Asus Router RX3042H User Manual
RX3042H User's Manual, Configuring DDNS, p. 59

8 Configuring DDNS

Dynamic DNS (DDNS) is a service that allows computers to use the same domain name even when the IP address changes from time to time (during reboot, or when the ISP's DHCP server resets IP leases). The RX3042H connects to a DDNS service provider whenever the WAN IP address changes. This lets you set up services such as a Web server or an FTP server using a domain name instead of the IP address.

DDNS supports DDNS clients with the following features:
• Update DNS records (addition) when an external interface comes up
• Force DNS update

HTTP DDNS Client

The HTTP DDNS client uses the mechanism provided by the popular DDNS service providers for updating DNS records dynamically. In this case, the service provider updates the records in the DNS, and the RX3042H uses HTTP to trigger this update. The RX3042H supports HTTP DDNS update with the following service provider:
• www.dyndns.org

Figure 8.1. Network Diagram for HTTP DDNS

Whenever the IP address of the configured DDNS interface changes, a DDNS update is sent to the specified DDNS service provider. The RX3042H should be configured with the DDNS username and password obtained from your DDNS service provider.
8.1 DDNS Configuration Parameters

Table 8.1 describes the configuration parameters available for the DDNS service.

Table 8.1. DDNS Configuration Parameters
Field          Description
Interface      Select the interface on which the DDNS service is to be used.
Status         Shows the state of DDNS.
Enable DDNS    Check this box to enable the DDNS service; otherwise, keep the box unchecked.
Domain Name    Enter the registered domain name in this field. For example, if the host name of your RX3042H is “host1” and the domain name is “yourdomain.com”, the fully qualified domain name (FQDN) is “host1.yourdomain.com”.
Username       Enter the username provided by your DDNS service provider in this field.
Password       Enter the password provided by your DDNS service provider in this field.

8.2 Configuring HTTP DDNS Client

Figure 8.2. HTTP DDNS Configuration Page
Follow these instructions to configure the HTTP DDNS client:
1. First, you should have already registered a domain name with the DDNS service provider, dyndns. If you have not done so, please visit www.dyndns.org for more details.
2. Open the DDNS configuration page by clicking the Advanced -> DDNS Service menu.
3. Select the interface on which the DDNS service is to be used.
4. Check the Enable DDNS checkbox to enable the DDNS service.
5. Enter the registered domain name in the Domain Name field.
6. Enter the username and password provided by your DDNS service provider.
7. Click the Apply button to send a DNS update request to your DDNS service provider.

Note that a DNS update request will also be sent to your DDNS service provider automatically whenever the WAN port status changes.
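The following Python client is an added example, not code from the manual or from Asus. It behaves like the router's HTTP DDNS client described above: it remembers the last WAN address it published and only sends an update when the address changes (or an update is forced), and it keeps retrying on the next WAN event when the provider rejects the update. The update endpoint, query parameters and reply codes follow the dyndns2 update protocol as commonly implemented by DDNS providers; they are assumed here, since the manual only names www.dyndns.org. The hostname host1.yourdomain.com is the manual's own example; the credentials and WAN addresses are constructed.

```python
import base64
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# dyndns2-style update endpoint (assumed; the manual only names www.dyndns.org)
UPDATE_URL = "https://members.dyndns.org/nic/update"

class HttpDdnsClient:
    """Behaves like the router's HTTP DDNS client: remembers the last WAN
    address it published and only sends an update when it changes or is forced."""

    def __init__(self, hostname, username, password, send=None):
        self.hostname = hostname
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        self.headers = {"Authorization": "Basic " + token,
                        "User-Agent": "rx3042h-ddns-example/1.0"}
        self.last_ip = None
        # send(url, headers) -> reply text; injectable so the logic runs offline
        self.send = send or self._https_get

    @staticmethod
    def _https_get(url, headers):
        with urlopen(Request(url, headers=headers), timeout=10) as resp:
            return resp.read().decode().strip()

    def build_url(self, wan_ip):
        return UPDATE_URL + "?" + urlencode({"hostname": self.hostname, "myip": wan_ip})

    def on_wan_event(self, wan_ip, force=False):
        """Call when the WAN interface comes up or its address changes."""
        if wan_ip == self.last_ip and not force:
            return "skipped"         # unchanged address: providers treat repeats as abuse
        reply = self.send(self.build_url(wan_ip), self.headers)
        code = reply.split()[0] if reply else "empty"
        if code in ("good", "nochg"):   # record updated / already current
            self.last_ip = wan_ip
            return code
        # badauth, nohost, notfqdn, abuse, 911, ...: keep last_ip so the next
        # WAN event retries, and hand the code to the caller for logging
        return "error:" + code
```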
9 Configuring Firewall and NAT

The RX3042H provides built-in firewall/NAT functions, enabling you to protect the system against denial of service (DoS) attacks and other types of malicious access to your LAN while providing Internet access sharing at the same time. You can also specify how to monitor attempted attacks, and who should be automatically notified.

This chapter describes how to create, modify and delete ACL (Access Control List) rules to control the data passing through your network. You will use the firewall configuration pages to:
• Configure firewall global and DoS settings
• Create, modify, delete and view ACL rules

Note: When you define an ACL rule, you instruct the RX3042H to examine each data packet it receives to determine whether it meets the criteria set forth in the rule. The criteria can include the network or internet protocol it is carrying, the direction in which it is traveling (for example, from the LAN to the Internet or vice versa), the IP address of the sending computer, the destination IP address, and other characteristics of the packet data. If the packet matches the criteria established in a rule, the packet is either accepted (forwarded towards its destination) or denied (discarded), depending on the action specified in the rule.

9.1 Firewall Overview

9.1.1 Stateful Packet Inspection

The stateful packet inspection engine in the RX3042H maintains a state table that keeps track of the connection state of every packet passing through the firewall. If a packet belongs to an already established connection and its state matches the entry maintained by the stateful packet inspection engine, the firewall opens a “hole” to let the packet pass through; otherwise, the packet is dropped. The “hole” is closed when the connection session terminates. No configuration is required for stateful packet inspection; it is enabled by default when the firewall is enabled.
Please refer to section 9.3.1 “Firewall” to enable or disable the firewall service on the RX3042H.
9.1.2 DoS (Denial of Service) Protection

Both DoS protection and stateful packet inspection provide the first line of defense for your network. No configuration is required for either protection as long as the firewall is enabled on the RX3042H. By default, the firewall is enabled at the factory. Please refer to section 9.3.1 “Firewall” to enable or disable the firewall service on the RX3042H.

9.1.3 Firewall and Access Control List (ACL)

9.1.3.1 Priority Order of ACL Rules

Every ACL rule has a rule ID assigned; the smaller the rule ID, the higher the priority. The firewall monitors traffic by extracting header information from the packet and then either drops or forwards the packet by looking for a match in the ACL rule table based on that header information. Note that ACL rule checking starts from the rule with the smallest rule ID and continues until a match is found or all the ACL rules have been examined. If no match is found, the packet is dropped; otherwise, the packet is either dropped or forwarded based on the action defined in the matched ACL rule.

9.1.3.2 Tracking Connection State

The stateful packet inspection engine in the firewall keeps track of the state, or progress, of a network connection. By storing information about each connection in a state table, the RX3042H is able to quickly determine whether a packet passing through the firewall belongs to an already established connection. If it does, it is passed through the firewall without going through ACL rule evaluation. For example, suppose an ACL rule allows outbound ICMP packets from 192.168.1.1 to 192.168.2.1. When 192.168.1.1 sends an ICMP echo request (i.e. a ping packet) to 192.168.2.1, 192.168.2.1 will send an ICMP echo reply to 192.168.1.1.
In the RX3042H, you don't need to create another inbound ACL rule, because the stateful packet inspection engine remembers the connection state and allows the ICMP echo reply to pass through the firewall.

9.1.4 Default ACL Rules

The RX3042H supports two types of access rules:
• ACL Rules: for controlling all access to the computers on the LAN and DMZ, and for controlling access to external networks for hosts on the LAN and DMZ.
• Self-Access Rules: for controlling access to the RX3042H itself.

Default Access Rules
• All traffic from external hosts to the hosts on the LAN and DMZ is denied.
• All traffic originating from the LAN is forwarded to the external network using NAT.

WARNING: It is not necessary to remove the default ACL rule from the ACL rule table! It is better to create higher priority ACL rules to override the default rule.

9.2 NAT Overview

Network Address Translation allows a single device, such as the RX3042H, to act as an agent between the Internet (public network) and a local (private) network. This means that a single NAT IP address can represent an entire group of computers to any entity outside the network. Network Address Translation (NAT) is a mechanism for conserving registered IP addresses in large networks and simplifying IP addressing management tasks. Because IP addresses are translated, NAT also conceals the true network addresses from prying eyes and provides a certain degree of security to the local network. The NAT modes supported are static NAT, dynamic NAT, NAPT, reverse static NAT and reverse NAPT.

9.2.1 NAPT (Network Address and Port Translation) or PAT (Port Address Translation)

Also called IP Masquerading, this feature maps many internal hosts to one globally valid Internet address. The mapping contains a pool of network ports to be used for translation. Every packet is translated to the globally valid Internet address, and the port number is translated to an unused port from the pool of network ports. Figure 9.1 shows that all the hosts on the local network gain access to the Internet by mapping to only one globally valid IP address and different port numbers from a free pool of network ports.
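The following Python model is an added example, not code from the manual or from Asus. It implements the firewall behaviour described in sections 9.1.1 to 9.1.4: rules are checked in ascending rule-ID order and the first match decides, the two default access rules sit at the lowest priority (their IDs, 9998 and 9999, are an assumption), and a state table lets the reply traffic of an established connection through without ACL evaluation, as in the manual's ICMP example between 192.168.1.1 and 192.168.2.1. The packet fields and the other addresses are constructed.

```python
from collections import namedtuple

# direction: "out" (LAN -> external) or "in" (external -> LAN); ports are 0 for ICMP
Packet = namedtuple("Packet", "direction proto src dst sport dport", defaults=(0, 0))
# smaller rule_id = higher priority; proto, src and dst may be "any"
AclRule = namedtuple("AclRule", "rule_id direction proto src dst action")

class StatefulFirewall:
    # Default access rules of section 9.1.4. IDs 9998/9999 are assumed so that
    # any user rule with a smaller ID overrides them, as the WARNING recommends.
    DEFAULT_RULES = (AclRule(9998, "out", "any", "any", "any", "accept"),
                     AclRule(9999, "in", "any", "any", "any", "deny"))

    def __init__(self, user_rules):
        self.rules = sorted(list(user_rules) + list(self.DEFAULT_RULES),
                            key=lambda r: r.rule_id)
        self.state = set()   # open "holes": one entry per established connection

    @staticmethod
    def _flow(pkt):
        # endpoints as an unordered pair, so request and reply share one key
        return pkt.proto, frozenset([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])

    def _first_match(self, pkt):
        for r in self.rules:   # lowest rule ID first; stop at the first match
            if (r.direction == pkt.direction and r.proto in ("any", pkt.proto)
                    and r.src in ("any", pkt.src) and r.dst in ("any", pkt.dst)):
                return r
        return None

    def process(self, pkt):
        """Return the firewall's verdict for one packet and update the state table."""
        key = self._flow(pkt)
        if key in self.state:               # established: skip ACL evaluation
            return "forward (established)"
        rule = self._first_match(pkt)
        if rule is None or rule.action == "deny":
            return "drop"                   # no match, or matched a deny rule
        self.state.add(key)                 # open a hole for the return traffic
        return f"forward (rule {rule.rule_id})"

    def session_closed(self, pkt):
        self.state.discard(self._flow(pkt))  # the hole closes with the session
```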
Figure 9.1. NAPT – Map Any Internal PCs to a Single Global IP Address
Figure 9.2. Reverse NAPT – Relay Incoming Packets to the Internal Host Based on the Protocol, Port Number or IP Address
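The model below is an added example, not code from the manual or from Asus. It shows both directions of Figures 9.1 and 9.2: outbound NAPT, where every internal host is rewritten to the one global address and an unused port from the pool, and reverse NAPT, where an inbound packet is relayed to the internal host registered for its protocol and port (the manual's web, telnet, DNS and FTP servers on PC A to PC D). The global address, the port pool and the internal addresses are constructed.

```python
class Napt:
    """Model of NAPT (section 9.2.1) and reverse NAPT / virtual server (section 9.2.2)."""

    def __init__(self, global_ip, port_pool):
        self.global_ip = global_ip
        self.free_ports = list(port_pool)   # unused global ports available for translation
        self.out_map = {}   # (proto, internal_ip, internal_port) -> global_port
        self.in_map = {}    # (proto, global_port) -> (internal_ip, internal_port)
        self.servers = {}   # (proto, port) -> internal host for reverse NAPT

    def add_virtual_server(self, proto, port, internal_ip):
        self.servers[(proto, port)] = internal_ip

    def translate_outbound(self, proto, src_ip, src_port):
        """Rewrite an internal source to the shared global address + a pool port."""
        key = (proto, src_ip, src_port)
        if key not in self.out_map:                 # new connection: allocate a port
            if not self.free_ports:
                raise RuntimeError("NAPT port pool exhausted")
            gport = self.free_ports.pop(0)
            self.out_map[key] = gport
            self.in_map[(proto, gport)] = (src_ip, src_port)
        return self.global_ip, self.out_map[key]

    def translate_inbound(self, proto, dst_port):
        """Decide where a packet arriving at the global address is relayed to."""
        if (proto, dst_port) in self.in_map:        # reply to an outbound connection
            return self.in_map[(proto, dst_port)]
        if (proto, dst_port) in self.servers:       # reverse NAPT to a virtual server
            return self.servers[(proto, dst_port)], dst_port
        return None                                 # no mapping: default rule drops it

    def release(self, proto, src_ip, src_port):
        """Return the pool port when the internal host's connection ends."""
        gport = self.out_map.pop((proto, src_ip, src_port), None)
        if gport is not None:
            del self.in_map[(proto, gport)]
            self.free_ports.append(gport)

def build_example():
    """Constructed sample: one global address, a tiny port pool and the four
    virtual servers of Figure 9.2 (internal addresses are made up)."""
    nat = Napt("203.0.113.5", range(10000, 10004))
    nat.add_virtual_server("tcp", 80, "192.168.1.11")   # PC A: web server
    nat.add_virtual_server("tcp", 23, "192.168.1.12")   # PC B: telnet server
    nat.add_virtual_server("udp", 53, "192.168.1.13")   # PC C: DNS server
    nat.add_virtual_server("tcp", 21, "192.168.1.14")   # PC D: FTP server
    return nat
```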
9.2.2 Reverse NAPT / Virtual Server

Reverse NAPT is also called inbound mapping, port mapping, or virtual server. Any packet coming to the RX3042H can be relayed to an internal host based on the protocol, port number and/or IP address specified in the ACL rule. This is useful when multiple services are hosted on different internal hosts. Figure 9.2 shows a web server (TCP/80) hosted on PC A, a telnet server (TCP/23) on PC B, a DNS server (UDP/53) on PC C and an FTP server (TCP/21) on PC D. The inbound traffic for each of these four services is directed to the host that provides it.

9.3 Firewall Settings – (Firewall/NAT -> Settings)

9.3.1 Firewall Options

Table 9.1 lists the firewall option parameters.

Table 9.1. Firewall Options Parameters
Field              Description
DoS Check          Check or uncheck this box to enable or disable the DoS check. When the DoS check is disabled, the following functionalities are disabled:
                   • Stateful packet inspection
                   • Skip all DoS attack check
Default NAT
Log Port Probing   Connection attempts to closed ports will be logged if this option is enabled.
Stealth Mode       If enabled, the RX3042H will not respond to a remote peer's attempts to connect to closed TCP/UDP ports.

To configure the firewall settings, follow the instructions below:
1. Open the Firewall Settings configuration page, shown in Figure 9.3, by clicking on the Firewall/NAT -> Settings menu.
2. Check or uncheck the individual check box for each firewall option.
3. Click Apply to save the settings.

9.3.2 DoS Configuration
The RX3042H has an Attack Defense Engine that protects internal networks from Denial of Service (DoS) attacks such as SYN flooding, IP smurfing, LAND, Ping of Death and all re-assembly attacks. It can drop ICMP redirects and IP loose/strict source routing packets. For example, a security device with the RX3042H Firewall provides protection from “WinNuke”, a widely used program to remotely crash unprotected Windows systems on the Internet. The RX3042H Firewall also provides protection from a variety of common Internet attacks such as IP Spoofing, Ping of Death, Land Attack, and Reassembly attacks. For a complete list of the DoS protection provided by the RX3042H, please see Table 2.1.

9.3.2.1 DoS Protection Configuration Parameters

Table 9.2 explains each type of DoS attack. You may check or uncheck the check box to enable or disable protection for each type of DoS attack.

Table 9.2. DoS Attack Definition
Field             Description
IP Source Route   An intruder uses “source routing” in order to break into the target system.
IP Spoofing       Spoofing is the creation of TCP/IP packets using somebody else's IP address. IP spoofing is an integral part of many network attacks that do not need to see responses.
Land              The attacker sends packets to the system with the same source and destination IP address, both being that of the target system, which causes the target system to try to resolve an infinite series of connections to itself. This can cause the target system to slow down drastically.
Ping of Death     An attacker sends packets larger than 64KB to cause certain operating systems to crash.
Smurf             An attacker issues ICMP echo requests to some broadcast addresses. Each datagram has a spoofed IP source address that is that of a real target host. Most of the addressed hosts will respond with an ICMP echo reply, but not to the real initiating host; instead, all replies carry the IP address of the previously spoofed host as their destination and cause the victim host or network to slow down drastically.
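As an added example, not code from the manual or from Asus, the following Python checks express the definitions of Table 9.2 as inspection logic over a reassembled IP packet: a source-routed packet, a source address from the internal range arriving on the WAN side (the usual spoofing check, assumed here as the device's criterion), identical source and destination addresses (Land), a datagram longer than 64KB (Ping of Death), and an echo request aimed at the broadcast address (Smurf). The internal network 192.168.1.0/24 and the packet fields are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")   # constructed: the network behind the LAN port
MAX_DATAGRAM = 65535                 # 64KB; a longer reassembled datagram is invalid
ICMP_ECHO_REQUEST = 8

@dataclass
class IpPacket:
    """A reassembled IP packet as the DoS engine would see it (constructed)."""
    src: str
    dst: str
    proto: str                # "icmp", "tcp" or "udp"
    total_len: int            # reassembled length in bytes
    source_route: bool = False
    icmp_type: int = -1

def dos_checks(pkt, from_wan=True):
    """Return the Table 9.2 protections the packet trips; an empty list means clean."""
    hits = []
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if pkt.source_route:                          # loose/strict source routing option set
        hits.append("IP Source Route")
    if from_wan and src in LAN:                   # outside packet claiming an inside address
        hits.append("IP Spoofing")
    if src == dst:                                # target made to connect to itself
        hits.append("Land")
    if pkt.total_len > MAX_DATAGRAM:              # oversized reassembled datagram
        hits.append("Ping of Death")
    if (pkt.proto == "icmp" and pkt.icmp_type == ICMP_ECHO_REQUEST
            and dst == LAN.broadcast_address):    # echo request amplified by every host
        hits.append("Smurf")
    return hits

def verdict(pkt, from_wan=True):
    """Drop the packet if any enabled DoS check matches, otherwise pass it on."""
    return "drop" if dos_checks(pkt, from_wan) else "pass"
```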