Page 26 / 72
MAC ADDRESS FILTER (NETWORK FILTER)
The MAC address filter section can be used to filter network access by machines based on the
unique MAC addresses of their network adapter(s). It is most useful to prevent unauthorized
wireless devices from connecting to your network. A MAC address is a unique ID assigned by the
manufacturer of the network adapter. Note that a MAC address is transmitted in the clear in
every frame and can be changed in software on most devices, so MAC filtering is a convenience
control rather than a substitute for wireless encryption with a strong key.
MAC Filtering Setup
Choose the type of MAC filtering needed.
Turn MAC Filtering OFF: When "OFF" is selected, MAC addresses are not used to control
network access.
Turn MAC Filtering ON and ALLOW computers listed to access the network: When "ALLOW" is
selected, only computers with MAC addresses listed in the MAC Filtering Rules list are
granted network access.
Turn MAC Filtering ON and DENY computers listed to access the network: When "DENY" is
selected, any computer with a MAC address listed in the MAC Filtering Rules list is
refused access to the network.
Add MAC Filtering Rule
Use this section to add MAC addresses to the list below.
MAC Address
Enter the MAC address of a computer that you want to control with MAC filtering.
Computers that have obtained an IP address from the router's DHCP server appear in the
DHCP Client List; you can select one of them from the drop-down menu instead of typing
the address.
Save
Record the changes you have made into the following list.
MAC Filtering Rules
This section lists the network devices that are under control of MAC filtering.
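The three filtering modes above are easy to get wrong in practice because the same address can be written several ways (00:1A:2B:3C:4D:5E, 00-1a-2b-3c-4d-5e, 001a.2b3c.4d5e) and because modern phones and laptops use randomized, locally administered addresses that never match a manufacturer-assigned entry. The following Python is an added example, not code from the router or this manual; the allow-list and the client addresses are constructed for illustration. It normalizes addresses before comparison, flags locally administered (randomized or manually set) addresses, and evaluates the OFF / ALLOW / DENY policy exactly as described above.

```python
import re
from typing import Iterable

# Hypothetical allow-list, constructed for this example; entries may use any
# common separator style because they are normalized before comparison.
ALLOW_LIST = ["00:1A:2B:3C:4D:5E", "aa-bb-cc-dd-ee-ff", "001a.2b3c.4d5e"]

_SEPARATORS = re.compile(r"[:\-.]")
_HEX12 = re.compile(r"^[0-9A-Fa-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Return the MAC in canonical upper-case, colon-separated form.

    Accepts 00:1A:2B:3C:4D:5E, 00-1A-2B-3C-4D-5E and Cisco-style 001a.2b3c.4d5e;
    anything that is not exactly 48 bits of hex raises ValueError.
    """
    digits = _SEPARATORS.sub("", mac.strip())
    if not _HEX12.match(digits):
        raise ValueError(f"not a valid MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


def is_valid_mac(mac: str) -> bool:
    """Convenience wrapper: True if normalize_mac() accepts the string."""
    try:
        normalize_mac(mac)
        return True
    except ValueError:
        return False


def is_locally_administered(mac: str) -> bool:
    """True if the U/L bit (bit 1 of the first octet) is set.

    Randomized MACs, such as the per-network private addresses that current
    phones and laptops generate, set this bit. A device using one will not
    match a manufacturer-assigned entry in the rules list, and an attacker can
    set any value here, which is why MAC filtering is not an authentication
    mechanism.
    """
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


def mac_filter_permits(mac: str, mode: str, rules: Iterable[str]) -> bool:
    """Apply the router's three MAC filtering modes to one client address."""
    mode = mode.upper()
    if mode == "OFF":
        return True
    listed = normalize_mac(mac) in {normalize_mac(r) for r in rules}
    if mode == "ALLOW":
        return listed
    if mode == "DENY":
        return not listed
    raise ValueError(f"unknown MAC filtering mode: {mode!r}")
```

A practical use of is_locally_administered() is to warn an administrator, before a rule is saved, that the address they copied from a phone's Wi-Fi settings is probably a per-network random address that will change when the device forgets and rejoins the network.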
FIREWALL SETTINGS
The router provides a tight firewall by virtue of the way NAT works. Unless you configure the
router to the contrary, the NAT drops unsolicited incoming requests on every port, so hosts on
your LAN are not directly reachable from the Internet. However, some network applications
cannot run with a tight firewall. Those applications need to selectively open ports in the
firewall to function correctly. The options on this page control several ways of opening the
firewall to address the needs of specific types of applications. See also Advanced > Virtual
Server, Advanced > Port Forwarding, Advanced > Application Rules, and Advanced > Network
(UPnP) for related options.
Firewall Settings
Enable SPI
SPI ("stateful packet inspection" also known as "dynamic packet filtering") helps to
prevent cyberattacks by tracking more state per session. It validates that the traffic
passing through that session conforms to the protocol. When the protocol is TCP, SPI
checks that packet sequence numbers are within the valid range for the session,
discarding those packets that do not have valid sequence numbers.
Whether SPI is enabled or not, the router always tracks TCP connection states and
ensures that each TCP packet's flags are valid for the current state.
NAT Endpoint Filtering
The NAT Endpoint Filtering options control how the router's NAT manages incoming
connection requests to ports that are already being used.
Endpoint Independent
Once a LAN-side application has created a connection through a specific port, the NAT
will forward any incoming connection requests with the same port to the LAN-side
application regardless of their origin. This is the least restrictive option, giving the best
connectivity and allowing some applications (P2P applications in particular) to behave
almost as if they are directly connected to the Internet.
Address Restricted
The NAT forwards incoming connection requests to a LAN-side host only when they
come from the same IP address with which a connection was established. This allows the
remote application to send data back through a port different from the one used when the
outgoing session was created.
Port And Address Restricted
The NAT forwards incoming packets to a LAN-side host only when they come from the same
remote IP address and port with which the session was established. It does not forward
any other incoming connection request with the same port as an already established
connection.
Note that some of these options can interact with other port restrictions. Endpoint
Independent Filtering takes priority over inbound filters or schedules, so it is possible for
an incoming session request related to an outgoing session to enter through a port in
spite of an active inbound filter on that port. However, packets will be rejected as
expected when sent to blocked ports (whether blocked by schedule or by inbound filter)
for which there are no active sessions. Port and Address Restricted Filtering ensures that
inbound filters and schedules work precisely, but prevents some level of connectivity, and
therefore might require the use of port triggers, virtual servers, or gaming to open the
ports needed by the application. Address Restricted Filtering gives a compromise
position, which avoids problems when communicating with certain other types of NAT
router (symmetric NATs in particular) but leaves inbound filters and scheduled access
working as expected.
UDP Endpoint Filtering
Controls endpoint filtering for packets of the UDP protocol.
TCP Endpoint Filtering
Controls endpoint filtering for packets of the TCP protocol.
Formerly, the terms "Full Cone", "Restricted Cone", "Port Restricted Cone" and
"Symmetric" were used to refer to different variations of NATs. These terms are
purposely not used here, because they do not fully describe the behavior of this router's
NAT. While not a perfect mapping, the following loose correspondences between the
"cone" classification and the "endpoint filtering" modes can be drawn: if this router is
configured for endpoint independent filtering, it implements full cone behavior; address
restricted filtering implements restricted cone behavior; and port and address restricted
filtering implements port restricted cone behavior.
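The practical difference between the three modes is which unsolicited packets get into the LAN once a host has opened a port by talking outbound. The following Python is an added example, not the router's code or anything from this manual; the class and function names are hypothetical and the addresses and ports are constructed. It models one outbound session (with NAT port preservation, so the WAN port equals the LAN port) and then evaluates four probes arriving on the router's WAN address under each filtering mode. The first probe is the return traffic every mode must admit; the second is the peer replying from a different port (needed for some symmetric-NAT peers); the third is a third party hitting the open port, which only Endpoint Independent lets through, and which, as the page notes, is also forwarded in that mode in spite of an inbound filter on the port; the fourth targets a port with no session and is dropped by every mode.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Mode(Enum):
    # Loose correspondence to the older "cone" names, as the page notes.
    ENDPOINT_INDEPENDENT = "full cone"
    ADDRESS_RESTRICTED = "restricted cone"
    PORT_AND_ADDRESS_RESTRICTED = "port restricted cone"


@dataclass(frozen=True)
class Mapping:
    """One outbound session the NAT has created."""
    lan_ip: str
    lan_port: int
    wan_port: int        # with NAT port preservation this equals lan_port
    remote_ip: str
    remote_port: int


@dataclass(frozen=True)
class Inbound:
    """A packet arriving on the router's WAN address."""
    src_ip: str
    src_port: int
    dst_port: int


class EndpointFilteringNat:
    def __init__(self, mode: Mode) -> None:
        self.mode = mode
        self.mappings: List[Mapping] = []

    def outbound(self, lan_ip: str, lan_port: int, remote_ip: str,
                 remote_port: int, preserve_port: bool = True) -> Mapping:
        """Record a LAN-initiated session; this is what opens the WAN port."""
        wan_port = lan_port if preserve_port else 40000 + len(self.mappings)
        m = Mapping(lan_ip, lan_port, wan_port, remote_ip, remote_port)
        self.mappings.append(m)
        return m

    def inbound(self, pkt: Inbound) -> Optional[str]:
        """Return "lan_ip:lan_port" if the packet is forwarded, else None."""
        for m in self.mappings:
            if m.wan_port != pkt.dst_port:
                continue
            same_addr = m.remote_ip == pkt.src_ip
            same_port = same_addr and m.remote_port == pkt.src_port
            if (self.mode is Mode.ENDPOINT_INDEPENDENT
                    or (self.mode is Mode.ADDRESS_RESTRICTED and same_addr)
                    or (self.mode is Mode.PORT_AND_ADDRESS_RESTRICTED and same_port)):
                return f"{m.lan_ip}:{m.lan_port}"
        # No session on that port, or wrong origin for this mode: unsolicited, dropped.
        return None


def demo(mode: Mode) -> List[Optional[str]]:
    """Constructed scenario: one LAN host talks to a STUN-like server on UDP 3478,
    then four probes arrive on the same WAN port from different origins."""
    nat = EndpointFilteringNat(mode)
    nat.outbound("192.168.0.10", 5000, "203.0.113.5", 3478)
    probes = [
        Inbound("203.0.113.5", 3478, 5000),   # the peer, same port
        Inbound("203.0.113.5", 9999, 5000),   # the peer, different source port
        Inbound("198.51.100.7", 3478, 5000),  # a third party scanning the open port
        Inbound("198.51.100.7", 3478, 6000),  # a port with no session at all
    ]
    return [nat.inbound(p) for p in probes]
```

Running demo() for each mode gives [fwd, fwd, fwd, drop], [fwd, fwd, drop, drop] and [fwd, drop, drop, drop] respectively, which is exactly the trade-off the page describes: the less restrictive the mode, the more a port opened by one application is reachable by anyone who learns it.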
NAT Port Preservation
NAT Port preservation (on by default) tries to ensure that, when a LAN host makes an
Internet connection, the same LAN port is also used as the Internet visible port. This
ensures best compatibility for internet communications.
Under some circumstances it may be desirable to turn off this feature.
Anti-Spoof checking
Enabling this option can provide protection from certain kinds of "spoofing" attacks.
However, enable this option with care. With some modems, the WAN connection may be
lost when this option is enabled. In that case, it may be necessary to change the LAN
subnet to something other than 192.168.0.x (192.168.2.x, for example) to re-establish
the WAN connection.
DMZ Host
DMZ means "Demilitarized Zone." If an application has trouble working from behind the
router, you can expose one computer to the Internet and run the application on that
computer.
When a LAN host is configured as a DMZ host, it becomes the destination for all
incoming packets that do not match some other incoming session or rule. If any other
ingress rule is in place, that will be used instead of sending packets to the DMZ host; so,
an active session, virtual server, active port trigger, or gaming rule will take priority over
sending a packet to the DMZ host. (The DMZ policy resembles a default gaming rule that
forwards every port that is not specifically sent anywhere else.)
The router provides only limited firewall protection for the DMZ host. The router does not
forward a TCP packet that does not match an active DMZ session, unless it is a
connection establishment packet (SYN). Except for this limited protection, the DMZ host
is effectively "outside the firewall". Anyone considering using a DMZ host should also
consider running a firewall on that DMZ host system to provide additional protection.
Packets received by the DMZ host have their IP addresses translated from the WAN-side
IP address of the router to the LAN-side IP address of the DMZ host. However, port
numbers are not translated; so applications on the DMZ host can depend on specific port
numbers.
The DMZ capability is just one of several means for allowing incoming requests that
might appear unsolicited to the NAT. In general, the DMZ host should be used only if
there are no other alternatives, because it is much more exposed to cyberattacks than
any other system on the LAN. Thought should be given to using other configurations
instead: a virtual server, a gaming rule, or a port trigger. Virtual servers open one port for
incoming sessions bound for a specific application (and also allow port redirection and
the use of ALGs). A gaming rule is rather like a selective DMZ, where incoming traffic
targeted at one or more ports is forwarded to a specific LAN host (thereby not exposing as
many ports as a DMZ host). Port triggering is a special form of gaming rule, which is
activated by outgoing traffic, and for which ports are only forwarded while the trigger is
active.
Few applications truly require the use of the DMZ host. Following are examples of when
a DMZ host might be required:
A host needs to support several applications that might use overlapping ingress
ports, such that two gaming rules cannot be used because they would potentially
be in conflict.
To handle incoming connections that use a protocol other than ICMP, TCP, UDP,
and IGMP (also GRE and ESP, when these protocols are enabled by the PPTP
and IPSec ALGs).
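The precedence described above (active session, then virtual server, then port trigger, then gaming rule, and only then the DMZ host) together with the one firewall check the DMZ host still gets (a TCP packet with no active session is forwarded only if it is a SYN) is what determines how exposed the DMZ host really is. The following Python is an added example, not the router's code or anything from this manual; the Router and Packet names are hypothetical and the configuration and packets are constructed. It shows that a non-SYN TCP probe is dropped, that a SYN to any port not claimed by another rule reaches the DMZ host with its port number unchanged, and that a protocol without ports (GRE here, matching the second bullet above) goes to the DMZ host as well.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp", "icmp", or another IP protocol such as "gre"
    src_ip: str
    src_port: int = 0     # 0 for protocols without ports
    dst_port: int = 0     # port on the router's WAN address
    syn: bool = False     # TCP connection establishment (SYN)


@dataclass(frozen=True)
class Verdict:
    forward: bool
    target: Optional[str]   # "lan_ip" or "lan_ip:port"
    reason: str


@dataclass
class Router:
    wan_ip: str
    # (proto, src_ip, src_port, dst_port) -> "lan_ip:port" that owns the session
    sessions: Dict[Tuple[str, str, int, int], str] = field(default_factory=dict)
    # (proto, wan_port) -> (lan_ip, lan_port); a virtual server may redirect the port
    virtual_servers: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)
    # (proto, port range, lan_ip, active); a trigger only forwards while active
    port_triggers: List[Tuple[str, range, str, bool]] = field(default_factory=list)
    # (proto, port range, lan_ip); a gaming rule is a selective DMZ
    gaming_rules: List[Tuple[str, range, str]] = field(default_factory=list)
    dmz_host: Optional[str] = None

    def route(self, pkt: Packet) -> Verdict:
        """Apply the page's precedence: session, virtual server, port trigger,
        gaming rule, and only then the DMZ host."""
        owner = self.sessions.get((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_port))
        if owner:
            return Verdict(True, owner, "active session")
        vs = self.virtual_servers.get((pkt.proto, pkt.dst_port))
        if vs:
            return Verdict(True, f"{vs[0]}:{vs[1]}", "virtual server")
        for proto, ports, lan_ip, active in self.port_triggers:
            if active and proto == pkt.proto and pkt.dst_port in ports:
                return Verdict(True, f"{lan_ip}:{pkt.dst_port}", "port trigger")
        for proto, ports, lan_ip in self.gaming_rules:
            if proto == pkt.proto and pkt.dst_port in ports:
                return Verdict(True, f"{lan_ip}:{pkt.dst_port}", "gaming rule")
        if self.dmz_host is None:
            return Verdict(False, None, "unsolicited and no DMZ host")
        if pkt.proto == "tcp" and not pkt.syn:
            # The only firewalling the DMZ host gets: non-SYN TCP with no session is dropped.
            return Verdict(False, None, "TCP packet without session and not a SYN")
        # The destination address is rewritten to the DMZ host; the port is left untouched.
        if pkt.proto in ("tcp", "udp"):
            return Verdict(True, f"{self.dmz_host}:{pkt.dst_port}", "DMZ host")
        return Verdict(True, self.dmz_host, "DMZ host")


def example_router() -> Router:
    """Constructed configuration for this example (not from any real device)."""
    r = Router(wan_ip="198.51.100.1", dmz_host="192.168.0.40")
    r.virtual_servers[("tcp", 80)] = ("192.168.0.20", 8080)
    r.gaming_rules.append(("udp", range(27015, 27031), "192.168.0.30"))
    r.port_triggers.append(("tcp", range(6881, 6890), "192.168.0.30", False))
    r.sessions[("udp", "203.0.113.5", 3478, 5000)] = "192.168.0.10:5000"
    return r
```

Note what the inactive port trigger shows: while a trigger is not active, a SYN to one of its ports does not stay blocked, it falls through to the DMZ host. Any port not explicitly claimed elsewhere is open on the DMZ host, which is why the page recommends a host firewall there.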
Enable DMZ
Note:
Putting a computer in the DMZ may expose that computer to a variety of security
risks. Use of this option is only recommended as a last resort.
DMZ IP Address
Specify the LAN IP address of the LAN computer that you want to have unrestricted
Internet communication. If this computer obtains its address automatically using DHCP,
then you may want to make a static reservation on the Basic > Network Settings page
so that the IP address of the DMZ computer does not change.
Non-UDP/TCP/ICMP LAN Sessions
When a LAN application that uses a protocol other than UDP, TCP, or ICMP initiates a
session to the Internet, the router's NAT can track such a session, even though it does
not recognize the protocol. This feature is useful because it enables certain applications
(most importantly a single VPN connection to a remote host) without the need for an
ALG.
Note that this feature does not apply to the DMZ host (if one is enabled). The DMZ host
always handles these kinds of sessions.
Enable
Enabling this option (the default setting) enables single VPN connections to a remote
host. (But, for multiple VPN connections, the appropriate VPN ALG must be used.)
Disabling this option, however, only disables VPN if the appropriate VPN ALG is also
disabled.
Application Level Gateway (ALG) Configuration
Here you can enable or disable ALGs. Some protocols and applications require special
handling of the IP payload to make them work with network address translation (NAT).
Each ALG provides special handling for a specific protocol or application. A number of
ALGs for common applications are enabled by default.
PPTP
Allows multiple machines on the LAN to connect to their corporate networks using PPTP
protocol. When the PPTP ALG is enabled, LAN computers can establish PPTP VPN
connections either with the same or with different VPN servers. When the PPTP ALG is
disabled, the router allows VPN operation in a restricted way -- LAN computers are
typically able to establish VPN tunnels to different VPN Internet servers but not to the
same server. The advantage of disabling the PPTP ALG is to increase VPN performance.
Enabling the PPTP ALG also allows incoming VPN connections to a LAN side VPN
server (refer to Advanced > Virtual Server).
IPSec (VPN)
Allows multiple VPN clients to connect to their corporate networks using IPSec. Some
VPN clients support traversal of IPSec through NAT. This option may interfere with the
operation of such VPN clients. If you are having trouble connecting with your corporate
network, try disabling this option.
Check with the system administrator of your corporate network whether your VPN client
supports NAT traversal.
Note that L2TP VPN connections typically use IPSec to secure the connection. To
achieve multiple VPN pass-through in this case, the IPSec ALG must be enabled.
RTSP
Allows applications that use Real Time Streaming Protocol to receive streaming media
from the internet. QuickTime and Real Player are some of the common applications using
this protocol.
Windows/MSN Messenger
Supports use on LAN computers of Microsoft Windows Messenger (the Internet
messaging client that ships with Microsoft Windows) and MSN Messenger. The SIP ALG
must also be enabled when the Windows Messenger ALG is enabled.
FTP
Allows FTP clients and servers to transfer data across NAT. Refer to the Advanced >
Virtual Server page if you want to host an FTP server.
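The ALG introduction above says that some protocols need "special handling of the IP payload" to work through NAT, and FTP is the textbook case: in active mode the client sends its own private address and a listening port inside the PORT command, which the server cannot reach. The following Python is an added example of what the FTP ALG has to do for a LAN-side client, not the router's implementation or anything from this manual; the FtpAlg name is hypothetical and the addresses, ports and command lines are constructed. It rewrites the private address and port in the PORT payload to the router's WAN address and a freshly allocated WAN port, opens a single-use pinhole for the server's data connection, and accepts that connection only from the server the command was sent to. It also refuses a PORT command that names any host other than the sending client, so a client (or malware on it) cannot use the ALG to open a pinhole to another LAN machine (the classic FTP bounce problem).

```python
import re
from typing import Dict, Optional, Tuple

# "PORT h1,h2,h3,h4,p1,p2": the client advertises the address and port on which
# it will accept the server's data connection (RFC 959 active mode).
_PORT_CMD = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)


class FtpAlg:
    """Minimal active-mode FTP ALG for a LAN-side client behind NAT (hypothetical)."""

    def __init__(self, wan_ip: str, first_port: int = 40000) -> None:
        self.wan_ip = wan_ip
        self._next_port = first_port
        # wan_port -> (server_ip, lan_ip, lan_port); one entry per expected data connection
        self.pinholes: Dict[int, Tuple[str, str, int]] = {}

    def rewrite_command(self, lan_ip: str, server_ip: str, line: str) -> str:
        """Return the control-channel line to send on; non-PORT lines pass through.

        Raises ValueError for a malformed PORT command or one that names a host
        other than the client itself; such a line is dropped rather than used to
        open a pinhole to some other LAN host. Nothing is allocated on failure.
        """
        m = _PORT_CMD.match(line.rstrip("\r\n"))
        if not m:
            return line
        fields = [int(x) for x in m.group(1).split(",")]
        if any(x > 255 for x in fields):
            raise ValueError("PORT field out of range")
        adv_ip = ".".join(str(x) for x in fields[:4])
        adv_port = fields[4] * 256 + fields[5]
        if adv_ip != lan_ip or adv_port == 0:
            raise ValueError(f"PORT names {adv_ip}:{adv_port}, not the client {lan_ip}")
        wan_port = self._next_port
        self._next_port += 1
        self.pinholes[wan_port] = (server_ip, lan_ip, adv_port)
        hi, lo = divmod(wan_port, 256)
        return f"PORT {self.wan_ip.replace('.', ',')},{hi},{lo}\r\n"

    def inbound_data(self, src_ip: str, wan_port: int) -> Optional[Tuple[str, int]]:
        """Resolve the server's incoming data connection to (lan_ip, lan_port).

        The pinhole is address-restricted (only the FTP server may use it) and
        single use, so it does not linger as an open port on the WAN side.
        """
        entry = self.pinholes.get(wan_port)
        if entry is None or entry[0] != src_ip:
            return None
        del self.pinholes[wan_port]
        return entry[1], entry[2]


def try_rewrite(alg: FtpAlg, lan_ip: str, server_ip: str, line: str) -> Optional[str]:
    """Wrapper that returns None instead of raising, for callers that just drop bad lines."""
    try:
        return alg.rewrite_command(lan_ip, server_ip, line)
    except ValueError:
        return None
```

The same payload-inspection idea applies in the other direction when hosting an FTP server on the LAN via a virtual server: the ALG must then rewrite the server's 227 "Entering Passive Mode" reply. In both directions the ALG is parsing untrusted text to decide which ports to open, which is the reason the page lets each ALG be disabled individually.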
H.323 (Netmeeting)
Allows H.323 (specifically NetMeeting) clients to communicate across NAT. Note that if
you want your buddies to call you, you should also set up a virtual server for NetMeeting.
Refer to the Advanced > Virtual Server page for information on how to set up a virtual
server.
