Security

I purchased a better router, the Flint router, as what I had before was the Shadow router. We upgraded for better security.
The reason being is because of the security I put on my qsm: enabling STP, enabling imgp3 with all the ports isolated, and strict filtering with rebinding attack. All of that on one channel, because I disabled the guest channel and subnet to the guest channel, and also hiding for the guest channel. All going through AdGuard DNS. Every time I game on Xbox I watch people in host rooms manipulating my ping. I can feel in the game that they have a hold of my connection, and lo and behold, when I check my firewall settings, i.e. leaked DNS, nothing leaked is enabled. So people are getting into my router. How do I stop this? I even have an ARP-aware load balancer. But nothing seems to be working. Does anybody know what I can put on my router to stop people hacking me?

First, let's be real: hacking happens to anyone every second daily, or close to that; your network is constantly brute-forced and port-scanned by tons of bots, like everyone else's.

Your router has a firewall which easily blocks any unsolicited traffic.

Firewalls always work from source to destination: if a local client talks to site A, site A gets the green card to communicate back on the same line and is therefore allowed.

The firewall blocks traffic if you did not first initiate traffic. On GL routers perhaps only ICMP (ping) is open; you can disable this in the security settings.

So as far as security goes you should be okay on this; there is always a "what if", sure.

However, there is one issue I can see which can cause more problems:

STP is useful to avoid local network loops. Your priority should be the lowest on the main switch, which is your main router; on other switches you should increase the priority, and the farthest switch should have the highest priority count. The lower the priority, the more the switch gets seen as the head switch.

IGMP snooping... Maybe disable this. Normally, if a network operates properly, there is no need for IGMP snooping. IGMP snooping is used if there is a lot of noise, and it cuts off other multicast packets which are slow to respond.

^ These two do not add much to security and in some events can also introduce new issues.

STP can cause issues if hardware offloading is enabled and you have a very congested local network, since the nature of offloading skips the CPU in favour of the offloading chip for more free CPU cycles. It is possible it starts dropping packets and invalidating checksums because it is full; then STP can do very bad things and lock up the network.

DNS rebinding protection can be good, but not if you use the router as a second router, or if you use VPN services through the router.

You can however do a few things to increase some security:

  • Enable DNSSEC. This hardens you against DNS poisoning, although the other side needs to support it, so it is not always that secure, and there have been vulns in the past. So my conclusion is that encryption is the way, but this is a good asset.

  • Use DoH or DoT so you are more resilient against predictable patterns, because encrypted traffic isn't as predictable as raw DNS. They can't monitor and inject exactly when you download something as a drive-by attempt; especially automated downloads of dependencies will be far more protected, which also hardens you against DNS poisoning.

  • For gaming online choose a VPN. If they decide to attack you, the VPN goes down, not your whole internet, and you can easily change to another VPN location.

  • Use strong generated passwords, preferably from a password manager. If SSH is not needed, disable it, or use key authentication: with PuTTY via PuTTYgen you can generate a key set and upload it via LuCI.

  • Use better passwords for Wi-Fi with WPA3 or WPA2+AES. If you have devices which can use local VPN software, maybe consider making use of it, or flash OpenWrt for a more advanced step to include a Wi-Fi-only VPN server which cascades to your normal external VPN; this might also be possible with the VPN server setup in the GL software.

  • Isolate IoT devices in a different network.

As for the disconnections, this can be for different reasons, and it can be as easy as a network configuration error, censorship on the CDN/clouds, or just players with overall bad internet, the ISP doing/breaking things, or failing IPv6.
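The stateful-firewall behaviour described above (LAN-initiated flows get reply traffic back, unsolicited WAN traffic is dropped, with ICMP from WAN as the one optionally open exception) can be illustrated with a small connection-tracking simulator. This is an added example, not code from the thread or from GL.iNet/OpenWrt; the addresses and the five sample packets are constructed, and the `allow_wan_icmp` switch stands in for the "disable ping from WAN" setting the reply mentions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str  # "out" = LAN -> WAN, "in" = WAN -> LAN
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    sport: int      # 0 for icmp (no ports)
    dst: str
    dport: int


class StatefulFirewall:
    """Minimal model of a router's default WAN policy: allow what the LAN
    initiated (and its return path), drop everything else."""

    def __init__(self, allow_wan_icmp: bool = True) -> None:
        self.allow_wan_icmp = allow_wan_icmp
        self.conntrack: set[tuple] = set()  # flows seen leaving the LAN

    def process(self, pkt: Packet) -> str:
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.direction == "out":
            # LAN initiated this flow: remember it so replies are allowed.
            self.conntrack.add(flow)
            return "ACCEPT"
        # Inbound: is this the reverse of a flow the LAN started?
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.conntrack:
            return "ACCEPT (established)"
        if pkt.proto == "icmp" and self.allow_wan_icmp:
            return "ACCEPT (wan icmp open)"
        return "DROP (unsolicited)"


# Constructed sample traffic (documentation-range addresses, not real hosts).
SAMPLE = [
    Packet("out", "tcp", "192.168.8.10", 51000, "203.0.113.5", 443),   # LAN opens HTTPS
    Packet("in", "tcp", "203.0.113.5", 443, "192.168.8.10", 51000),    # server replies
    Packet("in", "udp", "198.51.100.7", 40000, "192.168.8.10", 3074),  # nobody asked for this
    Packet("in", "tcp", "198.51.100.7", 2222, "192.168.8.1", 22),      # WAN-side SSH probe
    Packet("in", "icmp", "198.51.100.7", 0, "192.168.8.1", 0),         # ping from WAN
]


def run_sample(allow_wan_icmp: bool = True) -> list[str]:
    """Run the constructed packets through a fresh firewall; returns verdicts."""
    fw = StatefulFirewall(allow_wan_icmp=allow_wan_icmp)
    return [fw.process(p) for p in SAMPLE]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, run_sample()):
        print(f"{pkt.direction:>3} {pkt.proto:<4} {pkt.src}:{pkt.sport} -> "
              f"{pkt.dst}:{pkt.dport}  {verdict}")
```

The third and fourth packets are the kind of traffic a game peer or a scanning bot sends; because no LAN host opened those flows, the router never needs a rule for them, it just has no conntrack entry. Turning `allow_wan_icmp` off is the equivalent of the security-settings toggle the reply points to.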
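The STP advice above (lowest priority on the main router, increasing priority the farther a switch sits from it) rests on the root bridge election: the bridge with the numerically lowest bridge ID, priority first and MAC address as tie-breaker, becomes root. The following added example (not from the thread or any vendor firmware) shows why the default priority can leave an edge switch as root and how stepping priorities outward fixes it. The switch names and MAC addresses are constructed.

```python
DEFAULT_PRIORITY = 32768  # IEEE 802.1D default on most switches
PRIORITY_STEP = 4096      # priorities are configured in multiples of 4096


def bridge_id(priority: int, mac: str) -> tuple[int, str]:
    """Bridge ID ordering: lower priority wins, lower MAC breaks ties."""
    return (priority, mac.lower())


def elect_root(bridges: dict[str, tuple[int, str]]) -> str:
    """bridges maps name -> (priority, mac); returns the name of the root bridge."""
    return min(bridges, key=lambda name: bridge_id(*bridges[name]))


def recommended_priorities(path: list[str]) -> dict[str, int]:
    """Given switches ordered from the main router outward, assign
    increasing priorities so the router is root and the farthest switch
    has the highest priority number (the reply's recommendation)."""
    return {name: PRIORITY_STEP * (i + 1) for i, name in enumerate(path)}


# Constructed topology: router -> office switch -> far switch in the garage.
MACS = {
    "router": "02:00:00:00:00:0c",   # highest MAC: loses tie-breaks at defaults
    "office_switch": "02:00:00:00:00:0b",
    "garage_switch": "02:00:00:00:00:0a",
}
PATH = ["router", "office_switch", "garage_switch"]


def root_with_defaults() -> str:
    """Everything left at 32768: the lowest MAC (the farthest switch) wins."""
    return elect_root({n: (DEFAULT_PRIORITY, m) for n, m in MACS.items()})


def root_with_recommended() -> str:
    """Priorities stepped outward from the router: the router becomes root."""
    prio = recommended_priorities(PATH)
    return elect_root({n: (prio[n], m) for n, m in MACS.items()})


if __name__ == "__main__":
    print("root at defaults:   ", root_with_defaults())
    print("recommended:        ", recommended_priorities(PATH))
    print("root after change:  ", root_with_recommended())
```

With all bridges at the default, the garage switch wins purely on MAC address and every frame between the router and the office would be steered around a root at the far end of the network; setting the router to 4096 and stepping outward makes the election deterministic regardless of MAC values.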

I have done all those things, including VPN. I have had to stop using VPN on the Flint; I have used Surfshark and Mullvad and still get the same results as I did on the Shadow. Thank you for responding, but everything that has been suggested I already have and tried in the past. It seems when it comes to gaming on Xbox there isn't much to be done. I've complained to Xbox but haven't really got anywhere. Maybe it's being done through the server itself.


It is possible Xbox does not support IPv6; dual stack, or having an IPv6 DNS only, can slow down connections.

It is possible they block various VPNs. I know from experience some Mullvad VPN locations are really bad because some users abused countries' currencies for cheaper games, and some come from a restrictive territory. You may have to allow some of their domains over WAN by policy, but you have to be careful, especially with peer-to-peer games.

Often it is fine to allow 'auth' and 'mission' servers, as peers are the direct connections not resolved by the policy.