4. Firewall, Port Mapping, Filters

I first thought that the VBR's firewall features were going to be pretty much the same old same-old, but it turned out that SMC had a few tricks up its sleeve to try to set the VBR apart from the pack.

First in the "unique feature" department is the VBR's Multi-NAT capability. SMC calls this "Address Mapping", and as Figure 2 below shows, with it, you can take multiple WAN IP addresses and assign them to ranges of private LAN IP addresses. This lets you, for example, put more than one LAN client in DMZ (one for each WAN IP address you have), and also lets you have multiple virtual (mapped) servers of the same type (FTP servers for example) operating on the same port.

NOTE! This feature is useable only if you have multiple WAN IP addresses assigned from your ISP!

Figure 2: Address Mapping
(click on the image for a full-sized view)

SMC let you define up to 10 Address Mappings and 8 DMZ machines, but again, you need an ISP-assigned IP address for each Mapping or DMZ assignment.

The second unique feature is the control that you get over the Stateful Packet Inspection (SPI) features of the VBR's firewall. Figures 3 and 4 show some of the "knobs" that you can tweak on the firewall.

Figure 3: Intrusion Detection
(click on the image for a full-sized view)

The Intrusion Detection and Stateful Packet Inspection sections are fairly straightforward. The SPI and Anti-DoS firewall protection checkbox allows you to turn most of the SPI features on and off. If you leave SPI on, the checkboxes in the Stateful Packet Inspection section allow you to turn off SPI features for specific types of traffic.

Figure 4: More Intrusion Detection
(click on the image for a full-sized view)

The settings in the Connection Policy and DoS Detect Criteria sections are harder to decipher. Unfortunately, you'll need to go elsewhere to understand when and how to change most of the settings, since SMC's User Guide offers no useful information. This page is also where you set up the Email hack alert feature, which is supposed to send an email when a hack attempt is detected. I say supposed, because although I port-scanned the crap out of the VBR, it never sent a single email alert. I asked SMC about this and will cover their response in the Logging section later on.

Moving on to the more typically found firewall features, you'll find both static single port (Virtual Servers) and triggered port range (Special Applications) mapping capabilities, but you won't find static port range mappings. SMC says, however, that this will be added in a future firmware update. Note that server "loopback" is not supported for Virtual servers, and the port mappings are not schedulable.

See this page of the Hardware Router Terminology Guide if you need an explanation of static vs. triggered port mapping.

Tip: See this page of our Hardware Router NTK - Terminology Guide for an explanation of "loopback".

The VBR's Access Controls (Port Filters), allow you to pick from a built-in list of common services, and add a custom rule (not shown on the screen shot) that can contain up to 5 single ports or port ranges, in either UDP or TCP protocols (but not both at once) to apply to a range of LAN IP addresses.

Figure 5: Access Controls
(click on the image for a full-sized view)

You can only create rules that block the specified ports... not the sometimes handier allow type rules. You can disable all rules and leave them programmed, but can't disable rules on an individual basis.

The VBR's Scheduling Features are the most flexible that I've found in recent routers. For each Access Control rule, you can apply one of 10 schedules that you set up, or have the rule always in force.

Figure 6: Rule Schedule
(click on the image for a full-sized view)

Figure 6 shows that each day has its own time period, a flexibility that you don't often find among rule-schedulable routers. Schedules also can be applied to the URL Keyword blocking feature, which is treated just like an Access Control port filter rule for scheduling purposes. Note that although you can set different times for keyword blocking for different groups of LAN clients, you get only one set of URL keywords.

In all, I thought the VBR had a pretty good set of Firewall related features, except for the missing static port range mapping.