Like every other website on the planet, SmallNetBuilder uses cookies. Our cookies track login status, but we only allow admins to log in anyway, so those don't apply to you. Any other cookies you pick up during your visit come from advertisers, which we don't control.
If you continue to use the site, you agree to tolerate our use of cookies. Thank you!

Router Charts

Click for Router Charts

Router Ranker

Click for Router Ranker

NAS Charts

Click for NAS Charts

NAS Ranker

Click for NAS Ranker

More Tools

Click for More Tools

LAN & WAN Reviews

Firewall Features

Once I started to dig into the 8200's firewall configuration, however, I found the Network Map doesn't reflect its Access Control (Port / Service filters) settings. Ok, so maybe that's not so bad, but I found the Access Control tab didn't reflect controls put into effect by the Security > General tab, which I think is a bad thing.

The Security tab offers three general Security levels - Maximum, Typical, and Minimum (Figure 3).

USR8200 - General Security levels

Figure 3: General Security Levels
(click on the image for a full-sized view)

Maximum allows all clients access to only Telnet, FTP, HTTP, HTTPS, DNS, IMAP, POP3 and SMTP services and is the default setting. I bumped into this early in my testing when I found that an SSH program that I use wouldn't work - no thanks to the (lack of) information in the Access Control page. A quick change to the Typical setting fixed the problem.

But I'm puzzled by the inclusion of the Minimum setting, and its name. Since it essentially removes the 8200's firewall by Accepting all Outbound and Inbound traffic, I think it would be more appropriately titled No Security and have some explanatory warning as to the security risk this setting exposes your LAN to. Although USR isn't unique in its use of a Rule and Service firewall model, I think it is unique in providing access to an Accept All rule for Inbound traffic, which essentially turns off the 8200's firewall protection.

USR8200 - Access Control
Figure 4: Access Control
(click on the image for a full-sized view)

At any rate, if you do want to set up Access Controls, the 8200 tries to make it easy by presenting an extensive list of pre-made filters that you can just check off (Figure 4). But then it makes it difficult by allowing you to set those filters only for either the entire LAN or a single IP address (or computer name) at a time. At least you can edit and temporarily disable rules, but there's no ability to schedule them to be in effect during specific days and time periods.

Inbound port forwarding (Local Servers) setup looks and works pretty much like the Access Controls, except you don't get an "entire LAN" option. As with Access Controls, Local Servers aren't schedulable. Triggered port mappings are not supported, but "Loopback" for Local Servers is.

If these simple filtering options don't suit you, and you have some experience in setting up multi-stage firewalls, you can try the Advanced Filtering features.

USR8200 - Advanced Filtering
Figure 5: Advanced Filtering
(click on the image for a full-sized view)

Figure 5 shows the available rule sets and Figure 6 shows just some of the settings for each of the sets. The good news is that this is pro-level firewall configuration ability.

USR8200 - Advanced Filtering Rules

Figure 6: Advanced Filtering Rules
(click on the image for a full-sized view)

The bad news is that you're on your own to figure out how and when to use this powerful capability and which of the rule sets to apply. The HTML User Manual is no help, and (at the time of review) there aren't any applications notes to help either.

Rounding out the firewall's features is the Restrictions feature. This is basic URL level filtering, but Figure 7 reveals a problem with USR's implementation.

USR8200 - Restrictions
Figure 7: Restrictions
(click on the image for a full-sized view)

Clicking the New Entry link allows you to enter only IP addresses or URLs that can be resolved to IP addresses. You can't enter just words or wildcard forms of URLs, i.e. * Figure 7 shows that two of the websites that I randomly chose resolve differently in their www and root forms. So entering would not block a user who tries to surf to

Other limitations are that the Restrictions apply to all LAN users and you can't set a "trusted user". Options to block proxies, Java applets and Active X controls and Cookies also aren't supported.

Let's move on to the VPN features and performance.

More LAN & WAN

Wi-Fi System Tools
Check out our Wi-Fi System Charts, Ranker and Finder!

Support Us!

If you like what we do and want to thank us, just buy something on Amazon. We'll get a small commission on anything you buy. Thanks!

Over In The Forums

Hi all,I have an RT-AC68P router set up as my main mesh node and an RT-AC68U as the client mesh node. It seems one of these is acting up. I get freque...
There was a thread here by another poster. There were some disagreements and that thread was deleted. I found the script by @Martineau on Pastebin, bu...
Asuswrt-Merlin 384.19 beta is now available (except for the RT-AX56U which won't be available for this release, due to outdated GPL code).Aug 9th: Bet...
I am pleased to announce the release of CakeQOS-Merlin!Current Version: 1.0.2 (Changelog)CakeQOS-Merlin is a custom add-on for supported Asus routers ...
I've been seeing this snap in my log and it happens every few minutes. Can anyone identify what this is?Aug 11 22:28:39 kernel: pgd = ffffffc011f25000...

Don't Miss These

  • 1
  • 2
  • 3