Sitecom WL-309 Router Manual PDF (Setup & Configuration Guide)

Page 56 / 74 Scroll up to view Page 51 - 55

56

A

GE

56

Firewall Settings

The device provides a tight firewall by virtue of the way NAT works. Unless you

configure the router to the contrary, the NAT does not respond to unsolicited

incoming requests on any port, thereby making your LAN invisible to Internet

cyber attacks. However, some network applications cannot run with a tight

firewall. Those applications need to selectively open ports in the firewall to

function correctly. The options on this page control several ways of opening the

firewall to address the needs of specific types of applications.

°

Enable SPI

: Place a check in this box to enable SPI. SPI ("stateful packet

inspection" also known as "dynamic packet filtering") helps to prevent cyber

attacks by tracking more state per session. It validates that the traffic passing

through that session conforms to the protocol. When the protocol is TCP, SPI

checks that packet sequence numbers are within the valid range for the

session, discarding those packets that do not have valid sequence numbers.

Whether SPI is enabled or not, the router always tracks TCP connection states

and ensures that each TCP packet's flags are valid for the current state.

°

TCP / UDP NAT Endpoint Filtering

options control how the router's NAT

manages incoming connection requests to ports that are already being used.

Select one of the radio buttons.

o

End Point Independent

Once a LAN-side application has created a

connection through a specific port, the NAT will forward any incoming

connection requests with the same port to the LAN-side application

regardless of their origin. This is the least restrictive option, giving the

best connectivity and allowing some applications (P2P applications in

particular) to behave almost as if they are directly connected to the

Internet.

o

Address Restricted

The NAT forwards incoming connection requests

to a LAN-side host only when they come from the same IP address

with which a connection was established. This allows the remote

Page 57 / 74

57

A

GE

57

application to send data back through a port different from the one

used when the outgoing session was created.

o

Port And Address Restricted

The NAT does not forward any

incoming connection requests with the same port address as an

already establish connection.

°

Note

: Some of these options can interact with other port restrictions.

Endpoint Independent Filtering takes priority over inbound filters or

schedules, so it is possible for an incoming session request related to an

outgoing session to enter through a port in spite of an active inbound filter on

that port. However, packets will be rejected as expected when sent to blocked

ports (whether blocked by schedule or by inbound filter) for which there are

no active sessions. Port and Address Restricted Filtering ensures that inbound

filters and schedules work precisely, but prevents some level of connectivity,

and therefore might require the use of port triggers, virtual servers, or port

forwarding to open the ports needed by the application. Address Restricted

Filtering gives a compromise position, which avoids problems when

communicating with certain other types of NAT router (symmetric NATs in

particular) but leaves inbound filters and scheduled access working as

expected.

°

Enable Port Preservation

:

Place a check in this box to enable Port

Preservation. NAT Port preservation (on by default) tries to ensure that, when

a LAN host makes an Internet connection, the same LAN port is also used as

the Internet visible port. This ensures best compatibility for internet

communications. Under some circumstances it may be desirable to turn off

this feature.

°

Enable anti-spoof checking

:

Place a check in this box to enable anti-spoof

checking. Enabling this option can provide protection from certain kinds of

"spoofing" attacks. However, enable this option with care. With some

modems, the WAN connection may be lost when this option is enabled. In

that case, it may be necessary to change the LAN subnet to something other

than 192.168.0.x (192.168.2.x, for example), to re-establish the WAN

connection.

°

Enable DMZ Host

: Place check in this box to enable DMZ host. DMZ host is a

demilitarized zone used to provide Internet services without sacrificing

unauthorized access to its local private network.

Typically, the DMZ host

contains devices accessible to Internet traffic, such as web, FTP, email and

DNS servers.

Page 58 / 74

58

A

GE

58

°

DMZ IP Address

: Specify the IP address of the DMZ host.

°

Non-UDP/TCP/ICMP LAN Sessions

: Place a check in this box to enable

this feature. When a LAN application that uses a protocol other than UDP, TCP,

or ICMP initiates a session to the Internet, the router's NAT can track such a

session, even though it does not recognize the protocol. This feature is useful

because it enables certain applications (most importantly a single VPN

connection to a remote host) without the need for an ALG.

°

Note

: This feature does not apply to the DMZ host (if one is enabled). The

DMZ host always handles these kinds of sessions.

°

Enabling this option (the default setting) enables single VPN connections to a

remote host. (But, for multiple VPN connections, the appropriate VPN ALG

must be used.) Disabling this option, however, only disables VPN if the

appropriate VPN ALG is also disabled.

°

Application Layer Gateway (ALG)

Configuration: Place a check in

appropriate feature boxes to enable them. . Some protocols and applications

require special handling of the IP payload to make them work with network

address translation (NAT). Each ALG provides special handling for a specific

protocol or application. A number of ALGs for common applications are

enabled by default.

o

PPTP

: Allows multiple machines on the LAN to connect to their

corporate networks using PPTP protocol. When the PPTP ALG is

enabled, LAN computers can establish PPTP VPN connections either

with the same or with different VPN servers. When the PPTP ALG is

disabled, the router allows VPN operation in a restricted way -- LAN

computers are typically able to establish VPN tunnels to different VPN

Internet servers but not to the same server. The advantage of

disabling the PPTP ALG is to increase VPN performance. Enabling the

PPTP ALG also allows incoming VPN connections to a LAN side VPN

server (refer to

Advanced > Virtual_Server

).

o

IPSec

: (VPN) Allows multiple VPN clients to connect to their corporate

networks using IPSec. Some VPN clients support traversal of IPSec

through NAT. This option may interfere with the operation of such VPN

clients. If you are having trouble connecting with your corporate

network, try disabling this option. Check with the system administrator

of your corporate network whether your VPN client supports NAT

traversal.

Page 59 / 74

59

A

GE

59

o

RTSP

: Allows applications that use Real Time Streaming Protocol to

receive streaming media from the internet. QuickTime and Real Player

are some of the common applications using this protocol.

o

Windows/MSN Messenger

: Supports use on LAN computers of

Microsoft Windows Messenger (the Internet messaging client that ships

with Microsoft Windows) and MSN Messenger. The SIP ALG must also

be enabled when the Windows Messenger ALG is enabled.

o

FTP

: Allows FTP clients and servers to transfer data across NAT.

o

H.323

(Netmeeting)

:

Allows

H.323

(specifically

Microsoft

Netmeeting) clients to communicate across NAT server.

o

SIP

: Allows devices and applications using VoIP (Voice over IP) to

communicate across NAT. Some VoIP applications and devices have the

ability to discover NAT devices and work around them. This ALG may

interfere with the operation of such devices. If you are having trouble

making VoIP calls, try turning this ALG off.

o

Wake-On-LAN

: This feature enables forwarding of "magic packets"

(that is, specially formatted wake-up packets) from the WAN to a LAN

computer or other device that is "Wake on LAN" (WOL) capable.

o

MMS

: Allows Windows Media Player, using MMS protocol, to receive

streaming media from the internet.

Click on the

Apply

button to store these settings.

Page 60 / 74

60

A

GE

60

WISH

WISH is short for Wireless Intelligent Stream Handling, a technology developed

to enhance your experience of using a wireless network by prioritizing the traffic

of different applications.

°

Enable WISH

: Place a check in this box to enable the WISH feature.

°

HTTP

:

Place a check in this box to add HTTP as a classifier. This allows the

device to recognize HTTP transfers for many common audio and video

streams and prioritize them above other traffic. Such streams are frequently

used by digital media players.

°

Windows Media Center

: Place a check in this box to add HTTP as a

classifier. This enables the router to recognize certain audio and video

streams generated by a Windows Media Center PC and to prioritize these

above other traffic. Such streams are used by systems known as Windows

Media Extenders, such as the Xbox 360.

°

Automatic

: Place a check in this box for the device to automatically

configure the classifiers. When enabled, this option causes the router to

automatically attempt to prioritize traffic streams that it doesn't otherwise

recognize, based on the behavior that the streams exhibit. This acts to

deprioritize streams that exhibit bulk transfer characteristics, such as file

transfers, while leaving interactive traffic, such as gaming or VoIP, running at

a normal priority.

°

Enable

: Place a check in this box to enable the WISH rule. A WISH Rule

identifies a specific message flow and assigns a priority to that flow. For most

Rate

Popular Sitecom Models

Famous Router IPs

Famous Router Companies

Bookmark Our Site

Share