Yeah, I preferred the command line simply because the sofware is for winderz only.
Well, after reading up a bit in their manual, I can reccomend one really easy way to handle this. Since it appears that you are using a setup similar to this : (beware -- bad artwork)
dsl -> 5861 -> Lan (3 PCs, 1 Server)
I would do this -- in the built in sofware, turn on the firewall and do the usual blocking. Now setup hostmapping for the server. And setup the firewall rules accordingly.
Now, your workstations will by default be able to access the net (if you enable nat). I personally hated dealing with the dhcp server, mainly because I hate dhcp in the first place. So I disabled mine. And my 5861 used 192.168.254.0/24 as the default subnet, with .254 as the 5861 unitself.
I have currently 2 nodes connected -- a mail server and my gateway. The mail server is setup with hostmapping, the gateway isnt yet, although I may add it at a later time. The firewalls on each unit filter appropriately for each duty -- mail server only needs mail, gateway more stuff, but no mail -- yadda adda...
My suggestion is similar. Once you have the natting in place the workstations will be able to do their work. restrictions can be added with a firewall/proxy. For the server -- well the same thing. And since you can setup the server to accept ssh quite easily, the rest is history.
For the ssh session from outside the LAN, say you were given 184.108.40.206/32 as your IP. you can do an (assuming the server is 192.168.254.1):
system addHostMapping 220.127.116.11 18.104.22.168 192.168.254.1
will get thru to the server provided that the source IP isnt firewalled, and you are setup to go thru port 22 (ssh can be remapped to an alternate port)
Does that suit what you need?