3.8. Advanced Settings
You can find the Advanced Settings at System → Settings → Advanced.
You can configure Firewall timeouts for
as well as the conntrack states table size.
You can add multiple IPv4 or IPv6 addresses or networks that will not be blocked at the VT AIR login when a wrong username or password is entered. For all other sources, the login is protected by a blocking function that locks the source out after 3 unsuccessful login attempts. Keep this exemption list as small as possible (for example only your management hosts), because exempted sources are no longer protected against password guessing.
3.8.2. Firewall Helper
There are 4 firewall helpers for protocols that need to open additional, randomly chosen ports.
You can enable each helper individually. The firewall will then track any additional port that a connection of one of those protocols opens, without you having to add a new firewall rule for it. Because a helper has to inspect application-layer traffic to learn those ports, enable only the helpers you actually need.
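As an added illustration of what such a helper does underneath (generic Linux nftables, not VT AIR's own configuration), the ruleset below binds the kernel's FTP conntrack helper to the FTP control port; the helper learns the negotiated data port and registers it with conntrack as a "related" connection. The table and chain names and the interface name lan0 are assumptions made for this example.

```nft
# Added example: generic Linux nftables, not VT AIR's own configuration.
# Table/chain names and the interface name "lan0" are assumptions.
table inet fw {
    # A conntrack helper object binds the kernel's "ftp" helper to TCP.
    # The helper parses the FTP control channel and tells conntrack which
    # random data port to expect, so no static rule for that port is needed.
    ct helper ftp-standard {
        type "ftp" protocol tcp
    }

    chain prerouting {
        # Runs after conntrack has created the entry (priority filter),
        # which the helper assignment requires.
        type filter hook prerouting priority filter; policy accept;
        # Attach the helper only to the FTP control port, so the
        # application-layer parser sees as little traffic as possible.
        tcp dport 21 ct helper set "ftp-standard"
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        # "related" matches the data connection the helper expected;
        # without the helper it would be a new, unmatched connection.
        ct state established,related accept
        # Allow clients on the LAN to open FTP control connections.
        iifname "lan0" tcp dport 21 ct state new accept
    }
}
```

Current kernels do not assign helpers automatically, so the explicit `ct helper set` rule is what turns the helper on, and restricting that rule to port 21 keeps the parser from running on unrelated traffic.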
3.8.3. Network Interfaces
You can disable the following hardware and software offload features here. Disabling them is mainly useful when an IDS/IPS or a packet capture needs to see packets as they arrived on the wire rather than merged into larger segments.
- GRO (Generic Receive Offload)
- GSO (Generic Segmentation Offload)
- TSO (TCP Segmentation Offload)
- UFO (UDP Fragmentation Offload)
- TX/RX Checksum Offload
A restart is not required to disable or enable any of the settings.
3.8.4. ARP Table
Here you can define the ARP table (neighbour cache) thresholds GC1, GC2 and GC3, separately for IPv4 and IPv6. The default values are 1024 for GC1, 2048 for GC2 and 4096 for GC3. When you have a large number of clients you might need to increase these values: GC3 is the hard upper limit, and once it is reached no neighbour entries can be added for new clients, which the underlying Linux kernel reports as a "neighbour table overflow" message and those clients experience as lost connectivity.
Gateway Change Kill States can be enabled or disabled. When enabled, all states are killed on a gateway change. This is useful when you want to force existing connections over the new gateway, but be aware that it disrupts all active connections.
Clear Auditlog Weeks defines how many weeks of audit logs are kept when the corresponding System Action runs. The default is 52 weeks.
3.8.6. Firewall Flowtable
The flowtable is a fast forwarding path for TCP/UDP packets that pass through the firewall. Packets first traverse the firewall in the normal way. Once a state is established, the connection is added to the flowtable. Every further packet of that connection is then sent from the incoming to the outgoing interface directly, bypassing the firewall rule processing and therefore saving a lot of processing time.
This feature allows for 2-3 times faster packet processing and is compatible with QoS. It is enabled by default. If you enable IDS/IPS or logging for a firewall rule, the fast path is not applied to that rule's traffic, because the inspecting or logging component must still see every packet. If you encounter any issues, please disable this feature.
MTU must be the same on all involved interfaces. Otherwise you might see very low throughput on connections.
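The following generic Linux nftables ruleset is an added example of the mechanism described above; it is not VT AIR's configuration. It assumes two forwarding interfaces, lan0 and wan0 (constructed names), shows the "flow add" rule that populates the flowtable once a connection is established, and uses a conntrack mark to keep logged connections on the slow path, mirroring the rule that logging disables the fast path.

```nft
# Added example: generic Linux nftables, not VT AIR's own configuration.
# Interface names "lan0" and "wan0" are constructed; both must use the
# same MTU or the fast path will perform poorly.
table inet fw {
    # The flowtable hooks at ingress of the listed devices; packets that
    # match an entry are forwarded there and skip the chains below.
    flowtable ft {
        hook ingress priority 0
        devices = { lan0, wan0 }
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # Once a TCP/UDP connection is established (it has already passed
        # the rules below once), "flow add" registers it in the flowtable.
        # Connections tagged with ct mark 0x1 are deliberately excluded so
        # every packet of those keeps traversing the firewall.
        meta l4proto { tcp, udp } ct state established ct mark != 0x1 flow add @ft

        ct state established,related accept

        # Plain allow rule: its connections become eligible for offload.
        iifname "lan0" oifname "wan0" ct state new accept

        # Logged rule: mark the connection so it stays on the slow path,
        # mirroring the behaviour that logging disables the fast path.
        iifname "wan0" oifname "lan0" tcp dport 22 ct state new log prefix "ssh-in " ct mark set 0x1 accept
    }
}
```

The "flow add" statement is non-terminating, so an established packet is registered in the flowtable and then accepted by the following rule; only the first packets of a connection (and every packet of a marked one) pay the full rule-evaluation cost.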
                                     userspace process
                                      ^                |
                                      |                |
                                 _____|_____       ____\/____
                                /           \     /          \
                                |   input   |     |  output  |
                                \___________/     \__________/
                                      ^                |
                                      |                |
      _________      __________      ----------   _____\/_____
     /         \    /          \     |Routing |  /             \
  -->  ingress  ---> prerouting ---> |decision|  | postrouting |--> neigh_xmit
     \_________/    \__________/     ----------  \_____________/         ^
       |     ^                           |              ^                |
   flowtable |                       ____\/____         |                |
       |     |                      /         \         |                |
    __\/___  |                      | forward |----------                |
    |-----|  |                      \_________/                          |
    |-----|  |                  'flow offload' rule                      |
    |-----|  |                     adds entry to                         |
    |_____|  |                       flowtable                           |
       |     |                                                           |
      / \    |                                                           |
     /hit\_no|                                                           |
     \ ? /                                                               |
      \ /                                                                |
       |__yes_________________fastpath bypass ___________________________|

               Fig.1 Netfilter hooks and flowtable interactions