Section 72. Configure Router Firewall Settings



BEFORE YOU BEGIN

Access Router Configuration

About Firewalls


The actual settings available for your WiFi router's firewall depend on the WiFi router you purchased. In most cases, the firewall settings for your home WiFi router are pretty simple; they might only allow you to turn the firewall on and off and to configure a computer to run outside the firewall in what is called the demilitarized zone (DMZ). Web servers and gaming servers can be run in the DMZ so you don't have to use port forwarding or port triggering to allow users outside the network to attach to the server (not opening ports and running a single computer in the DMZ actually protects the internal network in the long run). Port triggering and port forwarding are discussed in Configure Port Forwarding and Port Triggering.

Other firewall settings you might have control over relate to whether the router interface can be pinged from the Internet (pinging can be useful as a diagnostic tool but can open the network to potential attacks). The ping command is discussed in About Command-Line Tools and Use Command-Line Tools. Your router's firewall settings might also allow you to set the maximum packet size that can be transmitted to the network. This is called the Maximum Transmission Unit (MTU) size; it is typically configured at 1500 bytes but can be adjusted to a smaller size if required by your Internet service provider.

Configure Router Firewall Settings


Open Router Configuration Web Page

Log on to your router as the administrator using your web browser; type the URL for your router in the browser's Address box and then provide the login name and password for the router when prompted for this information. You can find the URL for your router in the documentation that came with your router; routers also typically come with a quick start sheet (a one-page flyer) that provides the URL or web address for your router and the default logon name and password. If you don't have access to either of these information pages, go to the router manufacturer's website and access their support page, which should provide links to specific product pages where you can download the documentation for your WiFi router.

Access Firewall Settings

On the main page of the router's configuration website, select the link that takes you to the router's firewall settings. For example, on my Netgear WiFi router's configuration page, the firewall settings are on the WAN Setup page, so I click the WAN Setup link on the left side of the page. Each router's setup pages are different, so consult the router's documentation and setup manual for more information.

Note

Firewall settings are typically found on a router's WAN setup configuration page because the WAN (wide area network) connection is the connection to the Internet (the Internet is a wide area network). Some routers provide you with the capability to change the connection between your network and the Internet from automatic (meaning it happens automatically through the router) to manual. A manual connection requires you to use the manual connection feature on your router to get an Internet connection up and running. The automatic connection setting is actually better because you do not have to reset the connection if it goes down or is interrupted. When the automatic setting is in force, the router automatically connects to the Internet when access is needed.


Enable/Disable Firewall

Select the appropriate check box or option button to turn on your router's firewall. Some routers (such as my Netgear router) have the firewall enabled by default, and the configuration page does not provide an enable option; it only allows you to disable the firewall by selecting Disable SPI Firewall. Disabling the firewall opens up your network to the possibility of outside attack. There is actually no good reason to disable the firewall, even if access to gaming or other services is a problem, because all connectivity issues can be resolved with port triggering and port forwarding settings (see Configure Port Forwarding and Port Triggering).

Specify DMZ Server IP Address

If you want to operate a computer or a server (such as a computer that is acting as a web server or a gaming server) outside the firewall, you can have the router place that computer in the DMZ. This means that the network is still protected from attack but that the DMZ computer could potentially be attacked. To place a computer on your network in the DMZ using a Netgear router, select the Default DMZ Server check box and then enter the IP address of the computer that will be placed in the DMZ. If you need to find the IP address for a computer, go to that computer and click the Start button and then choose Run. Type command in the Run box and click OK. In the command window that opens, type ipconfig /all and press Enter. You will be provided with the IP address and the other IP settings for the computer.

Note

The DMZ isn't really a place; it is a virtual location configured by your WiFi router's firewall. The DMZ is a virtual place that resides between your protected internal network and the public Internet. Placing a computer in the DMZ allows it to communicate with the Internet without the router's firewall inspecting the data flowing to and from the computer. It is not uncommon for computers offering certain services to be placed in the DMZ. Even large corporations sometimes place communication servers in the DMZ so that they do not have to open ports on the firewall to allow access to the server.


Allow Pinging of Router Internet Interface

Ping is a command-line tool used to determine whether a connection exists between two computers or other network devices. For example, if you can't seem to connect to another computer on the network that has a shared folder, you can ping the computer using its IP address to see whether there is a connection problem. By default, most WiFi routers are configured so that the router's interface or connection to the Internet cannot be pinged. The Internet interface for your router is actually assigned its IP address by your Internet service provider, so the Internet interface on the router is really its public interface. Allowing the public interface to be pinged can open the router up to attack since it can be "pinged to death." A malicious individual on the Internet could send a barrage of ping packets or oversized ping packets that would actually bring down the router's public interface. This kind of attack is called the "Ping of Death."

Enable the router's Internet interface for pinging only if your Internet service provider (or you) needs to ping that interface to determine whether there is a connectivity problem. For my Netgear router, I select the Respond to Ping on Internet Port option to turn on this feature. When you have determined that the interface can be reached by a ping (from you or the ISP technician), I suggest that you disable the feature.
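The "oversized ping packets" mentioned above can be recognized from the IPv4 header alone: a fragment is invalid if its offset plus its length would push the reassembled packet past the 65,535-byte IPv4 limit. The following check is an added example, not code from the book or from any router vendor; the function names and the sample headers (built with documentation-range addresses) are constructed for illustration.

```python
import struct

IPV4_MAX_DATAGRAM = 65535  # largest size the 16-bit IPv4 total-length field allows
ICMP = 1                   # IPv4 protocol number for ICMP (ping)


def sample_header(total_len, offset_units, more_fragments, proto=ICMP):
    """Build a 20-byte IPv4 header as constructed sample data (not captured traffic)."""
    flags_frag = (0x2000 if more_fragments else 0) | offset_units
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, flags_frag,
                       64, proto, 0, bytes([203, 0, 113, 5]), bytes([198, 51, 100, 1]))


def reassembled_end(header):
    """Size the whole datagram would reach once this fragment is put in place."""
    ver_ihl, _tos, total_len, _ident, flags_frag = struct.unpack("!BBHHH", header[:8])
    ihl = (ver_ihl & 0x0F) * 4              # header length in bytes
    offset = (flags_frag & 0x1FFF) * 8      # fragment offset is stored in 8-byte units
    return ihl + offset + (total_len - ihl)


def is_oversized_ping(header):
    """True for an ICMP fragment that cannot belong to a legal IPv4 datagram."""
    return header[9] == ICMP and reassembled_end(header) > IPV4_MAX_DATAGRAM


# Constructed samples: an ordinary ping, a legitimate second fragment, and a
# fragment whose offset places its data beyond the 65,535-byte limit.
NORMAL_PING = sample_header(84, 0, False)
VALID_FRAGMENT = sample_header(1500, 185, False)
OVERSIZED_FRAGMENT = sample_header(1500, 8189, False)

if __name__ == "__main__":
    for name, hdr in [("normal", NORMAL_PING), ("valid fragment", VALID_FRAGMENT),
                      ("oversized fragment", OVERSIZED_FRAGMENT)]:
        print(f"{name}: ends at byte {reassembled_end(hdr)}, "
              f"drop={is_oversized_ping(hdr)}")
```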

Set MTU Size

The Maximum Transmission Unit (MTU) value for Ethernet networks such as your WiFi network is 1500 bytes. Leave the MTU setting at the default unless your Internet service provider requires that a different setting be used. If you're unsure about the MTU value, contact your ISP. To change the MTU on my Netgear router, I click in the MTU text box and type a different value. Each router provides a slightly different configuration screen for setting the MTU.

Your Internet service provider determines the optimal MTU for the network it services by trial and error. The only way you might perceive that you don't have the correct MTU setting for your ISP connection would be a slight slowing of the connection to the Internet, and this would only be in situations where your MTU is set higher than the ISP's and your data packets have to be broken into smaller chunks for transmission. So, bottom line, call your ISP and see whether it uses a special MTU setting.
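To see what "broken into smaller chunks" costs, the following added example (not from the book) splits one IPv4 packet the way a router does when the packet is larger than the next link's MTU. It assumes a 20-byte IPv4 header with no options; the 1492-byte and 576-byte ISP MTU values are constructed sample inputs, not values the book gives.

```python
IPV4_HEADER = 20  # bytes; assumption: IPv4 header without options


def fragment_ipv4(packet_len, path_mtu):
    """Split one IPv4 packet (packet_len bytes, header included) for a link
    whose MTU is path_mtu. Returns (offset_bytes, fragment_len, more_fragments)."""
    if packet_len < IPV4_HEADER or path_mtu < IPV4_HEADER + 8:
        raise ValueError("packet or MTU too small for an IPv4 header plus data")
    if packet_len <= path_mtu:
        return [(0, packet_len, False)]       # fits, so it is sent unchanged
    payload = packet_len - IPV4_HEADER
    # Every fragment except the last must carry a multiple of 8 data bytes,
    # because the header stores the fragment offset in 8-byte units.
    chunk = (path_mtu - IPV4_HEADER) // 8 * 8
    fragments, offset = [], 0
    while offset < payload:
        size = min(chunk, payload - offset)
        more = offset + size < payload
        fragments.append((offset, size + IPV4_HEADER, more))  # each gets its own header
        offset += size
    return fragments


def wire_overhead(packet_len, path_mtu):
    """Extra bytes sent because each fragment repeats the IPv4 header."""
    return sum(length for _, length, _ in fragment_ipv4(packet_len, path_mtu)) - packet_len


if __name__ == "__main__":
    # Router MTU left at 1500 while the ISP link only carries 1492 or 576 bytes.
    for isp_mtu in (1500, 1492, 576):
        frags = fragment_ipv4(1500, isp_mtu)
        print(f"ISP MTU {isp_mtu}: {len(frags)} packet(s), "
              f"{wire_overhead(1500, isp_mtu)} extra bytes -> {frags}")
```

With the router at 1500 and the ISP link at 1492, every full-size packet becomes two packets, the second carrying only 8 bytes of data; that doubling of packets is the slowdown described above.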

Apply Firewall Settings to Router Configuration

When you have set the firewall configuration for your router, you must apply or save the new settings (whether you apply or save the settings depends on your WiFi router). For example, for my Netgear WGR 614 router, I click the Apply button to apply and save the firewall settings.



Home Wireless Networking in a Snap
ISBN: 0672327023
EAN: 2147483647
Year: 2007
Pages: 158
Authors: Joe Habraken
