|At a glance|
|Product||Linksys Dual WAN Gigabit VPN Router (LRT224)|
|Summary||Dual WAN VPN router with Gigabit ports and hardware DMZ port supporting PPTP, IPsec and OpenVPN tunnels|
|Pros||• Flexible VPN solutions for IPsec, SSL, and PPTP • Integrated with OpenVPN for SSL • Easy to use firewall|
|Cons||• Low SSL VPN Client to Gateway throughput • Protocol binding configurations can be confusing|
There are currently two routers in the Linksys product line for business, the LRT214 Gigabit VPN Router and LRT224 Dual WAN Gigabit VPN Router I am reviewing today. These two routers are identical in size, shape, number of ports, and internal components. Both routers have four LAN ports and two WAN ports. Functionality on both routers is nearly identical. The difference is the second WAN port on the LRT214 can only be used as a DMZ port, while the second WAN port on the LRT224 can be used as a DMZ port or WAN port.
I reviewed the LRT214 in March 2014. Since that review, Linksys has updated the firmware for the LRT214 and LRT224 from v1.0.1.02 to v1.0.2.06. In this review on the LRT224, I’m going to cover some of the firmware updates, a bit more of the LRT214 and LRT224 functionality, as well as the LRT224’s Dual WAN capability.
The LRT2x4 are housed in a metal case measuring 5.25″W x 7.75″D x 1.75″H with an external power supply and rubber feet for desktop use. There are slots on the bottom panel for wall mounting. The device has no cooling fans, so it runs silently.
The top of the LRT224, shown below, also has indicator LEDs near the front edge. As mentioned in my review of the LRT214, I like the VPN LED that indicates the status of the first Gateway-to-Gateway IPsec tunnel. However, I observed in my LRT214 review that the VPN LED would remain lit if the VPN Keep Alive feature was enabled, even if the tunnel was down. I was impressed to see this issue has been corrected on the LRT224 with firmware v1.0.2.06.
Top and LEDs
The rear panel of the LRT224 has the Ethernet ports, shown below. The last port on the right for the LRT224 is a WAN/DMZ port, whereas the last port on the right for the LRT214 is a DMZ port only.
The LRT214 and LRT224 share the same hardware. Below is a shot of the mainboard. Underneath the lower heatsink is a Cavium CN5020 CPU running at 300 MHz. The LRT2x4 have 32 MB of Flash memory and 128 MB of RAM. The Ethernet components include Broadcom BCM53125M and BCM54612 chips.
Below are highlights of the features listed on Linksys’ LRT224 specifications page.
- (4) 10/100/1000 LAN, (1) 10/100/1000 WAN, (1) 10/100/1000 WAN/DMZ
- Dual WAN failover, load balancing and protocol/IP binding per WAN port
- 900 Mbps NAT throughput
- RIPv1/v2, RIPng
- 802.1Q VLAN – Support for 5 VLAN IDs, DHCP servers for each VLAN
- IPv6 support including DHCPv6, 6to4 tunnels, router advertisement
- QoS – rate control and priority-based bandwidth controls
- DoS and ICMP protection
- 50 Schedule-based access rules
- 30 Port Forwarding rules
- 30 Port Triggering rules
- Static URL or keyword blocking (content filtering)
- DMZ port and DMZ host functionality
- IPsec – DES, 3DES, AES Encryption; MD5, SHA1 Authentication
- 50 IPsec Site to Site tunnels
- VPN backup for Site to Site tunnels
- 5 SSL tunnels (supports OpenVPN)
- 5 PPTP tunnels
- 110 Mbps IPsec throughput
- 12 Mbps SSL throughput
The LRT214 and LRT224 share the same manual. I commented in my review of the LRT214 that the manual was “a bit sparse on explanations, lacking configuration examples, and with a few technical errors.” The LRT2x4 manual has since been updated, and I noticed the technical error I cited has been corrected.
Further, there are now quite a few configuration examples provided in the FAQ section of the LRT2x4 support pages. Specifically, I noticed Linksys has posted configuration examples for IPsec Gateway to Gateway tunnels, IPsec Client to Gateway tunnels (for both the IPSecuritas and Shrewsoft client), PPTP tunnels, and OpenVPN tunnels.
A minor issue, still not corrected, is the LRT2x4’s options for Daylight Savings Time. The menu only allows configuring daylight savings based on month and day instead of the US daylight savings rule which goes from the second Sunday of March to the first Sunday of November.
The menus for the LRT224 with firmware v1.0.2.06 have a few differences from the menus for the LRT214 with firmware v1.0.1.02. I’ve bolded the new menu options in the below chart. There is an Outgoing Mail Server option, which I’ll discuss in the VPN section. Dual WAN configuration is unique to the LRT224, and the Session Control menu is new to firmware v1.0.2.06.
I’ll cover both in the next section of this review. Also new to the menu are the EasyLink VPN options which I’ll cover in the VPN section of this review.
The LRT’s default for Dual WAN operation is to automatically load balance traffic across both WAN links. Alternatively, you can specify one WAN link as primary and the other as secondary.
To detect WAN failure at Layer 3, which can occur if your physical WAN connection is up but there is a problem with your ISP, you can enable Network Service Detection. Network Service Detection, shown in the screenshot below, will ping your WAN default gateway, a host on your ISP network, a host somewhere on the Internet and/or a DNS resolved domain name. You can select any combination of these ping checks, but each selected check has to fail to trigger a failover.
Network Service Detection
WAN failover works well on the LRT224. I tested WAN failover on the LRT224 by running a continuous ping to google.com (ping google.com -t) from a PC connected to a LAN port on the LRT224. I then pulled the Ethernet cable connected to the WAN1 interface. Only one ping failed before the LRT224 redirected traffic to the WAN2 interface. Failover from the WAN2 interface to the WAN1 interface was equally fast with the same test.
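The rule that every selected check must fail has a practical consequence: a selection that includes a target which keeps answering can mask an outage further upstream. The following is an added example, not code from the review or from Linksys; the target names and the fault model are constructed assumptions, and the router's probe timing and retries are not modelled.

```python
# Probe targets offered by Network Service Detection, as listed in the review.
TARGETS = ("default_gateway", "isp_host", "remote_host", "dns_name")

# Constructed fault model (assumption): which probes stop answering per fault.
FAULTS = {
    "wan_cable_pulled": {"default_gateway", "isp_host", "remote_host", "dns_name"},
    "isp_upstream_outage": {"remote_host", "dns_name"},  # gateway still answers
    "dns_resolver_outage": {"dns_name"},
    "probe_host_offline": {"remote_host"},  # the WAN link itself is healthy
}


def failover_triggered(selected, unreachable):
    """Failover fires only when every selected check fails."""
    selected = set(selected)
    unknown = selected - set(TARGETS)
    if unknown:
        raise ValueError(f"unknown check(s): {sorted(unknown)}")
    # With nothing selected there is nothing to fail, so no failover.
    return bool(selected) and selected <= set(unreachable)


def coverage(selected):
    """Map each constructed fault to whether this selection would fail over."""
    return {fault: failover_triggered(selected, down)
            for fault, down in FAULTS.items()}


if __name__ == "__main__":
    for choice in (
        {"default_gateway", "remote_host"},  # misses the upstream outage
        {"remote_host"},                     # also fires when the probe host dies
        {"remote_host", "dns_name"},         # catches upstream, ignores a dead host
    ):
        print(sorted(choice), coverage(choice))
```

Selecting the default gateway together with an Internet host only fails over when the local link is down, because the gateway keeps answering during an upstream outage.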
To manage traffic flows over dual WAN links, you can map specific traffic types to a specific WAN link. For example, I set up a Protocol Binding rule to map SIP (VoIP) traffic to the WAN1 interface, shown below. However, the manual is a bit confusing regarding Protocol Binding, referencing an option called “Assigned Routing” which doesn’t appear in the Protocol Binding configuration menus.
I successfully tested Bandwidth Control in my review of the LRT214. The LRT224 allows bandwidth control rules to be applied in the same manner as the LRT214 by WAN interface. This means you can specify how much bandwidth a specific application is permitted to consume by protocol, port, and source/destination IP addresses.
Session Controls are also available to manage individual users’ Internet usage. Session controls by source IP can be applied to limit each device on your network to a maximum number of total sessions or a maximum number of UDP and TCP sessions. Alternatively, you can disable a device’s access to the Internet for up to 1440 minutes once it exceeds a specified maximum number of sessions.
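To show how the two Session Control modes differ in effect, here is an added example (not firmware code and not from the review) that replays a constructed list of new-session attempts against a per-source policy. The `SessionPolicy` fields are hypothetical names for the menu options, and the model assumes sessions stay open for the whole trace, since the page does not describe how the firmware counts or expires them.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

MAX_BLOCK_MINUTES = 1440  # longest block period mentioned in the review


@dataclass
class SessionPolicy:  # hypothetical model of the menu options
    max_total: Optional[int] = None  # cap on all sessions per source IP
    max_tcp: Optional[int] = None    # cap on TCP sessions per source IP
    max_udp: Optional[int] = None    # cap on UDP sessions per source IP
    block_minutes: int = 0           # 0 = only refuse the excess session


def apply_policy(policy, attempts):
    """attempts: (minute, src_ip, proto) in time order.
    Returns (accepted, refused, blocked_until)."""
    if not 0 <= policy.block_minutes <= MAX_BLOCK_MINUTES:
        raise ValueError("block period must be 0..1440 minutes")
    open_count = Counter()  # (src_ip, proto) -> open sessions
    blocked_until = {}      # src_ip -> minute at which the block ends
    accepted, refused = [], []
    for minute, src, proto in attempts:
        total = open_count[(src, "tcp")] + open_count[(src, "udp")]
        proto_cap = policy.max_tcp if proto == "tcp" else policy.max_udp
        over_cap = (
            (policy.max_total is not None and total >= policy.max_total)
            or (proto_cap is not None and open_count[(src, proto)] >= proto_cap)
        )
        if minute < blocked_until.get(src, 0):
            refused.append((minute, src, proto))  # host is still blocked
        elif over_cap:
            refused.append((minute, src, proto))
            if policy.block_minutes:
                blocked_until[src] = minute + policy.block_minutes
        else:
            open_count[(src, proto)] += 1
            accepted.append((minute, src, proto))
    return accepted, refused, blocked_until


# Constructed trace: one chatty host opens five UDP sessions, then tries TCP.
TRACE = [(0, "192.168.1.50", "udp")] * 5 + [
    (1, "192.168.1.10", "tcp"),
    (30, "192.168.1.50", "tcp"),
]
```

With a UDP cap of 3 the chatty host loses only its two excess UDP sessions and can still open TCP; with a total cap of 3 and a 60-minute block, its TCP attempt at minute 30 is refused as well.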
I observed in my review of the LRT214 that “the port setup screen only shows speed options for 10M and 100M.” This remains the case in the LRT224. The manual has been updated to explain that you can configure a port at 10M or 100M, or use Auto Negotiation which should configure the port at 1000M if connected to another Gigabit Ethernet device.
I connected a LAN port on the LRT224 to a Gigabit Ethernet port of a Cisco SG200-26 switch. The LRT224 status screen, shown below, confirms the LRT224 successfully auto-negotiated a 1000Mbps connection.
The LRT2x4 supports up to five 802.1Q VLANs. Each LAN port on the LRT must be an untagged member of one VLAN and can be a tagged member of 1-4 more VLANs. The LRT provides a DHCP server for each VLAN so devices on each VLAN can be automatically addressed with different subnets.
The LRT2x4 routers also support IPv6. Specifically, IPv6 6to4 tunnels are supported. 6to4 tunnels are a method to pass IPv6 traffic through an IPv4 network. Enabling support for IPv6 and 6to4 tunnels on the LRT2x4 requires a click to enable Dual-Stack mode to support both IPv4 and IPv6, as well as enabling 6to4 as the IPv6 transition method.
The LRT224 supports IPsec, SSL, and PPTP VPN connections. In my review of the LRT214, I validated the LRT2x4’s capability to set up an IPsec VPN tunnel to another brand of router, as well as to IPsec client software. As mentioned earlier, Linksys has posted configuration guides on their support site for how to use the LRT2x4 with IPsec client software from IPSecuritas and Shrewsoft.
A more advanced LRT2x4 VPN feature for IPsec gateway to gateway tunnels is the VPN tunnel backup feature. This feature allows you to specify the IP address of a second VPN router to connect to in the event an active tunnel fails.
A new VPN feature on the LRT2x4 routers available in firmware v1.0.2.06 is EasyLink VPN. EasyLink simplifies the IPsec configuration process for a gateway to gateway IPsec tunnel between two LRT routers. Standard IPsec configuration involves specifying Phase 1 and 2 encryption, authentication, timers, and key exchange (DH) methods.
With the EasyLink feature and a pair of Linksys LRT2x4 routers, all you have to do is create a user name and password and enter the IP address of the far end router to establish an IPsec tunnel. Essentially, EasyLink eliminates having to specify Phase 1 and 2 encryption, authentication, timers, and key exchange (DH) methods. Note, the LRT2x4 can support up to 50 IPsec tunnels, of which 5 are reserved for EasyLink configuration.
I upgraded the LRT214 to firmware v1.0.2.06 and set up an EasyLink tunnel between the LRT214 and the LRT224. On one LRT, I enabled the EasyLink VPN server and created an inbound EasyLink connection by entering just two values, an account name and password. On the other LRT, I created an outbound EasyLink connection by entering three values, the same account name and password, plus the WAN IP address of the far end LRT. The tunnel came right up, as shown in the screenshot below.
In my review of the LRT214, I also validated the LRT2x4’s capability to set up SSL and PPTP VPN connections. I successfully set up an SSL tunnel to a Windows PC. Further, I was able to validate PPTP tunnels from the LRT214 to a Windows PC and an iPhone.
The LRT2x4 uses the OpenVPN client for remote SSL connections. Since my review of the LRT214, Linksys has made a few improvements to further simplify OpenVPN configuration on the LRT. First, the support site now includes configuration guides on how to configure the LRT with OpenVPN using certificates, as well as how to set up OpenVPN on an Android and iOS device. Using certificates for an SSL tunnel increases security, but also increases configuration complexity. With Linksys’ guide on how to configure OpenVPN certificates, I had no problems setting it up.
Second, a feature was added in firmware v1.0.2.06 to email the client OpenVPN config directly from the router to a user’s email address. All you need to do is configure mail server settings on the LRT and you can click to email the OpenVPN config from the router to the remote user. This makes it easier to configure the OpenVPN client on the end user’s PC or device.
To measure VPN throughput on the LRT224, I used two PCs running 64-bit Windows with their software firewall disabled. Using TotuSoft’s LAN Speed Test client and server application, with a file size of 100 MB, I measured throughput over the EasyLink IPsec tunnel as well as over an OpenVPN SSL tunnel. Below are my throughput measurements.
|VPN Tunnel Type||Client-Gateway Throughput (Mbps)||Gateway-Client Throughput (Mbps)|
|IPsec Site to Site||69.2||70.8|
Table 2: VPN Throughput
Note, since my review of the LRT214, we changed our VPN throughput measuring tool from iperf to the TotuSoft LAN Speed Test tool, so a comparison of my measurements on the LRT214 to the LRT224 isn’t exactly apples to apples. However, VPN throughput appears to be improved for both IPsec and SSL.
On the LRT214 with firmware v1.0.1.02, I measured IPsec throughput at 54.1 Mbps for Client-Gateway and 62.4 Mbps for Gateway-Client. As you can see, on the LRT224 with firmware v1.0.2.06, I measured IPsec throughput at 69.2 Mbps for Client-Gateway and 70.8 Mbps for Gateway-Client.
SSL throughput was quite asymmetrical when I tested it on the LRT214 with firmware v1.0.1.02. SSL throughput is now nearly the same in both directions on the LRT224 with firmware v1.0.2.06, a nice improvement. On the LRT214 with firmware v1.0.1.02, I measured SSL throughput at 3.5 Mbps for Client-Gateway and 11.3 Mbps for Gateway-Client. As you can see, on the LRT224 with firmware v1.0.2.06, I measured SSL throughput at 11.6 Mbps for Client-Gateway and 12.3 Mbps for Gateway-Client.
Firewall options on the LRT224 with firmware v1.0.2.06 appear to be unchanged from my review of the LRT214 with firmware 1.0.1.02. The LRT’s firewall remains relatively easy to configure, with checkboxes to enable external threat protections, access rules to allow or deny traffic based on traffic type, source interface, source and destination IP address(es), and a schedule based on hours and days and basic manual content filtering.
We tested router performance using our standard test method. The results below compare the LRT214 with firmware v1.0.1.02, the LRT224 with firmware v1.0.2.06, the Cisco RV320 and the Cisco RV180.
|WAN – LAN||796.5||697||887.0||798.3|
|LAN – WAN||721.4||732.9||746.3||811.2|
|Maximum Simultaneous Connections||39,162||32,120||32,249||10,000|
Table 3: Routing Throughput
Unidirectional router throughput for firmware v1.0.2.06, shown in the IxChariot plot below, has changed a bit on the LRT2x4 from firmware v1.0.1.02 to v1.0.2.06. Downlink throughput increased and uplink declined slightly, but the differences are minor.
The composite unidirectional plot shows very steady downlink throughput peaking over 900 Mbps. This is about as good as we can measure and indicates wire-speed Gigabit downlink throughput. Uplink throughput is not as steady, with periodic downward throughput spikes.
Some of this can be attributed to quirks in IxChariot. The large jump in downlink throughput just before the 20 second mark is definitely an IxChariot quirk that we also see in 802.11ac wireless tests. The jump is an artifact of the way IxChariot handles packet aggregation on high speed links and is not a problem with the router itself.
Bidirectional router throughput again shows a definite preference for downlink traffic when both directions are fully loaded. In the end, both the LRT214 and 224 have plenty of routing throughput for most any broadband connection.
Table 4 lists throughput and pricing information for both Linksys LRT routers, as well as the previously mentioned RV320 and RV180. Note, the LRT224, RV320, and RV042 are all dual WAN routers, while the LRT214 and RV180 are single WAN routers. Pricing information is from Pricegrabber.com.
Table 4: Product Comparison
Regarding price, the LRT224 comes in about the same as the Cisco RV320. In my opinion, the LRT’s OpenVPN SSL solution is superior to the RV320’s virtual passage SSL solution. The LRT224 is only $20 more than the LRT214 and has dual WAN ports. Frankly, even if I had only a single ISP connection, I’d go with the LRT224 for future flexibility.
I concluded my review of the LRT214 saying “with a few updates to the firmware and support documentation, I think Belkin has a pretty solid VPN router with the Linksys LRT214”. I think Belkin / Linksys is moving in the right direction. With continued focus on improving firmware and support documentation, the LRT2x4 routers can become the best business routers on the market.