SPI Firewall, security and trouble with DNS

devsk
Advocate
Posts: 3039
Joined: Fri Oct 24, 2003 1:16 am
Location: Bay Area, CA

SPI Firewall, security and trouble with DNS

Post by devsk » Mon Jan 12, 2009 7:46 am

My router WGR614v5 has a built-in SPI firewall which analyzes incoming packets and blocks access. Now, the problem is that the processor on this thing is not fast enough and the rules are weird. It's basically blocking replies to some valid DNS inquiries as well and dropping packets. I end up with firefox stuck in "looking up <blah>" on many pages. Konqueror almost always fails to load tabs with an "unknown host" page.

Once I disable the SPI firewall, I see no slowdowns in firefox, and konq works fine. My internet throughput (both up and down) improves A LOT! The router doesn't allow me to change any properties of the firewall. It's just enable/disable.

Now, the question is: should I disable the SPI firewall? I do get the benefits of NAT from the router and have no open ports or DMZ. Is that enough? Or is the world not safe enough to leave the SPI firewall disabled? What are your thoughts?

Is there a good router with good enough SPI firewall which works with DNS and VPN, can handle a bit of load, can be configured a little bit?
Plumbo
n00b
Posts: 46
Joined: Fri Feb 01, 2008 11:35 pm

Post by Plumbo » Mon Jan 12, 2009 8:46 pm

I guess it all comes down to how paranoid you feel :)
Personally I would try to track down the source of the problems so that I could enable the firewall again. That shouldn't mean that you need to buy yourself another piece of hardware though.

Are you up to date on the firmware for your device? They usually release a couple of updates after some time, but a lot of people just forget about updating it.
You could also consider looking at some alternatives like flashing it with dd-wrt or something, as that's known to be working very well with all supported hardware.
Check this site for compatibility and instructions if you want to check it out: http://www.dd-wrt.com/wiki/index.php/Supported_Devices
/Plumbo
devsk
Advocate
Posts: 3039
Joined: Fri Oct 24, 2003 1:16 am
Location: Bay Area, CA

Post by devsk » Mon Jan 12, 2009 9:25 pm

I have the latest firmware for the router installed.

dd-wrt doesn't support wgr614v5....:(

I can try downgrading to earlier versions to see if the problem goes away with those, but I am not sure if it's safe. I don't want to end up with a brick.

The problem definitely is the SPI firewall because if I disable it, the problem goes away.
Plumbo
n00b
Posts: 46
Joined: Fri Feb 01, 2008 11:35 pm

Post by Plumbo » Mon Jan 12, 2009 11:41 pm

Hmmm... I see others are having similar problems on another forum:
I also found that it has DNS lookup problems after switching between ISPs, which may be related to the problems others have reported with dynamic IP lease renewals. It appears to have updated the DNS addresses, but in fact DNS lookups can be unstable for a while after a switch, possibly due to an internal lookup cache not being cleared properly. It helps to specify the DNS addresses explicitly instead of relying on DHCP.
What kind of setup do you have for your ISP? Are you able to set the DNS addresses manually to see if that solves the issue?
/Plumbo
devsk
Advocate
Posts: 3039
Joined: Fri Oct 24, 2003 1:16 am
Location: Bay Area, CA

Post by devsk » Tue Jan 13, 2009 1:51 am

I have tried everything. Manual ISP-provided (comcast, for the last 6 years) DNS servers in resolv.conf, the 4.2.2.X series in resolv.conf, dnsmasq, named from bind. But everything ultimately gets stuck behind DNS from the router because the cache expires.

And it's not just about DNS. I think in general the router is slow when SPI is enabled. I think its internal processor is not able to keep up with packet inspection when there is a large barrage of packets. Not to mention it might be detecting some of that as a DOS.
Hu
Administrator
Posts: 24398
Joined: Tue Mar 06, 2007 5:38 am

Post by Hu » Tue Jan 13, 2009 3:31 am

What systems are protected by this router? If it is only shielding Linux hosts, I would turn off the router's firewall and use a packet filter on the Linux host. Linux can do stateful inspection of incoming traffic, and I would be surprised if Linux cannot match the router's features. If you have some other type of machine behind the router, particularly a Windows one, it is a harder decision. Theoretically, having it doing NAT should protect the internal hosts by virtue of it dropping incoming probes due to it not being able to map them to a specific machine.
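An added example of the host-side stateful filter Hu describes (not code from the thread or from any poster): an nftables ruleset that drops unsolicited inbound traffic but, via conntrack, still accepts the UDP DNS answers to the host's own queries that the router's SPI firewall was dropping. It assumes nftables is installed and uses a placeholder LAN interface name in LAN_IF.

```shell
#!/bin/sh
# Added example, not from the original thread. Stateful host packet filter
# with nftables as a replacement for the router's SPI firewall.
LAN_IF="${LAN_IF:-eth0}"   # assumed interface name; adjust for the real host

# Emit the ruleset as text so it can be reviewed before being loaded.
render_ruleset() {
  cat <<EOF
flush ruleset
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;

    # Replies to flows this host started are tracked by conntrack, so a
    # UDP DNS answer to our own query counts as "established" and is
    # accepted here rather than dropped as an unsolicited packet.
    ct state established,related accept
    ct state invalid drop

    iif lo accept
    ip protocol icmp accept
    ip6 nexthdr icmpv6 accept

    # A local caching resolver (dnsmasq or named) is reachable from the LAN only.
    iifname "$LAN_IF" udp dport 53 accept
    iifname "$LAN_IF" tcp dport 53 accept

    # Anything else arriving unsolicited (probes, scans) falls to policy drop.
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
  }
  chain output {
    type filter hook output priority 0; policy accept;
  }
}
EOF
}

# Load the ruleset atomically; needs root and the nft binary.
apply_ruleset() {
  command -v nft >/dev/null 2>&1 || { echo "nft not installed" >&2; return 1; }
  render_ruleset | nft -f -
}

# Usage: ./hostfw.sh show  (print the ruleset)  |  sudo ./hostfw.sh apply
case "${1:-show}" in
  apply) apply_ruleset ;;
  *)     render_ruleset ;;
esac
```

Run with `show` first and read the output; `apply` replaces the whole ruleset, so keep a console session open when loading it on a remote box.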
devsk
Advocate
Posts: 3039
Joined: Fri Oct 24, 2003 1:16 am
Location: Bay Area, CA

Post by devsk » Tue Jan 13, 2009 7:04 am

Hu wrote: What systems are protected by this router? If it is only shielding Linux hosts, I would turn off the router's firewall and use a packet filter on the Linux host. Linux can do stateful inspection of incoming traffic, and I would be surprised if Linux cannot match the router's features. If you have some other type of machine behind the router, particularly a Windows one, it is a harder decision. Theoretically, having it doing NAT should protect the internal hosts by virtue of it dropping incoming probes due to it not being able to map them to a specific machine.
Yeah, it is serving a mix of Windows and Linux hosts.
minor_prophets
Apprentice
Posts: 281
Joined: Sun Oct 07, 2007 9:25 pm

Post by minor_prophets » Tue Jan 13, 2009 8:41 pm

Will Tomato run on that router, I wonder.

I am running 2 wrt54g's w/ dd-wrt. I'm not thrilled. Definitely beats the crappy stock firmware from Linksys. I'm at the point now where I would rather build my own. I'm currently awaiting a CF-to-IDE attachment and a 3-GB lan daughtercard for one of those Jetway C7 1.2GHz fanless jobbers.

I'm just trying to sort out whether I'll be running netfilter or pf, CF card only and/or use a 2.5" sata drive I have.