@SpeedyC, I don't know the exact router model you might have, so I had a look at the D-Link site for a model that would have the same firewall options that you posted. I used the DIR-890L/R as it has the same firewall settings. Here's the link to the support page:
https://support.dlink.ca/ProductInfo.aspx?m=DIR-890L%2FR
Select the downloads link and then download the User Manual (English) 1.00 dated 02/17/15
Have a look at page 100 for the firewall explanations. Some of them are very basic and really don't say a whole lot.
Here's what I would set:
Enable DMZ: Disabled
Enable SPI IPv4: Enabled
Enable Anti-Spoof checking: Enabled
IPv6 Simple Security: Enabled only if you're running IPv6
IPv6 Ingress Filtering: Enabled regardless of whether or not you're running IPv6.
Application Level Gateway (ALG) Configuration:
PPTP: Point-to-Point Tunneling Protocol: Enabled only if you need it for VPN use. See comments below:
IPSec (VPN): Enabled only if you're using IPSec VPNs
RTSP: Real Time Streaming Protocol: this might be useful for Streaming purposes. There's no indication of whether or not this is upload only, or for both downloads and uploads. This would be worthy of an experiment for streaming downloads, and for uploads if you happen to be a gaming streamer.
SIP: Session Initiation Protocol (SIP). SIP manages registering devices, maintaining call presence, and overseeing the call audio. There is more to this which you can research online. The problem with SIP is that the router will rewrite the incoming protocol to one that is specified by D-Link. That may or may not match the SIP protocol used by your VOIP provider if in fact you use a VOIP phone. More than likely it won't match the protocol used by the provider. If you do use a VOIP phone, your VOIP provider probably has a recommended setting for your router, or for routers in general. I suspect that the recommendation would be to disable SIP, so that the signaling protocol makes it thru the router, to the VOIP phone without being mangled by the router. That should allow the VOIP phone to function as it's expected to.
Relevant links:
Ok, here's a couple of Wikipedia links that are worth glancing at:
PPTP:
https://en.wikipedia.org/wiki/Point-to-Point_Tunneling_Protocol
Note the second sentence in the article: "The Point-to-Point Tunneling Protocol (PPTP) is an obsolete method for implementing virtual private networks. PPTP has many well known security issues." Seems like it's a hazard in itself.
RTSP:
https://en.wikipedia.org/wiki/Real_Time_Streaming_Protocol
Here's some food for thought:
Enable DMZ: I would keep this Disabled unless you know that you need it. If you do, I'd set up an IP Reservation for the device in question and then set it to run in the DMZ. With the IP Reservation, if the router reboots at some point in time, it will assign the same IP address to the device in question so that if the DMZ is specified by IP address instead of MAC address, the correct device will end up in the DMZ.
Enable SPI IPv4: if you run this Enabled, you might find that the data rate drops due to the Stateful Packet Inspection that is running. What you see will depend on your internet plan data rate and the horsepower of the router. I wouldn't be surprised to see a data rate drop. Here's one of many internet articles on SPI:
https://fastestvpn.com/blog/spi-firewall-protect-network-traffic/
Enable Anti-Spoof checking: If you had a look at the user manual that I linked, you'll see that there's very little explanation as to exactly what this does. Given the port scans that continually occur these days, it might be worth enabling to see what effect, if any, it has on your internet data rates.
IPv6 Simple Security: the user manual has no explanation of how this works, so, if you're using IPv6, I'd enable this, but keep in mind that it may come with a performance penalty.
IPv6 Ingress Filtering: Enabled regardless of whether or not you're running IPv6. I use an Asus RT-AX86U which has a separate IPv6 firewall setting which can be enabled regardless of the state of IPv6 (Enabled or Disabled). So, I keep the IPv6 firewall enabled at all times. There is probably a greatly reduced chance of a port scan via IPv6, but it's not terribly difficult to determine the address ranges for an ISP, after which you can simply scan thru the entire range. Yup, it will be a large range to scan thru, but that's not difficult these days. Here's the Hurricane Electric page for Rogers, which contains the base IPv4 and IPv6 address and their address ranges.
https://bgp.he.net/search?search%5Bsearch%5D=Rogers+Communications+Canada+Inc.&commit=Search
Application Level Gateway (ALG) Configuration:
PPTP: Point-to-Point Tunneling Protocol: Enabled only if you need it for VPN use.
IPSec (VPN): Enabled only if you're using IPSec VPNs
RTSP: Real Time Streaming Protocol: this might be useful for Streaming purposes. There's no indication of whether or not this is upload only, or for both downloads and uploads. This would be worthy of an experiment for streaming downloads, and for uploads if you happen to be a gaming streamer.
SIP: Session Initiation Protocol (SIP): As indicated above, this setting will depend on whether or not you use a VOIP phone. If you don't use a VOIP phone, I'd disable it.
Out of curiosity, what model of router do you have, and, what's the latest firmware version date that is loaded? If that's out of date by more than a year, and there's no sign on the horizon of a firmware update, it will be time to find another router that receives regular firmware updates. There's way too much happening these days in terms of router security problems to leave your network protection to a router that isn't keeping up with those threats.
For each of those settings in your post that might actually be useful to you, only enable one at a time and take at least a day or two to assess the impact on the router processing and data rate throughput. Without knowing what router model you have, I can only speculate that you might find that the router doesn't have enough horsepower to do everything that you might want it to do. Take your time when it comes to enabling those settings, changing one function at a time.
Hope this helps 🙂