I've read on many sites about computer security and they can't emphasise enough the importance of enabling the router's SPI firewall. However, I've never really liked this idea because for some reason when I turn it on my BT and other internet operations take a bit of a performance hit. I've just recently tried enabling SPI protection again and what I noticed now is that I can achieve speeds up to 155kb/sec on BT but the speed drops pretty dramatically; it can't stabilize. For 5 seconds I get 155kb/sec speed and then it would suddenly drop to 9kb/sec. Does anyone know how to tune the SPI firewall so that I can achieve both performance and protection?
Another question is: What is NAT end-point filtering, and if I was given the 3 options, 1) Endpoint independent, 2) Address Restricted, 3) Port and Address restricted, what is the best option given that I do use BT?
-
blue68f100 Notebook Virtuoso
Some routers are impacted more than others. SPI looks at all incoming packets for items trying to piggyback the original request. This is the way worms are distributed. NAT is normally all you need if you run a FW locally on your PC. Not sure about your NAT end-point options. Sounds like a type of proxy.
-
Can't you open up a port in the firewall that your BT uses?
-
Virtual server is if you're hosting a web server where multiple ports might be needed to connect to your computer (sounds like a #1 choice for BT)
but then...
Port forwarding opens up ports in 1 range and directs them to your computer (sounds very similar to the 1st option)
then...
Applications: ports are automatically opened/closed depending on your application's needs. Wth? That just sounds like the last 2.
Because their variation is very little in nature I'm not sure which one is the best for BT and in fact if I should enable them all. I don't use the standard 6881-6889 ports because most are prolly blocked or filtered by Rogers (my ISP).
I've tried "applications" and got a bit better with the speeds but I have to tell you that it's still fairly slow (50kb/sec is the max I've seen) but a lot more stable.
I tried testing games online
My weapon of choice? TF2
Ping with no SPI + DMZ = 5ms lowest, 10ms average, high 30 ms.
Ping with SPI and port-forwarding = 30 ms lowest, 40-45 ms average, 93ms max
The difference is 3x! The average ping rose by 4x! I need some help on how to tweak this stuff.
As for blue68f100's comment, it sounded like a proxy to me at first too, but it turns out it's the way that the NAT handles packet checking. So End point means it opens all ports required when it detects the program sending outgoing packets and closes them if it idles for 5 minutes or more, Address filtering means it only accepts a packet from an IP address that the application sent a request to, and address + port filtering is self-explanatory.
Right now, in order to ensure that I get max speeds with BT, I chose End-point filtering and so my max speed is around 80kb/sec and lowest is 0.1kb/sec, average is at around 40ish kb/sec, which isn't good because for those torrents in the past I could get up to 100+ kb/sec for max and it's usually stable at around there, if not, 90kb/sec+.
-
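The three end-point filtering options described in the post above, as an added example that is not part of the thread: a small Python model of a NAT that applies each mode (names follow the post) together with the 5-minute idle timeout the post mentions. The WAN port allocator and the addresses used are assumptions for illustration; real routers differ in details.

```python
from enum import Enum

class Filtering(Enum):
    # The three options the post lists, in the same order.
    ENDPOINT_INDEPENDENT = 1         # any remote host may send to the open port
    ADDRESS_RESTRICTED = 2           # only addresses the LAN host already sent to
    PORT_AND_ADDRESS_RESTRICTED = 3  # only the exact address:port pairs already sent to

class Nat:
    """Toy NAT (added example, not from the thread): one binding per LAN socket."""
    IDLE_TIMEOUT = 300.0  # seconds; the post says idle bindings close after 5 minutes

    def __init__(self, mode):
        self.mode = mode
        self.bindings = {}  # WAN port -> {"lan": (addr, port), "peers": set, "seen": t}
        self._next_port = 40000  # assumed WAN port allocator

    def outbound(self, lan_addr, lan_port, remote_addr, remote_port, now):
        """LAN host sends a packet: create or refresh its binding, return the WAN port."""
        ext_port = next((p for p, b in self.bindings.items()
                         if b["lan"] == (lan_addr, lan_port)), None)
        if ext_port is None:
            ext_port, self._next_port = self._next_port, self._next_port + 1
            self.bindings[ext_port] = {"lan": (lan_addr, lan_port), "peers": set(), "seen": now}
        b = self.bindings[ext_port]
        b["peers"].add((remote_addr, remote_port))  # remember who the LAN host talked to
        b["seen"] = now
        return ext_port

    def inbound(self, ext_port, remote_addr, remote_port, now):
        """Packet from the Internet to a WAN port: True if forwarded, False if dropped."""
        b = self.bindings.get(ext_port)
        if b is None:
            return False  # no binding: nothing ever went out from this port
        if now - b["seen"] >= self.IDLE_TIMEOUT:
            del self.bindings[ext_port]  # idle for 5 minutes or more: binding expired
            return False
        if self.mode is Filtering.ENDPOINT_INDEPENDENT:
            ok = True
        elif self.mode is Filtering.ADDRESS_RESTRICTED:
            ok = any(addr == remote_addr for addr, _ in b["peers"])
        else:  # PORT_AND_ADDRESS_RESTRICTED
            ok = (remote_addr, remote_port) in b["peers"]
        if ok:
            b["seen"] = now  # accepted traffic keeps the binding alive
        return ok
```

The model shows why "Endpoint independent" is the most permissive: a peer the LAN host never contacted can still reach the open port, which is what a BitTorrent client wants and what the stricter modes deliberately drop.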
I put the router (WRT54G v8) in storage after my grandparents finished their visit. A SPI firewall is nice, but I'm fine with only using Sygate firewall on the one computer now directly connected to the cable modem.
-
Router SPI Firewall question
Discussion in 'Networking and Wireless' started by Murdoc, Mar 28, 2008.