This article continues an overview of the functionality provided by the DD-WRT OpenSource router firmware. The previous article can be found at: DD-WRT Firmware on the Asus RT-N16 Router – Part 3, Services.
The previous article dealt with the different Services options available, whereas this article will detail the Security and Access Restrictions configuration options available.
The goal is to understand the different options provided by the DD-WRT OpenSource router firmware and compare it with the firmware provided by Asus when you purchase the RT-N16 device. Also, another popular OpenSource router firmware distribution from the Tomato Firmware group will be reviewed.
What is an SPI Firewall?
SPI stands for Stateful Packet Inspection.
It’s a firewall designed for two purposes: First, it keeps track of the state of a connection to the Internet. If the connection was originated from inside the home network it tracks this and the IP address the data is intended for. It then only allows this IP address to respond back to the internal IP address.
Secondly, it inspects the network packet for various things such as TCP flags, packet number sequences and the intended use of the packet data. If the SPI firewall determines the data could be harmful, it rejects the data.
So, is an SPI Firewall on your router required if every router already has NAT?
Short answer: probably.
The NAT (Network Address Translation) process in your router is responsible for translating the internal IP address of the computer in your home network to the public IP address assigned to you by your Internet Service Provider (ISP). It then reverses this process when the data response comes back from the Internet (WAN) and translates the public IP address back to the private IP address of your home computer.
Because of this process, NAT knows whether the data response from the Internet was in response to a request from you home network computer. If it is not, then NAT essentially becomes a firewall and blocks the data from reaching your home network. In this regard it performs the “Stateful” functionality of the SPI Firewall.
NAT was initially designed more from a routing perspective in allowing multiple home computers to be able to share one public Internet connection. The side benefit was that this process allows it to easily keep out unwanted traffic from the Internet.
An SPI Firewall was designed for the specific purpose of protecting and offers an extra level of protection in that it can inspect the network data packet contents. For this reason it should be left enabled. However, there are opinions on how deep or useful this packet inspection is for consumer grade routers.
The point to remember is that even without the SPI Firewall enabled, you still have protection from the NAT functionality built into your router.
CISCO offers a simple example of NAT and the SPI Firewall on their learning center website: Protecting Your Network.
Security – Firewall
Security – VPN Passthrough
Access Restrictions – WAN Access
The Access Restrictions screen allows you to block access to the Internet (WAN) for certain computers in your home network. You can specify a list of computers along with certain days of the week or times of the day.
The WAN Access option allows you to define as many as 10 different access policies. Maybe you want to allow your older kids access until midnight, and the younger ones only until 10:00 pm.
Another option allows you to block access to certain websites by entering the URL address for that website. You can exclude more websites by simply blocking those websites which contain certain keywords. However, using this option you may inadvertently block websites which are ok.
For blocking websites you may be better off by purchasing software to run on your computers or subscribing to an online service which does this for you. With a service, the websites it blocks are continuously updated and kept current without you having to manually maintain.
Return to the Firmware Overview: Asus RT-N16 Router Firmware Overview