Differences

This shows you the differences between two versions of the page.

advanced-firewall [2023/05/28 03:48] – [Firewall] hogwildadvanced-firewall [2023/05/28 04:13] – [NAT] -resize "advanced-firewall-NAT.jpg" to 454x113 hogwild
Line 6: Line 6:
 ===== Firewall ===== ===== Firewall =====
  
-{{:pasted:20220118-182859.png}} \\  \\ **WAN interfaces respond to ping and traceroute:  **If enabled, allows your device to reply to certain ICMP ping and traceroute request packets from Internet hosts. This is necessary for //ping //and //traceroute to //work from the Internet.+{{:pasted:20220118-182859.png}} \\  \\ **WAN interfaces respond to ping and traceroute:  **If enabled, this allows your device to reply to ICMP ping and traceroute request packets from Internet hosts. This is necessary for //ping //and //traceroute to //work from the Internet.
  
 **Limit communication to:  **This specifies the maximum number of requests per second to which the Firewall will reply. Setting a limit number is recommended to prevent DDoS attacks.\\   \\   \\  {{:pasted:20220118-183317.png}}\\ **Limit communication to:  **This specifies the maximum number of requests per second to which the Firewall will reply. Setting a limit number is recommended to prevent DDoS attacks.\\   \\   \\  {{:pasted:20220118-183317.png}}\\
  
- \\  \\ **Enable TCP SYN cookies:  **Enabling this protects the router from SYN Flood attacks via the "SYN cookies" technique. This function encodes information from the SYN packet into the (SYN/ACK) response. This is a standard technique for preventing SYN floods. However, enabling it creates secondary limitations which may cause issues with some old TCP/IP stacks.+ \\  \\ **Enable TCP SYN cookies:  **Enabling this protects the router from SYN Flood attacks via the "SYN cookies" technique. This function encodes information from the SYN packet into the (SYN/ACK) response. This is a standard method for preventing SYN floods. However, it has certain limitations which may cause issues with some old TCP/IP stacks.
  
 **Enable DCSP Fix:  **Checking this enables a workaround for packet marking, a well-known issue related to DSCP when connected to Comcast. **Enable DCSP Fix:  **Checking this enables a workaround for packet marking, a well-known issue related to DSCP when connected to Comcast.
  
-**Allow DHCP Spoofing:**+**Allow DHCP Spoofing: ** 
 + 
 +**Smart MTU black hole detection:**
  
-IPv6 IPSec Passthrough - Enabling this allow IPSec tunnels to pass through the firewall. It opens port 500 and the "ESP" protocol(50) to accomplish this. 
  
 ===== NAT ===== ===== NAT =====
  
-NAT loopback - also known as "Hairpinning", this technique allows LAN devices to access another LAN device via the WAN interface of your routerThis is common practice, for example, when connecting to the DDNS domain of your router from the LAN (for administration purposes)This legacy setting is rarely, if ever needed nowadays. It also can create a bottleneck on fast connections.+**NAT loopback:** This technique allows LAN devices to access each other via the router'WAN interface. Also known as "Hairpinning", this is commonly used when connecting to the DDNS domain of your router from the LAN. These days, this legacy setting is almost never needed. It also can create speed bottlenecks.
  
   * All   * All
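Review bot: the two options added in this hunk, **Allow DHCP Spoofing** and **Smart MTU black hole detection**, are inserted as bare bold labels with no description, and the only line that documented IPv6 IPSec Passthrough (UDP port 500 for IKE and IP protocol 50, ESP) is deleted rather than corrected. Each new label should say what the option does and what it exposes, the way the entries above it do; if IPSec Passthrough is still present in the firmware UI, the deleted sentence should come back with its grammar fixed ("Enabling this allows IPSec tunnels to pass through the firewall; it opens UDP port 500 and IP protocol 50 (ESP)"). Two smaller points in the retained context: **Limit communication to** says a reply-rate limit "prevents DDoS attacks", which overstates it; the limit keeps the router from spending CPU answering floods or acting as an ICMP reflector, it does not stop a flood from arriving. And the label **Enable DCSP Fix** is a typo for DSCP, which the same sentence spells correctly.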
Line 26: Line 27:
   * Disabled   * Disabled
  
-**NAT target** - Defines the way NAT is implemented for the sake of Hairpinning. Masquerade is the default, however this involves an additional lookup ad the mapping of done towards an interface. SNAT is minimally minutely faster as the NAT mapping points directly to the destination IP and so it bypasses the lookup stage.+\\ 
 + 
 +{{::advanced-firewall-nat.jpg?454}} \\ \\ 
 + 
 +**NAT target** - This defines the way NAT is implemented for use during loopback. Masquerade is the default, but involves an additional lookupad the mapping of done towards an interface. SNAT is minutely fasteras the NAT mapping points directly to the destination IP and so it bypasses the lookup stage. However, SNAT is less reliable than Masquerade.
  
  \\  \\
  
-\\ {{:pasted:20220118-185509.png}}\\  \\ 
  
-**Enable IGMP proxy** - Runs the IGMP (Internet Group Management Protocol) service on the router.+===== Multicast =====
  
-**LAN0/LAN1/LAN2/LAN3** - Specifies which bridges will be subscribed to partecipate in IGMP using the router as a proxy between the LANs selected. Essentially, this allows IGMP to work between VLANs.+ \\ \\ {{:pasted:20220118-185509.png}}\\  \\ 
 + 
 +**Enable IGMP proxy** - Checking this enables the IGMP (Internet Group Management Protocol) service. 
 + 
 +LAN0 - LAN3 Specifies which bridges will be participate in IGMP using the router as a proxy between the LANs selected. This allows IGMP to work between VLANs. 
 + 
 +  * LAN0 - Checking this specifies the LAN0 bridge will participate in IGMP. 
 +  * LAN1 - Checking this specifies the LAN1 bridge will participate in IGMP. 
 +  * LAN2 - Checking this specifies the LAN2 bridge will participate in IGMP 
 +  * LAN3 - Checking this specifies the LAN3 bridge will participate in IGMP 
 + 
 + \\
  
 **Enable quick leave** - This is a feature of IGMP v2. This allows the router to stop the streaming of a multicast to an IP address as soon as that end device sends the quick leave IGMP packet. **Enable quick leave** - This is a feature of IGMP v2. This allows the router to stop the streaming of a multicast to an IP address as soon as that end device sends the quick leave IGMP packet.
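Review bot: the rewritten **NAT target** line in this hunk ("involves an additional lookupad the mapping of done towards an interface", "SNAT is minutely fasteras") is garbled and loses the meaning the deleted version still carried; suggested wording: "Masquerade is the default; it maps to an interface and looks up that interface's current address for each new connection. SNAT maps directly to a fixed IP and skips that lookup, so it is marginally faster." The added sentence "SNAT is less reliable than Masquerade" also needs its reason, which is the flip side of that lookup: Masquerade follows the WAN address if it changes (and drops its NAT state when the interface goes down), whereas SNAT keeps translating to the configured address and silently breaks after a WAN re-address, so it is only safe with a static WAN IP. In the **NAT loopback** rewrite, "almost never needed" is too strong: hairpinning is still required whenever a LAN host resolves a public name (such as the router's DDNS name) to the WAN address of a service hosted on the LAN, unless split DNS is configured instead. Grammar in the new Multicast block: "will be participate" should be "will participate", and the four LAN0 to LAN3 bullets only repeat the summary line above them. In the retained **Enable quick leave** line, the packet the host sends is the IGMPv2 Leave Group message; "quick leave" (fast leave) names the proxy's behaviour of dropping the group immediately on that message instead of waiting for the group-specific query to time out.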
advanced-firewall.txt · Last modified: 2023/05/28 05:39 by hogwild