The only "hard" router I've used that can do these network captures is the Netgear FVS338; it's a great feature. I wanted this at home, where I normally run an Apple Airport, so I decided to fork out $95 and get a Linksys WRT54GL so I could flash the firmware with OpenWRT.
Flashing firmware was very smooth. What you get is a very basic web interface for configuration, enough to get up, and the ability to ssh in and do very powerful stuff with iptables.
The things I needed were:
# forward port 999 to 22 on the home Linux box at 172.16.1.100
iptables -t nat -A prerouting_wan -p tcp --dport 999 -j DNAT --to 172.16.1.100:22
iptables -A forwarding_wan -p tcp --dport 22 -d 172.16.1.100 -j ACCEPT
Also, to allow for PPTP passthrough I had to:
ipkg install kmod-ipt-nat-extra
and reboot. See here.
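The port-forward rule pair above, generalized as an added example (not part of the original post): `forward_rules` is a hypothetical helper that validates its arguments and prints the two rules, optionally limited to a source range so the forwarded SSH port is not open to every WAN address. The chain names and `--to` syntax are taken from the post; 203.0.113.0/24 is a constructed sample source range.

```shell
#!/bin/sh
# Added example: print the DNAT + FORWARD rule pair for one inbound port-forward.
# forward_rules is a hypothetical helper; it only prints rules, it never runs iptables.

is_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

is_ipv4() {
    # Four dot-separated decimal octets, each 0-255.
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

is_cidr() {
    case "$1" in
        */*) p=${1#*/}
             case "$p" in ''|*[!0-9]*) return 1 ;; esac
             [ "$p" -le 32 ] && is_ipv4 "${1%/*}" ;;
        *)   is_ipv4 "$1" ;;
    esac
}

# usage: forward_rules WAN_PORT LAN_IP LAN_PORT [SOURCE_CIDR]
forward_rules() {
    wan_port=$1 lan_ip=$2 lan_port=$3 src=${4:-}
    is_port "$wan_port" && is_port "$lan_port" && is_ipv4 "$lan_ip" || {
        echo "forward_rules: bad port or LAN address" >&2; return 1; }
    match=""
    if [ -n "$src" ]; then
        is_cidr "$src" || { echo "forward_rules: bad source range" >&2; return 1; }
        match="-s $src "
    fi
    # nat table: rewrite the destination of packets arriving on the WAN port.
    echo "iptables -t nat -A prerouting_wan ${match}-p tcp --dport $wan_port -j DNAT --to $lan_ip:$lan_port"
    # filter table: forwarding happens after DNAT, so this rule must match
    # the rewritten LAN address and port (22), not the WAN port (999).
    echo "iptables -A forwarding_wan ${match}-p tcp --dport $lan_port -d $lan_ip -j ACCEPT"
}

# Constructed sample: the post's forward, limited to one source range.
forward_rules 999 172.16.1.100 22 203.0.113.0/24
```

Without the fourth argument the output is exactly the two rules from the post.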
The hardware and software seem totally reliable so far. I hope there is more in the web interface in future. For me, what is great is that I can get a command line for pings, traceroutes and tcpdumps (there is 7Mb available in /tmp for saving the captures).
For $95 you get a very powerful router, similar to devices costing an order of magnitude more. Recommended for network geeks.