Like every other website on the planet, SmallNetBuilder uses cookies. Our cookies track login status, but we only allow admins to log in anyway, so those don't apply to you. Any other cookies you pick up during your visit come from advertisers, which we don't control.
If you continue to use the site, you agree to tolerate our use of cookies. Thank you!

Router Charts

Click for Router Charts

Router Ranker

Click for Router Ranker

NAS Charts

Click for NAS Charts

NAS Ranker

Click for NAS Ranker

More Tools

Click for More Tools

LAN & WAN Reviews


The FVS336G has a multitude of security options to customize its stateful packet inspection (SPI) firewall. By default, a stateful packet inspection firewall blocks all WAN-LAN traffic that hasn't been initiated by a device on the LAN. NETGEAR has 54 pre-built TCP/UDP services, such as HTTP and FTP, to simplify the opening of ports on the firewall. If additional ports need to be defined, the Services menu enables adding the needed definitions.  

Firewall rules can then be created to map traffic with specific destination ports to specific IP addresses. Additionally, up to three different schedules can be defined to apply to any custom firewall rules. This helps to lock down the network during off hours.

Figure 12 shows a successful FTP rule that maps external FTP requests to an internal server on my LAN, with no schedule applied, as per the "Allow Always" setting.

FTP rule setup

Figure 12: Setting an FTP rule

The FVS has a content filtering ability that can be configured to inspect the text in a URL for objectionable language. I was disappointed to find, however, that users clever enough to use an IP address instead of a URL can bypass URL text filtering. Up to 64 keywords can be added to the blocked list. Known acceptable URLs that may contain the objectionable word can be permitted via the trusted domain list.

For example, to block the word "ogle" but permit "," define "ogle" as a blocked keyword and "" as a trusted domain. This configuration will give a screen like Figure 13 below warning if a user goes to, but will allow access to

Keyword URL blocking message

Figure 13: A URL blocked by keyword displaying an error message

Note: the FVS336G's web filtering inspects the URL, not the content of the web page. An offensive web site could pass the content filter if the defined word isn't in the URL.

To block specific end users from accessing the Internet entirely, source MAC filtering can be enabled. Devices with their MACs added to the NETGEAR source MAC table will be able to access LAN devices, but will be blocked from the WAN interface.

Some network applications present challenges for NAT/SPI firewalls, as they are initiated with one destination port, but the server responds on another port. The SPI firewall would then not recognize the response and block the incoming flow. This can be overcome by defining the outgoing port and responding incoming ports using NETGEAR’s Security-Port Triggering menu as displayed in Figure 14.

Port Triggering

Figure 14: Port Triggering menu


A feature missing from the FVS336G is the ability to define a port or specific server to be part of a "demilitarized zone," more commonly known as the DMZ. I brought this up with NETGEAR, who indicated this is an intended feature that got delayed. A future release should add the ability of a software configurable DMZ port.

In the meantime, you can do essentially the same thing by setting port forwarding rules for TCP and UDP ports 1-65534 to the IP address of the machine that you want to place in the "DMZ."

The FVS336G also includes multiple tools for network troubleshooting, including ping, log output for firewall and VPN trouble shooting, DNS lookup and a packet capture feature. I was also impressed that the FVS336G has a debug capability, which I used while working with NETGEAR’s Engineers on the Dynamic DNS issue. Debug capability is the ability to produce an output of the data streams sent between devices, useful in troubleshooting code and device problems.


The FVS336G throughput results in Table 3 are impressive, considering the FVS336G's 300Mhz CPU compared to the FVX538's 533Mhz CPU. IPSec and SSL throughput numbers are displayed with two values, the first representing Remote-Local throughput, and the second representing Local-Remote throughput.

Notice that the FVS336G's SSL VPN performance is more than double that of the Linksys RVL200.

  IPSec Tunnels SSL Tunnels Throughput
IPSec (Mbps) SSL (Mbps) WAN-LAN (Mbps) LAN-WAN (Mbps)
FVS336G 25 10 16.9/15.2 10.8/11.4 59 58
FVX538 200 0 12.3/12.0   80 78
FVS124G 25 0 5.1/3.6   13 12
RVL200 1 5   4.7/3.9 37 39
RV042 30 0* 21.9/32.6   54 80
Table 3: Tunnels and throughput

(*Note: the RV042 supports five PPTP VPN tunnels.)

More LAN & WAN

Wi-Fi System Tools
Check out our Wi-Fi System Charts, Ranker and Finder!

Support Us!

If you like what we do and want to thank us, just buy something on Amazon. We'll get a small commission on anything you buy. Thanks!

Over In The Forums

v2.5.1 Updated 2020-05-10 Run an NTP server for your network. Graphs available for NTP accuracy on the Addons page of the WebUI.Inspired by kvic's p...
Hi there,This thread is about GNUton's Merlin builds for DSL devices.* A few words about how this project started:Some days back I bought a DSL-AC68U....
Hi all, I have been considering upgrading the home network primarily as it pertains to security. With the implementation of many IoT devices which wil...
I updated my ISP from 200 to 400 Mbps. So I tested the throughput, the ISP Modem is putting out 467 Mbps. I am testing using an ethernet cable directl...
Hello everyone, I recently bought an Asus RT-AX58U router for my mom's 2 story house. I'm very happy with the purchase but i'd like to extend the w...

Don't Miss These

  • 1
  • 2
  • 3