Next, let's look at features that are different from the 336G's, as well as a few of those I didn't cover in my 336G review.
DMZ - One of the features lacking in the 336G was a Demilitarized Zone (DMZ) port. But the 318G has addressed that shortcoming. When enabled as a DMZ, port 8 is on a separate subnet, has a separate DHCP server, and traffic to and from port 8 is treated separately from traffic to and from ports 1-7.
There is a handy indicator light next to port 8 on the front of the 318G that is lit when port 8 is configured as a DMZ. When not enabled as a DMZ, port 8 functions the same as ports 1-7. Rules can be configured in the 318G to allow or block traffic between each of the three zones in the router, which are the WAN, LAN, and DMZ.
A potential use of a DMZ is to provide Internet access to guest devices, but not allow guest devices to access servers and other company resources on the LAN. This requires a firewall rule that allows traffic to and from the DMZ and WAN, but blocks traffic between the DMZ and LAN.
To test this scenario, I enabled the DMZ feature and connected my laptop to port 8. I received an IP address different from the IP address I received on ports 1-7, and couldn't ping or Telnet to my devices on ports 1-7. Further, I couldn't access the Internet. This means that the 318G's DMZ blocks all traffic in and out of the DMZ until a rule permitting the traffic is created.
To allow my laptop to connect to the Internet from the DMZ, I created a rule to allow all services between the DMZ and WAN (Figure 6), which worked as intended.
Figure 6: DMZ WAN rules
To test the DMZ's flexibility, I created a rule in the LAN DMZ menu to see if I could allow traffic between the LAN and DMZ. The rule shown in Figure 7 also worked as intended. Of course, this rule defeats the purpose of having a DMZ port, so isn't recommended!
Figure 7: DMZ LAN rules
Note that rules can be disabled in addition to being deleted. This comes in handy for testing or temporary access control.
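The guest-network policy described above can be checked against a rule table. This is an added example, not NETGEAR's implementation or anything from the router's interface: the `Rule` fields, the first-match evaluation order and the sample rules are assumptions made for illustration, and only the block-by-default behavior and the enable/disable flag come from the tests above.

```python
from dataclasses import dataclass

ZONES = {"WAN", "LAN", "DMZ"}

@dataclass
class Rule:
    src: str              # zone the connection starts in
    dst: str              # zone the connection goes to
    service: str          # service name, or "ANY"
    action: str           # "ALLOW" or "BLOCK"
    enabled: bool = True  # disabled rules stay in the table but are ignored

def decide(rules, src, dst, service):
    """Return the action for a new connection; unmatched traffic is blocked."""
    if src not in ZONES or dst not in ZONES:
        raise ValueError("unknown zone")
    for r in rules:  # assumed: first enabled match wins
        if r.enabled and (r.src, r.dst) == (src, dst) and r.service in ("ANY", service):
            return r.action
    return "BLOCK"

def isolation_gaps(rules):
    """Enabled ALLOW rules that let DMZ and LAN hosts reach each other."""
    return [r for r in rules
            if r.enabled and r.action == "ALLOW" and {r.src, r.dst} == {"DMZ", "LAN"}]

# Constructed table: guests reach the Internet, and the LAN-to-DMZ test rule
# is kept but disabled rather than deleted.
GUEST_RULES = [
    Rule("DMZ", "WAN", "ANY", "ALLOW"),
    Rule("LAN", "DMZ", "ANY", "ALLOW", enabled=False),
]

if __name__ == "__main__":
    print(decide(GUEST_RULES, "DMZ", "WAN", "HTTP"))    # guest Internet access
    print(decide(GUEST_RULES, "DMZ", "LAN", "TELNET"))  # guest to LAN server
    print(isolation_gaps(GUEST_RULES))                  # empty while the test rule is off
```

Re-enabling the second rule makes `isolation_gaps` report it, which is the configuration the DMZ is meant to prevent.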
SIP ALG - As previously noted, the 318G's firewall includes a SIP ALG (Application Level Gateway). A router with a SIP ALG changes the source IP address in the SIP header of a VoIP signaling packet to the router's WAN IP address instead of the SIP device's LAN IP address. This helps VoIP networks deal with private to public Network Address Translations (NATs).
The VoIP company I work for prefers customers disable ALGs, since our network has devices to overcome this problem. However, many other Service Providers and Enterprise VoIP networks find ALGs useful in maintaining VoIP connectivity behind NAT routers.
I enabled and tested NETGEAR's ALG with a VoIP device set to connect to a public SIP server and ran a packet capture on the WAN interface of the 318G. Figure 8 shows the Wireshark output. The top circled IP address is the source IP address, which is my public WAN address, and the bottom circled IP address is the source IP address in the SIP header. As you can see, both addresses match.
Without an ALG, the addresses wouldn't match. The bottom circled IP address would be a private LAN IP address (such as 192.168.1.44). In VoIP networks that can't deal with different source and header IP addresses, call failures can occur.
Figure 8: SIP ALG in action
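The comparison made by eye in the capture (packet source address against the address inside the SIP headers) can be scripted. This is an added example, not part of the original review: the REGISTER messages and the 203.0.113.10 WAN address are constructed, the function names are hypothetical, and treating Via and Contact as the headers of interest is an assumption. Only IPv4 literals are compared.

```python
import ipaddress
import re

# Constructed sample data; 203.0.113.10 stands in for the router's WAN address.
WAN_IP = "203.0.113.10"
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

REGISTER_NO_ALG = (
    "REGISTER sip:sip.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.44:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:1001@sip.example.net>;tag=49583\r\n"
    "To: <sip:1001@sip.example.net>\r\n"
    "Call-ID: 843817637684230@constructed\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sip:1001@192.168.1.44:5060>\r\n"
    "Content-Length: 0\r\n\r\n"
)
# What the same message would look like after an ALG rewrote the addresses.
REGISTER_WITH_ALG = REGISTER_NO_ALG.replace("192.168.1.44", WAN_IP)

# Host part of the first Via sent-by and of the first Contact URI.
_VIA = re.compile(r"^(?:Via|v)\s*:\s*SIP/2\.0/\w+\s+([^;:\s,]+)", re.I | re.M)
_CONTACT = re.compile(r"^(?:Contact|m)\s*:.*?sips?:(?:[^@>\s]*@)?([^;:>\s]+)",
                      re.I | re.M)

def header_hosts(sip_text):
    """Return {header name: host} for the Via and Contact headers present."""
    hosts = {}
    for name, pattern in (("Via", _VIA), ("Contact", _CONTACT)):
        match = pattern.search(sip_text)
        if match:
            hosts[name] = match.group(1)
    return hosts

def check_nat_consistency(packet_src_ip, sip_text):
    """List (header, host, kind) for header addresses that differ from the IP source."""
    findings = []
    for name, host in header_hosts(sip_text).items():
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue  # a hostname, so there is no address to compare
        if str(addr) != packet_src_ip:
            kind = "rfc1918" if any(addr in net for net in RFC1918) else "other"
            findings.append((name, host, kind))
    return findings

if __name__ == "__main__":
    print(check_nat_consistency(WAN_IP, REGISTER_NO_ALG))
    print(check_nat_consistency(WAN_IP, REGISTER_WITH_ALG))
```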
UPnP - The 318G supports UPnP enable/disable and can display devices that have discovered the device through UPnP. With the UPnP feature enabled on the 318G, the router was detected and displayed as a “Linux Internet Gateway Device” in my Vista laptop's View Computers and Devices display shown below. Double-clicking on the icon in my laptop brought me directly to the 318G's web configuration page, which I found to be a handy way to locate and manage the router.
Figure 9: Admin access via UPnP
Bandwidth Profiles - The 318G can control how much bandwidth is used by specific types of traffic. For example, a Bandwidth Profile could be configured to limit FTP downloads to only 100 Kbps.
I tested this by running a speed test on my DSL service through speedtest.net, which showed 9.37 Mbps download and 630 Kbps upload throughput. I then built the Bandwidth Profile shown in Figure 10, applied it via the 318G's firewall and re-ran the speed test to see if the router actually throttled my bandwidth usage. I then built a LAN WAN firewall rule to allow all traffic and applied the Bandwidth Profile to the new rule.
Figure 10: Bandwidth control
The Bandwidth Profile rule in Figure 10 should limit download bandwidth (Inbound traffic) to 100-150 Kbps. The Speedtest.net result in Figure 11 shows a download bandwidth of only .14 Mbps, or about 140 Kbps, after the Bandwidth Profile was applied, which is within the configured range of 100-150 Kbps.
Figure 11: Bandwidth control test
I also disabled the firewall rule and re-ran the speed test, confirming that bandwidth returned to normal.
Session Limits are another tool for bandwidth management. They cap the number of sessions each individual user can run simultaneously. In other words, using session limits could stop someone from surfing multiple web sites, downloading files, and streaming video simultaneously.
In all, I am impressed by the 318G's security / firewall features.