Features - Network, Firewall
The more interesting discoveries can be made via the Network Connections page. In Figure 9, I've activated the Advanced view, which exposes the Ethernet, Coax and Wireless Access Point options under Network (Home/Office).
Figure 9: Network Connections
By clicking the Ethernet edit icon, then the Settings button on the screen that appeared, I was able to access a screen that allowed me to assign the Ethernet connection to the Broadband Connection or DMZ networks, set the MTU and even assign each switch port to a VLAN!
When exploring the configuration options for the Broadband Connection, I once again found MTU settings, but also found controls to set the subnet mask, DNS servers and static routes, as well as to enable Multicast - IGMP proxy, disable the Firewall, switch from NAPT (internet sharing) to straight routing mode and assign additional IP addresses to the interface. An inexperienced user (hell, even me) could really mess themselves up with some of these controls. So I'm surprised that there isn't a mode to lock them out.
The Firewall Settings section is pretty extensive, but the most annoying. You start at the simple screen shown in Figure 10, which defaults to the Medium setting. Clicking on any of the other links in the left-hand nav bar (except Logout) takes you first to a warning screen with the message shown in Figure 11.
Figure 10: Firewall settings
Figure 11: Firewall settings
As you can imagine, this gets old really fast. I guess Actiontec figures that users will give up trying to access "advanced" features just to avoid this annoying nag.
Access Controls (port filtering) can be set for each attached device. The list of built-in services is extensive and you can also add your own using single ports or port ranges and TCP, UDP, ICMP, GRE, ESP, AH or a custom-specified protocol. Each rule can be scheduled for selected days, but only at the same time each day.
Port Forwarding controls have similar flexibility with custom service and scheduling options. There are also Port Triggering and DMZ Host functions for more ways to poke holes in the firewall. There is also a Static NAT function that will be useful if you have multiple IP addresses from your ISP, and UPnP can be enabled (it's off by default). A special tip o' the hat goes to Actiontec for its implementation of UPnP. The 424 is one of the few routers I've tested whose GUI reflects ports opened via Windows clients using the UPnP Internet Connection Status Properties settings!
If you really are into advanced firewalling, then you'll like the Advanced Filtering features. You can set packet Drop / Reject / Accept / Accept Packet rules with time schedules. The last two options let you specify whether SPI is applied to the packets in the rule. You can also choose to log rule matches.
Speaking of logs, the controls are also found in this section under the Security Log link. You reach it after once again clicking through the advanced feature nag screen, which you'll also get if you click the Refresh button...sheesh! Log entries are in clear English and you can clear and save logs, but not send them to a syslog server.
Log settings, which are all disabled by default, include incoming and outgoing connections, blocked events (all or individual categories such as blocked fragments, syn flood, etc.) and remote administration attempts. Note, however, that the log appears to be one looonnnggg page, which could really put a crimp in its usefulness. At least new events are added to the top of the page!