Netgear armor firewall throwing ddos alerts

Hello, I am new. I tried searching for this but got no hits. I just set up my first node and it’s getting data; however, my Netgear Armor firewall is losing its mind blocking 100s of what it perceives to be DDoS attacks. Port forwarding looks good, the dashboard shows online and the audit shows 100% for the four satellites I’m connected to.


An example of one of the many pop-ups showing

Just disable this snakeoil armor firewall.


Oh, I agree, except I can’t find where to disable it.

It came on by default with the new router and I can’t find any configuration for it.

+1.

100% of those “security detections” are 100% garbage. They can be made useful if you spend a ridiculous amount of time configuring and maintaining the ruleset (often it’s Suricata under the hood), tailored to your network, and then you still won’t get any guarantees. If you just flip the switch, you’ll get a massive number of false positives; important stuff will drown in that noise, even if it were to be detected in the first place, which is very unlikely.

For 100% of home and small business users, who don’t have the budget for a dedicated security team, it’s 100% a waste of time maintaining, and a loss of performance running, those rules.

The only things you need from a home firewall are two rules: allow established incoming connections and block all other connections, except to known LAN services. These are the defaults on 100% of home gateways out of the box.

Everything else is counterproductive marketing fluff.

Footnotes:

  1. The same goes for Synology DDoS protection, which can be triggered by pinging the NAS from (gasp!) TWO other hosts simultaneously.
  2. The only feature outside of a basic firewall worth enabling is fq_codel (SmartQueues, SQM, etc.) that some home routers offer. It’s quite CPU intensive but is worth even upgrading the router to a beefier one. This is the only exception, and it also vanishes if you have fiber or faster Internet.
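The two rules the post above describes (accept established traffic, drop everything else inbound, open only known LAN services) can be written down as a complete gateway ruleset. The script below is an added illustration, not code from the thread or from any router vendor: it emits an nftables ruleset for a Linux-based gateway and applies it only when invoked with `apply`. The interface names, the node host address and the Storj default port 28967 are assumptions, overridable through environment variables.

```shell
#!/bin/sh
# Minimal home-gateway firewall in nftables form (added example, not from the
# thread). Inbound policy is drop; only conntrack-established traffic and one
# explicitly forwarded LAN service (the storage node) are accepted from WAN.
# Assumed values, adjust for your network: WAN on eth0, LAN bridge br0,
# node host 192.168.1.50, Storj default node port 28967.
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-br0}
NODE_IP=${NODE_IP:-192.168.1.50}
NODE_PORT=${NODE_PORT:-28967}

# Print the ruleset; nothing is changed on the system until it is fed to nft.
home_fw_ruleset() {
  cat <<EOF
flush ruleset
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    ct state invalid drop
    iifname "$LAN_IF" accept
    iifname "$WAN_IF" icmp type echo-request limit rate 5/second accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    iifname "$LAN_IF" oifname "$WAN_IF" accept
    iifname "$WAN_IF" ip daddr $NODE_IP tcp dport $NODE_PORT accept
    iifname "$WAN_IF" ip daddr $NODE_IP udp dport $NODE_PORT accept
  }
}
table ip nat {
  chain prerouting {
    type nat hook prerouting priority -100;
    iifname "$WAN_IF" tcp dport $NODE_PORT dnat to $NODE_IP
    iifname "$WAN_IF" udp dport $NODE_PORT dnat to $NODE_IP
  }
  chain postrouting {
    type nat hook postrouting priority 100;
    oifname "$WAN_IF" masquerade
  }
}
EOF
}

# List every port the ruleset forwards from WAN into the LAN. A quick audit:
# anything listed here that is not a service you run on purpose is a hole.
forwarded_ports() {
  home_fw_ruleset | sed -n 's/.*dport \([0-9]*\) dnat.*/\1/p' | sort -u
}

# Apply only on request: `sh fw.sh apply` (needs root and the nft binary).
if [ "${1:-}" = "apply" ]; then
  home_fw_ruleset | nft -f -
fi
```

With this in place, inbound connections to the node port reach the node host and nothing else from the WAN is accepted, which is exactly the behaviour a "DDoS detection" layer sits on top of without adding any protection the drop policy does not already give.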

Does this not work? How do I turn NETGEAR Armor on or off using the Nighthawk or Orbi app? - NETGEAR Support

So these are all new ‘alerts’ that only started when firing up the node. So my concern is that maybe I could be egressing or ingressing but the dumb built-in Netgear is instead denying those connections, even though I have the firewall rule set up. I really don’t like the lack of visibility. If this was a Palo at work I would see exactly what it was blocking, but not on consumer hardware.

Yup, buried in their app only… not on the gateway web page. That’s frustrating.


Put it in bridge mode and buy yourself a better router that you can customise, like the Asus TUF Gaming 3000 v2. There are many options, but this is the one I use in almost all my locations, and I’m pretty happy with it. The bandwidth limiter and WireGuard work great.
It’s not an ad, it’s just my experience.

I have several DDoS protections in front of my Storj nodes. But I never got one to trigger. Maybe the fine-tuning is too loose?
Or is there a difference between residential protection and commercial protection?

@arrogantrabbit did a good post with an explanation. Using such kinds of firewalls is possible if you carefully configure the rules and keep them updated so as not to block the needed traffic. And this is hard to maintain without basic security knowledge.

By default Asus has the same issue, though it might be turned off more easily.

See:


I have 2 ASUS routers in 2 different locations and I never had that issue.
ASUS ac3100
And ASUS ax3100

All routers with DDoS protection active give that error. You buy one just to be able to deactivate it. The ISP ones are very limited in options.

Either you’re lucky, or your nodes are small. I don’t know which of the two it is. I got that problem the moment my nodes were cumulatively 10TB in size.

I have several locations with more than 20TB stored on 2 nodes. No problems after disabling DDoS protection and also the other third-party protections, because they interfere with storagenodes.