2004-05-07

Advanced Features

The SL1000 has a pretty advanced feature set - too advanced, perhaps, for the average SOHO user. A lot of the setup complexity stems from its multi-NAT features, since the SL1000 supports five NAT (Network Address Translation) modes:

The NAPT / PAT (Network Address and Port Translation / Port Address Translation) mode is what you normally encounter in consumer routers; it lets multiple LAN clients share the one IP address assigned by your ISP by rewriting each client's source port on the way out. Reverse NAPT is just the technically correct term for the port mapping or virtual server feature found on SOHO routers, which lets you make LAN-based servers accessible to the Internet.
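To make the two modes concrete, here is a small translation-table model written for this page (it is not ASUS firmware code and does not reflect how the SL1000 tracks sessions internally). It shows why many LAN clients can share one WAN address in NAPT / PAT mode, why an unsolicited inbound packet is dropped unless a reverse-NAPT mapping exists, and why a port reserved for reverse NAPT must never be handed out to a dynamic session. The WAN address, LAN addresses, port range and TCP-only assumption are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Flow = Tuple[str, int, str, int]   # (lan_ip, lan_port, remote_ip, remote_port)
Endpoint = Tuple[str, int]         # (ip, port)


@dataclass
class Napt:
    """Toy NAPT / PAT translator with a reverse-NAPT (port mapping) table.

    Constructed illustration: TCP only, one WAN address, per-flow mappings.
    """
    wan_ip: str
    next_port: int = 40000            # first WAN port handed to dynamic sessions (assumed)
    by_flow: Dict[Flow, int] = field(default_factory=dict)                   # LAN flow -> WAN port
    by_wan: Dict[Tuple[int, str, int], Endpoint] = field(default_factory=dict)  # (wan_port, remote_ip, remote_port) -> LAN endpoint
    static: Dict[int, Endpoint] = field(default_factory=dict)                 # reverse NAPT: WAN port -> LAN server

    def add_reverse_napt(self, wan_port: int, lan_ip: str, lan_port: int) -> None:
        """Publish a LAN server on a WAN port; refuse ports already in use."""
        if wan_port in self.static or any(k[0] == wan_port for k in self.by_wan):
            raise ValueError(f"WAN port {wan_port} already in use")
        self.static[wan_port] = (lan_ip, lan_port)

    def _alloc_port(self) -> int:
        """Pick the next free WAN port, skipping reverse-NAPT reservations."""
        used = set(self.static) | {k[0] for k in self.by_wan}
        while self.next_port in used:
            self.next_port += 1
        if self.next_port > 65535:
            raise RuntimeError("WAN port pool exhausted")
        port = self.next_port
        self.next_port += 1
        return port

    def translate_out(self, lan_ip: str, lan_port: int,
                      remote_ip: str, remote_port: int) -> Tuple[str, int, str, int]:
        """Outbound packet: rewrite source to (wan_ip, wan_port); mapping is stable per flow."""
        flow = (lan_ip, lan_port, remote_ip, remote_port)
        wan_port = self.by_flow.get(flow)
        if wan_port is None:
            wan_port = self._alloc_port()
            self.by_flow[flow] = wan_port
            self.by_wan[(wan_port, remote_ip, remote_port)] = (lan_ip, lan_port)
        return (self.wan_ip, wan_port, remote_ip, remote_port)

    def translate_in(self, remote_ip: str, remote_port: int, wan_port: int) -> Optional[Endpoint]:
        """Inbound packet to (wan_ip, wan_port): static mapping first, then the reply
        to a known outbound flow; anything else has no translation and is dropped (None)."""
        if wan_port in self.static:
            return self.static[wan_port]
        return self.by_wan.get((wan_port, remote_ip, remote_port))


def demo() -> Napt:
    """Constructed scenario: two LAN clients and one published web server."""
    nat = Napt(wan_ip="203.0.113.9")
    nat.add_reverse_napt(8080, "192.168.1.20", 80)          # virtual server
    nat.translate_out("192.168.1.10", 4000, "198.51.100.5", 80)
    nat.translate_out("192.168.1.11", 4000, "198.51.100.5", 80)  # same LAN port, different client
    return nat
```

Because the dynamic table is keyed on the remote endpoint as well as the WAN port, only the host that a LAN client actually contacted can send a packet back through that port; the reverse-NAPT entry, by contrast, admits any source, which is exactly why a virtual server deserves its own ACL scrutiny.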

The SL1000 isn't the first product to sport multi-NAT capabilities, but it has the most confusing interface that I've seen to allow access to those features. Where most other products give you a special screen to assign groups of LAN addresses to multiple WAN IP addresses, ASUS has chosen instead to incorporate the static and dynamic NAT modes into the ACL (Access Control List) Rules that are used to control traffic passing through the firewall.

ASUS' method allows more flexible use and finer control of the multiple IP addresses that you may have, but it unnecessarily complicates life for the larger population of users who have only one IP address to deal with. You'll see what I mean once I get into the Firewall features.

Another advanced feature - and a first for me - is the Self Access rules. Basically, ASUS takes a very secure approach to things - including access to the routing engine in the SL1000 itself! The pre-configured Self Access rules shown in Figure 5 allow LAN clients to access the admin screens (TCP 80 - Web and TCP 23 - Telnet) and even basic services such as DNS (UDP 53)!

Figure 5: Self Access rules

Note that since UDP ports 500 (ISAKMP) and 520 (RIP) are the only ones open to the SL1000 from the WAN, you'll need to add a Self Access rule opening the admin port (TCP 80 or TCP 23) to the WAN - in addition to setting an appropriate ACL rule - to administer the SL1000 from the WAN side. Although this additional step adds an extra measure of security, it's just one example of making things that should be easy, difficult.
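The two-layer check described above (an ACL rule for the traffic plus a Self Access rule for the router's own service) is easy to model, and the model makes the practical consequence visible: a packet to the management port from the WAN is dropped if either layer is missing. The following is an added illustration written for this page, not ASUS's rule engine; the rule tables are transcribed from the review's description of Figure 5 and the WAN note, while the ACL format, first-match semantics, and the sample source addresses are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Packet:
    """Constructed packet addressed to the router itself."""
    interface: str   # "LAN" or "WAN": where the packet arrived
    src_ip: str
    proto: str       # "TCP" or "UDP"
    dst_port: int    # service port on the router


@dataclass(frozen=True)
class SelfAccessRule:
    """Permits one service on the router to be reached from one interface."""
    interface: str
    proto: str
    port: int


@dataclass(frozen=True)
class AclRule:
    """Firewall ACL entry (assumed shape): source network, service, verdict."""
    src_net: str     # CIDR
    proto: str       # "TCP", "UDP" or "ANY"
    dst_port: int    # 0 means any port
    action: str      # "allow" or "deny"


# Pre-configured Self Access rules as the review describes them (Figure 5 plus the WAN note).
DEFAULT_SELF_ACCESS: List[SelfAccessRule] = [
    SelfAccessRule("LAN", "TCP", 80),    # web admin
    SelfAccessRule("LAN", "TCP", 23),    # telnet admin
    SelfAccessRule("LAN", "UDP", 53),    # DNS
    SelfAccessRule("WAN", "UDP", 500),   # ISAKMP
    SelfAccessRule("WAN", "UDP", 520),   # RIP
]

# Constructed ACL: the LAN subnet may talk to the router; nothing from the WAN is listed.
DEFAULT_ACL: List[AclRule] = [AclRule("192.168.1.0/24", "ANY", 0, "allow")]


def acl_decision(pkt: Packet, acl: List[AclRule]) -> str:
    """First matching ACL rule wins; no match is an implicit deny."""
    src = ipaddress.ip_address(pkt.src_ip)
    for r in acl:
        if (r.proto in ("ANY", pkt.proto) and r.dst_port in (0, pkt.dst_port)
                and src in ipaddress.ip_network(r.src_net)):
            return r.action
    return "deny"


def self_access_ok(pkt: Packet, rules: List[SelfAccessRule]) -> bool:
    """Default deny: the router's own service must be explicitly opened on that interface."""
    return any(r.interface == pkt.interface and r.proto == pkt.proto and r.port == pkt.dst_port
               for r in rules)


def router_accepts(pkt: Packet, acl: List[AclRule], rules: List[SelfAccessRule]) -> bool:
    """Management traffic passes only when the ACL allows it AND a Self Access rule exists."""
    return acl_decision(pkt, acl) == "allow" and self_access_ok(pkt, rules)


def exposed_services(interface: str, rules: List[SelfAccessRule]) -> List[Tuple[str, int]]:
    """Audit helper: which router services are reachable from a given interface."""
    return sorted((r.proto, r.port) for r in rules if r.interface == interface)
```

Running `exposed_services("WAN", DEFAULT_SELF_ACCESS)` is the quick way to confirm what the review states, that only UDP 500 and 520 face the Internet out of the box; the `router_accepts` check shows that adding an ACL entry alone, which is what most SOHO users would try first, still leaves the WAN-side admin attempt dropped.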