Firewall, Port Mapping, & Filters
The VP41's firewalling comes from its NAT router, but you can enable an optional SPI (Stateful Packet Inspection) mode. The User Manual's explanation of this feature is pretty terse and I found quite a bit of confusion about what it does in my quick scan of the newsgroups.
The port forwarding features include both static port ranges (with protocol selection), dynamic (triggered) ports, and a DMZ feature that allows you to virtually place one computer on the WAN side of the firewall.
I usually like to check to see if the port filtering feature (sometimes called Access Control) of a router gives some indication to the user who is being blocked. While checking for this, I discovered that the Linksys' Filter features didn't work as I'd assumed they did. First, a user who is being blocked doesn't get any indication that they're being blocked, other than the fact that their application just hangs or doesn't work. Then I discovered that the outbound Log doesn't log anything for a blocked IP address or Port range. Third, there's no interaction between the Filtered Private IP Range and Filtered Private Port Range settings. This means you can filter Internet access to specific services and applications for all LAN users by ports, or you can filter access to all Internet services for specific users by IP address, but you can't filter specific services for different groups of users. You can, though, block access to all services for up to fifty MAC addresses. Finally, the filters can't be left defined and enabled and disabled. To disable a filter, you have to clear its settings.
There are a few other settings on the Filters page worth noting. You can set the router to not respond to ping requests (Block WAN Request), enable Multicast Pass Through and set the MTU (Maximum Transmission Unit) size (helpful for getting some DSL/PPPoE connections to work).
Like its siblings, the VP41 has a mixed bag of remote administration, i.e. from the WAN, features. You can enable access to the router's admin interface (Remote Management) and separately allow upgrading (Remote Upgrade) from the WAN side.
Tip: When you have Remote Management enabled, the admin interface switches to port 8080, so that it doesn't interfere with forwarded web servers. So if the WAN IP of the router is 2126.96.36.199, you'd enter http://2188.8.131.52:8080 into your Web browser from any WAN (Internet) side computer to access the admin screens.
On the minus side, you can't limit Remote access to specific IP addresses or ranges and surprisingly, you can't access the admin interface of the router at the other end of an IPsec tunnel (or at least if you can, I couldn't figure out how!). You also can't soft reboot the router remotely (although you can force a reset to factory defaults). You can also have multiple users logged into the admin interface at the same time without getting a message telling you that you're not alone. Finally, you can't change the admin interface time-out (looks like it's set to 5 minutes of inactivity), and you can't log-out of the router.
Now that we're done with the firewall, let's go see where the action really is for this puppy... its VPN features!