Firewall

The Firewall menu item allows you to set the parameters for the router’s firewall. Various settings are possible here.

Basic

Here you can configure the basic settings of the firewall.

| Name | Description | Default |
| --- | --- | --- |
| Default Filter Policy | The options “Accept” and “Block” are possible. | Accept |
| Block Anonymous WAN Request (ping) | Enable to block ping requests generated anonymously from the network | Disabled |
| Filter Multicast | Click to enable filtering of multicast | Enabled |
| Defend DoS Attack | Click to enable defense against DoS attacks | Enabled |

Filtering

Here you can define what the firewall lets through and what it blocks. The available settings are reached via Firewall > Filtering.

| Name | Description | Default |
| --- | --- | --- |
| Enable | Click to enable filtering | Enabled |
| Protocol | Selection of the protocol. Possible options are “TCP” / “UDP” / “ICMP” | All |
| Source | Set source IP address | Empty |
| Source Port | Set source port if a corresponding protocol was selected | Empty |
| Destination | Set destination IP | Empty |
| Destination Port | Set destination port if a corresponding protocol was selected | Empty |
| Action | Select whether the configured traffic is allowed (Accept) or blocked (Block) | Accept |
| Log | Click to enable logging for this setting | Disabled |
| Description | Describe configuration | Empty |

Content Filtering

The content filter in the firewall lets you filter requests for specific URLs, which can then be blocked or allowed. You can create the configuration under Firewall > Content Filtering.

| Name | Description | Default |
| --- | --- | --- |
| Enable | Enable or disable the content filter function | Enabled |
| URL | Enter the URL to block or filter | Empty |
| Action | Select whether the URL is blocked (Block) or allowed (Accept) | Accept |
| Log | Can be enabled for logging | Disabled |
| Description | Describe configuration | Empty |

Port Mapping

NAT-PMP (NAT Port Mapping Protocol) allows a computer in a private network (behind a NAT router) to automatically configure the router so that devices behind the router can be reached from outside the private network. It essentially controls what is known as port forwarding. NAT-PMP, like UPnP, allows a program to request that all incoming data from outside on a specific TCP or UDP port be forwarded to it. You can perform the configuration under Firewall > Port Mapping.

| Name | Description | Default |
| --- | --- | --- |
| Enable | Enable or disable port mapping | Enabled |
| Protocol | Selection of TCP, UDP or TCP&UDP protocols | TCP |
| Source | Enter source IP | 0.0.0.0/0 |
| Service Port | Enter the service port | 8080 |
| Internal Address | Set internal IP for mapping | Empty |
| Internal Port | Set the internal port for the mapping | 8080 |
| Log | Click to enable port mapping logging | Disabled |
| External Address (Optional) / Tunnel Name (OpenVPN) | Used in conjunction with VPN. For port forwarding with VPN, the virtual IP address of the TC router must be entered here | Empty |
| Description | Describe the meaning of the individual assignments | Empty |

Virtual IP Mapping

The IP of an internal PC can be assigned to a virtual IP. An external network can access the internal PC via this virtual IP address. You can set up this configuration under Firewall > Virtual IP Mapping.

| Name | Description | Default |
| --- | --- | --- |
| Virtual IP for Router | Set virtual IP for router | Empty |
| Source IP range | Set range of source IP addresses | Empty |
| Virtual IP | Set virtual IP | Empty |
| Real IP | Set real IP | Empty |
| Log | Enable logging for virtual IP | Disabled |
| Description | Describe configuration | Empty |

DMZ

A Demilitarized Zone (DMZ) refers to a computer network with security-controlled access to the servers connected to it.

The systems set up in the DMZ are shielded from other networks (e.g. Internet, LAN) by one or more firewalls. This separation allows access to publicly accessible services while protecting the internal network (LAN) from unauthorized access from the outside.

The purpose is to make services of the computer network available to both the Internet (WAN) and the intranet (LAN) on a secure basis.

A DMZ provides protection by isolating a system from two or more networks.

By mapping all ports, an external PC can access all ports of the device connected to the TK100.

With this function it is not possible to assign the management port of the TK100 (e.g. 80/TCP) to the port of the device. To forward port 80, change the management port of the router under System > Admin Access.

| Name | Description | Default |
| --- | --- | --- |
| Enable DMZ | Click to enable DMZ | Disabled |
| DMZ Host | Set DMZ host IP | Empty |
| Source Address Range | Set the IP addresses to which access is restricted | Empty |
| Interface | Selection of the corresponding interface | Empty |
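
The following is an added example, not part of the TK100 documentation or firmware: a small audit of Port Mapping and DMZ settings against the defaults listed in the tables above. The dictionary keys, finding codes and sample rows are constructed for illustration, and treating an empty source field as "any source" is an assumption.

```python
import ipaddress

def audit_port_mappings(rows):
    """Return (service_port, code) findings for enabled Port Mapping rows."""
    findings = []
    for row in rows:
        if not row.get("enable", True):        # page default: Enabled
            continue
        port = row["service_port"]
        try:
            # Assumption: an empty Source behaves like the page default 0.0.0.0/0.
            src = ipaddress.ip_network(row.get("source") or "0.0.0.0/0", strict=False)
            if src.prefixlen == 0:
                findings.append((port, "ANY_SOURCE"))   # reachable from every address
        except ValueError:
            findings.append((port, "BAD_SOURCE"))       # not a valid IP or CIDR
        if not row.get("internal_address"):    # page default: Empty
            findings.append((port, "NO_TARGET"))
        if not row.get("log", False):          # page default: Disabled
            findings.append((port, "NO_LOG"))
    return findings

def audit_dmz(dmz):
    """Return finding codes for the DMZ settings."""
    if not dmz.get("enable_dmz", False):       # page default: Disabled
        return []
    findings = []
    if not dmz.get("dmz_host"):
        findings.append("NO_HOST")
    # Assumption: an empty Source Address Range means no source restriction,
    # so every port of the DMZ host is exposed to every sender.
    if not dmz.get("source_address_range"):
        findings.append("ANY_SOURCE_ALL_PORTS")
    return findings

# Constructed sample configuration (not exported from a real device).
SAMPLE_MAPPINGS = [
    {"enable": True, "source": "0.0.0.0/0", "service_port": 8080, "internal_address": "192.168.2.2", "log": False},
    {"enable": True, "source": "203.0.113.0/24", "service_port": 8443, "internal_address": "192.168.2.2", "log": True},
    {"enable": True, "source": "10.0.0.0/33", "service_port": 2222, "internal_address": "", "log": True},
    {"enable": False, "source": "", "service_port": 9000, "internal_address": "", "log": False},
]
SAMPLE_DMZ = {"enable_dmz": True, "dmz_host": "192.168.2.2", "source_address_range": ""}

if __name__ == "__main__":
    for port, code in audit_port_mappings(SAMPLE_MAPPINGS):
        print("port mapping", port, code)
    for code in audit_dmz(SAMPLE_DMZ):
        print("dmz", code)
```
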

MAC-IP Bundling

MAC-IP bundling means assigning a predefined IP address to a defined MAC address, so that the given MAC address always gets the same IP address. You can reach this menu item under Firewall > MAC-IP Bundling.

If a firewall blocks all access to the external network, only PCs with MAC-IP bundling will gain access to the external network.

| Name | Description | Default |
| --- | --- | --- |
| MAC Address | Set MAC address for bundling | Empty |
| IP Address | Set IP address for bundling | 192.168.2.2 |
| Description | Describe configuration | Empty |

NAT

In computer networks, Network Address Translation (NAT) is the collective term for procedures that automatically replace address information in data packets with other information in order to connect different networks. They are therefore typically used on routers.

Use of Source NAT (SNAT)

It allows devices with private network addresses to connect to the Internet. Private IP addresses cannot usually be routed by the provider, so they must be translated into a public, routable IP address. The TK100 has implemented this function, which enables communication between different networks. In addition, a relevant security aspect is found in NAT, since a public IP address cannot be traced back to the associated private IP address.

Use of Destination NAT (DNAT)

This is used to offer services that are operated on computers under a single IP address. It is often referred to as port mapping or port forwarding.

Configuration

- To configure NAT, go to the Firewall menu item and select the NAT subitem
- Here you will find a list of all existing NAT rules
- New NAT rules can be added using the Add button