SPI Firewalls / Product Advice

Smedley

Regular Contributor
As my home Internet service was upgraded to 100 Mbps, my trusty Netgear FVS338 router can no longer keep up with the connection speed. It maxes out at about 65 Mbps.

I have been looking for a new wired router that has a NAT (WAN<->LAN) throughput of at least 100 Mbps and without a fan (router is in bedroom).

I tried a Cisco RV320 (great specs), but it wouldn't pass more than 50 Mbps in practice (with the latest firmware).

The newer Asus and Netgear wireless routers have great throughput and I could just turn off the radios, but are the firewalls as robust as that on the Netgear ProSafe line? Is there a real difference in firewall capabilities or effectiveness between home and business class routers? Is having an ICSA Firewall certification important?

If anyone knows of a wired, fan-less, SOHO router with high throughput, please let me know!
 
It's a bit hard to find a reliable router that's in the 100+ range. You move into SMB routers, and while they're fine for most stuff, they have so many options that are buggy that they need rebooting regularly to be reliable.

As far as the firewalls, the main thing that you've got is NAT. That's quite powerful within itself. Couple that with some good security software on the computer itself and you'll be fine. SMB routers can actually be less secure because they have a lot of capabilities to punch holes in the firewall--great for businesses with servers, etc., but not necessary for just a plain-jane secure home setup.

I think the FVS318N I just got can do WAN to LAN in excess of 100Mbit. I know it can do site-to-site VPNs at 30+, which is quite fast. It's also got a pretty decent firewall, and no fan. ;)
 
Hey,

I'm using the n66r as you've mentioned, with the radios disabled. As a firewall, it drops packets and you can disable ICMP, too. I don't think it filters IDENT port 113 properly, though, so I am forwarding that port to 1.1.1.1. This had to be done along with all the typical port forwards to give Xbox Live a truly open connection. Not sure if there's a better way of doing that, but this seems to work for me.

The business class routers are probably better for VPN features, etc., though.
 
Does that router do DMZ? If the xbox needs an open connection, that's the best way to do it.

Business class routers have a lot more filtering and port forwarding options and are good at some of the unique and more challenging networks that are being built in the wired home. For as small of a cost upgrade they are from consumer routers, I don't see why more people don't use them. They definitely are too cheap to use for 'real' business networking.
 
> Does that router do DMZ? If the xbox needs an open connection, that's the best way to do it.

Sorry, I know this is getting OT; but for Xbox port forwarding, I've had the best luck by just forwarding both TCP/UDP of ports 53, 80, 88 and 3074 to the Xbox while making an extra rule to filter IDENT port 113 by making it go nowhere (not localhost!). IDENT filtering has been included in my Linksys routers, or at least via DD-WRT. I think the Asus router itself tends to respond to IDENT unless you port forward it. Port 113 shows up as 'invisible' or dropping packets via the ShieldsUp port scanning service, but I assume it's not properly forming the request and is inaccurate.

tl;dr, I went from a 'moderate' NAT to fully open just by port forwarding 113 to nowhere, after setting up the regular forwards. Never been a fan of DMZ.
 
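The forward-113-to-nowhere trick above leaves the IDENT probe unanswered, so the remote side waits for a timeout. The following is an added example (not the poster's configuration and not from any router vendor) of the same Xbox forwards expressed as iptables rules on a Linux-based router such as a DD-WRT or Asus unit, with IDENT answered by an explicit TCP reset instead. It assumes the WAN interface is eth0, the Xbox sits at 192.168.1.50, and that a usual ESTABLISHED,RELATED accept rule already exists in the FORWARD chain; the rules are only printed unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example: Xbox Live port forwards plus an explicit IDENT reject.
# Assumed values (placeholders, override via environment):
WAN_IF="${WAN_IF:-eth0}"
XBOX_IP="${XBOX_IP:-192.168.1.50}"

# Print a rule, or execute it when APPLY=1 (needs root on the router).
rule() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables $1
    else
        printf 'iptables %s\n' "$1"
    fi
}

# One DNAT rule and one matching FORWARD accept per protocol and port.
xbox_rules() {
    for proto in tcp udp; do
        for port in 53 80 88 3074; do
            rule "-t nat -A PREROUTING -i $WAN_IF -p $proto --dport $port -j DNAT --to-destination $XBOX_IP"
            rule "-A FORWARD -i $WAN_IF -p $proto -d $XBOX_IP --dport $port -m conntrack --ctstate NEW -j ACCEPT"
        done
    done
    # IDENT (tcp/113): reply with a TCP reset so the peer's ident lookup fails
    # immediately. A silent DROP (or a forward to an unused address) makes some
    # IRC servers stall until their ident query times out.
    rule "-A INPUT -i $WAN_IF -p tcp --dport 113 -j REJECT --reject-with tcp-reset"
}

# Number of rules emitted: 2 protocols x 4 ports x 2 rules + 1 for IDENT.
count_rules() { xbox_rules | wc -l | tr -d ' '; }

xbox_rules
```

Run it once without APPLY to review the generated rules, then with APPLY=1 on the router itself; nothing here touches UPnP or DMZ, which remain disabled.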
> Sorry, I know this is getting OT; but for Xbox port forwarding, I've had the best luck by just forwarding both TCP/UDP of ports 53, 80, 88 and 3074 to the Xbox while making an extra rule to filter IDENT port 113 by making it go nowhere (not localhost!). IDENT filtering has been included in my Linksys routers, or at least via DD-WRT. I think the Asus router itself tends to respond to IDENT unless you port forward it. Port 113 shows up as 'invisible' or dropping packets via the ShieldsUp port scanning service, but I assume it's not properly forming the request and is inaccurate.
>
> tl;dr, I went from a 'moderate' NAT to fully open just by port forwarding 113 to nowhere, after setting up the regular forwards. Never been a fan of DMZ.

If the port forwarding does the job, then it's definitely the preferred way. Although when I find I'm connecting some passive device to the Internet (i.e. something that doesn't get malware/viruses/exploits), I just DMZ it and forget about it. :)
 
> Does that router do DMZ? If the xbox needs an open connection, that's the best way to do it.

Actually, that's not the way to roll for consoles like the Xbox and PS3. The optimal solution for those consoles is to use UPnP. DMZ is a quick and dirty solution that will only allow one console to work. The only real way to allow multiple units (or where you concurrently need to port forward other devices) is to use UPnP.
 
Well, if you only have one of each console, port forwarding > *. When you have more, though, there's no getting around UPnP afaik.
 
> Actually, that's not the way to roll for consoles like the Xbox and PS3. The optimal solution for those consoles is to use UPnP. DMZ is a quick and dirty solution that will only allow one console to work. The only real way to allow multiple units (or where you concurrently need to port forward other devices) is to use UPnP.

Interesting. I didn't even know they were designed for multiple units on the same network. Good to know!
 
UPnP is by design a vulnerability. Perhaps not as bad as DMZ, but if you can get by with neither, your network will be better off for it.
 
> As my home Internet service was upgraded to 100 Mbps, my trusty Netgear FVS338 router can no longer keep up with the connection speed. It maxes out at about 65 Mbps.
>
> I have been looking for a new wired router that has a NAT (WAN<->LAN) throughput of at least 100 Mbps and without a fan (router is in bedroom).
>
> I tried a Cisco RV320 (great specs), but it wouldn't pass more than 50 Mbps in practice (with the latest firmware).
>
> The newer Asus and Netgear wireless routers have great throughput and I could just turn off the radios, but are the firewalls as robust as that on the Netgear ProSafe line? Is there a real difference in firewall capabilities or effectiveness between home and business class routers? Is having an ICSA Firewall certification important?
>
> If anyone knows of a wired, fan-less, SOHO router with high throughput, please let me know!

The Ubiquiti EdgeRouter Lite will handle 100Mb with ease. Some report much more: https://community.ubnt.com/t5/EdgeM...th-Dual-Stack-IPv4-amp-IPv6/m-p/532268#M12895 This isn't really intended as a home router and can be a learning curve, but the latest version of the software has a wizard that should make it easy for most configurations.

---
stig
Ubiquiti EdgeMAX software developer
 
> The Ubiquiti EdgeRouter Lite will handle 100Mb with ease. Some report much more: https://community.ubnt.com/t5/EdgeM...th-Dual-Stack-IPv4-amp-IPv6/m-p/532268#M12895 This isn't really intended as a home router and can be a learning curve, but the latest version of the software has a wizard that should make it easy for most configurations.
>
> ---
> stig
> Ubiquiti EdgeMAX software developer

I've seen these mentioned on a couple of the networking forums I've visited.

I just looked at the products and the forums and it seems like these are a heavily CLI configured device that's on par with 'real' Cisco gear in performance and complexity. Have I missed anything?
 