Tips for Securing Your Home Router
Seemingly minor and easily overlooked settings can still have profound security implications. Here are some steps you can take to make sure your wired or wireless home router — and by extension, your network — is as secure as possible.
Most Popular Reviews
Microsoft Windows Home Server
If you have a home network, you'll welcome the easy file sharing, remote access and the image-based backup features of Windows Home Server.
MikroTik's The Dude
This free tool delivers many of the same capabilities that you'd find in pricey network monitoring tools. As long as you don't mind tinkering, The Dude is a decent network utility that should be worth the download.
ZyXEL Prestige 310 Broadband Sharing Gateway
Author: Tim Higgins Review Date: 12/10/2000
Model: Prestige 310
Originally reviewed on 11/15/99
- Reliable PPPoE connections
still harder than it should be
- No port range mapping
12/5/99Review has been updated, reflecting comments from helpful visitor
LAN 10 and 100 Link/Activity
One RJ45 10BaseT WAN
One RJ45 10/100BaseT LAN
DB9F Serial console
CDRom with installation software
printed Read Me First
printed User Guide
one normal UTP cable
one crossover UTP cable
one DB9M to DB9F/DB25F serial console cable
120V Power supply
NO Hardware Reset switch
NO Uplink or Normal / Crossover switch
for LAN Ports (see this
page if this concerns you!)
When we first looked at the P310 about a year ago, we found that it had
a difficult user interface and that it was surprisingly slower than competing
routers. Many users wrote to dispute our speed findings, but we
were unable to retest the box, since we had returned it to ZyXEL.
ZyXEL recently asked us for a retest and sent us a current box for evaluation.
We reran our speed tests and poked at the improvements that have been
made in the admin interface. The following review is mostly the
same as the original, but has been updated in the relevant areas.
up is (still) hard to do...
Update: ZyXEL continues to evolve the administration interface
of the P310, and it now consists of a Telnet interface, a Windows application
(the Prestige Network Commander (PNC)), and a web interface. The
new eval unit suprisingly came with V2.51 firmware installed, instead
of a newer 3.2x version, so we had to download the new firmware from
The good news is that the PNC definitely makes setting up the P310
easier. The bad news is that PNC version 2.30 doesn't seem to
like the 3.23 firmware, since the PNC threw an error every time we tried
to run it after the upgrade. We also had trouble logging into
the web interface, too, but finally managed to get in via IE5.0 instead
of Netscape 4.75.
Verdict: the Telnet interface is still the most reliable and full-featured
way to set up the router.
ZyXEL wisely ships the P310 with a WAN Telnet filter enabled and
an administration password. This ensures that, if nothing else,
novice users won't be able to connect the unit to their cable modem and
then have the P310 cracked into before they even know what's happening.
They also supply a handy utility for Windows
users that allows you to set the most common parameters required for internet
access (Static or dynamic WAN IP (DHCP), subnet mask, gateway, and any
ISP specific authentication, if required). However, more advanced configuration
issues must be performed with your favorite Telnet program from the LAN
side (default IP of the P310 is 192.168.1.1). If you are not a Windows
user, you must do all configuration by telnet. This will be no big deal
for Linux and Unix users, but it may be the first time a MacOS user has
had to deal with a terminal emulator and Telnet.
If your cable company uses DHCP and does not
require a special authentication program or MAC address, the P310 will
work with zero configuration, acting as DHCP client on the WAN and DHCP
server on the LAN.
However, if the default LAN IP of 192.168.1.1 is
not compatible with your local numbering scheme, you must perform
all initial configuration via the serial connection and a VT100 capable
terminal program. This provides access to the same interface like Telnet
above, but does not require a functional TCP/IP connection. The included
serial cable and adapter is compatible with most PCs but Macintosh users
must supply their own serial cable.
Given this setup method, ZyXEL tries to make things as easy as possible
for users to set up the unit. The documentation is clear and they
even include normal, and "crossover" UTP cables, as well as
a serial cable. However, since virtually all comparable routers
have simpler to use and understand web-based setup, this older style interface
may cause networking novices (particularly MacOS users) to look for other,
You can manually set the P310's WAN port information or have it act as
a DHCP client and obtain everything automatically. The P310 can
handle "host name" authentication (like @Home uses) , the RoadRunner
TAS Authentication methods, and allow you to set the MAC address on the
WAN port. This last method will help MediaOne/RR users whose service
is tied to a specific NIC.
On the LAN side, you can set the starting IP and range of addresses that
the DHCP server will hand out, or disable it and assign your IP info manually.
The P310 manual can be found here
(in PDF format). Good printed documentation comes with the unit,
including a helpful Read Me First sheet, a summary of required settings
for common applications, and a sheet for xDSL users. The ZyXEL Web site
is also very helpful and includes FAQ for both the router
OS (ZyNOS) and the router
itself, as well as a download area for firmware updates.
You can even sign
up for a Prestige Users mailing list.
The P310 has a number of features that network-savvy users will appreciate.
It supports the RIP-1, RIP-2M, and RIP-2B routing protocols and you can
set the unit to send only, receive only or do both with its routing information.
You can set up to 8 static routes in the P310 itself. These features
make it easy to incorporate the P310 into larger networks with multiple
You can open holes in the P310's firewall (called SUA servers) so that
servers on your LAN can be accessed from the Internet, but you are limited
to 10 single-port-number-to-LAN IP mappings (increased from 8)
and you can't specify TCP or UDP protocol. Port range mappings are
still also not supported.
actually get a total of 12 SUA servers, but one is dedicated to the
Default Server, and another to the RoadRunner login protocol.
One IP address can be designated as the Default Server. (This
is similar to the DMZ Host, or Exposed Computerfeature
on other routers.) Any inbound service request that doesn't have
a defined IP address to handle it will be sent to the Default Server.
Opening holes in your firewall can compromise your LAN's security if
Filtering is very flexible, but the hardest to use feature of the P310.
Filters allow you to block data from entering or leaving your LAN.
ZyXEL has provided powerful filtering capability, but, unfortunately,
you need to configure it at a level that requires more understanding of
networking protocols than most users will have. The
P310 comes by default with filters enabled that block telnet from the
WAN side and limit NetBIOS traffic to the LAN.
Network Administrators will find a complete set of "Maintenance"
features, all accessible via Telnet. System status can be monitored,
the unit can be reset, and error logs can be examined, among other features.
If you have a system that supports the UNIX syslog feature, the
P310 will even log activity to it. Finally, for the very adventurous,
you can enter the P310's OS mode and do packet traces and other fun stuff!
The P310 handles PPPoE pretty reliably (more so than the more
popular Linksys Etherfast router series). VPN capabilities
include PPTP client passthru, LAN-side PPTP server (requires
one mapped port.. see the Help
page) passthru, and one IPsec client passthru. Logging
requires use of a syslog client.
Linux and Unix users can use the clients that come with their OS. See
this page for how to use syslog
with a Windows or MacOS system.
Even with all the things you can do with the P310, there are
still a few things you can't, such as:
We also ran tests with the 2.51 firmware and saw slight improvement in
WAN-LAN routing speed (v2.51 was about 4.7Mbps) and much better UDP streaming
performance (v2.51 had a 209Kbps throughput with 39% packet loss).
We opened up the new unit and confirmed that ZyXEL hadn't changed processors
or clock speed. These new numbers are much better news, but probably
nothing that existing 310 (or NETGEAR RT311) users don't already know.
I still have mixed feelings about the P310, but they now are
mainly due to the user interface and lack of port range mapping.
Even after a year's worth of work, the Telnet interface still remains
the best way to set up the box. The Windows-only PNC utility is
helpful, especially for filter configuration, but it's Windows-only and
seems to not work properly with the new 3.23 firmware. Finally,
the web interface is still the worst of the three and may never be developed
to the point where it's equal to what is offered on most other popular
My bottom line is that the P310 is an aggressively priced, fast, full
featured router that is still hampered by an unfriendly user interface. Its
sister router, the NETGEAR RT311, has sold more units, mainly due to NETGEAR's
aggressive pricing and better retail distribution. But, now that
ZyXEL is also competing in the pricing wars, is widely available through
on-line retailers, and introduces new firmware first, the P310 is definitely
worth a look if you're considering the RT311.