Gosh that takes me back a bit, because I remember first getting my SAR and there was a complaint going around at the time that it didnt support upnp properly.. and how upnp was really good and made things much easier.
Although I obviously later updated the firmware because of other things, I never really bothered with upnp and alway did my own port forwarding.
With the 2100 I cnat honestly remember whether I ever enabled it or not - I just left it at the default setting, which I dont know if was on or off. I never seemed to have any problems with either router.
Router hi-jacking seems to be the "in thing" atm - particularly DNS hijackers and theres another possible hijack, that targets routers that still have the default u/n and password. -
link Like you I also set DNS on the local machines rather than using the router.
The best thing is to turn off upnp and make sure that you dont use the default router login settings.
Your other suggestions are also very good too, to ensure that your network is locked down and all bases covered.