A key element of Cradlepoint's WiPipe technology is Quality of Service, or QoS. According to Cradlepoint's whitepaper, WiPipe-equipped routers can employ dynamic QoS functionality when using the 3G/4G modem for Internet access. In addition, the MBR900 supports Wireless Intelligent Stream Handling (WISH) and detailed Traffic Shaping. These features all come courtesy of the Ubicom CPU.
Dynamic QoS is an interesting concept. Cradlepoint's whitepaper states a “WiPipe powered router is capable of identifying the wireless environment in which it is deployed, and … can automatically self-configure for best performance.” As shown in my speed test results, the MBR900 performs as well as a far more powerful laptop connected to the same USB modem.
By default, WISH prioritizes HTTP and Windows Media Center traffic over the WLAN. Custom rules can be applied to all protocols, TCP, UDP, TCP and UDP, ICMP, or a specific protocol. A custom rule can be applied to a specific IP address or range, as well as a specific port or port range. Four different priorities can be assigned to a wireless traffic type, from Background (low priority) to Voice (top priority).
The traffic shaping feature has both an automatic element and a manual configuration element. The automatic element, as previously described, attempts to estimate your upload speed and determine whether you have a Cable or xDSL Internet connection. I enabled auto, which required a reboot, and observed the below screen when the router came back up.
Figure 11: Traffic shaping
As previously mentioned, the router somehow determined my upload speed on my DSL connection to be 1518 Kbps when it actually was 650 Kbps. It was even further off when estimating the upload speed on the USB modem. Thus, if using traffic shaping on the MBR900, you’re better off manually entering your connection speeds.
Manual traffic shaping is done by specifying your Internet connection speeds and by creating detailed traffic shaping rules. Traffic shaping rules use options similar to WISH rules and can be applied to all protocols, TCP, UDP, TCP and UDP, ICMP, or a specific protocol. Traffic priority is assigned a number from 1-255, with 1 being top priority. Traffic shaping rules also require specifying source IP and port ranges, as well as destination IP and port ranges.
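To make the rule fields concrete, here is an added sketch (not Cradlepoint's firmware logic or code from this review) that models a traffic shaping rule with the fields described above and classifies sample packets. The class and function names, the sample rules and addresses, and the tie-break (the lowest priority number wins when several rules match) are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address

def _in_range(value, bounds):
    low, high = bounds
    return low <= value <= high

def _ip_in_range(addr, bounds):
    return _in_range(ip_address(addr), tuple(map(ip_address, bounds)))

@dataclass(frozen=True)
class ShapingRule:       # hypothetical model of one rule, not the router's schema
    name: str
    priority: int        # 1-255, where 1 is top priority (as the review states)
    protocol: str        # "ALL", "TCP", "UDP", "BOTH" (TCP and UDP) or "ICMP"
    src_ips: tuple       # inclusive (first, last) IPv4 address strings
    src_ports: tuple     # inclusive (first, last) port numbers
    dst_ips: tuple
    dst_ports: tuple

    def __post_init__(self):
        if not 1 <= self.priority <= 255:
            raise ValueError(f"{self.name}: priority must be 1-255")

    def matches(self, proto, src_ip, src_port, dst_ip, dst_port):
        if self.protocol == "BOTH":
            proto_ok = proto in ("TCP", "UDP")
        else:
            proto_ok = self.protocol in ("ALL", proto)
        if not (proto_ok and _ip_in_range(src_ip, self.src_ips)
                and _ip_in_range(dst_ip, self.dst_ips)):
            return False
        if proto == "ICMP":      # ICMP carries no ports; addresses decide
            return True
        return (_in_range(src_port, self.src_ports)
                and _in_range(dst_port, self.dst_ports))

def classify(rules, packet):
    """Return the winning rule for a packet, or None if nothing matches.
    Assumption: among several matching rules, the lowest number wins."""
    hits = [rule for rule in rules if rule.matches(*packet)]
    return min(hits, key=lambda rule: rule.priority, default=None)

ANY_IP, ANY_PORT = ("0.0.0.0", "255.255.255.255"), (0, 65535)
LAN = ("192.168.0.2", "192.168.0.254")      # constructed LAN range
RULES = [                                    # constructed sample rules
    ShapingRule("voip", 1, "UDP", LAN, ANY_PORT, ANY_IP, (5060, 5061)),
    ShapingRule("web", 50, "TCP", LAN, ANY_PORT, ANY_IP, (443, 443)),
    ShapingRule("bulk", 255, "ALL", LAN, ANY_PORT, ANY_IP, ANY_PORT),
]
```

A catch-all rule at priority 255, as in the sample set, makes the treatment of unmatched LAN traffic explicit instead of leaving it to the device's default.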
The MBR-900 has quite a few options for managing traffic flows on the network. There are nine different menus for controlling security functions on the router. Those menus are Access Control, Firewall, Gaming, Inbound Filter, MAC Address Filter, Special Applications, Virtual Server, and Web Filter.
The Access Control menu enables creating and applying a detailed filtering rule that can run on a specific schedule; apply to one or more hosts on the LAN; log, filter, or block all web traffic; block traffic to specific IP and port ranges; and log web access.
For example, an Access Control rule is needed to apply Web Filtering to specific PCs on the LAN. I created the rule shown below to apply web content filtering to a specific PC.
Figure 12: Access control policy
The Firewall menu has numerous radio button and check box options for enabling/disabling functions such as Stateful Packet Inspection, UDP and TCP endpoint filtering, as well as the ability to create a DMZ for a single PC. Enabled by default are application layer gateways (ALG) for PPTP, IPSec, RTSP, MSN, FTP, H.323, SIP, WOL, and MMS.
Sometimes ALGs improve connectivity for various services; sometimes they interfere. In my day job, we often advise VoIP customers to disable SIP ALGs in their routers. I was impressed that even with the MBR-900’s SIP ALG enabled, I was able to use my company VoIP phone.
Gaming options enable opening the firewall for 27 common network-based games, shown below. Custom game rules can be created for other applications based on TCP and UDP ports. Game rules can then be applied to specific PCs and on a custom-defined schedule.
Figure 13: Firewall gaming rules
Inbound filters can be applied to restrict inbound traffic to predefined IP addresses or ranges. Further, devices can be allowed or denied Internet access with the use of the MAC Address Filter.
Application rules can also be created. These are similar to Gaming rules, but instead of applying the rule to specific devices, the rule is applied to all devices connected to the MBR. There are six prebuilt applications (AIM, BitTorrent, Calista, ICQ, MSN, and PalTalk), and more can be created based on TCP or UDP port numbers.
Virtual Server rules can also be created, which is a nice way to set up port forwarding. Twelve typical network server applications are prebuilt, such as Telnet, HTTP, DNS, etc., for forwarding specific outside traffic directly to an internal server.
The Web Filtering menu is where content filtering is enabled and customized. The MBR-900 uses OpenDNS for web traffic filtering. Enabling OpenDNS connects the MBR-900 to the free OpenDNS service. I have been using the free OpenDNS service in my home for some time, and I was pleased to see it built into this router. Instead of filtering traffic based on URLs, OpenDNS won’t resolve objectionable websites, instead returning a warning page as shown below.
Figure 14: Access block message
With OpenDNS enabled on the MBR-900, the device will use OpenDNS’ DNS IP address and one of 5 different levels of filtering, labeled minimal, good, better, best, or custom, as shown below. You’ll also notice after you’ve enabled OpenDNS that the DNS IP addresses have changed on the MBR’s WAN interface.
Figure 15: OpenDNS content filtering options
In addition to OpenDNS web content filtering, the MBR-900 allows you to create a whitelist or blacklist of specific URLs. With a whitelist, the router will only permit access to the listed sites. With a blacklist, the router will block access to the listed sites and present a web page such as the one shown below.
Figure 16: Website block message
I've tested several UTM (Unified Threat Management) security devices, which usually come with a monthly subscription fee for features like web content filtering. The MBR900 provides all the above security features without any additional monthly costs.