Reference Manual for the Wireless Cable Modem Gateway CG814WG v2
5-6
Protecting Your Network
Blocking Access by Time of Day
The default blocking schedule is to block access all day. However, you can also block access
according to a daily schedule for each PC individually.
1. In the MAC Filter List, select the PC for which the schedule will be modified.
2. In the Day(s) to Block section, click the boxes next to the days when you want access blocked.
3. In the Time of Day to Block section, select either All Day, or set the hours for internet blocking.
4. Click Apply to activate the settings.
Using Port Blocking
Firewall rules are used to block or allow specific traffic passing through from one side to the other.
Inbound rules (WAN to LAN) restrict access by outsiders to private resources, selectively allowing
only specific outside users to access specific resources. Instructions for setting up inbound rules
can be found in “Port Forwarding” on page -7. Outbound rules (LAN to WAN) determine what
outside resources local users can have access to. This section describes how to set up outbound
rules.
A firewall has two default rules, one for inbound traffic and one for outbound. The default rules of
the CG814WG v2 are:
Inbound: Block all access from outside except responses to requests from the LAN side.
Outbound: Allow all access from the LAN side to the outside.
You may define additional rules that will specify exceptions to the default rules. By adding custom
rules, you can block or allow access based on the service or application, source or destination IP
addresses, and time of day.
To configure outbound rules on the CG814WG v2, click the Port Blocking link on the Advanced
section of the main menu.
Figure 5-5: Port Blocking menu
To block outbound traffic, select the service you would like to block from the drop-down list
of predefined services. Click Add.
If the service you would like to block is not in the predefined list, you can add a custom
service. Enter the range of ports you would like to block and select whether the ports are TCP,
UDP or Both. Click Add.
To delete an existing rule, select its button on the left side of the table and click Delete.
Port Forwarding
Because the CG814WG v2 uses Network Address Translation (NAT), your network presents only
one IP address to the Internet, and outside users cannot directly address any of your local
computers. However, by defining an inbound rule you can make a local server (for example, a Web
server or game server) visible and available to the Internet. The rule tells the gateway to direct
inbound traffic for a particular service to one local server based on the destination port number.
This is also known as Port Forwarding.
Considerations for Port Forwarding
If the IP address of the local server PC is assigned by DHCP, it may change when the PC is
rebooted. To avoid this, you can assign a static IP address to your server outside the range that
is assigned by DHCP, but in the same subnet as the rest of your LAN. By default, the IP
addresses in the range of 192.168.0.2 through 192.168.0.9 are reserved for this.
Local PCs must access the local server using the PCs’ local LAN address (192.168.0.XXX, by
default). Attempts by local PCs to access the server using the external WAN IP address will
fail.
Remember that allowing inbound services opens holes in your firewall. Only enable those ports
that are necessary for your network.
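The following Python check is an added illustration of the first consideration above (choosing a fixed address for the server PC); it is not from the manual or the gateway firmware. It takes the LAN subnet, the gateway address and the DHCP pool bounds as parameters. The manual states only that 192.168.0.2 through 192.168.0.9 are reserved by default, so the pool bounds used here (192.168.0.10 through 192.168.0.254) are an assumption.

```python
import ipaddress

# Constructed defaults for illustration. The manual states only that 192.168.0.2-192.168.0.9
# are reserved for static servers by default; the DHCP pool bounds below are an assumption.
LAN_SUBNET = ipaddress.ip_network("192.168.0.0/24")
GATEWAY_ADDRESS = ipaddress.ip_address("192.168.0.1")
RESERVED_STATIC = (ipaddress.ip_address("192.168.0.2"), ipaddress.ip_address("192.168.0.9"))
DHCP_POOL = (ipaddress.ip_address("192.168.0.10"), ipaddress.ip_address("192.168.0.254"))


def in_range(addr, bounds):
    """True if addr lies inside the inclusive (low, high) address pair."""
    low, high = bounds
    return low <= addr <= high


def check_static_server_address(candidate, subnet=LAN_SUBNET, gateway=GATEWAY_ADDRESS,
                                dhcp_pool=DHCP_POOL, reserved=RESERVED_STATIC):
    """Return (ok, reason). ok is True only if the address is usable as a fixed
    Port Forwarding target: inside the LAN subnet, not the gateway itself, not the
    network or broadcast address, and outside the DHCP pool (so a reboot cannot
    hand the address to a different PC)."""
    addr = ipaddress.ip_address(candidate)
    if addr not in subnet:
        return False, "not in LAN subnet %s" % subnet
    if addr in (subnet.network_address, subnet.broadcast_address):
        return False, "network or broadcast address"
    if addr == gateway:
        return False, "address belongs to the gateway"
    if in_range(addr, dhcp_pool):
        return False, "inside DHCP pool %s-%s; the lease may move after a reboot" % dhcp_pool
    if in_range(addr, reserved):
        return True, "ok: inside the default reserved range %s-%s" % reserved
    return True, "ok: outside the DHCP pool"
```

Run it against each address you intend to enter in a Port Forwarding rule; a False result with its reason tells you why the rule would stop working after a reboot or never match at all.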
The following are two application examples of inbound rules.
To forward inbound traffic:
1. Select the service you would like to forward from the drop-down list of predefined services.
Figure 5-6: Port Forwarding menu
Note: Some residential broadband ISP accounts do not allow you to run any server
processes (such as a Web or FTP server) from your location. Your ISP may periodically
check for servers and may suspend your account if it discovers any active services at
your location. If you are unsure, refer to the Acceptable Use Policy of your ISP.
If the service you would like to forward is not in the predefined list, you can add a custom
service. Enter the range of ports you would like to forward and select whether the ports are
TCP, UDP or Both.
2. Enter the IP address of the computer on your network to which you would like to direct the
inbound traffic.
3. Click Add.
4. To access the local computer from the Internet, you must use the WAN address of your
gateway, which can be found on the Basic Settings page.
To delete an existing rule, select its button on the left side of the table and click Delete.
Using Port Triggering
Port Triggering is an advanced feature that allows you to dynamically open inbound ports based on
outbound traffic on different ports. This is an advanced feature that can be used for gaming and
other internet applications.
Port Forwarding can typically be used to enable similar functionality, but it is static and has some
limitations. Ports will be open to traffic from the internet until the port forwarding rule is removed.
Additionally, port forwarding does not work well for some applications when your WAN IP
address is assigned by DHCP and changes frequently. Port Triggering opens an incoming port
temporarily and does not require the server on the internet to track your IP address if it
changes.
Port Triggering monitors outbound traffic. When the gateway detects traffic on the specified
outbound port, it remembers the IP address of the computer that sent the data and “triggers” the
incoming port. Incoming traffic on the triggered port is then forwarded to the triggering computer.
An example of Port Triggering for Internet Relay Chat (IRC) is shown in Figure 5-7. When you
connect to an IRC server, the server tries to connect back on port 113 to do an Ident lookup. Unless
you have configured Port Forwarding to open port 113, the traffic will be blocked. In this example,
the initial login to the server in the range of ports 6660 to 6670 will be detected. This will trigger
the gateway to temporarily forward port 113 to the PC that initiated the login.
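The following Python model is an added illustration of the rule evaluation described in this section and under Port Forwarding; it is not the manual's own material or the gateway's firmware. The Gateway class, its method names and the holding time for a triggered port are assumptions (the manual says only that the port is opened temporarily), and NAT port translation is not modelled. The addresses and the SMTP blocking rule in the examples are constructed; the IRC ports 6660 to 6670 and the Ident port 113 come from the text above.

```python
from dataclasses import dataclass


@dataclass
class PortForward:
    """Static inbound rule: traffic to these WAN ports always goes to one LAN host."""
    proto: str          # "TCP", "UDP" or "Both"
    ports: range
    lan_ip: str


@dataclass
class PortTrigger:
    """Dynamic inbound rule: target ports open only after outbound activity on the trigger ports."""
    proto: str
    trigger: range      # outbound ports watched for activity
    target: range       # inbound ports forwarded to the triggering host
    enabled: bool = True


def _proto_match(rule_proto, proto):
    return rule_proto == "Both" or rule_proto == proto


class Gateway:
    """Rule evaluation modelled on the manual's description (added illustration, not firmware).
    NAT port translation is not modelled: a reply is matched on the LAN port the PC used."""

    def __init__(self, trigger_ttl=300.0):
        self.block_rules = []       # (proto, range): outbound Port Blocking rules
        self.forwards = []          # PortForward rules
        self.triggers = []          # PortTrigger rules
        self.flows = set()          # (lan_ip, proto, lan_port, wan_ip, wan_port) seen outbound
        self.open_triggers = {}     # (proto, port) -> (lan_ip, expires_at)
        self.trigger_ttl = trigger_ttl  # assumed holding time; the manual only says "temporarily"

    def outbound(self, lan_ip, lan_port, wan_ip, wan_port, proto, now):
        """Default outbound rule: allow, unless a Port Blocking rule matches the destination port."""
        for rule_proto, ports in self.block_rules:
            if _proto_match(rule_proto, proto) and wan_port in ports:
                return False
        self.flows.add((lan_ip, proto, lan_port, wan_ip, wan_port))
        # Port Triggering: remember who sent the data and open the target ports toward that host.
        for t in self.triggers:
            if t.enabled and _proto_match(t.proto, proto) and wan_port in t.trigger:
                for tp in (("TCP", "UDP") if t.proto == "Both" else (t.proto,)):
                    for port in t.target:
                        self.open_triggers[(tp, port)] = (lan_ip, now + self.trigger_ttl)
        return True

    def inbound(self, wan_ip, wan_port, dst_port, proto, now):
        """Default inbound rule: block everything except replies to LAN-initiated flows.
        Port Forwarding rules and armed triggers are the only exceptions.
        Returns the LAN address the packet is delivered to, or None if it is dropped."""
        for lan_ip, fproto, lan_port, fwan_ip, fwan_port in self.flows:
            if (fproto, fwan_ip, fwan_port, lan_port) == (proto, wan_ip, wan_port, dst_port):
                return lan_ip
        for f in self.forwards:
            if _proto_match(f.proto, proto) and dst_port in f.ports:
                return f.lan_ip
        entry = self.open_triggers.get((proto, dst_port))
        if entry is not None:
            lan_ip, expires_at = entry
            if now < expires_at:
                return lan_ip
            del self.open_triggers[(proto, dst_port)]   # holding time over: port closes again
        return None


def web_server_example():
    """Static Port Forwarding: port 80 to a LAN web server (constructed addresses)."""
    gw = Gateway()
    gw.forwards.append(PortForward("TCP", range(80, 81), "192.168.0.5"))
    return {
        "http_to_server": gw.inbound("198.51.100.7", 5555, 80, "TCP", now=0),
        "ssh_unsolicited": gw.inbound("198.51.100.7", 5556, 22, "TCP", now=0),
    }


def irc_example():
    """The manual's IRC case: a login on 6660-6670 triggers a temporary opening of port 113."""
    gw = Gateway(trigger_ttl=60)
    gw.block_rules.append(("Both", range(25, 26)))   # constructed Port Blocking rule: outbound SMTP
    gw.triggers.append(PortTrigger("TCP", range(6660, 6671), range(113, 114)))
    results = {}
    # Ident lookup before any IRC login: dropped by the default inbound rule.
    results["ident_before_login"] = gw.inbound("203.0.113.10", 40000, 113, "TCP", now=0)
    # PC 192.168.0.20 logs in to the IRC server on 6667: allowed, and the trigger is armed.
    results["irc_login"] = gw.outbound("192.168.0.20", 51000, "203.0.113.10", 6667, "TCP", now=1)
    # The server connects back to port 113: forwarded to the PC that initiated the login.
    results["ident_after_login"] = gw.inbound("203.0.113.10", 40001, 113, "TCP", now=2)
    # The server's reply on the IRC connection itself is a response to a LAN request.
    results["irc_reply"] = gw.inbound("203.0.113.10", 6667, 51000, "TCP", now=3)
    # After the holding time the triggered port is closed again.
    results["ident_expired"] = gw.inbound("203.0.113.10", 40002, 113, "TCP", now=100)
    # The custom outbound rule blocks SMTP from the LAN.
    results["smtp_blocked"] = gw.outbound("192.168.0.20", 51001, "203.0.113.25", 25, "TCP", now=4)
    return results
```

The contrast between the two examples is the point of the section: the forwarded port 80 is reachable from any Internet address at any time, whereas port 113 is reachable only by whoever the triggering PC talked to, and only until the holding time runs out.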
To configure Port Triggering:
1. In the Trigger Range, enter the outbound ports that will be monitored for activity. This will be the “trigger”.
2. In the Target Range, enter the inbound ports that should be forwarded when the trigger occurs.
3. Select the appropriate protocol: TCP, UDP or Both.
4. Check the Enable box.
5. Click Apply.
To clear a Port Triggering rule, you can either remove the check from the Enable box, to
temporarily disable the rule, or you can select the rule and click Delete.
Figure 5-7: Port Triggering menu, with IRC example.
Setting Up A Default DMZ Host
The Default DMZ Server feature is helpful when using some online games and videoconferencing
applications that are incompatible with NAT. The gateway is programmed to recognize some of
these applications and to work properly with them, but there are other applications that may not
function well. In some cases, one local PC can run the application properly if that PC’s IP address
is entered as the Default DMZ Host.
Note: For security, you should avoid using the Default DMZ Server feature. When a
computer is designated as the Default DMZ Server, it loses much of the protection of the
firewall, and is exposed to many exploits from the Internet. If compromised, the
computer can be used to attack your network.
