Routers ([ˈruːtə(r)] or [ˈraʊ̯tər]) or network routers are network devices that forward network packets between several computer networks. They are most often used for Internet connections, for the secure coupling of several sites (Virtual Private Network) or for the direct coupling of several local network segments, if necessary with adaptation between different network technologies (Ethernet, DSL, PPPoE, ISDN, ATM etc.).
Routers make their forwarding decision based on information from network layer 3 (for the IP protocol this is the network part of the IP address). Many routers also translate between private and public IP addresses (Network Address Translation, Port Address Translation, NAT/PAT) or implement firewall functions using a set of rules.
Routers designed for connecting home networks to the Internet are also called Internet routers.
Routers work on layer 3 (network layer) of the OSI reference model. A router has at least one interface through which a network is connected. Interfaces can also be virtual, for example when they are used to switch data between virtual networks (VLANs). When data packets arrive, a router must use the OSI layer 3 destination address (e.g. the network part of the IP address) to determine the best route to the destination and thus the appropriate interface via which the data is to be forwarded. To do this, it uses a locally available routing table which indicates which network can be reached via which connection of the router or via which local or remote router.
Routers can learn paths in three different ways and use this knowledge to create the routing table entries.
- Directly connected networks: they are automatically entered into the routing table if an interface is configured with an IP address and this interface is active ("link up").
- Static routes: these routes are entered by an administrator. On the one hand they are used for security reasons; on the other hand they can only be managed if their number remains limited, so scalability is the limiting factor of this method.
- Dynamic routes: here routers learn reachable networks through a routing protocol that collects information about the network and its participants and distributes it to the members.
The function of the routing table is comparable to an address book in which the router looks up whether a destination IP network is known, i.e. whether there is a route to this network and, if so, which local interface it should use to forward the data. The routing decision is usually made according to how specific the entries are: more specific entries take precedence over less specific ones. An existing default route is the least specific route; it is used if no more specific entry exists for the destination (network). When the entire Internet routing table is carried as part of inter-AS routing, it is common not to keep a default route.
Some routers are capable of policy-based routing. Here the routing decision is not necessarily made on the basis of the destination address (OSI layer 3); other criteria of the data packet can also be taken into account, for example the source IP address, quality-of-service requirements or parameters from higher layers such as TCP or UDP. Packets that transport HTTP content (web), for instance, can take a different route than packets with SMTP content (mail).
Routers can only process data packets suitable for routing, i.e. packets of routable protocols such as IP (IPv4 or IPv6) or IPX/SPX. Other protocols, such as NetBIOS and NetBEUI originally used by MS-DOS and MS-Windows, were designed only for small networks and are by design not routable, so a router does not forward them by default. However, it is possible to transmit such data to remote routers via tunnels and corresponding functions such as data link switching (DLSw) and to deliver it to the destination there. Packets from these protocol families are usually processed by systems that work on layer 2, i.e. bridges or switches. Professional routers can perform these bridge functions if necessary and are then called layer 3 switches. As a layer 3 system, all layer 2 functions end at the router, including the broadcast domain. This is particularly important in large local networks in order to keep the number of broadcasts low for the individual participants in a subnet. However, if broadcast-based services such as DHCP are to work across the router, the router must provide functions that receive and evaluate these broadcasts and pass them to another system for processing (relay agent function).
A distinction must also be made between single-protocol and multi-protocol routers (also written multiprotocol routers). Single-protocol routers are only suitable for one network protocol such as IPv4 and can therefore only be used in homogeneous environments. Multi-protocol routers can handle several protocol families at the same time, such as DECnet, IPX/SPX, SNA, IP and others. Today IP routers dominate the field, since practically all other network protocols are of subordinate importance and, where they are still used, can often be encapsulated (NetBIOS over TCP/IP, IP-encapsulated IPX). In the past, multi-protocol routers were very important in larger environments: at that time many manufacturers used different protocol families, so it was essential that the router supported several protocol stacks. Multi-protocol routers are now found almost exclusively in wide area or ATM networks.
It is important to distinguish between routed protocols (such as the Internet Protocol or IPX) and routing protocols. Routing protocols manage the routing process and the communication between routers, which exchange their routing tables (e.g. BGP, RIP or OSPF). Routed protocols, on the other hand, are the protocols of the data packets that the router transports.
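As an added example (not part of the article), the following Python sketch implements the lookup described above: a routing table with directly connected, static and default entries resolved by longest prefix match, plus a policy-based rule that sends packets from a given source network and protocol out of a different interface. All interface names, addresses and protocol labels are constructed for illustration.

```python
# Added example: minimal IPv4 routing table with longest-prefix-match lookup,
# an optional default route, and a policy-based routing step that can override
# the destination-based decision. Not taken from the article.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str                   # outgoing interface, e.g. "eth0"
    next_hop: Optional[str] = None   # None: network is directly connected


@dataclass(frozen=True)
class Policy:
    src_prefix: ipaddress.IPv4Network  # match on the source address ...
    proto: Optional[str]               # ... and optionally on a higher-layer protocol
    interface: str                     # interface to use when the policy matches


class RoutingTable:
    def __init__(self) -> None:
        self.routes: List[Route] = []
        self.policies: List[Policy] = []

    def add_route(self, prefix: str, interface: str, next_hop: Optional[str] = None) -> None:
        # "0.0.0.0/0" is the default route: it matches every destination but has
        # prefix length 0, so any more specific entry wins over it.
        self.routes.append(Route(ipaddress.ip_network(prefix), interface, next_hop))

    def add_policy(self, src_prefix: str, proto: Optional[str], interface: str) -> None:
        self.policies.append(Policy(ipaddress.ip_network(src_prefix), proto, interface))

    def lookup(self, dst: str, src: Optional[str] = None,
               proto: Optional[str] = None) -> Optional[str]:
        """Return the outgoing interface, or None if nothing (not even a default) matches."""
        # Policy-based routing first: criteria other than the destination decide.
        if src is not None:
            src_addr = ipaddress.ip_address(src)
            for pol in self.policies:
                if src_addr in pol.src_prefix and pol.proto in (None, proto):
                    return pol.interface
        # Destination-based routing: pick the most specific (longest) matching prefix.
        dst_addr = ipaddress.ip_address(dst)
        best: Optional[Route] = None
        for r in self.routes:
            if dst_addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best.interface if best is not None else None


def build_example_table(with_default: bool = True) -> RoutingTable:
    """Constructed sample table: a connected LAN, a static aggregate and a more specific route."""
    t = RoutingTable()
    t.add_route("192.168.1.0/24", "eth0")                       # directly connected
    t.add_route("10.0.0.0/8", "eth1", next_hop="10.0.0.1")      # static aggregate
    t.add_route("10.1.0.0/16", "eth2", next_hop="10.1.0.1")     # more specific: wins for 10.1.x.x
    if with_default:
        t.add_route("0.0.0.0/0", "ppp0", next_hop="203.0.113.1")  # default route towards the ISP
    t.add_policy("192.168.1.0/24", "http", "wan2")              # LAN web traffic leaves via wan2
    return t
```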
Backbone router, hardware router
The high-speed routers (also known as carrier-class routers) on the Internet (or in large companies) are today devices that are highly optimized for forwarding packets and that can route many terabits of data per second in hardware. The required computing power is provided largely decentrally by special network interfaces; a central processor (if present at all) is not loaded at all or only lightly. The individual ports or interfaces can receive and send data independently of one another. They are connected to one another either via an internal high-speed bus (backplane) or crosswise (matrix). Such devices are usually designed for continuous operation (availability of 99.999% or higher) and have redundant hardware (power supply units) in order to avoid failures. It is also common that all subcomponents can be exchanged or expanded during operation (hot plug). In the early days of computer networking, on the other hand, it was common to use standard workstations as routers, with routing implemented in software.
Border routers or edge routers are typically used by ISPs (Internet Service Providers). Such a router must connect the network of the subscriber who operates it with other peers (partner routers). The routing protocol BGP predominantly runs on these routers.
EBGP (External Border Gateway Protocol) is usually used for communication between the peers. This enables the router to transfer data to a neighboring autonomous system.
With some manufacturers (for example Hewlett-Packard), the high-speed routers (carrier-class routers, backbone routers or hardware routers) are not listed under a separate heading "Router". Routers are marketed there together with the better-equipped switches (layer 3 switch and above, enterprise class). This is logical insofar as switches of the upper mid-range almost always also master the routing functionality. Technically, these are systems that, like the devices known as routers, are heavily optimized for forwarding packets (router: based on the OSI layer 3 address such as the IP address; switch: based on the OSI layer 2 address, the MAC address) and offer many gigabits of data throughput per second. They are configured via the management interface and can optionally work as a router, as a switch or, of course, in mixed operation. In this area the boundaries between the two device classes are becoming increasingly blurred, also in terms of price.
Instead of special routing hardware, ordinary PCs, laptops, nettops, Unix workstations and servers can be used as routers. The functionality is provided by the operating system and all processing is carried out by the CPU. All POSIX-compliant operating systems master routing out of the box, and even MS-DOS could be extended with routing functionality using the KA9Q software from Phil Karn.
Windows also offers routing services in all NT-based workstation and server variants (NT, 2000, XP, 2003, Vista, 7). The server version of Apple's Mac OS X includes router functionality.
The free operating system OpenBSD (a UNIX variant) offers, in addition to the built-in basic routing functions, several advanced routing services such as OpenBGPD and OpenOSPFD, which are otherwise found in commercial products. The Linux kernel contains extensive routing functionality and offers many configuration options; commercial products are nothing more than Linux with proprietary in-house additions. There are entire Linux distributions that are especially suitable for use as routers, for example Smoothwall, IPFire, IPCop or Fli4l. OpenWrt is a special case: it allows the user to build firmware that runs on an embedded device and can be configured via SSH and HTTP.
A router that contains a PPPoE client for dialing into the Internet via xDSL from an ISP and that also masters Network Address Translation (NAT) in IPv4 networks, converting one public IPv4 address to the various private IPv4 addresses of the LAN, is called a DSL router. These DSL routers are often multifunctional devices with a switch, a WLAN access point, not infrequently a small telephone system, a VoIP gateway or a DSL modem (xDSL of any type).
Firewall functionality in DSL routers
Almost all DSL routers today are NAT-capable and are therefore able to translate network addresses. Because a connection cannot be established from the Internet to the network behind the NAT router, some manufacturers already refer to this functionality as a NAT firewall, although it does not reach the protection level of a packet filter. The block can be circumvented by configuring port forwarding, which is necessary for some virtual private network or peer-to-peer connections. In addition, most DSL routers for private use have a rudimentary packet filter, some of which are also stateful. With IPv6 only these packet filters remain: because NAT is no longer available, port forwarding again becomes a simple opening of the port. Linux is used as the operating system on many routers of this (consumer) class, mostly with iptables as the firewall. Such products usually do not contain a content filter. A safer alternative are free firewall distributions based on more secure operating systems, such as OPNsense.
Protective measures for DSL and WLAN routers
If programming errors are discovered, a router manufacturer can provide a software update to close or mitigate security gaps. If the router is not kept up to date, the security of your own network is at risk. Therefore, to protect personal data, it is essential that software updates are installed at regular intervals.
Further measures to protect routers:
- Only use current WLAN encryption (WPA2); WEP-encrypted access can be decrypted within a few minutes
- Change the passwords set by the manufacturer and select only secure passwords
- Rename the SSID
- Disable WPS and remote administration
- Do not open network ports arbitrarily and thoughtlessly
- Disable UPnP functions that allow any software to open network ports
- Secure services that are reachable from the Internet via port forwarding
- Use a powerful (dedicated) stateful firewall such as pfSense or OPNsense (the latter with ASLR and LibreSSL) behind a pure DSL modem
The combination of wireless access point, switch and router is often referred to as a WLAN router. This is correct as long as there are ports for connecting at least one second network, usually a WAN port. Routing then takes place between the at least two networks, usually WLAN and WAN (and, if available, between LAN and WAN). If this WAN port is missing, the term is only marketing, since pure access points work at OSI layer 2 and are therefore bridges, not routers. WLAN routers are often not full-fledged routers, as they frequently have the same restrictions as DSL routers (PPPoE, NAT). With IPv6, NAT is not required for these devices; during the transition phase the router only has to support tunnel protocols such as 6to4.
Router in automation
With the spread of network technology in industrial automation, modem routers with external access via telephone and cellular connections are increasingly being used. These industrial devices are software routers based on embedded Linux that are optimized not for high throughput but for mechanical robustness, mounting in the control cabinet and durability.
Software or hardware router
In general, software routers mainly provide valuable and extensive services in the non-professional environment. There are two types of implementation for software routers: on the one hand the dedicated router, where a PC, workstation or server is used almost exclusively as a router (often also as DHCP or DNS server or firewall); on the other hand the non-dedicated router, where a server takes over routing in addition to its existing tasks. Both are well suited for the non-performance-critical area and can compete with professional solutions, especially in terms of cost; in terms of performance they are usually inferior.
One reason for this is that such systems have until now been based on a classic PCI bus with a 32-bit bus width and a 33 MHz clock rate (PCI/32/33). Theoretically, 1 GBit/s (1000 MBit/s, corresponding to about 133 MByte/s) can be routed over such a bus in half-duplex mode (HDX); since the network packets cross the PCI bus twice in this case (card – PCI – main memory – CPU – main memory – PCI – card), the maximum routable data flow of such a software router is reduced to about 0.5 GBit/s. Today Ethernet is almost always switched and operated in full-duplex mode (FDX), so Gigabit Ethernet, for example, already carries 2 GBit/s (1 GbE in each direction), even though names like 1 GBit/s Ethernet, 1GbE or 1000BASE-T suggest otherwise. It follows that a system based on PCI/32/33 cannot achieve the maximum transfer rate of 2 GBit/s that is theoretically possible on the network side. Systems with a PCI/64/66 bus can provide around 4 GBit/s on the bus side, just enough for the peak load of two 1GbE interfaces in FDX mode. Higher-quality classic (legacy) server systems have faster interfaces (PCI-X 266 or better) as well as several independent PCI buses. They can achieve higher throughput rates without problems, but typically have high energy consumption, which is why the cost-benefit question arises, especially in dedicated router operation. Hardware routers with specialized CPUs and application-specific chipsets (application-specific integrated circuits, ASICs) do this much more energy-efficiently.
Only with the introduction of PCI Express (with 2 GBit/s per lane for version 1.x and 4 GBit/s per lane for version 2.x in FDX mode, and more) is there a sufficient peripheral transfer rate in standard PCs for several 1GbE (or also 10GbE) connections, so that energy-efficient, high-throughput software routers can be built from inexpensive standard hardware. Since all these values are theoretical, and in practice not only data passes through the bus but routing decisions also have to be made, a software router may lose further performance. As a precaution, only half of the theoretically possible data throughput should be assumed in practice. At such data rates, a software router at least has a good and sufficient cost-performance ratio.
Hardware routers from the high-end range, which may have special high-performance buses or crossbars, are clearly superior in terms of performance, which is also reflected in the price. In addition, these systems are designed for fail-safe continuous operation (availability of 99.999% and higher). Simple PCs cannot keep up here; high-quality servers and workstations, however, also have redundant components and are sufficiently fail-safe for many applications.
Some so-called hardware routers actually consist of PC components. Only the housing or the partially mechanically modified PCI slots and the "cryptic" operating system give the impression that these are special systems. Although these systems usually work very robustly and reliably, routing is carried out by software.
In order to route 1GbE or 10GbE networks with high performance, a high-priced hardware router is not necessarily required. Routing clusters can be used instead, provided a slight reduction in transmission speed is acceptable. Such a cluster can be made up of one software router (for example a workstation with two PCI Express 10GbE LAN cards) per Ethernet line. The software routers are connected to one another via a professional switch with a sufficient number of ports and a correspondingly high throughput rate (several hundred GBit/s). In contrast to networks with a central backbone, the maximum data throughput of the entire routing cluster corresponds to the maximum throughput of the central switch (several hundred GBit/s). Optionally, the clusters can be designed redundantly (using high-availability Unix or HA Linux). Such cluster systems require a relatively large amount of space and do not achieve the performance and reliability of high-speed routers, but they are highly modular, easily scalable, comparatively high-performing and yet inexpensive. They are used where cost matters more than performance, for example in schools or universities.
In British English the pronunciation [ˈɹuːtə(ɹ)] predominates. In the USA [ˈɹaʊtɚ] is also heard, to avoid homophony with a suggestive term. In German-speaking countries the device is usually pronounced [ˈʀuːtɐ].
- Broadcast storm
- Common Open Policy Service
- Drive-by pharming
- Media converter
- Network scheduler
- Spanning Tree Protocol