The PhoneBoy Blog


Simplifying Telecom, Mobile Phones, Gadgets, Health, and More!

Nexland ISB Pro 800 Turbo and WaveBase Review

I recently received an offer to test drive a hardware-based firewall solution designed for SOHO use. Being the hardware junkie that I am, I agreed to have a look at Nexland's products. I was sent a couple of units for review, the ISB Pro800turbo and the ISB WaveBase. Both units are reasonably similar. The Pro 800turbo includes an 8-port 10/100 switch and allows you to load balance between two Ethernet-based broadband connections and the WaveBase includes a 4-port 10/100 switch and connectivity via an 802.11b wireless interface. Nexland has a variety of other products at various price points, which have a similar feature set.

Overall, I was impressed with how easy these products were to get set up. The Pro800turbo was plugged in, configured, and functioning with my @Home cable service in less than ten minutes. The documentation explained everything step by step with pictures and explanations an average Joe can understand. The feature set for these devices is quite impressive, allowing for quite a number of different ADSL/Cable Modem setups to work fairly easily. However, there were a few rough spots, which I will explain a bit later.

First, let me say what I like:

Good docs for basic setup.
They even include a few servers with IP addresses for troubleshooting lack of DNS functionality, which is a nice touch.

Web interface fairly self-explanatory.
If not, the help screens are generally helpful.

Some configuration possible over Serial.
Useful, for example, when you need to integrate the product into an existing network and the same IP address space is already being used or another DHCP server is present.

Can manipulate routing tables.
Aside from Static Routes, RIPv2 is supported.

Can use one IP for many external servers.
Through a feature called "Virtual Servers," you can make your single routable address serve many different services. Aside from several pre-defined Virtual Servers for things like telnet, ftp, http, IPSec, PPTP, and so on, you can also define your own. 

Dynamic DNS Support.
Provides support for dyndns.org and tzo.com's Dynamic DNS Service. This allows you to assign a DNS name to your non-static or even semi-static IP address.

IPSEC Passthru Support for Multiple Clients.
This allows VPN Clients behind the Nexland router to access VPN gateways via IPSec. More specifically, it allows multiple clients to access the same VPN endpoint, which is usually problematic. The high-end routers such as the Pro800turbo and the WaveBase support an unlimited number of IPSec connections to the same server. The lower-end Nexland routers support a limited number of IPSec connections. I tested this with Nokia's VPN Client both in IPSec mode and UDP Encapsulation mode (i.e. IPSec over NAT) and it worked beautifully. I also tested this with Check Point's SecuRemote, using both native IPSec mode and UDP encapsulation mode, and it worked as well.

Load Balance or failover between 2 Broadband Connections.
For the Pro800turbo, you can configure two different broadband connections. These can either be primary/backup or load balanced. 

Configurable Keepalive and Connection Check.
By default, the Nexland routers ping the default route. If this isn't possible or an inaccurate way to validate the broadband connection is alive, you can configure an IP address or a URL for the unit to check every so often. If your DHCP address is re-allocated based on inactivity, you can tell the unit to attempt to keep the DHCP address by issuing "keepalives."

Analog Fallback.
All of Nexland's products support fallback to an analog connection over a serial line. The serial port works all the way up to 230,400bps, which means it will support ISDN with both B channels (128k). This failover can be automatic, depending on how you've configured it. A number of modems are supported out of the box, though you can configure initialization and dialing strings as necessary.

Upgradeable Firmware.
Firmware on all of Nexland's products is flashable via tftp. This flash upgrade facility is controlled by two DIP switches on the box itself, so nobody can simply tftp a flash file to the Nexland router without having physical access to it.

However, no product is without its flaws. Some might view these as "nits" or even inappropriate requests for this type of product, but I have high expectations, what can I say? :-)

Inadequate Documentation for Wireless LAN Setups.
While there isn't much to configure really, one major part of the configuration needed more documentation -- WEP. It turns out that not every vendor implements WEP the same way. What Nexland calls 128-bit WEP is exactly that, but the secret key is only 104 bits; the other 24 bits are the "initialization vector". Nokia's C110 cards, which I normally use, actually allow you to specify a secret key of 128 bits. As such, when I tried to enter a 128-bit WEP key, I had problems because the Nexland unit was only accepting 104 of the bits. Nexland's Technical Support set me straight on this point; however, their manuals and online FAQ didn't cover this at all.
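The key-length mismatch described above is easy to catch before the link silently fails. The following is an added example (not code from the post or from Nexland) that works out how many secret bits a typed WEP key actually carries and compares it with what a "128-bit" device keeps; the function names, the `device_secret_bits` parameter and the sample keys are this example's own assumptions.

```python
"""Added example: normalise a typed WEP key and report its real secret length,
so a 128-bit secret (what the Nokia card accepts) is flagged instead of being
quietly cut down to the 104 bits a "128-bit WEP" access point uses."""

# WEP hands RC4 a key made of the shared secret plus a 24-bit IV that travels
# in the clear, so "64-bit" and "128-bit" WEP use 40- and 104-bit secrets.
IV_BITS = 24
SECRET_BITS_TO_LABEL = {40: "64-bit WEP", 104: "128-bit WEP"}
HEX_DIGITS = set("0123456789abcdefABCDEF")


def wep_secret_bits(key: str, is_hex: bool) -> int:
    """Secret-key bits in a typed key: 4 per hex digit, 8 per ASCII character.
    Hex keys may carry a 0x prefix or colon separators; bad hex raises ValueError."""
    if not is_hex:
        return len(key) * 8
    digits = key.strip().replace(":", "")
    if digits.lower().startswith("0x"):
        digits = digits[2:]
    if not digits or any(c not in HEX_DIGITS for c in digits):
        raise ValueError("hex WEP key contains non-hex characters")
    if len(digits) % 2:
        raise ValueError("hex WEP keys need an even number of digits")
    return len(digits) * 4


def describe_wep_key(key: str, is_hex: bool, device_secret_bits: int = 104) -> dict:
    """Compare a typed key with what the device will actually keep.
    device_secret_bits defaults to 104, the secret behind a "128-bit" setting
    on access points like the ones reviewed (an assumption of this example)."""
    secret = wep_secret_bits(key, is_hex)
    return {
        "secret_bits": secret,
        "rc4_key_bits": secret + IV_BITS,
        "label": SECRET_BITS_TO_LABEL.get(secret, "non-standard length"),
        "fits_device": secret == device_secret_bits,
        # bits the device would drop or reject when the key is longer than it keeps
        "excess_bits": max(0, secret - device_secret_bits),
    }


if __name__ == "__main__":
    # constructed sample keys, chosen only for their lengths
    for key, is_hex in (("A1" * 13, True), ("A1" * 16, True), ("thirteenchars", False)):
        print(key, describe_wep_key(key, is_hex))
```

Run it and the 32-hex-digit key shows 128 secret bits with 24 in excess of the device, which is exactly the situation the card and the router disagreed on.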

Packet Filtering is Overly Simplistic.
While you can filter outgoing traffic by IP address, TCP and UDP ports, you cannot filter by other IP protocols. Also, you cannot filter traffic coming into the Virtual Servers, custom or otherwise.

Virtual Servers Do Not Support Non-TCP/UDP.
Not too many services run over anything other than TCP or UDP. They do provide support for IPSec and PPTP (two really common ones), but it'd be nice to be able to specify an arbitrary IP protocol for a Virtual Server.

RIPv2 Does Not Support Authentication.
RIPv2 is supported, but it appears to be passive RIPv2. No mention is made of whether RIPv2 uses broadcast or multicast mode. It also does not allow you to configure authentication (simple or MD5). I don't like RIP personally, though it is useful in a small network. However, I prefer to run it authenticated, if I'm going to run it at all.
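Whether a RIPv2 speaker is announcing routes unauthenticated is something you can verify from the wire rather than from the manual. The following is an added example (not code from the post or from Nexland) that parses a RIPv2 message and reports which authentication entry, if any, it carries; the packet layout follows RFC 2453 and RFC 2082, and the sample packets, addresses and password are constructed for the example.

```python
"""Added example: parse a RIPv2 packet and report whether it is authenticated,
the check you would run over captured UDP/520 traffic to spot routers that
advertise routes without simple or MD5 authentication."""
import struct
from ipaddress import IPv4Address

RIP_PORT = 520            # RIPv2 runs over UDP/520, multicast group 224.0.0.9
AFI_IP = 2
AFI_AUTH = 0xFFFF
AUTH_TYPES = {2: "simple", 3: "md5"}  # type 1 marks the MD5 digest trailer (RFC 2082)


def parse_ripv2(data: bytes) -> dict:
    """Return {'command', 'auth', 'routes'} for one RIPv2 message."""
    if len(data) < 24 or (len(data) - 4) % 20:
        raise ValueError("bad RIP length")
    command, version, _ = struct.unpack("!BBH", data[:4])
    if version != 2:
        raise ValueError(f"RIP version {version}, not RIPv2")
    auth, routes = None, []
    for off in range(4, len(data), 20):
        afi, tag = struct.unpack("!HH", data[off:off + 4])
        if afi == AFI_AUTH:
            if off == 4:                       # the auth entry is always the first RTE
                auth = AUTH_TYPES.get(tag, f"unknown({tag})")
            # any later AFI 0xFFFF entry is the MD5 digest trailer: it carries no route
            continue
        ip, mask, next_hop, metric = struct.unpack("!4s4s4sI", data[off + 4:off + 20])
        prefixlen = bin(int.from_bytes(mask, "big")).count("1")
        routes.append({"prefix": f"{IPv4Address(ip)}/{prefixlen}",
                       "next_hop": str(IPv4Address(next_hop)), "metric": metric})
    return {"command": command, "auth": auth, "routes": routes}


def is_authenticated(data: bytes) -> bool:
    return parse_ripv2(data)["auth"] in ("simple", "md5")


# --- constructed sample packets (not captured from any real router) ----------
def rte(prefix: str, prefixlen: int, metric: int) -> bytes:
    """Build one 20-byte route entry."""
    mask = (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF
    return struct.pack("!HH4s4s4sI", AFI_IP, 0, IPv4Address(prefix).packed,
                       mask.to_bytes(4, "big"), bytes(4), metric)


HEADER_RESPONSE = struct.pack("!BBH", 2, 2, 0)          # command 2 = response, version 2
UNAUTH_RESPONSE = HEADER_RESPONSE + rte("10.0.0.0", 24, 1)
# simple authentication: AFI 0xFFFF, type 2, then a 16-byte NUL-padded password
SIMPLE_AUTH_RESPONSE = (HEADER_RESPONSE
                        + struct.pack("!HH16s", AFI_AUTH, 2, b"s3cret")
                        + rte("10.0.0.0", 24, 1) + rte("172.16.0.0", 12, 3))

if __name__ == "__main__":
    for name, pkt in (("unauthenticated", UNAUTH_RESPONSE), ("simple auth", SIMPLE_AUTH_RESPONSE)):
        print(name, parse_ripv2(pkt))
```

Simple authentication only keeps accidental neighbours out, since the password is in the clear on the segment; MD5 (type 3) is the one worth insisting on, and a router that offers neither shows up here with `auth` of `None`.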

Inadequate Protection for Web Interface.
The default is no password, with the interface accessible from the internal network. They also allow you to specify a password and/or a range of IP addresses on the WAN interface from which the interface is accessible. I would extend this in the following ways: allow access only from certain IPs (on the WAN or LAN interface; specifying a single range of IPs is inadequate), disallow access to the web interface via WLAN or Ethernet entirely (probably via a DIP switch), and possibly even encrypt access to the web interface via SSL.

Manual Lacks an Index.
This makes it a little more difficult to actually find things in the manual.

No Load Balancing over Broadband and Analog Connections.
I personally would find this useful, but I suppose this isn't a feature most people want/need.

DNS Reply Packets Have Wrong Source IP Address.
If I do a DNS query to an external DNS server through the Nexland unit, the reply packets appear to come from the internal IP address of the Nexland unit. This is a big problem for a DNS server making the query, since it tends to ignore DNS packets with the incorrect source address. Nexland Support tells me this is expected behavior. I was able to correct this problem by setting the DNS forwarder on my DNS server to point to the internal IP address of the Nexland unit. However, this was not mentioned in the documentation or their online FAQs.
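The reason the replies get ignored is a deliberate resolver defence: a reply is only trusted if it comes back from the server and port the query went to, with the matching transaction id and question, which is what keeps spoofed answers out. The following is an added example (not code from the post or from Nexland) that applies that check to a query and to the rewritten reply the post describes, and shows why pointing the forwarder at the router's internal address makes the check pass; all addresses, ports and transaction ids are constructed for the example.

```python
"""Added example: the source/port/txid match a DNS resolver applies to replies,
run against a reply rewritten the way the post describes (source is the
router's LAN address rather than the external server that was queried)."""
from dataclasses import dataclass

ROUTER_LAN_IP = "192.168.1.1"     # assumed internal address of the router
ISP_DNS = "198.51.100.53"         # assumed external DNS server (documentation range)


@dataclass(frozen=True)
class UdpMsg:
    src: str
    sport: int
    dst: str
    dport: int
    txid: int
    qname: str


def reply_matches_query(query: UdpMsg, reply: UdpMsg) -> bool:
    """Accept a reply only if it comes from the address and port the query went
    to, lands on the query's source port, and repeats the txid and question.
    Anything else is discarded as possibly spoofed; this is the rule that makes
    a resolver drop the NAT-rewritten replies."""
    return (reply.src == query.dst and reply.sport == query.dport
            and reply.dst == query.src and reply.dport == query.sport
            and reply.txid == query.txid and reply.qname == query.qname)


def nat_reply_as_described(query: UdpMsg) -> UdpMsg:
    """Model the behaviour reported in the post: whatever external server was
    queried, the reply seen on the LAN carries the router's internal IP as source."""
    return UdpMsg(ROUTER_LAN_IP, 53, query.src, query.sport, query.txid, query.qname)


def forwarder_accepts(forward_to: str, lan_host: str = "192.168.1.10", txid: int = 0x1234) -> bool:
    """Send one query from a LAN resolver to `forward_to` and report whether the
    reply, as the router delivers it, passes the match check."""
    query = UdpMsg(lan_host, 40000, forward_to, 53, txid, "example.com.")
    return reply_matches_query(query, nat_reply_as_described(query))


def unexpected_reply_sources(queries, replies):
    """Pair replies with queries by txid and list the ones a resolver would drop;
    useful over a packet log when hunting for this kind of NAT problem."""
    by_txid = {q.txid: q for q in queries}
    return [r for r in replies
            if r.txid in by_txid and not reply_matches_query(by_txid[r.txid], r)]


if __name__ == "__main__":
    print("forward to ISP server:", forwarder_accepts(ISP_DNS))        # False
    print("forward to router    :", forwarder_accepts(ROUTER_LAN_IP))  # True
```

With the forwarder set to the external server the reply fails the source check and is dropped; with it set to the router's LAN address the router is the server that was queried, so the same reply passes.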


You can find out more about Nexland's product from their website at http://www.nexland.com/

