
Tomato Advanced Firewall Settings

Note

This post is heinously out of date, but I'm keeping it around for historical purposes anyway.

A user commented on the Tomato Wake-on-LAN post:

I found I couldn’t get wake on lan to work at all until I enabled Advanced->Firewall->Allow multicast.

Well, that made me wonder what all those advanced settings did, and it turns out the descriptions available suck! Sometimes there wasn’t even a description to label as “suck”, so let's put some descriptions in Google that are at least marginally better. In italics is the setting explanation from the Tomato manual at Wikibooks:

Tomato advanced firewall settings

Respond to ICMP ping

*If checked, the router will respond to ping requests on the WAN interface. (Default: unchecked)*

If you plan on using Wake-on-LAN this must be checked or the router will ignore the Magic Packet that actually tells your computer to turn on. If you don’t need to access your network remotely you can leave it unchecked.

Allow multicast

*If checked, the router will allow multicast packets to reach the LAN. (Default: unchecked)*

Multicast is a “one-to-many” communication method: a computer can send data to several computers at once via a single packet, improving efficiency. It is frequently used for streaming video, and you may notice performance gains/losses by enabling/disabling it; it's a total crapshoot. You can most likely leave this unchecked. Just to be confusing, some routers like Linksys call this option “filter multicast”, in which case you would leave that setting checked to disable (i.e. filter out) multicast packets.

NAT loopback

*If checked, the router allows LAN devices to reach other LAN devices via the router’s WAN IP address and a properly configured port forward. If unchecked, LAN devices can only contact other LAN devices via their local IP addresses. (Default: Forwarded only)*

This one is a little complicated, but DynDNS has a good description with a diagram. For example, the loopback problem occurs when there is a webserver on the same subnet as you. If you try to visit that webserver by browsing to TheWebserver.com or whatever its domain is, the router would try to send you out onto the internet to visit the site. The problem is that the server isn’t out on the internet from your perspective; it’s on your local area network. Most users will want to leave this at the default setting of Forwarded only. If you want more crazy detail on what is happening, this thread should prove helpful.
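To make the loopback problem concrete, here is a toy model of what a router does with a LAN client's packet addressed to the router's own WAN IP, with and without NAT loopback. This is an added example, not code from the original post or from the Tomato firmware (which implements this with iptables/netfilter); the addresses, the port-forward rule and the packet flows are constructed for illustration. It also shows the failure mode that the "Forwarded only" mode avoids: a hairpinned packet that is DNATed to the server but not SNATed to the router gets its reply sent straight back to the client from the server's LAN address, which the client never connected to, so the connection fails.

```python
"""Toy model of NAT loopback (hairpin NAT) on a home router.

Added example, not the post's or Tomato's own code. Topology, port forward
and packets below are constructed; TEST-NET addresses stand in for the WAN.
"""
from dataclasses import dataclass, replace

WAN_IP = "203.0.113.7"        # router's public address (constructed)
ROUTER_LAN_IP = "192.168.1.1"
CLIENT = "192.168.1.50"       # LAN PC browsing to TheWebserver.com
SERVER = "192.168.1.10"       # LAN webserver behind a port forward
LAN_PREFIX = "192.168.1."

# Constructed port-forward rule: WAN port 80 -> SERVER:80
PORT_FORWARD = {80: (SERVER, 80)}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def is_lan(ip: str) -> bool:
    return ip.startswith(LAN_PREFIX)


def router_handle(pkt: Packet, nat_loopback: bool, snat_hairpin: bool = True):
    """Return (packet the router emits or None, reason).

    nat_loopback=False models the unchecked setting: the port forward only
    applies to packets arriving on the WAN interface, so a LAN client that
    talks to the WAN IP gets nothing useful back.
    nat_loopback=True models "Forwarded only": the destination is DNATed to the
    forwarded LAN host and, for LAN-originated packets, the source is SNATed
    to the router's LAN address so the reply comes back through the router.
    snat_hairpin=False shows what goes wrong if that second rewrite is missing.
    """
    if pkt.dst != WAN_IP or pkt.dport not in PORT_FORWARD:
        return pkt, "not a forwarded port; routed normally"
    if is_lan(pkt.src) and not nat_loopback:
        return None, "dropped: port forward applies to WAN ingress only"
    new_dst, new_dport = PORT_FORWARD[pkt.dport]
    out = replace(pkt, dst=new_dst, dport=new_dport)
    if is_lan(pkt.src):
        if snat_hairpin:
            out = replace(out, src=ROUTER_LAN_IP)
            return out, "hairpinned: DNAT to server, SNAT to router LAN IP"
        return out, "DNAT only: server will reply straight to the client"
    return out, "DNAT from WAN ingress"


def reply_destination(forwarded: Packet) -> str:
    """The server answers whatever source address it saw on the packet."""
    return forwarded.src


def lan_client_can_reach_server(nat_loopback: bool, snat_hairpin: bool = True) -> bool:
    """The post's scenario: a LAN client browses to the public name/IP.

    It works only if the packet reaches SERVER *and* the reply is addressed to
    the router, which can un-NAT it. A reply addressed directly to CLIENT
    arrives from SERVER's LAN IP, which CLIENT never connected to, and is
    rejected by the client's TCP stack.
    """
    pkt = Packet(CLIENT, 40000, WAN_IP, 80)
    out, _ = router_handle(pkt, nat_loopback, snat_hairpin)
    return (out is not None and out.dst == SERVER
            and reply_destination(out) == ROUTER_LAN_IP)


if __name__ == "__main__":
    for loopback, snat in ((False, True), (True, False), (True, True)):
        state = "off" if not loopback else ("on, DNAT only" if not snat else "on (Forwarded only)")
        print(f"NAT loopback {state}: reachable={lan_client_can_reach_server(loopback, snat)}")
```

The `snat_hairpin=False` path is why "Forwarded only" has to rewrite both addresses: the DNAT alone gets the packet to the server, but the reply would bypass the router and the handshake never completes.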

Enable SYN cookies

*Activates SYN cookies. (Default: unchecked)*

Probably the best description in the whole book! SYN cookies are a tool for thwarting a SYN flood, an older type of DoS attack. I would enable this unless you find it causing problems with your router. The Tomato developer has commented about sparse and unconfirmed reports of issues with the setting. Well that’s something at least, hopefully it’s all correct yeah?!
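Since the manual's one-liner says nothing about why SYN cookies help, here is a small simulation of the mechanism. This is an added example, not code from the original post or from the Tomato firmware; on a Linux-based router the setting corresponds to the kernel's `net.ipv4.tcp_syncookies` sysctl, whose real cookie layout differs from the toy one here. The secret, addresses and cookie bit layout are constructed. The idea is the same as in the kernel: instead of storing a half-open connection entry for every SYN, the server encodes a timestamp, the client's MSS choice and a keyed MAC over the 4-tuple into its initial sequence number, and only allocates state when a final ACK comes back carrying a cookie that validates. A flood of spoofed SYNs therefore cannot fill the backlog and lock out legitimate clients.

```python
"""Toy SYN-cookie server: added example, not the post's or Tomato's own code.

Cookie layout (32 bits, constructed, loosely modelled on Bernstein's scheme):
  top 5 bits  : time slot (64-second granularity) mod 32
  middle 25   : truncated HMAC over (src, sport, dst, dport, slot, mss index)
  low 2 bits  : index into MSS_TABLE
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

SECRET = b"constructed-syn-cookie-secret"   # server-side secret, constructed
MSS_TABLE = [536, 1220, 1440, 1460]          # MSS encoded as a 2-bit index
SLOT_SECONDS = 64                            # cookie time granularity
MAX_SLOT_AGE = 1                             # accept current or previous slot


def _mac(src, sport, dst, dport, slot, mss_idx):
    msg = f"{src}:{sport}>{dst}:{dport}|{slot}|{mss_idx}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return struct.unpack("!I", digest[:4])[0] & 0x1FFFFFF   # keep 25 bits


def make_cookie(src, sport, dst, dport, mss, now):
    """ISN to put in the SYN-ACK; no state is stored on the server."""
    slot = int(now) // SLOT_SECONDS
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    mac = _mac(src, sport, dst, dport, slot, mss_idx)
    return ((slot & 0x1F) << 27) | (mac << 2) | mss_idx


def check_cookie(src, sport, dst, dport, ack_seq, now):
    """Validate the cookie echoed in the final ACK; return MSS or None."""
    cookie = (ack_seq - 1) & 0xFFFFFFFF
    slot_bits, mss_idx = cookie >> 27, cookie & 3
    mac_bits = (cookie >> 2) & 0x1FFFFFF
    cur = int(now) // SLOT_SECONDS
    for age in range(MAX_SLOT_AGE + 1):          # cookies expire quickly
        slot = cur - age
        if (slot & 0x1F) == slot_bits and mac_bits == _mac(src, sport, dst, dport, slot, mss_idx):
            return MSS_TABLE[mss_idx]
    return None


@dataclass
class Server:
    ip: str
    port: int
    syncookies: bool
    backlog: int = 128                      # half-open queue limit (constructed)
    half_open: dict = field(default_factory=dict)
    established: set = field(default_factory=set)
    next_isn: int = 1000

    def on_syn(self, src, sport, mss, now):
        """Return the ISN for our SYN-ACK, or None if the SYN is dropped."""
        if self.syncookies:
            return make_cookie(src, sport, self.ip, self.port, mss, now)
        if len(self.half_open) >= self.backlog:
            return None                     # backlog full: classic SYN-flood DoS
        isn, self.next_isn = self.next_isn, self.next_isn + 1
        self.half_open[(src, sport)] = (isn, mss)
        return isn

    def on_ack(self, src, sport, ack_seq, now):
        """Final handshake ACK: True if the connection becomes established."""
        if self.syncookies:
            if check_cookie(src, sport, self.ip, self.port, ack_seq, now) is None:
                return False
        else:
            state = self.half_open.pop((src, sport), None)
            if state is None or ack_seq != state[0] + 1:
                return False
        self.established.add((src, sport))
        return True


def flood_then_legit(syncookies, n_spoofed=1000):
    """Spoofed SYNs that are never ACKed, then one real client.

    Returns (half-open entries left behind, whether the real client connected).
    """
    srv = Server("192.0.2.10", 80, syncookies)
    now = 1_700_000_000.0
    for i in range(n_spoofed):              # constructed spoofed sources
        srv.on_syn(f"198.51.100.{i % 250 + 1}", 1024 + i, 1460, now)
    isn = srv.on_syn("192.0.2.55", 40000, 1460, now + 1)
    ok = isn is not None and srv.on_ack("192.0.2.55", 40000, (isn + 1) & 0xFFFFFFFF, now + 1)
    return len(srv.half_open), ok


if __name__ == "__main__":
    print("without SYN cookies:", flood_then_legit(False))
    print("with SYN cookies:   ", flood_then_legit(True))
```

The price of the trick is visible in the code: the cookie has only 32 bits, so TCP options such as window scaling that do not fit are lost for cookie-validated connections, and the 25-bit MAC is short. That trade-off is the reason kernels only engage cookies once the backlog is under pressure and why the author's "enable unless it causes problems" advice is reasonable.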

© Justin Montgomery. Built using Pelican. Theme is subtle by Carey Metcalfe. Based on svbhack by Giulio Fidente.