Firewall/router suggestions?

Phrederik

Hey all!

I'm looking for a decent broadband router, preferably with a four port
switch. It definitely needs to have port translation (you hit the router on
the WAN side on port 8080 and it is forwarded to your server on port 12345
on the LAN side).

My old SMC 7004ABR router was four port and did the port translation, but
didn't offer much for logging, etc. It had issues keeping its IP leased
from my ISP, so after two RMAs I tossed it out.

I've now got a SpeedStream 1 port router that does the trick, but it's rather
slow. At $10, the price was right. It is also pretty barebones, like the old
SMC, but does work fine. I want to replace it with something faster.

I've had a Network Everywhere NWR04B(?) router that did everything I wanted
(and was wireless), except allow me to apply specific IPs to MAC addresses
in its DHCP server, so I returned it.

I picked up a NetGear MR814 and it has LOADS of features and looks pretty
cool (802.11b wireless as well), but it is missing the port translation,
which I need.

Yesterday, I reluctantly picked up another SMC VBR7004 router, that matches
the NetGear for features, but is also missing the port translation. I
stupidly assumed that it would have it because the old one also did. The
description on the box is also misleading. I'm going to have to bite the
restock fee and return it. (NO MORE SMC FOR ME!!!)

....anyhow, can someone suggest a reasonably priced broadband firewall/router
that does port translation AND allows you to reserve IPs on its DHCP
server? I really like the logging/email features of the new routers, not to
mention the "pretty interfaces" that they have, but functionality is more
important to me at this point.

Suggestions?
 
I am using the DLink DI-604. This is not a super high-power router but
it works for me. Whether it works for you really depends on how many
hosts you are going to have in your network tree that go to the router.
Although you can have its DHCP server assign up to 255 IP addresses, I
called DLink and their tech said that once you hit 15 hosts then the
amount of traffic will probably swamp the processor in the router (since
it is a switch). I only have 2 hosts on the router now and maybe might
go up to 4 at some time (this is for a home-use scenario). You don't
mention the size of your intranet so no one knows just how much
processing power would be needed within the router to handle all your
concurrent traffic to the Internet.

The DI-604 did not use to have the static IP address assignment that
you mention. It used to only provide dynamic IP addresses by DHCP.
However, in the latest firmware update, you can now configure static IP
addresses to any particular host. You use the MAC of the network card
to identify the host and assign a static IP address to it (if port 113
is enabled for IDENT/auth then you can also see the hostname). I find
this helpful on a home network because I really don't want to network
with the host(s) of other users in my home. I don't want to end up
playing admin to them all and have to run anti-virus and spyware
software and configure Messenger NT Service and worry about zombies and
so on. I have the router assign me a static IP address and then I
configure the router so none of the other hosts can connect to me. So
although we are using a router, to me it is just a link to the cable
modem and I'm protected from other "dirty" hosts. If I want to later
add a laptop or other desktop over which I manage then I can let just
that one connect to "my" private intranet.

I'm not quite sure what you mean by port translation other than you
probably mean that connections on the WAN side to port N get routed to
the LAN side to some particular host on port M. There are a couple ways
to achieve what you want. With the DI-604 you can configure a
demilitarized zone (DMZ) host. Connections to it look like it is a free
and clear host residing outside your firewall and router; i.e., to the
Internet, it is a directly accessed host, so you could run your web
server there without it going through the firewall (and any submit,
programs, data, and whatnot could be accessed from there to an intranet
host and go through the firewall). You obviously have to harden the DMZ
host as much as possible but sometimes you need an exposed host (but
your other intranet hosts are still protected).

The other technique is to define a virtual server. You define port N on
the WAN side which goes to a specific host on its port M. That way any
connections to port 80 (for a web server) that you want to make accessible
to the Internet would go to a specific host on, say, port 13538.
Actually, I've already used this but to fully stealth my network. Most
routers will NOT block port 113 for the IDENT/auth protocol. This is
because some old mail servers still use this defunct and hazardous
protocol to identify the sender, but this also leaves open a port a
hacker can test to see your network (i.e., get a response) and possibly
a host name. Even if you define a firewall rule in the router to block
port 113 and enable it, the router will not obey that firewall rule and
still will respond on port 113. I tested this using ShieldsUP at
grc.com. That was the only port that wasn't stealthed on my router so
it was a lone pimple in an otherwise fully stealthed network. The
answer was to define a virtual server on WAN port 113 that went to a
non-existent host (and port). My router is configured to assign IP
addresses in the range of 192.168.0.x, where x = 0 to 255 (actually it
is currently set to have x = 100 to 199). So I created a virtual server
on a host with IP address 192.168.255.255 because there is no way the
router's DHCP server could ever assign a 192.168.255.x address. So any
IDENT/auth requests on WAN port 113 get routed to a non-existent host,
so there is no response and I'm fully stealthed.

I have not had any problems in keeping the leased IP address for the
router that is assigned by my ISP. When you have your computer directly
connected to the cable, you could run "ipconfig /release *" and
"ipconfig /renew" if your cable segment went down and their DHCP server
didn't renegotiate a new IP address to you. Obviously that won't work
if your computer now has a router between it and the cable modem,
because the ISP's DHCP server is going to assign an IP address to your
router. So the DI-604 has the release and renew functions available for
you to do the same there.

The DLink DI-604 is rated for a 100Mb Ethernet LAN. If you want a
gigabyte LAN then you'll have to look elsewhere. Personally I don't
feel the router provides a full-blown firewall. It allows you to define
some rules. But as far as URL or domain filtering, you only get about 9
domain strings you can list. I haven't hit the max for the URL
filtering yet but obviously there is some maximum that would be much
lower than available with a firewall running on a gateway host. That's
because there is just so much memory they can put into the router. The
memory is not upgradeable to enlarge it. The DI-604 does have some
logging. It looks like it will retain up to 150 records. Mine mostly
shows the DHCP assigns along with some SYN attacks. I don't know if the
firewall events get included in the log or if I haven't had any attacks
that triggered any firewall rules (the IDENT/auth virtual server is not
really a firewall rule although it will show up in the list of firewall
rules but cannot be edited on that screen). So it isn't going to show
you any problems with e-mail (which I would assume you would want done
on your e-mail server's host, anyway).

I paid $50 for the DLink DI-604 which had a $10 mail-in rebate. I
bought it retail at Best Buy. You can get it online for $37 (and get a
$10 mail-in rebate but it expires Sept 30). For a home network, I found
it quite capable. The latest firmware update added the feature of
assigned static IP addresses. Although I don't absolutely need static
IP addresses (and I still leave the client hosts configured to use DHCP
instead of configuring a static IP address in them), it makes sure that
I can isolate my computer from other "dirty" home computers.
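The port translation the original post asks for (WAN port 8080 forwarded to a LAN host's port 12345) and the virtual-server, DHCP-reservation, DMZ and port 113 black-hole mechanics described in the reply above, modelled as an added Python example. This is not the DI-604's firmware or any vendor's code; the subnet, pool boundaries, MAC addresses and port numbers are constructed, and the offset-for-offset mapping of WAN port ranges is an assumption of the model, not a documented router behaviour.

```python
"""Model of a consumer router's port forwarding ("virtual server") table with
port translation, its DHCP reservations and a DMZ host, as discussed in the
thread. Added illustration, not any vendor's code; all addresses, MACs and
port numbers are constructed."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class VirtualServer:
    """WAN ports wan_first..wan_last -> lan_host, starting at lan_first.
    Ranges map offset-for-offset (assumption of this model); a single
    port simply maps to lan_first, which is the port translation."""
    wan_first: int
    wan_last: int
    lan_host: str
    lan_first: int

    def matches(self, wan_port: int) -> bool:
        return self.wan_first <= wan_port <= self.wan_last

    def translate(self, wan_port: int) -> int:
        return self.lan_first + (wan_port - self.wan_first)


@dataclass(frozen=True)
class RouterConfig:
    lan_subnet: str
    pool_first: str                 # DHCP dynamic pool, e.g. .100 to .199
    pool_last: str
    reservations: Dict[str, str]    # MAC -> fixed IP (the firmware's new feature)
    virtual_servers: Tuple[VirtualServer, ...]
    dmz_host: Optional[str] = None  # catch-all for inbound ports no rule claims


def classify_target(cfg: RouterConfig, ip: str) -> str:
    """How a forwarding target behaves over time."""
    addr = ipaddress.ip_address(ip)
    if addr not in ipaddress.ip_network(cfg.lan_subnet):
        return "blackhole"   # no LAN host can hold it: packets go unanswered
    if ip in cfg.reservations.values():
        return "reserved"    # stable address, the right target for a forward
    if ipaddress.ip_address(cfg.pool_first) <= addr <= ipaddress.ip_address(cfg.pool_last):
        return "dynamic"     # lease may move to another machine; forward breaks
    return "static"          # outside the pool: must be configured on the host


def validate(cfg: RouterConfig) -> List[str]:
    """The checks a router UI that accepts WAN port ranges should be doing."""
    problems = []
    rules = cfg.virtual_servers
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            if a.wan_first <= b.wan_last and b.wan_first <= a.wan_last:
                problems.append(f"WAN ports {a.wan_first}-{a.wan_last} and "
                                f"{b.wan_first}-{b.wan_last} overlap")
        if not 1 <= a.wan_first <= a.wan_last <= 65535:
            problems.append(f"bad WAN range {a.wan_first}-{a.wan_last}")
        if not 1 <= a.lan_first <= a.translate(a.wan_last) <= 65535:
            problems.append(f"LAN ports for WAN {a.wan_first}-{a.wan_last} leave 1-65535")
        if classify_target(cfg, a.lan_host) == "dynamic":
            problems.append(f"WAN {a.wan_first}-{a.wan_last} forwards to {a.lan_host}, "
                            f"a dynamic DHCP address with no reservation")
    return problems


def route_inbound(cfg: RouterConfig, wan_port: int) -> Optional[Tuple[str, int]]:
    """Where an unsolicited inbound connection to wan_port ends up, or None if
    nothing on the LAN will ever answer it (dropped by the NAT or black-holed)."""
    for rule in cfg.virtual_servers:        # first matching rule wins
        if rule.matches(wan_port):
            if classify_target(cfg, rule.lan_host) == "blackhole":
                return None
            return rule.lan_host, rule.translate(wan_port)
    if cfg.dmz_host is not None:
        return cfg.dmz_host, wan_port       # DMZ host gets everything else, port unchanged
    return None


# Constructed sample configuration mirroring the setups described in the thread.
EXAMPLE = RouterConfig(
    lan_subnet="192.168.0.0/24",
    pool_first="192.168.0.100",
    pool_last="192.168.0.199",
    reservations={"00:11:22:33:44:55": "192.168.0.10",   # desktop (constructed MAC)
                  "66:77:88:99:aa:bb": "192.168.0.11"},  # laptop (constructed MAC)
    virtual_servers=(
        VirtualServer(8080, 8080, "192.168.0.10", 12345),   # the original post's case
        VirtualServer(3390, 3390, "192.168.0.10", 3389),    # Terminal Server: one WAN
        VirtualServer(3391, 3391, "192.168.0.11", 3389),    # port per client, all to 3389
        VirtualServer(113, 113, "192.168.255.255", 113),    # IDENT black hole
        VirtualServer(8000, 8010, "192.168.0.150", 8000),   # range aimed at a pool address
        VirtualServer(8005, 8005, "192.168.0.11", 80),      # overlaps the range above
    ),
)
EXAMPLE_WITH_DMZ = replace(EXAMPLE, dmz_host="192.168.0.20")

if __name__ == "__main__":
    for problem in validate(EXAMPLE):
        print("config:", problem)
    for port in (8080, 3391, 8003, 113, 22):
        print(f"WAN {port} ->", route_inbound(EXAMPLE, port))
```

Running it prints two configuration warnings (overlapping WAN ranges, and a forward aimed at a dynamic-pool address that a lease change can hand to a different machine, which is why reservations matter for forwarding) and where each inbound port lands. The model treats a target outside the LAN subnet as a black hole, which matches what the poster observed with ShieldsUP; what a real router does with such a packet depends on its own routing table, so the scan from outside is the check that counts.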
 
Eeek... Long reply!

Vanguard said:
> I am using the DLink DI-604. This is not a super high-power router but
> it works for me. Whether it works for you really depends on how many
> hosts you are going to have in your network tree that go to the router.

I have five machines that can be on behind the router. One is a laptop that
is currently wireless, but I'm going to get a specific wireless access point
for that (going with 802.11a for now).

> The DI-604 did not use to have the static IP address assignment that
> you mention. It used to only provide dynamic IP addresses by DHCP.
> However, in the latest firmware update, you can now configure static IP
> addresses to any particular host.

This isn't 100% crucial, but I don't like hardcoding IPs in the machines
themselves, and it's quite handy for specific machines to get specific IPs.
It's also handy to configure DNS so I can refer to machines by name instead
of IPs.

> I'm not quite sure what you mean by port translation other than you
> probably mean that connections on the WAN side to port N get routed to
> the LAN side to some particular host on port M.

You got it right. I need to get to the desktop on most of my machines, so I
use Terminal Server to connect to them. All the clients listen on port 3389.
On the WAN side I would pick a unique port number for each client and let
the router forward that port to 3389 on a specific client IP.

> There are a couple of ways
> to achieve what you want. With the DI-604 you can configure a
> demilitarized zone (DMZ) host.

DMZ is bad... I have a switch in place between my broadband and router just
so I have a dirty connection should I ever need one.

> The other technique is to define a virtual server. You define port N on
> the WAN side which goes to a specific host on its port M. That way any
> connections to port 80 (for a web server) that you want to make accessible
> to the Internet would go to a specific host on, say, port 13538.

As I said above, that's what I do. It made perfect sense on my old SMC. The
new one doesn't allow you to specify a destination port. I *THINK* the
difference is that the new routers let you specify a range of ports on the
WAN side, which makes it more difficult to "error check" if you specify a
destination port or range of ports. (Lazy programmers.)

> Actually, I've already used this but to fully stealth my network. Most
> routers will NOT block port 113 for the IDENT/auth protocol. This is
> because some old mail servers still use this defunct and hazardous
> protocol to identify the sender, but this also leaves open a port a
> hacker can test to see your network (i.e., get a response) and possibly
> a host name. Even if you define a firewall rule in the router to block
> port 113 and enable it, the router will not obey that firewall rule and
> still will respond on port 113. I tested this using ShieldsUP at
> grc.com.

Good to know. I've never had this show as open that I remember, but I'm
going to check now. : )
Looks just like I suspected it should.

> I have not had any problems in keeping the leased IP address for the
> router that is assigned by my ISP.

My problem is that the old SMC would renew the IP each day as it should, but
if it ever failed it just gave up and never tried again. Release/Renew on
the router wouldn't usually work either. I'd have to power cycle and usually
end up with a different IP. I haven't had DHCP problems with my Siemens
SpeedStream though. My only complaint about the SpeedStream is that it seems
to be a bit slow.

> The DLink DI-604 is rated for a 100Mb Ethernet LAN. If you want a
> gigabyte LAN then you'll have to look elsewhere.

I'll be going gigabit on my LAN at the end of the year, but the broadband
connection is only 10 Mb, so a 10/100 connection on the router itself is
fine.

> Personally I don't
> feel the router provides a full-blown firewall.

They are a big improvement over the software firewalls out there. Like I
mentioned before, I've never seen port 113 open on any router I've owned.
They've done the best job of firewalling for me that I've ever seen.

> It allows you to define
> some rules. But as far as URL or domain filtering, you only get about 9
> domain strings you can list. I haven't hit the max for the URL
> filtering yet but obviously there is some maximum that would be much
> lower than available with a firewall running on a gateway host.

I use a HOSTS file to block domains that I'm not interested in seeing. My
current HOSTS file is 399K in size.

> That's
> because there is just so much memory they can put into the router. The
> memory is not upgradeable to enlarge it. The DI-604 does have some
> logging. It looks like it will retain up to 150 records.

The nice thing with the newer routers is that they will email the log when
it gets full so you don't lose anything.

> Mine mostly
> shows the DHCP assigns along with some SYN attacks. I don't know if the
> firewall events get included in the log or if I haven't had any attacks
> that triggered any firewall rules (the IDENT/auth virtual server is not
> really a firewall rule although it will show up in the list of firewall
> rules but cannot be edited on that screen).

SYN attacks are the only thing I've seen in my logs other than DHCP results.
Not sure why these SYN attacks even happen... just seems like when I browse
to certain websites that these show up.

> I paid $50 for the DLink DI-604 which had a $10 mail-in rebate. I
> bought it retail at Best Buy. You can get it online for $37 (and get a
> $10 mail-in rebate but it expires Sept 30).

I'm in Canada, so at least double any prices you see. I did get the new SMC
for $80 with a $45 rebate, but returned it when I couldn't get the port
translation. Definitely a decent price.


Definitely appreciate the response. Thanks for taking the time!
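The HOSTS-file domain blocking mentioned in the reply above, as an added Python example that is not a tool from the thread: a parser for hosts-format lines that skips malformed ones, reports duplicates, answers whether a name is blocked, and flags the gap that distinguishes a hosts file from a filter matching on domain strings, namely that it matches exact names only, so a sub-domain of a listed domain is not covered unless it is listed itself. The sample file content is constructed; the loopback-name and block-address sets are this example's own choices.

```python
"""Parser and lookup for a HOSTS-file blocklist. Added illustration, not a
tool from the thread; SAMPLE_HOSTS is constructed."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Addresses a blocklist points names at so that connections go nowhere.
BLOCK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1", "::"}
# Names that legitimately map to loopback and must not count as "blocked".
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

# Constructed sample in the format Windows and Unix hosts files share.
SAMPLE_HOSTS = """\
# Local names
127.0.0.1   localhost
192.168.0.10 desktop desktop.home   # constructed LAN host, not a block entry
# Blocklist entries: names that resolve to an unroutable address
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org www.tracker.example.org
127.0.0.1 banner.example.com
0.0.0.0 ads.example.net     # duplicate, harmless but wastes file size
not-an-address bogus.example   # malformed line, skipped
"""


def parse_hosts(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return (entries, problems): entries maps lowercase hostname -> address,
    problems lists lines that were skipped or that duplicated an earlier name."""
    entries: Dict[str, str] = {}
    problems: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            problems.append(f"line {lineno}: '{fields[0]}' is not an IP address, skipped")
            continue
        for name in fields[1:]:
            name = name.lower().rstrip(".")      # hostnames are case-insensitive
            if name in entries:
                problems.append(f"line {lineno}: duplicate entry for {name}")
                continue
            entries[name] = addr
    return entries, problems


def is_blocked(entries: Dict[str, str], hostname: str) -> bool:
    """Blocked only if listed exactly and pointed at an unroutable address.
    Hosts files have no wildcards, so nothing is inferred from parent domains."""
    name = hostname.lower().rstrip(".")
    if name in LOOPBACK_NAMES:
        return False
    return entries.get(name) in BLOCK_ADDRESSES


def coverage_gap(entries: Dict[str, str], hostname: str) -> Optional[str]:
    """If hostname is not blocked but one of its parent domains is, return that
    parent: the list author probably wanted it covered, but a hosts file
    cannot express that, so the sub-domain still resolves normally."""
    if is_blocked(entries, hostname):
        return None
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        if is_blocked(entries, parent):
            return parent
    return None


def blocked_names(entries: Dict[str, str]) -> List[str]:
    """All names the file actually blocks, for auditing what a large list contains."""
    return sorted(name for name in entries if is_blocked(entries, name))


ENTRIES, PROBLEMS = parse_hosts(SAMPLE_HOSTS)

if __name__ == "__main__":
    for problem in PROBLEMS:
        print("file:", problem)
    print("blocked:", blocked_names(ENTRIES))
    for name in ("ads.example.net", "cdn.ads.example.net", "desktop"):
        print(name, "blocked:", is_blocked(ENTRIES, name),
              "gap:", coverage_gap(ENTRIES, name))
```

The duplicate and malformed-line reports are what make a large list manageable: at the size mentioned above, entries accumulate from several sources and a parser pass is the quickest way to find what was pasted in twice or never parsed at all.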
 
Phrederik said:
> They are a big improvement over the software firewalls out there.

Yep, but not as good as a real firewall box.

> Like I
> mentioned before, I've never seen port 113 open on any router I've owned.

Most keep this port open that I've checked and no way to stealth it.

> They've done the best job of firewalling for me that I've ever seen.

Doesn't mean it's the best.... <G> Yes routers are cheap and pretty secure
but there are better solutions, it's just they are a lot more expensive or
more of a hassle.
 