Firewall in Linksys WRTXXX's... Disappointed!!!!

Discussion in 'Cisco/Linksys Wireless Routers' started by MaliMrav, Jun 22, 2007.

  1. MaliMrav

    MaliMrav LI Guru Member

    Ok folks,

    I have had a Billion 4402VGO ADSL modem for the last two years and have just the other day bought, in Singapore, the WRT350N.
    All the hype made it so attractive I just had to have it!
    Anyway... I installed it this morning, expecting it to give birth to kids, for the price I paid for it. Needless to say I was humongously disappointed with the over simplification of the setup, almost "Microsoft like" basic firewall!
    You know what, the Billion ****s all over the Linksys's! What's with the "every port open" and close the ones you want??? SPI....crap!
    The Billion's firewall, in comparison to this one, is like comparing Firewall one with the Windows® inbuilt one.
    ...oh, did I mention that I am disappointed?
    So now, how do I stop my PC from sending unsolicited information out of my network? It's not even SPI! I tried to first block all traffic and just let out known ports, thinking that ACK packets would be let through (as per SPI). No it doesn't work. In fact, I cannot figure out how this crap "access control" is supposed to work!
    I would take this back to the shop in a heartbeat if I wasn't here in Sydney. Shame on you, Cisco! This is not like you to oversimplify a product and leave your customer vulnerable, just for the sake of an easy installation and little tech support. Has Bill Gates been whispering into your ear?

  2. Toxic

    Toxic Administrator Staff Member

    Best if you point your anger over to Linksys tech support (this site is a community-based site that is not run by Linksys).
  3. Mastec

    Mastec Network Guru Member

    If you go to the Linksys forums to voice your opinion or speak the truth, they will either delete your post, edit it to their liking or ban you.
  4. Toxic

    Toxic Administrator Staff Member

    Editing posts is a result of a user who will not ask for advice but just let off steam and be abusive. The vast majority of forums are here to help as long as the user will conduct himself in a manner that is not insulting.

    If I came to your front door and started shouting at the top of my voice at you, what would you do?

    If I came to your house, but was civilised and expressed concern or asked for advice, I am sure you would give it.

    If you act in a manner that a forum admin does not like, well, you know the answer.

    I have already asked the initial poster to raise the issue with Linksys Tech Support (not the forums).

    If he can give as much detailed info as possible on his problem, then perhaps Linksys might help him, though giving off to a support team rep will get you nowhere; they are not paid to listen to abuse :)
  5. vincentfox

    vincentfox Network Guru Member

    Sorry you have had a bad experience. Many people have issues with Linksys firmware, especially first releases. But there are many alternative firmwares for Linksys products that might be worth trying.

    Check DD-WRT. I read a while ago that they were planning to have support for this product in their v24-beta firmware, so perhaps it is usable by now. I like Linksys a lot, mainly because they are a cheap supplier of some good Broadcom reference boards. Often they are in unattractive packages and with buggy firmware, but I find that problem to be solvable.
  6. Mastec

    Mastec Network Guru Member

    I am not saying it happens to me. I have over 800 posts there and continue posting. I am just referring to those who are sick of the CSRs telling them to update the firmware, update the firmware and update the firmware. When I had trouble a year or so ago, I went straight to the source and had my situation handled a different way, and it was taken care of. So it's not me with the bad experience; I just laugh at the others when they find their posts edited.
  7. vincentfox

    vincentfox Network Guru Member

    Undoubtedly you can get a response if you badger Linksys enough. How does shouting in an enthusiast forum reach Linksys though? I really doubt any Linksys employees read this forum.
  8. Mastec

    Mastec Network Guru Member

    My situation was that my WRT54Gv4 puked while still under warranty. I sent off for an RMA replacement and they sent me a v6. I was slightly upset, so I called and talked to the CSRs until they were tired of hearing it. On their website it says they will replace equipment with an equal piece of equipment. The v4 and v6 are not even close to being the same except in colour. They connected me to a supervisor in California who listened and had a WRT54GL on the way. I didn't get on the Linksys forums whining and crying like others do that have had the same experience.
  9. Toink

    Toink Network Guru Member

    Welcome to the forum. Perhaps you can post here what you really want to do with your firewall. There's plenty of people here to help you out. I understand your frustrations over the WRT350N coz I own one myself :)

    I know what you mean because I experienced it firsthand over there at the Linksys forums - all because I spoke the truth about this particular router having some problems with the current f/w version --- I was not disrespectful, mind you :) I was merely telling the truth... It's just that I think the mods there have really lonely lives - not having any idea what a sense of humour is he-he. I mean hey, I'm a mod too in another forum but I know when to cut and where to draw the line....

    Actually them Linksys employees do visit this forum. It's just that they'd shrug it off and let the consumers find their own solutions - just like the Linksys engineers who visit the official Linksys forum. As the mod there said:
    There are more intellectual people here at combined than all the engineers at Linksys. :) :)
  10. Toxic

    Toxic Administrator Staff Member

    Linksys techies used to hang out on the dslreports forums until Linksys users got abusive. There are many Linksys employees frequenting these forums, but they will always remain anonymous to stop the onward attacks. They do pick up on real issues with Linksys hardware here and use it as a base for understanding issues with users and their hardware.

    However, this forum was designed as a community forum to help each other and not as a site for rants and raves. is for that.
  11. Slimey

    Slimey Network Guru Member

    FYI, DD-WRT added support for the WRT350N in the v24 builds a while back.
  12. eric_stewart

    eric_stewart Super Moderator Staff Member Member

    Hate to rain on your parade buddy, but before you open your mouth, let's get something straight....

    SPI (ergo Stateful Packet Inspection) firewalls are designed to inspect the standard handshakes of stateful protocols such as TCP. ie:

    1.....Client------------(SYN)----------->Server (session initiated)
    2.....Client<----------(SYN,ACK)--------Server (session 1/2 built)
    3.....Client------------(ACK)----------->Server (session est'd)
    4.<------------------------Start Data Traffic-------------------->

    Breaking it down and using the numbers above for reference....

    (1) Session Initiated
    If the client is on the inside of the firewall, the default behaviour of the SPI algorithm on the Linksys boxes is to allow the initial SYN from the client to go out without any access rules prohibiting it. This is equivalent to pressing a doorbell.

    In other words, unless there is a rule specifically disallowing the inside client to solicit a connection to an outside host this is allowed. This is the default behaviour on $15,000 Cisco PIX and ASA firewalls, CheckPoint, NetScreen, Symantec, Sygate and others........

    (2) Session 1/2 Built
    The SPI firewall will examine all packets arriving from the outside and will allow acceptable responses to the initial SYN from the inside host. This is equivalent to allowing the server to answer the doorbell. Note that while SYN,ACK is the way that a server says that it's open for business, there are other acceptable responses. For example, a server might say it's too busy by saying RST (ie: reset) or (if it's not protocol compliant) it might say FIN (ie: finish). Stateful firewalls will recognize all acceptable responses, and *implicitly* allow them through without the requirement for any access lists. This is the elegance of SPI: it "knows" the rules for how the 3-way handshake works (pictured in the example) as well as all other subsequent conversations that might happen between the client and the server, and dynamically makes up rules to allow these flows through.

    (3) Session Established
    The client, being polite, will complete the 3-way handshake that opens up the session with the server by sending an ACK (acknowledgement). This is equivalent to saying "thank you" when the server comes to the door. The session is now said to be "established" and the SPI firewall will continue to statefully examine all data packets in subsequent phase of communication which is....

    (4) Start Data Traffic
    Now that the data "pipe" (session) is open, data traffic flows through it. The majority of the steady-state traffic between the client and the server will have just the "ACK" bit set. Sometimes, because of traffic congestion issues, etc., other bits will be set in addition to the ACK bit. For example URG, ACK (urgent, acknowledgement) or PSH,ACK (push, acknowledgement) .

    In summary, the firewall is designed to allow inside->outside connections to initiate without control by default. Also (and by default) the majority of SPI firewalls will not allow that initial SYN (see item 1) to go outside->inside from a client to a server unless *explicitly* allowed. This has got nothing to do with SPI logic, per se, but is just solid best practices. You implicitly *don't* trust the bad guys on the outside security zone but you implicitly *do* trust the guys on the inside.

    Too bad you don't understand how it works, but (and I'll bet you follow Cricket) a good batsman never blames his bat. Maybe you should understand a bit more about how things work before you blame Linksys or Cisco or whomever. While you're pointing a finger at them, you have at least three pointed back at yourself.

  13. MaliMrav

    MaliMrav LI Guru Member

    Umm... sorry folks, I think I over did it a little :redface:

    Ok, from what I gather, people in general are unhappy with Linksys routers, their buggy firmware and little or no support from Linksys CSRs.

    I apologise for my first post being a spleen vent, I should know better! :rolleyes: I had spent a good part of 6 hours since I opened my present (my WRT350N) and installed it; going through the setup and being shocked at how basic it is, particularly in the "Security" section. I trawled the web for hours looking for anything that could explain how to work around the access control to get anywhere near the functionality of even an iptables-like firewall setup. This was initially what I was going to post here and god knows how it turned into a rant. :confused:

    However, I'd like to thank Mastec, Toxic, vincentfox as they have inadvertently answered a lot of my questions I didn't even ask. :wink:

    @ Slimey
    Thanks for the info on DD-WRT. I'd already tried that firmware before I posted here. The issue with it was that the WAN port did not light up and so it would not PPPoE to the ADSL modem at all. When I stuck the ADSL modem into port 1 of the 1Gig switch the WAN port lit up but still no PPPoE :confused: Looks as though something got seriously mixed up in the compiling :rolleyes:

    @ eric_stewart
    Thank you also for the refresher tutorial on SPI. I assure you I have 16 years of experience in IT and can recite....well let's just say I've been around quite a while and that I know that SPI, in a nutshell, means that the FW will allow incoming packets from the WAN side if and only if they are an answer to a request coming from that host, then redirected (packet mangled) to the internal host that originally sent the request. My question is how can I get the firewall up to a stage that all inbound and OUTbound traffic is stopped first (except for SYN,ACK and ACK, obviously) and then let only the traffic out that I'd like.

    Once again, sorry for the rant and thank you for all your help in spite of me being a DH
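    The following is an added example (my own code, not from this thread, the Linksys firmware or DD-WRT): a toy session tracker that implements the SPI policy eric_stewart walks through in items (1) to (4), and also the default-deny outbound allow-list MaliMrav asks about above. Assumptions: packets are constructed tuples, inside hosts are identified by an IP prefix string, and a destination port stands in for an access rule.

```python
from collections import namedtuple

# Constructed packet: flags is a frozenset of TCP flag names, e.g. {"SYN", "ACK"}
Packet = namedtuple("Packet", "src sport dst dport flags")

class SpiFirewall:
    """Session table keyed by (initiator_ip, initiator_port, responder_ip, responder_port)."""

    def __init__(self, inside_prefix, allow_out=None, allow_in=()):
        self.inside = inside_prefix       # assumption: inside hosts share this IP prefix
        self.allow_out = allow_out        # None: any inside->outside SYN (the default in item 1)
        self.allow_in = set(allow_in)     # outside->inside SYNs need an explicit port rule
        self.sessions = {}                # key -> "half" or "established"

    def filter(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)   # packet sent by the session initiator
        rev = (p.dst, p.dport, p.src, p.sport)   # packet sent by the responder
        if p.flags == {"SYN"}:                   # (1) the doorbell: may a session open?
            outbound = p.src.startswith(self.inside)
            if outbound and self.allow_out is not None and p.dport not in self.allow_out:
                return "DROP"                    # default-deny outbound, allow-listed ports only
            if not outbound and p.dport not in self.allow_in:
                return "DROP"                    # unsolicited outside->inside SYN
            self.sessions.setdefault(fwd, "half")
            return "ACCEPT"
        if rev in self.sessions:                 # responder answering the initiator
            state = self.sessions[rev]
            if state == "half" and p.flags in ({"SYN", "ACK"}, {"RST"}, {"FIN"}):
                if "SYN" not in p.flags:         # (2) refused: RST/FIN tears the session down
                    del self.sessions[rev]
                return "ACCEPT"                  # (2) SYN,ACK: session 1/2 built
            if state == "established" and "ACK" in p.flags:
                return "ACCEPT"                  # (4) data traffic, incl. PSH,ACK / URG,ACK
            return "DROP"
        if fwd in self.sessions:                 # initiator continuing its own session
            state = self.sessions[fwd]
            if state == "half" and p.flags == {"ACK"}:
                self.sessions[fwd] = "established"   # (3) handshake complete
                return "ACCEPT"
            if state == "established" and "ACK" in p.flags:
                return "ACCEPT"                  # (4)
            return "DROP"
        return "DROP"                            # no matching session: unsolicited, dropped
```

    A real stateful filter also tracks sequence numbers and timeouts; this one only shows why a bare SYN,ACK or data packet from the WAN side with no matching session is dropped while a reply to an inside request is not.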

  14. Toxic

    Toxic Administrator Staff Member

    Vlad, have you posted your issues in the DDWRT forum concerning your problem? 3rd party firmware usually does require a full factory reset before and after upgrading to a new build, as there can be issues with old nvram settings conflicting with new settings from the 3rd party firmware.
  15. Rekoil

    Rekoil LI Guru Member

    Although I haven't used PPPoE, I see that same problem on my router with the mixed-up LEDs. It doesn't worry me though, as it's only cosmetic. dd-wrt is working well for me.
  16. MaliMrav

    MaliMrav LI Guru Member

    Thanks Toxic, not a bad idea. I went through the dd-wrt firmware and in all honesty, although I'm impressed with the added features and so on, the firewall is still as sucky as Linksys's.
    @ Rekoil - Yeah, it's not actually cosmetic only, the WAN port doesn't work, therefore no PPPoE and therefore not a router, just a layer 3 switch. :(

  17. Rekoil

    Rekoil LI Guru Member

    WAN port works fine for me. Except the led for the WAN port doesn't show. Instead LAN port 1 is shown on the WAN led, LAN port 2 on the led for port 1, LAN port 3 on the LED for port 2, etc. and LAN port 4's led isn't used at all. I'm sure this will be fixed as the release of dd-wrt v24 gets closer.