26

of

72

MAC ADDRESS FILTER (NETWORK FILTER)

The MAC address filter section can be used to filter network access by machines based on the

unique MAC addresses of their network adapter(s). It is most useful to prevent unauthorized

wireless devices from connecting to your network. A MAC address is a unique ID assigned by the

manufacturer of the network adapter.

MAC Filtering Setup

Choose the type of MAC filtering needed.

Turn MAC Filtering OFF:

When "OFF" is selected, MAC addresses are not used to

control network access.

Turn MAC Filtering ON and ALLOW computers listed to access the network:

When

"ALLOW" is selected, only computers with MAC addresses listed in the MAC Filtering

Rules list are granted network access.

Turn MAC Filtering ON and DENY computers listed to access the network:

When

"DENY" is selected, any computer with a MAC address listed in the MAC Filtering Rules

list is refused access to the network.

Add MAC Filtering Rule

Use this section to add MAC addresses to the list below.

MAC Address

Enter the MAC address of a computer that you want to control with MAC filtering.

Computers that have obtained an IP address from the router's DHCP server will be in the

DHCP Client List. Select a device from the drop down menu.

Save

Record the changes you have made into the following list.

MAC Filtering Rules

This section lists the network devices that are under control of MAC filtering.

FIREWALL SETTINGS

The router provides a tight firewall by virtue of the way NAT works. Unless you configure the

router to the contrary, the NAT does not respond to unsolicited incoming requests on any port,

thereby making your LAN invisible to Internet cyberattackers. However, some network

applications cannot run with a tight firewall. Those applications need to selectively open ports in

the firewall to function correctly. The options on this page control several ways of opening the

firewall to address the needs of specific types of applications. See also

Advanced

→

Virtual Server

,

Advanced

→

Port Forwarding

,

Advanced

→

Application Rules

, and

Advanced

→

Network (UPnP)

for related options.

27

of

72

Firewall Settings

Enable SPI

SPI ("stateful packet inspection" also known as "dynamic packet filtering") helps to

prevent cyberattacks by tracking more state per session. It validates that the traffic

passing through that session conforms to the protocol. When the protocol is TCP, SPI

checks that packet sequence numbers are within the valid range for the session,

discarding those packets that do not have valid sequence numbers.

Whether SPI is enabled or not, the router always tracks TCP connection states and

ensures that each TCP packet's flags are valid for the current state.

NAT Endpoint Filtering

The NAT Endpoint Filtering options control how the router's NAT manages incoming

connection requests to ports that are already being used.

Endpoint Independent

Once a LAN-side application has created a connection through a specific port, the NAT

will forward any incoming connection requests with the same port to the LAN-side

application regardless of their origin. This is the least restrictive option, giving the best

connectivity and allowing some applications (P2P applications in particular) to behave

almost as if they are directly connected to the Internet.

Address Restricted

The NAT forwards incoming connection requests to a LAN-side host only when they

come from the same IP address with which a connection was established. This allows the

remote application to send data back through a port different from the one used when the

outgoing session was created.

Port And Address Restricted

The NAT does not forward any incoming connection requests with the same port address

as an already establish connection.

Note that some of these options can interact with other port restrictions. Endpoint

Independent Filtering takes priority over inbound filters or schedules, so it is possible for

an incoming session request related to an outgoing session to enter through a port in

spite of an active inbound filter on that port. However, packets will be rejected as

expected when sent to blocked ports (whether blocked by schedule or by inbound filter)

for which there are no active sessions. Port and Address Restricted Filtering ensures that

inbound filters and schedules work precisely, but prevents some level of connectivity, and

therefore might require the use of port triggers, virtual servers, or gaming to open the

ports needed by the application. Address Restricted Filtering gives a compromise

position, which avoids problems when communicating with certain other types of NAT

router (symmetric NATs in particular) but leaves inbound filters and scheduled access

working as expected.

UDP Endpoint Filtering

Controls endpoint filtering for packets of the UDP protocol.

28

of

72

TCP Endpoint Filtering

Controls endpoint filtering for packets of the TCP protocol.

Formerly, the terms "Full Cone", "Restricted Cone", "Port Restricted Cone" and

"Symmetric" were used to refer to different variations of NATs. These terms are

purposely not used here, because they do not fully describe the behavior of this router's

NAT. While not a perfect mapping, the following loose correspondences between the

"cone" classification and the "endpoint filtering" modes can be drawn: if this router is

configured for endpoint independent filtering, it implements full cone behavior; address

restricted filtering implements restricted cone behavior; and port and address restricted

filtering implements port restricted cone behavior.

NAT Port Preservation

NAT Port preservation (on by default) tries to ensure that, when a LAN host makes an

Internet connection, the same LAN port is also used as the Internet visible port. This

ensures best compatibility for internet communications.

Under some circumstances it may be desirable to turn off this feature.

Anti-Spoof checking

Enabling this option can provide protection from certain kinds of "spoofing" attacks.

However, enble this option with care. With some modems, the WAN connection may be

lost when this option is enabled. In that case, it may be necessary to change the LAN

subnet to something other than 192.168.0.x (192.168.2.x, for example), to re-establish

the WAN connection.

DMZ Host

DMZ means "Demilitarized Zone." If an application has trouble working from behind the

router, you can expose one computer to the Internet and run the application on that

computer.

When a LAN host is configured as a DMZ host, it becomes the destination for all

incoming packets that do not match some other incoming session or rule. If any other

ingress rule is in place, that will be used instead of sending packets to the DMZ host; so,

an active session, virtual server, active port trigger, or gaming rule will take priority over

sending a packet to the DMZ host. (The DMZ policy resembles a default gaming rule that

forwards every port that is not specifically sent anywhere else.)

The router provides only limited firewall protection for the DMZ host. The router does not

forward a TCP packet that does not match an active DMZ session, unless it is a

connection establishment packet (SYN). Except for this limited protection, the DMZ host

is effectively "outside the firewall". Anyone considering using a DMZ host should also

consider running a firewall on that DMZ host system to provide additional protection.

Packets received by the DMZ host have their IP addresses translated from the WAN-side

IP address of the router to the LAN-side IP address of the DMZ host. However, port

numbers are not translated; so applications on the DMZ host can depend on specific port

numbers.

29

of

72

The DMZ capability is just one of several means for allowing incoming requests that

might appear unsolicited to the NAT. In general, the DMZ host should be used only if

there are no other alternatives, because it is much more exposed to cyberattacks than

any other system on the LAN. Thought should be given to using other configurations

instead: a virtual server, a gaming rule, or a port trigger. Virtual servers open one port for

incoming sessions bound for a specific application (and also allow port redirection and

the use of ALGs). gaming is rather like a selective DMZ, where incoming traffic targeted

at one or more ports is forwarded to a specific LAN host (thereby not exposing as many

ports as a DMZ host). Port triggering is a special form of gaming, which is activated by

outgoing traffic, and for which ports are only forwarded while the trigger is active.

Few applications truly require the use of the DMZ host. Following are examples of when

a DMZ host might be required:

•

A host needs to support several applications that might use overlapping ingress

ports such that two gaming rules cannot be used because they would potentially

be in conflict.

•

To handle incoming connections that use a protocol other than ICMP, TCP, UDP,

and IGMP (also GRE and ESP, when these protocols are enabled by the PPTP

and IPSec ALGs ).

Enable DMZ

Note:

Putting a computer in the DMZ may expose that computer to a variety of security

risks. Use of this option is only recommended as a last resort.

DMZ IP Address

Specify the LAN IP address of the LAN computer that you want to have unrestricted

Internet communication. If this computer obtains its address Automatically using DHCP,

then you may want to make a static reservation on the

Basic

→

Network Settings

page

so that the IP address of the DMZ computer does not change.

Non-UDP/TCP/ICMP LAN Sessions

When a LAN application that uses a protocol other than UDP, TCP, or ICMP initiates a

session to the Internet, the router's NAT can track such a session, even though it does

not recognize the protocol. This feature is useful because it enables certain applications

(most importantly a single VPN connection to a remote host) without the need for an

ALG.

Note that this feature does not apply to the DMZ host (if one is enabled). The DMZ host

always handles these kinds of sessions.

Enable

Enabling this option (the default setting) enables single VPN connections to a remote

host. (But, for multiple VPN connections, the appropriate VPN ALG must be used.)

Disabling this option, however, only disables VPN if the appropriate VPN ALG is also

disabled.

30

of

72

Application Level Gateway (ALG) Configuration

Here you can enable or disable ALGs. Some protocols and applications require special

handling of the IP payload to make them work with network address translation (NAT).

Each ALG provides special handling for a specific protocol or application. A number of

ALGs for common applications are enabled by default.

PPTP

Allows multiple machines on the LAN to connect to their corporate networks using PPTP

protocol. When the PPTP ALG is enabled, LAN computers can establish PPTP VPN

connections either with the same or with different VPN servers. When the PPTP ALG is

disabled, the router allows VPN operation in a restricted way -- LAN computers are

typically able to establish VPN tunnels to different VPN Internet servers but not to the

same server. The advantage of disabling the PPTP ALG is to increase VPN performance.

Enabling the PPTP ALG also allows incoming VPN connections to a LAN side VPN

server (refer to

Advanced

→

Virtual Server

).

IPSec (VPN)

Allows multiple VPN clients to connect to their corporate networks using IPSec. Some

VPN clients support traversal of IPSec through NAT. This option may interfere with the

operation of such VPN clients. If you are having trouble connecting with your corporate

network, try disabling this option.

Check with the system adminstrator of your corporate network whether your VPN client

supports NAT traversal.

Note that L2TP VPN connections typically use IPSec to secure the connection. To

achieve multiple VPN pass-through in this case, the IPSec ALG must be enabled.

RTSP

Allows applications that use Real Time Streaming Protocol to receive streaming media

from the internet. QuickTime and Real Player are some of the common applications using

this protocol.

Windows/MSN Messenger

Supports use on LAN computers of Microsoft Windows Messenger (the Internet

messaging client that ships with Microsoft Windows) and MSN Messenger. The SIP ALG

must also be enabled when the Windows Messenger ALG is enabled.

FTP

Allows FTP clients and servers to transfer data across NAT. Refer to the

Advanced

→

Virtual Server

page if you want to host an FTP server.

H.323 (Netmeeting)

Allows H.323 (specifically NetMeeting) clients to communicate across NAT. Note that if

you want your buddies to call you, you should also set up a virtual server for NetMeeting.

Refer to the

Advanced

→

Virtual Server

page for information on how to set up a virtual

server.