Router firewall?

June 4, 2007 at 05:59:42
Specs: XP SP2, 2,000 MHz

Can a router be used as a firewall?


June 4, 2007 at 06:38:21

In what sense? There are two kinds of firewalls - hardware (usually the router NAT) and software (application). For maximum protection you should use both because each functions in a different way. For example, NAT stops what's coming into the PC and a software firewall usually stops what's going out or what's trying to call home. Got it, eh?



June 4, 2007 at 07:23:00

Yes, that makes sense. Thanks. So I could have a router as a hardware firewall and a software firewall on my computer? Is it easy to set up a router as a firewall? Can all routers be firewalls?


June 4, 2007 at 07:29:53

All router firewalls - better known as router NAT (network address translation) - are enabled by default. You don't need to do anything, nor should you do anything, with it (it's a sophisticated scheme so complex that no one should ever tweak it).



June 4, 2007 at 07:39:03

Oh, by the way, be aware that some router firewalls use DMZ (DeMilitarized Zone) instead of NAT. They both work basically the same way, hiding your true private IP from the world.



June 4, 2007 at 10:54:34

Routers have a software package hardwired into them called a "DHCP Server". This sets up a TCP/IP protocol local area network and by default "firewalls" this LAN from the Internet.

To hack into your LAN and insert a virus or trojan (malware) an outsider must spoof a local IP Address - one assigned by the LAN network. However the router drops all "local" packets - identified by a local IP range, usually - that try to enter through the WAN port of the router. Local IP packets sent over the LAN ports move freely between clients, though. This is the basis of a Network Address Transition (NAT) firewall and is proof against almost all hacking tactics. NAT routers work fine for most applications but some network games and programs generate false hits and are wrongly blocked by them.

There's a more modern version called a Stateful Packet Inspection (SPI) firewall that inspects packets via a filtering algorithm to reduce false hits, but it does essentially the same thing. NAT and SPI are each as good as the other in protecting your LAN; SPI routers are more "friendly" to your games and applications.

The only hacking tactic that really works against a router is to bypass it. Either fool the user into manually installing malware on one of the clients, or someone maliciously and deliberately installs the malware via floppy or thumbdrive. The only protection against this is a software firewall package that inspects outgoing packets and, if either from an unknown program or sent to a known 'blackhat' IP address, blocks the packet, warns the user, and logs the attempt.

For maximum security you need a hardware firewall on a router, a software firewall that scans outgoing packets, a good anti-virus program, and at least one anti-spyware program. These should be set to periodically check the mfr's website for updates and automatically install said updates if possible.


June 4, 2007 at 10:56:37

NAT neither blocks incoming nor outgoing traffic.
NAT (Network Address Translation)
The internal computer gets the public IP address for the short time of the request to the internet (every time a request is made).
A router firewall can possibly block incoming and outgoing traffic, depending on which router you're using.
Incoming traffic will be blocked in any case.
A software firewall on the local computer can additionally allow or deny traffic based on the programs you're using.

So using both is always a good idea and recommended.
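
Added example (not part of any post in this thread): a toy Python model of the port-translating NAT and connection-table behaviour discussed in the two posts above, showing the private address being rewritten on the way out and unsolicited or LAN-range-sourced packets being dropped on the WAN side. It assumes replies must match the exact remote address and port, which real routers may relax; the class, function names and addresses are hypothetical.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private_lan(ip):
    """True if ip falls in one of the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

class NatRouter:
    """Toy port-translating NAT with a connection table (hypothetical model)."""
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound = {}  # (lan_ip, lan_port, remote_ip, remote_port) -> public port
        self.inbound = {}   # (public_port, remote_ip, remote_port) -> (lan_ip, lan_port)

    def from_lan(self, p):
        """LAN -> WAN: record the flow and rewrite the private source address."""
        key = (p.src, p.sport, p.dst, p.dport)
        if key not in self.outbound:
            self.outbound[key] = self.next_port
            self.inbound[(self.next_port, p.dst, p.dport)] = (p.src, p.sport)
            self.next_port += 1
        return Packet(self.public_ip, self.outbound[key], p.dst, p.dport)

    def from_wan(self, p):
        """WAN -> LAN: returns (translated packet or None, verdict)."""
        if is_private_lan(p.src):
            return None, "drop: LAN-range source on WAN port"
        host = self.inbound.get((p.dport, p.src, p.sport))
        if p.dst != self.public_ip or host is None:
            return None, "drop: no matching outbound flow"
        return Packet(p.src, p.sport, host[0], host[1]), "forward"

def demo():
    # Constructed sample addresses (RFC 5737 documentation ranges on the public side).
    r = NatRouter("203.0.113.7")
    sent = r.from_lan(Packet("192.168.1.50", 51000, "198.51.100.10", 80))
    reply = r.from_wan(Packet("198.51.100.10", 80, sent.src, sent.sport))
    unsolicited = r.from_wan(Packet("198.51.100.99", 4444, "203.0.113.7", sent.sport))
    spoofed = r.from_wan(Packet("192.168.1.20", 80, "203.0.113.7", sent.sport))
    return sent, reply, unsolicited, spoofed

if __name__ == "__main__":
    for item in demo():
        print(item)
```
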



June 4, 2007 at 13:07:42

What kind of router are we talking about here? A SOHO "router" (and I use the term loosely) or a real router?

There is a difference.


June 4, 2007 at 13:38:55

Curt, could you explain the difference for us without having to wait for the OP to post back? Thanks.



June 4, 2007 at 15:33:12

Well, simply put, a SOHO router isn't really a router at all. It's a switch with NAT, DHCP and a firewall added onto it. As far as I can tell from mine at home, it's only capable of very basic routing.

As an example, I have a Cisco 2800 router sitting in my office, and comparing what it's capable of to a SOHO router is like comparing a high-end enterprise-level layer 3 switch with a hub.

Simply put, it's the features they come with and what they're capable of that differentiate them. Oh, and while a Cisco router like the one I mentioned can't "firewall" per se, you can do something like firewalling using access rules.

The reason the Cisco router is sitting in my office is, we've phased out all hardware-based routers in favor of teamed (for redundancy) servers running UNIX (OpenBSD) for our routers/firewalls. Again, comparing what those are capable of to a SOHO router is the same as comparing a hardware-based router like the Cisco I mentioned to a SOHO. In fact, because the UNIX-based boxes do 'real' firewalling, the Ciscos can't compare to them at that level either.

This is the reason I asked. The original poster doesn't give out much information and while I would wager he is talking about a SOHO router, I just thought, if he wasn't, I could answer his question for him.

As for the SOHO router, well, because it has the firewall built into it, it goes without saying that it can.


June 5, 2007 at 00:40:46

Thanks guys, this is all good information. Curt R - I realise I wasn't very specific in my original post in terms of what type of router I was looking for, but that was because I knew very little about routers. However, because of OrionCA's account of the security provided by routers I have decided I am looking for a reasonable router with firewall capabilities. I have looked at some Cisco routers on a few websites and they look quite good.

Which leads me onto another question: am I right in thinking that it's possible to connect two or three computers together using a hub/switches and then have that hub connected to a router which then connects to the Internet?


June 5, 2007 at 00:50:03

I have found an Ethernet Linksys router on Amazon. It says it has switches; does that mean I can connect computers together using it instead of a hub? It looks like a router and a hub all in one.


June 5, 2007 at 05:51:06

Curt R,

Thanks for taking the time to explain the difference. I appreciated it.


Linksys BEFSR41 is a router that you can use to connect up to four computers to the internet simultaneously. I used to have this before my ISP-provided modem/router combo. Who is your ISP and what do they provide you for internet connection?



June 5, 2007 at 11:04:37

Which leads me onto another question: am I right in thinking that it's possible to connect two or three computers together using a hub/switches and then have that hub connected to a router which then connects to the Internet?

You can... although I'd recommend a switch instead of a hub. In a nutshell, hubs broadcast everything to all ports and switches intelligently move the data only to the port of the client that originated the transmission. What this means is, you have fewer collisions on a switch and therefore better overall transfer rates.

Most SOHO routers come with 4 LAN ports to plug PCs into. My old D-Link DI-604 was just such a router. Like XpUser, my ISP provided me with a new modem/router/wireless AP combo unit when I upgraded my DSL to a higher bandwidth package. This unit too has 4 LAN ports.

If you purchase a SOHO router with only a single LAN port, then a switch would be necessary. If you buy one with 4 LAN ports and have more than 4 PCs to connect to it, again, a switch would be required. But if you buy one with 4 LAN ports and only have, say, three PCs to connect, you won't need anything else.


My pleasure.


July 17, 2007 at 09:37:56

I was just reading through this. I had Googled the same question that drew22299 had asked and found this forum/thread. I am about to change from a Verizon DSL connection to a Comcast cable connection. The problem I have is that my PC sits in a room with only an RJ-11 wall jack but no coaxial wall jack. There is a coaxial hookup in a nearby room so I figured a wireless router would solve the locational issue. Like drew22299, I only had a fundamental knowledge of what a router is and does. I was aware of the DHCP functionality but not the firewall functionality. Neither was I aware of the distinction between switches and hubs nor that there were effectively three primary types of routers (SPI, NAT, and SOHO).

We only have the desktop at home at the moment but I am likely to buy a laptop for the wife that I will want to connect to the router as well. I figure I can purchase the cable modem through Comcast (they had been offering a rebate on a Motorola modem that effectively made it free). If not that way, then through Tiger Direct or New Egg. My remaining question: Do the above rules apply to a wireless router or does that create other issues I should consider?

I’m really going for simple and inexpensive yet effective. Also, I already have a software firewall running.

