firewall for under $200!
- Works with any OS.
|| - Limited
4/18/01 V47s firmware update adds port forwarding, allows base
IP address change and more. Go
here for Release Notes, here
I was pretty excited when I heard about the BroadGuard (BG)... a stateful
inspection router with a built-in 4port 10/100 switch for $180 (list)!
The realization, however, was not as great as the expectation, and you
may want to wait for a few firmware revisions before you give this box
Setup was done via a set of web-based administration screens (see screenshots
below), with the BG having a default address of 192.168.1.1.
better like the BG IP addressing scheme, because you can't change
it, and therefore you can't change the LAN subnet that is created
by the BG. All the clients attached to the BG will need
to be on a 192.168.1.X network. This limitation shouldn't
be a problem for most users, however, but could prevent its use in larger
networks with other routers. (SOHOware says this limitation is
on the priority list for change in an upcoming firmware release.)[NOTE:
Corrected in v47s firmware.]
suggest you use IE5 rather than Netscape 4.X to set up the BG.
Neither Netscape 4.5 or 4.75 would properly display either the DHCP
settings or Globally Disallowed Web site list pages.
You need to enter both a User Name and Password to access the admin screens.
You can change the Password (be sure to set a
strong one), but you can't change the User Name. Once you
login, you can access the admin screens as long as you don't quit your
web browser... there's no admin access timeout. There's no checking
for multiple Admin logins either, so it's possible to be logged into the
router from two clients at the same time.
The Admin screens cannot
be accessed from the WAN side of the BG, for remote administration.
But curiously, you can reach the screens by also entering the BG's WAN
IP address into your Browser. [NOTE: Corrected in v47s firmware.]
Once you're logged in, you should be able to connect the BG to most any
BSP (Broadband Service Provider). It comes set as a DHCP client
on the WAN port and with its DHCP LAN server enabled, easing the setup
for many users. You can also set the WAN IP information manually
and enter IP Address, Subnet Mask, Gateway, and two DNS Server information
MAC address cloning is supported for AT&T Broadband, MediaOne/RR
and other providers who use MAC address authentication. You can
set both Host Name and DNS info for @Home setup, too.
PPPoE connection management is provided for DSL users, where you
can enter your User Name, Password, and Service Name. The only method
not supported is the RoadRunner TAS protocol, which is in declining use.
The BG has Access Controls and a limited form of
Content control. You can control access to a fixed
set of applications (Email, FTP, News(NNTP), Bulletin Board Service(?),
and Web) for up to 10 IP addresses. If these applications
aren't what you want, you're out of luck, since you can't enter
the port numbers for any other services. (This limitation
is also on SOHOware's "To Do" list.)
Content control is provided via a "Globally Disallowed Website/Keyword
List". This list lets you enter up to 10 full URLs (web addresses)
or words that will have their web access blocked for all users.
Neither the Access or Content controls can be set by time of day.
The big show-stopper for many potential buyers, however, is the lack
of port forwarding/mapping capability. This is a big omission,
and again, on SOHOware's Top Priority list for fixing via firmware update.
The only thing you can do is place one LAN client in DMZ, i.e.
outside the BG's firewall and fully exposed to the Internet. [NOTE:
Corrected in v47s firmware.]
On a positive note, SOHOware says the BG will support multiple PPTP
and IPsec client pass-through sessions for VPN users. They also
say that the multiple sessions can be established to one VPN server, instead
of the one session-per-server multi-passthru capability of other manufacturers'
I found the BG to be lacking on these features.
You can't really view any logs via the admin interface.
And although the real-time Access Monitor can show you what kind
of traffic the BG is currently handling, you can't get
any historical or cumulative view, either via the Admin interface
or via Syslog or SNMP logging. There's no logging of admin
access, startup, shutdown,or other similar events either.
Port scans and any other attacks stopped by the
BG's stateful inspection firewall are viewable via the "Hacker
Alert" email alert system only. I wasn't able to get
this to work, even when I used the "Hacker Alert Test"
feature (the sample screenshot is courtesy of SOHOware).
Maybe this is because I couldn't define the SMTP server
for the BG to use... it tries to send mail using a SOHOware SMTP
server. SOHOware says they'll be changing this in production
units to allow users to specify an SMTP server, with a SOHOware
server provided as a default entry.
So since I couldn't see how the firewall was reacting to my port scans,
I couldn't really check it out. The only thing I can say is that
a port scan of common TCP ports showed the BroadGuard locked down tightly.
I ran the BG through the Qcheck test suite with the following results:
(Tests run with 5.13.0043s firmware)
[1Mbyte data size]
[10 iterations 100byte data size]
(Details of how we tested can be found here.)
The speed numbers are slower than current crop of inexpensive non stateful
packet inspection (SPI) firewalls, but fast enough for most broadband
connections. Response Time (latency) was about twice the norm for
most routers in this class, probably a by-product of the SPI firewall.
Another suspected by-product of the SPI firewall was the BG's behavior
with the UDP streaming test. I was able to complete some LAN to
WAN tests at 50Kbps, with 50Kbps throughput and 0% data loss, but when
I cranked the streaming rate to my normal 500Kbps, or ran WAN to LAN tests,
the BG wouldn't complete the test. However, I found that I could
still web-browse and receive email normally without having to reboot the
BG. My suspicion is that the test is throwing data at the
BG faster than it can handle it, or that there's something about the data
that it doesn't like. I had no problems using RealPlayer to listen
to a 16kbps audio stream through the BG, however.
The BroadGuard makes a nice first impression. The box's graphics
are attractive and informative, the product itself is well made (probably
the best RF shielding I've seen in a product in this class), and the documentation
is decent and supplied in printed form.
Unfortunately, the product doesn't deliver the goods in its present form,
unless your Internet sharing needs are very simple. My advice is
to wait until SOHOware has delivered a firmware update (or two) to add
the features that users have come to expect even in an inexpensive router,
SPI firewall or not!
Add YOUR Opinion
Opinion Summary: 55.6% | 44.4% | out of 27 reviews
Read Reviews by Users
Print this Page