|NETGEAR FR114P 4 Port Cable/DSL ProSafe Firewall/Print Server|
|Summary||Next-generation, SPI-based 4 port 10/100 switched router w/ print server. Bundled with zer0knowledge’s Freedom Security and Privacy suite.|
|Update||4/30/2005 – Router now has traffic logging
7/30/2002 – Corrected performance test info.
|Pros||• Schedulable firewall rules
• Scheduled, emailed logs & alerts
• Built-in parallel-port printserver with LPR and bi-directional printer support
|Cons||• Can’t monitor or control print server via admin I/F|
NETGEAR’s FR114P Cable/DSL ProSafe Firewall is the core product of the recently introduced FR114P / FR114W / FM114P trio, which represent NETGEAR’s next-generation low-cost SOHO router family. It has a pretty nice feature set, and is pretty zippy in the throughput department, too!
The 114P comes in NETGEAR’s standard blue metal stackable cabinet. All indicators are on the front panel and include Link/Activity, and 100Mbps for each of the four LAN ports, Link/Activity and 100Mbps for the WAN, Activity and Alert for the built-in Print server, and Power and Test.
All four switched 10/100 LAN ports are on the rear panel, along with the 10/100 WAN port, power socket, Reset button, Normal / Uplink switch for port 4, and DB-25F parallel port for the print server. Yes, you read that correctly, the 114P has an auto-sensing 10/100 WAN port. Since most anything you’ll be connecting the router to will only be 10Mbps, the faster port doesn’t really provide a benefit. The main reason it’s there is that it comes as part of the new heart of the 114P (and its siblings), which is worth a little examination.
I don’t normally go into the details of the innards of the products that I review, although I do examine them all. As with PCs, there’s a great deal of similarity among SOHO routers / internet gateways, with most of the difference coming via the firmware that runs each product. Once in awhile, though, I see a new twist that bears noting, and this is certainly the case with the 114P.
The 114P uses the ADMtek 5106 Home Gateway Controller, which is a pretty slick piece of silicon! It’s not just a CPU, but also includes a non-blocking line-speed 7-port switch, WAN Ethernet interface, and five 10/100 LAN Ethernet ports. It also includes a couple of ways to add a print server, and support for both USB and two serial (dial-up/ISDN) WAN connections. About the only thing it doesn’t have is auto MDI/MDI-X capability on the LAN ports, so dedicated a shared uplink port or Normal / Uplink switch will needed if a manufacturer wants to include uplink capability.
After looking over the chip description and product profile presentation, my conclusion is that the 114P and its siblings are among the next generation of routers, which will use a single “home gateway” chip that does the job now done by three chips, and, of course, do it faster, better, and at a lower cost. I’d also expect to see this new router generation have a few more tricks up its sleeve, but I’ll let you draw your own conclusions about that, from looking over the ADMtek documentation.
Wrapping up the Basic Feature info, NETGEAR includes a printed Installation Guide, and Resource CD, and includes a normal CAT5 patch cable. The CD contains:
- PDF versions of the Installation guide and Reference Manual,
- some helpful info on setting up port forwarding, including a list of ports used by popular applications
- setup information for major broadband ISPs
- a copy of the Adobe Acrobat Reader installer
- a copy of NETGEAR’s Installation Assist
- a copy of zer0knowledge’s Freedom Anti-Virus program (Version 3.2)
The 114P’s setup and browser-based admin system is virtually identical to that used on NETGEAR’s popular VPN-endpoint router, but with some important differences that make the 114P much easier to use. Since I covered the admin features pretty well in the FVS318 review, I’ll just highlight the 114P’s differences here:
The unsizable-right-hand-frame problem has been fixed in the 114P. You can reduce the frame down to just a thin scroll bar, thus maximizing the center frame, which is were all the admin action is.
The 114P still uses same target window for all status pop-ups, but now the window is at least resizable.
You can do a reset-to-factory-defaults, but now also reboot the router via the admin interface.
- The log time-stamp problems seem to be fixed.
I found the same bugs in the admin login, which I’m repeating here since one can allow unauthorized users into your router and the other can prevent you from remotely accessing the router:
1) When you try to log into the router after being automatically logged out due to inactivity, you’ll be presented with the authentication/login box, but you’ll see the admin interface be refreshed in the browser window. If you just cancel the login box and refresh the browser, you’ll be back in without having to re-enter your login info. If you quit your browser between the time you’re auto logged out and when you try to re-login, you’ll have to enter the proper login info, however.
2) If an administrator (let’s call them Admin #1) quits their browser without logging out of the router and then Admin #2 else tries to log in from a different computer, Admin #2 will get the “Duplicate Administrator” message and not be able to log in. Admin #2 will have to wait until the auto-logout time expires, or have Admin #1 log back in from Admin #1’s computer, then log out to free up the session.
Let’s move on to the Firewall.
Firewall, Port Mapping & Filters
Although the FVS318 and FR114P’s firewalls are both SPI-based, the 114P’s firewall has a very different, and more flexible, interface than the 318’s. The 114P uses a Rules and Services model, which is used to control all port usage through the firewall.
Figure 1: Firewall Rules
(click on the image for a full-sized view)
Outbound Service rules (commonly known as Port Filters), are used to specify a range of ports, i.e. a service, that are either allowed or blocked from a range of LAN IP addresses to a range of WAN (Internet) IP addresses.
Inbound Services (usually known as Port Forwarding), have the same configuration features as Outbound Services, but are used to allow access to servers on your LAN that are behind the 114P’s firewall. Note that server “loopback” is supported for Inbound Services.
The 114P comes with service definitions for commonly used services such as HTTP (Web), FTP, and others, which you can pick from a drop-down list. When you need a service that’s not pre-defined, you can add it via the Custom Services screen, shown below.
Rules have a few other handy features. Although both Inbound and Outbound rules are schedulable as shown below, there is only one schedule, which can be applied on a rule by rule basis. You can also control the logging of each rule with selections of Never, Always, Match, and Not Match, as well as the order of precedence for rules in both directions. But note that there is no ability to set an outbound trigger port for the Inbound Services… the service mappings are static only.
As with the FVS318, you can exert finer control (than blocking all access with Outbound Services) over the websites that your users visit via the Block Sites feature. But in the 114P’s case, the Block Sites feature is not schedulable, and applies to websites only (vs. websites and newsgroups). You can still enter one “Trusted” IP address that will get unfiltered Internet access, however.
The 114P’s VPN support is pass-through only, but can handle multiple sessions to different remote VPN gateways for PPTP, IPsec, and L2TP protocols. Mapping of LAN based VPN servers for all three VPN protocols is handled, too, as long as you establish the proper Inbound services and rules.
Logging and Other Features
The Logging feature can selectively record the following events:
- Router operation (start up, get time etc)
- Connections to the Web-based interface of the router
- Known DoS attacks and Port Scans
- Attempted access to blocked sites
You can view, clear, refresh, and immediately send the log to one designated email address, or schedule the emailing of the log on an hourly, daily, weekly, or “when full” basis. Immediate email alerts can also be sent which are triggered by three different types of events.
Unfortunately, you don’t get general traffic logging, so can’t keep track of the sites that your users are visiting. Syslog or SNMP trap support would also be useful for log analysis and archiving, but for now, the emailed reports will have to do.
Update 4/30/2005 – Current firmware supports website and newsgroup traffic logging
Print Server & Other Features
The built-in parallel-port print server worked without a hitch when I tested it from a WinXP home machine using XP’s LPR service. The instructions in the Reference Manual were clear and I printed on the first try. NETGEAR also includes a print port driver, that I didn’t try, for Win95/98 users, or those folks who’d rather not use LPR with Win NT, 2000, or XP. The Reference Manual contains LPR setup info for MacOS 8, 9, and X, too.
NETGEAR’s spec says that bi-directional printers are supported, but I’d take that with a grain of salt, at least until some confirmation of this comes in from users.
The down side of the print server is that the only admin interface is two LEDs on the printer’s front panel, which indicate printer ready/activity, and whether the printer has thrown an error. It would be nice if you could have an email alert sent to you if the printer had a problem, and an admin screen that showed status, queue, and error messages, and let you kill and arrange jobs in the queue. Hope it’s on the list for a future firmware rev!
The router has a few other features that I haven’t mentioned, such as:
- you can set the router’s MTU (Maximum Transmission Unit) value (useful in getting some PPPoE-based connections to work)
- you can set and view 8 static routes (useful in networks that have more than one subnet)
- dynamic routing protocols RIP1, and RIP 2B, and RIP 2M are supported
- you can enable the router to respond to WAN ping requests (this is disabled by default, which is good security practice)
- dynamic DNS support is built-in for using dyndns.org.
• WAN to LAN tests are all run with LAN endpoint in DMZ
• LAN to WAN tests are run with LAN endpoint not in DMZ, except UDP Stream
The ADMtek chip looks like it provides more throughput than most users will ever need. The only weakness in the routing engine seems to be in the UDP streaming handling, which looks like it has trouble keeping up with a 500kbps stream rate. I don’t think this will be noticed in real life performance, however.
Update 7/30/2002 – The Performance test results have been republished, using a new test method for SPI+NAT routers. This has dropped the top LAN to WAN measured speed slightly and significantly lowered the WAN to LAN speed.
LAN to WAN test results with the LAN endpoint in DMZ are:
- Throughput – 1.5Mbps
- Response Time – 543mS avg / 545ms max.
For more information on the new test methods, read the “How we Test” page linked above, and the SMC 7004VBR review Performance section.
Routing Performance Test Results
|Test Description||Transfer Rate (Mbps)||Response Time (msec)||UDP stream|
|Throughput (kbps)||Lost data (%)|
|WAN – LAN||1.44||556 (avg)
|LAN – WAN||14.5||55 (avg)
|Firmware Version||V1.1 Release 00|
See details of how we test.
NETGEAR has done a nice job with the FR114P, packing fast SPI-based routing, schedulable firewall rules, blazing fast routing speed, and a parallel-port print server into a next-generation router with a street price of under $100. It’s definitely one to put on your short list!