Models: NBG800
Pros:
- Stateful inspection firewall for under $200!
- Works with any OS.

Cons:
- Limited feature set

Updates
4/18/01 V47s firmware update adds port forwarding, allows base
IP address change and more. Go
here for Release Notes, here
for download.
I was pretty excited when I heard about the BroadGuard (BG)... a stateful
inspection router with a built-in 4-port 10/100 switch for $180 (list)!
The realization, however, was not as great as the expectation, and you
may want to wait for a few firmware revisions before you give this box
a try.
Setup was done via a set of web-based administration screens (see screenshots
below), with the BG having a default address of 192.168.1.1.
You'd better like the BG IP addressing scheme, because you can't change
it, and therefore you can't change the LAN subnet that is created
by the BG. All the clients attached to the BG will need
to be on a 192.168.1.X network. This limitation shouldn't
be a problem for most users, but could prevent its use in larger
networks with other routers. (SOHOware says this limitation is
on the priority list for change in an upcoming firmware release.)
[NOTE: Corrected in v47s firmware.]

I suggest you use IE5 rather than Netscape 4.X to set up the BG.
Neither Netscape 4.5 nor 4.75 would properly display either the DHCP
settings or Globally Disallowed Web site list pages.
You need to enter both a User Name and Password to access the admin screens.
You can change the Password (be sure to set a strong one), but you can't
change the User Name. Once you log in, you can access the admin screens as
long as you don't quit your web browser... there's no admin access timeout.
There's no checking for multiple Admin logins either, so it's possible to be
logged into the router from two clients at the same time.
The Admin screens cannot be accessed from the WAN side of the BG for remote
administration. But curiously, you can also reach the screens by entering the
BG's WAN IP address into your browser. [NOTE: Corrected in v47s firmware.]
Once you're logged in, you should be able to connect the BG to most any
BSP (Broadband Service Provider). It comes set as a DHCP client
on the WAN port and with its DHCP LAN server enabled, easing the setup
for many users. You can also set the WAN IP information manually
and enter IP Address, Subnet Mask, Gateway, and two DNS Server addresses.
MAC address cloning is supported for AT&T Broadband, MediaOne/RR
and other providers who use MAC address authentication. You can
set both Host Name and DNS info for @Home setup, too.
PPPoE connection management is provided for DSL users, where you
can enter your User Name, Password, and Service Name. The only method
not supported is the RoadRunner TAS protocol, which is in declining use.
The BG has Access Controls and a limited form of Content control. You can
control access to a fixed set of applications (Email, FTP, News (NNTP),
Bulletin Board Service(?), and Web) for up to 10 IP addresses. If these
applications aren't what you want, you're out of luck, since you can't enter
the port numbers for any other services. (This limitation is also on
SOHOware's "To Do" list.)
Content control is provided via a "Globally Disallowed Website/Keyword
List". This list lets you enter up to 10 full URLs (web addresses)
or words that will have their web access blocked for all users.
Neither the Access nor Content controls can be set by time of day.
The big show-stopper for many potential buyers, however, is the lack
of port forwarding/mapping capability. This is a big omission,
and again, on SOHOware's Top Priority list for fixing via firmware update.
The only thing you can do is place one LAN client in DMZ, i.e.
outside the BG's firewall and fully exposed to the Internet. [NOTE:
Corrected in v47s firmware.]
On a positive note, SOHOware says the BG will support multiple PPTP
and IPsec client pass-through sessions for VPN users. They also
say that the multiple sessions can be established to one VPN server, instead
of the one session-per-server multi-passthru capability of other manufacturers'
products.
I found the BG to be lacking on these features. You can't really view any
logs via the admin interface. And although the real-time Access Monitor can
show you what kind of traffic the BG is currently handling, you can't get
any historical or cumulative view, either via the Admin interface or via
Syslog or SNMP logging. There's no logging of admin access, startup,
shutdown, or other similar events either.
Port scans and any other attacks stopped by the BG's stateful inspection
firewall are viewable via the "Hacker Alert" email alert system only. I wasn't
able to get this to work, even when I used the "Hacker Alert Test" feature
(the sample screenshot is courtesy of SOHOware). Maybe this is because I
couldn't define the SMTP server for the BG to use... it tries to send mail
using a SOHOware SMTP server. SOHOware says they'll be changing this in
production units to allow users to specify an SMTP server, with a SOHOware
server provided as a default entry.
So since I couldn't see how the firewall was reacting to my port scans,
I couldn't really check it out. The only thing I can say is that
a port scan of common TCP ports showed the BroadGuard locked down tightly.
I ran the BG through the Qcheck test suite with the following results:
(Tests run with 5.13.0043s firmware)

| Test Description | Transfer Rate (Mbps) [1Mbyte data size] | Response Time (msec) [10 iterations 100byte data size] | UDP stream [10S@500Kbps] (Actual throughput - kbps) | UDP stream [10S@500Kbps] (Lost data - %) |
|---|---|---|---|---|
| WAN-LAN | 2.5 | 8 (avg.), 22 (max.) | Inconclusive | |
| LAN-WAN | 2.2 | 8 (avg.), 14 (max.) | Inconclusive | |

(Details of how we tested can be found here.)
The speed numbers are slower than the current crop of inexpensive firewalls
without stateful packet inspection (SPI), but fast enough for most broadband
connections. Response Time (latency) was about twice the norm for
most routers in this class, probably a by-product of the SPI firewall.
Another suspected by-product of the SPI firewall was the BG's behavior
with the UDP streaming test. I was able to complete some LAN to
WAN tests at 50Kbps, with 50Kbps throughput and 0% data loss, but when
I cranked the streaming rate to my normal 500Kbps, or ran WAN to LAN tests,
the BG wouldn't complete the test. However, I found that I could
still web-browse and receive email normally without having to reboot the
BG. My suspicion is that the test is throwing data at the
BG faster than it can handle it, or that there's something about the data
that it doesn't like. I had no problems using RealPlayer to listen
to a 16kbps audio stream through the BG, however.
The BroadGuard makes a nice first impression. The box's graphics
are attractive and informative, the product itself is well made (probably
the best RF shielding I've seen in a product in this class), and the documentation
is decent and supplied in printed form.
Unfortunately, the product doesn't deliver the goods in its present form,
unless your Internet sharing needs are very simple. My advice is
to wait until SOHOware has delivered a firmware update (or two) to add
the features that users have come to expect even in an inexpensive router,
SPI firewall or not!