Author: Tim Higgins
Review Date: 9/29/2000
– Excellent logging and alert features
– Very good Access controls, including Time
– Very good Content controls
– Slower than less expensive products
– No port range forwarding
– No “DMZ”
– Expensive feature upgrades
11/06/01 – SOHO2 and SOHO firmware upgraded to 188.8.131.52 for new VPN enhancements.
2/01 – Replaced by the SOHO2. (See Tele2 review.)
1/11/01 – Port range mapping and other improvements have been made in version 5.1.0 and higher firmware. See this page for Release Notes.
Check this page for a summary of the SOHO’s capabilities.
It’s taken me long enough to review one of the products that helped to establish the category of inexpensive routers, but after enough reader requests (and procrastination), I finally dug into this very feature-rich product.
The good news is that if you’ve been unhappy with the limited feature offerings of many of the products in this market, you’re gonna love the SOHO. It has a lot of what you’ve been looking for: a secure firewall with excellent logging, report and alert functions; extensive access control and content filtering features; and even a One-to-One NAT feature that lets you share more than one public IP address with firewall protected clients.
What’s not so good news, though, is the slower speed and more limited port forwarding capabilities of the SOHO. For that story, however, you’ll have to read on….
Warning! This is a looonng review. If you have specific interests, go to the bottom of the page and use the links to take you where you want to go.
Setup and Basic Features
The SOHO comes with a printed quickstart guide and user manual, and a Java-based setup wizard that makes setting up easy. A companion CD is also included that contains PDF versions of these and other docs. The CD also includes utility software, copies of the Adobe Acrobat reader, Netscape browser, and router firmware. All the PDF documentation and more is located at the SonicWall FTP site. The SonicWall support Web site also has an extensive FAQ file, which you can either search or browse.
As I said, the setup wizard makes setup easy, but you’ll need to assign a static IP address in the 192.168.168.X range to the computer that you use for setup because the SOHO comes set with an IP address of 192.168.168.168 and the LAN DHCP server turned off. The SOHO also doesn’t come with the WAN side set to be a DHCP client, so there’s little chance of doing a “plug-and-go” installation. The wizard forces you to set an admin password as part of the setup, but doesn’t do any checking to make sure that the password is a strong one.
Once you get set up, you’ll need to reset the IP address of the computer that you used for setup, and the SonicWall tells you this clearly as the wizard finishes up its work. You can play with the setup Wizard via the SonicWall Web site so I won’t bother with any screen shots, and just give you some key setup features:
- The SOHO can handle single or multiple Static IPs, single dynamic IP, or PPPoE WAN connections.
- It does not have any special support for RoadRunner TAS login.
- It does not handle WAN MAC address cloning or changing (MediaOne and other MAC address authenticated users should note that the router serial number is its WAN MAC address.)
- You can enter Domain and Host Names, for @Home setup.
Once you login to the SOHO’s Web Management Interface, however, you’ll find plenty of knobs to twiddle. You can see for yourself with SonicWall’s Management Interface demo.
As you work your way through the Management Interface menus, it seems like the feature set just goes on and on. After working with the SOHO for a few days, I found that although it has lots of features that other less expensive products don’t have, it lacks some features that you may expect to find. So before we dig into the extensive feature set, let’s take a look at what you’ll be missing:
DMZ:
Also known as “default server” in some routers, this feature allows you to place one LAN computer completely outside the router firewall. You won’t find this feature in the SOHO, since SonicWall’s focus is security (they do call the product an “Internet Security Appliance” after all…) and they feel that this is an inherently insecure way to allow WAN traffic past the firewall. See the Access section of the review for what the SOHO does provide for getting traffic through the firewall.
Port Range Forwarding:
You can set access rules on up to 128 single TCP, UDP, or ICMP ports (more on this later), but you can’t forward port ranges and you won’t find triggered port maps either. Instead SonicWall has built special handling into the SOHO for NetMeeting and other applications that require special port handling.
WAN address “loopback”:
If you have LAN based servers that you set as Public servers, you’ll have to reach them via their private LAN IP address from LAN side machines.
10/100 switched LAN ports:
The 4 LAN ports are 10BaseT only and they are repeated, not switched. In other words the LAN side is a four port 10BaseT hub. Note that port number 4 is hard-wired as a crossover port, so you’ll need to use a crossover cable to connect a normal LAN client, i.e. a computer to that port. Although a short crossover cable is provided with the SOHO, it seems an odd design choice.
Bummed? Don’t be. There are plenty of features to get your LAN securely connected to the net. Let’s start by looking at the Access controls.
NOTE: Opening holes in your firewall can compromise your LAN’s security if done incorrectly.
(You may want to refer to the Access Controls Management Interface page as you read this section. NOTE that the SOHO does not have the DMZ function, so you won’t see the DMZ checkboxes.)
The SOHO’s access controls manage the flow of traffic (data) through its firewall and are based on Services and Rules:
Each Service is a Name / single Port Number / Protocol association.
For example, the HTTP (Webserver) rule is defined as Port 80, with the TCP Protocol.
The SOHO comes with common Services such as HTTP, FTP, DNS, POP3, SMTP, etc. already defined and you can add your own services up to a total of 128 Services.
Each Rule contains an Action (Allow or Deny), Source IP address, Destination IP address, and IP protocol to decide if the IP traffic is allowed to pass through the firewall.
The Default rules that come with the router ALLOW all traffic to pass from LAN to WAN and DENY all traffic to pass from WAN to LAN. The Help page that can be accessed from the Access page does a good job of explaining the process and mechanics of establishing new rules. Once you have defined Services, you can set up new rules on either the Services page or Rules page. The Services page method may be more familiar to users of inexpensive routers; the Rules page method may be more familiar to users accustomed to dealing with professional level firewall products. Note that you can’t modify or disable the stateful packet inspection features of the firewall, so you’re always protected against Denial of Service (DoS) attacks and port scans. But since custom (user defined) Rules take precedence over stateful packet inspection, you can weaken the firewall by Rules that open too many ports or ports used by applications such as Back Orifice.
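To make the Services/Rules scheme concrete, here is a small model of it as an added example (constructed for this review, not SonicWall’s code): a Service is a name/port/protocol triple, a Rule is an action plus source, destination, service and direction, the shipped defaults allow LAN-to-WAN and deny WAN-to-LAN, and custom rules are consulted first. It assumes the default 192.168.168.0/24 LAN range and deliberately leaves the stateful inspection out, which is why an inbound Allow rule passes traffic unconditionally, exactly the “hole” the text warns about; `inbound_holes` lists those rules for audit.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed model of the SOHO's Services/Rules scheme (assumption, not SonicWall code).
@dataclass(frozen=True)
class Service:
    name: str
    port: int
    proto: str          # "TCP", "UDP" or "ICMP"

@dataclass(frozen=True)
class Rule:
    action: str                  # "Allow" or "Deny"
    src: str                     # CIDR; ANY matches every address
    dst: str
    service: Optional[Service]   # None matches any port/protocol
    zone: str                    # "LAN->WAN" or "WAN->LAN"

ANY = "0.0.0.0/0"
HTTP = Service("HTTP", 80, "TCP")   # the page's example: port 80, TCP
SMTP = Service("SMTP", 25, "TCP")
LAN = ip_network("192.168.168.0/24")  # SOHO default LAN range (assumed here)

# Default rules shipped with the router: LAN->WAN allowed, WAN->LAN denied.
DEFAULT_RULES = [
    Rule("Allow", ANY, ANY, None, "LAN->WAN"),
    Rule("Deny", ANY, ANY, None, "WAN->LAN"),
]

def direction(src_ip: str, dst_ip: str) -> str:
    """Classify a packet by which side of the firewall it crosses."""
    s_in, d_in = ip_address(src_ip) in LAN, ip_address(dst_ip) in LAN
    if s_in and not d_in:
        return "LAN->WAN"
    if d_in and not s_in:
        return "WAN->LAN"
    return "LOCAL"   # LAN-to-LAN traffic never reaches the firewall

def rule_matches(rule: Rule, src_ip: str, dst_ip: str, port: int, proto: str) -> bool:
    if rule.zone != direction(src_ip, dst_ip):
        return False
    if ip_address(src_ip) not in ip_network(rule.src):
        return False
    if ip_address(dst_ip) not in ip_network(rule.dst):
        return False
    if rule.service is not None and (rule.service.port, rule.service.proto) != (port, proto):
        return False
    return True

def decide(custom_rules: List[Rule], src_ip: str, dst_ip: str, port: int, proto: str) -> str:
    """Custom rules are checked before the defaults; the first match decides."""
    for rule in custom_rules + DEFAULT_RULES:
        if rule_matches(rule, src_ip, dst_ip, port, proto):
            return rule.action
    return "Deny"   # nothing matched (e.g. LOCAL traffic): not passed by the firewall

def inbound_holes(custom_rules: List[Rule]) -> List[Rule]:
    """Audit helper: every custom rule that opens WAN->LAN traffic."""
    return [r for r in custom_rules if r.zone == "WAN->LAN" and r.action == "Allow"]

if __name__ == "__main__":
    # Constructed sample: publish one LAN web server, then probe a few packets.
    custom = [Rule("Allow", ANY, "192.168.168.10/32", HTTP, "WAN->LAN")]
    print(decide(custom, "203.0.113.5", "192.168.168.10", 80, "TCP"))   # Allow
    print(decide(custom, "203.0.113.5", "192.168.168.10", 25, "TCP"))   # Deny
    print(decide(custom, "192.168.168.20", "203.0.113.5", 80, "TCP"))   # Allow (default)
    print([r.service.name for r in inbound_holes(custom)])              # ['HTTP']
```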
Other Access features are a checkbox that will allow Microsoft Networking (NetBIOS) traffic flow from LAN to WAN, and a “stealth” mode that will cause inbound packets to be dropped instead of the firewall responding with a message that the port is closed (this is NOT enabled by default). You can also change the outbound connection timeout from its default of 5 minutes.
User privileges are a little tricky to understand, so let’s start with the easy stuff first. Any Access controls you define apply to all users, both LAN and WAN based, by default. You can define up to 100 users with privileged access rights, with two privileges available:
- Unrestricted access to the LAN from a remote location on the Internet
- Unrestricted access to the Internet from the LAN (bypassing Web, News, Java, and ActiveX blocking)
The first privilege is available only if you are not using NAT, i.e. are just using the firewall features of the SOHO and have routable IP addresses assigned to all your LAN machines. The second feature is available no matter what mode you’re using and allows selected users to bypass any filtering that you establish.
The last Access feature is control of the Management interface. The default is control from LAN only, and you can choose to enable control from the LAN and WAN, or from SonicWall’s Global Management System. The WAN Management Access is fully encrypted via IPsec and you must install a VPN client (downloadable from the Sonicwall Web site) on whatever computers that you will use to manage the SOHO remotely. You won’t get that kind of remote management security from the cheaper routers!
That’s pretty much it for how to control WHO has access to your LAN. Now let’s see how you can control WHAT they can look at!
Filtering that nasty web stuff!
The SOHO has quite an array of Content filtering features. Here’s the list:
- You can individually choose to block ActiveX, Java applets, Cookies, or access to WAN based Proxy servers
- You can have the filtering active only during a certain time of the day (just one range) and certain days of the week (one range), or all the time
- You can set a time limit for each web browsing session. (When the timeout is reached, the user gets sent to the Consent page (see below) in order to restart the session.)
- You can enter up to 256 “Trusted” and 256 “Forbidden” domains
- You can display a message (up to 255 characters long) on the user’s web browser if they try to access a filtered web site.
- You can enter a list of keywords to filter. If the keyword is contained in a URL, access to the site will be blocked.
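The decision order those filter features imply, written out as an added example (constructed for this review, not SonicWall’s code): privileged users bypass the filter entirely (the Access-section privilege), the filter is only active inside one daily time range on chosen days, trusted domains are always allowed, forbidden domains are blocked, and any keyword found in the URL blocks the request. The domain lists, keywords, schedule and block message are constructed sample values, and the rule that a domain entry also covers its subdomains is an assumption.

```python
from datetime import datetime, time
from typing import Tuple
from urllib.parse import urlsplit

# Constructed sample configuration (assumptions; the SOHO allows up to 256 of each list).
TRUSTED = {"example.org"}
FORBIDDEN = {"bad.example"}
KEYWORDS = ["casino", "warez"]                    # blocked if found anywhere in the URL
ACTIVE_DAYS = range(0, 5)                          # Mon-Fri (one range of days)
ACTIVE_WINDOW = (time(8, 0), time(17, 0))          # 08:00-17:00 (one range per day)
BLOCK_MESSAGE = "This site is blocked by the SOHO content filter."  # must be <= 255 chars
assert len(BLOCK_MESSAGE) <= 255

def host_matches(host: str, domains) -> bool:
    """A list entry matches the exact host and any subdomain of it (assumption)."""
    return any(host == d or host.endswith("." + d) for d in domains)

def filter_active(now: datetime) -> bool:
    start, end = ACTIVE_WINDOW
    return now.weekday() in ACTIVE_DAYS and start <= now.time() < end

def check_url(url: str, now: datetime, privileged: bool = False) -> Tuple[bool, str]:
    """Return (allowed, reason) for one web request at time `now`."""
    if privileged:                       # second user privilege: bypass all filtering
        return True, "privileged user bypass"
    if not filter_active(now):           # outside the schedule nothing is filtered
        return True, "filter inactive at this time"
    host = (urlsplit(url).hostname or "").lower()
    if host_matches(host, TRUSTED):
        return True, "trusted domain"
    if host_matches(host, FORBIDDEN):
        return False, "forbidden domain"
    for kw in KEYWORDS:
        if kw in url.lower():
            return False, f"keyword '{kw}' in URL"
    return True, "no filter matched"

if __name__ == "__main__":
    # Constructed sample requests during working hours on a Friday.
    work_hours = datetime(2000, 9, 29, 10, 0)
    for u in ("http://bad.example/news", "http://www.example.org/casino",
              "http://host.example.net/online-casino"):
        allowed, why = check_url(u, work_hours)
        print(u, "->", "allowed" if allowed else BLOCK_MESSAGE, f"({why})")
```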
If the above features aren’t enough you can subscribe to CyberPatrol’s CyberNOT content filter list. The SOHO comes with a 30-day trial subscription, but extending that subscription will cost you $175 for a year’s subscription… ouch! If you do subscribe, you can set the SOHO to update the list weekly, at a date and time that you can select. If the update should fail for some reason, you can select whether to block or enable all site access.
To round out its filtering features, the SOHO has a Consent feature that allows a user to choose whether they want filtered or unfiltered web access. This feature requires that you create a web page with links back to specific URLs in the SOHO for the filtering selection, and some optional pages for confirming your selection.
Hint: The URLs for this feature must be fully qualified and not contain “http://”.
You also can set IP addresses that will always be filtered. These users will get sent to another web page that you must create that contains a link back to a SOHO URL that enables the filtered session.
Beating the Virus rap…
I’ve always felt that a great feature for router/gateway products would be automatic Virus protection. After all, the threat to your network from viruses, trojans and other such nasties is at least as great as the “open port” danger that everyone seems to focus on. McAfee Clinic’s VirusScan on-line product has taken a big step toward providing this automatic protection, and SonicWall has taken this automatic protection to the next level:
- First the SOHO will automatically install Anti-Virus protection on every PC on your network.
- Second, the SOHO automatically updates the software as soon as a new DAT file or engine is available instead of the scheduled once per week update provided by McAfee’s Clinic.
- Finally, if the software has been deactivated or uninstalled on a LAN Client, the SOHO will reactivate and/or reinstall it on the PC.
The catch for all this magic is…you guessed it… it ain’t free. You need to purchase a subscription for each system on your LAN that you want to be protected. Subscriptions cost $30/user/year, the same as a McAfee Clinic subscription would cost you. This wonderfulness is also only available for Windows based machines. MacOS, Linux, and others will have to continue to protect themselves the old-fashioned way.
Had enough? Hope not, since we’re only half way through!
Blocking and Logging
As described on our “How Firewalls Work” page, all NAT based routers do some sort of “stateful Inspection”. The difference in NAT firewalls is how much inspection they do, and the SOHO does a lot!
The SOHO’s focus is on blocking Denial of Service (DoS) attacks and port scans, and it appears to do it well. I tried both a port scanning program which scanned ports used by common Trojan and similar attacks and also a Network Management tool which mapped networks by pinging ranges of IP addresses. In both cases, the SOHO logged and blocked the scans, and emailed me an Alert (more about that later). It even properly identified the program being scanned for in some cases. I didn’t check any of the SOHO’s DoS attack blocking capabilities, mainly because I didn’t have time to locate an attack program.
The SOHO has many logging features. You can select what’s logged, and what is considered an Alert. There’s also a Log Redundancy filter that’s enabled by default that prevents duplicate consecutive log messages from being logged. These messages can be common, due to things like network retry mechanisms, and SonicWall recommends keeping the filter enabled to avoid unnecessarily filling up the log too soon. If the log does fill up (which shouldn’t happen due to the automatic log emailing feature), you can choose between clearing the log and shutting down the SOHO in order to preserve the log data. Detailed logging to a Syslog server is also supported if you really want the gory details (if you need a Windows or MacOS Syslog client, go to this page).
But what good is all this stuff if you don’t remember to check it? The SOHO helps you out there, too, with log and alert emailing. You can email the log to one email address at a specified daily or weekly time, or when the log fills up. Alerts are sent within seconds of detection, to a separately defined email address from the log email address.
Unlike the inexpensive routers which have recently added logging capability, the SOHO does not keep a log of Web site access. Instead it performs three rolling analyses, which can be viewed, but not emailed:
- Top 25 Most Accessed Web sites
- Top 25 Bandwidth users by IP address
- Top 25 Bandwidth consumers by service (Port and Protocol)
These reports will give you a quick idea of where your bandwidth is going. You can enable and disable data collection and clear the accumulated data, but can’t save it.
That about does it for logging and reports.
Keeping it private
Those of you who need to use either PPTP or IPsec based VPN tunnels to connect to another network won’t be disappointed by the SOHO. Contrary to what you may believe from reading the SOHO’s product descriptions, you don’t have to buy a $500 VPN upgrade to get VPN capability. The SOHO handles VPN passthru for both unlimited PPTP and IPsec clients and will support a PPTP server as long as you establish the proper Public Server via the Access features (see this page for info on doing this). Note that your clients will need to be running the appropriate VPN client software for this “free” VPN capability.
So why would you want to spend $500? The simple answer is that you need the VPN upgrade if:
- you want to establish IPsec based VPN connections from the WAN to machines on the LAN, i.e. allow remote users to securely access LAN clients via your IPsec server
- you want to establish a “box-to-box” VPN with another SonicWall product, to connect two offices, for example
- you don’t want to run VPN client software on your clients, but want the SOHO to terminate the VPN “tunnel” from a remote VPN server instead.
If you want to do any of the above, you might be better off with the SOHO Telecommuter. The Telecommuter has the SOHO’s capabilities, plus the VPN “upgrade” built-in. The trade-off is that it supports 5 vs. the SOHO’s 10 users, but at an on-line price of $500, it’s a much better deal than a $370 SOHO plus a $500 upgrade! By the way, the SonicWall VPN is compatible with IPsec VPNs like the Check Point Firewall-1, Cisco PIX, Nortel Contivity and Axent Raptor.
Remote users accessing your VPN enabled LAN will need VPN client software, which can be downloaded from the SonicWall site.
Advanced (?!) features
After wading through all the features, many of which are considered “Advanced” on other routers, I thought “What could they possibly have on this ‘Advanced’ menu?” Answer: Features that really are advanced, and probably beyond the scope of most small LAN users. But read on and decide for yourself!
The first Advanced tab allows you to automatically send all HTTP requests to a Proxy server instead of directly to the Web, without having to change any LAN client browser settings! Not really a small LAN feature, this allows web page requests to be filled by a local proxy server instead of going out over the web to fetch the page. Done properly, this can conserve bandwidth (done badly, it really ticks off users). The catch is that the proxy server must be located on the WAN side of the router. If your ISP has one of these servers, you can experiment with enabling and disabling it to see if it really speeds web browsing, and not have to mess with changing anyone’s browser settings.
This feature allows you to use the SOHO to protect only some machines connected to it. You can enter up to 64 IP address ranges and have those ranges be attached either to the SOHO’s LAN or WAN port, or use the normal configuration of having the WAN link attached to the SOHO router.
I have to confess that I found this feature hard to follow and even this FAQ didn’t help much, except to explain that most people probably wouldn’t use this feature, and that you can’t use this feature and NAT routing together.
Moving right along, we come to the third tab that allows you to set static routes in cases where you use the SOHO on a LAN with other routers and want machines behind each router to find each other. Note that the SOHO does not support any dynamic routing protocols such as RIP, since SonicWall feels that they are insecure (see this FAQ).
Hidden deep in the bowels of the SOHO’s menus is this neat little feature, usually found only on enterprise grade routers. To use it, though, you’ll need to have more than one IP address from your ISP. If you do, then One-to-One NAT allows you to set up multiple Public Servers that can be assigned to different IP addresses. See this example of three LAN based webservers assigned to three WAN IP addresses.
If your brain hurts, just hold on ‘cuz we’re coming into the home stretch!
But wait, there’s more!
The SOHO has a number of features that don’t fit neatly into one of the previous categories of this review, so I’ll use my favorite review shortcut: the List:
- You can restart the SonicWall from the Management Interface as well as from a button on the back of the box.
- You can Import and Export router settings (to make it easy to restore your settings after a firmware upgrade), or reset them to factory defaults.
- Firmware upgrading is done via a browser Java applet that worked just fine with my Netscape 4.5 browser. You do have to download the firmware file to a machine on your LAN first, however. You can also ask to be notified when new firmware is available.
- You have five built-in Diagnostic tools including DNS lookup, Traceroute, Ping, Packet Trace, and “Tech Support Report” that will dump a file that can help SonicWall engineers help you debug problems with your router.
- There’s a full featured LAN DHCP server, which you can control pretty much everything on, including Lease time and reserving IPs according to MAC address. You can also shut it off! The DHCP Status screen shows you all active IP to MAC address bindings. You can’t, however, manually end a DHCP lease.
I think, finally, that’s it for features.
Speed is not my middle name…
As I hinted back on Page 1, the SOHO does not have routing speed to match its impressive feature set. Although it uses a 33MHz Motorola 68030 processor with 4MB of RAM and 2MB of Flash memory (and tells you so right on the first screen that you see when you enter the Management Interface), this processing power doesn’t match the speeds of the more recently designed inexpensive routers. Read ’em and weep…
All numbers are in Mbits per second (Mbps).
(Details of the measurement method can be found here.)
Although these numbers are plenty fast for most broadband connections, they’re no match for the speeds of the more recently designed boxes like the Netgear RT314 / ZyXEL P314 twins. (Of course the 314’s features and admin interfaces are no match for the SOHO’s either!)
Since I’ve started to use netIQ’s (formerly Ganymede) free QCheck utility for my wireless speed tests, I thought I’d give it a shot with the SOHO.
[QCheck results table, only partially preserved: Response Time (ping): 8ms avg / 8ms avg; the Throughput (1MByte file transfer) and UDP Streaming (10 sec duration) rows were not recovered.]
The Throughput tests were consistent with my Wireless testing findings in that they showed higher numbers than my browser-based file transfer test shows. This is because Qcheck does not include any protocol overhead, such as headers, trailers, flow control, and connection setup in its calculations (see the Qcheck FAQ for more info). The UDP Streaming test was the strongest evidence that the SOHO’s router just couldn’t keep up with faster data streams, especially on the LAN to WAN test. The nice thing about using the QCheck program is that it’s easy to use and freely available so you can run your own tests.
I have mixed feelings about finally testing the SOHO. On one hand, I finally have first-hand experience with this much-praised product and can more confidently answer questions about it. On the other hand, it’s definitely going to be hard to go back to looking at less-featured products and be impressed!
If I were SonicWall and wanted to own the low-cost router market, I’d do a couple of things:
- get a faster processor and whatever else needed into this puppy to speed it up.
- bring back the single port version (which you can still find as a WebRamp700s…but the one priced for $200 or so) but with a 10/100 autosensing LAN port.
- get the price as low as you can…$150 would be excellent.
- promote the hell out of it.
And if they could get the SOHO to host Quake3 and Unreal Tournament servers without disconnect problems, then they’d really have something!