The article first appeared in Tom’s Hard News Email Newsletter
This review is provided courtesy of Tim Higgins of SmallNetBuilder.com. We are very glad to work with Tim, who has been a great source of knowledge and information on networking products since he founded Practically Networked. Today, Tim is running SmallNetBuilder.com, which we encourage you to visit. We hope to feature more of Tim’s reviews and articles on networking and networking products.
Copyright© Tim Higgins 2002. All rights reserved.
RF550VPN RouteFinderVPN Internet Security Appliance
The RF550VPN RouteFinderVPN Internet Security Appliance is MultiTech’s entry into the dog-eat-dog world of inexpensive VPN endpoint routers. Does the fact that the product doesn’t use a hardware co-processor give MultiTech a serious disadvantage? That’s one of the questions that I set out to answer…
Basic Features
The 550VPN looks like MultiTech’s other non-VPN RouteFinder series, packaged in a plain, beige box that’s not really designed to be stacked. All indicators are on the slightly rounded and sloped top surface of the unit, toward the front. Each of the four switched 10/100 LAN ports has its own Link/Activity, 10/100, and Full-Duplex/Collision indicators. The 10Mbps Ethernet WAN port has Link, Transmit, and Receive indicators; the serial WAN port has Transmit/Receive Data and Data Carrier Detect lights; there’s a Power light.
All connectors are on the rear panel, and include four RJ45 10/100 Ethernet connectors, a DB9-M serial port, 10Mbps WAN Ethernet port, and a 5VDC power connector. All of the LAN ports are auto MDI/MDI-X, which means that you can connect any 10/100BaseT Ethernet device with either a normal or crossover cable, and the port will configure itself so that you get a connection. This eliminates the need for a dedicated or switchable “uplink” port, and is a feature that I’d like to see all consumer routers and switches have.
The serial port is used to connect to an external modem or ISDN Terminal Adapter, making the 550VPN one of the few inexpensive IPsec endpoint routers that support these WAN connection methods. You can use the serial port as your only Internet connection, or as an auto-failover backup in case the Ethernet-connected broadband connection goes down. Serial port rates up to 460800bps are supported, as well as idle-time timeouts from none to 90 minutes, a static IP address, and modem initialization strings.
MultiTech doesn’t supply any cables with the router, but does include a 60-page Quick Start Guide that initially appeared to me to be the User Manual! Not to worry, however, there is also a separate User Manual in PDF version on an included CD, and other goodies on this CD include trial or freeware versions of TZO’s Dynamic DNS client, Kiwi Enterprises’ Syslog daemon, and MailServer Lite.
One of the computers connected to the 550VPN was running WinXP Home, and I was surprised to see an Internet Connection icon appear in XP’s System Status area. When I clicked on the icon to check it out, to my surprise I found that the router supports Universal Plug and Play (UPnP), even though MultiTech doesn’t mention this in any of their literature (but MultiTech did confirm this after I inquired). The support seems about on par with the implementation in the D-Link DI-804 [for more info see our UPnP-enabled router NTK], but seemed a little buggy. Sometimes it would show ports automatically opened for Windows Messenger, while at other times it indicated nothing when I clicked on the Settings button in the Internet Connection Properties window. The connection Disable button also seemed to have no effect.
Setup & Installation
MultiTech’s user interface has come a long way from the RouteFinder line’s early days, and today is on par with what you’ll find in most consumer-class routers. All administration is done through a web browser, including firmware updates (once you download the firmware file from MultiTech). Opening the router’s default address of 192.168.2.1 brings you to the main screen shown below.
From this screen, you can go to any of the router’s main admin categories, or start a Setup Wizard that will walk you through the screens you’ll need to get the router connected (and authenticated) to your ISP/BSP.
Setup & Installation, Continued
All the “usual suspects” of connection types are supported, along with the less-common PPTP required by some European BSPs. Controls for various authentication methods are logically grouped and disabled by default. If you need to use a particular method, you just check a box to enable it and fill in the required information.
Tip: The default setting has the WAN port set to be a DHCP client, no authentication used, and the dialup modem auto-failover feature disabled.
Like other current generation routers, the 550VPN automatically checks an NTP server (you can’t select which one, however) for the correct time once it gets connected to the Internet. So, all you have to do is select your Time Zone on the first Setup Wizard screen and all your log entries will be properly date/time stamped.
My main complaint with the setup is that changing any setting requires a slow reboot cycle that takes about a minute. This is definitely a pain when you’re trying out the router’s various features. I also found the ten second auto-refresh of the Device Status screen (shown below) and VPN status screens (not shown) to be annoying, with no way of disabling the auto-refresh.
That’s it for the basics. Let’s go check out the firewall’s features…
Firewall
The 550VPN uses a NAT-based firewall, with a typical set of features. You can statically forward up to 16 ports or port ranges (no protocol selection), and put one computer in DMZ (outside the firewall). But you can’t leave port forwarding information in the router and just disable the forwarding. You have to delete both the port and IP information to shut off the forwarding. On the other hand, people who run servers will appreciate that server “loop back” is supported.
Tip: See this page of our Hardware Router NTK – Terminology Guide for an explanation of “loop back.”
Filtering options include both WAN and LAN port filters, and URL filters. The port filters work by letting you define groups of port ranges and IP addresses that you set for either blocking or passing data. You can also set default rules for blocking or passing data on all LAN-to-WAN and WAN-to-LAN ports, which can be a little confusing. When I first tested the LAN port filtering, I checked the “LAN side filter enabled” box, changed the default filtering from “Pass” to “Block,” and set a filter for FTP service. I was then surprised to find that not only FTP, but also mail and web access were blocked. Once I re-examined the settings, I discovered my error, changed the default filtering back to “Pass,” and things worked as expected. I would have liked the option to leave filters programmed but enable/disable them, and the option of logging access attempts to filtered ports, but neither was available. Another drawback is that you can’t define a “trusted user” to whom the filters don’t apply, nor can you enable filters by time of day.
URL filtering is simple: you enter any portion of a website address (not including “http://”) for the sites you want to block. The filter does a wildcard match of the entered string against the URL, and if there’s a match, a “blocked” message appears on the user’s screen. Logs of access attempts for URL-filtered sites aren’t sent to the syslog stream (more on that later), but can be emailed to a single email address immediately, hourly, daily (you specify the hour), or when the log fills up.
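The two filter types described above, modelled in a short added example (not MultiTech’s code): it reproduces why “default Block plus one FTP filter” also cut off mail and web, and shows that the URL keyword match is a plain substring match. The first-match-wins order and the CIDR form of the address range are assumptions, not documented behaviour.

```python
# Added example, not MultiTech's code: a small model of the 550VPN-style LAN
# port filters and URL keyword filter. The matching order of the real firmware
# is an assumption; the point is the default-rule semantics that tripped up
# the review's first test.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class PortFilter:
    ports: tuple   # (low, high) inclusive destination port range
    hosts: str     # LAN address range the filter applies to, as CIDR (assumed form)
    action: str    # "Block" or "Pass"


def evaluate(default_action, filters, src_ip, dst_port):
    """First matching filter wins; with no match the default LAN-to-WAN rule applies."""
    for f in filters:
        in_ports = f.ports[0] <= dst_port <= f.ports[1]
        in_hosts = ip_address(src_ip) in ip_network(f.hosts)
        if in_ports and in_hosts:
            return f.action
    return default_action


SERVICES = {"ftp": 21, "smtp": 25, "http": 80}
FTP_FILTER = [PortFilter((21, 21), "192.168.2.0/24", "Block")]


def first_attempt():
    """Default changed to Block plus one FTP filter: every unmatched service is blocked too."""
    return {svc: evaluate("Block", FTP_FILTER, "192.168.2.10", p)
            for svc, p in SERVICES.items()}


def corrected():
    """Default left at Pass: only the FTP filter's port is blocked."""
    return {svc: evaluate("Pass", FTP_FILTER, "192.168.2.10", p)
            for svc, p in SERVICES.items()}


def url_blocked(url, keywords):
    """Wildcard-style match as described: a keyword anywhere in the URL (scheme
    stripped) blocks it. Being a substring match, short keywords also catch
    unrelated sites."""
    target = url.split("://", 1)[-1]
    return any(k in target for k in keywords)


if __name__ == "__main__":
    print("default Block + FTP filter:", first_attempt())
    print("default Pass  + FTP filter:", corrected())
    print(url_blocked("http://downloads.example.net/", ["ads"]))  # True: 'ads' is inside 'downloads'
```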
Enough about the firewall. On to the VPN features!
VPN
Tip: If you’re new to the subject of VPNs, take a look at our VPN FAQ and VPN Links & Tools sections.
The big question in my mind was what kind of IPsec performance do you get without a hardware co-processor to handle the IPsec encryption chores? MultiTech actually specs VPN throughput at 700kbps, so my job was to determine how ‘real’ that number was. Before I tell you what I discovered, though, I’ll hold you in suspense a little longer and run through the endpoint setup features first.
The 550VPN’s tunnel configuration features will be plenty flexible if you’re using a pair of them to set up an IPsec VPN between two sites, and MultiTech provides four setup examples in their Quick Start and User Guides that should help get you going.
I used a subnet-to-subnet configuration with static IPs for the remote gateways, and IKE (automatic) Association mode to set up my test tunnel between two 550VPNs. The setup screen for one router is shown above. Note that I had to change the base IP address of one of the routers from the factory-default 192.168.2.1 to 192.168.5.1, so that the routers (and I!) wouldn’t get confused trying to route between two identically-numbered subnets. I would also recommend using a more secure pre-shared key than I did.
If you need finer control over your tunnel setup, you can choose Manual Association mode, which changes the screen to indicate the different setup options shown below. Note that neither mode gives you control over what happens during Phase 1 and 2 of tunnel setup.
VPN, Continued
I had no trouble getting my test connection established once I had finished entering the setup information: all I had to do was try to access a computer on the “remote” end of the tunnel, and the routers established the tunnel automatically. That was very fortunate, because, although there’s a button in the VPN status log to drop a connection, there’s no “connect” button anywhere to be found.
Finding a computer on the remote end, however, presented more of a challenge, since the 550VPN does not support NetBIOS broadcast. This means that remote computers won’t appear in Network Neighborhood (or My Network Places) and you’ll have to do a little more work to connect to them.
Tip: See this tip in our VPN FAQ section for information on how to work around not having NetBIOS broadcast.
You’ll also need to do some detective work to see what’s happening during tunnel setup if you don’t get a tunnel up and running on your first try. Although there’s a VPN status screen in the router’s admin interface, there’s no log of VPN-related activity. You’ll have to set up a syslog server/daemon (MultiTech supplies one on the CD), enable logging to it, and then read the logs with the syslog server application. The logs include all logged events, however, not just VPN-related traffic, and I found it hard to focus on just the VPN-related events. Given that most VPN novices are not likely to get a successful connection on the first try, the lack of an easily accessible VPN log is a major weakness of the 550VPN. MultiTech has remedied this limitation by supplying a VPN log within the browser admin interface in the 4.62 version of the firmware that is available now.
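One way to cope with the mixed syslog stream described above, as an added example (not MultiTech’s or Kiwi’s code): pull out only the VPN-related lines and report how far IKE setup got before it stalled. The log lines are constructed for illustration; the 550VPN’s real message format is not documented on this page, so the “ike:” tag and the phase wording are assumptions.

```python
# Added example, not MultiTech's or Kiwi's code: pick the VPN-related events out
# of a mixed syslog stream and report how far tunnel setup got. The log lines are
# constructed; the router's real tag names and phase wording are assumptions.
import re

SAMPLE_SYSLOG = """\
<14>Jun 12 10:01:02 rf550 dhcpc: lease renewed on WAN, 10.0.0.15
<14>Jun 12 10:01:05 rf550 ike: initiating phase 1 with 10.0.0.20
<14>Jun 12 10:01:06 rf550 firewall: dropped TCP 203.0.113.9:4444 -> 10.0.0.15:135
<14>Jun 12 10:01:07 rf550 ike: phase 1 established with 10.0.0.20
<14>Jun 12 10:01:08 rf550 ike: phase 2 proposal rejected by 10.0.0.20 (no matching SA)
<14>Jun 12 10:01:20 rf550 dhcps: offered 192.168.2.12 to 00:11:22:33:44:55
"""

# BSD-style syslog line: <PRI>timestamp host tag: message
LINE_RE = re.compile(
    r"^<\d+>(?P<ts>\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<tag>\w+): (?P<msg>.*)$")
VPN_TAGS = {"ike", "isakmp", "ipsec", "vpn"}
FAILURE_WORDS = ("rejected", "failed", "timeout", "no matching", "invalid")


def vpn_events(stream):
    """Return (timestamp, tag, message) for the lines whose tag looks VPN-related."""
    events = []
    for line in stream.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("tag").lower() in VPN_TAGS:
            events.append((m.group("ts"), m.group("tag").lower(), m.group("msg")))
    return events


def setup_stage(events):
    """Furthest IKE stage reached ('none', 'phase1', 'phase2') and the first failure message, if any."""
    stage, failure = "none", None
    for _, _, msg in events:
        low = msg.lower()
        if "phase 2 established" in low:
            stage = "phase2"
        elif "phase 1 established" in low and stage == "none":
            stage = "phase1"
        elif failure is None and any(w in low for w in FAILURE_WORDS):
            failure = msg
    return stage, failure


if __name__ == "__main__":
    ev = vpn_events(SAMPLE_SYSLOG)
    for ts, tag, msg in ev:
        print(ts, tag, msg)
    print(setup_stage(ev))  # ('phase1', 'phase 2 proposal rejected by 10.0.0.20 (no matching SA)')
```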
Okay, then, enough about the configuration! How does this sucker work? A look at the table below shows that MultiTech is actually on the conservative side in their 700kbps spec, with throughput measured at 740 and 750kbps. Response time (latency) is a little higher than you normally see in non-VPN routers, but still acceptable; but UDP streaming results indicate that the router was having difficulty keeping up with UDP data coming at it at 500kbps. Performance was the same in both Local-to-Remote and Remote-to-Local tests for all tests.
Although throughput is almost eight times slower than the Linksys BEFVP41 (which does have an IPsec co-processor chip), I wouldn’t rule out the 550VPN on the basis of speed alone. There are plenty of DSL connections running below 500kbps, and many cable modem systems routinely run well below the 1 to 1.5Mbps that they love to talk about, so a 700kbps IPsec tunnel may not be such a limiting factor.
Logging and other features
I’ve already covered the fact that most of the 550VPN’s logging requires running a syslog server or daemon, and that MultiTech supplies a freeware version of Kiwi Enterprises’ syslog program.
Tip: See this page of our Links & Tools section for other syslog servers.
The one log you do get in the browser admin interface is the Intruder Detection log shown above, which only records events that the router considers to be evidence of someone on the Internet side of the router trying to reach a machine on your LAN without being contacted first. For everything else, you’ll need to rely on the syslog function.
Other Features
The router has a few other features that I haven’t covered yet, so I’ll just run down the list quickly:
- You can set the router’s MTU (Maximum Transmission Unit) value (useful in getting some PPPoE-based connections to work).
- You can set and view static routes (useful in networks that have more than one subnet).
- Dynamic routing protocols RIP1, RIP1-compatible (transmit only), and RIP2 (send and receive) are supported.
- You can save and load the router’s configuration.
- You can reboot the router.
- Firmware upgrades are done entirely via web browser (after you download the zipped firmware file).
- You can enable the router to respond to ping requests (this is disabled by default, which is good security practice).
- Dynamic DNS support is built-in for using dyndns.org. Free trial for TZO Dynamic DNS service included on CD.
The 550VPN can be administered from its WAN side by enabling access and entering a single IP address of the computer that you’ll use for administration. You can also change the port that the admin HTTP server resides on from its default of 80. You’ll want to do this if you have a web server on your LAN that you need to forward, or if you just want to make your admin server a little harder for the bad guys to reach. A more secure way to administer the router remotely is to simply go through the VPN tunnel and use the normal admin IP address of 192.168.2.1 (or whatever the base address is to which you set your router).
The 550VPN allows only one administrator at a time (a plus), and greets the second would-be administrator with a message that includes the IP address of the person who is currently logged in as administrator (possibly a big negative). If this happens, you can wait for the admin time-out (set to five minutes of inactivity and you can’t change it) to kick in, or just hit the logout button that’s always available in the left hand button bar.
Feature Tables
Basic Info

| Feature | Value |
| --- | --- |
| Universal Power Supply? | Yes |
| Built-in Print Server? | No |
| Print Server notes | N/A |
| Remote Access Server? | No |
| UPnP support? | Yes |
| UPnP notes | No Info |
| Other notes | No Info |

LAN Side Info

| Feature | Value |
| --- | --- |
| Number of ports | 4 |
| Port Speed | 10/100 |
| Switched? | Yes |
| Uplink? | Yes |
| HPNA Port? | No |
| Wireless A.P.? | No |
| Other LAN port notes | All LAN ports are auto MDI/MDI-X, so can be used as normal or ‘uplink’ ports. |

WAN Side Info

| Feature | Value |
| --- | --- |
| WAN Interface | One 10BaseT RJ45 jack |
| WAN Dialup Support | Yes |
| Other WAN Notes | Supports auto-failover to dialup when WAN connection drops |

Authentication

| Feature | Value |
| --- | --- |
| PPPoE? | Yes |
| Set Host Name? | Yes |
| Set Domain Name? | Yes |
| Set WAN MAC address? | Yes |
| Authentication notes | Also supports PPTP client and connection/ID name |

LAN DHCP

| Feature | Value |
| --- | --- |
| Maximum Clients | 253 |
| LAN DHCP Server disable? | Yes |
| LAN DHCP Server notes | Can set DHCP address range; can lock IP addresses to client MAC addresses |

Administration

| Feature | Value |
| --- | --- |
| OS:Windows? | N/A |
| OS:Mac? | N/A |
| OS:Linux? | N/A |
| OS Notes | OS neutral |
| Admin. Method | HTTP |
| Admin. Notes | All admin via web browser |
| Upgrade Method | HTTP |
| Upgrade Notes | Upgrade via web browser using downloaded file |

Firewall Features

| Feature | Value |
| --- | --- |
| Firewall Type | NAT |
| Exposed Server / “DMZ” | Yes |
| Multi-NAT? | No |
| Multi-NAT notes | N/A |
| Access Controls (Port Filtering)? | Yes |
| Access Control notes | Can set separate LAN and WAN filters (16 each) to block or pass ranges of ports for ranges of IP addresses; can choose TCP, UDP, or both protocols |
| Single Port Forwarding? | Yes |
| Port Range Forwarding? | Yes |
| Triggered Port mapping? | No |
| Port Forwarding notes | 16 single ports and 16 port ranges are allowed; forwarded server ‘loopback’ is supported |

Content Controls

| Feature | Value |
| --- | --- |
| Content Controls? | Yes |
| Content Control List Subscription? | No |
| Time Enabled Content Controls? | No |
| Content Control Notes | Can enter 32 URL ‘keywords’ for website blocking. ‘Blocked by’ message presented to user when trying to access a blocked site, but not flagged in logs. |

VPN Client

| Feature | Value |
| --- | --- |
| PPTP Pass-Thru? | Yes |
| IPsec Pass-Thru? | Yes |
| L2TP Pass-Thru? | No |
| VPN Client Pass-Thru Notes | Up to 8 PPTP and 1 IPsec concurrent sessions. All pass-thru sessions must go to the same server. |

VPN Server

| Feature | Value |
| --- | --- |
| PPTP Pass-Thru? | Yes |
| IPsec Pass-Thru? | No |
| L2TP Pass-Thru? | No |
| VPN Client Pass-Thru Notes | No Info |

VPN Other

| Feature | Value |
| --- | --- |
| Endpoint? | Yes |
| Hardware coprocessor? | No |
| Endpoint notes | Up to 5 IPsec tunnels; DES, 3DES encryption; Perfect Forward Secrecy; MD5, SHA-1 authentication (manual mode only); manual or IKE key management |
Performance
I discovered a problem with the Qcheck endpoint that was causing the UDP streaming tests to fail in both directions. After I corrected the problem, the tests showed the WAN-LAN direction was starting to hit the wall at 500kbps, but LAN-WAN had no problem. Throughput is in line with most current generation routers and is more than adequate for virtually any broadband connection, with performance pretty much the same in both directions.
How We Test VPN Endpoint Routers
Our setup for testing routers with built-in VPN endpoints is straightforward.
- We try to get two of whatever product we are testing so that we minimize setup hassles.
- We connect both routers’ WAN ports to each other by plugging them into our main router’s LAN ports.
- The test VPN routers’ WAN ports are set to be DHCP clients and get their TCP/IP information from the DHCP server in the main router.
NOTE! Although the main router is connected to the Internet, all VPN traffic between the routers under test stays local behind the main router’s firewall.
Conclusion
In all, MultiTech seems to have produced a nice IPsec endpoint router for folks with light to moderate IPsec VPN needs. The limit of five IPsec tunnels shouldn’t be much of a problem, since you can have multiple users per tunnel. And the 700kbps or so tunnel throughput will be fine for the file sharing and remote-access needs of many users, especially those with lower priced (and lower speed) DSL connections, or those taking advantage of the router’s dialup/ISDN WAN connection ability. Users who are heavily reliant on Microsoft Messenger or Remote Desktop features will also appreciate UPnP, with its NAT Traversal feature.
That said, there’s still some work to be done on the IPsec endpoint. Tunnel setup logging is definitely needed (and will be ready shortly, according to MultiTech), and buyers who need to connect to something other than another RouteFinder VPN will likely need some additional setup options, especially if they need exact control over what happens during Phase 1 and 2 tunnel setup.
With MultiTech’s retail price as low as $112 US (at time of review), it looks like they are on the mark with their pricing. So, if you’ve been thinking about ditching your IPsec client software and letting your router do the tunneling, you might want to check out the RouteFinder VPN.
Pros
- Supports dial-up/ISDN WAN connection, including auto-failover
- UPnP support
- Email alerts
Cons
- VPN performance could limit some high-bandwidth connections
- VPN setup log difficult to access and read
- Doesn’t support NetBIOS broadcast (MS Network browsing)
- No PPTP or L2TP endpoint support
- Limited VPN pass-thru capability