CRADLEPOINT
MBR95| USER MANUAL Firmware ver. 3.6.3
NETWORK SETTINGS
FIREWALL
© 2011
CRADLEPOINT, INC.
PLEASE VISIT
HTTP://KNOWLEDGEBASE.CRADLEPOINT.COM/
FOR MORE HELP AND RESOURCES
PAGE 59
6.4 Firewall (Advanced Mode only)
The router automatically provides a firewall. Unless you configure the router to the contrary, the router does not respond to unsolicited incoming requests on any port, thereby making your LAN invisible to cyber attackers.
However, some network applications, such as some Internet gaming systems, cannot run with a tight firewall. Those applications need to selectively open ports in the firewall to function correctly. The options on this page control ways of opening the firewall to address the needs of specific types of applications.
6.4.1 Port Forwarding Rules
A port forwarding rule allows traffic from the Internet to reach a computer on the inside of your network. For example, a port forwarding rule might be used to run a Web server.
Exercise caution when adding new rules as they impact the security of your network.
Click Add to create a new port forwarding rule, or select an existing rule and click Edit.
Add/Edit Port Forwarding Rule
Name: Name your rule.
Use Port Range: Changes the selection options to allow you to input a range of ports (if desired).
Internet Port(s): The port number(s) as you want them defined on the Internet. Typically these will be the same as the local port numbers, but they do not have to be. These numbers will be mapped to the local port numbers.
Local Computer: Select the IP address of an attached device from the dropdown menu, or manually input the IP address of a device.
Local Port(s): The port number(s) that correspond to the service (Web server, FTP, etc.) on a local computer or device. For example, you might input “80” in the Local Port(s) field to open a port for a Web server on a computer within your network. The Internet Port(s) field could then also be 80, or you could choose another port number that will be used across the Internet to access your Web server. If you choose a number other than 80 for the Internet Port, connections to that number will be mapped to 80, and therefore to the Web server within your network.
Protocol: Select from the following options in the dropdown menu:
o TCP
o UDP
o TCP & UDP
Click Submit to save your completed port forwarding rule.
6.4.2 IP Filter Rules (Advanced)
An "Incoming" IP filter rule restricts remote access to computers on your local network. "Outgoing" filter rules prevent computers on your local network from initiating communication to the address range specified in the rule.
This feature is especially useful when combined with port forwarding and/or DMZ to restrict remote access to a specified host or network range. For example, in order to host a server you might have opened ports with a port forwarding rule that could expose your LAN to cyber attacks. With an incoming IP filter rule, you can restrict the access to your LAN to only known devices.
Name: Name your rule.
Enabled: Selected by default.
Direction: “Any,” “Incoming,” or “Outgoing”
Action: “Allow” or “Deny”
Protocol: Any, ICMP, TCP, UDP, GRE, ESP, or SCTP.
IP Source / IP Destination
Network IP: Optional field to specify a network IP address for this rule to match against.
Netmask: Use this to define the subnet size this rule will match against.
Port(s): Use for a single port or a range of ports. Fill in the left side for a single port.
Use Network IP, Netmask, and Port(s) to specify the ports and addresses for which the rule applies. You can specify a range of ports or a single port. Similarly, the netmask can be used to define either a range of addresses (e.g. 255.255.255.0) or a single address (255.255.255.255).
If you leave these values blank, then all IP addresses and ports will be included.
The IP Source and IP Destination options can be used to differentiate between the directions that packets go. You could permit packets to come from particular IP addresses but then not allow packets to return to those addresses.
Example of an IP Filter Rule:
Suppose you have opened a port in your firewall in order to run a server. Someone, Johnny, is abusing that opening, so you would like to restrict his access. Create a rule that will deny Johnny’s IP address.
Add IP Filter Rule
Name: No more Johnny
Enabled: Selected
Direction: Incoming
Action: Deny
Protocol: Any
IP Source
Network IP: 172.22.24.160 (Johnny’s IP address)
Netmask: 255.255.255.255 (This netmask restricts the rule to one single address.)
Port(s): 80
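The matching semantics described in this section (direction, action, protocol, Network IP with netmask, and Port(s), with blank fields matching everything), modelled in Python as an added example; this is not Cradlepoint code and does not describe the router's implementation. It assumes rules are checked in order with the first match deciding, an Allow default when nothing matches, and that a rule naming a port never matches a port-less protocol such as ICMP; the manual's "No more Johnny" rule is transcribed as NO_MORE_JOHNNY.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple
@dataclass
class Endpoint:                               # one "IP Source"/"IP Destination" box
    network_ip: Optional[str] = None          # blank -> any address
    netmask: str = "255.255.255.255"          # 255.255.255.255 = one single address
    ports: Optional[Tuple[int, int]] = None   # (lo, hi); a single port is (p, p)

    def matches(self, addr: str, port: Optional[int]) -> bool:
        if self.network_ip:  # the netmask decides how much of the address must match
            net = IPv4Network(f"{self.network_ip}/{self.netmask}", strict=False)
            if IPv4Address(addr) not in net:
                return False
        if self.ports is not None:  # assumption: port-less protocols never match a port
            lo, hi = self.ports
            if port is None or not lo <= port <= hi:
                return False
        return True
@dataclass
class FilterRule:
    name: str
    direction: str = "Any"        # "Any", "Incoming" or "Outgoing"
    action: str = "Deny"          # "Allow" or "Deny"
    protocol: str = "Any"         # Any, ICMP, TCP, UDP, GRE, ESP or SCTP
    source: Endpoint = field(default_factory=Endpoint)
    destination: Endpoint = field(default_factory=Endpoint)
    enabled: bool = True          # "Selected by default"
@dataclass
class Packet:
    direction: str                # "Incoming" or "Outgoing"
    protocol: str
    src: str
    dst: str
    sport: Optional[int] = None   # None for ICMP, GRE and ESP
    dport: Optional[int] = None
def evaluate(rules: List[FilterRule], p: Packet, default: str = "Allow") -> str:
    """Action of the first enabled rule that matches p (assumed first-match order)."""
    for r in rules:
        if (r.enabled and r.direction in ("Any", p.direction)
                and r.protocol in ("Any", p.protocol)
                and r.source.matches(p.src, p.sport)
                and r.destination.matches(p.dst, p.dport)):
            return r.action
    return default

# The manual's example rule, transcribed field by field (Port(s) 80 under IP Source).
NO_MORE_JOHNNY = FilterRule("No more Johnny", "Incoming", "Deny", "Any",
                            Endpoint("172.22.24.160", "255.255.255.255", (80, 80)))
```

Because the example puts 80 under IP Source, this model only denies packets from Johnny's address whose source port is 80; a client connecting to a Web server normally carries 80 as its destination port, so a rule meant to cover every connection from that address would leave Port(s) blank or put 80 under IP Destination.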
6.4.3 DMZ: DeMilitarized Zone (Advanced)
A DMZ host is effectively not firewalled, in the sense that any computer on the Internet may attempt to remotely access network services at the DMZ IP address. Typical uses involve running a public Web server or sharing files.
Input the IP Address of a single device in your network to create a DeMilitarized Zone for that device. To ensure that the IP address of the selected device remains consistent, go to the “Reservations” section under Network Settings → DHCP Server and reserve the IP address for the device.
As with port forwarding, use caution when enabling the DMZ feature as it can threaten the security of your network. Only use DMZ as a last resort.
6.4.4 Firewall Options
Anti-Spoof: Anti-Spoof checks help protect against malicious users faking the source address in packets they transmit in order to either hide themselves or to impersonate someone else. Once the user has spoofed their address they can launch a network attack without revealing the true source of the attack, or attempt to gain access to network services that are restricted to certain addresses.
Packet Normalization: Normalizing packets helps secure the router in untrusted environments. It does so by "scrubbing" packets that are ambiguous or might represent a break-in attempt. Packet Normalization also helps ensure reliable connectivity for some WAN devices such as WiMAX modems. Only disable this option if you are sure you do not need it.
Static NAT Ports: If enabled, the source port does not translate in TCP and UDP packets during NAT. Some NAT traversal protocols such as STUN(T) require that the source port stay the same when traversing the firewall.