Like every other website on the planet, SmallNetBuilder uses cookies. Our cookies track login status, but we only allow admins to log in anyway, so those don't apply to you. Any other cookies you pick up during your visit come from advertisers, which we don't control.
If you continue to use the site, you agree to tolerate our use of cookies. Thank you!

LAN & WAN Reviews

{mospagebreak toctitle= Introduction}

Introduction

Hawking Dual WAN Firewall Router w/4-Port Switch

Hawking Dual WAN Firewall Router w/4-Port Switch
Summary Dual Ethernet WAN SPI-based router. Inexpensive alternative to Symantec VPN 200, but without dialup/ISDN backup ports, and less sophisticated load balancing and failover.
Update 8/12/2003
- New firmware available that improves dual-WAN load balancing features.
- Nexland purchased by Symantec and pro800Turbo no longer available
Pros • Dual 10/100 WAN ports with auto-failover and load balancing
• Supports 16 WAN IP addresses
• High throughput
Cons • No Web traffic logging
• Poor documentation

Although the number of people with multiple broadband Internet connections is small, it must be growing enough to attract a second entrant to the market. Hawking's FR24 Dual WAN Broadband 4 Port Firewall Router is the first consumer-level router to take on Nexland's pro800Turbo (now the Symantec Firewall/VPN 200) on the dual WAN battlefield. Can a box that costs less than $100 really compete with an established product that costs almost five times (make that almost 20 times with Symantec's pricing) as much? You may be surprised at the answer!


Basic Features

The FR24 is housed in a black plastic case with a footprint about the size of a typical hard-cover novel. All indicators are along the front edge of the top panel and include Link/Activity/Speed for each of the four LAN ports, Link/Activity/Speed for each WAN, Power and Status. All LED's were bright and viewable from a wide angle, with link Speed indicated by the color of each LED.

The four switched 10/100 LAN ports are on the rear panel, along with two 10/100 WAN ports, power socket, Reset button. All LAN ports are auto MDI/MDI-X, eliminating the need for an Uplink port or Normal/Uplink switch for port expansion.

Hawking includes a printed Quick Installation Guide that I thought came up short on a number of counts, but I'll get into that more in the next section.

Opening up the FR24 confirmed my suspicion that, similar to many of the current crop of new-generation routers, it is based on the ADMtek 5106 Home Gateway Controller. The router had a very clean internal design, and although the ADMtek chip had no heatsink, seemed to run cool to the touch.


Setup and Administration

The FR24 can be administrated either via web browser or through a menu-driven Telnet interface. Although I confirmed that the Telnet interface worked from the LAN side of the router, I focused on the web interface. Pointing your browser to the default address of 192.168.1.1 brings up a login box that requires both a user name and password to be entered before it presents you with the Status screen shown in Figure 1.

Hawking FR24: Status screen

Figure 1: Status screen
(click on the image for a full-sized view)

Although the screen shot doesn't show it, this screen shows you information for both WAN ports and lets you perform both an IP address Release / Renew and PPPoE Connect / Disconnect on each WAN port.

The FR24 allows multiple simultaneous administrator logins and provides no warning on additional logins. There's no admin logout besides quitting your browser, and no admin idle timeout either. The overall responsiveness of the web interface was satisfactory with quick navigation from screen to screen. Some changes require a quick (about 10-15 second) reboot, while others don't. Remote administration can be enabled (it's off by default), and you can set the admin interface port number, but can't restrict access to specific IP addresses. You can also reboot the router, or force it to reload factory defaults via selections in the System Tools section, and save and restore router configuration to / from a local file.

Clicking on Setup Wizard in the top menu bar gives you the option of stepping through each of the setup screens by clicking on a Next button (after making your entries, of course!), or navigating directly to the desired screen by using the links in the left-hand column. The Setup LAN IP screen is where you set the base address, subnet mask and gateway IP address information for the router. You can also disable the router NAT (Internet sharing) function and set the port number for the router's HTTP (web) admin interface. Note that the DHCP server controls are not located here, but in the Advanced Setup section. You can set four different DHCP ranges and reserve IP addresses by MAC address, but you can't set DHCP lease time or force lease terminations to disconnect unwanted clients.

The Primary WAN screen makes you choose among Static IP Address, Dynamic IP Address, and PPPoE connection types, then presents you with a setup screen that has the appropriate setup parameters. Figure 2 shows the PPPoE screen for the Primary WAN.

Hawking FR24: Primary WAN PPPoE screen

Figure 2: Primary WAN PPPoE screen
(click on the image for a full-sized view)

Note that you can change the Maximum Segment Size (MSS) vs. the Maximum Transmission Unit (MTU) that most other routers provide as part of their PPPoE setup parameters. (A general conversion equation is MSS = MTU-40.) In all, the FR24 provides pretty much all the WAN setup controls that you'll need.


Bring on the reinforcements!

Since the FR24 is Hawking's first experience with a dual-WAN router, it's safe to say that they'll probably be learning a few things once they get the product out into the real world. Dual WAN routers can help provide a busy LAN with more bandwith in their "load balance" mode, but it's important to realize that they have their limitations and may not suit your needs.

The Secondary WAN setup screens are the same as the Primary WAN's, but as Figure 3 shows, you first must make some additional choices.

Hawking FR24: Secondary WAN selection screen

Figure 3: Secondary WAN selection screen
(click on the image for a full-sized view)

The second WAN connection can be set to one of three modes: disconnected; use when Primary WAN disconnected (auto-failover backup) and ; use when Primary WAN busy (load balancing). Since the FR24 Quick Start guide contained virtually no information on how these dual-WAN capabilities come into play, I had to contact Hawking for an explanation.

The lack of good documentation of the dual WAN features isn't the only weakness in the documentation. I found the manual to be generally weak on explanations of how many of the advanced router features work. You also may find yourself searching for the missing section that should have explained the WAN setup selections provided on the Setup Wizard screens. Hawking also committed one of my pet peeves of not including the information contained in the FR24's on-line Help in their Quick Installation Guide. In my opinion, a manual should be the one place where I can look to find an answer. Other information sources can contain duplicates or subsets of the information, but everything should be in the User Manual!


Firewall, Port Mapping & Filters

The FR24 has a Stateful Packet Inspection (SPI) based firewall and uses a rule-based firewall management system. It also supports Multi-NAT or Many-to-Many NAT for up to 16 WAN IP addresses.

Tip Tip: MultiNAT allows you to take multiple WAN IP addresses and share them with ranges of private LAN IP addresses. This lets you, for example, have up to 16 DMZ mappings (one for each WAN IP address you have), and also lets you have multiple virtual (mapped) servers of the same type (HTTP / Web servers for example) operating on the same port.

NOTE!NOTE! This feature is useable only if you have multiple WAN IP addresses assigned from your ISP!

Hawking also gives you some control over the Stateful Packet Inspection (SPI) features of the VBR's firewall as shown in Figure 4, including disabling all SPI features.

Hawking FR24: Advanced Firewall screen

Figure 4: Advanced Firewall
(click on the image for a full-sized view)

Port forwarding is provided for single ports via the Virtual Server feature and static port ranges via the WAN Access Controls shown in Figure 5.

Hawking FR24: WAN Access Control screen
Figure 5: WAN Access Control
(click on the image for a full-sized view)

Triggered port range mapping capabilities are not provided and port mappings are not schedulable, but server "loopback" is supported for Virtual servers and WAN-LAN rules.

Internet access control (Port Filters) is handled by the LAN Access Control screen shown in Figure 6.

Hawking FR24: LAN Access Control screen
Figure 6: LAN Access Controls
(click on the image for a full-sized view)

Both Control features let you specify source and destination IP address ranges, TCP or UDP port ranges (but not both in one rule), whether to discard or forward the matching packet, and whether the action is logged. On the downside, you can't name or edit rules, or temporarily disable them while leaving them programmed. There's also no abilitiy to schedule the time that the rules are applied.

Lest we not forget - because it's over in the Setup Wizard section - there's also the URL Keyword blocking feature, and the ability to block ActiveX controls, Java applets, Cookies, and Web proxy requests.


VPN

The FR24 supports PPTP, IPsec and L2TP VPN protocols for both Virtual servers and client pass through sessions, but the pass through capabilities may be too limited for some users. The number of simultaneous pass through sessions may not be a problem, since the FR24 supports four PPTP and at least 16 IPsec and L2TP sessions each. But the catch is that all sessions must terminate at the same remote VPN gateway.

 

Logging and Other Stuff

Logging is not one of the FR24's strong points, with no support for traffic logging. According to Hawking, the only things logged are connection status for each enabled Firewall Access Rule, Administration logins, and Hacker alerts. During my testing, I also noticed that WAN DHCP leases were also logged.

If you fill in your email address and SMTP server information, you'll get an email whenever the router detects a "hack" event, or when the log fills up. You can also mail a copy of the log on demand. There's no support for syslog or SNMP trap logging.

Other Features

There are a few other features that the FR24 sports that I haven't mentioned, so here you go:

  • there's a real-time clock that you can either set manually, or have automatically pick up the correct time from an NTP server (you set the time zone, but there's no Daylight Savings option)
  • you can save and load the router's configuration to a file on your computer
  • you can set the router to discard ping requests (disabled by default)
  • you can ping an IP address (would have been more useful to be able to run a series of pings and ping by domain name)
  • dynamic DNS is supported via dyndns.org

Logging and Other Features

Logging is not one of the FR24's strong points, with no support for traffic logging. According to Hawking, the only things logged are connection status for each enabled Firewall Access Rule, Administration logins, and Hacker alerts. During my testing, I also noticed that WAN DHCP leases were also logged.

If you fill in your email address and SMTP server information, you'll get an email whenever the router detects a "hack" event, or when the log fills up. You can also mail a copy of the log on demand. There's no support for syslog or SNMP trap logging.

Other Features

There are a few other features that the FR24 sports that I haven't mentioned, so here you go:

  • there's a real-time clock that you can either set manually, or have automatically pick up the correct time from an NTP server (you set the time zone, but there's no Daylight Savings option)
  • you can save and load the router's configuration to a file on your computer
  • you can set the router to discard ping requests (disabled by default)
  • you can ping an IP address (would have been more useful to be able to run a series of pings and ping by domain name)
  • dynamic DNS is supported via dyndns.org

Routing Performance

NOTE!Testing Notes:
WAN to LAN tests are all run with LAN endpoint in DMZ
LAN to WAN tests are run with LAN endpoint not in DMZ, except UDP Stream

The throughput numbers are similar to the maximum numbers that I've found with other ADMtek 5106 based routers. The FR24 seems to have better-tuned SPI performance, however, because I didn't see any real throughput difference with the SPI Firewall features enabled or disabled. Other routers show a definite hit in WAN-LAN performance with SPI kicked in. UDP testing didn't reveal any hiccups and I didn't experience any problems while I ran my computer's connection through the FR24 for a few days.

Since I don't have two broadband connections (or even one for that matter!), I had to improvise to test the Dual WAN capability. I attached both of the FR24's WAN ports to two of my main router's LAN ports, and found that both ports had no problem getting leases from my router's DHCP server. When I set the FR24's Secondary WAN to "use when Primary WAN disconnected" and physically disconnected the WAN1 cable, I found the router switched over properly, too.

But my testing of the load balancing mode was unsuccessful until I consulted again with Hawking and learned that the FR24 only switches in the extra bandwidth when the Primary WAN busy criteria is met and a new data request comes from another LAN client with a different IP address . This means that, for example, if you want to watch streaming video and download a large file at the same time from the same computer, the FR24 will only use the Primary WAN connection. I had been trying to do the testing with multiple applications from the same LAN client and had no luck getting the Secondary port to switch in.

Routing Performance Test Results

Test Description Transfer Rate (Mbps) Response Time (msec) UDP stream
Throughput (kbps) Lost data (%)
WAN - LAN 9.4 85 (avg)
95 (max)
500 0
LAN - WAN 9.9 81 (avg)
81 (max)
500 0
Firmware Version 6.26.01h Build 0039 L:01
See details of how we test.

Wrap Up

I think it's safe to say that Nexland's pro800Turbo is no longer the only dual-WAN router game in town, but also that the FR24 is not its equal. A key difference in the Dual WAN aspects of both products is that the pro800Turbo treats the two WAN ports more as equals for both failover and load sharing, while the FR24 primarily uses the WAN1 connection and only switches in WAN2 under certain conditions. The second key difference is that the FR24 lacks the pro800Turbo's dual serial COM ports that support an additional level of auto-failover to dialup or ISDN connections. Let's also not forget the usual assortment of troubles that most new routers have as they get banged on in the real world. The pro800Turbo has more than a year of "mileage" on it, while the FR24 is just starting down the learning curve.

All that said, the FR24's speed, SPI firewall features, and below $100 price make it worth at least a look, given that it's about one-fifth the price of the pro800Turbo. And even if you don't use the second WAN port, it's not a bad single port router either!

Discuss this in the Forums