Author: Tim Higgins
Review Date: 9/1/2001
Pros:
– Fast routing
– Bandwidth control
– Non TCP/IP protocol bridging
Cons:
– Slow wireless
– Only 40 bit WEP
– No MAC address association control
– No port filtering
The Cayman 2E-H-W11 is an 802.11b wireless router with a built-in 8 port 10BaseT hub. It pairs a fast, flexible NAT router with a poorly performing wireless side. Designed primarily to be sold to BSPs (Broadband Service Providers), it has some unique features that may interest experienced networkers… if they want to pay the price.
Setup and Administration
I didn’t have problems setting up the W11, since it has both HTTP (browser) and Telnet based admin interfaces (a serial console connection is also provided) and came with its built-in DHCP server enabled. My trusty test PC was set to be a DHCP client and leased an address without problem so that I could connect to the 192.168.1.254 admin server address.
During my testing, I was surprised to find the default setup of the W11 to be very insecure. Not only does the unit ship without a default admin password, but it has both the HTTP and Telnet admin interfaces open to the WAN side of the router! The unit allows multiple users to be logged into the admin server at the same time, with no notification of the additional logins. There’s also no way to limit WAN side admin access to either an IP address range or specific IP address to enhance admin security.
Note in the screen shot above that you do get a security warning about the lack of password. But there’s nothing to warn the user that their router can be controlled by anyone who Telnets in or types their IP address into a web browser! This should be fixed IMMEDIATELY, since port scans for ports 23 and 80 are a daily, if not hourly, occurrence for most users, even those of us on dialup connections! Cayman also doesn’t let you set the W11 so that it doesn’t respond to pings from the WAN side, although they say this is coming in a future firmware release.
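A check an owner could run from a host outside the LAN, against their own WAN address, to confirm that the Telnet and HTTP admin services described above are no longer reachable once the unit is secured. This is an added example, not part of the original review or Cayman's software; the function names are hypothetical, and it assumes the web admin answers an unauthenticated request with 401 or 403 once a password is set.

```python
"""WAN-side exposure check for a router's admin services (added example)."""
import http.client
import socket
import sys

# Ports named in the review: Telnet and HTTP admin, both open to the WAN by default.
ADMIN_PORTS = {23: "telnet", 80: "http"}

def probe(host, port, timeout=2.0):
    """Classify one TCP port as 'open', 'closed' (refused) or 'filtered' (no reply)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # timeouts, unreachable network, etc.
        return "filtered"

def http_unauthenticated(host, port=80, timeout=2.0):
    """True if an unauthenticated GET / is served rather than rejected (401/403).

    Assumption: the admin UI signals a password requirement with 401 or 403.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/")
        return conn.getresponse().status not in (401, 403)
    except (OSError, http.client.HTTPException):
        return False  # could not confirm either way
    finally:
        conn.close()

def audit_wan_admin(host, ports=ADMIN_PORTS, timeout=2.0):
    """Return one finding string per admin service reachable at `host`."""
    findings = []
    for port, name in sorted(ports.items()):
        if probe(host, port, timeout) != "open":
            continue
        note = f"{name} admin reachable on port {port}"
        if name == "http" and http_unauthenticated(host, port, timeout):
            note += " and served without a password challenge"
        findings.append(note)
    return findings

if __name__ == "__main__" and len(sys.argv) == 2:
    # Usage: python check.py <your-own-WAN-address>; exit status 1 means exposed.
    results = audit_wan_admin(sys.argv[1])
    print("\n".join(results) if results else "no admin service reachable")
    sys.exit(1 if results else 0)
```

An empty result from outside the LAN is the state to aim for; any finding means the admin interface is still answering on the WAN side.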
Once you secure your W11, you’ll find pretty much everything you need to set up for most BSPs. For @Home use, you can set the router name and Domain Name for the DHCP server to hand out to clients. ATT Broadband and other MAC address authenticated users will need to use the Telnet interface’s CONFIG commands to change the WAN MAC address. PPPoE is supported, but you can just enter your Username and password — no idle time or auto-reconnect settings are provided.
The W11 has an interesting mix of routing capabilities. You can forward up to 64 ports or port ranges (“pinholes”), but the mappings are static, i.e. triggered maps are not supported. You currently can’t do any port filtering to control the services that users can access, but Cayman says they’ll be adding this in a future firmware release. You can also set one “default host” that is effectively placed on the WAN side of the firewall.
If VPN is your interest, you’ll find that the W11 supports pass-thru for multiple PPTP or IPsec client sessions. There’s no hard limit on the number of sessions or number of sessions per server. On the downside, “pinholes” won’t work for accessing PPTP and IPsec LAN-side servers from the Internet (WAN), although you can try using the “default host” function for this.
Up to 16 static routes are supported, and you can enable RIP1, RIP2, or RIP2 with MD5 authentication for dynamic routing.
Logging is restricted to configuration “console” type messages; no Web site or other IP traffic is logged, nor are security (“hack”) attempts. Cayman says that “a soon to be available product” will provide security event logging, though. You can clear the log, but can’t save it or send it to a syslog or SNMP trap server. Other links on the Monitor page let you view a variety of router and network information.
The W11’s routing features include a few that you don’t normally find in a consumer router, but that a BSP would feel right at home with: (These features are available via the Telnet admin interface only.)
If you really want to get into the details, download the documentation from the Cayman Support site.
That about covers the Routing Features.
The W11 uses a Proxim Harmony 8430 802.11b PC card radio that supports 40 bit WEP encryption only. (The FCCID on the Proxim card shows that it’s an XI-300 sourced from Z-Com.) The radio is plugged into a PC card connector mounted inside the chassis enclosure, with the patch type antenna sticking out of a slot in the rear of the box. The antenna module is removable and connected via two miniature MMCX style connectors, so with the proper “pigtail” cables, it’s possible to attach other antennas.
The W11’s Monitor features will let you see wired and wireless DHCP clients (both MAC and IP addresses), and traffic statistics.
I ran the Qcheck suite to test routing performance, with the following results:
(Details of how we tested can be found here.)
The graph below shows TCP throughput over an approximately two minute period (details of the test are here).
Cayman sells a lot of product to BSPs and “enterprise” customers, but would like to develop more of a presence in the “residential” market. Unfortunately, I don’t think the 2E-H-W11 is the product that will do it.
Although it’s a fast router with a number of unique features, it lacks some of the basics such as port filtering, security “event” logging, and triggered port maps. Those shortcomings might not be so bad, but the wireless side of the product simply isn’t up to par with competitive offerings.
For $500 you can do a whole lot better, and so can Cayman.