Firewall settings on new TP-Link Archer D7 router

Celestion44

Morning everyone. I am really hoping there is at least one fellow member with a similar router who can help me out here.
Although I have been in touch with technical support, I fear my overall lack of IT knowledge means that I am not understanding what I am being told.
Having recently purchased this router, I went through the set up "wizard" routine and all appeared well until I discovered that the Firewall did not appear to be switched on by default. So I thought it logical to switch it on. I was then faced with radio buttons for "allow" and "deny", which look like this:

Allow the packets not specified by any filtering rules to passthrough this device.

Deny the packets not specified by any filtering rules to passthrough this device.

(Note: The device will match the incoming packet with the enabled filtering rules one by one down the list and apply to the first matching rule. If the packet is not specified by any filtering rules within the list, then the Default Filtering Rule will take effect)

I have absolutely no idea how to set up filtering rules and am at a loss to know how best to proceed.
All I want is a router which "allows" all outgoing requests (from my home LAN) and by default "denies" all incoming requests (from the Internet). This was what I had with my old router.

Also, and not under the same menu as "Firewall" above, I have noticed a radio button for "SPI Firewall" under "WAN settings/WAN service setup". Should this be ticked or is it not relevant to what I am trying to achieve?

I would be so very grateful to any fellow member who could spare just a few moments to put me on the right track here. For now, I continue to use my old but damaged router!
 
I don't know your device, but the general principle in any security mechanism is usually to deny-by-default and only allow stuff that hits a rule that permits.

In general it seems to be the case that SOHO kit is by default configured as you require, i.e. allow all outbound connections and deny all inbound ones, thence you have to set up exceptions (often called "port forwarding" rules) if you want to permit inbound connections. That's fine for most people, but there are those who want to (for example) "host" online games, set up their own web servers, allow access to files, etc. that need to then set up some inbound port forwarding rules to avail such.

So, I'd be setting deny by default and unless you have any reason to "allow in" connections from the Internet, you shouldn't need to set up any inbound port forwarding rules.

Of course, when you are using the Internet, traffic travels both to/from local hosts and the target Internet resources, which sometimes confuses people in that they think that inbound rules need to be created to permit the "return" traffic. I usually suggest that people conceptualise this like a telephone system going through a modern "corporate" switchboard that can do things like permit outbound calls but block inbound ones (a scenario not likely in the real world, but stick with me for the sake of debate.) Once an (outbound) call is established the "conversation" between the end points flows "both ways" through the switchboard, but the switchboard config prevents the establishment of any inbound calls.

Firewalls work much the same way, it's policing which direction connections can be established, (usually outbound only by default in SOHO.) Once a session (say to a web site) is established, the firewall permits two way traffic to/from that site until the connection is terminated, (either explicitly or it times out,) whence it gets shut down again. This is what SPI is all about (Stateful Packet Inspection.) It's the mechanism the firewall uses to "know" which pairs of hosts are legitimately talking to each other, so that it can permit packets between such hosts and drop any others. In SOHO kit, you don't normally need to worry about it - SPI "just works."
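
The behaviour described in the reply above, as an added example that is not part of the original thread and is not TP-Link's firmware logic: a toy Python model of first-match filtering rules, a default rule, and an SPI state table that lets return traffic through. The class names, addresses and ports are constructed for illustration, and NAT is left out.

```python
# Added illustration: toy model of first-match filtering plus SPI state tracking.
# All addresses and ports are constructed sample values; NAT is ignored.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool  # True = arriving from the Internet (WAN) side


class Firewall:
    def __init__(self, default_inbound="deny", rules=()):
        self.default_inbound = default_inbound  # the "Default Filtering Rule"
        self.rules = list(rules)  # (dst_port, action) pairs, checked top to bottom
        self.sessions = set()     # SPI state table: connections opened from the LAN

    def handle(self, p):
        if not p.inbound:
            # Outbound is always permitted; remember it so replies can return.
            self.sessions.add((p.src, p.sport, p.dst, p.dport))
            return "allow"
        # An inbound packet that mirrors a tracked session is return traffic.
        if (p.dst, p.dport, p.src, p.sport) in self.sessions:
            return "allow"
        for port, action in self.rules:
            if p.dport == port:
                return action  # first matching rule wins
        return self.default_inbound  # nothing matched

    def close(self, p):
        # Session ended or timed out: forget it, so late "replies" are dropped.
        self.sessions.discard((p.src, p.sport, p.dst, p.dport))


def demo():
    fw = Firewall(default_inbound="deny")
    out = Packet("192.168.1.10", 50000, "203.0.113.5", 443, inbound=False)
    reply = Packet("203.0.113.5", 443, "192.168.1.10", 50000, inbound=True)
    probe = Packet("198.51.100.7", 40000, "192.168.1.10", 23, inbound=True)
    results = [fw.handle(out), fw.handle(reply), fw.handle(probe)]
    fw.close(out)
    results.append(fw.handle(reply))  # same packet after the session has closed
    return results


if __name__ == "__main__":
    print(demo())
```

With the default set to "deny" and no rules defined, the outbound request and its reply pass while the unsolicited inbound packet is dropped, which is the behaviour asked for in the first post.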
 
To mickevh - many thanks for your detailed reply & the example by visualising the telephone system. Very helpful & clear. I understand exactly what you are saying.
My problem, however, is that I simply don't know what action to take to be able to "deny by default". I appreciate that this may sound strange but it may simply be a case that I am not understanding what I am being told by Technical Support. Logic tells me that I should be turning the Firewall on though!
So despite the very helpful reply, I would still very much like to hear from any members who have one of the "Archer" series routers from TP-Link and to know how they have gone about setting things up to prevent "inbound" requests and allow "outbound".
Thanks again.
 
Many thanks cjed for your helpful advice which makes a lot of sense to me and would have been my logical default option. However, because this is not exactly what I am being told to do by Technical Support, I hope you won't be offended by my asking if your advice is based on having first hand experience of the "Archer" range of routers.
 
No offence taken, I'm not a user of that particular range of routers (although I have used a large number of other routers).
 
Despite helpful advice given by 2 fellow members, I would still very much like to hear from anyone with first hand experience of the TP-Link "Archer" range of routers. Many thanks.
 
