Router Basics

Posted Mar 31, 2005 | by joel  

Firewall and Filtering


These features let you control what is allowed to connect to your wireless network and what can pass through from the Internet to the local networks. By default, anyone and anything can connect to your wireless network, and no traffic from the Internet is allowed to pass through to any computer on the local network.


Common Features


Firewall features can vary from router to router. Most routers have these basic features:



  1. Restrict access to WLAN (or sometimes both WLAN and wired LAN) by MAC address

  2. Internet IP/Domain blocking so certain Internet websites are blocked to local computers

  3. Port Forwarding so Internet clients can access a machine on the local network

  4. Port Filtering so certain Internet ports/services are blocked to local computers

  5. De-Militarized Zone (DMZ) makes it appear that a local computer is directly connected to the WAN connection so it has full 2-way Internet access.

Some routers also have intrusion detection and notification so that the router will send you an email if it believes someone attempted to bypass the firewall. Another possible feature is DoS (Denial of Service) detection and dropping connections to try to keep your Internet access up. Some malicious hackers will initiate a DoS attack to try to knock your network off the Internet. This feature helps combat that.


Restrict access by MAC address


Each network card or device has a MAC address that is roughly unique. Because of that, you can restrict connections to your router to a specific list of MAC addresses. The downside is that it can be tedious to implement, and the MAC address of any network device can be changed. MAC addresses are generally transmitted in plaintext, so someone sniffing your network can simply find an allowed MAC address and then change their own network card’s MAC address to the same value.


Using this feature requires you to enter the MAC address for every computer on your wireless network. Some routers also have the capability to restrict wired network connections by MAC address. The method for getting the MAC address varies by OS and device. Generally, single-purpose devices (such as a network hard drive) will print their MAC address on a sticker on the bottom or back of the device. In Windows XP, you can get the MAC address by pressing the Start button and then going to Run. In Run, type “cmd” and press ENTER. That will pop up the command line. Now type “ipconfig /all” and press ENTER. That will print out information for each network card in your computer. The “Physical Address” is the MAC address.
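As an added example (not from the original article), here is a small Python helper that pulls the “Physical Address” lines out of ipconfig /all output, normalizes the several MAC spellings you meet on stickers and admin pages, and checks a station against the allowlist. The sample output is constructed; the locally-administered bit check is a weak hint only, since the page’s point stands: an allowed address can be copied by anyone who sniffs it.

```python
import re

# Constructed sample of "ipconfig /all" output (not captured from a real machine).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Wireless Network Connection:

        Description . . . . . . . . . . . : Example 802.11g Adapter
        Physical Address. . . . . . . . . : 00-11-22-33-44-55
        IP Address. . . . . . . . . . . . : 192.168.1.101

Ethernet adapter Local Area Connection:

        Description . . . . . . . . . . . : Example Fast Ethernet Adapter
        Physical Address. . . . . . . . . : 00-AA-BB-CC-DD-EE
        IP Address. . . . . . . . . . . . : 192.168.1.102
"""

# Windows prints the MAC as six dash-separated hex pairs after a dotted label.
_MAC_RE = re.compile(r"Physical Address[ .]*: ([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})")


def normalize_mac(mac: str) -> str:
    """Canonical lowercase colon form from dash, colon or Cisco dotted (0011.2233.4455) input."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = digits.lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def macs_from_ipconfig(text: str) -> list:
    """Every Physical Address found in ipconfig /all output, normalized."""
    return [normalize_mac(m) for m in _MAC_RE.findall(text)]


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (bit 1 of the first octet) is set: the address was assigned
    by software rather than burned in at the factory. Only a hint, not proof of spoofing."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


def check_allowlist(mac: str, allowlist) -> bool:
    """Router-side decision for a station trying to associate: allowed only if on the list."""
    return normalize_mac(mac) in {normalize_mac(a) for a in allowlist}
```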


Port Filtering and IP/Domain blocking


Most routers have some means of blocking specific ports or services from being accessed by LAN clients. This is done by setting up access rules. The amount of control varies from router to router. Some routers let you enter the exact ports, while others only let you select from certain pre-configured ports. Some routers let you specify a particular client PC for the rule to act on, while others allow you to specify an Internet IP address or IP range for the rule to act on.


Usually, there is a separate section for IP/domain blocking, but sometimes it is integrated into the port filtering rules. Just enter the domain or IP that you want to block access to. You can also usually block websites based on keywords in the URL. This will block any URL in which that keyword is found.


Most routers also offer some sort of scheduling control for the rules. For instance, if you want certain limited-access rules in force all the time except from 9pm (when the kids have been put to bed) until 2am, you can do that. If you want to allow wide-open web surfing only during the lunch hour and have limited surfing ability the rest of the time, you can often set that up as well.
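To make the access-rule, keyword-blocking and scheduling ideas concrete, here is an added Python model of a router’s outbound rule list (example code, not from the article or any router firmware). The rules and the client addresses are constructed; the one thing worth seeing is how a 9pm-to-2am window that wraps past midnight is evaluated, since that is where home-made schedules usually go wrong.

```python
from dataclasses import dataclass
from datetime import time
from typing import Optional


@dataclass
class Schedule:
    start: time  # when the rule becomes active
    end: time    # when it stops; a window such as 21:00-02:00 wraps past midnight

    def active(self, now: time) -> bool:
        if self.start <= self.end:
            return self.start <= now < self.end
        return now >= self.start or now < self.end  # wrapped (overnight) window


@dataclass
class Rule:
    action: str                        # "deny" or "allow"
    client: Optional[str] = None       # LAN IP the rule applies to; None = every client
    ports: frozenset = frozenset()     # destination ports; empty = any port
    keywords: tuple = ()               # URL keywords (the IP/domain blocking section)
    schedule: Optional[Schedule] = None  # None = rule applies around the clock

    def matches(self, client: str, port: int, url: Optional[str], now: time) -> bool:
        if self.client and self.client != client:
            return False
        if self.ports and port not in self.ports:
            return False
        if self.keywords and not any(k.lower() in (url or "").lower() for k in self.keywords):
            return False
        if self.schedule and not self.schedule.active(now):
            return False
        return True


def decide(rules, client: str, port: int, now: time, url: Optional[str] = None,
           default: str = "allow") -> str:
    """First matching rule wins, as in most router access-rule lists; `default` is the
    router's policy for LAN-originated traffic that no rule mentions (normally allow)."""
    for r in rules:
        if r.matches(client, port, url, now):
            return r.action
    return default


# Constructed rule set: block a URL keyword for everyone, and let the kids' PC (192.168.1.20)
# reach a chat port (5190, the AIM port) only between 21:00 and 02:00.
RULES = [
    Rule("deny", keywords=("casino",)),
    Rule("allow", client="192.168.1.20", ports=frozenset({5190}),
         schedule=Schedule(time(21, 0), time(2, 0))),
    Rule("deny", client="192.168.1.20", ports=frozenset({5190})),
]
```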


Port Forwarding (aka Virtual Servers and Special Applications)


Port Forwarding allows Internet computers to connect to an open port on a local computer. For instance, if you wanted to offer an FTP server from a local computer to the Internet, you’d configure a port (it could be 21, 9250, or whatever) on the router to forward to port 21 on the local computer where the FTP server is running. This allows Internet traffic through to the local network, so some caution should be taken when implementing it, as it could open your local network up to someone on the outside.


Some applications, such as Internet games, videoconferencing, and IP telephony, require multiple connections. Sometimes such an application will not work through the router. A few routers have a feature where you can configure the router to open multiple public ports when a certain port is used by the application (the “trigger port”). This gets pretty advanced and requires knowledge of what ports an application needs to use and what port to specify as the trigger port. If you are having problems with an Internet application, the vendor may bring this up as a solution for solving the problem.


Generally, if your router doesn’t have this multiple connections feature (sometimes called Special Applications), you may have to put that computer into the router’s DMZ so it will allow the application to work.


De-Militarized Zone (DMZ)


The De-Militarized Zone means that the router offers no protection for a specific local computer. That computer appears to the Internet as though it is directly connected, so all incoming traffic that matches no other rule goes straight to it. It is not protected at all by the router. It is also possible that someone could compromise that computer and gain access to the rest of the local network. Using the DMZ is generally considered a last resort for getting an application working.


Just enter the IP of the local computer that you want to be in the DMZ and enable DMZ.
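The port forwarding, trigger-port and DMZ sections above all describe what the router does with an unsolicited connection arriving from the Internet; the following Python model (added here as an example, not the article’s or any vendor’s code) puts those three mechanisms in the order a router applies them and counts how many WAN ports reach a given LAN host, which is the quickest way to see why the DMZ is a last resort. The configurations and trigger port numbers are constructed.

```python
from typing import Dict, Optional, Tuple

Target = Tuple[str, int]  # (LAN IP, LAN port)


class RouterWan:
    """Inbound handling of a home router: virtual servers, trigger ports, DMZ, default drop."""

    def __init__(self, forwards: Dict[int, Target], triggers: Dict[int, Tuple[int, ...]] = None,
                 dmz_host: Optional[str] = None):
        self.forwards = dict(forwards)           # WAN port -> (LAN IP, LAN port)
        self.triggers = dict(triggers or {})     # outbound trigger port -> inbound ports it opens
        self.dynamic: Dict[int, str] = {}        # inbound ports opened by a trigger -> LAN IP
        self.dmz_host = dmz_host

    def outbound(self, lan_ip: str, dst_port: int) -> None:
        """A LAN client connects out; if dst_port is a trigger, open its ports for that client."""
        for p in self.triggers.get(dst_port, ()):
            self.dynamic[p] = lan_ip

    def route_inbound(self, wan_port: int) -> Optional[Target]:
        """Where an unsolicited Internet connection to wan_port lands, or None if dropped."""
        if wan_port in self.forwards:
            return self.forwards[wan_port]                 # explicit virtual server wins
        if wan_port in self.dynamic:
            return (self.dynamic[wan_port], wan_port)      # temporarily opened by a trigger
        if self.dmz_host:
            return (self.dmz_host, wan_port)               # DMZ host gets everything else
        return None                                        # default: nothing passes in

    def exposed_ports(self, lan_ip: str) -> int:
        """Number of WAN ports that reach lan_ip; shows how much a DMZ entry widens exposure."""
        count = 0
        for p in range(1, 65536):
            target = self.route_inbound(p)
            if target and target[0] == lan_ip:
                count += 1
        return count


# Constructed configurations (not from any real router):
FTP_ONLY = RouterWan({9250: ("192.168.1.10", 21)})                            # the page's FTP example
WITH_TRIGGER = RouterWan({}, triggers={4000: (4001, 4002)})                   # made-up trigger ports
WITH_DMZ = RouterWan({9250: ("192.168.1.10", 21)}, dmz_host="192.168.1.50")  # DMZ as last resort
```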


Virtual Private Networks (VPN)


Some routers have special means of handling Virtual Private Networks (VPN). Other routers may require putting the client computer for the VPN in the DMZ, which has reduced security. VPN features vary widely from router to router, and many routers do not have any VPN-specific features at all.


VPN Passthrough


A VPN passthrough detects PPTP and IPSec protocols and passes them through the router automatically. All you have to do is enable PPTP and/or IPSec in the VPN Passthrough section. This is the easiest means of handling VPNs because it requires minimal configuration effort, but it’s not quite as secure as a VPN tunnel.


VPN Tunnel


The VPN router creates a tunnel between two endpoints (your home network and your work network) so that the data and information between those points is secure.


You will need to configure both a local group and remote group of IPs (computers) that are allowed to access the VPN tunnel. Enter the IP address for the Remote Security Gateway, which is the VPN device (second VPN router, server, or computer with VPN IPSec software) on the remote end of the VPN tunnel.


VPN Tunnels allow encryption, and DES and 3DES are generally the two choices. 3DES is more secure, so it is generally recommended. The remote end of the tunnel needs to be configured to use the same type of encryption. The key exchange is either handled automatically through IKE or manually by typing in the encryption key into the form on the router.


VPN Tunnels can also be configured with authentication if you want an extra level of security.


Conclusion


Although routers have different styles and organization for their admin functions, they tend to have the same sort of features. Having read this guide, you now know what to look for in your router manual to guide you the rest of the way. Very few routers include a full, hard copy manual but instead put the manual on CD. You can also download the manual from your router manufacturer’s website.


8 Responses to “Router Basics”

  1. Randolph Johnson says:

    i thank u :D

  2. Angela says:

    That was helpful. I was lost before I read this easy-to-understand information.

  3. Aymen says:

    Hi,
    I have this problem can any body help me?

    •When setting up a private network of 5 PCs behind an Internet Router, what IP address ranges have been reserved for such use. Which would you pick, and why?
    Thanks

  4. Joel says:

    http://www.pku.edu.cn/academic/research/computer-center/tc/html/TC0305.html

    You can pick from those ranges. I typically select 192.168.0 or 192.168.1. The exact numbers don’t matter, and you can just let DHCP handle that.

  5. NewMC says:

    Your router’s IP address by default is going to be 192.168.1.1 for most brands, so I would probably set my connections to start at 192.168.1.100 and limit your connections to 10 or so, maybe less depending on the number of items you have connecting (i.e. PDAs, Xbox 360, work laptop, whatever). That should work for you unless you are in a “high traffic” area where someone might be trying to jump off of your router. Then you will have to probably look at static IPs and such; the bad thing is then if you have a laptop or whatever and connect to another network you will probably have to reset the IPs on your laptop each time you get home.

  6. [...] adapter? Buy a router. They have a DHCP server built in. Internet -> Router -> PC’s http://www.pcmech.com/article/router-basics/http://get.live.com/wlmail/overview "noctcrawler" <noctcrawler> wrote in [...]

    • Dhwani Alex says:

      It’s not inbuilt with the operating system that you are using now. It’s advisable to set up a Windows Server operating system; the latest is Windows Server 2008. After doing all your initial configurations you can easily enable your DHCP, so that other DHCP servers in the network will respond to you with a dynamic IP address for your session.
