03-30-2011, 09:02 PM | #1 | ||
Pro Starter
Join Date: Oct 2000
Location: Cary, NC
|
Routers, Firewall, and RoadRunner
I have upgraded to Road Runner Extreme. Along with this came a new modem / router combo, the Ubee DDW3611. This includes 4 gigabit ports for the router side, and 802.11n wireless networking. I can set this up in bridge mode so it works just like a cablemodem and then connect my old router, but with new smartphones in the house I like having the wireless capability. Plus gigabit ports on the router can't hurt as I move forward wiring the house.
The problem is that the firewall in this thing is pretty pathetic. There is an IP Flood Detection setting that if you leave it on causes major packet loss. I've turned that off, and almost everything is working fine, except most video streaming seems to want to cut off after around 20 minutes with a dropped connection. If I retry a minute or two later, it reconnects and goes fine for another 20 minutes.
There is another setting called "Firewall Protection". From reading that I just assume that means turning the firewall on and off, but the description is more narrow and claims it helps prevent denial of service attacks. I'm also hearing that this should be turned off, but that may just be a suggestion for bridge mode, and I get very nervous about turning the firewall off completely. So there's a mix of "does this really turn the whole firewall off?" and "do I need the setting anyway?".
So my first question is, with a router doing NAT for the rest of the network, how important is having a firewall active? And second, is anyone familiar enough with this modem to know if that setting deactivates the whole thing, or just some specific feature of it?
There is no manual for the modem, and TWC is not supporting any other DOCSIS 3 modems right now (they have a Motorola that includes voice but is not fully supported yet, and they won't support you getting your own DOCSIS 3 modem), so I'm a bit stuck at finding answers about this thing. Any networking gurus with any suggestions here that will prevent me from putting it in bridge mode and going back to my old router?
__________________
-- Greg -- Author of various FOF utilities |
||
03-30-2011, 09:06 PM | #2 |
Pro Starter
Join Date: Oct 2000
Location: Cary, NC
|
And apparently the thing has four operating modes: Bridge Mode, NAT mode, Router mode, and NAT router mode. I understand that Bridge Mode is just a pass-through, but I did not know you could have NAT and Router mode as two separate things. Right now it's set to NAT mode; I wonder if it should be NAT and Router mode?
__________________
-- Greg -- Author of various FOF utilities |
03-30-2011, 09:07 PM | #3 |
Death Herald
Join Date: Nov 2000
Location: Le stelle la notte sono grandi e luminose nel cuore profondo del Texas
|
If you are worried about security, I tend to shy away from "all in one" solutions. If any part gets compromised, then the whole unit is compromised. The way I have my network set up is:
Cable ----> Cable Modem ------> Firewall -----> Switch
From the switch I have lines going to other switches and wireless access points.
__________________
Thinkin' of a master plan 'Cuz ain't nuthin' but sweat inside my hand So I dig into my pocket, all my money is spent So I dig deeper but still comin' up with lint |
03-30-2011, 09:17 PM | #4 | |
Grizzled Veteran
Join Date: Nov 2003
Location: MA
|
I think the NAT will be enough for what you are doing, that was going to be my recommendation before you mentioned it. That said I'm not at all familiar with that router.
Quote:
Unless your access points are routers (in which case only wireless will be buffered) or you are running fancy enterprise switching, all that needs to be compromised there is the firewall and you're done. No different from an all-in-one. Modems, switches and vanilla access points aren't going to stop anything.
Last edited by jeff061 : 03-30-2011 at 09:18 PM. |
|
03-30-2011, 09:26 PM | #5 |
Death Herald
Join Date: Nov 2000
Location: Le stelle la notte sono grandi e luminose nel cuore profondo del Texas
|
True, but NAT itself isn't a firewall. Plus, once a vulnerability is found in a particular cable modem device, script kiddies go to town hacking for the hell of it since the vast majority of people rely solely on the cable modem to provide all of the protection, and they know which providers use which model devices. I like having a beefier independent firewall in place, and put the effort into locking down that, as I have more control there than I do at the cable modem.
__________________
Thinkin' of a master plan 'Cuz ain't nuthin' but sweat inside my hand So I dig into my pocket, all my money is spent So I dig deeper but still comin' up with lint |
03-30-2011, 09:32 PM | #6 |
Grizzled Veteran
Join Date: Nov 2003
Location: MA
|
Nope, NAT isn't a firewall, but it's not going to allow inbound connections through without having port forwarding configured. Which is good enough for most people.
|
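An added illustration of the NAT-versus-firewall point made in the two posts above (not code from any poster, and not a model of the Ubee's firmware): a toy translation table in Python. The addresses, the `Napt` class and the `endpoint_filtering` switch are hypothetical; the permissive case corresponds to the endpoint-independent filtering behaviour described in RFC 4787.

```python
from dataclasses import dataclass, field

@dataclass
class Napt:
    """Toy port-translating NAT table (constructed model, not router firmware)."""
    endpoint_filtering: bool = False  # True: also match the remote endpoint, as a stateful firewall does
    forwards: dict = field(default_factory=dict)  # public port -> (lan_ip, lan_port)
    mappings: dict = field(default_factory=dict)  # public port -> (lan_ip, lan_port, remote)
    next_port: int = 40000

    def outbound(self, lan_ip, lan_port, remote):
        """A LAN host opens a flow: allocate a public port and record the mapping."""
        port = self.next_port
        self.next_port += 1
        self.mappings[port] = (lan_ip, lan_port, remote)
        return port

    def inbound(self, remote, public_port):
        """Return the LAN (ip, port) an inbound packet reaches, or None if dropped."""
        if public_port in self.forwards:  # explicit port forward: always delivered
            return self.forwards[public_port]
        entry = self.mappings.get(public_port)
        if entry is None:  # no mapping, so there is nothing to translate to
            return None
        lan_ip, lan_port, expected = entry
        if self.endpoint_filtering and remote != expected:
            return None  # mapped port, but the sender is not the peer the LAN host contacted
        return (lan_ip, lan_port)


def compare():
    """Run the same inbound packets through NAT alone and NAT plus endpoint filtering."""
    server, stranger = ("203.0.113.10", 443), ("198.51.100.7", 5555)  # constructed addresses
    results = {}
    for name, filtering in (("nat_only", False), ("nat_plus_filter", True)):
        nat = Napt(endpoint_filtering=filtering)
        port = nat.outbound("192.168.0.20", 51000, server)
        results[name] = {
            "unsolicited": nat.inbound(stranger, 8080),
            "reply": nat.inbound(server, port),
            "stranger_on_mapped_port": nat.inbound(stranger, port),
        }
        nat.forwards[8080] = ("192.168.0.30", 80)  # now configure a port forward
        results[name]["after_forward"] = nat.inbound(stranger, 8080)
    return results


if __name__ == "__main__":
    for name, outcome in compare().items():
        print(name, outcome)
```

In both configurations the unsolicited packet is dropped until a port forward exists; only the filtering configuration also drops a third party sending to a port that an outbound flow has already opened.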
03-30-2011, 09:37 PM | #7 | |
Pro Starter
Join Date: Oct 2000
Location: Cary, NC
|
Quote:
That's what I was wondering about, and whether I should turn off the "Firewall Protection" setting because it may be blocking stuff it shouldn't be. But I don't want to go wide open, either. The answer may be to go back into Bridge mode and stick my old router (an RP614 from Netgear) back in as the main connection for the internal network. Or optionally something beefier; my searching for info has turned up some interesting options from Sonicwall (saw that separately in a different discussion here) and Netgear. Not sure if that means losing the wireless though, although we mostly leave that turned off and only turn it on when we want to download an app to the smartphone.
__________________
-- Greg -- Author of various FOF utilities |
|
03-30-2011, 10:26 PM | #8 |
Grizzled Veteran
Join Date: Nov 2003
Location: MA
|
Sonicwall may be a little overkill for the home, though maybe they have a really cheap model, not sure.
I'm happy with my D-Link, Netgear I believe is fine as well. Linksys has tanked over the last few years.
Last edited by jeff061 : 03-30-2011 at 10:26 PM. |
03-31-2011, 08:58 AM | #9 |
Pro Starter
Join Date: Oct 2000
Location: Cary, NC
|
Thanks for all the advice folks. Going to play around with some stuff and see if I can pin down the issues.
__________________
-- Greg -- Author of various FOF utilities |
03-31-2011, 02:11 PM | #10 |
Coordinator
Join Date: Nov 2003
Location: The Great Northwest
|
I wish I could help you on this one, but all we are handing out in the LA West area are the Motorola SBG6580, which I'm not very fond of either. My only experience with the Ubee was when I went to North Carolina for training on our Signature Home/Service product. I will email the company from my TWC address and see if they can give me a manual (since their site has nothing).
|
03-31-2011, 07:00 PM | #11 | |
Pro Starter
Join Date: Oct 2000
Location: Cary, NC
|
Quote:
See the fun part is most stuff is working fine, so even pinning this down on the router is just a shot in the dark. I still need to test streaming on another device, because the Sony Blu-Ray that started giving problems goes through Sony's servers which sometimes have issues, and my wife's machine (connected through same router) is not having the PuTTY issues mine is, so we'll see. But yeah, figuring out the firewall / router settings is a PITA on this Ubee.
__________________
-- Greg -- Author of various FOF utilities |
|
04-01-2011, 10:45 AM | #12 |
Coordinator
Join Date: Nov 2003
Location: The Great Northwest
|
I was able to get a User Guide from Ubee, if you like I can post it somewhere for you to download or email it to you. If you have a specific question that isn't covered in it I think I can get some answers from the advanced solutions engineer that wrote me back.
__________________
Los Angeles Dodgers Check out the FOFC Groups on Facebook! and Reddit! DON'T REPORT ME BRO! Last edited by DanGarion : 04-01-2011 at 10:46 AM. |
04-01-2011, 12:31 PM | #13 | |
Pro Starter
Join Date: Oct 2000
Location: Cary, NC
|
Quote:
You da man! gstelmack AT nc DOT rr DOT com
__________________
-- Greg -- Author of various FOF utilities |
|