower security restrictions, and I believe the connection is pretty secure since there is NO internet connection associated with the NICs themselves.

Desktop 2's "internet" NIC is connected to a second router and in turn a second modem, also with WPA2-PSK (AES) security and a secure password.  I use this router for wireless laptop connection.

In other words:

Desktop (1 and 2):
     "Internet" NIC (file sharing DISabled, Public network) > Router > modem
     "LAN" NIC (file sharing ENabled, Private network) > Switch

I "think" this is fairly secure, but I'd be curious to hear what you think (assuming I wasn't too confusing with my explanation.)

This all works fine EXCEPT for the fact that the laptop has no wireless file sharing capabilities with either system.  If I want this ability, I have to connect the laptop to the switch with a cable.  This is rather inconvenient, however, and I am tempted to enable file sharing on Desktop 2's "internet" NIC so that I can do wireless file sharing between the laptop and Desktop 2.  According to all the documentation, this is how the router is actually "designed" to work -- i.e. to offer LAN AND internet connections over the same line, and still be secure.  I'm not clear, however, if this would lower security too much for "real world" setups.  If I did this, Desktop 1 would remain the same as above, but Desktop 2 would now look like this:

Desktop 2:
     "Internet" NIC (file sharing ENabled, Public or Private network -- not sure) > Router > modem
     "LAN" NIC (file sharing ENabled, Private network) > Switch

I have a few questions about this.  I'm not clear what the ramifications would be if I made the "Intenet" network a "private" network.  As long as I'm behind the router, can I go ahead and make this a "private" network, or should any network associated with an internet connection always be made "public"?  If I disable network file sharing OTHER than "password protected sharing" for private networks, it seems like this would make file sharing secure (since you'd have to have the password to see any files), but I'm not sure about the Windows Firewall implications.  If this was a private network, the firewall could allow connections in that it wouldn't if it was public.

Another option would be to make the "Intenet" NIC a "public" network, but enable password protected sharing on "public" networks.  The thing I'm not sure about is whether or not this would offer the "full" file sharing abilities I need, which would be to share more than just "public" folders.  I "think" that this would work -- i.e. that it's "normal" to have "password protected sharing" over public networks, correct?

A third option would be to use a third wifi router instead of the switch.  I could make this a "private" network and allow file sharing over wifi, but there would be no modem connected to this router, and therefore it would not be associated with an internet connection.  The drawback of this setup would be that we'd have separate wifi networks for internet vs file sharing, meaning that the laptop would either be connected to the LAN or to the internet at any given time, but not both.

I'm honestly not sure which of these setups would be the most secure, of if there is another setup that would be better, but I'd be really interested to hear any opinions on this.

Thanks a million for all your time helping me out with this -- your feedback has been extremely helpful.

Larry

[glynor]

You have a router plugged into a second router -- are there any potential complications with doing this or getting it set up?  It seems like there could be.  

All routers are plugged into a second router.  The Internet is a series of routers, all interconnected.  No, there are no serious complications with doing this.  The only issue is that if you need to open ports on the "internal" (secure) network, then you have to forward them twice (once on the external router, from it to the internal router, and then again on the internal router to the computer offering the service).  Again, though, you should strive to have no open ports on the internal LAN at all, for the best security.  Use the external router as your "DMZ" and allow open ports (and WiFi) access there.

It is true that you would eliminate having two modems, set up the way I suggested.  I'm shocked that your ISP even allows your setup, without requiring you to have and pay for two separate accounts.  Time Warner would NOT be so kind.

Instead, you could certainly keep it the way you have it, and just use a router for your LAN instead of a dumb switch.  The WAN port on the router wouldn't be connected to a modem, so there would be no Internet access via the LAN, but that's not a big problem, since the machines would have their own connections.  Using a Router in place of the switch would provide you with a "real" default gateway on that LAN, and would stop confusing Windows 7, even though the machines on the LAN would never actually use that default gateway.  Then you get into all sorts of problems with multi-homed networks though, which can be confusing.  If a machine has two NICs, and both have default gateways, you have to instruct the machine how to decide where to send Internet traffic vs. LAN traffic.  This isn't always easy.  More info here: http://social.technet.microsoft.com/Forums/en/w7itpronetworking/thread/fa3009fd-f8c3-4291-82f1-8888092d9fa7

However, don't think that you have better security the way you're set up.  If one machine DOES gets infected (maybe a laptop that you take out to a hotel somewhere, or perhaps it gets infected via an email attachment or something).  Once a machine is infected connects to the LAN, via ANY connection, then ALL machines on the LAN are exposed.  Most trojans/worms will spread via ANY NIC they detect in a system.   If they are all connected via the LAN (assuming the infection can spread via a vulnerability in Windows File Sharing or some other open service on the internal LAN), then ALL of your machines connected to the LAN would be vulnerable.  It doesn't matter if they are connected to their own separate cable/dsl modems.  Worms don't always have to come from "outside" (the Internet).  The infected machine will attach any/all machines that it can "see", via any means available.  (Again, this isn't true for all worms, but is true for most of the "bad" ones, like conficker.)

With a two-tier system, you'd effectively have to have THREE simultaneous firewall breaches to become infected (with a worm that spreads via a vulnerability in a network protocol, anyway).  Both of the two Routers would serve as a NAT Firewall, and then the worm would also have to get through the Windows software firewall as well.

To help make it more clear, here is a map of my home network (fairly accurate):

[lalittle]

Thanks for the diagram.

What's your opinion on using/enabling UPnP on the router?  Do I understand correctly that this is a way of having software be able to automatically configure the ports it needs?  It seems like this would have potential security issues, but I see instructions all over the place to have this "on" in order to get various applications and games work, and most routers typically default to having this "on."  The instructions from Netgear and others specifically recommend to set this "on," and they don't mention any security risks, so I'm not clear how much of a risk this might be.

Thanks again,

Larry

[MrHaugen]

Turning UPnP on for the router only enables this on the internal networks. Have not verified this by 100% certainty, but enabling such a thing from the Internet would be nuts.

[JimH]

... enabling such a thing from the Internet would be nuts.

I don't believe it would be any more dangerous than enabling external access on any other port and service.  HTTP, for example.  Its safety would depend on the service running being robust, with no known vulnerabilities.

[MrHaugen]

I don't believe it would be any more dangerous than enabling external access on any other port and service.  HTTP, for example.  Its safety would depend on the service running being robust, with no known vulnerabilities.

The difference is that you talk about opening one port, to a service or application you know and trust. To let applications decide what ports needs to be opened is a whole different scenario. (I've not read much about the UPnP settings on the routers, so I could be totally off here)

To open a number of ports for forwarding (Internet to Internal network) from the Internal network, is one thing. In most cases this is applications you know and trust. To let any applications on the whole Internet tell your router what ports to open and where to forward the data would be a humongous security flaw. I've not tested if it IS possible. Never thought of the idea that it could.

It would be similar to equipping the Armored truck Security guards with water guns, have the keys in their pockets and staying outside the truck clinging to the doors, not to fall off

[lalittle]

Turning UPnP on for the router only enables this on the internal networks. Have not verified this by 100% certainty, but enabling such a thing from the Internet would be nuts.

I'm confused (as usual.)  If it didn't work on the "internet" networks, how would it help with online gaming, which is one of the primary reasons that people say to enable this on the router?  If it only effected internal networks, wouldn't any online gaming be unaffected?

Here are a few excerpts from a Netgear router manual talking about UPnP:

If you use applications such as multiplayer gaming, peer-to-peer connections, realtime
communications such as instant messaging, or remote assistance (a feature in
Windows XP), you should also enable Universal Plug and Play (UPnP) according
to the instructions in “Universal Plug and Play” on page 6-13.

Universal Plug and Play (UPnP) helps devices, such as Internet appliances and computers, to
access the network and connect to other devices as needed. UPnP devices can automatically
discover the services from other registered UPnP devices on the network.

UPnP can be enabled or disabled for automatic device configuration.
The default setting for UPnP is disabled. If this check box is not selected, the router does
not allow any device to automatically control the resources, such as port forwarding
(mapping) of the router.

Note that the default setting is actually "enabled" even though it says it is "disabled."  They must have changed this in a newer firmware.

It seems like this would be a security risk, but I'm still a bit fuzzy on exactly how the UPnP setting on the router works, so I'm wondering if I'm just misunderstanding some fundamental aspect of this.

Thanks again for the feedback here,

Larry

[lalittle]

I'm finding that there is a LOT of disagreement on the web regarding the comparative security risks between enabling UPnP on routers vs. setting up manual port forwarding.

There is an interesting article here http://networking.nitecruzr.net/2006/01/nat-routers-with-upnp-security-risk-or.html that says that UPnP can actually be MORE secure than port forwarding.  For example, it says:

UPnP is actually more secure when your computers can be trusted. UPnP, as I state above, will dynamically instruct the router to close specific ports when they are not needed. Port forwarding, and port triggering, leave ports open forever.

I'd be interested in hearing more opinions about this -- at this point, I'm totally unclear what the actual truth is on this subject.

Thanks,

Larry

[lalittle]

The general points of the argument appear to be:

The anti-UPnP people say that with UPnP enabled on the router, malware that infected a computer could open any ports it wants on the router.  The pro-UPnP people say that with port forwarding, certain ports are ALWAYS open, which is an even bigger security risk since UPnP closes the ports when they aren't actually being used.

The pro-UPnP people also say that once malware is on your system, it can already do what it wants, so opening ports doesn't actually cause any "extra" risk or damage.

I honestly don't know what the "real" answer is on this subject.  Everybody agrees that keeping malware off the system in the first place is obviously best, but it seems like the fact that UPnP can close ports (unlike port forwarding setups), it actually might offer slightly higher security against malware initially getting in.

I'm just not sure what to believe at this point.

Larry

[glynor]

I fall somewhere in-between...  However, I definitely fall more on the anti-UPnP side of the argument.  I think the risk of having software on your system be able to open ANY PORT it wants on your firewall with absolutely no user interaction whatsoever, basically defeats the purpose of having a firewall at all.  Sure, opening a specific port can be a risk, if you are just opening them willy-nilly with no regard for what that actually means and what you actually need to do.

The flaw in the pro-UPnP contingent's argument, in my opinion, is this... There is no inherent "risk" associated with having a port open.  The risk is that the service you are offering on that port will be flawed, and allow an external attacker to access it remotely, exploit the flaw, and do something bad to your machine (steal data, install malware, etc).  So, their argument is that the ports are only open when they are "in-use" (when the service in question is actually running) and closed the rest of the time, which is "safer".  However, if a service has a flaw, then it has a flaw all the time.  With UPnP, if the service is running, then the port is open.  If the service is NOT running, then the port closes.  With a port forwarding setup, the port is always open.  However, you are still only vulnerable to attack when the service is running (they are trying to exploit a flaw in a running service on a particular port).  So, if the service is not running, but the port is still open, you aren't vulnerable to anything, because no one is "home" when they knock on the port (there is no service there running with a flaw to exploit).  So this "ports always open" vs. "only open when needed" argument is mostly FUD.  About the only "danger" that UPnP protects you from is that an attacker will scan your network when you don't happen to be using a particular service, see that the port is open, and say "Aha!  I can't get them now because they aren't running the service now, but I'll come back later and try again when they might be using this hypothetical service that typically runs on that port that they have open."  This risk seems fairy minor, and is easily avoided with many services by simply not using the default ports!

Plus, most true services would be running all the time.  Things like Web Servers, FTP Servers, SSH servers, and the rest are all things you might need to open ports for, but they are also generally only useful if they are running all the time.  So the UPnP method would also have the ports open all the time.  The only exceptions would be things like video games that require external ports to be opened.  However, most modern games no longer require this unless you are running a dedicated server yourself at home.  And besides, you still aren't vulnerable just because a port is open!  You have to both have the port open and a service running and listening on that port (and the service has to have a flaw that allows a remote attacker to inject code).  So, even with those games as examples, you'd still only be vulnerable if you were actually running the game-server at the time of the attack.  Otherwise it would be an open port with no answering service.

All of this would still be fine with UPnP (it is still "better", marginally, to only open ports when you need them)... If there was some method of pre-approving the ports that it was allowed to open and notification/approval mechanism.  There is not.  All of that was sacrificed at the altar of simplicity (really, sacrificed at the altar of "we don't want support calls about port forwarding anymore" in truth).  UPnP can open ports up all the time when you don't NEED them.  It allows ANY software application to automatically open any port, or port range, it wants, without asking you or confirming anything at all.  When you forward ports, it is a manually done operation.  You decide to do it, and therefore should understand the risks.  You'd make sure you always keep the software listening to the port on that machine up-to-date immediately when new releases come out.  You manually evaluate the risk-vs-reward of opening the port.  You know it is confined to a specific machine, limited to specific software and services, and you can take steps to mitigate the risk by being vigilant over this limited possible attack scope.  With UPnP, ports can be set to open just because you installed a game or a VoIP application or chat client.  Even though you might only ever be playing that game in single-player offline mode, and never applying updates.  Even though you might only be using that chat client to do regular chat, and not file exchange (which is what typically requires open ports in chat clients).  Even though you might not NEED the open ports, they get opened every time you run the application.  Heck, with UPnP, a port can be opened even by a Java or ActiveX application running in a web browser!  So, you could open ports simply by visiting a web page and clicking "yes" on a "do you want to run this Java applet" dialog box.  You don't get to choose what you need and what you don't.  The answer is always "yes".

Plus, the argument that "once you get infected, all bets are off anyway" is completely incorrect.  While it is true that once you get infected, the damage can be severe and "disinfection" is often difficult or impossible without completely wiping the machines in question.... There are MANY examples of malware that prefers to run services with open ports.  This allows external attackers to connect directly to the trojan horse on your machine without needing to have the trojan inside the network initiate the connection, which makes it much simpler to use effectively as a "zombie" machine (and simpler to collect the data off of the machine).  For example, the most common use that attackers have for a zombie machine is to set up a sendmail server on the machine to use for sending spam, and sendmail requires open ports!  Sure, most NAT firewalls won't protect you from malware inside your network trying to send communications outbound, but they DO protect you from external people trying to connect to that same malware "inbound".  But not if you turn on UPnP!

With UPnP, since ANY software on ANY machine can open ANY port it wants (without asking or even notifying you), then you must make absolutely sure that ALL software on ALL of your machines is always up-to-date, and that you are never (for even a second) exposed to any malware that might want to run a service.  This is an epic task, and not one that I'm too keen to attempt.

[MrHaugen]

I'm confused (as usual.)  If it didn't work on the "internet" networks, how would it help with online gaming, which is one of the primary reasons that people say to enable this on the router?  If it only effected internal networks, wouldn't any online gaming be unaffected?

I'm not saying that it's a total no no. If you have activated UPnP on the router, all I'm saying is that I would be shocked if you could initiate a port open and forward command from an application originating from an external network. This is the Internet in most cases, and it's a LOT of bad **** out there. It's a WHOLE different story to let an application that is detected coming from the Internal network (the safe place), to be able to tell the router what ports to open up so the device can work like it's supposed to.

I hope UPnP can not be activated for the external connections.

Other than that I have not much against UPnP on routers. It's only that I generally know what I'm doing on my router, so I'm much more at peace doing it my self. than having several applications opening up things.

[lalittle]

If the Router has UPnP enabled and some malware told it to open a port, would the software firewall still block the incoming connection, or would you have to assume that if the malware was already on the system, it would have the ability to tell the software firewall to let the connection through?

On a related note, if you use port forwarding instead, would malware have the ability to "find" the open port, and would you effectively be in the same situation?  It seems like the pro-UPnP people are saying that one open port is just as dangerous as the ability to open ANY port.

My gut reaction is that UPnP seems like a big security risk -- if a web page can open a port with some java script, that seems like a big problem to me.  It's really confusing, however, when some people simply say that it only "feels" this way until you look at what's actually happening, and that port forwarding is actually worse.  It's bizarre how completely opposite the opinions are on this.

Thanks,

Larry

[lalittle]

I hope UPnP can not be activated for the external connections.

As far as I can tell, the primary point of UPnP is to work on external connections since internal connections are often "trusted" and don't need the extra security.  UPnP definitely effects the "internet" network connection.

Does this go against your "hope," or am I just misunderstanding what you're saying?

Thanks,

Larry

[gappie]

interesting thread. no answers from me but ive been always wondering how to set those things on my router, so i apreciate your questions a lot lalittle, and the answers from mrhaugen and glynor. although all those virtual condoms i need to just enter the intenet do give me a bit of a headache.

 
gab

[JimH]

I think there may be too much caution in this thread.  I would trust the router manufacturers on the UPnP service.  Enable it on any router.

Here's a similar thread at greenbutton.com:
http://thegreenbutton.com/forums/p/78042/385541.aspx

There may also be a firewall issue on the server.

[lalittle]

I think there may be too much caution in this thread.

The problem is that some opinions on this (not here, but in other threads around the web) are SO strong on the idea that UPnP is a huge security risk, while others say that it's not a risk at ALL.  As with other security issues, it's really hard to figure out the actual "truth" on the matter.

I would trust the router manufacturers on the UPnP service.  Enable it on any router.

The fact that routers are now having it "enabled" by default definitely strikes me as a big reason to trust it.  Then again, they could be trying to make things "easier" at the expense of making things less secure.  Then again...again, if it was as bad a security risk as people say, why wouldn't the router manufacturers at least "warn" people about the risks?  At this time, I've yet to see ANY router manufacturer talk about any risks with using UPnP.

I definitely appreciate the discussion, however, so thanks for the input.

Larry

[lalittle]

interesting thread. no answers from me but ive been always wondering how to set those things on my router, so i apreciate your questions a lot lalittle, and the answers from mrhaugen and glynor. although all those virtual condoms i need to just enter the intenet do give me a bit of a headache.

 
gab

It's really messy trying to figure out what the "right" thing to do is these days, and I agree -- it gives me a headache as well.  Every once in a while I delve into this for a bit in the hope that on average, I'll end up on the correct side of these arguments... but it can get really frustrating.

Larry

[lalittle]

And then there's "port triggering" as opposed to "port forwarding."  Does THIS offer any extra security over port forwarding, or is it just more difficult to set up?

Larry

[lalittle]

I discovered another consideration.

Some devices like smartphones apparently require UPnP in order to connect to a WiFi network.  I tested this out myself, and I found that my droid could not connect to the router unless UPnP was enabled.  This is not realy an issue for me personally given that I don't really need local wifi for my droid (the 3G network works fine for me), but I thought it was an interesting point.

UPDATE:  I just tried my Droid again, and this time it DID connect with UPnP disabled on the router.  I guess the lack of connection was a fluke due to something else.  Kind of weird, however, that when I tested this earlier it only connected with UPnP enabled.  Anyway, it now works with UPnP off, so... whatever.  I'm starting to think that Jim has the best attitude on this one -- i.e. just trust the router manufacturers.

I assume there is a way to solve this without UPnP (i.e. some sort of port forwarding solution), but in my brief exploration of this, I couldn't anyone listing any specifics.

Here, however, is the really strange thing about this:  There are reports on the web from people saying that have to have UPnP enabled in order to get things like smartphones and gaming consoles to work, but there are OTHER reports that say this is NOT needed.  I can find specific reports from different people sharing their experiences, and the reports directly contradict each other.  It seems like this might depend on the specific router -- perhaps the specific implementation of "enabling" UPnP on any given router is not always the same.

Weird.

Larry

[glynor]

The router manufacturers enable it because it reduces support costs, plain and simple.  People call router manufacturers all the time to ask about forwarding ports.  UPnP stops those calls and saves Netgear money, so they enable it.  I think I explained the concepts fairly well earlier.

High-end router manufacturers certainly don't have it enabled by default!  My Astaro Security Gateway comes pre-configured to not allow any network traffic at all other than very basic web/email traffic (inbound or outbound) and then you are expected to configure it and loosen restrictions as needed until you have just the stuff you need enabled and nothing else.  That's how most "real" security solutions function.

Obviously that is unrealistic (and unwise) for a consumer-grade router.  And besides, UPnP can be very useful inside a network.  I'm not knocking UPnP for configuring internal network resources (letting your Xbox talk to your PC, for example) at all!  But enabling it on an Internet-facing router is a different thing.  It even could be useful on a router, I just wish it were implemented differently.  Opening ports without asking or a chance to decline just isn't safe no matter what the excuse.

If the Router has UPnP enabled and some malware told it to open a port, would the software firewall still block the incoming connection, or would you have to assume that if the malware was already on the system, it would have the ability to tell the software firewall to let the connection through?

It would, if enabled and if UPnP is also not enabled in the Software Firewall.  If the machine is compromised, though, you must assume that all software on the system is compromised.

On a related note, if you use port forwarding instead, would malware have the ability to "find" the open port, and would you effectively be in the same situation?  It seems like the pro-UPnP people are saying that one open port is just as dangerous as the ability to open ANY port.

It could, but not all do.  However, this still misses the point.  It assumes that you would/might want to map some open ports on all machines that you own!

This certainly isn't the case for me.  I try to limit my exposure by only serving data to and from a single server.  Most of the machines in my network have no ports open to the external network ever.  Certainly not "high exposure" machines like my Laptop.

UPnP allows software to open a port on your entire network and forward all traffic for that port to that machine (to itself).  That is the nature of the mechanism.  I don't want anything open on my Laptop.  I don't want anything open on my HTPC.  Neither of those machines have any reason to use an open port!  But UPnP on a router doesn't let you make those choices.  If you turn it on, it is on for every device on the internal network running any arbitrary software application.  You can't pick and choose anything.

That's the central disagreement that I have with most of the pro-UPnP arguments: They assume that you want to open ports all the time on every single machine and device you own, when in reality, this should be quite rare.  Again, though, the idea of UPnP isn't bad, it is the current implementation that is bad and insecure.  Just have the router ask me somehow before it does it, and I'll shut up.  But the problem is that doing that is a challenging endeavor (and expensive, development time wise), so none of the "cheap, consumer-grade" router manufacturers do it.

UPDATE:  I just tried my Droid again, and this time it DID connect with UPnP disabled on the router.  I guess the lack of connection was a fluke due to something else.  Kind of weird, however, that when I tested this earlier it only connected with UPnP enabled.  Anyway, it now works with UPnP off, so... whatever.

I would find it extremely unlikely that any 802.11 device would require (or even use) UPnP for network configuration.  The network protocols for WiFi discovery and address allocation all have nothing to do with UPnP.

If they did, it would seem to be a non-compliant 802.11 device.

[sunfire7]

well, nice topic, very interesting.  Anyone have tested my solution ? the ping one, works for me !