Richard Mac User

Q: Please help with optimum setup

Hello

I know very little about networking.

Currently my setup is -

D-Link ADSL Modem Router with WiFi turned off >

Airport Extreme connected by ethernet to Modem/Router - Create a wireless network - Bridge Mode - Static IP address > (IPv6 set for Link-Local only -- thanks to Bob Timmons, which solved an earlier problem)

Airport Extreme connected by ethernet to Airport Extreme - Create a wireless network - Bridge Mode - Static IP address > (IPv6 set for Link-Local only)

Airport Extreme connected by ethernet to Airport Extreme - Create a wireless network - Bridge Mode - Static IP address (IPv6 set for Link-Local only)

Now the firmware on the Apple units is very recent (May 2016), yet the firmware on the D-Link is over 3 years old. Would it be a more efficient and secure setup if I disabled DHCP on the D-Link and set up DHCP and NAT on the first Airport Extreme? If so, can you check I am correct?

D-Link Router settings - leave IP address and Subnet mask as is.

- Uncheck Enable DHCP Server

On first Airport Extreme - Change from Off (Bridge Mode) to DHCP and NAT

Also, what range of numbers should I use ideally for static addresses?

I would welcome feedback and any good practice I could follow.

Thanks

iMac, OS X El Capitan (10.11)

Posted on Aug 29, 2016 6:30 PM

  • by Bob Timmons,

    Bob Timmons, Aug 29, 2016 6:45 PM in response to Richard Mac User

    "Would it be a more efficient and secure setup if I disabled DHCP on the D-Link and set up DHCP and NAT on the first Airport Extreme?"

    No. The only reason to consider this would be if there were some special feature or service that required that the first AirPort be set up as the DHCP and NAT router for the network.

  • by Richard Mac User,

    Richard Mac User, Aug 29, 2016 6:57 PM in response to Bob Timmons

    Thanks for the very quick response.

    So the fact that everything is connected via an Airport Extreme protects it via the Extreme's firewall?

    The D-Link has DHCP for ranges 33 to 254, so my static devices should be in the range, say, 10 to 30?

    Regards

  • by Bob Timmons,

    Bob Timmons, Aug 29, 2016 7:02 PM in response to Richard Mac User

    "So the fact that everything is connected via an Airport Extreme protects it via the Extreme's firewall?"

    No, the firewall is in the D-Link device. No firewall in the AirPorts.

    "The D-Link has DHCP for ranges 33 to 254, so my static devices should be in the range, say, 10 to 30?"

    Could be if you prefer, but it doesn't really matter since each AirPort always gets the same IP address.

  • by Richard Mac User,

    Richard Mac User, Aug 29, 2016 7:09 PM in response to Bob Timmons

    Hi Bob

    I am a little confused.

    "No, the firewall is in the D-Link device. No firewall in the AirPorts."

    https://www.apple.com/airport-extreme/#safety

  • by Bob Timmons,

    Bob Timmons, Aug 29, 2016 7:22 PM in response to Richard Mac User

    Unfortunately, the document does not mention that the NAT "firewall" is not enabled when the AirPorts are in Bridge Mode.

    Even if the AirPort is set up as a DHCP and NAT router, Apple is really stretching it to say that there is a "firewall" in the AirPort, since NAT is not really a firewall in the traditional sense.

  • by Richard Mac User,

    Richard Mac User, Aug 29, 2016 7:21 PM in response to Bob Timmons

    Thanks Bob for clearing that up for me. It's not clear in Apple's advertising. So if I am relying on the modem/router for the firewall, should I be looking for a unit that gets regular updates? The only choice I have here is -

    D-Link
    TP Link
    Netgear
    Asus

    D-Link don't seem to me to do many updates.

    The Asus, I was reading, were terrible for security but have been forced by the US government to improve and now seem very security minded. Would their higher spec models be the one to go for?

    Or would the higher security of the Extreme be the special feature or service that required that the first AirPort be set up as the DHCP and NAT router for the network?

    Sorry if this seems slightly paranoid, but I have been the victim of identity theft in the past so I try to protect myself as much as possible.

    Thanks

  • by Bob Timmons,

    Bob Timmons, Aug 29, 2016 7:58 PM in response to Richard Mac User

    "D-Link, TP-Link, Netgear, Asus"

    Sorry, I don't use any of the products that you mention, so cannot help on any recommendations in that regard.

  • by Richard Mac User,

    Richard Mac User, Aug 29, 2016 8:07 PM in response to Bob Timmons

    Thanks for your help Bob.

  • by LaPastenague,

    LaPastenague, Aug 30, 2016 2:36 AM in response to Richard Mac User

    Apple put the security into the client.. so Mac or iOS device.. rather than putting a lot of security into the router.

    There are good reasons for this. The security on the router (unless you have enterprise grade equipment) is designed mostly to protect the router itself. So from the point of view of security of the router, the Apple is very good. I have never heard of one being hacked. (Even when there was a hole in it, Apple simply have so little configuration access that it hardly matters.)

    Attempts to hack your computers can come from a number of different methods. A standard NAT router blocks most direct hijack attempts. NAT is NOT a firewall, as Bob has stated, and can be broken, but it does provide a first level of security. Having a separate SPI firewall in a router can also help. However, it will cause issues and require lots of careful looking after to maintain the right level of allowing packets out of the system and legit packets back in without letting in the evil ones.

    So the path for most security issues is infected websites and downloads. A router firewall cannot block these.. you have deliberately selected them. What a router firewall can do is block them calling home. That is the job of the SPI firewall in the better routers.. so if you get a trojan, for instance, in a computer, the SPI firewall will block that dialling out.. !! Of course virus and trojan writers will develop new methods to get around any static firewall block, so it is extremely difficult to stop at the router.

    The place to stop the security breakdown is in the device itself.. so it cannot be hacked, or by using antivirus type software you can prevent a virus loading itself into memory.

    Now some specifics.

    Any low end modem router is built around a virtually identical platform, and firmware is OEM developed by the chipset manufacturer and tweaked by the seller.. The difference between the brands you mention is minimal. They have all had issues with their firmware being hacked.. so it is important to use the latest version.

    IMHO the better method is to use a bridged modem and the AirPort in PPPoE mode.. this is problematic for some users and impossible if the ISP doesn't support PPPoE (or IPoE now). So give it a try. A cheap bridged modem and run PPPoE client on the WAN of the AirPort. If it works for you and is reliable, that will give you the best security unless you are prepared to buy something that takes third party.

    What is more important is at the client end.. OS X and iOS up to date with latest patches.. I would not run anti-virus on a Mac as they are more problematic than they are worth, but be a smart user and don't open downloads you don't know the source of. For PC of course you MUST run anti-virus and some security software as well. This is essential. Have excellent backups and expect over the course of a few years to need your current backup so you can wipe an infected computer and reinstall from a clean backup.. this is not without effort.

    If the Apple router won't work in PPPoE with bridged modem, post back for other methods to improve the security.
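
The distinction drawn in the reply above, between what NAT drops on the way in and what only an outbound rule can stop, can be shown with a toy flow table. This is an added example, not code from the thread or from any router's firmware. The `NatGateway` class, the blocked port and all addresses are constructed assumptions, and real NAT devices vary in how strictly they match the answering peer.

```python
# Toy model of a NAT gateway's flow table (added example; all addresses are
# constructed sample values, not taken from the thread).
from dataclasses import dataclass, field

@dataclass
class NatGateway:
    # Hypothetical outbound policy: destination ports the gateway refuses to open.
    blocked_egress_ports: set = field(default_factory=set)
    # public port -> (lan_ip, lan_port, remote_ip, remote_port)
    flows: dict = field(default_factory=dict)
    next_port: int = 40000

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """A LAN host opens a connection. Returns the public port, or None if dropped."""
        if remote_port in self.blocked_egress_ports:
            return None
        public_port = self.next_port
        self.next_port += 1
        self.flows[public_port] = (lan_ip, lan_port, remote_ip, remote_port)
        return public_port

    def inbound(self, remote_ip, remote_port, public_port):
        """A packet arrives from the Internet. Returns (lan_ip, lan_port) or None."""
        flow = self.flows.get(public_port)
        if flow is None:
            return None                      # no mapping: unsolicited, dropped
        lan_ip, lan_port, peer_ip, peer_port = flow
        if (remote_ip, remote_port) != (peer_ip, peer_port):
            return None                      # only the contacted peer may answer
        return (lan_ip, lan_port)

def demo():
    lan, web, rogue = "192.168.1.20", "192.0.2.80", "198.51.100.9"
    gw = NatGateway()
    out = {"unsolicited": gw.inbound(rogue, 4444, 22)}
    port = gw.outbound(lan, 51000, web, 443)
    out["reply"] = gw.inbound(web, 443, port)
    out["wrong_peer"] = gw.inbound(rogue, 443, port)
    # An infected LAN host connecting out looks like any other outbound flow.
    out["callhome_nat_only"] = gw.outbound(lan, 51001, rogue, 6667) is not None
    filtered = NatGateway(blocked_egress_ports={6667})
    out["callhome_egress_rule"] = filtered.outbound(lan, 51001, rogue, 6667) is not None
    return out

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

With AirPorts in Bridge Mode, as in the original setup, none of this table lives on the AirPort; it lives on whichever device is doing NAT.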

  • by Bob Timmons,

    Bob Timmons, Aug 30, 2016 5:50 AM in response to LaPastenague

    PPPoE on the AirPort might be worth a try, but is not something that I would normally recommend as a solution, since it seems to create more problems than it solves.

    But, you never know. If Richard Mac User has the time to experiment and wants to give that a try for a week or so, he will have a good idea of whether it will work or not on his network.

  • by Richard Mac User,

    Richard Mac User, Aug 30, 2016 6:18 AM in response to LaPastenague

    Thank you LaPastenague for taking the time for such a comprehensive reply.

    I have to admit a lot of it went over my head.

    I do keep all devices up to date, usually updating firmware on the day it is released (though whilst looking at reconfiguring my setup I noticed I had missed a modem firmware update).

    I have searched, and yes I can configure my modem/router in bridged mode, so I will try your suggestion to set that up and the Airport Extreme in PPPoE mode. Is it just the first Extreme that needs to be set as that, or all three units?

    I have some important work to do today, but will give it a go in the next few days.

    And with regard to backups, yes I have backups and they too are backed up, as I have had HDD failure (PC and Mac (backup)), motherboard failure (PC) and encrypting ransom software (PC) over the years. The joys!

  • by Bob Timmons,

    Bob Timmons, Aug 30, 2016 6:35 AM in response to Richard Mac User

    "I have searched, and yes I can configure my modem/router in bridged mode"

    Before you do that, it might be a good idea to check with your Internet Service Provider to make sure that they will support this type of setup.

    When / if you set up the modem/router in bridge mode, you will no longer be able to access the configuration settings on the device, as you have been able to do before.

    Only the first, or "main" AirPort should be set up to provide the PPPoE connection credentials. Opinions vary on whether you should try the "Automatic" connection or "Always On" option in AirPort Utility. One setting may or may not work better than the other as far as connection stability.

    I have never had much luck with the AirPorts supplying PPPoE connections, but your luck may be better than mine. Post back when you can to let us know how things are working.

  • by Richard Mac User,

    Richard Mac User, Aug 30, 2016 7:03 AM in response to Bob Timmons

    Thanks Bob,

    I looked at my provider -

    Conn Type - Dynamic
    Protocol - PPPoE
    Encapsulation mode - LLC/SNAP

    So that should be ok?

    I was concerned about your first comment "When / if you set up the modem/router in bridge mode, you will no longer be able to access the configuration settings on the device, as you have been able to do before." But I realised I can always back up my current settings before I change, and if it doesn't work I could do a hard reset and then reload my current settings. Though not having access to configuration settings will make future (modem) firmware updates etc. more difficult in the future.

    I will of course feed back how it goes.

    Regards

  • by Bob Timmons,

    Bob Timmons, Aug 30, 2016 7:21 AM in response to Richard Mac User

    If you want to update the "modem", you will have to set it back up again as a modem/router, do the update, then reconfigure it again as a bridge.

    Of course, if you set up the modem as a modem/router to do the update, then the PPPoE settings on the AirPort will not be correct. So, probably best to connect your computer directly to the modem/router when updates are performed.

    Honestly, I do not think that you will be happy with PPPoE on the AirPort, but hope that I am wrong.
