How to Configure Your Router Firewall

Your router's firewall is the first line of defence between the internet and your home network. Most router firewalls work well with default settings, but understanding the key options lets you tune them without inadvertently reducing security. Updated 2026-04-27.

Step 1: Verify SPI firewall is enabled

A Stateful Packet Inspection (SPI) firewall tracks the state of active connections and blocks unsolicited inbound packets. In your router admin panel, navigate to Firewall or Security settings and confirm SPI firewall is enabled. This is the most important setting and should always be on. Disabling it exposes every device on your network to direct inbound connection attempts from the internet.

Step 2: Enable DoS and DDoS protection

Many routers include protection against denial-of-service attacks — SYN flood, ICMP flood, and UDP flood protection. Enable these if available. They rate-limit inbound traffic from single sources, which prevents your connection from being saturated by attack traffic. On ASUS and Netgear routers, look for 'DoS Protection' under the Firewall section.

Step 3: Review inbound port rules

Navigate to Port Forwarding or Virtual Server rules. Any open port is an entry point into your network. Review each rule: if you do not recognise an open port, disable it. Common safe rules: game server ports you actively use, a Plex media server. Risky rules: RDP (port 3389) exposed to the internet — use a VPN instead of exposing RDP directly.

Step 4: Disable UPnP

UPnP allows devices on your network to automatically request port openings without your approval. Malware can exploit this to open ports. Disable UPnP in your router's firewall or advanced settings. If a specific application stops working after disabling UPnP, add a manual port forwarding rule for it instead — this gives you explicit control over what is exposed.

Step 5: Block incoming ICMP ping (optional)

Blocking ICMP ping from the internet makes your router's public IP less visible to automated scanners. Navigate to Firewall > WAN or Advanced settings and disable 'Respond to ping from internet' or 'ICMP Echo'. This is a minor hardening step — a determined attacker can find your IP without ping, but it reduces automated scan noise.

Step 6: Enable access log

Enable the router's firewall log to monitor blocked connection attempts. Navigate to Administration or System Log and enable security logging. Periodically review the log for repeated attempts from specific IPs — a pattern of attempts on a specific port may indicate active scanning. This is informational for most home users but valuable if you notice unusual network behaviour.
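
The script below is an added example, not part of the original guide: it tallies blocked-connection log lines by source IP and destination port to surface the repeated-attempt pattern described above. The log format (netfilter-style `DROP ... SRC= PROTO= DPT=` lines), the sample lines, and the thresholds are assumptions; router log formats vary, so adjust the regex to match yours.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in netfilter LOG style (an assumed format; adjust
# the regex to what your router actually writes). IPs are documentation ranges.
SAMPLE_LOG = """\
Apr 27 02:14:01 kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=51512 DPT=3389
Apr 27 02:14:03 kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=51513 DPT=3389
Apr 27 02:14:09 kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=51530 DPT=3389
Apr 27 02:20:44 kernel: DROP IN=eth0 OUT= SRC=192.0.2.55 DST=198.51.100.20 PROTO=UDP SPT=40000 DPT=53
Apr 27 02:31:10 kernel: DROP IN=eth0 OUT= SRC=203.0.113.99 DST=198.51.100.20 PROTO=TCP SPT=44100 DPT=22
Apr 27 02:31:11 kernel: DROP IN=eth0 OUT= SRC=203.0.113.99 DST=198.51.100.20 PROTO=TCP SPT=44101 DPT=23
Apr 27 02:31:12 kernel: DROP IN=eth0 OUT= SRC=203.0.113.99 DST=198.51.100.20 PROTO=TCP SPT=44102 DPT=80
Apr 27 02:40:00 kernel: ACCEPT IN=br0 OUT=eth0 SRC=192.168.1.10 DST=198.51.100.53 PROTO=UDP SPT=5353 DPT=53
"""

# Only blocked packets that carry a destination port are of interest here.
LINE_RE = re.compile(
    r"\bDROP\b.*?\bSRC=(?P<src>\S+).*?\bPROTO=(?P<proto>\S+).*?\bDPT=(?P<dpt>\d+)"
)

def summarize(log_text, repeat_threshold=3, sweep_threshold=3):
    """Return (repeat_hits, sweepers) from blocked-connection log lines.

    repeat_hits: {(src, proto, port): count} for a source that hit the same
                 port at least repeat_threshold times.
    sweepers:    {src: sorted ports} for a source that tried at least
                 sweep_threshold distinct ports.
    """
    per_target = Counter()
    ports_by_src = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # allowed traffic, or a line without a port (e.g. ICMP)
        src, proto, port = m["src"], m["proto"], int(m["dpt"])
        per_target[(src, proto, port)] += 1
        ports_by_src[src].add(port)
    repeat_hits = {k: n for k, n in per_target.items() if n >= repeat_threshold}
    sweepers = {s: sorted(p) for s, p in ports_by_src.items() if len(p) >= sweep_threshold}
    return repeat_hits, sweepers

if __name__ == "__main__":
    repeats, sweeps = summarize(SAMPLE_LOG)
    for (src, proto, port), n in repeats.items():
        print(f"{src} hit {proto}/{port} {n} times")
    for src, ports in sweeps.items():
        print(f"{src} tried ports {ports}")
```

A source that repeatedly hits a port you have forwarded in Step 3 is the case worth acting on; blocked attempts against closed ports are the firewall doing its job.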

Frequently Asked Questions

Does my router firewall protect from malware?

A router firewall blocks unsolicited inbound connections — it does not scan for malware or block outbound connections from infected devices. If a device on your network is infected and makes outbound connections to a command-and-control server, the router firewall does not block this by default. DNS-based blocking (Quad9 DNS, Pi-hole) adds protection against known malicious domains.

Should I put my router in DMZ mode for gaming?

DMZ mode disables the firewall for the specified device, exposing it fully to the internet. Avoid DMZ for gaming; use specific port forwarding rules for the ports the game requires instead. DMZ is appropriate only for a second router or dedicated server that you want to handle its own firewall rules.

What is a hardware firewall vs a software firewall?

Your router's firewall is a hardware firewall (network-level): it filters traffic before it reaches any device. Software firewalls (Windows Defender Firewall, macOS Application Firewall) run on individual devices and filter per-application traffic. Both serve complementary roles — the router firewall protects the network perimeter; the software firewall protects individual devices from other devices on the local network.
