Many of the features of the WZR-HP are standard features found on all routers, so I’ll comment briefly on unique features for each of the tabbed sections:
Setup – This tab provides easy access to a number of built-in wizards that can help assist you with configuration. It also gives you a quick summary of your Internet connection as well as your wireless configuration.
Internet/LAN – This tab is a bit confusing, as there is also another tab named LAN Config. However, options on this tab allow you to configure your Internet connection, set up Dynamic DNS (DynDNS or TZO), change your LAN and DHCP settings, enable/disable NAT, and create static routes. The WZR-HP supports DHCP reservation, and you can change the DHCP lease period.
One unique feature, also found in other legacy Buffalo routers, is a built in VPN server. Using PPTP, the VPN server provides layer 2 access for up to 5 remote clients. While PPTP is generally considered insecure and has been superseded by L2TP/IPSEC, it still is found in use because it’s easy to configure.
All versions of Windows dating back to Windows 95 have a built-in PPTP client, as does Mac OS X. For a home environment, it’s an easy and free way to set up a VPN. Note that the PPTP user list is a separate list from the user list for the NAS function. Figure 8 shows the sub-tabs for the Internet/LAN tab as well as the PPTP configuration page.
Figure 8: PPTP VPN configuration
Wireless Config – This tab allows you to configure virtually all wireless settings. You can enable/disable the radio, change the operating channel or let the AirStation pick the best channel for you and disable SSID broadcast. While all of these features are fairly standard, the WZR-HP has a unique “Multi-Security” feature that’s worth talking about (Figure 9). When enabled, you can configure up to three wireless security profiles, each with a separate SSID and wireless security setting.
Figure 9: Wireless Multi-security setup
But you don't have free reign for how you set wireless security for the three WLANs. For SSID1, you have a choice of WPA or WPA/WPA2, SSID2 supports WPA2/AES only and for SSID3, WEP is the only choice. This allows you to have the security of WPA/WPA2, but also provides backwards compatibility with legacy wireless devices that only support WEP. All three profiles connect to the single wired LAN and single DHCP server. Note that only the PSK forms of WPA are supported. If you need the Enterprise (RADIUS) version, you'll have to take a pass on the WZR-HP.
Checking the Separate Feature box in an SSID will block traffic between wireless clients only. The blocking works both for clients associated with the same SSID and also between SSIDs. Each WLAN, however, has free access to wired LAN clients. This means that if the weakest wireless security link, WEP, is compromised, all wired clients could be compromised.
While I like the multiple security feature, I think I prefer the “Guest” feature found in many D- Link routers. The Guest WLAN feature allows you to provide wireless access on a separate VLAN that has access only to the Internet.
Security – There not too much to say about this tab. The major feature found here is the ability to set up IP filtering rules. Up to 32 rules are supported.
Lan Config – In this tab (Figure 10) you set up port forwarding to forward traffic from the Internet to a specific LAN IP address. Ports for common services are pre-populated as shown.
Figure 10: Port Forwarding
The QoS sub-tab lets you set low, medium or high priority for various types of traffic (port based) being sent to the Internet only. There is no downlink QoS, nor is there an automatic QoS feature like that found on most D-Link routers.
Other functions on this tab include setting up the IP address for the DMZ, enabling / disabling UPnP, and configuring the Movie Engine options. Note: you must enable the Movie Engine using the switch on the front panel – you can’t enable it through the web UI.