No, it's not that difficult to configure.
Huawei's CLI combines elements of HP and Cisco features. If you're unfamiliar with configuring enterprise routers, it's best to wait until you solidify your knowledge. This is mainly a router configuration tool, lacking firewall capabilities—so you'll need to set up basic ACLs. Additionally, handling NAT, DHCP, and wireless bridging adds complexity. It's far from a plug-and-play solution.
It appears the device likely lacks a basic SPI firewall, though many Cisco routers include one. Huawei may offer similar functionality. How does it manage NAT without an SPI firewall? I’m used to seeing routers combine NAT and SPI into a single packet processing system, like Linux iptables. If the router can perform NAT for a large private IP block to one public IP, it provides comparable protection against incoming threats.
Stateful firewall is correct, but NAT isn't a real firewall. ISRs use IOS firewalls by design. ASRs employ zone-based firewalls which act like ACLs and policies. NAT and firewall capabilities are separate but often overlap in behavior. The concept of a firewall is unclear—where the boundary lies is hard to define. It's a debated subject. Existing sessions must be present, and attackers need to spoof them to bypass NAT. Most agree that vulnerabilities can't fully stop this. However, router policies and ACLs still play a role in reducing risks. I’d love to learn more about firewalls for better answers, but I’ll wait until I finish my CCNP and dive into CCNA security.
But what you mentioned essentially, and I'm not aiming to force a specific choice, is whether this router, when set up with the firewall it supports, matches the security level of a typical home router or something similar to pfSense if no extra software is installed. To my understanding, a dedicated firewall device handles SPI and other filtering—especially subscription-based threat blocking—either transparently or as part of the routing process. In contrast, a router with just SPI (like iptables) only applies SPI to traffic that has been NAT'd and to internal traffic. You also have UTM solutions adding extra layers like real-time malware scanning and email inspection, while Next Gen Firewalls perform deep packet inspection at Layer 7. These options are sometimes combined into one product.
Looking at the manual, this appears to be more of an ISR with fundamental firewall capabilities. It offers basic firewall functions similar to those in consumer routers, such as inspecting incoming packets, preventing port scanning, implementing blacklisting, and managing trusted zones. Essentially, it relies on simplified ACLs. While firewalls do more than just stateless or stateful checks, the distinction between what qualifies as a firewall versus something else can be unclear technically.
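The NAT-versus-SPI question raised in the thread above can be made concrete with a small model. This is an added example, not code from any poster or from Huawei or Cisco. It is a simplified sketch, not a vendor packet path: all addresses are constructed documentation ranges, and NAT-only mode is assumed to use endpoint-independent (full-cone) mapping.

```python
from dataclasses import dataclass, field
PUBLIC_IP = "203.0.113.1"   # constructed: router WAN address
LAN_PREFIX = "192.168.1."   # constructed: private LAN behind the router

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class Router:
    stateful: bool                             # False = NAT only, True = NAT plus SPI filter
    nat: dict = field(default_factory=dict)    # public port -> (LAN ip, LAN port)
    flows: set = field(default_factory=set)    # (public port, remote ip, remote port)

    def outbound(self, p: Packet) -> Packet:
        """A LAN host opens a session: allocate a public port and record state."""
        pub_port = 40000 + len(self.nat)
        self.nat[pub_port] = (p.src, p.sport)
        self.flows.add((pub_port, p.dst, p.dport))
        return Packet(PUBLIC_IP, pub_port, p.dst, p.dport)

    def inbound(self, p: Packet) -> str:
        """Fate of a packet arriving on the WAN interface."""
        if p.dst == PUBLIC_IP:
            if p.dport not in self.nat:
                return "local"   # no mapping: stops at the router, never reaches the LAN
            if self.stateful and (p.dport, p.src, p.sport) not in self.flows:
                return "drop"    # SPI: sender is not the remote end of the session
            return "forward to %s:%d" % self.nat[p.dport]
        if p.dst.startswith(LAN_PREFIX):
            # Routed, not translated: NAT has no say here, only a filter can refuse it.
            return "drop" if self.stateful else "forward to %s:%d" % (p.dst, p.dport)
        return "drop"

def compare() -> dict:
    results = {}
    for name, stateful in (("nat_only", False), ("nat_spi", True)):
        r = Router(stateful)
        out = r.outbound(Packet("192.168.1.10", 51000, "198.51.100.7", 443))
        results[name] = {
            "reply": r.inbound(Packet("198.51.100.7", 443, PUBLIC_IP, out.sport)),
            "other_remote": r.inbound(Packet("198.51.100.99", 443, PUBLIC_IP, out.sport)),
            "unsolicited": r.inbound(Packet("198.51.100.99", 1234, PUBLIC_IP, 22)),
            "routed_private": r.inbound(Packet("203.0.113.2", 1234, "192.168.1.10", 445)),
        }
    return results
```

The two modes agree on the legitimate reply and on unsolicited traffic to an unmapped port; they differ on traffic from a different remote host to a mapped port and on packets routed straight to a private address, which is where an ACL or stateful policy is needed.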