Double your broadband, double your fun


If only there weren't so many shortcomings: The quick-installation guide (25 pocket-book pages with tiny print) said we must provide the IP address of a timeserver during installation of the H2WR54G, but didn't say progress stops until a timeserver IP address is in place and the system verifies it. Then the guide suggested we look up timeservers on the Web, forgetting that we have no router to the Internet until we fill in a timeserver IP address in the setup screens. That's as good a Catch-22 as ever seen in a setup guide. We plugged in another router and checked its timeserver setting for a valid IP address, but we have no idea how a typical small-business owner would handle this snafu. Any of the four 10/100Base-T Ethernet ports can be used for DMZ by providing the IP address of the device to be seen on the Internet. There is no QoS support.

Firewall rules are created by choosing the PC's IP address and selecting one or more of the 16 standard services displayed. There's no way to block all users from using, for instance, MSN Messenger, only individual devices. This level of protection fits a consumer device or very small business, but not one serious about security. At least the firewall is enabled by default, as is the denial-of-service protection. There is no enterprise authentication support, such as RADIUS or even Lightweight Directory Access Protocol.

The minimal browser-based management application uses the left menu template, but none of the pages are long or detailed enough to need tabs for drilling down. Two logs are available, one system and one security, but no parsing or explanations are offered, and there's no way to send the logs via e-mail or to a Syslog server as with the other units. A well-illustrated electronic manual of just under 100 pages is included.

The second shortcoming appeared when we tried to steer outgoing e-mail to the WAN1 link using the cable connection. We couldn't figure out where on the administration screens to configure SMTP routing, so we sent an e-mail to technical support. The good news: They answered by the next morning. The bad news: There is no way to route SMTP traffic to one WAN link. This seems odd because the target audience seems to be entry-level home, home-office and small-business customers, and they are the types most likely to rely on e-mail from a service provider. Users of this router must either have their own e-mail servers or be able to send outgoing mail through a hosting service because you can't reliably send e-mail if both WAN ports are active.

WAN failover and reconnection worked, although streaming audio sessions had to be restarted. When set to backup rather than load balancing, the switch-over time from cable to DSL took about 20 seconds. Load balancing can be turned on, but the only control option is a percentage based on data transfer sessions. Feature-packed but detail-light, the Hawking's low price should make it popular with small businesses, but the minimal security settings and management control will limit its usefulness.

Fortinet FortiGate-60

Another metal box with the standard four ports of 10/100Base-T for local connections, two WAN ports and even a DMZ port, the FortiGate-60 offers a wide contrast of good and aggravating points. This was the only box we tested with USB ports for USB modem backups, even though the ZyWall includes a serial port for dial backup.

The quick-start guide is an 11- by 17-inch sheet of paper filled front and back with data, defusing the quick portion of the name. The guide demands Internet Explorer, but Mozilla's Firefox browser worked (except for a few display oddities); you must use HTTPS for a secure link.

Management screens use the left menus with submenus and tabbed pages. After initial configuration, we discovered that although instructed to gather DNS details from the ISPs and pass them along to the clients, the FortiGate-60 didn't do that reliably, meaning clients couldn't resolve Internet addresses properly. Only by loading DNS addresses deep in the configuration (System > DHCP > Server > Scope Wizard > Modify) could we guarantee that every client learned the proper DNS addresses necessary to reach sites on the Internet.

The management screen gave no clue about the performance of the WAN links because there are no statistics available. You can see if the links are connected, but you can only tell which broadband connection carries the load by watching lights flash on the front of the box. Worse, traffic won't leave the internal network out to the Internet using the second WAN link unless you make a specific firewall policy addition. Until you take this extra step (not required by other products), there's no failover support.

After going through the firewall policy steps and configuring the Distance parameter to tell the system which route is preferred, failover started working reliably and quickly.

Although the manual doesn't say it, the Distance of the failover route (in our case WAN2) must be set to a number higher than the default route's 1, such as 10. This tells the system to use WAN2 when WAN1 dies. If the distance numbers are the same, both WAN links will be used concurrently, but there is no load balancing as such. When configured, the FortiGate-60 failed over quickly and reconnected back to WAN1 quickly (about 5 seconds). The only indication on the administrative program is on a Routing Monitor page that shows WAN2 as the static, default route. The Status page still showed WAN1 as connected, but Fortinet says that's by design and represents the administrative setting. We expected actual WAN link status on the Status page.

The feature list for the FortiGate-60 is impressive, including expected VPNs, a firewall with 50 services predefined in the drop-down menu, and virus checking for files and e-mail (with the services enabled and updated from Fortinet). But you probably will need more help than the manual provides (we did). A roller coaster of enticing, frustrating, then well performing sums up the FortiGate-60. Once you fight through the setup and purchase the optional features you want, things work fairly well.

Security or access?

Based on the number of inexpensive routers for small business flooding the market, we hoped to find several dual-WAN routers that focused on Internet access redundancy. Instead, we found Internet security appliances with dual-WAN connections added as an afterthought.

We hope the market takes a hint from the Hawking's aggressive pricing and begins to offer flexible routing products for redundancy and failover while keeping advanced management and security features.

Now that so many homes and businesses have access to megabits of bandwidth relatively inexpensively, the market seems ready for ways to utilize the available broadband connections.

Company: SonicWall Cost: Between $525 and $975, depending on software. Pros: Flexible firewall rules and services; excellent security controls; quick fail over and reconnect. Cons: Aggravating DHCP installation; multiple services require more money.
Company: Zyxel Cost: About $1,050. Pros: Easy installation; copious manual; good online application notes; port flexibility (5 DMZ Ethernet ports, 1 LAN port). Cons: Little use of slower WAN link; console commands needed for SMTP outbound routing control.
Company: Xincom Cost: About $700. Pros: Easy installation and WAN setup; clear administration screens; quick, sometimes seamless, WAN fail-over. Cons: Difficult security and firewall configuration; requires Microsoft Internet Explorer.
Company: Fortinet Cost: About $700. Pros: Quick fail over and recovery; plenty of extra (optional) features available. Cons: Confusing configuration; no real-time status information on the Status page.
Company: Hawking Technologies Cost: About $130. Pros: Least expensive; includes decent 802.11g wireless access point/router. Cons: Serious installation glitch; no way to route SMTP to one WAN.
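The breakdown

| Category | Weight | SonicWall | Zyxel | Xincom | Fortinet | Hawking |
|---|---|---|---|---|---|---|
| WAN handling, load balancing support | 30% | 4 | 3.5 | 4 | 3.5 | 3 |
| Security features | 20% | 4.5 | 4 | 3.5 | 3.5 | 3 |
| Installation and configuration | 15% | 3 | 4 | 4 | 2 | 2 |
| Network monitoring | 15% | 3.5 | 3.5 | 3 | 1.5 | 3 |
| Documentation | 10% | 4 | 4 | 3 | 2 | 2.5 |
| Additional features (VPNs, DMZ, SMTP handling) | 10% | | | | | |
| TOTAL SCORE | | 3.88 | 3.78 | 3.55 | 2.88 | 2.8 |
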
Scoring Key: 5: Exceptional; 4: Very good; 3: Average; 2: Below average; 1: Consistently subpar

Copyright © 2004 IDG Communications, Inc.
