The Firewall submenu allows setting up a so-called demilitarized zone (DMZ), i.e. specifying one host in the local network to which all the packets received at the external interfaces will be directed. This host will be isolated from the other hosts of the LAN, so a malicious hacker won’t be able to access LAN resources even if he has managed to compromise a service in the demilitarized zone.
Also in this submenu, you can turn on dynamic packet filtering also referred to as Stateful Packet Inspection – SPI. The point of SPI is this, in a nutshell: the router analyzes packets it receives at its external interface and if a packet is a response to a request previously initiated from the LAN, the packet is passed through the firewall. Otherwise, the packet is discarded. This helps make the LAN more secure and protect it against IP spoofing, SYN attacks, etc.
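The pass/discard decision described above can be modelled with a small flow table. This is an added illustration, not the TEW-611BRP's firmware logic. It assumes constructed addresses, ignores NAT, and does not track TCP flags or sequence numbers as a real SPI engine does.

```python
# Toy model of stateful packet inspection (SPI); all names and addresses are constructed.
from collections import namedtuple

Packet = namedtuple("Packet", "proto src sport dst dport")

class StatefulFilter:
    def __init__(self, idle_timeout=60):
        self.idle_timeout = idle_timeout   # seconds a flow may stay silent
        self.flows = {}                    # flow key -> time last seen

    def outbound(self, p, now):
        """LAN -> WAN: always passed, and the flow is remembered."""
        self.flows[(p.proto, p.src, p.sport, p.dst, p.dport)] = now
        return True

    def inbound(self, p, now):
        """WAN -> LAN: passed only if it mirrors a live outbound flow."""
        # Swap source and destination so the key matches the stored request.
        key = (p.proto, p.dst, p.dport, p.src, p.sport)
        seen = self.flows.get(key)
        if seen is None or now - seen > self.idle_timeout:
            self.flows.pop(key, None)      # drop stale state, if any
            return False
        self.flows[key] = now              # refresh the idle timer
        return True

def demo():
    fw = StatefulFilter(idle_timeout=60)
    lan, web, other = "192.168.1.10", "203.0.113.5", "198.51.100.7"
    fw.outbound(Packet("tcp", lan, 40000, web, 80), now=0)
    return [
        # Genuine reply from the server the LAN host contacted: passed.
        fw.inbound(Packet("tcp", web, 80, lan, 40000), now=1),
        # Unsolicited packet from a host nobody asked: discarded.
        fw.inbound(Packet("tcp", other, 80, lan, 40000), now=2),
        # Right server, but a LAN port that never sent a request: discarded.
        fw.inbound(Packet("tcp", web, 80, lan, 40001), now=3),
        # Late packet after the flow sat idle past the timeout: discarded.
        fw.inbound(Packet("tcp", web, 80, lan, 40000), now=200),
    ]

if __name__ == "__main__":
    print(demo())
```

Only the first inbound packet matches remembered state, which is why unsolicited and spoofed-source traffic fails the check.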
For additional protection against intrusion from the Internet, the TEW-611BRP router offers a simple (which is another way of saying primitive) packet filter which is set up in the Inbound Filter submenu. It allows opening (or closing) the external interface of the router for certain IP addresses or address ranges. As far as I understand, the rules apply to all the ports open on the WAN interface at once. In other words, the administrator cannot close a certain port (for example, SMTP) for a certain host or an IP network which is of course inconvenient. Besides, the filter only supports a maximum of 8 rules.
Besides protection against attacks from the outside, the TEW-611BRP also offers you options to limit the local computers’ access to Internet resources; these options can be found in Access Control, Web Filter, and MAC Address Filter submenus.
From the Access Control menu the administrator can prohibit some or all of the local hosts from accessing certain IP-addresses and/or ports on the Internet (address and port ranges are supported; independent filtering for TCP and UDP is supported, too). In other words, this network filter sticks to an “allow everything which is not prohibited” policy. The usual way is to prohibit everything which is not explicitly allowed, but this is just a matter of habit. This doesn’t affect the functionality of this packet filter.
The Web Filter submenu allows creating a list of websites the users of the local network are allowed to access. This is a rather odd feature and, to my mind, quite a useless one. If you’re limiting users’ access to certain sites, it’s easier and more logical to set up a list of prohibited resources. On the other hand, if the administrator has to do this at all, he’d better solve this problem by using a dedicated transparent proxy rather than on the router level.
The MAC Address Filter submenu is very simple and allows the administrator to specify a list of MAC addresses which are permitted or denied connection to the router’s ports.
In the Traffic Shaping submenu you can divide (prioritize) the external interface bandwidth on the level of the local hosts and/or the protocols they use. The prioritization rules can be applied to all external connections as well as to certain external IP-addresses and ports, or ranges thereof.
In the Routing submenu you can view the routing table and enter static entries into it (this is a kind of web interface for the route utility available in most operating systems).
Many rules you create in the Advanced Settings menu can be scheduled to be in effect only for some period of time or on the occurrence of a certain event. This is specified in the Schedules submenu; a maximum of 20 events can be created.
The remaining items of this menu are self-explanatory and do not require my comments.