NETGEAR FVS336G vs DRAYTEK 2950G

[Dennis Wood]

I've been experimenting with Dual Wan routers, which offer the ability to serve as SSL VPN servers. For many small businesses (particularly with asynchronous DSL or cable internet access) dual wan is a cheap way to ensure access to the web, and control bandwidth too. Since setting up the Netgear we've added a second ISP and have PPPOE DSL as well as cable internet running in. I've posted a bit about the Netgear FVS336G which I've got mixed feelings on. On my desk here is a Draytek 2950G which I will be testing out and comparing to the Netgear product. I purchased it from http://www.dsl-warehouse.com/ (thanks Alfredo!) and received it via our fedex account in one day. Tim did a review of the FVS336G which led to my purchase of the unit.

If you have any questions, post them up here.

Here are my general thoughts on the Netgear FVS336G:

1. On installing it, it immediately "broke" our VOIP access. After two days and multiple conversations with both Netgear support and our VOIP provider, it turned out the router was the issue. "Beta" firmware allowed me to toggle off SIP ALG which was the problem, and will be disabled by default in the release firmware.

2. SSL VPN support right now for 64 bit clients does not exist. If you're using 64 bit clients, you need to use IPSEC and SHREW as per this post. SSL VPN to 32 bit clients works very well, as well as being stable and fast.

3. The FVS336G Dual WAN function is not capable of adaptive load balancing. You need to specify what ports/IP addresses go to which WAN interface if you want to load balance. That said, so far so good. We're noticing a definite improvement here. The options for controlling traffic by port, IP address, time, QOS are extensive. The Draytek does do adaptive load balancing between the two WAN ports.

4. The FVS336G is fanless, quiet..but runs very hot. I've got some misgivings over how hot the unit is getting in terms of long term longevity. The Draytek unit uses a small fan which means it's not silent, but not too bad in terms of noise.

5. The FVS336G has no wireless cababilities, the Draytek 2950G has wireless G onboard but can be ordered without.

6. The FVS336G was less expensive ($239), nearly half the price of the Draytek 2950G ($460) unit. If you factor the Draytek's wireless G, then the price difference isn't as much. I guess you could buy two FVS336G units and ensure active cooling with an external fan

More thoughts on the Draytek 2950 review as time permits for play.

Cheers,
Dennis Wood

 

[ddevaux]

Interested in your DRAYTEK 2950G review

I will be very interested in hearing the results of your review!!

I've been looking high and low for a good router that will support both SSL VPN (for easy laptop access) and L2TP and/or PPTP VPN (for iPhone access..since the only IPSEC implementation it seems to support is Cisco's). It looks like the Draytek claims to do all of the above (and I've not had much luck finding other decently regarded routers that do).

 

[Dennis Wood]

DD thanks for that tip on the iPhone...I was looking for a VPN solution to work with the FVS336G and my iPhone and could not find one. Can you provide a link with respect to Draytek's solution? With a free RDP app for the iPhone, remote desktop access via the iPhone makes some sense, particularly if you require "instant" remote access to your network. The FVS336 has no PPTP to offer, and its IPSEC or SSL-VPN solution don't work with the iPhone VPN functions.

We've just sorted out a cable modem issue and will continue on with testing this week. I've been on the road this week so other than requesting the ISP replace the cable modem in our office, have done little. WAN2 on FVS336G has been dropping its IP every day or so, and not reconnecting so I needed to eliminate the modem (a new installation) first before going on.

Assuming the Draytek works as advertised, it will stay in our busy office for several reasons. First, Draytek provides a Smartmonitor application for the 2950 that gives you enterprise-class summaries of user/workstation activity, filtering, traffic through the router etc. Regular sampling of that information (with full disclosure!) goes a long way to address any issues from your network, or caused by the folks using it. It does require a server workstation, and installs Apache on it (not 100% happy with that) however the reporting function is comprehensive.

2. In a closed but actively ventilated cabinet, the FVS336 runs quite hot to the touch. This is something that IMHO likely will/or does contribute to early failure of the product. This is my opinion only, but another fan-less product, the HP Procurve 24 gigabit switch (fully loaded) we use is running in the same cabinet at about 1/3 of the temperature. As I said earlier, the Draytek 2950 unit has it's own small fan which I'm not crazy about, but it does run a whole lot cooler. I have never liked actively cooled products because the 50 cent fan is a point of failure, so my preference would be that both units would be fan-less, and designed for proper passive cooling. Most folks are not using these products in typical enterprise equipment closets with air conditioned rooms, elevated floors, temperature alarms and steel racks. Draytek however does include brackets to support rack mounting the 2950 which would make it's use in this environment a snap.

Netgear's documentation (including integrated help) is quite good, where Draytek's suffers, so I suspect I'll be doing a bit of head scratching as we go along. I'd go as far as to say Netgear's online/integrated help and phone support is amongst the best I've seen.

 

[ddevaux]

iPhone with Draytek 2950

Here's a link to the information I found on Draytek's website explaining how to establish a PPTP VPN tunnel with an IPhone/IPod touch.


http://www.draytek.com/user/SupportFAQDetail.php?ID=192


Since the iPhone supports L2TP as does the Draytek, I should think it would be possible to go that way as well (but I've not been able to find any similar information regarding using L2TP).

 

[Dennis Wood]

Perfect. I'll be testing that for sure.

 

[Dennis Wood]

After spending a few hours with the Draytek 2950G, it's clearly in a different class over the FVS336G. I'll attempt to compile some kind of a summary, but in a nutshell, no quirky behavior, active load balancing (Netgear's is manual) and a very large collection of features that I had no idea of. UPNP is supported (but not on the Netgear FVS336G) which made our VOIP hardware very happy with zero configuration on the router.

I'll have to compile some kind of a chart after more testing.

 

[Dennis Wood]

So some bad news after emailing Draytek support:

1. "Unfortunately we don't support SSL VPN on 64-bit Windows systems. I'm sorry for that. I'll forward your feature request to relevant department, hope that makes some differences." IPSEC worked using Windows 64bit built in IPSEC so connection there was a snap.

2. The iPhone PPTP connection does not work with the latest firmware on the 2950, and OS 3.1 on an iphone 3Gs. I've emailed support for help on this one.

The only other issue was setting up Smartmonitor which has no guide included in the download. You need to search their site for this:

http://www.draytek.co.uk/products/SmartMonitor.html

EDIT: The 2950G has a 5th monitor port (marked) so you can just plug the Smartmonitor workstation into that port. The workstation can be used as normal with the Smartmonitor application running in your taskbar. You must turn on port mirroring for the 2950's monitor port using the telnet commands below:

http://www.draytek.co.uk/support/kb_vigor_portmirror.html

This information should not have been so hard to find, but that's the only place I could find it! A simple pdf file attached to the Smartmonitor software package with this information would have been great. Sigh. Knowing that Tim's forum here is so well indexed by Google, hopefully the next guy will find this post and get a head start

 

[NFSbuff]

Dennis, what 64-bit version of Windows did you attempt SSL VPN with? Does it just not work or are there certificate signing issues? Is the native built-in VPN client in Windows the one you are referring to that works with the DrayTek?

Apologies for the barrage of questions, but we are seriously considering the DrayTek 2950G after our Netgear FVS336G fiasco. We've greatly appreciated the postings you've made comparing these two products.

 

[Dennis Wood]

Vista 64 bit Ultimate...but the email would suggest all 64 bit Windows versions are an issue. The errors are similar to what we were seeing attempting connection to the FVS336 using SSL VPN and Vista 64...failure to install the VPN driver. I know Netgear is working on this, but based on that email, not sure if Draytek is working on it. I'm guessing they'll have to.

Yes, I'm using the built in Windows 65 bit VPN client to test L2TP.

What was the "fiasco" all about? I'm glad to see I'm not the only one messing with the dual WAN challenge

 

[NFSbuff]

In a nutshell, the FVS336G's lack of adaptive load balancing was disappointing, UPNP broke all kinds of things and, in our short experience, the device was picky with what modems it would play nice with. Not the Netgear experience we were hoping for.

So, we're in the market again and from what we've seen reported the DrayTek is looking more and more desirable, sans the 64-bit client issue. I'm wondering if, based on the DrayTek supporting the native Windows VPN client, the SSL issue may be moot at this point? I suppose we'll have to see.

As far as you've used the DrayTek device, is it something you'd recommend at this point?

 

[Dennis Wood]

Yes. The added feature set is enormous. I just made contact with Draytek US support and spoke with Josh there who is looking after my questions On the 64bit issue, I'd just use the Windows built in VPN for now until 64 bit SSL shows up. I was doing the same for the FVS336G. One thing that I do like about Netgear's IPSEC implementation (strangely) is that it is a pain to configure and requires SHREW. I don't like the pain but using a customized client/server setup like this improves security in my eyes. On the other hand, creating VPN users on the Draytek takes 5 seconds and there is no goofing around to do. You can create just one user and give them any type of VPN access, including PPTP. On the Netgear you need to create one user for IPSEC, and then do it again for SSL VPN in a different database. PPTP is not supported on the Netgear router. Bottom line, very strong passwords should be used regardless of the product.

Here are what I see as major advantages that make the 2950G a unit to look at starting from the box. Keep in mind that the Draytek is almost twice the price, but in our case I wanted wireless G on the Draytek box (2950G). Netgear does not have a wireless version of the FVS336G. My limited tests with wireless N (WNDAP330) so far have been unimpressive with G being functionally just as fast as N, with better range despite slower reported connection speeds. So here are the Draytek advantages:

1. It comes with rack mount brackets (if you want to mount that way), albeit with an internal fan cooling where the FVS336G is silent. All connections aside from power are at the front, consistent with rack-mounted hardware. Netgear's are at the back.

2. The user interface is actually pretty easy to get around...eaiser to use than Netgear's which I found a bit confusing. In the Draytek all menus are listed at the left so you don't need to search for links/menus at the top of dialog windows as you do with Netgear.

3. Smartmonitor (now that I've got it sorted) is every LAN admin's dream come true in terms of open monitoring of network use. It allows you to completely monitor almost every aspect of WAN use and report this to your staff if required via the "server" workstation's Apache software. Setup is basically installing the Smartmonitor package, and plugging your workstation into the 2950's "Monitor" port. The workstation is usable as normal.

4. Adaptive load balancing...which we are using now in "According to Line Speed" mode. "Auto Weight" didn't work so well, however further testing would be required to confirm this in isolation. What I've found though is that given two ISPs on the dual WAN side, we had to direct SMTP/POP to one ISP (other was blocking them) and certain services like VOIP also have to be policy driven to one WAN interface. Netgear's load balancing is manual but as I've described, we had to manually direct six ports or so to a given WAN on both products because of their need for a consisten WAN IP address. Draytek's bandwidth monitoring reporting on both WAN interfaces is much more refinded than the basic information provided on the FVS336G.

5. Scheduling on the Netgear is limited to 3. On the 2950 you can set up 15 and have them cascaded (up to 4) if required.

6. Objects setting which lets you define IP objects, Service types, protocol's etc, etc. which can then be used elsewhere for QOS, scheduling etc.

7. The 2950 has extensive QOS options, many more than we'll likely use.

8. The VPN and Remote access section offers wizards for setup, as does the Netgear, but you only need to define a user once, regardless of the type of VPN. Setting up VPN connections is super simple on the Draytek. For 32 bit clients (no go on Vista 64bit) the Draytek DVD includes a wizard that configures clients using Windows built in VPN access. Netgear's IPSEC VPN is a lot more complicated to set up and truthfully took a few days of messing around with SHREW to get it working.

9. The wireless LAN section of this router is very well featured included the ability to do MAC level access control, bridging, repeating and station rate control. One other feature that is excellent for guest wireless acess etc. is wireless VLAN. This allows you to implement a date sensitive login prompt (up to 15) that automatically set the user to a VLAN. This allows you to isolate guests on the LAN WIFI with only internet access...and you can restrict the data rates! If that's not enough, you can schedule wireless off or on using any of the router schedules that you define.

10. Full syslog support and a syslog client included on the router tools DVD.

11. Diagnostics included ARP Cache table (you can quickly figure out which MAC addresses belong to which IP addresses), Traffic graphs, Data flow monitors etc. The Traffic graph shows daily demand visually on either WAN1 or WAN2 which is an indication of just how much traffic is going where. The DHCP table found there is quite usefull too, providing MAC and IP addresses related for you.

12. The Draytek offers UPNP support (Netgear does not) which makes UPNP devices on your LAN self-configuring for WAN access.

13. Finally the firewall has extensive filter options that would allow you lock down with very large collection of cascading filters.

So there you go. Spend about $460 and you're looking at a very impressive feature set and onboard wireless (you can purchase the router cheaper by opting out of wireless) with support that's OK, but certainly not world class. The ablity to extensively monitor your LAN-WAN traffic is something a small LAN admin, or SMB owner would appreciate. If you need guest WIFI access (or just office access) and want to segment/throttle it, then you're set with the 2950G. If you need SSL VPN for 32 bit clients and/or licence-free IPSEC, PPTP or L2TP VPN for windows clients, then you're set too.

Spend about half that on the Netgear FVS336G and you get a much smaller feature set with slightly flaky firmware (at least in my case) but impressive support, including context help everywhere. Again, you have 32bit SSL VPN but will need to either purchase VPN client licences, or figure out SHREW for your clients which is free.

So essentially my suspicions on the Draytek being an enterprise class device were more or less correct, at a price that is quite respectable. If I was planning Draytek's future, I'd fire up a forum right away (so we can search for answers!) and definitely work on some context help right in the router GUI as Netgear does. Sending out product for guys like Tim to review wouldn't hurt either. Otherwise, for what it's worth, I like this product. Btw, I bought both these routers outright and I don't work for either company! My only interest is to shed some light on the Draytek mystery that I've Googled across in my searches. Hope this helps a few folks.

Cheers,
Dennis.

 

[NFSbuff]

My goodness Dennis, that, as far as I'm concerned, is as complete a review as I would ever need to make a well informed decision. Thank you for that. For all intents and purposes, I'm now sold on the Draytek 2950. Your last post should be sticky'd, as it directly compares a product to one that has been reviewed on this site.

Again, thank you for all the information.

 

[Dennis Wood]

No worries These two products are in a niche which will become significant as redundancy/bandwidth as well as VPN become more and more important for small business. We're a web based operation with a decent pile of media/data being uploaded/downloaded daily...so the router is for sure a very important part of the equation. Now back to work....

Cheers,
Dennis.

 

[NFSbuff]

Dennis, one other quick question. The fan you mention as being present on the Draytek--is it loud enough to be bothersome in a quiet office environment? I actually like the idea of actively cooled components on a high performance device, but if its annoyingly audible we'll have to make accommodations for that.

 

[Dennis Wood]

In a closed cabinet, you're OK. If it's out in the open you might get a complaint or two from anyone within 10ft. The noise is typical of any fan cooled switch, usually a bit worse than a workstation as the small fan generates a higher pitch than a 120mm PC cooling fan.

I should mention that in further tweaks there's something I forgot to mention as perhaps point 14. The Draytek has something like 40 profiles that you can activate to block P2P, Chat, IRC etc. as well as streaming media..and you can schedule it's blocking/filtering behaviour in the firewall section. There are further options for URL blocking as well as content filtering which are the best I've seen in devices like this. The QOS options which I was working with today were very nice to work with as we can decide exactly which WAN (upstream or downstream, or both!!) priorizes which traffic as percentages, or define rates. In other words you can define classes of protocols, IPs etc and decide how much importance they get on either WAN1 or WAN2 in any direction or combination as required. With our own VOIP SIP server, and a very busy web "guru" (on FTP all day), rsync remote replication, as well as web-based ecommerce being managed, the QOS options are perfect. I feel like I"m fine tuning a car here.

Smartmonitor is really, really impressing me in terms of monitoring pretty much everything going in or out of the router. After a support email I've got it set up like this on a 2 NIC workstation: NIC 1 is set up on the LAN as usual. NIC2 is set up with an IP on the same subnet, but no gateway is defined. NIC2 is connected to the router monitor port. Smartmonitor is set to listen to NIC 2. That works well.

I did also receive a revised app note for iPhone VPN access, but it doesn't work for me. This however is likely Rogers blocking VPN as I'm guessing I need to give them more money for VPN (based on google research). Strangely, tethering via 3G or Edge works just fine for VPN initiated from a laptop.

 

[Dennis Wood]

Draytek released a Smart VPN client package today (free) that works very nicely on 64 bit Vista and is listed as supporting Windows 7. The previous version did not. You can grab it here: http://www.draytek.com/user/SupportDLUtility.php#

I'd rate this client faster and easier to use even over SSH. After installing it took all of 10 seconds to set up and connect using LT2P to an already configured router. This was looking at the app "cold" so hat's off to the Draytek crew.

Very impressed.

On another note, the Smartmonitor application, which I'd now consider an essential LAN tool, runs much better on an XP SP3 workstation than it did on Vista 64. There is just one NIC on that workstation, connected to the monitoring port of the router, which is still allowing normal use of the workstation. On the Vista box we saw 100% CPU usage every now and then, something not being seen on XP.

 

[Dennis Wood]

Finally got the iPhone VPN working to the Draytek 2950 router from both WIFI and Rogers E and 3G connections here in Canada. Basically if you have an iPhone in Canada on Rogers network you need to call and do two things:

1. Ask them to add the feature "Public IP". No one will know what you're talking about when you call, so just ask them to add this feature. Naturally it's not free at $10/month.

2. Change the APN settings on your phone. Normally with Rogers this is not possible (funny that) so you need to go to unlockit.co.nz (from your iphone) and load a custom profile into your phone. This web site works without requiring you to jailbreak your phone. The Rogers smartphone support folks can provide you with the APN, username and password you'll need to use.

Remote Desktop works fairly well on the phone over VPN using the free app iRDesktop, or the more fully featured paid app iTapRDP.

Hope that helps

 

[edhaswell]

Thank you, Dennis. The information you've provided is useful and much appreciated.

 

[Dennis Wood]

Ed, you're welcome

Draytek has just released updated firmware that adds support for java based SSL VPN (but not for 64 bit OS). Formerly you had to use IE to connect using the SSL VPN client..now you can use Firefox or other java based browsers.

If you're using 64 bit Windows, Draytek's free Smart VPN Client has been working flawlessly for us : http://www.draytek.com/user/SupportDLUtility.php or you can use SHREW: http://forums.smallnetbuilder.com/showthread.php?t=2437

 

[jwquiroz]

Draytek Router

Hi, where did you get the Draytek router in Canada. I have been trying to get one of those here without luck...