funsec mailing list archives

Re: Router speeds...


From: "Dr. Neal Krawetz" <hf () hackerfactor com>
Date: Sat, 26 Nov 2005 09:57:33 -0700 (MST)

On Fri Nov 25 15:14:33 2005, Rob, grandpa of Ryan, Trevor, Devon & Hannah wrote:

Can I piggyback on that?

Sure!


Now that I've got high-speed Internet (yes, I know, I'm a dinosaur), I'm in the
market for a decent, cheap, firewall router.  NAT, possibly, since I want to use
it to farm out the connection to a few machines behind it if that isn't too
hard.  Nothing terribly fancy, but tuneable so that I can start getting a bit of
a handle on firewall ACLs, but nothing that I need to spend enormous amounts of
time on.  Preferably something common enough that I can get it at London Drugs,
but I'd go for an oddball if there was sufficient reason.  

Suggestions?


So far, I have played with Netgear, Linksys, SMC, D-Link, Belkin, and Cisco.
(the "Cisco" brand as opposed to the Cisco owned Linksys brand.)
NOTE: All of these support:
  - NAT
  - Discard ping from WAN
  - Logging (and emailing logs!)
  - Virtual servers
  - Disable UPnP (I hate this protocol)
  - One pseudo-DMZ host
  - Port triggers (usually for games or FTP -- traffic on one port
    opens a second port.  I use it for knock-knock protocols.)

My impression:
  - SMC: Very fast and reliable (until the unexpected and untimely
    death at the age of 5).  But, I still recommend these to people.
    SMC makes for a good home/SOHO NAT system.
    + Fast.  Their wired routers can get over 6Mb throughput.
      Newer ones can get nearly 10Mb.
      I don't know about wireless speeds.
    + Reliable -- handles outgoing nmap and scanrand without a problem.
      Handles external DoS/scans without a problem.
      (I went under a 72 hour DoS once -- never portscan organized
      crime -- and the little firewall had no problem.)
    + Virtual servers can be on different ports!
      E.g., WAN port 9992 translates to LAN host:22.  Very cool feature.
    + Allows assigning static DHCP addresses to specific MAC addresses.
    - Limited port triggers.
    + Easy web GUI.  (The best of the bunch.)
    - Not sold in stores.  (When you absolutely need one *now*, you
      need to wait a week for the package to be delivered.)

  - Netgear: Poor quality, poor performance.  I cannot recommend these.
    - Slow.  I only tried their wireless routers, but I could never
      get more than 2Mb -- even when only using the wired ports.
    - Unreliable.  Outbound nmap and scanrand slow the router.
      Do not try more than one nmap at a time, or it crashes!!!
      After a few nmap scans, be sure to reboot the router.
    + Allows assigning static DHCP addresses to specific MAC addresses.
    + GUI is nice, but doesn't make up for speed/reliability.

  - Linksys: ok, but buggy
    - A "reset to factory default" does not clear the IP/gateway settings
      for the wireless connection.  (Wired/dhcp becomes 192.168.1.1,
      but the wireless/dhcp remained at 192.168.100.1 (I had moved it there
      before the factory reset).  This caused over 2 hours of debugging.)
    + Wired routers are fast.
    - Wireless routers are slow, even if the wireless network is disabled.
      Expect 2-3 Mb max.
    - Poor web GUI.  Non-intuitive layout, cannot 
    - Does not allow assigning static DHCP addresses to specific MACs.
      (If it does allow this, I haven't found it yet.)
    - Way too many stickers.  "Do not plug in cables until you read
      the CD-ROM".  WTF!
    + The box is open source, and there are some cool open source
      projects that turn this $40 router into a $1000 gateway/firewall.
      (This is a huge plus.  But I haven't played with this yet.)
    + Supports disabling admin from the WiFi.  (A feature missing
      from Netgear.)
    - Inconsistent.  Different routers are better than others.
      The WRT56G is supposed to be one of the better ones.
      The WRT56GX is supposed to suck.  Avoid it like the plague.

  - D-Link: Surprisingly good.
    5 years ago, I wouldn't recommend D-Link to anyone.
    They've become much better.  (Opinion based on the DI-604.)
    + Fast.  My wired router benchmarks at 8Mb.
      (I suspect it could go faster, but my cable modem is only
      doing 10Mb on its network connector.)
    + Reliable.  So far, nmap and scanrand do not crash it.
    + Great logging!  It doesn't just reject, but tells which rule
      caused the rejection!
    + Supports firewall rules, not just virtual server.
      The rules can be LAN-WAN, WAN-LAN, or LAN-LAN!
      - Rules are a little buggy.  I think the GUI doesn't display them
        correctly.  I've needed to delete/re-add rules a few times in
        order to make changes.
    + Supports VPN tunnels
      - Configuring is not for the noobie.  GUI sucks.
    + Built-in support for Zone Alarm (if you're into that sort of thing).
    - GUI sucks.   (Did I say that already?)
      Every change requires a separate "apply".
      Every apply brings up a confirmation page rather than just doing it.
      Non-intuitive layout.  (Have they ever heard of a "usability study"?)
    - Help sucks.  Many of the GUI items are not mentioned in the
      "Help button" menus, or not described well.

  - Cisco: Good product, bad support.
    (PIX and other true gateways.)
    + A true gateway, not just a NAT with special additions.
    + "Name brand"
    - Expensive (How many D-Links can I buy for the same price as a PIX?)
    + Fast, reliable
    - Non-intuitive configuration.  Unless you know networking and
      cisco rulesets, this is a reason to avoid them.
    - Unless you pay for the $10,000/yr support, don't expect anyone
      to help you with any problems.

Since I don't know you, I cannot make a recommendation for you.
But I can suggest that you look at D-Link or SMC.
I'm very fond of the SMC Barricade series, and so far, the D-Link DI-604
seems very good.  (Give me a week and I'll let you know if my opinion
changes for the D-Link.)

As for wireless...  I suggest you buy three routers: two wired and
one wireless.  (In the US, the cost is less than $70 at Circuit Shitty
and Office Max.  Office Max has the DI-604 for $10 after rebate.)
  Internet -> wired #1 -> wired #2 -> LAN
  Internet -> wired #1 -> wireless -> WiFi network
Basically, this gives you a DMZ.
Wired connections keep their high throughput, without being slowed by
the wireless router.
Any wireless compromises do not get into the LAN.

Ideally, you want different brands for wired #1 and #2.
This way, a compromise to one does not get through the other.

I'm right now seeing if the D-Link's "LAN-LAN" ruleset can keep the
wireless out of the LAN without needing "wired #2".  This is looking
very good.  (I lose the DMZ, but keep the security from the WiFi.  I
want to move the wireless router out of the cage next week, so it reaches
the whole house.)

If your max throughput is 3Mb or less (dialup, DSL, etc.) then you
can get away with:
  Internet -> wireless -> wired -> LAN
You won't notice the slowness from the wireless router.

                                        -Neal
--
Neal Krawetz, Ph.D.
Hacker Factor Solutions
http://www.hackerfactor.com/

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
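The zone policy the post settles on (WiFi kept out of the LAN by LAN-LAN style rules, pings from the WAN discarded, one virtual server translating WAN port 9992 to a LAN host's port 22), modelled as an added Python example that is not from the post or from any vendor's firmware; the addresses, zone names, flow-state handling and the policy table are assumptions.

```python
"""Zone-based packet policy for one gateway with a WAN, a wired LAN and a WiFi
segment, where WiFi must never reach the LAN.  Constructed example; addresses,
zone names and the rule table are assumptions, not any router's real config."""
from ipaddress import ip_address, ip_network

# Assumed addressing: wired LAN on 192.168.1.0/24, WiFi on 192.168.100.0/24.
ZONES = {"LAN": ip_network("192.168.1.0/24"),
         "WIFI": ip_network("192.168.100.0/24")}
# Virtual server from the post: WAN port 9992 is translated to a LAN host, port 22.
VIRTUAL_SERVERS = {("tcp", 9992): ("192.168.1.20", 22)}
# Zone-to-zone rules (LAN-WAN, WAN-LAN, LAN-LAN).  Anything not listed is denied,
# so WIFI -> LAN is dropped without needing an explicit rule.
POLICY = {("LAN", "WAN"): "accept", ("WIFI", "WAN"): "accept",
          ("LAN", "WIFI"): "accept"}

def zone_of(addr):
    """Map an address to its zone; anything outside the private nets is WAN."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "WAN"

class Gateway:
    def __init__(self):
        self.flows = set()  # accepted 5-tuples, so replies pass statefully

    def filter(self, proto, src, sport, dst, dport):
        """Return (verdict, (dst, dport)); dst/dport may be rewritten by DNAT."""
        # Reply to a flow already accepted in the other direction.
        if (proto, dst, dport, src, sport) in self.flows:
            return "accept", (dst, dport)
        sz, dz = zone_of(src), zone_of(dst)
        if sz == "WAN":
            if proto == "icmp-echo":
                return "drop", (dst, dport)      # "Discard ping from WAN"
            target = VIRTUAL_SERVERS.get((proto, dport))
            if target is None:
                return "drop", (dst, dport)      # unsolicited WAN traffic dies
            self.flows.add((proto, src, sport, target[0], target[1]))
            return "accept", target              # DNAT: WAN 9992 -> host:22
        if POLICY.get((sz, dz)) == "accept":
            self.flows.add((proto, src, sport, dst, dport))
            return "accept", (dst, dport)
        return "drop", (dst, dport)              # covers WIFI -> LAN
```

The state table is what lets the LAN host's SSH replies and the LAN browser's HTTPS replies back through without opening WAN-to-LAN generally.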