Any point of having a Software Firewall behind a Router?

Hi,

I have a Netgear WGT624 (version 4) router which has a built in firewall.
I also have Zonealarm (ZA) as well acting as a firewall.

Seeing as the router has a built in firewall should I uninstall ZA?
Is there any need for a software firewall when the router has one built in...?
 
Only if you want to control outgoing traffic, which you can do with the router firewall, but not on a per-program basis. Otherwise no. I don't bother :)
 
As stated it's good for monitoring/blocking outbound connections. Controlling access from LAN'd machines and provides a secondary layer of security (you should always have more than 1 of any protection in use at a time (except in the bedroom ;) )

I always recommend a software firewall. I haven't done in depth analysis but my thinking is that router firewalls providing NAT etc. will always allow established connections. So whether you established it or something nefarious on your machine, you have no control on that already established connection.

It also helps you with port forwarding etc. if something dodgy is using a forwarded port. Or say you were forwarding 22 for SSH to a server behind your router's firewall, most common household routers are going to allow any packets on that port from any host, a software firewall can be used to reject/drop from particular hosts, IP blocks etc. etc. They are normally much more configurable than standard home routers.
 
It also helps you with port forwarding etc. if something dodgy is using a forwarded port. Or say you were forwarding 22 for SSH to a server behind your router's firewall, most common household routers are going to allow any packets on that port from any host, a software firewall can be used to reject/drop from particular hosts, IP blocks etc. etc. They are normally much more configurable than standard home routers.

Port forwarding is causing me a nightmare at the moment! I use flashfxp for ftp using SSL security for ident. Even though I've forwarded port 113 on the router flashfxp still doesn't work! I've tried it without any firewall being active and still no joy :(

I think it's because I'm using an IP from the router which is 192.168.X.X. When I connect to the site with FFxp I think the connection is not being established (says connection failed or lost) because the hosting site must be looking for my original IP address (the IP I get from Virgin). If I configure the router for "Static IP" then FFxp works but not using DHCP because it looks for my original IP and does not find it.

But Virgin does not like Static IP configs as I lose the connection within 24hrs and then have to set the router to DHCP to get internet access.

Any solutions to this???
 
Not really, I can't see why your remote FTP host isn't accepting a new IP unless it's a deliberate security measure?

I can imagine your static IP doesn't work because Virgin's DHCP leases may expire after 24 hours, therefore people using statics are going to run into conflicts etc.

Have you contacted the host? Maybe they can help you. In the short term you could connect through a remote proxy that uses a static IP (tunnel the SSL through it?)

I realise it's an awfully complicated fix for what seems like a simple problem.

Port forwarding shouldn't factor in as you're establishing the connection and as such the router firewall shouldn't have to accept an incoming connection and route it to a particular local machine.

*edit* reading Bledd's post below, you're not actually hosting the FTP server are you??
 
photoshop, set your pc to use a static ip so 192.168.X something, and forward the port to that ip

are you on cable or adsl? cable only gets a new external ip if you don't connect for 3 days, whereas adsl updates each time you dial

externally use the ip that whatismyip.org tells you, to connect with
 
Guys i get a static IP address from Virgin. I've had this ip address for over a year.

Flashfxp works with the IP address from virgin but does not work for the IP address my router assigns my PC (192.168.X.X)
 
Wasn't very clear from your post tbh. Obviously using an internal DHCP server isn't going to work with port forwarding (as Bledd suggested), because when the lease changes and your machine gets a new IP, the forward rule isn't valid. But I guess you know that from your post above.

"But Virgin does not like Static IP configs as I lose the connection within 24hrs and then have to set the router to DHCP to get internet access."

That implied you were changing the router's PPP connection, but you're talking about disabling the internal DHCP server? I'm not sure how that buggers the connection after 24 hours.

If you're the client connecting to a remote host you won't need port forwarding though, only if an external source was connecting to you behind the router as you'd need it to traverse NAT to your local IP (192.168.x.x) (which is using port forwarding) which I guess "Flashfxp works with the IP address from virgin but does not work for the IP address my router assigns my PC (192.168.X.X)" that suggests? In which case refer back to having to use static IPs as port forwarding. Most routers will have the option of running a DHCP server on the router, but reserving static IPs for some machines, best of both worlds really, you could try that.
 
Now I'm totally lost. A lot of that went over my head.

Are you saying that port forwarding does not work when using DHCP?

If I set my router to Static IP, FFxp works fine. But I lose all connection after 24hrs or so and need to use DHCP again even though my IP address from Virgin has NOT changed.

When I try to connect to a secure SSL site which requires "ident" (which is my username and IP address) it fails because my ident is set up for the original IP address from Virgin and not from the one that the router assigns to my machine (and this can not be changed). This is why static works and DHCP does not. But static is rubbish because it dies after a day so I have to revert back to DHCP and then FFxp does not work.


FFxp searches for my original IP address but all it finds is the address which is assigned to my PC by the router. I need to somehow use DHCP and get FFxp to see my original IP address so connection can be established.

I need to find a fix to this and quick.
 
explain clearly what you're trying to do :), where the ftp server is, what type of internet you have etc..

i'd make a new post in the Networking section of the forum
 
explain clearly what you're trying to do :), where the ftp server is, what type of internet you have etc..

i'd make a new post in the Networking section of the forum

1. I'm trying to get FlashFXp to work because it does not work when I'm using DHCP on my router. It works when using static IP on the router BUT Virgin is notorious for not liking static IP setups on routers, thus my connection goes dead after a day or so and I have to use DHCP to have access to internet. MY IP address from Virgin Never Changes though! I do not have a dynamic IP address.

2. The FTP server I connect to uses SSL security as well as formal identification in the form of a username and IP address. If all these factors are correct I have access. The IP address it looks for is the static IP address I have from Virgin.

3. My connection is 4Mbit Virgin Broadband.

My router is Netgear WGT624 108Mbps
 
1. I'm trying to get FlashFXp to work because it does not work when I'm using DHCP on my router. It works when using static IP on the router BUT Virgin is notorious for not liking static IP setups on routers, thus my connection goes dead after a day or so and I have to use DHCP to have access to internet. MY IP address from Virgin Never Changes though! I do not have a dynamic IP address.

This may get moved but we can keep trying until then. There are 2 different concepts involved here. Your PPP connection (the DSL/Cable you get from Virgin). This can be DHCP or static. And the LAN connection (the network your local machines are on, with IPs 192.168.x.x). This can be DHCP or static as well. You have to make sure you are working with the right one. The fact that you lose your net connection suggests you may be setting the PPP to static. It may be that it's actually a DHCP connection from Virgin but the DHCP is assigning you the same IP over and over. So by setting it static it doesn't sync with Virgin. Could explain why you lose your connection. There will be a DHCP server built into your router, that is what handles static/dynamic amongst local machines. That is the one you need to disable (or reserve some IPs) for your port forwarding. But you say it works like that and you lose all connection after a day, weird.

2. The FTP server I connect to uses SSL security as well as formal identification in the form of a username and IP address. If all these factors are correct I have access. The IP address it looks for is the static IP address I have from Virgin.

Yes it uses your external IP, it has no clue of your internal setup, that's all hidden behind your router. The router is what takes the traffic and passes it back down an established connection, so I'm not sure why you'd need port forwarding.

3. My connection is 4Mbit Virgin Broadband.

My router is Netgear WGT624 108Mbps

Haven't used either, maybe there are known problems with them?

Maybe it would help if you list the exact process you go through to get it working (or not).
 
are you trying to host an ftp server, or is that at an external site that you're trying to connect to?

I've used static IPs (I have DHCP enabled on the router) for years with ntl/virgin, I've had a connection for about 6 months solid (one outage due to weather), linksys wrt54GL router
 
Hi,

I have a Netgear WGT624 (version 4) router which has a built in firewall.
I also have Zonealarm (ZA) as well acting as a firewall.

Seeing as the router has a built in firewall should I uninstall ZA?
Is there any need for a software firewall when the router has one built in...?

Some ISPs leave holes in their supplied routers' firewalls so that they can poke around your PC. A s/ware firewall prevents this.
 
Settings on Router:

[Six screenshots of the router settings pages; images not preserved.]


This is what happens in FlashFXP:

WinSock 2.0 -- OpenSSL 0.9.7g 11 Apr 2005
[L] Connecting to Y -> IP=xx.xx.xx.x PORT=xxxxx
[L] Connected to Y
Ident Request: xx.xx.xx.x - UserID: ian
[L] Connection failed (Connection lost)


It fails when it tries to identify me :(
 
Do you specifically pay for a static IP? With virgin/ntl you tend to keep the same IP for majority of the time but it can change and is exactly why I use dyndns.org or no-ip.com to act as a pointer that points to my router regardless of if my IP changes (you will have to update this periodically though). Using dyndns.org I host an FTP server on one of my machines.

To connect, instead of typing xx.xx.xx.xx:zzzz where x is my external IP from Virgin and z is the port number I've set up, I type cokecan72.dyndns.org:zzzz

If you have DHCP set up within your network and port forwarding then surely that won't work because your router will be auto assigning an IP to your computer which could also change from time to time? It would be best to set your PC to use a specific IP address within the range of IPs that your router supports (going by your pic, anything from 192.168.1.2 to 192.168.1.255) as Bledd. said

just make sure you have the ftp program and/or port allowed through the firewall of zone alarm or the windows firewall if its enabled. On my D-Link router I allow access through the virtual server on a specific port and also allow that same port through the firewall on it to make sure nothing is blocking my connections.
 
Yes, if you forward ports to host a game on your router, but don't want those ports opened when not hosting, you need a software firewall that allows/blocks apps, and a router fw to allow/block ports.
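
The layering argued for in this thread (the router filters by port, the host firewall filters by source address and by program) can be put into a small decision model. This is an added example, not code from any poster; the forwarded port 22 comes from the SSH case above, while the addresses, networks and program names are constructed sample values.

```python
import ipaddress

# Constructed sample policy: documentation address ranges, hypothetical program names.
ROUTER_FORWARDS = {22: "192.168.1.10"}         # WAN port -> LAN host (port forward)
HOST_INBOUND_ALLOW = {22: ["203.0.113.0/24"]}  # port -> source networks the host accepts
HOST_OUTBOUND_PROGRAMS = {"browser.exe", "ftpclient.exe"}

def router_admits_inbound(dport, established):
    """NAT router: replies on established connections and any forwarded port pass,
    whatever the source address."""
    return established or dport in ROUTER_FORWARDS

def host_admits_inbound(src, dport, established):
    """Host firewall: new inbound connections must come from an allowed network."""
    if established:
        return True
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(net)
               for net in HOST_INBOUND_ALLOW.get(dport, []))

def inbound_verdict(src, dport, established=False, host_firewall=True):
    """Walk an inbound packet through the router, then the optional host firewall."""
    if not router_admits_inbound(dport, established):
        return "dropped at router"
    if host_firewall and not host_admits_inbound(src, dport, established):
        return "dropped at host"
    return "delivered"

def outbound_verdict(program, host_firewall=True):
    """The router sees packets, not processes, so only the host can filter by program."""
    if host_firewall and program not in HOST_OUTBOUND_PROGRAMS:
        return "blocked at host"
    return "sent"

if __name__ == "__main__":
    # Same unlisted source hitting the forwarded SSH port, without and with a host firewall.
    print(inbound_verdict("198.51.100.7", 22, host_firewall=False))
    print(inbound_verdict("198.51.100.7", 22))
    # An unlisted program opening an outbound connection, without and with a host firewall.
    print(outbound_verdict("unknown.exe", host_firewall=False))
    print(outbound_verdict("unknown.exe"))
```

With the router alone, the forwarded port is reachable from any source and any local program can open a connection whose replies the router will then pass; the host firewall is the layer that narrows both.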
 