In a perfect world, firewalls and routers would be simple to implement, but in reality they tend to be quite complex; throw in VPN and the brew becomes horrible. We have been looking for a simple and somewhat cheaper solution to the enigmatic firewall/router/VPN problem and think we have hit on one promising candidate, the Netgear FVS318.
The Linksys BFR firewall/routers have been the staple of the home office crowd for most of the last 3 years; they offered adequate protection for bargain prices. They are not a Cisco-level solution, but they don't require a Ph.D. to set up either. The Linksys is getting long in the tooth, however. There are other, newer Linksys products that offer a better firewall (particularly a stateful firewall), but the new wrinkle was to get VPN in the tool, too. The newest Linksys products in the SOHO range offer the ability to be the receiving end of a VPN tunnel, but not the initiating end.
The Netgear firewall/routers, till now, have been a little behind the curve. They have had the features, but the price was too high, or they skipped the features to cut the price. The FVS318 seems to have end-run many of these issues. We found the price on this new product to be compelling ($104, though $125 is more common) and the features to be most interesting, particularly the VPN functionality.
VPN (Virtual Private Networking) is the ability to create a tunnel across the internet between you and someone else, through which your network traffic can travel in relative security. This gives both parties in the VPN tunnel access to the other's machine or network. We had a need to connect two offices that exchange important information, so the ability to create a VPN tunnel between them was considered beneficial.
Having existing low-cost (cheap) firewall routers in place, but without VPN capability, we were quite familiar with most of the settings on this product. The VPN side was new, however. The instructions (on the CD, not in printed form) were easy to follow, and after making the mistake of assigning an external address range to the Remote Network IP settings (they should be set to the intranet IP range of the end you are pointing at) we were quickly able to establish a solid VPN tunnel across a sizeable portion of Northern New Jersey.
We pinged, and eventually got access to our Win2K and NT servers. It was a good day.
One issue that we had to overcome was that the router has to have differing IP ranges at each end of the tunnel; you cannot set it up with 10.0.0.x at both ends. One end needs to be on a different subnet. This required some mental gymnastics to work out how to least inconvenience the users and the system, as one end needed to have its IP numbers re-assigned.
Our situation has an existing router with a non-routing IP range (192.168.1.x), and the Netgear box sits with its WAN interface facing this IP range. You cannot have a 192.168.anything.anything address range for the LAN side in that case, or you will lose the web administrator. I guess the internal routing table is a bit loose, and takes a whole range of IP addresses to be routed to one side or the other. We cured this by making the WAN side one non-routing range (10.x.x.x) and the LAN side a differing range (192.168.x.x).
In recent use, with multiple tunnels to different locations, one "feature" has stood out. It's not too much of a problem for small home networks, but could be a pain for larger settings: each tunnel seems to require a different subnet range. This means that while the main network may be 192.168.0.0, the tunneled-to networks seem to have to be 192.168.1.0, 192.168.2.0, 192.168.3.0, etc. As I say, this may not be an issue for small networks where the machines are getting their IP addresses from the Netgear's DHCP service. On larger networks that are already, say, 192.168.1.0, and where there is already one such subnet, it may be tough to work out a fix. And I understand why this subnetting needs to be: just think of the addressing from the standpoint of the central router; it has to have non-overlapping address ranges to send traffic to. Maybe in the future they could add virtual VPN address ranges for the tunneled subnets!
The literature claims the small blue box will handle up to 8 VPN connections. More than enough for a small office's needs.
The Netgear site has an application note on getting Win2K to work with the VPN settings, and while the PC end of it looks fiddly (and does not seem to use the standard VPN connection wizard), it is available out of the box.
VPN setup between routers is fairly easy. We only experienced one slight issue, that being that the two ends took a nudge to get going. We set up the VPN, it claimed that the tunnel had been created, but we could not ping. So we disabled the tunnel, altered a setting that we knew would fail, then set it back the way we wanted. This seemed to do the trick. Note that the setting of the IP mask is important: 255.255.255.255 will only contact one machine; 255.255.255.0 is what you need if contacting another router or a network.
The ability to send NetBIOS info across the tunnel is excellent. This allows for many forms of administration of a remote (Windows) site that would not otherwise be possible. It also means that users on Windows machines can be given the opportunity to see servers at another location. We liked this, as it removed the need for a PC-Anywhere connection that had been dialed between locations. Now the user can run the actual application on their own machine.
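As an added example (not from the review, and not Netgear's own tooling), here is a small Python check that applies the addressing rules described above to a planned set of tunnels: each remote network must be a private range, must not overlap the local LAN or any other tunnel's range, and the LAN side must not share the WAN side's 192.168 space; the mask handling also shows why 255.255.255.255 names one host while 255.255.255.0 names a whole network. All interface addresses and tunnel entries below are constructed sample values.

```python
import ipaddress


def remote_network(ip, mask):
    """Build a network from an FVS318-style 'Remote Network IP' plus subnet mask.
    A mask of 255.255.255.255 covers a single host; 255.255.255.0 covers a /24,
    which is what you need when the far end is another router or a network."""
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def _same_16(a, b):
    # Models the review's observation that the LAN may not use 192.168.x.x at
    # all when the WAN side already does: compare at /16 (or wider) granularity.
    p = min(16, a.prefixlen, b.prefixlen)
    return a.supernet(new_prefix=p) == b.supernet(new_prefix=p)


def check_vpn_plan(lan, wan, tunnels):
    """Return a list of addressing problems (an empty list means the plan is
    consistent). lan/wan: the router's own interfaces as 'ip/mask' strings;
    tunnels: {name: (remote_ip, remote_mask)} as entered in the VPN settings."""
    problems = []
    lan_net = ipaddress.ip_network(lan, strict=False)
    wan_net = ipaddress.ip_network(wan, strict=False)
    if _same_16(lan_net, wan_net):
        problems.append(f"LAN {lan_net} shares the WAN side's {wan_net} address space")
    seen = {"LAN": lan_net}
    for name, (ip, mask) in tunnels.items():
        net = remote_network(ip, mask)
        if not net.is_private:
            # The mistake the review made first: an external range instead of
            # the far end's intranet range.
            problems.append(f"{name}: {net} is not a private range")
        for other_name, other in seen.items():
            if net.overlaps(other):
                problems.append(f"{name}: remote {net} overlaps {other_name} {other}")
        seen[name] = net
    return problems


if __name__ == "__main__":
    # Constructed plan: each tunneled-to office on its own /24, WAN on 10.x.
    plan = {"office_b": ("192.168.1.0", "255.255.255.0"),
            "office_c": ("192.168.2.0", "255.255.255.0")}
    for line in check_vpn_plan("192.168.0.1/24", "10.0.0.2/24", plan) or ["OK"]:
        print(line)
```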
There is a big upgrade in the offing, one that affects all FVS318 owners: recently Netgear changed the base hardware of the FVS318 router and created what is essentially a new product, which uses the new version 3.0 of the firmware. This new version is not compatible with older hardware. According to the Netgear site you can determine the basic version of your router from the label on the base of the unit; the serial number prefix identifies the version:
* FVS318v3 starts with FVS9
* FVS318v2 starts with FVS1
* FVS318v1 starts with FVS8
(from the Netgear website)
I will concern myself at this point with the older version 1 and 2 routers, though I look forward to trying one of the version 3 boxes, which should have some nice speed.
The version 1 and 2 products have received at least 5 firmware updates. Get the latest (2.4 at the time of writing [12/12/2004]) from the Netgear website. You may find it gives a large number of useful updates and new features.
Resetting this box is dead easy; all you have to remember is: be patient! When resetting using the little blue button, make sure the test LED really is on solidly. The LED will come on seemingly solidly after starting, but keep the reset button pressed for quite a few more seconds. The LED blinks off, then stays off for about 10 or 15 seconds, before blinking rapidly and finally glowing solidly. If you don't see this activity, you have not reset the router. After you reset in this manner you are completely back to factory defaults, or whatever level of code you have upgraded to. When you do an upgrade there is a menu option to cause the router to revert to factory settings; with this you don't need to do the hard reset.
This is a nice product: the firewall seems robust, and the VPN works like a charm. Bear in mind that at a street price of under $120 each, you are getting some (though clearly not all) of the features of $800 routers (can we say Cisco CIX 501s?). The FVS318 VPN/firewall/router is a bargain.
Check out the newer FVS 336G review here.
AM © 2002 -