Features - more
Port forwarding on the TW100 has three options: Virtual Server, Special Applications and DMZ. The Virtual Server menu is where Port Forwarding rules can be applied. There are nine predefined traffic types, including AUTH, DNS, FTP, ISAKMP, POP3, SMTP, TELNET, and HTTP. Up to 20 forwarding rules can be created for any of the predefined traffic types or a user-defined port and then enabled or disabled with a single click. Figure 8 shows a port forwarding rule to direct FTP traffic to a specific server. Note that separate public and private port numbers can be set and one of 100 schedules can be applied to each rule.
Figure 8: Port forwarding rule for FTP
Special Applications is where triggered port forwarding rules are created. Specify an outbound port and inbound port, and the TW100 firewall will permit inbound traffic triggered by the specified outbound flow. There are six predefined applications, including Battle.net, Dialpad, ICU II, MSN Gaming Zone, PC-to-Phone, and Quick Time 4. Up to eight rules can be created so that any of the predefined applications will “trigger” the opening of the firewall to permit return or incoming traffic. Custom triggering rules can also be created for any of the predefined applications or a specified port and then enabled or disabled with a single click.
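The difference between a Virtual Server rule and a Special Applications (triggered) rule, as an added example that is not from the review or from TW100 firmware: a static forward is always open, while a triggered port opens only after a matching outbound flow and only toward the LAN host that sent it. The class and method names, IP addresses, port numbers and the 60-second idle timeout are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Firewall:
    """Toy model of two inbound-permit mechanisms (not TW100 firmware)."""
    trigger_ttl: float = 60.0                      # assumed idle timeout, seconds
    forwards: dict = field(default_factory=dict)   # public port -> (ip, private port, enabled)
    triggers: dict = field(default_factory=dict)   # outbound port -> inbound port
    opened: dict = field(default_factory=dict)     # inbound port -> (lan ip, expiry)

    def add_forward(self, public_port, lan_ip, private_port, enabled=True):
        self.forwards[public_port] = (lan_ip, private_port, enabled)

    def add_trigger(self, outbound_port, inbound_port):
        self.triggers[outbound_port] = inbound_port

    def outbound(self, lan_ip, dst_port, now):
        """A LAN host sends traffic out; a matching trigger opens the inbound port."""
        inbound_port = self.triggers.get(dst_port)
        if inbound_port is not None:
            self.opened[inbound_port] = (lan_ip, now + self.trigger_ttl)

    def inbound(self, dst_port, now):
        """Return (lan_ip, port) a WAN packet is delivered to, or None if dropped."""
        rule = self.forwards.get(dst_port)
        if rule and rule[2]:                       # enabled static rule
            return (rule[0], rule[1])
        state = self.opened.get(dst_port)
        if state and now < state[1]:               # triggered and not yet expired
            return (state[0], dst_port)
        self.opened.pop(dst_port, None)            # expired or never opened
        return None

def demo():
    fw = Firewall()
    fw.add_forward(2121, "192.168.1.10", 21)   # constructed: public 2121 -> private 21
    fw.add_trigger(6112, 6112)                 # constructed trigger rule
    results = [fw.inbound(2121, now=0),        # static rule: reachable at any time
               fw.inbound(6112, now=0)]        # no outbound flow yet: dropped
    fw.outbound("192.168.1.50", 6112, now=10)
    results.append(fw.inbound(6112, now=20))   # open, toward the triggering host only
    results.append(fw.inbound(6112, now=100))  # past the assumed timeout: dropped
    return results

if __name__ == "__main__":
    print(demo())
```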
DMZ is also included in the TW100's suite of network security options.
As noted earlier, rules for Packet Filtering and Traffic Control can be enabled/disabled based on 100 customizable time schedules, allowing you to automatically enable and disable network management. To facilitate time-based schedules, the TW100 synchs with a network time server, ensuring it is running on accurate time, including adjusting for Daylight Savings Time.
Rounding out the TW100's firewall controls are simple check boxes to allow UPnP and IGMP traffic on the LAN, as well as to permit passthru of PPTP, L2TP, and IPsec traffic. The TW100 can also detect and block DoS attacks including SYN Attacks, WinNuke, Port Scans, Ping of Death, and Land Attacks.
Overall, the TW100 firewall is simple to use, but relatively basic. There are more advanced firewall options out there, but as I'll cover at the end of this review, not many VPN firewall routers are as cost effective.
In addition to Firewall and VPN capability, the TW100 offers a few other features. These options are configured in the Advanced Settings and Toolbox menus. Advanced Settings provides configuration options for syslog, dynamic DNS support, Quality of Service (QoS) configuration, SNMP capability and basic routing support for static and dynamic (RIP v1 and v2) routes. The Advanced Settings menu is also where schedules are created for use on firewall rules, discussed earlier.
I set up a simple syslog server using the free Kiwi syslog server and configured the TW100 to send its log messages to a PC. I had to open UDP port 514 on the Windows firewall to allow the traffic to hit the syslog server, but then immediately saw messages coming in from the TW100, as shown in Figure 9.
Figure 9: Kiwi syslog server
The TW100 provides priority-based Quality of Service (QoS) for controlling upstream traffic. Configuration is done by entering an upstream bandwidth value, then specifying a traffic flow by local IP:port to remote IP:port and selecting priority High, Normal, or Low.
I did a simple functional QoS test using iperf. I set the TW100 upstream bandwidth to 10 Mbps, even though the WAN port was connected to a 100 Mbps port. (In practice, you would set this equal to the maximum upstream bandwidth provided by your ISP.) Without QoS enabled, my LAN-WAN throughput was about 90 Mbps. With QoS enabled and upstream bandwidth set to 10 Mbps, I saw LAN-WAN throughput at 9.65 Mbps, validating the 10 Mbps limit I set. The High, Normal and Low settings would then be used to raise or lower priority for specific traffic flows during periods of high network traffic.
Figure 10: Upstream QoS
The Toolbox menu provides functions for firmware management, configuration backups, resetting the device to default, rebooting the device and a few other miscellaneous functions. A nice feature in the miscellaneous menu is Wake-on-LAN functionality.
Wake-on-LAN with a VPN router is very handy and worked well for me on the TW100. If you have a PC that supports Wake-on-LAN and want to access it remotely, you can save electricity and leave it off except when needed. This is consistent with the "GREENnet" power saving feature mentioned earlier.
To use the Wake-on-LAN feature, save the MAC address of your local PC that you want to access remotely in the Wake-on-LAN menu of the TW100 (Figure 11). Then, VPN into your network, log in to the router, and click “Wake up” in the miscellaneous menu. Your PC will turn on and once it completes its boot cycle, you'll be able to access it via Remote Desktop Connection or other remote protocols.
Figure 11: Wake On LAN configuration
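What a Wake-on-LAN request looks like on the wire, as an added example that is not from the review or the vendor: the standard magic packet is six 0xFF bytes followed by the target MAC address repeated 16 times. That the TW100's “Wake up” button sends exactly this standard frame is an assumption, and the MAC address used below is constructed.

```python
import re

SYNC = b"\xff" * 6  # synchronization stream that starts every magic packet

def build_magic_packet(mac: str) -> bytes:
    """Build the 102-byte magic packet for a MAC such as 00:11:22:aa:bb:cc."""
    hexmac = re.sub(r"[:\-.]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", hexmac):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return SYNC + bytes.fromhex(hexmac) * 16

def find_wake_target(payload: bytes):
    """Return the MAC a payload tries to wake, or None if it holds no magic packet.

    The magic packet may sit anywhere inside the payload, so every
    occurrence of the sync stream is checked, not just offset 0.
    """
    start = payload.find(SYNC)
    while start != -1:
        mac = payload[start + 6:start + 12]
        body = payload[start + 6:start + 6 + 96]   # 16 copies x 6 bytes
        if len(mac) == 6 and body == mac * 16:
            return ":".join(f"{b:02x}" for b in mac)
        start = payload.find(SYNC, start + 1)
    return None

if __name__ == "__main__":
    pkt = build_magic_packet("00:11:22:AA:BB:CC")      # constructed MAC
    print(len(pkt), find_wake_target(b"junk" + pkt))
    print(find_wake_target(pkt[:50]))                  # truncated frame is rejected
```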
Missing from the TW100, however, is support for IPv6. Although many of us may not need IPv6 in our small networks today, it's already here for others and will keep those users from purchasing the product.
Routing performance for the TW100 using our standard test method and 1.00.02 firmware is summarized in Table 1. The 90 Mbps range speeds are essentially 100 Mbps wire speed, with the 141 Mbps total simultaneous result indicating that the routing section is capable of higher speeds than the 100 Mbps ports will support. And, speaking of simultaneous, the TW100 maxed out our simultaneous connection test at 34,925 sessions.
| Test Description | Throughput - (Mbps) |
|---|---|
| WAN - LAN | 93 |
| LAN - WAN | 92 |
| Maximum Simultaneous Connections | 34,925 (test limit) |
Table 1: Routing throughput
The composite IxChariot plot in Figure 12 of the three routing tests below shows upstream routing has a bit higher variation than downlink.
Figure 12: TW100-BRV214 routing throughput
Use the Router Charts for more comparisons.