|At a glance|
|Product||Linksys Gigabit VPN Router (LRT214) [Website]|
|Summary||VPN router with Gigabit ports and hardware DMZ port supporting PPTP, IPsec and OpenVPN tunnels|
|Pros||• Flexible VPN solutions for IPsec, SSL, and PPTP
• Integrated with OpenVPN for SSL
• Easy to use firewall
|Cons||• Software and manual “glitches”
• Low SSL VPN Client to Gateway throughput
Early in 2013, Cisco sold its Linksys brand to Belkin, with the deal completing in March of 2013. In November 2013, Belkin relaunched a small business line of Linksys products, including multiple unmanaged switches, IP cameras, access points and two VPN routers.
The LRT214 Gigabit VPN Router and LRT224 Dual WAN Gigabit VPN Router are nearly identical, sharing the same physical design and components. The difference is that one port on the LRT214 is a DMZ only port, while the same port on the LRT224 is a WAN/DMZ port. This makes the LRT214 a single WAN router and the LRT224 dual WAN. Linksys sent the LRT214 for review, so that’s what I’m looking at today.
The LRT214 is housed in a metal case measuring 5.25″W x 7.75″D x 1.75″H. The power supply is external and cooling is passive, so the device runs silently. There are two slots on its bottom for wall mounting. Physically, the LRT214 is very similar to the original Linksys RV042 I reviewed in 2007.
The front of the LRT214 is simply the Linksys name, as shown at the top of this review. On the top of the front edge are the indicator LEDs shown below. I like the VPN light, which indicates the status of the first Gateway-to-Gateway IPsec tunnel. However, I noticed if you use the Keep Alive feature in your IPsec tunnel config, the VPN LED will remain lit even if the tunnel is down.
The rear panel of the LRT214 has the Gigabit Ethernet ports, shown below.
As mentioned in the introduction, the LRT214 and LRT224 share the same components. When I opened it up to take inventory, I was struck at the board’s uncanny resemblance to the Cisco RV042G board. See for yourself in the side-by-side composite below.
Underneath the lower heatsink is a Cavium CN5020 CPU running at 300MHz. The LRT214 has 32 MB of Flash memory and 128 MB of RAM. Under the upper heatsink is a Broadcom BCM53125M 7 port Gigabit switch. A BCM54612 Gigabit Ethernet transceiver sitting to the heatsink’s right helps out the switch.
Linksys LRT214 and Cisco RV042G boards
The LRT214/224’s key components are summarized in Table 1, with the Cisco RV042G and RV042 v3’s for comparison. It appears that the LRT214 is hardware-wise a Cisco RV042G clone with a dual-core vs. single-core CPU.
|Linksys LRT214||Cisco RV042G||Cisco RV042 v3|
|CPU||Cavium CN5020 CPU @ 300MHz||Cavium CN5010 @ 300MHz||Cavium CN5010 @ 300MHz|
|Switch||Broadcom BCM53125M 7 port Gigabit switch & BCM54612 Gigabit Ethernet Transceiver||Broadcom BCM53125M + BCM54612E||Realtek RTL8309G|
|RAM||128 MB||128 MB||128 MB|
|Flash||32 MB||32 MB||32 MB|
|PLD||Lattice LCMX0256C||Lattice LCMX0256C||Lattice LCMXO2-256|
Table 1: RV042G / RV042 v3 component summary
The list below summarizes features listed on Linksys’ LRT214 specifications page.
- (4) 10/100/1000 LAN, (1) 10/100/1000 WAN, (1) 10/100/1000 DMZ
- 900 Mbps NAT throughput
- RIPv1/v2, RIPng
- 802.1Q VLAN – Support for 5 VLAN IDs, DHCP servers for each VLAN
- IPv6 support including DHCPv6, 6to4 tunnels, router advertisement
- QoS -rate control and priority based bandwidth controls
- DoS and ICMP protection
- 50 Schedule-based access rules
- 30 Port Forwarding rules
- 30 Port Triggering rules
- Static URL or keyword blocking (content filtering)
- DMZ port and DMZ host functionality
- IPsec – DES, 3DES, AES Encryption; MD5, SHA1 Authentication
- 50 IPsec Site to Site tunnels
- 5 SSL tunnels
- 5 PPTP tunnels
- 110 Mbps IPsec throughput
- 12 Mbps SSL throughput
The LRT214 is configured via web browser. The menus are responsive and have a basic, straightforward layout, with tabs for System Status, Quick Start, Configuration, Maintenance and Support. The Status page shows the current system information, port status, firewall status, and VPN status. Below are screenshots of the Status page from top to bottom. The Maintenance and Support menu tabs were clipped to better show page detail.
Status Screen, Top
Status Screen, Bottom
The Quick Start tab provides a wizard for configuring the WAN and LAN interfaces, setting the time, and changing the password. Note, the LRT214’s time configuration supports NTP. But the option for Daylight Savings only allows configuring daylight savings based on month and day instead of the US daylight savings rule, which goes from the second Sunday of March to the first Sunday of November.
The Support tab provides links that take you to Linksys’ product and Support pages. You can download the 75 page User Guide from the Support page. I found it a bit sparse on explanations, lacking configuration examples and including a few technical errors. An example is that page 13 of the manual has incorrect subnetting details.
I contacted Linksys for examples of VPN configurations and they provided draft documents of useful examples with screenshots. I was encouraged to hear they intend to post these examples on the support site in the future.
The Configuration tab is where you’ll find the bulk of the configuration options. The table below summarizes the LRT214’s menu tree.
Table 1: Menu tree
There are six 10/100/1000 Ethernet ports on the LRT214. Four of the ports are LAN ports, one port is a WAN port, and the other port is a DMZ port. As mentioned earlier, the DMZ port can also function as a second WAN port on LRT224.
The LRT214 is a Gigabit VPN router, which we verified in our testing. However the port setup screen shows only speed options for 10M and 100M as displayed below. The LRT manual states there should be options for 10M, 100M, and 1000M.
The LRT214 has two means of managing bandwidth. First, rate control rules can be set up to manage throughput by traffic type to specific IP addresses. Second, priority rules can be set up to provide High or Low priority by traffic type. There are 22 pre-defined traffic types. Additional traffic types can be defined by TCP/UDP/IP and port number.
I set up a simple rate control rule to limit throughput to 500 Kbps on a connection from a PC on the WAN side of the LRT to a PC on the LAN side of the LRT. Prior to putting the rule in place, I could transmit data between the two PCs in excess of 100 Mbps. With the rule active, shown below, I could only transmit date between my two PCs at 483 Kbps, validating the effectiveness of the LRT’s rate control capability. My rule configuration is shown below.
Bandwidth Rate Control
As mentioned, priority rules can also be set based on High or Low priority by traffic type. In addition, traffic can be prioritized in the port setup menu by physical port. However, the manual doesn’t go into detail what the LRT will do with Low priority traffic during periods of high utilization.
VLAN & IPv6
The LRT214 supports up to five 802.1Q VLANs. Each LAN port on the LRT must be an untagged member of one VLAN and can be a tagged member of 1-4 more VLANs. The LRT provides a DHCP server for each VLAN so devices on each VLAN can be automatically addressed with different subnets.
I was able to successfully test 802.1Q VLANs on the LRT214. As you can see in the screenshot below, ports 1-4 are by default in VLAN 1. I set up VLANs 3-5 and made port 3 on the LRT an untagged member of VLAN 4, plus a tagged member of VLAN 3 and 5.
I configured a trunk port on a switch with matching configurations and connected port 3 on the LRT to this trunk port. I then configured three ports on my switch, all as access ports, to be members of VLANs 3,4, and 5 respectively. Plugging a PC into each of these three access ports validated the VLAN capability of the LRT as the PC received an IP address from the corresponding DHCP server for each VLAN.
The LRT also supports IPv6 addressing. It can be configured to run in Dual Stack mode, meaning it will support IPv4 and IPv6 simultaneously. Additional IPv6 functionality include IPv6 router advertisement, DHCPv6 and 6to4 tunnels.
The LRT214 supports IPsec, SSL, and PPTP VPN connections. IPsec is supported for Gateway-to-Gateway and Client-to-Gateway tunnels. SSL and PPTP is supported for Client-to-Gateway tunnels. The LRT214 supports up to 50 IPsec tunnels, 5 SSL tunnels, and 5 PPTP tunnels.
For remote IPsec tunnels, Linksys supports the Shrew Soft client for Windows and Linux, and the Lobotomo IPSecuritas client for MacOS. For remote SSL tunnels, the LRT214 supports OpenVPN clients for Windows, MacOS, Android, and iOS devices. Finally, remote PPTP tunnels are also supported, which are natively supported by Windows, MacOS, Android and iOS devices.
Standard IPsec technologies are supported, including DES, 3DES, and AES encryption, along with SHA-1 and MD5 authentication. I was able to set up a Gateway-to-Gateway tunnel on the LRT214 to a ZyXEL ZyWALL 110 without issue. Following Linksys’ support guide for a Shrew Soft IPsec tunnel, I was also able to set up a Client-to-Gateway tunnel. In the screenshot, you can see I have both IPsec tunnels connected.
I find Linksys’ strategy for remote access software interesting. Instead of providing custom client software for remote access, Linksys has enabled the LRT214 to work with freely-available VPN client software.
I found especially interesting the LRT214’s integration of OpenVPN support. I use OpenVPN software on a Windows 8.1 PC for remote access to my day job. In my experience, OpenVPN is easy to use and reliable. OpenVPN provides client software for Windows, Macs, iPhones/iPads and Android devices.
The neat thing about the LRT214’s configuration for OpenVPN is all you do is enable the server, enable the client and configure a user name and password. You can customize the server settings for authentication options (password, certificate, or both), IP addresses, protocol, port, encryption and tunnel type if you like. But I found the defaults worked just fine.
Once you’ve enabled the server and client on the LRT214, the OpenVPN summary page allows you to click on an Export icon and download your SSL configuration file. On Windows, simply copy this file into the C:/Program Files/OpenVPN/config directory, and you’re ready to connect to the LRT214. Shown below is the LRT214’s OpenVPN summary page showing my active SSL tunnel. I circled the Export icon where you click to download the config file.
The LRT214 also supports OpenVPN connectivity on Android and iOS smartphones. However, the easiest option for smartphone remote access is to use PPTP tunnels, which doesn’t involve loading an app. On the LRT214, enable the PPTP server and add a user name and password. On my iPhone, all I had to do was enter the LRT’s WAN address, I used a DynDNS host name for the LRT’s WAN address and entered my user name and password to connect. Below is a screenshot of the LRT214’s PPTP config and status page…
…as well as a screen shot from my iPhone when connected to the LRT214 via PPTP.
iPhone and PPTP
To measure VPN throughput, I used iperf with default TCP settings, a TCP window size of 8 KB and no other options. I ran iperf on two PCs running 64-bit Windows with their software firewall disabled over a Gigabit network. (Running an iperf throughput test between two PCs uses the command iperf -s -w 8k on one PC and iperf -c (ip) -w 8k on the other PC.)
Below is a table showing my throughput measurements on the LRT214 with IPsec, SSL, and PPTP. IPsec was tested using AES 256 tunnel encryption.
|VPN Tunnel Type||Throughput (Mbps)|
|IPsec Site to Site||54.1||62.4|
Table 2: VPN Throughput
As listed in the features section above, Linksys rates the LRT214 capable of 110 Mbps for IPsec, which is higher than my measurement of 48.8 – 63.0 Mbps. A key difference is that Linksys’ rating is based on UDP traffic, while my test measured TCP traffic. We always measure VPN performance with TCP traffic, as it is the protocol used for common network applications like web browsers and email clients.
Linksys told me the LRT214 should be able to do 10-12 Mbps for SSL. In my tests, SSL throughput was asymmetric at 11.3 Mbps in one direction and 3.5 Mbps in the other. The 3.5 Mbps measurement reflects throughput of traffic sent from the remote client to the LRT’s LAN. If most of your remote traffic is going from the LRT’s LAN to the remote client, than this lower SSL Client-to-Gateway performance may not be a concern.
I measured the LRT214’s PPTP throughput to be more symmetric at 10.7 – 13.0 Mbps. Linksys didn’t provide a PPTP throughput rating for me to compare to.
The LRT’s firewall has an easy to configure firewall with three sets of controls. The first set of firewall controls are simple check boxes to enable/disable the Firewall, Stateful Packet Inspection (SPI), DoS Prevention, Block WAN Requests, Remote Management, HTTPS, Multicast Passthrough, and UPnP. You can also block Java, Cookies, Active X, and Access to Proxy Servers, as shown below.
The second set of firewall controls are Access Rules. Up to 50 Access Rules can be created to allow or deny traffic based on traffic type (as described previously in my discussion on bandwidth rate controls), source interface, source and destination IP address(es), and a schedule based on hours and days.
The screenshot below shows an access rule I created to block iperf traffic leaving the LAN interface. Prior to implementing the rule, I could establish an iperf connection from the LAN to a PC on the WAN. With my rule in place, I could not establish an iperf connection, validating the effectiveness of the rule.
Access Rule Example
The third set of firewall controls on the LRT214 is basic manual content filtering. The LRT214’s content filtering allows for blocking web traffic based on domain name and keywords and can be applied by a schedule based on hours and days. As a test, I created a rule to block web traffic to smallnetbuilder.com and got the message “This URLs or Page has been blocked.”
In my opinion, manual content filtering has limited effectiveness, because it is only as good as the administrator who enters the domains and keywords. There is also usally a low ceiling on the number of domains and keyword that can be entered. On the other hand, there is no subscription fee for manual content filtering. If more content filtering is desired, there is always the option of using OpenDNS.
We initially tested the LRT214 with firmware v1.0.1.01, using our standard test method. Our maximum simultaneous connections test, which reflects how many concurrent sessions a router can handle, indicated the LRT214’s limit was 345, a surprisingly low number. Linksys found the low result was due to the router interpreting our connection test tool’s traffic as an attack, which it blocked.
|WAN – LAN (Mbps)||697||609||887||798|
|LAN – WAN (Mbps)||733||492||746.3||811|
|Total Simultaneous (Mbps)||752||739||832||1,192|
|Maximum Simultaneous Connections||32,120||24,061||32,249||10,000|
Table 3: Routing Throughput performance
The new firmware brought the maximum simultaneous connections test result up to 32,120, which is where the test ran into in-use Windows ports, ending the test.
Unidirectional router throughput, shown below, remained about the same from firmware.01 to.02. We measured 697 Mbps for download and 733 Mbps for upload with firmware.02.
Bidirectional router throughput showed a definite prioritization of downlink over uplink traffic when the router is running as hard as it can. This behavior was also seen in the.01 firmware.
Table 4 summarizes performance and pricing for both LRT routers, as well as several Cisco VPN routers we have reviewed. Note the LRT224, RV320, and RV042 are all dual WAN routers, while the LRT214 and RV180 are single WAN routers. Pricing information is from Pricegrabber.com.
Table 4: Comparison summary
* RV042G was tested using IxChariot
From a price perspective, the LRT214 is $60 more expensive than the RV180 for single WAN routers and the LRT224 is $27 more expensive than the RV320 for dual WAN routers. The Linksys LRT and Cisco RV series routers all include limited lifetime warranties.
The LRT’s WAN-LAN and LAN-WAN throughput is clearly a step up from the RV042 but comparable to the Cisco RV320, RV180 and RV042G. Moreover, the LRT has the highest IPsec throughput measured among these devices.
I like how Linksys has configured the LRT to work with freely-available VPN software such as Shrew Soft, Lobotomo, and OpenVPN. I especially think OpenVPN is a good idea for SSL VPNs. As mentioned, I’ve been using OpenVPN for years and have had a positive experience with it. In my tests, Linksys’s OpenVPN solution is superior to the RV320’s SSL solution, as I found the Cisco virtual passage SSL driver problematic. Note, the RV180 does not support SSL VPNs.
In conclusion, the LRT214 was stable and never hung or crashed in my tests. Performance wise, the LRT214, RV180 and RV320 are relatively close. The differentiator is SSL VPN capability. For remote PC connectivity, I think SSL VPNs are a better solution than IPsec and PPTP. With a few updates to the firmware and support documentation, I think Belkin has a pretty solid VPN router with the Linksys LRT214.