#1
Firewall/router suggestions?
Hey all!
I'm looking for a decent broadband router, preferably with a four port switch. It definitely needs to have port translation (you hit the router on the WAN side on port 8080 and it is forwarded to your server on port 12345 on the LAN side). My old SMC 7004ABR router was four port and did the port translation, but didn't offer much for logging, etc. It had issues keeping its IP leased from my ISP, so after two RMAs I tossed it out. I've now got a SpeedStream 1 port router that does the trick, but it's rather slow. At $10, the price was right. It is also pretty barebones, like the old SMC, but does work fine. I want to replace it with something faster.

I've had a Network Everywhere NWR04B(?) router that did everything I wanted (and was wireless), except allow me to apply specific IPs to MAC addresses in its DHCP server, so I returned it. I picked up a NetGear MR814 and it has LOADS of features and looks pretty cool (802.11b wireless as well), but it is missing the port translation, which I need. Yesterday, I reluctantly picked up another SMC VBR7004 router, that matches the NetGear for features, but is also missing the port translation. I stupidly assumed that it would have it because the old one also did. The description on the box is also misleading. I'm going to have to bite the restock fee and return it. (NO MORE SMC FOR ME!!!)

...anyhow, can someone suggest a reasonably priced broadband firewall/router that does port translation AND allows you to reserve IPs on its DHCP server? I really like the logging/email features of the new routers, not to mention the "pretty interfaces" that they have, but functionality is more important to me at this point. Suggestions?
#2
I am using the DLink DI-604. This is not a super high-power router but it works for me. Whether it works for you really depends on how many hosts you are going to have in your network tree that go to the router. Although you can have its DHCP server assign up to 255 IP addresses, I called DLink and their tech said that once you hit 15 hosts then the amount of traffic will probably swamp the processor in the router (since it is a switch). I only have 2 hosts on the router now and maybe might go up to 4 at some time (this is for a home-use scenario). You don't mention the size of your intranet so no one knows just how much processing power would be needed within the router to handle all your concurrent traffic to the Internet.

The DI-604 did not used to have the static IP address assignment that you mention. It used to only provide dynamic IP addresses by DHCP. However, in the latest firmware update, you can now configure static IP addresses to any particular host. You use the MAC of the network card to identify the host and assign a static IP address to it (if port 113 is enabled for IDENT/auth then you can also see the hostname). I find this helpful on a home network because I really don't want to network with the host(s) of other users in my home. I don't want to end up playing admin to them all and have to run anti-virus and spyware software and configure Messenger NT Service and worry about zombies and so on. I have the router assign me a static IP address and then I configure the router so none of the other hosts can connect to me. So although we are using a router, to me it is just a link to the cable modem and I'm protected from other "dirty" hosts. If I want to later add a laptop or other desktop over which I manage then I can let just that one connect to "my" private intranet.

I'm not quite sure what you mean by port translation other than you probably mean that connections on the WAN side to port N get routed to the LAN side to some particular host on port M. There are a couple ways to achieve what you want.

With the DI-604 you can configure a demilitarized zone (DMZ) host. Connections to it look like it is a free and clear host residing outside your firewall and router; i.e., to the Internet, it is a directly accessed host, so you could run your web server there without it going through the firewall (and any submit, programs, data, and whatnot could be accessed from there to an intranet host and go through the firewall). You obviously have to harden the DMZ host as much as possible but sometimes you need an exposed host (but your other intranet hosts are still protected).

The other technique is to define a virtual server. You define port N on the WAN side which goes to a specific host on its port M. That way any connects to port 80 (for a web server) that you want to make accessible to the Internet would go to a specific host on, say, port 13538.

Actually, I've already used this but to fully stealth my network. Most routers will NOT block port 113 for the IDENT/auth protocol. This is because some old mail servers still use this defunct and hazardous protocol to identify the sender, but this also leaves open a port a hacker can test to see your network (i.e., get a response) and possibly a host name. Even if you define a firewall rule in the router to block port 113 and enable it, the router will not obey that firewall rule and still will respond on port 113. I tested this using Shield's Up at grc.com. That was the only port that wasn't stealthed on my router so it was a lone pimple in an otherwise fully stealthed network. The answer was to define a virtual server on WAN port 113 that went to a non-existent host (and port). My router is configured to assign IP addresses in the range of 192.168.0.x, where x = 0 to 255 (actually it is currently set to have x = 100 to 199). So I created a virtual server on a host with IP address 192.168.255.255 because there is no way the router's DHCP server could ever assign a 192.168.255.x address. So any IDENT/auth requests on WAN port 113 get routed to a non-existent host, so there is no response and I'm fully stealthed.

I have not had any problems in keeping the leased IP address for the router that is assigned by my ISP. When you have your computer directly connected to the cable, you could run "ipconfig /release *" and "ipconfig /renew" if your cable segment went down and their DHCP server didn't renegotiate a new IP address to you. Obviously that won't work if your computer now has a router between it and the cable modem, because the ISP's DHCP server is going to assign an IP address to your router. So the DI-604 has the release and renew functions available for you to do the same there.

The DLink DI-604 is rated for a 100Mb Ethernet LAN. If you want a gigabyte LAN then you'll have to look elsewhere.

Personally I don't feel the router provides a full-blown firewall. It allows you to define some rules. But as far as URL or domain filtering, you only get about 9 domain strings you can list. I haven't hit the max for the URL filtering yet but obviously there is some maximum that would be much lower than available with a firewall running on a gateway host. That's because there is just so much memory they can put into the router. The memory is not upgradeable to enlarge it.

The DI-604 does have some logging. It looks like it will retain up to 150 records. Mine mostly shows the DHCP assigns along with some SYN attacks. I don't know if the firewall events get included in the log or if I haven't had any attacks that triggered any firewall rules (the IDENT/auth virtual server is not really a firewall rule although it will show up in the list of firewall rules but cannot be edited on that screen). So it isn't going to show you any problems with e-mail (which I would assume you would want done on your e-mail server's host, anyway).

I paid $50 for the DLink DI-604 which had a $10 mail-in rebate. I bought it retail at Best Buy.
You can get it online for $37 (and get a $10 mail-in rebate but it expires Sept 30). For a home network, I found it quite capable. The latest firmware update added the feature of assigned static IP addresses. Although I don't absolutely need static IP addresses (and I still leave the client hosts configured to use DHCP instead of configuring a static IP address in them), it makes sure that I can isolate my computer from other "dirty" home computers.

--
Vanguard
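The post above distinguishes three results a probe of the router's WAN side can produce (answer, refusal, or silence), and treats only silence as "stealthed". The following is an added example, not code from this thread or from D-Link, that reproduces that three-way check with a plain TCP connect; the router address is a placeholder you would replace with your own WAN IP, and the loopback demo exists only so the classifier can be exercised offline.

```python
import socket
from typing import Literal, Tuple

PortState = Literal["open", "closed", "stealth"]

# Placeholder WAN address of the router under test (assumption, not from the thread).
ROUTER_WAN_ADDR = "203.0.113.10"
IDENT_PORT = 113


def probe_tcp_port(host: str, port: int, timeout: float = 2.0) -> PortState:
    """Classify a TCP port the way the ShieldsUP test in the thread does.

    open    - the handshake completed: something answered on that port.
    closed  - the host replied with a RST, which still proves a host is there.
    stealth - nothing came back within the timeout: the port is invisible,
              which is what a correctly filtering router shows on port 113.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.gaierror:
        raise  # an unresolvable hostname is a config error, not a port state
    except (TimeoutError, OSError):
        # Timed out or ICMP unreachable: no RST, so the probe was dropped.
        return "stealth"


def ident_is_stealthed(host: str, timeout: float = 2.0) -> bool:
    """True only if port 113 neither accepts nor refuses the connection."""
    return probe_tcp_port(host, IDENT_PORT, timeout) == "stealth"


def demo_local() -> Tuple[PortState, PortState]:
    """Offline demonstration on the loopback interface.

    Binds a listener on an ephemeral port (probe reports "open"), then
    closes it and probes again (the kernel now answers with RST: "closed").
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = probe_tcp_port("127.0.0.1", port, timeout=1.0)
    listener.close()
    after_close = probe_tcp_port("127.0.0.1", port, timeout=1.0)
    return while_open, after_close


if __name__ == "__main__":
    print("loopback demo:", demo_local())
    # Run this from outside your own network so the probe reaches the WAN side.
    print("port 113 stealthed:", ident_is_stealthed(ROUTER_WAN_ADDR))
```

A "closed" result on port 113 is the case the thread complains about: the router itself answers with a RST, so a probe learns there is a device there even though nothing is listening.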
#3
Eeek... Long reply!
"Vanguard" wrote in message news:q7scb.427164$cF.132822@rwcrnsc53...

> I am using the DLink DI-604. This is not a super high-power router but it works for me. Whether it works for you really depends on how many hosts you are going to have in your network tree that go to the router.

I have five machines that can be on behind the router. One is a laptop that is currently wireless, but I'm going to get a specific wireless access point for that (going with 802.11a for now).

> The DI-604 did not used to have the static IP address assignment that you mention. It used to only provide dynamic IP addresses by DHCP. However, in the latest firmware update, you can now configure static IP addresses to any particular host.

This isn't 100% crucial, but I don't like hardcoding IPs in the machines themselves, but it's quite handy for specific machines to get specific IPs. It's also handy to configure DNS so I can refer to machines by name instead of IPs.

> I'm not quite sure what you mean by port translation other than you probably mean that connections on the WAN side to port N get routed to the LAN side to some particular host on port M.

You got it right. I need to get to the desktop on most of my machines, so I use Terminal Server to connect to them. All the clients listen on port 3389. On the WAN side I would pick a unique port number for each client and let the router forward that port to 3389 on a specific client IP.

> There are a couple ways to achieve what you want. With the DI-604 you can configure a demilitarized zone (DMZ) host.

DMZ is bad... I have a switch in place between my broadband and router just so I have a dirty connection should I ever need one.

> The other technique is to define a virtual server. You define port N on the WAN side which goes to a specific host on its port M. That way any connects to port 80 (for a web server) that you want to make accessible to the Internet would go to a specific host on, say, port 13538.

As I said above, that's what I do. It made perfect sense on my old SMC. The new one doesn't allow you to specify a destination port. I *THINK* the difference is that the new routers let you specify a range of ports on the WAN side which makes it more difficult to "error check" if you specify a destination port or range of ports. (Lazy programmers).

> Actually, I've already used this but to fully stealth my network. Most routers will NOT block port 113 for the IDENT/auth protocol. This is because some old mail servers still use this defunct and hazardous protocol to identify the sender, but this also leaves open a port a hacker can test to see your network (i.e., get a response) and possibly a host name. Even if you define a firewall rule in the router to block port 113 and enable it, the router will not obey that firewall rule and still will respond on port 113. I tested this using Shield's Up at grc.com.

Good to know. I've never had this show as open that I remember, but I'm going to check now. : ) Looks just like I suspected it should.

> I have not had any problems in keeping the leased IP address for the router that is assigned by my ISP.

My problem is that the old SMC would renew the IP each day as it should, but if it ever failed it just gave up and never tried again. Release/Renew on the router wouldn't usually work either. I'd have to power cycle and usually end up with a different IP. I haven't had DHCP problems with my Siemens SpeedStream though. My only complaint about the SpeedStream is that it seems to be a bit slow.

> The DLink DI-604 is rated for a 100Mb Ethernet LAN. If you want a gigabyte LAN then you'll have to look elsewhere.

I'll be going gigabit on my LAN at the end of the year, but the broadband connection is only 10mb, so a 10/100 connection on the router itself is fine.

> Personally I don't feel the router provides a full-blown firewall.

They are a big improvement over the software firewalls out there. Like I mentioned before, I've never seen port 113 open on any router I've owned. They've done the best job of firewalling for me that I've ever seen.

> It allows you to define some rules. But as far as URL or domain filtering, you only get about 9 domain strings you can list. I haven't hit the max for the URL filtering yet but obviously there is some maximum that would be much lower than available with a firewall running on a gateway host.

I use a HOSTS file to block domains that I'm not interested in seeing. My current HOSTS file is 399K in size.

> That's because there is just so much memory they can put into the router. The memory is not upgradeable to enlarge it. The DI-604 does have some logging. It looks like it will retain up to 150 records.

The nice thing with the newer routers is that they will email the log when it gets full so you don't lose anything.

> Mine mostly shows the DHCP assigns along with some SYN attacks. I don't know if the firewall events get included in the log or if I haven't had any attacks that triggered any firewall rules (the IDENT/auth virtual server is not really a firewall rule although it will show up in the list of firewall rules but cannot be edited on that screen).

SYN attacks are the only thing I've seen in my logs other than DHCP results. Not sure why these SYN attacks even happen... just seems like when I browse to certain websites that these show up.

> I paid $50 for the DLink DI-604 which had a $10 mail-in rebate. I bought it retail at Best Buy. You can get it online for $37 (and get a $10 mail-in rebate but it expires Sept 30).

I'm in Canada, so at least double any prices you see. I did get the new SMC for $80 with a $45 rebate, but returned it when I couldn't get the port translation. Definitely a decent price.

Definitely appreciate the response. Thanks for taking the time!
#4
Phrederik wrote:

>> Personally I don't feel the router provides a full-blown firewall.
>
> They are a big improvement over the software firewalls out there.

Yep, but not as good as a real firewall box.

> Like I mentioned before, I've never seen port 113 open on any router I've owned.

Most keep this port open that I've checked and no way to stealth it.

> They've done the best job of firewalling for me that I've ever seen.

Doesn't mean it's the best.... G

Yes, routers are cheap and pretty secure but there are better solutions, it's just they are a lot more expensive or more of a hassle.

--
Stacey