Subscriber Gwyn sent a question about one of the basic functions of a router, and how it protects you on your cable, DSL, Ethernet or other connection to the Internet:
your comment:”But, someone on the Internet side of the router can not initiate a connection to your computer — they can only respond to your request”, by responding to your request, do you mean if you visit their website via the URL bar? I have a cable router and am certain that various websites are able to find out a lot about me and the stuff that’s on my pc.
I wrote back to Gwyn to give her a non-technical explanation of how a router works and protects the user.
A router isolates your computer from connection requests from the Internet side of the router. These are particular types of data packets at the Internet Protocol level, not at a level that you or I operate.
For example, when you use your web browser to visit a web site, there are a large number of data packets sent. The first is a “Can I talk to you?” connection request. The web server responds with an acknowledgment. at that point, your web browser sends its request for the specific web page to be sent. Then, the web server sends packets of data that contain the web page’s text, layout, images and even videos and music.
The request – the connection request – was the first packet sent. Everything after that continued as replies to the previous connection request.
Anything the server sends back in response to your connection will make it though your router to your computer (unless you have one of the newer models that does some more advanced testing caused Stateful Inspection of the data packets).
So, how does the router block the connection requests originating from the Internet side of the router?
The router actually bridges between two networks. The Internet is one big network. Your local home network, even if you have only one computer on the Local Area Network (LAN) connection of your router, is another network.
The two networks have different IP address ranges. In particular, your LAN probably uses IP addresses in the range of 192.168.0.0 to 192.168.255.255, since this is defined as a Private Network IP address. Further, the ISP-type routers will not forward data addressed to private network packets. Let’s guess that your computer’s IP address is 192.168.1.100.
Your router gets an IP address on your LAN (local area network) and also gets an IP address on your ISP’s network. The IP address on the ISP’s network actually is addressable from anywhere on the Internet (unless, however, your particular ISP is using private network IP addresses for their network). Let’s assume your ISP has assigned you the IP address 188.8.131.52 (actually, this IP address is one of the Google Public DNS IP addresses, http://code.google.com/speed/public-dns/).
So, as an example, a web server in the U.K. can receive a connection request from your computer 192.168.1.100 that goes to your router’s LAN connection at 192.168.1.1, is sent to the router’s WAN (wide area network, or Internet) side at 184.108.40.206, is tagged by the router with using a non-standard port number, say 5233 (don’t worry about that number that it’s non-standard – that’s just saying that it’s not a port number that is predefined with a special meaning) and then to the web server’s IP address.
The web server’s response goes in the reverse direction – back to 220.127.116.11 with the TCP port number selected (back to 18.104.22.168:5233).
The magic occurs at your router.
The router gets the response packet, remembers what it needs to do with anything arriving on TCP port 5233. The router bridges the data from the Internet into your local area network – and sends it to your computer.
All that happens transparently to you.
But, if a computer, say in China, tries to connect to your computer – it can’t. Your router has an accessible IP address, but your computer doesn’t., so the connection doesn’t happen.
Regarding web sites able to find out information about what’s on your PC, there are two possibilities:
- you might actually have a malware infection, but most malware really doesn’t want you to know you’re infected. I think #1 is more likely.
Gwen wrote back to say:
Many thanks for your excellently comprehensive answer.
The bottom line: I know that there are people who say "I don’t need a router; I only have one computer, not a network." I strongly believe that, if you are connecting to the Internet with anything other than a dial-up modem, you should have a router.
Even if you only have one computer, the router will treat the one computer and the router’s LAN port as a network, protecting your computer by isolating it from connection attempts from the Internet side of the router.