Hi,

I've got a new 2860 (+ 2xAP900) which I'm in the process of setting up.

There are so many intricate settings (which I expected), I don't know when I will be ready to go live with it. How do people test the security of their system?

thanks

Security in what context, Wifi, WAN, LAN->WAN, VPN?

Basic rules are these:

1. if you are you running any LAN side servers, only forward the ports you need. There are several web tools out there that will do a port scan of your IP to tell you what ports you have open.
2. If you are running a VPN, then use the most secure type, lots of info out there on different VPN types, and don't forget strong passwords.
3. Wifi, use a random password generator for your wifi, or at least a passphrase that makes no sense.
4. Enable DOS defenses, I only use portscan and flood defenses.
5. Unless you need it, turn off respond to Ping from WAN.
6. Change your default admin password!

That's my default. I also have some IP blocks set up for HK and Chinese addresses.

I'm sure others can add to thise.

Thanks - some good tips there.

Is there any reason why you don't check all the DOS options?
Will the default firewall block everything nasty?
No gotchas on the default NAT settings?

Many thanks

I dont have a reason for not using all of the DOS options really. When I first got the 2860 I ticked everything. I've had some stability issues which seem to be resolved now with the firmware version I'm running but I guess I de-ticked those others at some point and never reset them. I suspect unless you have something really interesting to hide ( your not GCHQ are you? ) most hackers will not be botherinng to trry a DOS attack on you.

The default firewall will only block what it's told to. My port forward rules only expose my mail server ports and one that I use for my streaming when I am away from home, plus my VPN. I have addded some extra rules to block some chinese and HK addresses that were trying to either send mail or were trying to access my VPN.

A useful one I use is the following:



This adds all incoming packets to the log; it's not enabled all the time but allows me to see who is connecting. I usually use this in conjunction with my server logs. I will then add a block on that address or range of addresses in the case of the Chinese and HK filters.

As you can see, I only care about what comes knocking at the door, not about what happens within the LAN, I have no interest in blocking access to the WAN for anything, not even facebook!

OOTB the dafaults work well enough, NAT settings are fine depending on your LAN setup. I would suggest the following though.

Make sure you use the Bind IP to Mac for your servers and also under Applications is Lan DNS/DNS Forwarding, Add entries there for your local servers, for example I have some for several bits of kit, and one for my mail server so that a request from a PC or iPad or phone gets directed to the local address rather than the WAN address. So add an entry where the domain name is like this - lmail.draytek.com -and them the ip address points to the server, in my case 192.168.1.30. BTW, draytek is not my domain name

Hope that helps, shout if you need more.

Amadeus wrote: Is there any reason why you don't check all the DOS options?

DoS protection on a router is a bit of a gimmick. If somebody determined wants to take down your internet connection by saturating your line with information, then your router dropping those packets when it receives them won't make a difference; no other information will be able to get through.

On the other hand, DoS protection was causing me a few issues; the router thought that my opening lots of browser windows concurrently was a DoS attack and it blocked my PC.

Marjohn56: wow - thanks for the great info. I'll read and digest. The luxury with having a (generally) working setup is that I can play with it and understand it before I put the new device live. Not sure I'll get through the entire manual tho!

Takeo_Ischi: Sure, I can appreciate that. TBH, I don't really understand each of the many options for the DOS options but it seemed to make sense to check them all. Now I know there could be some instability (which both of you have mentioned), I'll keep an eye on it.

My wife is out tomorrow morning so that's 4 hours of play time, running through the manual, trying to work out what some of the options do!

Thanks for taking the time to reply guys.