NETGEAR FVS336G Reviewed: VPN Your Way

raleighthings

Occasional Visitor
I have an old aging Netopia 9100 that I need to retire for various reasons. Plus we want to have dual WAN access.

What we have/want.

Cable 2/2mbps and DSL 3/.384mbps down/up speeds.

Mail and FTP servers plus a few other inbound initiated items like remote control on the cable link. Everything else (mainly surfing) on the DSL link.

Both cable and DSL have a /28 block of static IPs. Cable we get to see 13 of them. With DSL we get the full 16 plus one more for the router.

Mail and FTP servers are set up using WAN IP addresses. Say 209.209.209.209. Rest of assignments are of the 192.168.99.x NAT variety. Plus the servers also have 192.168.99.x IP addresses.

As best I can tell the FVS336G will let me do all of the above without mapping the external WAN addresses to internal 192... NAT addresses. (Doing NAT mapping causes some headaches for some of the software we use.)

I'd also be able to manually switch the servers to the DSL WAN via a configuration change if needed. Or the NAT to the cable WAN if needed.

And I could without a huge expense have a 2nd one sitting around for when lightning blows out the "live" one.

Anyone see a reason this would not work with this router? I've already figured out that most routers with a dedicated DMZ will let me do this but only if I put the servers only on the DMZ port or add a 2nd NIC to the servers so they can exist on the DMZ and the non DMZ LAN. With this unit it appears all could exist on the same LAN.

Thanks
 
I own a FVS336G since June 2008, and I'm kinda' disappointed.
It hangs once or twice a month, the log vanishes and the clock restarts to 00:00 1st January 1970 after a power failure or a soft restart, and the tech support needs improvement.
Also, the throughput performance is stated 60 Mbps LAN to WAN, but in fact this is also the limit for WAN to LAN. (I have a fiber to the building connection with 100Mbps metropolitan speed and I cannot fully use it). When I asked them, they claimed that LAN to WAN is the same as WAN to LAN in their opinion.

They want to charge you for premium support for assisting in some advanced configurations of features their product claims to have (of course, config details are not in the manual).

My advice: check with tech support (pre-sales) in your country and ask them to confirm that FVS336 really does what you need, before buying it.

It has some fancy stuff, like the SSL portal (in which you don't need a VPN client to connect remotely - it does that with only a Web browser), but check before you buy it...

If you need the user manual, just ask.

Best regards,
Daniel
 
issue resolved?

since the original review for this was written, several firmware updates have been made available from netgear. i'm wondering if the issue of dropping the vpn tunnel due to the ISP changing the wan ip address has been resolved?

thanks!
 
Don't know. You could check the release notes.
 
I purchased a FVS336G to try it out, and I too must say it's a disappointment.

When my brand new FVS336G arrived from Amazon, I noticed it was six versions of firmware behind, an indication that sales must indeed be slow. So, upgraded it to firmware version 3.0.4-19.

The documentation and help seem to be from some other router, and haven't been fully updated for the FVS336G, and even contain errors that confuse the first time installer. The errors seem to arise from them cutting & pasting sections describing inbound & outbound rules.

The configuration software on the router itself is fraught with inconsistencies & bugs. Before you can change a setting in a particular rule, you might have to plod through several other windows to disable the rule. Or, in some cases, you make a change, and it appears to take the change, but you go back and check and the setting has reverted to the older one.

The router is unable to implement at least several of its advertised functions, such as, when in Load Balancing mode, they say you can direct all of a selected type of traffic to only go through one WAN or the other. Here's from their documentation p2-12:

Note: Scenarios could arise when load balancing needs to be bypassed for certain
traffic or applications. If certain traffic needs to travel on a specific WAN
interface, configure protocol binding rules for that WAN interface. The rule
should match the desired traffic.

It doesn't work. You can configure protocol rules all day long and the traffic still goes where it likes. I called their tech support (international long-distance), but they didn't want to talk to me until I registered with them. I didn't have time to drive back to the office and crawl back into the router closet to get the serial number etc. so I was unable to get help - says Olga 5670 at NetGear.

Further, the default service rules are vague. For instance, there's an HTTP service rule. Does that refer to lan-user traffic, or a webserver you might have on your network? There's no way to find out exactly what the rule refers to.

Firewall logs are primitive too. For instance, you can't get a log of what's going through WAN1 or WAN2, only both combined.

Since various functions don't work, you begin to wonder if the disable-rule-checkboxes are working, and start deleting rules and adding them back in, trying to debug the various problems.

Since the basic functions didn't work, I didn't get around to trying its VPN capabilities. When I do get back to my router closet next week, it will be to replace it, not get its serial number for tech support. It's just another time-wasting product I don't have time for, especially if I can't get five minutes with their tech, after jumping through all their telephone extension hoops to find I have to go to the office for a serial number.

If all you need is a cheap basic load-balancing router, it sorta works. Of course if all you want to do is combine two networks, you don't need a dual wan router to do it.

If you need anything more than that, well, the FVS336G is still a work in progress, and I don't think they're spending much R&D on it.
 
Does it work with 3rd party IPSec clients?

Do you have to purchase the client licenses for IPSec VPN from Netgear, or do any third party clients work?

Does the client built into Vista work?
 
You can use any IPsec client. But you'll be on your own to configure it.
 
I just finished several days of wrestling with the FVS336G router and I'll admit my "spidey" sense for flaky hardware/firmware is seriously inflamed on this one. The good news after about 4 hours with Netgear technical support is that they're quite friendly. In contrast, I've never called for support on the outgoing router (in about 2 years), a dlink DI-824VUP. We use two of these.

Issue 1:

a. After setting up the router, our VOIP Mediatrix device stopped working. A call to our VOIP provider revealed that the Mediatrix device was trying to register using its private IP which should not be happening. After several hours working on the issue, including implementing firewall rules, no dice. Firewall rules made no sense btw as the issue was pretty obviously one to do with the router.

b. Day 2, after our VOIP provider sent packet traces and requested the router model number, he mentions SIP ALG, and I immediately recalled seeing that as an added feature in the last three firmware releases.

c. Second session with Netgear support reveals that yes, SIP ALG was added, but could not be turned off in the latest (as of today) firmware. Evidently I was not alone with this issue as the beta firmware provided by Netgear support added the checkbox to turn off SIP ALG. We got our phones back after installing the beta code and rebooting. SIP ALG is disabled by default in this firmware.

So all told, about 4 hours wasted :-(

Issue 2:

The SSL VPN software doesn't seem to work on Vista 64 bit. More on this shortly after more time on the phone....
 
on your issue1:

if you had me on the phone i would have told you that after 10 seconds and sent you the beta firmware.. us-support must be.. kinda slow :)

on your issue2:

netgear doesn't support 64 bit clients (or windows 7 in any flavor) yet. the only product that supports 64 bit vista (and only vista) is the ssl312. support for the fvs338g and/or srxn3205 may or may not come in a future firmware.

don't waste your time on the phone with issue 2. the most you can do is let them open a feature request.
 
Thanks B for that reply. Give me your phone number and I'll just call you next time :) Regarding SIP ALG...maybe these posts will help a few folks out! The 64bit SSL VPN support is something not mentioned anywhere in the FVS336G product literature, sales docs, specs or otherwise. Knowing this (and like many other folks I've found posts from since) I would not have purchased the product. We don't use 32 bit windows anymore, aside from one laptop. There is an indication on the Netgear forum that the Oct beta code may support 64bit Windows, otherwise we'll have no use for the product.

On the positive side, in testing with our one 32bit laptop, the SSL VPN performs much better than IPSEC did on the outgoing DLINK DI-824VUP router. It's faster, and the dropped connections so far have been zero. The ability to have just LAN addresses routing via VPN is great. This means that if you're using RDP to a remote workstation, you can still fire up a local browser using your local high speed connection without any network gymnastics. Adding in the ability to port forward via SSL-VPN is another as you can then pick and choose what traffic is routed to your VPN session, and what's not. Tim refers to all of these features in his review.

The old router is actually still there as a wireless access point (but not routing) as the NETGEAR WNDAP330 wireless access point we just installed won't connect using WPA or WEP to several of our wireless devices. Sigh. Another 10 hours or so of precious life spent getting 1 year old (and several firmware revisions later) debugging hardware that should just work. The old saying is "If it ain't broke, don't fix it." My version is, "If it kind of works OK, and doesn't require too many resets/month, then just use what you've got."

In terms of GUI interfaces to the myriad of devices we configure, I'd have to say the new QNAP AJAX interface is quite good. That is to say every other interface I've used, be it HP, DLINK, Netgear, Lexmark etc. reflects a lack of attention to the web interface. The Apple engineers would have a stroke if they worked with some of this stuff.

End of pseudo-rant :)

In terms of good feedback, the Netgear support staff are very friendly and with regard to the ProSafe products, if/when you get mired in the interface/bugs/code issues, are a phone call away at even late hours of the night. Yes, I got dropped on one call, and yes a few accents are hard to decipher, but it's obvious that Netgear is making a good effort.

Cheers,
Dennis.
 
Well, my question was answered and the thread closed over at Netgear's forums. If you want 64 bit SSL VPN before Christmas, look at another product.

It is being worked on, but the beta is not public. I was told to wait. If you call Netgear Prosafe US support you may get another answer as they told me it was already supported.
 
like i said. it IS supported on the ssl312 and only on that.
maybe they mixed that up.
 
Trying to decide between FVS336g and SRXN3205

Plan is to use this for my home/home office router - am running an "officeless" business and have a great fiber connection to my house so over time will probably host Exchange, fileserver, webserver, etc. at my house and have employees VPN in. As far as I can tell, the benefits of the FVS336g over the SRXN3205 are 1) Dual WAN support 2) 10 SSL VPN sessions vs 5 and 3) 25 IPSec sessions vs 5. Benefit of the SRXN3205 is of course the wireless N capability. But just wondering what other benefits one might have over the other that I'm not seeing. It's strange to me that number of VPN sessions is so much more limited on the SRXN3205 since Netgear basically says that the SRXN3205 is "based on" the FVS336g. Thinking I might just buy a FVS336g and then buy a Wireless N WAP later... Thoughts?
 
I would separate the wireless from the VPN gateway. Less chance of one messing up the other due to firmware bugs. You also might want to locate the AP in a different spot to maximize coverage.
 
That's exactly what we did. The advantage of not having the AP as part of the router is that you can centralize its location and therefore drop output power as appropriate. This doesn't help so much with the high gain antenna toting hackers...but it's just another measure to reduce your wireless footprint.

Daved, if you're looking for simultaneous support for wireless N (at 5GHz) and wireless B/G (at 2.4GHz), don't bother with the Netgear WNDAP330 as an access point. It can do N and G at the same time but only at 2.4GHz.

Beisser...duly noted. I'm hoping the FVS336G gets its 64bit SSL code worked out sooner than later. Given the fact that it's a dual WAN router (which is why we bought it!) and geared to small business, I'm puzzled as to why it doesn't have 64bit SSL already...particularly given the SSL312 support. For now I'll wrestle with IPSEC for the 64 bit clients. There was an open source IPSEC client floating around that works with the 336G. Can you post the name/link to the client?
 
[ssl and ubuntu]

We got a FVS 335g for our small office. So far, we agree with all the comments listed above. (personally I think it would be very difficult for Netgear to complicate configuration further for this device).

Now, we are having issues connecting UBUNTU via SSL.

We can see the portal, and complete the login information, but when the small window with the (connect/disconnect) buttons shows up, the browser crashes.

Has anyone been able to use the SSL connection using UBUNTU (8.10 or 9.04)?
 
