Nexland ISB Pro 800 Turbo and WaveBase Review
I recently received an offer to test drive a hardware-based firewall solution designed for SOHO use. Being the hardware junkie that I am, I agreed to have a look at Nexland's products. I was sent a couple of units for review, the ISB Pro800turbo and the ISB WaveBase. Both units are reasonably similar: the Pro800turbo includes an 8-port 10/100 switch and allows you to load balance between two Ethernet-based broadband connections, while the WaveBase includes a 4-port 10/100 switch and connectivity via an 802.11b wireless interface. Nexland has a variety of other products at various price points with a similar feature set.
Overall, I was impressed with how easy these products were to get set up. The Pro800turbo was plugged in, configured, and functioning with my @Home cable service in less than ten minutes. The documentation explained everything step by step with pictures and explanations an average Joe can understand. The feature set for these devices is quite impressive, allowing for quite a number of different ADSL/Cable Modem setups to work fairly easily. However, there were a few rough spots, which I will explain a bit later.
First, let me say what I like:
- Good docs for basic setup.
  - They even include a few servers with IP addresses for troubleshooting a lack of DNS functionality, which is a nice touch.
- Web interface fairly self-explanatory.
  - If not, the help screens are generally helpful.
- Some configuration possible over Serial.
  - Useful, for example, when you need to integrate the product into an existing network and the same IP address space is already being used or another DHCP server is present.
- Can manipulate routing tables.
  - Aside from Static Routes, RIPv2 is supported.
- Can use one IP for many external servers.
  - Through a feature called "Virtual Servers," you can make your single routable address serve many different services. Aside from several pre-defined Virtual Servers for things like telnet, ftp, http, IPSec, PPTP, and so on, you can also define your own.
- Dynamic DNS Support.
  - Provides support for dyndns.org and tzo.com's Dynamic DNS Service. This allows you to assign a DNS name to your non-static or even semi-static IP address.
- IPSEC Passthru Support for Multiple Clients.
  - This allows VPN Clients behind the Nexland router to access VPN gateways via IPSec. More specifically, it allows multiple clients to access the same VPN endpoint, which is usually problematic. The high-end routers such as the Pro800turbo and the WaveBase support an unlimited number of IPSec connections to the same server. The lower-end Nexland routers support a limited number of IPSec connections. I tested this with Nokia's VPN Client both in IPSEC mode and UDP Encapsulation mode (e.g. IPSEC over NAT) and it worked beautifully. I also tested this with Check Point's SecuRemote, using both native IPSec mode and UDP encapsulation mode, and it worked as well.
- Load Balance or failover between 2 Broadband Connections.
  - For the Pro800turbo, you can configure two different broadband connections. These can either be primary/backup or load balanced.
- Configurable Keepalive and Connection Check.
  - By default, the Nexland routers ping the default route. If this isn't possible, or is an inaccurate way to validate that the broadband connection is alive, you can configure an IP address or a URL for the unit to check periodically. If your DHCP address is re-allocated based on inactivity, you can tell the unit to attempt to keep the DHCP address by issuing "keepalives."
- Analog Fallback.
  - All of Nexland's products support fallback to an analog connection over a serial line. The serial port works all the way up to 230,400bps, which means it will support ISDN with both B channels (128k). This failover can be automatic, depending on how you've configured it. A number of modems are supported out of the box, though you can configure initialization and dialing strings as necessary.
- Upgradeable Firmware.
  - Firmware on all of Nexland's products is flashable via tftp. This flash upgrade facility is controlled by two DIP switches on the box itself, so nobody can simply tftp a flash file to the Nexland router without having physical access to it.
However, no product is without its flaws. Some might view these as "nits" or even as inappropriate requests for this type of product, but I have high expectations; what can I say? :-)
- Inadequate Documentation for Wireless LAN Setups.
  - While there isn't much to configure really, one major part of the configuration needed more documentation: WEP. It turns out that not every vendor implements WEP the same way. What Nexland calls 128 bit WEP is exactly that, but the secret key is only 104 bits; the other 24 bits are set by the "initialization vector". Nokia's C110 cards, which I normally use, actually allow you to specify a secret key of 128 bits. As such, when I tried to enter a 128 bit WEP key, I had problems because it was only accepting 104 of the bits. Nexland's Technical Support set me straight on this point; however, their manuals or online FAQ didn't cover this at
- Packet Filtering is Overly Simplistic.
  - While you can filter outgoing traffic by IP address and by TCP and UDP ports, you cannot filter by other IP protocols. Also, you cannot filter traffic coming into the Virtual Servers, custom or otherwise.
- Virtual Servers Do Not Support Non-TCP/UDP Protocols.
  - Not too many services run over protocols other than TCP and UDP. They do provide support for IPSec and PPTP (two really common ones), but it would be nice to be able to specify an arbitrary IP protocol for a Virtual Server.
- RIPv2 Does Not Support Authentication.
  - RIPv2 is supported, but it appears to be passive RIPv2. No mention is made of whether RIPv2 uses broadcast or multicast mode. It also does not allow you to configure authentication (simple or MD5). I don't like RIP personally, though it is useful in a small network. However, I prefer to run it authenticated, if I'm going to run it at all.
- Inadequate Protection for Web Interface.
  - The default is no password, and the interface is accessible from the internal network. They also allow you to specify a password and/or a range of IP addresses on the WAN interface from which the interface is accessible. I would extend this in the following ways: allow access only from certain IPs (on the WAN or LAN interface; specifying a single range of IPs is inadequate), disallow access to the web interface via WLAN or Ethernet entirely (probably via a DIP switch), and possibly even encrypt access to the web interface via SSL.
- Manual Lacks an Index.
  - This makes it a little more difficult to actually find things in the manual.
- No Load Balancing over Broadband and Analog Connections.
  - I personally would find this useful, but I suppose this isn't a feature most
- DNS Reply Packets Have Wrong Source IP Address.
  - If I do a DNS query to an external DNS server through the Nexland unit, the reply packets appear to come from the internal IP address of the Nexland unit. This is a big problem for a DNS server making the query, since it tends to ignore DNS replies with the incorrect source address. Nexland Support tells me this is expected behavior. I was able to correct this problem by setting the DNS forwarder on my DNS server to point to the internal IP address of the Nexland unit. However, this was not mentioned in the documentation or their online FAQs.
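The WEP key-length point above (104 secret bits plus a 24-bit IV making up "128-bit WEP") as a small added Python check; this is example code written for this review, not Nexland's or Nokia's, and the sample keys in it are constructed:

```python
# Added example (not Nexland's code and not from the review): why a "128-bit WEP" key
# carries only 104 secret bits. WEP seeds RC4 with IV (24 bits) || secret key, so the
# advertised size counts the per-packet IV, and a 104-bit secret gives a 128-bit seed.
IV_BITS = 24
# Secret-key sizes WEP actually defines, keyed by the seed size they are sold under.
SEED_TO_SECRET_BITS = {64: 40, 128: 104}


def normalize_hex(hex_key: str) -> str:
    """Strip common separators and validate that the key is hex."""
    cleaned = hex_key.replace(":", "").replace("-", "").replace(" ", "").lower()
    bytes.fromhex(cleaned)  # raises ValueError on non-hex input or odd length
    return cleaned


def classify_wep_key(hex_key: str) -> dict:
    """Report the secret size, the resulting seed size and whether a device that
    labels keys by seed size (as the WaveBase does) would accept it as typed."""
    secret_bits = len(normalize_hex(hex_key)) * 4
    seed_bits = secret_bits + IV_BITS
    return {
        "secret_bits": secret_bits,
        "seed_bits": seed_bits,
        "label": f"{seed_bits}-bit WEP" if seed_bits in SEED_TO_SECRET_BITS else None,
        "accepted": seed_bits in SEED_TO_SECRET_BITS,
    }


def fit_to_seed_size(hex_key: str, seed_bits: int = 128) -> str:
    """Return the leading hex digits a device labelled for `seed_bits` WEP keeps.
    A 32-digit (128-bit secret) key entered into a 128-bit-WEP device is cut to
    its first 26 digits, which matches the 104 accepted bits the review describes."""
    secret_hex_digits = SEED_TO_SECRET_BITS[seed_bits] // 4
    return normalize_hex(hex_key)[:secret_hex_digits]


def rc4_seed(iv: bytes, secret_hex: str) -> bytes:
    """Build the per-packet RC4 seed exactly as WEP does: IV || secret.
    The IV travels in the clear, so only the secret part is confidential."""
    if len(iv) * 8 != IV_BITS:
        raise ValueError("WEP IV must be 24 bits")
    return iv + bytes.fromhex(normalize_hex(secret_hex))


if __name__ == "__main__":
    # Constructed sample keys, not real credentials.
    key_104 = "0a1b2c3d4e5f60718293a4b5c6"          # 26 hex digits = 104 bits
    key_128 = "0a1b2c3d4e5f60718293a4b5c6d7e8f9"    # 32 hex digits = 128 bits
    print(classify_wep_key(key_104))  # seed 128, accepted
    print(classify_wep_key(key_128))  # seed 152, not accepted as typed
    print(fit_to_seed_size(key_128), len(rc4_seed(b"\x00\x00\x01", key_104)) * 8)
```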
You can find out more about Nexland's product from their website at http://www.nexland.com/