A SOHO router is a firewall. A firewall allows you to access the Internet but prevents anyone from the Internet from being able to access your internal resources. This firewall feature generally can’t be disabled.
DMZ
Some SOHO routers allow you to configure an IP address on your internal network or a port on the router to be the demilitarized zone (DMZ). A DMZ is the middle man. Someone on the Internet will be able to access resources in the DMZ but could not access resources on the internal network. DMZ ports can be configured to allow unrestricted access, but best practice is to create port forwarding rules or disallow any access.
NAT
NAT stands for Network Address Translation. NAT is always on in your SOHO router. NAT is also called source NAT or PAT (Port Address Translation). With NAT, all of your internal devices are translated to a single external address on the Internet. So you can have hundreds of devices with their own internal IP addresses but with NAT they will all have the same external address and will appear as one device to the Internet.
Port forwarding
Port forwarding is opposite of NAT. External IP/port numbers are mapped to an internal IP/port. Port forwarding allows an internal device to be available externally. For example, if you set up a web server, gaming server, etc. and what this service to be accessible by the Internet. Port forwarding is also referred to as Destination NAT or Static NAT. The destination address is translated form a public IP to a private IP. Once this rule is set up it doesn’t expire or timeout. For example, a device on the Internet wants to access an internal resource on your network. The Internet device only knows your external IP. A Port forwarding table is able to translate the external IP to the internal IP of the internal resource that the Internet device is trying to connect to.
UPnP
UPnP stands for Universal Plug and Play. UPnP allows network devices to automatically configure the SOHO router and find other devices on the same network. UPnP is also called zero configuration. So for example, when you plug in a device the router you don’t need to manually create port forwarding rules.
With UPnP, the ports are open only when you are using that particular application.When you close a particular application those ports are disabled on the router. For security purposes you may want to disable UPnP so that you can manually configure which ports are enabled.
UPnP is intended primarily for private residential networks and not for corporate enterprise environments. If there are a lot of devices on the network, UPnP can consume a lot of network resources as it tries to discover all of the different devices on the network.
Whitelist/blacklist
SOHO routers may allow you to do content filtering through whitelists and blacklists. Any communication out to the Internet can be filtered by URL. With whitelisting, no traffic is allowed through the firewall unless the specific site is on the whitelist. With blacklist, all traffic is allowed except for anything listed on the blacklist. Whitelisting is more restrictive than blacklisting.
MAC filtering
MAC stands for Media Access Control. Every device that connects to your network has a unique MAC address. Your SOHO router can allow or disallow access based on MAC addresses. This allows a SOHO administrator to control exactly what devices are allowed to communicate through the router. The administrator would have to configure which MAC addresses are allowed. However, MAC addresses can be viewable by capturing packets going through your network. Additionally MAC address can be spoofed so MAC filtering should not be the only method of preventing someone from gaining access to your network. MAC filtering is not considered a security but rather security through obscurity.
