FreshTomato Wiki

User Tools

Site Tools

Trace:
advanced-firewall

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
advanced-firewall [2022/01/18 19:13] rs232advanced-firewall [2024/11/27 00:42] (current) – [Multicast] hogwild
Line 1: Line 1:
 +====== Firewall ======
 +
 +The Firewall page allows you to configure options to protect or facilitate various types of network communications.
 +
 +
 ===== Firewall ===== ===== Firewall =====
  
-The Firewall page allows you to set up some options to protect/facilitate certain network communications.\\+{{:pasted:20220118-182859.png}} \\ 
 + 
 + \\ **WAN interfaces respond to ping and traceroute:  **lets your device reply to ping/traceroute request packets from Internet hosts. 
 + 
 +This is needed for //ping //and //traceroute to //work via the Internet. It also may be needed for proper functioning of some VPN or IPv6 protocols. 
 + 
 + \\ 
 + 
 +**Limit communication to: **specifies the maximum number of requests per second to which the Firewall replies. 
 + 
 +Setting a limit is recommended to prevent DDoS attacks.\\   \\   \\ {{:pasted:20220118-183317.png}}\\ 
 + 
 + \\ 
 + 
 +**Enable TCP SYN cookies:  **uses "SYN cookies" to protect the router from SYN Flood attacks. 
 + 
 +It encodes information from the SYN packet into the (SYN/ACK) response. It is a standard method for preventing SYN floods. However, it has limitations that may cause issues with some old TCP/IP stacks. 
 + 
 + \\ 
 + 
 +**Enable DCSP Fix:  **enables a workaround for packet marking, a well-known DCSP issue when using Comcast. 
 + 
 + \\ 
 + 
 +**Allow DHCP Spoofing: **makes FreshTomato accept/process packets from DHCP servers with different IP than the one it advertises. 
 + 
 +Such behaviour is often categorized as a DHCP spoofing attack, but rarely, might be legitimate. Using this lowers security.\\  \\ 
 + 
 +**Smart MTU black hole detection:** this feature detects ICMP black holes and smartly tries to adjust the path MTU. 
 + 
 +For details on MTU and black holes, see this blog post: [[https://blog.cloudflare.com/path-mtu-discovery-in-practice/|The CloudFlare Blog: Path MTU Discovery in Practice]] 
 + 
 + 
 +===== NAT ===== 
 + 
 +**NAT loopback:** lets LAN devices access each other via the router's WAN interface. 
 + 
 +Also known as "Hairpinning", it's often used when connecting to the DDNS domain of your router via the LAN. These days, this setting is almost never needed. Also, it can create speed bottlenecks. 
 + 
 + \\ 
 + 
 +  * All 
 +  * Forwarded Only 
 +  * Disabled 
 + 
 + \\ 
 + 
 +{{::advanced-firewall-nat-2024.1.png?361}} 
 + 
 +\\ 
 + 
 +**NAT target: **defines how NAT is implemented in loopback situations. 
 + 
 +Masquerade is the default, but involves an additional lookup, and the mapping is done towards an interface. SNAT is minutely faster, as its NAT mapping points directly to the destination IP, thus bypassing the lookup stage. However, SNAT is less reliable than Masquerade. 
 + 
 + \\ 
 + 
 + 
 +===== Multicast ===== 
 + 
 + \\ \\ {{:pasted:20220118-185509.png?742}}\\  \\ 
 + 
 +**Enable IGMP proxy: **enables the Internet Group Management Protocol service. 
 + 
 +LAN0 - LAN3 specify which bridges will participate in IGMP, with the router acting as a proxy between chosen LANs. This lets IGMP work between VLANs. 
 + 
 + \\ 
 + 
 +  * LAN0 - Causes the LAN0 bridge to join in IGMP proxy. 
 +  * LAN1 - Causes the LAN1 bridge to join in IGMP proxy. 
 +  * LAN2 - Causes the LAN2 bridge to join in IGMP proxy. 
 +  * LAN3 - Causes the LAN3 bridge to join in IGMP proxy. 
 + 
 + \\ 
 + 
 +**Enable quick leave:** this IGMPv2 feature lets the router stop multicasting to an IP that has sent it a "quick leave" packet. 
 + 
 + \\ 
 + 
 +**Custom Configuration:** lets you configure advanced settings for the IGMP proxy daemon. Consult official documentation.\\   \\ 
 + 
 + \\ {{:pasted:20220118-190050.png}}\\  \\ 
 + 
 +**Enable Udpxy: **like IGMP proxy, this lets devices on different VLANs do multicast communications. 
 + 
 +Since they are similar, use one or the other, but not both at the same time. 
 + 
 + \\ 
 + 
 +**Upstream interface: **here, enter the expected stream source location. 
 + 
 +(Default: blank). 
 + 
 + \\ 
 + 
 +**LAN0/LAN1/LAN2/LAN3** - specifies the location streaming clients should be found. 
 + 
 + \\ 
 + 
 +**Enable client statistics:** causes FreshTomato to collect statistics about Udpxy clients. 
 + 
 + \\ 
 + 
 +**Max clients: **the maximum number of simultaneous Udpxy clients. 
 + 
 +Udpxy is is a lightweight protocol, so it works well for a limited number of clients. You might want to set a maximum limit. 
 + 
 + \\ 
 + 
 +**Udpxy port: **specifies the port on which to receive Udpxy information from your router.\\  \\   \\  {{:pasted:20220118-190844.png}}\\  \\ 
 + 
 + \\ 
 + 
 +**Efficient Multicast Forwarding (IGMP Snooping): **IGMP snooping makes the router's switch facilitate discovery of Multicast IGMP clients. This helps to send multicast traffic only towards ports with at least one multicast subscriber, reducing overall multicast traffic. 
 + 
 +However, caution is advised. IGMP Snooping can interfere with functioning of UPnP or DLNA. This can make Multicast configuration errors or deficiencies appear as UPnP issues. Enabling IGMP snooping on a router's switch interferes with UPnP/DLNA device discovery. Specifically, it can interfere with SSDP protocol transmissions. If IGMP snooping is improperly configured (say, without an active querier/IGMP proxy), it can make UPnP appear unreliable. 
 + 
 +A common symptom of this is a network host (say, a Smart TV) which appears after it's powered on, but then "disappears" from the network after a few minutes. To be more precise, typically 30 minutes. This is because the default setting for when IGMP group membership will expire. Please be aware of the wireless multicast forwarding setting in the the //Advanced///[[advanced-wireless|Wireless]] menu. 
 + 
 + \\ 
 + 
 +**Force IGMPv2: **forces IGMPv2 to be used on the network. 
 + 
 +IGMPv2 enhances IGMP with additional messages/behavior to optimize end-to-end client-server communication. Probably the most important one is the "Leave Group" message. When a host wants to stop listening to a multicast group address, it reports to the router that it has stopped listening. In v1, the host simply stopped listening, without informing the router. 
 + 
 + \\
  
-{{:pasted:20220118-182859.png}}\\ +Other features of IGMPv2 include:
-**WAN interfaces respond to ping and traceroute** - When enabled this option allows your device to respond to certain ICMP/UDP packets so that a ''ping'' and ''traceroute'' work from Internet.\\ +
-**Limit communication to**: This number imposes a maximum number of requests per seconds. It is advised to set up a limit to prevent DDOS attacks.\\+
  
-{{:pasted:20220118-183317.png}}\\ +Group specific membership queryNow, the router can send membership query for a specific group addressWhen the router receives a leave group messageit will use this query to check if there are still hosts interested in receiving the multicast traffic.
-**Enable TCP SYN cookies** - Enabling this will protect the router from SYN Flood attacks via well known technique called SYN cookiesThis technique encodes info from the SYN packet into the responce (SYN/ACK). Please notedespite being a standard technique enabling this option imposes some secondary limitation some old TCP/IP staks might not be easy to handle\\ +
-**Enable DCSP Fix** - This enables a work-around for a well-known issue related SCP (packet marking) when connected to the ISP Comcast\\ +
-**IPv6 IPSec Passthrough** - FIXME\\+
  
-{{:pasted:20220118-184523.png}}\\ +MRT (Maximum Response Time) field. This new field in query messages specifies how much time hosts have to respond to the query.
-**NAT loopback** - NAT loopback a.k.a Hairpinning is a well know technique that allows LAN devices to access another LAN device via the WAN interface of your router. This is common practice when calling e.g. the DDNS domain of your router from the LAN for administration purpose. Please  note this is somehow a legacy setting an it's probably not needed any more. Also be aware of communication bottleneck introduced by this system on fast connections.\\ +
-**NAT target** - Define the way NAT is implemented for the sake of Hairpinning. Masquerade is the default however this involves an additional lookup ad the mapping of done towards an interface. SNAT is faster (if ever measurable) as the NAT mapping point directly to the destination IP hence bypassing the lookup stage.+
  
-Multicast\\ +Querier election processWhen two routers are on the same subnet, only one should send query messagesHaving an "election" process ensures only one router, with the lowest IP address, becomes the active querier.
-{{:pasted:20220118-185509.png}}\\ +
-**Enable IGMP proxy** - Runs the IGMP (Internet Group Management Protocol) for your router.\\ +
-**LAN0/LAN1/LAN2/LAN3** - where enabled the bridges will partecipate in IGMP subscription using the router as a proxy between the LANs selected. This essentially allows IGMP to work between VLANs.\\ +
-**Enable quick leave** - This is a feature of IGMP v2 and allows the router to stop streaming of the multicast IP as soon as the end device sends the quick leave IGMP packet.\\ +
-**Custom Configuration** - This option allows you to set up some advanced parameters for the IGMP proxy daemon. Make sure to consult the official documentation.\\+
  
-{{:pasted:20220118-190050.png}}\\ + \\
-**Enable Udpxy** - Similarly to IGMP proxy Udpxy allows multicast communication between sender and receiver sitting in different VLANs. NOTE: since the behavior is pretty much identical you should use either but not both at the same time.\\ +
-**Upstream interface** - leave empty for default - Defines where the stream source is expected to live.\\ +
-**LAN0/LAN1/LAN2/LAN3** - this is where the stream clients are expected to live.\\ +
-**Enable client statistics** - As the option suggest if enabled statistical information about the clients is collected. +
-**Max clients** - Considering this is a lightwave protocol it works well for a limited number of clients, you might want to impose a maximum number if any.\\ +
-**Udpxy port**- This is where you can consult the Udpxy information on your router.\\+
  
-{{:pasted:20220118-190844.png}}\\ + \\ \\   \\
-**Efficient Multicast Forwarding (IGMP Snooping)** - IGMP snooping is a way to have the switch (router) facilitating the discovery of multicast (IGMP) clients. Beware that enabling IGMP snooping might interfare with some multicast based applications/protocols, a well know issue revolve around Upnp.\\ +
-**Force IGMPv2** - IGMPv2 enhances the IGMP communication supporting additional messages/behavior to optimise the end-to-end communication between client and server. Possibly the most important being the "Group Leave" message which is lacking instead in IGMP v1.\\+
  
  
advanced-firewall.1642533233.txt.gz · Last modified: by rs232

Page Tools

Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki