FreshTomato Wiki

User Tools

Site Tools

Trace:
advanced-firewall

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
Last revisionBoth sides next revision
advanced-firewall [2023/05/28 04:26] – [Multicast] -clarity-very hard to understand hogwildadvanced-firewall [2023/05/28 05:05] – [Multicast] -clarity of IGMP Snooping and Force IGMPv2 details hogwild
Line 6: Line 6:
 ===== Firewall ===== ===== Firewall =====
  
-{{:pasted:20220118-182859.png}} \\  \\ **WAN interfaces respond to ping and traceroute:  **If enabled, this allows your device to reply to ICMP ping and traceroute request packets from Internet hosts. This is necessary for //ping //and //traceroute to //work from the Internet.+{{:pasted:20220118-182859.png}} \\
  
-**Limit communication to:  **This specifies the maximum number of requests per second to which the Firewall will reply. Setting a limit number is recommended to prevent DDoS attacks.\\   \\   \\  {{:pasted:20220118-183317.png}}\\+ \\ **WAN interfaces respond to ping and traceroute:  **If enabled, this allows your device to reply to ICMP ping and traceroute request packets from Internet hostsThis is necessary for //ping //and //traceroute to //work from the Internet.
  
- \\  \\ **Enable TCP SYN cookies:  **Enabling this protects the router from SYN Flood attacks via the "SYN cookies" technique. This function encodes information from the SYN packet into the (SYN/ACK) response. This is a standard method for preventing SYN floods. However, it has certain limitations which may cause issues with some old TCP/IP stacks.+**Limit communication to:  **This specifies the maximum number of requests per second to which the Firewall will reply. Setting a limit number is recommended to prevent DDoS attacks.\\   \\   \\ {{:pasted:20220118-183317.png}}\\ 
 + 
 + \\ 
 + 
 +**Enable TCP SYN cookies:  **Enabling this uses the "SYN cookies" technique to protect the router from SYN Flood attacks. This function encodes information from the SYN packet into the (SYN/ACK) response. This is a standard method for preventing SYN floods. However, it has certain limitations which may cause issues with some old TCP/IP stacks.
  
 **Enable DCSP Fix:  **Checking this enables a workaround for packet marking, a well-known issue related to DSCP when connected to Comcast. **Enable DCSP Fix:  **Checking this enables a workaround for packet marking, a well-known issue related to DSCP when connected to Comcast.
Line 46: Line 50:
   * LAN0 - Checking this means the LAN0 bridge will participate in IGMP proxy.   * LAN0 - Checking this means the LAN0 bridge will participate in IGMP proxy.
   * LAN1 - Checking this means the LAN1 bridge will participate in IGMP proxy.   * LAN1 - Checking this means the LAN1 bridge will participate in IGMP proxy.
-  * LAN2 - Checking this means the LAN2 bridge will participate in IGMP proxy/+  * LAN2 - Checking this means the LAN2 bridge will participate in IGMP proxy.
   * LAN3 - Checking this means the LAN3 bridge will participate in IGMP proxy.   * LAN3 - Checking this means the LAN3 bridge will participate in IGMP proxy.
  
Line 53: Line 57:
 **Enable quick leave** - This is a feature of IGMP v2 and later. Enabling this allows the router to stop streaming multicast to an IP address as soon as that device sends a "quick leave" IGMP packet. **Enable quick leave** - This is a feature of IGMP v2 and later. Enabling this allows the router to stop streaming multicast to an IP address as soon as that device sends a "quick leave" IGMP packet.
  
-**Custom Configuration** - This option allows you to set up advanced parameters for the IGMP proxy daemon. Please consult the official IGMP documentation before finalizing these settings.\\   \\+**Custom Configuration** - This option allows you to set advanced parameters for the IGMP proxy daemon. Consult official IGMP documentation before using this.\\   \\
  
  \\ {{:pasted:20220118-190050.png}}\\  \\  \\ {{:pasted:20220118-190050.png}}\\  \\
Line 69: Line 73:
 **Udpxy port**- This specifies the port on which you can recive Udpxy information from your router.\\  \\   \\  {{:pasted:20220118-190844.png}}\\  \\ **Udpxy port**- This specifies the port on which you can recive Udpxy information from your router.\\  \\   \\  {{:pasted:20220118-190844.png}}\\  \\
  
-**Efficient Multicast Forwarding (IGMP Snooping) -** IGMP snooping is a way to have the switch (part of the router) facilitating the discovery of multicast (IGMPclients. The idea is to only multicast traffic towards ethernet ports where there'at least one group joiner (a.k.a. subscriber client)Beware, UPnP is often the only significant multicast application in use in digital home networks; therefore, multicast network misconfiguration or other deficiencies can appear as UPnP issues rather than underlying network issues. If IGMP snooping is enabled on a switch, or more commonly a wireless router/switch, it will interfere with UPnP/DLNA device discovery (SSDP) if incorrectly or incompletely configured (e.g. without an active querier or IGMP proxy), making UPnP appear unreliable. Typical scenarios observed include server or client (e.g. smart TV) appearing after power on, and then disappearing after a few minutes (often 30 by default configuration) due to IGMP group membership expiringOn this very topic please beware of the wireless multicast forwarding under [[advanced-wireless|Advanced Wireless]]+**Efficient Multicast Forwarding (IGMP Snooping) -** IGMP snooping makes the router'switch facilitate discovery of Multicast IGMP clients. This will help to send multicast traffic only towards ports with at least one multicast subscriber. 
 + 
 +However, caution is advised. Often, UPnP or DLNA is the only significant multicast application in use on a home network. Thus, multicast configuration issues or other deficiencies can appear as UPnP issues, but are actually underlying network issues. 
 + 
 +Enabling IGMP snooping on a wireless router's/switch will interfere with UPnP/DLNA device discovery. Specifically, the SSDP protocol transmissions. If IGMP snooping is incorrectly or incompletely configured (say, without an active querier or IGMP proxy), this make UPnP appear unreliable. 
 + 
 +A common symptom of this is network host (say, a Smart TV) which appears after it's powered on, but then "disappears" from the network after a few minutes. To be more precise, often this period is 30 minutes. This is because the defaut setting for when IGMP group membership will expirePlease be aware of the wireless multicast forwarding setting in the the //Advanced///[[advanced-wireless|Wireless]] menu.
  
-**Force IGMPv2** - IGMPv2 enhances the IGMP communication supporting additional messages/behavior to optimise the end-to-end communication between client and server. Possibly the most important being the "Group Leave" message which is lacking instead in IGMP v1.\\   \\+**Force IGMPv2** - IGMPv2 enhances IGMP with additional messages/behavior to optimize end-to-end client-server communicationPerhaps the most important of these additional messages is the "Group Leave" message. This message did not exist in previous IGMP versions.\\   \\
  
  
advanced-firewall.txt · Last modified: 2023/05/28 05:39 by hogwild

Page Tools

Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki