Author: Tim Higgins
Review Date: 8/15/2001
– Extremely fast
– Built-in PPTP server and client endpoints and IPsec endpoint with no per-user licensing
– Two serial ports for simultaneous WAN dialup/ISDN and dial in RAS connection
– Windows client required for setup
– No DMZ
– Need to work out some kinks in the features
10/9/01 – New firmware upgrade available. Version 1.4.2 promises “improved firewall, port forwarding and IPSec support for IP aliases.”
SNAPgear is a new entry into the SOHO router market, with a sharp focus on providing PPTP and IPsec VPN capabilities without putting too large a dent in your pocket.
Background & Basic Features
SNAPgear, which is a wholly owned subsidiary of embedded OS supplier Lineo, is a very new company with a mission… to bring VPN networking to the masses! The product line is based on the Motorola ColdFire processor (the PRO uses the 5307 clocked at 90MHz) running Lineo’s uCLinux OS, and is based on Lineo’s SecureEdge reference design platform. It starts with the $249 Lite model and ends with the $549 PRO model, which is the one they sent us for review.
All versions have a serial port that can support a dialup or ISDN WAN connection, in addition to the 10BaseT WAN Ethernet port. The $399 SOHO+ and PRO models have a second serial port that can be used to simultaneously support a dialup/ISDN WAN and dial-in RAS connections. These two models also support Telnet-based configuration, and RADIUS/TACACS+ authentication. The PRO, however, is the only model to have a security co-processor, which helps with the encryption processing and allows the PRO to support a total of 40 PPTP and 70 IPsec tunnels (more on this later).
The $299 Lite+ is the only model to include a 4 port 10/100 switch. All other versions have just one 10BaseT LAN port, with no uplink connector or switch. SNAPgear does include both normal and crossover UTP cables to make your setup job easier, though.
SNAPgear makes no secret about being Linux based and even lets you view, edit, save, and restore key Linux configuration files! So I found it curious that I needed to run a Windows based installation program to assign an IP address to the router before I could access the HTTP (web) based admin pages. As a result of this and other decisions that SNAPgear made about the setup process, it took me longer than it should have to set up the unit. So that you don’t repeat my experience, here’s how the unit comes set up:
So make things easy on yourself, and assign a static IP to the PC that you use for setup. The setup program will detect the subnet you’re in and you’ll just have to enter a number from 1 to 254 to complete the IP address for the box.
Once you assign the SNAPgear an address, you’ll be able to reach the admin pages, where you’ll need to enter the other information to get you connected. The Connect to Internet page (not shown) gives you the choice of Cable Modem, Modem, ADSL, and Do not Connect to Internet for non-PPPoE, Dialup, PPPoE, and no Internet connection respectively. The ADSL setup page shown here gives you the options you’ll need to get set up with most PPPoE based BSPs. Note that the Cable Modem setup page has choices for Generic, Big Pond Advance (a popular Australian BSP), and @Home networks.
You’ll probably need to visit this page, where you both set the IP address and subnet mask for the router itself, and find the settings for the router WAN port.
Your set-up may also include a visit to the LAN DHCP server page. In this screen shot, I’ve already set up the server and have a few IP addresses leased. Note the ability to end a lease, but also the absence of MAC address info for the lessees.
The SNAPgear has a decent set of routing features, but there are a few quirks you’ll need to be aware of, and features that they don’t have. First, the good stuff:
Port Forwarding (“Services”) –
Access Control/Port Filtering (“Security Groups”) –
In addition to the missing items mentioned above, here are a few other things that you should know about:
That’s it for the routing features. Now we can look at what SNAPgear’s really bringing to the party… their VPN features!
SNAPgear’s big feature is its powerful VPN capabilities. While most other routers provide only pass-thru capabilities for connecting VPN clients, the entire SNAPgear product line provides PPTP and IPsec endpoint capabilities. What this basically means is that the SNAPgear boxes set up and manage the VPN “tunnels” instead of having to use VPN software at each client.
If you want to set up your own VPN between two office locations, for example, you just need two SNAPgears… no extra licenses or options to buy. And if that doesn’t get your attention, maybe the fact that there are no per client or connection licenses to buy will!
Although all members of the SNAPgear family have the built-in endpoint capability, there are differences among the products, summarized in the table below, which I’ve borrowed from the SNAPgear Web site:
Note that although there is a limit to the number of tunnels that each product will support, SNAPgear says that there’s no limit to the number of users per tunnel.
To check things out, I set up the SNAPgear as a PPTP server, and used the standard Microsoft VPN client to connect via the Ethernet WAN connection. I had no problems either setting up the server or the PPTP connection itself. But once I connected, I wasn’t able to browse the remote network via Network Neighborhood, even though I could ping clients on it. A call to SNAPgear revealed that neither their PPTP nor IPsec implementation presently supports MS Network browsing. They know this is a problem, however, and are at work on a solution other than using LMHOSTS tables, which is their current suggested workaround.
I was a little surprised at the performance of the PPTP connection (more below), which was slower than I expected it to be. SNAPgear told me that even though the PRO has a security co-processor, it’s used only for IPsec, so that may help explain what I measured.
I didn’t try out the IPsec capability because I didn’t have an IPsec client and SNAPgear doesn’t provide one as part of their package. This wouldn’t be a problem if you were a telecommuter connecting into your corporate network, since your company would be providing the other end of the VPN connection. But if you had a SNAPgear on your home LAN and wanted to use an IPsec connection to connect via the dial-in RAS, you’d have to buy an IPsec client. I’d like to see SNAPgear at least suggest a client, or offer some sort of a discount deal on one. Right now, your only option for the scenario above would be to fall back to using PPTP, since Windows includes a client in each copy of the OS.
I ran the Qcheck suite to test routing performance. I ran my normal WAN-LAN and LAN-WAN tests, but also ran tests using a PPTP connection between the same two computers. Results are shown in the tables below:
(Details of how we tested can be found here.)
I was a little reluctant to spend the time evaluating yet another SOHO router, especially from a startup whose distribution strategy is a work in progress. But after putting the SNAPgear PRO through its paces, I’m glad I did! Although the low-cost router field is pretty crowded, SNAPgear appears to be alone in their focus on a low cost, endpoint based solution.
Folks who know their way around Linux will feel right at home, given the ability to directly edit many config files from the web admin pages. They can even Telnet into the two top-end models and get a shell prompt!
As nice as these goodies are, SNAPgear’s got their work cut out for them. You presently can buy their products only direct, or through small distributors, and no retail distribution is on the horizon. There’s also work to do on the product itself, streamlining the install process, adding features, and getting MS network browsing working over VPN.
But, all things considered, it may be worth giving the SNAPgear a shot. I mean, where else can you go to set up a LAN to LAN IPsec tunnel, with no per user licensing, for as little as $250 per LAN?