Page 56 / 74
Firewall Settings
The device provides a tight firewall by virtue of the way NAT works. Unless you
configure the router to the contrary, the NAT does not respond to unsolicited
incoming requests on any port, thereby making your LAN invisible to Internet
cyber attacks. However, some network applications cannot run with a tight
firewall. Those applications need to selectively open ports in the firewall to
function correctly. The options on this page control several ways of opening the
firewall to address the needs of specific types of applications.
° Enable SPI: Place a check in this box to enable SPI. SPI ("stateful packet inspection", also known as "dynamic packet filtering") helps to prevent cyber attacks by tracking more state per session. It validates that the traffic passing through that session conforms to the protocol. When the protocol is TCP, SPI checks that packet sequence numbers are within the valid range for the session, discarding those packets that do not have valid sequence numbers. Whether SPI is enabled or not, the router always tracks TCP connection states and ensures that each TCP packet's flags are valid for the current state.
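The following is an added illustration, not code from the manual or the router's firmware: a minimal stateful inspector for one LAN-initiated TCP session. It always checks each packet's flags against the connection state (as the router does regardless of the SPI setting) and, only when spi=True, also checks the sequence number against the receive window. The handshake and the segments in demo() are constructed, and the fixed 65535-byte window is an assumption.

```python
# Added example, not the router's firmware: a minimal stateful inspector for one
# TCP session. Flags are always checked against the connection state; sequence
# numbers are checked against the receive window only when spi=True.

SYN, ACK, FIN, RST = 0x02, 0x10, 0x01, 0x04
MOD32 = 0xFFFFFFFF


class TcpSession:
    """Tracks one LAN-initiated TCP connection. direction is 'out' (LAN->WAN) or 'in'."""

    def __init__(self, spi=True, window=65535):
        self.spi = spi
        self.state = "CLOSED"
        self.next_seq = {"out": None, "in": None}   # next sequence number expected per direction
        self.window = window                          # assumed receive window for both directions

    def _in_window(self, direction, seq, length):
        expected = self.next_seq[direction]
        if expected is None:
            return True
        # A segment is acceptable if any of its bytes falls in [expected, expected + window),
        # computed modulo 2^32 so that wrap-around is handled.
        first = (seq - expected) & MOD32
        last = (seq + max(length, 1) - 1 - expected) & MOD32
        return first < self.window or last < self.window

    def inspect(self, direction, flags, seq, ack=0, length=0):
        """Return True if the packet is valid for the current state (and window), else False."""
        st = self.state
        if st == "CLOSED":
            if direction == "out" and flags & SYN and not flags & ACK:
                self.state = "SYN_SENT"
                self.next_seq["out"] = (seq + 1) & MOD32
                return True
            return False                                   # only an outbound SYN opens a session
        if st == "SYN_SENT":
            if direction == "in" and flags & SYN and flags & ACK and ack == self.next_seq["out"]:
                self.state = "SYN_RECEIVED"
                self.next_seq["in"] = (seq + 1) & MOD32
                return True
            return False
        if st == "SYN_RECEIVED":
            if direction == "out" and flags & ACK and not flags & SYN and ack == self.next_seq["in"]:
                self.state = "ESTABLISHED"
                return True
            return False
        if st == "ESTABLISHED":
            if flags & SYN:
                return False                               # a new SYN is never valid mid-session
            in_window = self._in_window(direction, seq, length)
            if self.spi and not in_window:
                return False                               # SPI: out-of-window sequence number
            if flags & RST:
                self.state = "CLOSED"
                return True
            if in_window:
                fin = 1 if flags & FIN else 0
                self.next_seq[direction] = (seq + length + fin) & MOD32
            if flags & FIN:
                self.state = "FIN_WAIT"
            return True
        return False                                       # FIN_WAIT teardown is not modelled here


def demo(spi):
    """Run a constructed handshake followed by good and bad segments; return the verdicts."""
    s = TcpSession(spi=spi)
    return [
        s.inspect("out", SYN, seq=1000),                               # handshake step 1
        s.inspect("in", SYN | ACK, seq=5000, ack=1001),                # handshake step 2
        s.inspect("out", ACK, seq=1001, ack=5001),                     # handshake step 3
        s.inspect("out", ACK, seq=1001, ack=5001, length=100),         # data inside the window
        s.inspect("in", ACK, seq=205001, ack=1101, length=10),         # 200000 bytes past the window
        s.inspect("in", SYN, seq=7000),                                # SYN inside an established session
        s.inspect("in", ACK, seq=5001, ack=1101, length=10),           # data inside the window
    ]
```

With spi=True the fifth segment is discarded because its sequence number lies far outside the window; with spi=False it passes, while the stray SYN in the sixth step is rejected in both cases because the flag check does not depend on SPI.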
° TCP / UDP NAT Endpoint Filtering: These options control how the router's NAT manages incoming connection requests to ports that are already being used. Select one of the radio buttons.
o End Point Independent: Once a LAN-side application has created a connection through a specific port, the NAT will forward any incoming connection requests with the same port to the LAN-side application regardless of their origin. This is the least restrictive option, giving the best connectivity and allowing some applications (P2P applications in particular) to behave almost as if they are directly connected to the Internet.
o Address Restricted: The NAT forwards incoming connection requests to a LAN-side host only when they come from the same IP address with which a connection was established. This allows the remote application to send data back through a port different from the one used when the outgoing session was created.
o Port And Address Restricted: The NAT does not forward incoming connection requests on an already established connection's port unless they come from the same remote IP address and port with which that connection was established.
° Note: Some of these options can interact with other port restrictions. Endpoint Independent Filtering takes priority over inbound filters or schedules, so it is possible for an incoming session request related to an outgoing session to enter through a port in spite of an active inbound filter on that port. However, packets will be rejected as expected when sent to blocked ports (whether blocked by schedule or by inbound filter) for which there are no active sessions. Port and Address Restricted Filtering ensures that inbound filters and schedules work precisely, but prevents some level of connectivity, and therefore might require the use of port triggers, virtual servers, or port forwarding to open the ports needed by the application. Address Restricted Filtering gives a compromise position, which avoids problems when communicating with certain other types of NAT router (symmetric NATs in particular) but leaves inbound filters and scheduled access working as expected.
° Enable Port Preservation: Place a check in this box to enable Port Preservation. NAT Port Preservation (on by default) tries to ensure that, when a LAN host makes an Internet connection, the same LAN port is also used as the Internet-visible port. This ensures best compatibility for Internet communications. Under some circumstances it may be desirable to turn off this feature.
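The following is an added illustration, not code from the manual or the router's firmware, covering the three endpoint-filtering modes, the note above about Endpoint Independent filtering taking priority over an inbound filter on a port with an active session, and port preservation. It is a toy NAT table; the LAN and remote addresses, the blocked port 6881 and the 40000+ fallback port range are constructed values, and Port And Address Restricted is implemented with its usual meaning (remote IP and port must both match).

```python
# Added example, not the router's firmware: a toy NAT table showing how the three
# endpoint-filtering modes treat inbound packets, how Endpoint Independent
# filtering bypasses an inbound filter on a port that has an active session,
# and how port preservation chooses the WAN-visible port.

EIF, ADDR_RESTRICTED, PORT_ADDR_RESTRICTED = "independent", "address", "port_address"


class Nat:
    def __init__(self, mode=EIF, port_preservation=True, blocked_ports=()):
        self.mode = mode
        self.port_preservation = port_preservation
        self.blocked_ports = set(blocked_ports)  # ports closed by an inbound filter or schedule
        self.mappings = {}    # wan_port -> (lan_ip, lan_port, {(remote_ip, remote_port), ...})
        self.next_port = 40000                   # first port handed out when preservation fails

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """Record a LAN-initiated session and return the WAN port it is mapped to."""
        for wan_port, (ip, port, peers) in self.mappings.items():
            if (ip, port) == (lan_ip, lan_port):     # same LAN endpoint: reuse its mapping
                peers.add((remote_ip, remote_port))
                return wan_port
        wan_port = self._allocate(lan_port)
        self.mappings[wan_port] = (lan_ip, lan_port, {(remote_ip, remote_port)})
        return wan_port

    def _allocate(self, lan_port):
        # Port preservation: use the LAN source port as the WAN port when it is free.
        if self.port_preservation and lan_port not in self.mappings:
            return lan_port
        while self.next_port in self.mappings:
            self.next_port += 1
        self.next_port += 1
        return self.next_port - 1

    def inbound(self, remote_ip, remote_port, wan_port):
        """Return the (lan_ip, lan_port) an inbound packet is forwarded to, or None if dropped."""
        entry = self.mappings.get(wan_port)
        if entry is None:
            return None             # unsolicited: no session on this port, filtered or not
        lan_ip, lan_port, peers = entry
        if self.mode == EIF:
            return (lan_ip, lan_port)   # any origin, even through an active inbound filter
        if wan_port in self.blocked_ports:
            return None             # restricted modes leave inbound filters working as expected
        if self.mode == ADDR_RESTRICTED:
            allowed = any(ip == remote_ip for ip, _ in peers)
        else:                       # PORT_ADDR_RESTRICTED
            allowed = (remote_ip, remote_port) in peers
        return (lan_ip, lan_port) if allowed else None


def demo(mode, port_preservation=True):
    """Constructed scenario: an inbound filter blocks 6881; two LAN hosts open sessions."""
    nat = Nat(mode, port_preservation, blocked_ports={6881})
    p2p = nat.outbound("192.168.0.10", 6881, "203.0.113.5", 6881)
    voip = nat.outbound("192.168.0.20", 5060, "203.0.113.9", 5060)
    return {
        "p2p_wan_port": p2p,
        "voip_wan_port": voip,
        "voip_same_peer": nat.inbound("203.0.113.9", 5060, voip),
        "voip_same_ip_other_port": nat.inbound("203.0.113.9", 7000, voip),
        "voip_other_host": nat.inbound("198.51.100.7", 5060, voip),
        "p2p_other_host_on_filtered_port": nat.inbound("198.51.100.7", 6881, p2p),
        "unsolicited": nat.inbound("198.51.100.7", 6881, 50000),
    }
```

Running demo() with each mode shows the trade-off the note describes: in Endpoint Independent mode the packet from an unknown host reaches the LAN host even on the filtered port, in the two restricted modes the filter holds, and only Port And Address Restricted rejects the known peer when it replies from a different port. Turning port preservation off makes both sessions appear on 40000 and 40001 instead of their LAN ports.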
° Enable anti-spoof checking: Place a check in this box to enable anti-spoof checking. Enabling this option can provide protection from certain kinds of "spoofing" attacks. However, enable this option with care. With some modems, the WAN connection may be lost when this option is enabled. In that case, it may be necessary to change the LAN subnet to something other than 192.168.0.x (192.168.2.x, for example) to re-establish the WAN connection.
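The following is an added illustration, not code from the manual or the router's firmware: an interface-based source-address check of the kind an anti-spoof option performs, which drops WAN-side packets claiming a LAN address and LAN-side packets claiming an address outside the LAN subnet. The modem case is an assumed explanation of the caveat above (the manual states only the symptom): a modem that talks to the router from a 192.168.0.x management address is indistinguishable from a spoofed LAN address while the LAN itself uses 192.168.0.x, and is accepted again once the LAN moves to 192.168.2.x. All addresses in demo() are constructed.

```python
# Added example, not the router's firmware: a source-address anti-spoof check
# tied to the interface a packet arrives on. The 192.168.0.1 modem management
# address is an assumed value illustrating the manual's caveat.

import ipaddress


class AntiSpoof:
    def __init__(self, lan_subnet, enabled=True):
        self.lan = ipaddress.ip_network(lan_subnet)
        self.enabled = enabled

    def allow(self, iface, src):
        """True if a packet with source address src arriving on iface ('lan' or 'wan') passes."""
        if not self.enabled:
            return True
        addr = ipaddress.ip_address(src)
        if iface == "wan":
            return addr not in self.lan   # a LAN address never legitimately arrives from the WAN
        if iface == "lan":
            return addr in self.lan       # a LAN host must use an address from the LAN subnet
        raise ValueError(f"unknown interface {iface!r}")


def demo(lan_subnet, enabled=True):
    """Constructed packets: an Internet host, a forged LAN address on the WAN, the modem's
    assumed management address, a LAN host, and a LAN host using a foreign address."""
    check = AntiSpoof(lan_subnet, enabled)
    return {
        "internet_host_from_wan": check.allow("wan", "203.0.113.5"),
        "lan_address_from_wan": check.allow("wan", "192.168.0.55"),
        "modem_management_from_wan": check.allow("wan", "192.168.0.1"),
        "lan_host_from_lan": check.allow("lan", str(check.lan[10])),
        "foreign_address_from_lan": check.allow("lan", "10.0.0.10"),
    }
```

With the LAN on 192.168.0.0/24 the modem's packets are dropped along with genuinely forged ones; with the LAN on 192.168.2.0/24 the same check passes the modem while still dropping forged 192.168.2.x sources from the WAN.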
° Enable DMZ Host: Place a check in this box to enable the DMZ host. A DMZ host is a demilitarized zone used to provide Internet services without exposing the local private network to unauthorized access. Typically, the DMZ host contains devices accessible to Internet traffic, such as web, FTP, email and DNS servers.
° DMZ IP Address: Specify the IP address of the DMZ host.
° Non-UDP/TCP/ICMP LAN Sessions: Place a check in this box to enable this feature. When a LAN application that uses a protocol other than UDP, TCP, or ICMP initiates a session to the Internet, the router's NAT can track such a session, even though it does not recognize the protocol. This feature is useful because it enables certain applications (most importantly a single VPN connection to a remote host) without the need for an ALG.
° Note: This feature does not apply to the DMZ host (if one is enabled). The DMZ host always handles these kinds of sessions.
° Enabling this option (the default setting) enables single VPN connections to a remote host. (But, for multiple VPN connections, the appropriate VPN ALG must be used.) Disabling this option, however, only disables VPN if the appropriate VPN ALG is also disabled.
° Application Layer Gateway (ALG) Configuration: Place a check in the appropriate feature boxes to enable them. Some protocols and applications require special handling of the IP payload to make them work with network address translation (NAT). Each ALG provides special handling for a specific protocol or application. A number of ALGs for common applications are enabled by default.
o PPTP: Allows multiple machines on the LAN to connect to their corporate networks using the PPTP protocol. When the PPTP ALG is enabled, LAN computers can establish PPTP VPN connections either with the same or with different VPN servers. When the PPTP ALG is disabled, the router allows VPN operation in a restricted way -- LAN computers are typically able to establish VPN tunnels to different VPN Internet servers but not to the same server. The advantage of disabling the PPTP ALG is to increase VPN performance. Enabling the PPTP ALG also allows incoming VPN connections to a LAN-side VPN server (refer to Advanced > Virtual_Server).
o IPSec (VPN): Allows multiple VPN clients to connect to their corporate networks using IPSec. Some VPN clients support traversal of IPSec through NAT. This option may interfere with the operation of such VPN clients. If you are having trouble connecting with your corporate network, try disabling this option. Check with the system administrator of your corporate network whether your VPN client supports NAT traversal.
o RTSP: Allows applications that use the Real Time Streaming Protocol to receive streaming media from the Internet. QuickTime and Real Player are some of the common applications using this protocol.
o Windows/MSN Messenger: Supports use on LAN computers of Microsoft Windows Messenger (the Internet messaging client that ships with Microsoft Windows) and MSN Messenger. The SIP ALG must also be enabled when the Windows Messenger ALG is enabled.
o FTP: Allows FTP clients and servers to transfer data across NAT.
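The following is an added illustration, not code from the manual or the router's firmware, of the "special handling of the IP payload" that the ALG introduction describes, using the FTP ALG as the concrete case. In active-mode FTP the LAN client sends its own private address and port inside the PORT command, which the server would be unable to reach; the ALG rewrites the command to carry the WAN address and a WAN port, and records a pinhole so the server's inbound data connection is mapped back to the client. The WAN address 203.0.113.2, the 50000+ port range and the sample commands are constructed.

```python
# Added example, not the router's firmware: the payload rewriting an FTP ALG
# performs for an active-mode PORT command, plus the pinhole it opens for the
# server's data connection. Addresses and port range are constructed values.

import re

PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")


def encode_port_arg(ip, port):
    """'203.0.113.2', 50000 -> '203,0,113,2,195,80' (port is sent as p1*256 + p2)."""
    return ",".join(ip.split(".") + [str(port >> 8), str(port & 0xFF)])


def decode_port_arg(match):
    octets = [int(g) for g in match.groups()]
    return ".".join(map(str, octets[:4])), octets[4] * 256 + octets[5]


class FtpAlg:
    def __init__(self, wan_ip, first_port=50000):
        self.wan_ip = wan_ip
        self.next_port = first_port
        self.pinholes = {}   # wan_port -> (lan_ip, lan_port) awaiting the server's data connection

    def rewrite_outbound(self, payload):
        """Rewrite a LAN->WAN control-channel payload; non-PORT payloads pass through unchanged."""
        m = PORT_RE.match(payload)
        if not m:
            return payload
        lan_ip, lan_port = decode_port_arg(m)
        wan_port = self.next_port
        self.next_port += 1
        self.pinholes[wan_port] = (lan_ip, lan_port)
        # A real ALG must also adjust TCP sequence/acknowledgement numbers on the
        # control connection when the rewritten payload changes length; not shown here.
        return b"PORT " + encode_port_arg(self.wan_ip, wan_port).encode() + b"\r\n"

    def inbound_data_connection(self, wan_port):
        """Return the LAN endpoint for the server's connection to wan_port, or None; single use."""
        return self.pinholes.pop(wan_port, None)


def demo():
    alg = FtpAlg("203.0.113.2")
    rewritten = alg.rewrite_outbound(b"PORT 192,168,0,10,4,210\r\n")   # client at 192.168.0.10:1234
    return {
        "rewritten": rewritten,
        "pinhole": alg.inbound_data_connection(50000),
        "pinhole_reused": alg.inbound_data_connection(50000),
        "untouched": alg.rewrite_outbound(b"USER anonymous\r\n"),
    }
```

The pinhole is consumed on first use so that the port does not stay open for other hosts after the data transfer begins; the same pattern (parse the payload, substitute addresses, open a narrowly scoped mapping) is what the other ALGs in this list do for their own protocols.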
o H.323 (Netmeeting): Allows H.323 (specifically Microsoft Netmeeting) clients to communicate across a NAT server.
o SIP: Allows devices and applications using VoIP (Voice over IP) to communicate across NAT. Some VoIP applications and devices have the ability to discover NAT devices and work around them. This ALG may interfere with the operation of such devices. If you are having trouble making VoIP calls, try turning this ALG off.
o Wake-On-LAN: This feature enables forwarding of "magic packets" (that is, specially formatted wake-up packets) from the WAN to a LAN computer or other device that is "Wake on LAN" (WOL) capable.
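The following is an added illustration, not code from the manual or the router's firmware: a parser that recognises a genuine magic packet, so that forwarding from the WAN happens only for that packet format and not for arbitrary UDP traffic. The format itself is the standard one (six 0xFF bytes followed by the target MAC repeated sixteen times, optionally followed by a 4- or 6-byte SecureOn password); the sample MAC, the LAN broadcast address and the wan_to_lan_target helper are constructed for this example.

```python
# Added example, not the router's firmware: recognising a Wake-on-LAN magic
# packet before forwarding it from the WAN into the LAN. The sample MAC and LAN
# broadcast address are constructed values.

SYNC = b"\xff" * 6


def parse_magic_packet(payload):
    """Return the target MAC as 'aa:bb:cc:dd:ee:ff' if payload is a magic packet, else None."""
    if not payload.startswith(SYNC):
        return None
    body = payload[len(SYNC):]
    if len(body) < 96:
        return None
    mac = body[:6]
    if body[:96] != mac * 16:                # all sixteen copies must match exactly
        return None
    if len(body) - 96 not in (0, 4, 6):      # nothing, or a SecureOn password, may follow
        return None
    return ":".join(f"{b:02x}" for b in mac)


def build_magic_packet(mac, password=b""):
    mac_bytes = bytes(int(x, 16) for x in mac.split(":"))
    return SYNC + mac_bytes * 16 + password


def wan_to_lan_target(payload, lan_broadcast):
    """Forwarding decision for a WAN-side UDP payload: a magic packet goes to the LAN
    broadcast address (a sleeping host does not answer ARP, so it cannot be addressed
    directly); anything else is not forwarded."""
    mac = parse_magic_packet(payload)
    return (lan_broadcast, mac) if mac else None


def demo():
    mac = "00:11:22:33:44:55"
    good = build_magic_packet(mac)
    tampered = bytearray(good)
    tampered[20] ^= 0x01                      # corrupt one byte of the second MAC copy
    return {
        "length": len(good),
        "parsed": parse_magic_packet(good),
        "with_password": parse_magic_packet(build_magic_packet(mac, b"\x00\x00\x00\x00")),
        "tampered": parse_magic_packet(bytes(tampered)),
        "not_wol": parse_magic_packet(b"GET / HTTP/1.0\r\n"),
        "forward": wan_to_lan_target(good, "192.168.0.255"),
    }
```

Requiring all sixteen copies to match exactly, and rejecting any trailer that is not a SecureOn password, keeps the forwarded traffic limited to well-formed wake-up packets.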
o MMS: Allows Windows Media Player, using the MMS protocol, to receive streaming media from the Internet.
Click on the Apply button to store these settings.
WISH
WISH is short for Wireless Intelligent Stream Handling, a technology developed
to enhance your experience of using a wireless network by prioritizing the traffic
of different applications.
° Enable WISH: Place a check in this box to enable the WISH feature.
° HTTP: Place a check in this box to add HTTP as a classifier. This allows the device to recognize HTTP transfers for many common audio and video streams and prioritize them above other traffic. Such streams are frequently used by digital media players.
° Windows Media Center: Place a check in this box to add Windows Media Center as a classifier. This enables the router to recognize certain audio and video streams generated by a Windows Media Center PC and to prioritize these above other traffic. Such streams are used by systems known as Windows Media Extenders, such as the Xbox 360.
° Automatic: Place a check in this box for the device to automatically configure the classifiers. When enabled, this option causes the router to automatically attempt to prioritize traffic streams that it doesn't otherwise recognize, based on the behavior that the streams exhibit. This acts to deprioritize streams that exhibit bulk transfer characteristics, such as file transfers, while leaving interactive traffic, such as gaming or VoIP, running at a normal priority.
° Enable: Place a check in this box to enable the WISH rule. A WISH Rule identifies a specific message flow and assigns a priority to that flow. For most
