Author: Tim Higgins
Review Date: 3/23/2000

Model: WG2500

Pros:– Supports IPsec and PPTP for VPN.
– Fast
– Built-in 4 port 10BaseT hub.
Cons:– Limited port mapping.
– On-line documentation only.


9/4/00 Version 2.1 firmware adds an optional Web blocking subscription service ($49/year), port range mapping, port range blocking, protocol blocking, and a limited Socks5 proxy.

5/3/00 PPPoE support added via Version 1.5.7 firmware update.

The Basics

The SOHO is packaged in a small, bright red box.  All 10BaseT RJ45 jacks (one WAN, 4 LAN, no uplink) are on the rear panel of the unit, along with the power adapter input (the router is powered by a small external power unit).  One normal UTP cable is included with the product.

The front panel has a full complement of indicator lights including:

  • On and Mode (“Mode” blinks if the unit isn’t happy)
  • WAN Link & Data
  • Link & Data for each of the 4 built-in 10BaseT hub ports

There is no reset button on the unit, but a “Reboot” button is available via the web-based administration pages.


The Setup

WatchGuard / BeadleNet has improved the installation process from when I tested the BeadleNet SOHO2000.  Although the one page “installation guide” that comes with the unit still tells you to go to a web page to register your unit, you no longer must register your unit in order to obtain the installation instructions (which you can view here).  You do have to register, however, in order to gain access to the HelpSupport and Live Security pages of the router admin screens.

The SOHO has browser based administration, and sets up easily.  You just power up the SOHO, plug a computer with its TCP/IP set to obtain an address automatically (or from a DHCP server) into one of the WAN ports, boot the computer, launch your web browser, and enter into your browser Location box.

If everything is working, you’ll get the Admin page opening screen. NOTE: The Admin pages are not password protected by default, but you can set a password on the User Information Admin page.

When I opened my router’s admin page,  the page included a clickable link telling me that a software update was available.  Even nicer was the fact that all I had to do to update the router firmware was to click on the link!  No searching for a firmware updater. No inability to update because I’m using a non-Windows computer. No futzing with selecting a router and selecting a firmware code update file.  All routers should be this easy to update! (Hey, you other guys!  Are you listening?!)

Although there’s a System Status page that summarizes your SOHO’s setup (and contains the WAN port MAC address that you’ll need for some MediaOne affiliates’ setup and the router Reboot button), you’ll have to visit the Public Network, Private Network and Firewall pages to complete your router setup.

The Public Network screen lets you set the WAN port to either have its IP address info set manually or pick it up from your ISP’s DHCP server.  You can input a computer name and Domain name (which @Home users will need) and specify a primary and secondary DNS server.  There isn’t any provision for the TAS login that some RoadRunner users need, however, and PPPoE isn’t supported, although a firmware upgrade is scheduled for April.

The Private Network (LAN) screen lets you Enable/Disable the DHCP server and set the server’s base address, subnet mask and first address that the server will issue.  The base SOHO will hand out only 10 addresses.  You can upgrade it to handle either 25 or 50 users, however.

Fun with the Firewall

Since security is WatchGuard’s business, they did a good job of clearly describing Firewall settings.  There are two views into the Firewall settings, Basic and Advanced.

The router default is to deny all incoming data.  The Basic settings use drop down boxes to select common services to map to the IP addresses in the SOHO’s DHCP server range.  You can specify up to 5 port mappings.  The only other thing that the Basic screen lets you do is to enable “Web Activity Tracking”.  However, this feature isn’t yet implemented.

If you click on the Advanced screen (no password protection to access it), the dropdown boxes disappear in the port mapping section and you enter the port number and IP addresses directly.  You still only get 5 single port to IP mappings.  You can’t specify TCP or UDP and you can’t forward port ranges.  Although this keeps things simple, it’s limited, especially considering the price of the SOHO.
Update 9/4/00 Version 2.1 firmware adds port range mapping & Socks5 proxy for ICQ and IRC.

Further features available in Advanced mode are:

  • You can set one IP to have “DMZ pass through”, which places it outside the SOHO firewall.

  • Remote logging (sent over an encrypted channel to a WatchGuard log host only)

  • Allow temporary WAN access to the SOHO’s admin HTTP server.
    (This allows WatchGuard support to see and/or fix problems in your setup.  It times out after 10 minutes.  If you want constant WAN access to the server, you’ll have to map a port. If you do this be sure to set a password on the User Information page!)

  • Disable Microsoft Networking from LAN to WAN.


Other Features

WatchGuard has given the SOHO very flexible VPN capability.  You can have multiple PPTP and IPsec clients on the LAN and you can also host one each of a LAN-side PPTP and IPsec server.  I didn’t check either of these capabilities.

The SOHO doesn’t have detailed logging capabilities, but it does have a Network Event log and a Network Statistics feature.

When you register the SOHO, you can also register for the WatchGuard’s Live Security feature.  Live Security alerts you to SOHO firmware updates (as I found out when I installed the SOHO and described above), allows you to easily update your firmware, and subscribes you to an email list that periodically delivers security related information including new Virus alerts.  These Live Security emails are archived and you can access them by clicking on the Live Security link in the SOHO admin page Navigation bar.  I was unable to access any of the archives after repeated attempts, however.



The SOHO passed my download test with flying colors, clocking in between 
4.3 and 4.5Mbps
. The SOHO might be even faster than my measurements, because my baseline computer to computer measurement without the router was pretty close to what I measured with the SOHO in between.

I also checked LAN to WAN transfer speed, since some users will be hosting FTP, HTTP, or other servers behind the SOHO.  Some of the other products I’ve tested have had noticeably slower LAN to WAN vs. WAN to LAN routing speed, but not the SOHO.  The LAN to WAN measurement was virtually the same as the WAN to LAN performance. Impressive!  Note that I did not test simultaneous routing in both directions.  I encountered no corruption, timeout or other problems during the tests.


The downside

Like its competitors, the SOHO doesn’t do everything. Here’s the list:

  • No detailed traffic logging.

  • No content filtering.
    Update 9/4/00 Version 2.1 firmware adds an optional Web blocking subscription service ($49/year)

  • No access control
    Update 9/4/00 Version 2.1 firmware adds port range blocking & protocol blocking. Blocking applies to all machine on the LAN, i.e. you can’t block specific ports/protocols on specific machines.

  • No support for the RoadRunner TAS login protocol


Summary Updated 9/4/00 

The SOHO has a lot going for it.  It’s fast, includes a 4 port 10BaseT hub, supports PPTP and IPsec clients and servers, has the best software update process I’ve seen, and the Live Security feature supplies a steady stream of Internet security information.

On the downside, although port forwarding has been improved, the SOHO doesn’t have the triggered maps that lower priced competitors now have. Also, its hub is 10BaseT vs. 100BaseT, and its price point is high, (although close to or below most other IPsec capable products).  I also found its Web site-based-only documentation system inconvenient and somewhat frustrating at times. (In fact, during the course of preparing this review, the WatchGuard site was temporarily unreachable more than once.)  I would prefer to see some sort of user documentation included with the SOHO, even if it is on CD-ROM rather than printed.

On the whole, the SOHO’s a capable unit, and I’d expect WatchGuard’s toll-free 24/7 support to be a cut above its competitors, given WatchGuard’s focus on the corporate market. But the competition’s catching up fast in features and pressing downward on price, so WatchGuard better keep their design team busy!