Sunday, October 13, 2019

The telephone company analogy for understanding your network

Networking using Phone Number Analogy

This is a simple guide to understanding basic networking, firewalls, port forwarding, servers and VPNs, using the analogy of telephone numbers at a small business.

I hope this will be useful to anyone who is troubleshooting connectivity issues in their network.

Single PC

You're a small business owner, with a 1-room office (computer).  You set up a phone number with you phone company (internet service provider, ISP) to get calls.  Your phone number (internet IP address) is publicly available and you accept all incoming calls.

Single PC Security

Things are not ideal since bad actors are tying up your phone line and trying to mislead your employees into sabotage.

So, you hire a security guard (firewall) who screens all incoming and outgoing calls (packets) at the office door.  He stops anything that looks wrong, and lets the rest through.

Obviously, the guard needs to be told when new employees (programs) are added.  Otherwise he will block their calls by accident.  This is usually done by flagging new outgoing calls as they happen and asking for a confirmation they are OK.

Note that all modern computers include a built-in software firewall.

Multiple PCs (Network)

Your business grows to multiple offices (computers) in one building.

You still only have one phone number, so calls no longer go directly to each office.  You hire a receptionist (router) that has a switchboard.  These handle all incoming and outgoing calls (packets) for the entire business (network).

The reception system (router) usually has three parts:

-  A receptionist that routes each incoming call to the right office;
-  A switchboard that allows calls to be connected through; and
-  A security guard that watches for bad incoming and outgoing calls (firewall).

Your receptionist/switchboard (router) will obviously connect any outbound calls (ougoing requests / outgoing packets) without any instructions.  There means there is no need to set up anything special for calls you initiate.

This includes things like normal web browsing, FTP, e-mail, etc.  This is the reason most people don't need to worry about setting up special settings in their routers for "ordinary" computer stuff.

Note this includes torrenting.  Torrenting software both makes outgoing calls, and listens for incoming calls.  Just doing outgoing calls is not ideal, but it is enough to make it work.

However, all incoming calls come through the single main number.  Your receptionist (router) does not know which office to connect it to.  Anyone calling for a specific office (accounting, finance, etc.) will not get connected.
Therefore, anyone looking for any of your services where they call you (incoming connections / incoming packets) will not automatically find the correct office (computer) in your business (network).

This applies to any service that you provide from inside your own network.  Examples include:
-  Web services (web server)
-  File transfer services (FTP server)
-  Media streaming services (Plex server, etc.)
-  Game servers (Minecraft server, etc.)
-  Torrenting software (uTorrent, qbitorrent, etc.)

Basically, if it has "server" in the name, and it's within your network, the outside world can't find it.

Again, the exception is torrenting.  Most torrenting software will work without port forwarding using just outgoing calls.  But it works better when you also allow incoming calls to connect through, because you get more connections faster.

To solve this and let others connect to you, you need several things:

1.  You assign local phone numbers (local ip addresses) to your offices (computers).  This allows calls into your business phone number (internet IP address)  can be connected to the right office (computer).

2.  These local numbers can be changeable (dynamic) or unchanging (static).  To keep calls from going to the wrong offices, we obviously want fixed local numbers (static ip addresses).

3.  You have to give your reception (router)  instructions on what to do with each kind of call.

Nobody outside your office knows your local numbers.  However, there is a default list of extensions (ports) that usually correspond to each kind of office.

-  To call your web site, they dial your phone number (internet IP address) plus extension 80 (port 80, http);
-  To call your FTP site, they dial your phone number (internet IP address) plus extension 21 (port 21, ftp);
-  To call your email, they dial your phone number (internet IP address) plus extension 110 (port 110, pop3)

and so on.

This lets your reception connect each kind of incoming call to the right local phone number

Unfortunately, there is no way to use just your internal phone numbers - they are hidden behind your switchboard, and are not standardized.  As callers can't dial direct, they have to use the extension numbers (port numbers) instead.

This process of matching the incoming call extension (port) to the right internal office number (internal ip address) is called port forwarding.

As you might imagine, port forwarding is very simple.  It's just a table that says this extension number (port number) gets connected to that internal phone number (internal IP address), which is permanently assigned to a specific office (computer).

From this, it is obviously a bad idea to have two offices (computers) that have the same extension (port forwarding).

For example, say you get a call for extension 80 (web server), but two offices (computers) have that extension (port).  What does your receptionist (router) do?

-  Connect only one office?  What if it's the wrong one?
-  Connect it randomly to one or the other? That doesn't work!
-  Connect it to both? How will the customer know which to listen to?

For these reasons, you can only designate each extension (port) to one office (computer).  (In other words, you can only port forward each type of packet to a single internal IP address.)

This means that if you have a web site office (web server), all of the web sites will need to live in that office (on that computer).  Similarly, you can only have one FTP server, one Plex server, etc.

Of course, some businesses have more than one.  Figuring out how to deal with this restriction is, arguably, a significant part of network administration.

There are cases where two different programs, on two different machines, want to use the same extension (port).  This can be a big problem.

Fortunately, most software makes outgoing calls, which are always OK.  It's only software that receives incoming calls that's a problem.  And having a semi-standardized list of extensions (ports) mitigates this problem.

Network Security

Of course, you also obviously have to tell all of the security guards (firewalls) in the chain to let the calls through.  This includes any guard in each office (local software firewall) plus the guard at reception (router firewall).

When you give your reception (router) the port forwarding instructions, the guard at reception (router firewall) will naturally see it and will let through any such calls automatically.  However, the guards in the offices (local software firewalls) don't get to see this, and so have to be told separately.

From this, it is tempting to turn off one or more firewalls, since they are theoretically redundant.  This is not a great idea since more firewalls mean more protection, but it can be done. 

If any given guard (firewall) is stopping the call from connecting, that port is said to be closed (blocked).  If all the guards are allowing the call through, the port is open.  Open ports ring through - blocked ports do not.


There may come a time when you no longer want the world to know your phone number (external IP address).

This is usually done for privacy reasons.  If your phone number is public, it is possible for your phone company (internet service provider) to listen in.  Some people don't like this.

To prevent this, you hire a call forwarding service (virtual private network, VPN).  From then on, all calls go through them.

To facilitate this, you change your published phone number (internet IP address) from your real number to the number of the call forwarding service (VPN).  Anyone trying to call you will be calling them instead, hiding your real phone number.

Forwarding can be handled at one of two places:

-   At the phone in each individual office (computer).  You need to place a special forwarding agent (VPN program / application) in each office (computer) to accomplish this.

-  At your main reception (router).  You just instruct your reception (router) to connect all outgoing calls to the forwarding service (VPN).  This covers your entire business (network) in a single step.

You can also tell reception to route only a block of internal offices through the VPN, and connect all other calls normally.

After setup, the process for outgoing calls is:

-  You call a special encrypted phone line at the forwarder (VPN).
-  They connect you through to the external number.
-  The call ID at the other end shows the number of the forwarder (VPN), not your real phone number.

As the forwarder handles calls for thousands of businesses, this process ensures that nobody can tell which outgoing calls are yours.  And as calls are encrypted, nobody can listen in.

This obviously works fine for all outgoing calls.  Aside from setting up the VPN service itself, nothing more is usually needed.

Incoming calls, however, are a different story.

Remember, you changed your phone number (internet IP address).  Customers are now calling your call forwarding service (VPN), and not you.

The forwarder handles thousands of customers.  So if they get a call at their own phone number to any given extension (port), they do not know who it is for.

For example, say they get a call for extension 80 (port 80).  Out of their thousands of clients, who is this for?  They can't know, so the call fails to connect.

Remember, the caller does not know your number - they only known the number of the VPN.  That is the point.  So the caller can't identify you to the VPN either.

This occurs from outside, and randomly, so you can't handle these with an outgoing call.  There is also no way to call them back since you never saw the incoming call in the first place, plus they might not even be listening anymore.

This means that if you use a VPN, any services you offer - web, FTP, game, etc. - will automatically be blocked, even if everything else is OK.  This is obviously a big issue.

To fix this, you have a few options.

1.  You can specifically tell your call forwarder to send extension calls to you.  This is known as VPN port forwarding.

Obviously, connecting specific calls to you is at odds with making you anonymous, and is technically challenging.  So not every VPN provider offers port forwarding, and those that do often require special setups.  Sometimes you have to manually reconfigure the VPN client daily (or so), which can be a pain.

Note that is not usually possible to set up VPN port forwarding at your reception (router), because it won't support it.  It's just too complex for consumer-grade routers.  You usually must use the software VPN application on the affected machine.

2.  You can stop using the VPN for the affected machines.  That is, your servers will have to live outside the VPN.

This is why you will often hear of people that have excluded certain machines from VPN service.  These machines are typically servers that can't work behind the VPN.

This works well if your server is separate from your working machine.  The server can live outside the VPN, but your personal machine can stay in, keeping your personal web traffic anonymous.

As most services are really simple, it is very easy to get a separate machine to use as your server.  For web and other simple stuff, almost anything will do.

Game and media servers are more complex.  However, these benefit from being outside the VPN since VPNs slow you down.

3.  For intermittent operation only, you can turn off the software VPN client on the affected machine.  This leaves you outside the VPN to do what you need to do, after which you can turn it back on.

This is cumbersome but is OK for some things.  For example, if you need to use a specific application that does not work well behind the VPN - maybe video conferencing - but only sometimes, turning off the VPN can be an easy solution.

4.  You can move your services to a machine outside your network.

For example, you can move your web hosting from a local network machine to a hosting service.  This outside service will not using a VPN, so no problem.

This obviously doesn't work well for game servers, and not at all for remote access, media or file services.  Those services need access to your local files by definition, and can't readily be moved to an offsite service.

5.  You can install the affected software on a separate machine that lives outside the VPN.

For example, maybe you set up video conferencing only on your laptop, and move it outside the VPN.  You keep your workstation on the VPN.

This means that you have to do all your video conferencing on your laptop, which may be inconvenient.  But your workstation is still protected by the VPN full-time, which is convenient.

At the end of it all, remember that VPNs just ensure privacy.  You will need to decide how important that privacy is, relative to the difficulty of setting up the software you need.

No comments:

Post a Comment