Like every other website on the planet, SmallNetBuilder uses cookies. Our cookies track login status, but we only allow admins to log in anyway, so those don't apply to you. Any other cookies you pick up during your visit come from advertisers, which we don't control.
If you continue to use the site, you agree to tolerate our use of cookies. Thank you!

Router Charts

Click for Router Charts

Router Ranker

Click for Router Ranker

NAS Charts

Click for NAS Charts

NAS Ranker

Click for NAS Ranker

More Tools

Click for More Tools

LAN & WAN Reviews

Firewall, Port Mapping, & Filters

The SX's firewall has a different interface than that on its predecessors, but more importantly, it looks like Linksys may finally have an SPI implementation that works! There has been an "SPI" button on the Filters page for some time in previous models, but the implementation appears to be buggy and/or misunderstood by many users. The result is that the Linksys "SPI" feature has gotten the reputation for best working when it's set to OFF.

It looks that this is going to change with the new SX routing engine, whose implementation appears to be quite different. And from my limited testing, it looks like it actually works, too!

Linksys BEFSX41: Firewall screen

Figure 1: Firewall screen
(click on the image for a full-sized view)

Figure 1 shows what you see when you click on the Advanced Firewall Protection Enable radio button. This puts the SPI firewall into effect and,as you can see, gives you some other options that have been offered by competing SPI firewalls. You also get URL keyword blocking for 10 keywords of, if my count is correct, 79 characters each. Keywords can be full or partial URLs, or any text you want. If the text appears in the URL that a user tries to access, they browser will either hang or report that the page isn't available, since the SX doesn't put a "Blocked by Linksys" message or anything similar up.

Moving down the page you see a Time Filter setting, but don't get too excited. Although this feature provides time schedulable control of your LAN users' Internet access, your choices are limited to Block All Outgoing, Block All Incoming, or Block Both. There's no ability to limit the blocking to specific services (ports), and the scheduling doesn't apply to the Blocked URL Contents either. Scheduling flexibility is limited to one time period, which is applied to whatever range of consecutive days you choose. You get a nice little time grid display of the blocked periods, though.

The other firewall features are found on the Filters and Forwarding pages. Figure 2 shows the Filters page (top and bottom cut off), where you set up the port filtering features of the SX.

Linksys BEFSX41: Filters screen
Figure 2: Filters screen
(click on the image for a full-sized view)

This page takes a new approach to the Filter setup for Linksys. You can program up to 20 filters, each of which can be set to apply to Deny or Allow a selected service for both 5 MAC addresses and one range of IP addresses. You select the service you want from a pick list of pre-defined common services (DNS, POP, HTTP, etc.), or you can create new services, specifying both port range and TCP, UDP, or ICMP protocols. Filters can also be left programmed, but disabled, which I always find handy for test purposes. The main negative for the Filters feature vs. competitive products is that you can't schedule them, nor can you specify a trusted user, to whom the filters don't apply.

The other settings on the Filters page are ones you've seen before. You can set the router to not respond to ping requests (Block WAN Request), enable Multicast Pass Through and set the MTU (Maximum Transmission Unit) size (helpful for getting some DSL/PPPoE connections to work).

Also the same is the SX's remote administration, i.e. from the WAN, features. You can enable access to the router's admin interface (Remote Management) and separately allow upgrading (Remote Upgrade) from the WAN side. One improvement is that you now can set the port used by Remote Administration (the default is port 8080).

On the minus side, you can't limit Remote access to specific IP addresses or ranges and surprisingly, you can't access the admin interface of the router at the other end of an IPsec tunnel (or at least if you can, I couldn't figure out how!). You also can't soft reboot the router remotely (although you can force a reset to factory defaults). You can also have multiple users logged into the admin interface at the same time without getting a message telling you that you're not alone. I never got logged out of the router during testing, and you can't manually log out either.

Moving along to the Forwarding page, Figure 3 shows that the main page looks the same as other Linksys routers, except for the addition of the UPnP Forwarding button.

Linksys BEFSX41: Forwarding screen - Port Ranges
Figure 3: Forwarding screen - Port Ranges
(click on the image for a full-sized view)

Although this page (Figure 4) looks like it just provides access to single port mappings, it turns out that it really does interact with UPnP.

Linksys BEFSX41: UPnP Forwarding screen
Figure 4: UPnP Forwarding screen
(click on the image for a full-sized view)

Since this is the first router I've tested that performs this particular little trick, I thought I'd spend a little time talking about it.

UPnP Features

If you're unfamiliar with Universal Plug and Play, I suggest you read our FAQ and Need to Know, which will give you some background on the information that follows. I found that the SX is the first UPnP-enabled router that actually interacts with the UPnP Advanced Settings > Services window that you'll find via your XP-powered computer. Although you get only one port and protocol per service, and you still must fill in the correct IP address for the computer that you're establishing the service to, a service change you make via XP is displayed in the UPnP Forwarding screen and vice versa! Although it seems like an obvious thing, I haven't found this behavior on other UPnP-enabled routers... other Linksys products included!

Unfortunately, though, it looks like UPnP's NAT Transversal feature, which should automatically open ports in the router firewall for applications that support the feature, either doesn't work, or doesn't give any user-accessible indication that it's working. I use Windows Messenger to check for this, and didn't see any services opened for in the Internet Connect Advanced Settings > Services window, nor did I see anything opened in the other SX Forwarding screens.

So hats off to Linksys for doing something that should be included in all router UPnP implementations. Now let's get NAT Transversal working, including automatic user notification when it pokes holes in the firewall!

Let's move on to the VPN features and performance.

More LAN & WAN

Wi-Fi System Tools
Check out our Wi-Fi System Charts, Ranker and Finder!

Support Us!

If you like what we do and want to thank us, just buy something on Amazon. We'll get a small commission on anything you buy. Thanks!

Over In The Forums

Recently got a RT-AC86u and installed with the latest Merlin (384.18), and noticed WebUI being unresponsive after a while. Restarting the httpd servic...
I've installed last version of Asus Merlin. I have tried to install pyload but now the default version of python in entware is version 3. Pyload still...
Asuswrt-Merlin 384.19 beta is now available (except for the RT-AX56U which won't be available for this release, due to outdated GPL code).The main cha...
Hi There,Update 2020/07/28Here we have new 386 rc2 beta for public test(so the old links are removed).link:
Is there a way to disable the pop-up when hovering the mouse pointer over threads?

Don't Miss These

  • 1
  • 2
  • 3