Modem side firewall & Router side firewall


nord_musician

Occasional Visitor
Hello, I'm new here and I gotta say that I love all the work done with the Merlin firmware; it's fast, clean and neat.

I have a question about whether I should turn off one of my firewalls or not. My ISP (Comcast Xfinity) provided me a router modem (Arris TG862G) which I already set up in bridge mode, the firewall is still on, and my Asus 68U also has its own firewall on.

My current set up is: Modem Arris TG862G -> Router Asus RT68u (Merlin firmware) -> Switch Netgear GS108-400NAS ProSAFE GS108 -> Wired clients

Should I turn off my modem's firewall or my router's firewall?

Thanks in advance
 
That would depend on the capability of the modem's firewall. Does it also do IPv6? Can you add rules to it? Does it blend?
 
Most all-in-one devices tend to have very basic firewall capabilities, and they aren't kept up-to-date in terms of security. I recommend keeping the modem bridged, and relying on the Asus router as your firewall. It will also be far easier for you to manage, in addition to all the advanced features Asus provides such as the Trend Micro DPI engine.
 
> That would depend on the capability of the modem's firewall. Does it also do IPv6? Can you add rules to it? Does it blend?

It does IPv6 but I'm running everything on IPv4. It doesn't allow adding specific rules, only the selection of a few.

  • Maximum Security (High)
    LAN-to-WAN: Allow as per below.
    HTTP and HTTPS (TCP port 80, 443)
    DNS (TCP/UDP port 53)
    NTP (TCP port 119, 123)
    email (TCP port 25, 110, 143, 465, 587, 993, 995)
    VPN (GRE, UDP 500, TCP 1723)
    iTunes (TCP port 3689)
    WAN-to-LAN: Block all unrelated traffic and enable IDS.

  • Typical Security (Medium)
    LAN-to-WAN: Allow all.

    WAN-to-LAN: Block as per below and enable IDS.
    IDENT (port 113)
    ICMP request
    Peer-to-peer apps:
    kazaa - (TCP/UDP port 1214)
    bittorrent - (TCP port 6881-6999)
    gnutella - (TCP/UDP port 6346)
    vuze - (TCP port 49152-65534)

  • Minimum Security (Low)
    LAN-to-WAN: Allow all.

    WAN-to-LAN: Block as per below and enable IDS.
    IDENT (port 113)

  • Custom Security
    LAN-to-WAN: Allow all.

    WAN-to-LAN: IDS Enabled and block as per selections below.

    Block http (TCP port 80, 443)
    Block ICMP
    Block Multicast
    Block Peer-to-peer applications
    Block IDENT (port 113)
    Disable entire firewall
> Most all-in-one devices tend to have very basic firewall capabilities, and they aren't kept up-to-date in terms of security. I recommend keeping the modem bridged, and relying on the Asus router as your firewall. It will also be far easier for you to manage, in addition to all the advanced features Asus provides such as the Trend Micro DPI engine.

Thanks for your attention :)

If the modem's firewall is deactivated, does that mean the router's processing resources (CPU and RAM) will get more use and possibly "cough", making me power the router off and on?
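For readers who want to see what the modem's "Maximum Security" profile above actually amounts to on the router side, here is an added example (not code from this thread, nor from Asus or the Merlin firmware) that renders that profile as iptables FORWARD rules of the kind one would place in a firewall-start script on a Linux-based router. It is a dry run: the commands are printed, not executed. The interface names WAN_IF and LAN_IF are assumptions, and the profile's IDS component is not reproduced; "block all unrelated traffic" is expressed with conntrack state matching, which is the stateful (SPI) behaviour the later reply refers to.

```shell
#!/bin/sh
# Added example: render the Arris "Maximum Security" profile as iptables rules.
# Dry run only; nothing is applied. Interface names are assumed placeholders.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-br0}"

# Print one LAN-to-WAN accept rule for new connections to the given ports.
lan_to_wan_allow() {
    proto=$1
    ports=$2
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -p $proto -m multiport --dports $ports -m conntrack --ctstate NEW -j ACCEPT"
}

# Emit the full rule set, in the order it would be applied.
render_max_security() {
    # Stateful part: replies to permitted connections pass in both directions;
    # packets that belong to no tracked connection are dropped.
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP"

    # LAN-to-WAN allowlist, exactly as the profile lists it.
    lan_to_wan_allow tcp 80,443                       # HTTP and HTTPS
    lan_to_wan_allow tcp 53                           # DNS over TCP
    lan_to_wan_allow udp 53                           # DNS over UDP
    lan_to_wan_allow tcp 119,123                      # listed as "NTP" in the profile (NTP itself is UDP 123; TCP 119 is NNTP)
    lan_to_wan_allow tcp 25,110,143,465,587,993,995   # email
    lan_to_wan_allow tcp 1723                         # VPN: PPTP control channel
    lan_to_wan_allow udp 500                          # VPN: IKE
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -p gre -j ACCEPT"   # VPN: GRE has no ports
    lan_to_wan_allow tcp 3689                         # iTunes

    # Anything else leaving the LAN, and any new inbound connection from the WAN, is dropped.
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -j DROP"
    echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m conntrack --ctstate NEW -j DROP"
}

# Number of rules emitted; handy as a sanity check before applying anything.
rule_count() {
    render_max_security | wc -l | tr -d ' '
}

render_max_security
```

Run it as-is to review the rules; to apply them on a router you would pipe the output into sh after setting WAN_IF and LAN_IF to the real interface names. The ordering matters: the ESTABLISHED,RELATED accept must precede the final drops, or return traffic for the allowed connections would be blocked.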
 
> If the modem's firewall is deactivated, does that mean the router's processing resources (CPU and RAM) will get more use and possibly "cough", making me power the router off and on?

The router is designed for that specific job.
 
When the CM/GW is in bridge mode, the Modem Firewall isn't used at all... that function is only applicable when it is the router/gateway. You will need to depend on the attached router for NAT/SPI protection...
 