User Manual
43
TCP Endpoint Filtering
Controls endpoint filtering for packets of the TCP protocol.
Formerly, the terms "Full Cone", "Restricted Cone", "Port Restricted Cone" and "Symmetric"
were used to refer to different variations of NATs. These terms are purposely not used here,
because they do not fully describe the behavior of this router's NAT. While not a perfect
mapping, the following loose correspondences between the "cone" classification and the
"endpoint filtering" modes can be drawn: if this router is configured for endpoint independent
filtering, it implements full cone behavior; address restricted filtering implements restricted
cone behavior; and port and address restricted filtering implements port restricted cone
behavior.
NAT Port Preservation
NAT Port preservation (on by default) tries to ensure that, when a LAN host makes an Internet
connection, the same LAN port is also used as the Internet visible port. This ensures best
compatibility for internet communications.
Under some circumstances it may be desirable to turn off this feature.
Anti-Spoof checking
Enabling this option can provide protection from certain kinds of "spoofing" attacks. However,
enble this option with care. With some modems, the WAN connection may be lost when this
option is enabled. In that case, it may be necessary to change the LAN subnet to something
other than 192.168.0.x (192.168.2.x, for example), to re-establish the WAN connection.
DMZ Host
DMZ means "Demilitarized Zone." If an application has trouble working from behind the router,
you can expose one computer to the Internet and run the application on that computer.
When a LAN host is configured as a DMZ host, it becomes the destination for all incoming
packets that do not match some other incoming session or rule. If any other ingress rule is in
place, that will be used instead of sending packets to the DMZ host; so, an active session,
virtual server, active port trigger, or port forwarding rule will take priority over sending a packet
to the DMZ host. (The DMZ policy resembles a default port forwarding rule that forwards every
port that is not specifically sent anywhere else.)
The router provides only limited firewall protection for the DMZ host. The router does not
forward a TCP packet that does not match an active DMZ session, unless it is a connection
establishment packet (SYN). Except for this limited protection, the DMZ host is effectively
"outside the firewall". Anyone considering using a DMZ host should also consider running a
firewall on that DMZ host system to provide additional protection.
Packets received by the DMZ host have their IP addresses translated from the WAN-side IP
address of the router to the LAN-side IP address of the DMZ host. However, port numbers are
not translated; so applications on the DMZ host can depend on specific port numbers.
The DMZ capability is just one of several means for allowing incoming requests that might
appear unsolicited to the NAT. In general, the DMZ host should be used only if there are no
other alternatives, because it is much more exposed to cyberattacks than any other system on
the LAN. Thought should be given to using other configurations instead: a virtual server, a port
forwarding rule, or a port trigger. Virtual servers open one port for incoming sessions bound for
a specific application (and also allow port redirection and the use of ALGs). Port forwarding is
rather like a selective DMZ, where incoming traffic targeted at one or more ports is forwarded
to a specific LAN host (thereby not exposing as many ports as a DMZ host). Port triggering is a
special form of port forwarding, which is activated by outgoing traffic, and for which ports are
only forwarded while the trigger is active.
Few applications truly require the use of the DMZ host. Following are examples of when a DMZ
host might be required: