The 2900G has a very capable SPI+NAT firewall, but again, the interface may keep you from taking full advantage of it. I found myself frequently consulting the PDF-based User Guide on the CD supplied with the router to translate terminology and figure out how to use some of the less common features.
I have to say that DrayTek’s method of using multiple PDF files linked via an HTML page for its User Guide gets points for novelty, but a thumbs-down for usability. Make sure you check out all the info on the CD, too, since there are useful tools and documentation there that aren’t found in the User Guide.
Port forwarding is handled three ways by the 2900G: Port Redirection, Open ports and DMZ. The most flexible is Port Redirection, which is shown in Figure 5.
Figure 5: Port Redirection
This feature both opens up to ten ports in the 2900G’s firewall so that Internet-based users can access a server on your LAN, but also allows you to run that server on a different port than its publically-known one. Figure 5 shows a sample mapping that will take normal port 21 FTP requests and direct them to a LAN-side FTP server running on port 2700. Note that you can specify TCP or UDP mapping, but not both, and can’t redirect port ranges.
The Open Ports feature handles mapping 10 port ranges to LAN-side clients, but you’re still limited to specifying TCP or UDP as the protocol. Note that neither feature supports triggered port mappings or server loopback. Lastly, the DMZ feature lets you open all ports to one client on the router’s LAN.
UPnP is also supported and disabled by default. You even get separate check boxes to enable Connection Control and Status services.
Now that you know how to let traffic into your LAN, let’s look at the controls you get for outbound data flow. DrayTek uses a rules-based filtering system that will be more comfortable to folks accustomed to configuring enterprise-grade firewalls. You get twelve filter sets, each of which can have up to seven filter rules like the one shown in Figure 6.
Figure 6: Filter Rule
Rules can be applied to outbound or inbound data, which DrayTek terms Call and Data filters respectively. I won’t get into a tutorial on how to program these filters, but suffice it to say that if you have complex filtering needs, the 2900G’s IP filters can probably handle it – if you can figure out how to work them.