I’ve decided against using IPsec on my router. This is mostly because the Openswan packages in the White Russian release of OpenWRT are broken. I found alternate ones which I can get to work, but those packages break many other parts of the system (WAN interface won’t start at boot, dnsmasq doesn’t work right, etc). I looked into OpenVPN, and that might be something I’ll try – if – I can successfully get a machine behind the router to do the decryption of the traffic. The processor in the WRT54G isn’t really beefy enough for what I want to do with it.

As for now I’m happy. I can block NFS traffic from the wireless interface. I settled on using WEP plus MAC address filtering on the wireless interface. Since I broke the default bridge, I have the wireless in a different subnet. That makes it easy to prevent access to NFS from the wireless network. Once I get MythTV working like I want, I will probably come back to OpenVPN so that I could watch shows on a laptop on the deck…

I’ve installed snmpd and set up MRTG so I get pretty graphs of network traffic over each interface. I also use SNMP from the inside network to find the IP address of the WAN interface on the router. An internal machine uses the DDNS feature of BIND to update my DNS for my home network.

Update: I’m using cacti now for my interface graphing needs.