RUT 9XX firewall options

Hello
Opening a global topic about firewall options that I don’t completely understand, even after looking in forums and manuals:
Context: using RUT 95[01] via 4G. On the local network behind the RUT, there are Windows or Linux PCs accessible via TeamViewer, VNC, etc., and LAN cameras.
To access them, I’m using port forwarding rules set in the RUT95X (explicit for VNC, like 5900 to 5900, or redirecting, like 9876 to 443 of the camera).
But in our experience, removing Software flow offloading resolved our VNC access issues, and improved (a bit) access to the cameras.
Obviously, tests were made in the best 4G conditions to avoid this variable.

  • Software flow offloading:
    • We don’t clearly understand the relation between VNC and this option.
    • Can someone explain it to us? (We want to know just to be comfortable with what we set!)
  • Automatic helper assignment:
    • If I understand well, it helps to automatically create rules depending on traffic? From what I read on the internet, some Linux kernels stopped using this a while ago: Automatic Helper Assignment | firewalld
    • So is this option still relevant?
    • Note: yes, I read the topics related to people deactivating this option due to passive FTP issues.
    • Note 2: we didn’t notice big changes with the option kept or disabled … :)

Thanks and BR
V

Greetings,

Software Flow Offloading (SFO) is a firewall/NAT acceleration feature that helps optimize packet processing by offloading some tasks from the CPU to the Linux network stack. However, this can sometimes interfere with certain network protocols, especially ones relying on stateful connections, such as VNC.

VNC uses the TCP protocol, and with SFO enabled, the firewall may not track connections as expected, leading to dropped or misrouted packets. Disabling SFO forces the router to handle connections through the full firewall processing pipeline, which can improve reliability for protocols like VNC.

Regarding the Automatic helper assignment, it does exactly what you’ve described. About its relevancy, it is relevant, yes; however, speaking from experience, I’ve seen some people have certain issues with it enabled, where disabling this option has helped them. So if you ever run into any issues, you may try disabling this option.

Regards,
M.
