At a glance |
---|---
Product | NETGEAR ProSafe Dual WAN Gigabit Firewall (FVS336G-300) [Website]
Summary | Updated, more powerful version of dual Gigabit WAN IPsec and SSL gateway router supporting 25 IPsec & 10 SSL concurrent tunnels with 4 port Gigabit switch.
Pros | • Higher performance than previous versions • 802.1Q VLANs • Hardware DMZ port • Dual WAN
Cons | • Confusing VPN wizards • SSL VPN setup is challenging
Typical Price | $450
Introduction
Updated 2/25/16 – Router performance retest due to measurement process error
We last looked at NETGEAR’s FVS336G VPN router over 7 years ago! The latest version, the FVS336G-300 aka "V3" offers quite a few enhancements over the original model, including a higher performance processor, hardware DMZ port and additional VPN options.
The FVS336Gv3 is designed for small and mid-sized customers with up to 100 users. It has a new look over the old model, now housed in an “industry-grade metal housing”. It remains a passively cooled, silent, desktop sized router designed to provide simultaneous connectivity to up to two internet providers, remote connectivity through a multitude of VPN options and security through a highly configurable firewall.
The FVS336Gv3 measures 10″W x 7″D x 1.56″H. The front of the router now has both the LEDs and the RJ45 ports, so if you want to put it on a shelf in a rack, everything is right where you need it. There are four 10/100/1000 Mbps LAN ports and two 10/100/1000 Mbps WAN ports, shown below.
NETGEAR FVS336Gv3 Front
The rear has a console port, a locking security port, a factory reset button and power receptacle, shown below. The power callout is incorrect; that’s a DC input. Unlike the original, the V3’s power supply is outboard.
NETGEAR FVS336Gv3 Rear
Inside
The new V3 is equipped with a Cavium Octeon Plus CN5010 300 MHz single core CPU. The CN5010 has integrated coprocessors for packet I/O, QoS, TCP acceleration and VPN encryption. We’ve previously seen this processor in Cisco’s RV 120W and RV 220W and NETGEAR’s UTM10. The RV 220W uses a 400 MHz version, while the UTM10’s processor runs at 500 MHz.
Other key components include a Broadcom BCM53125 Gigabit Ethernet Switch, 32 MB of Macronix Flash and 128 MB of Samsung DDR2 SDRAM, shown in the board image below. Note there are heatsinks on both the CPU and switch that were removed for the photo.
NETGEAR FVS336Gv3 Mainboard
Table 1 shows the key components for the 336G-300. Components for the earlier version will be added when NETGEAR provides them.
Component | FVS336G-300 (V3) | FVS336G-200 (V2) | FVS336G-100 (V1)
---|---|---|---
CPU | Cavium Octeon Plus CN5010 @ 300 MHz | Cavium CN3005 @ 300 MHz | Cavium CN3005 @ 300 MHz
Switch | Broadcom BCM53125 | Broadcom BCM53115S + B5081 | Broadcom BCM5398
RAM | 128 MB DDR2 | 128 MB DDR2 | 64 MB DDR2
Flash | 32 MB | 32 MB | 16 MB
Table 1: Component summary
Features
Here’s a quick summary of the FVS336G’s key features. I’ll be getting into more detail on some of them later.
Network
- (2) 10/100/1000 WAN ports
- (4) 10/100/1000 LAN ports
- WAN Load Balancing and Failover
- 350 Mbps LAN-to-WAN Throughput rating
- IPv4 / IPv6 Support
- 802.1Q VLAN (254 VLANs)
- SIP ALG
- Bandwidth Profiles
- QoS
- Traffic Metering
- DDNS
Security
- SPI Firewall
- DoS Protection
- Block TCP/UDP Packet Flooding
- Hardware DMZ port
- MAC Address Filter
- Web object and keyword filter
VPN
- IPsec (78 Mbps throughput rating, up to 25 tunnels)
- SSL (14 Mbps throughput rating, up to 10 tunnels)
- PPTP and L2TP Server
- User authentication methods: AD, LDAP, RADIUS, WIKID, MIAS, NT Domain, Local Database
DMZ
As mentioned in the original review, DMZ was a feature intended for that model, but was delayed. The V3, however, allows LAN port 4 to be converted to a hardware DMZ port for both IPv4 and IPv6. Once enabled, the front DMZ LED lights and it’s up to you to create firewall rules to control traffic among the DMZ, LAN and WAN ports. I’ll comment further on DMZ firewall rules in the Security section of this review.
I like the addition of the DMZ port because it’s more flexible than firewall rules to an internal IP address. A hardware DMZ port allows for placing multiple devices in the router’s DMZ and applying specific traffic controls.
Dual WAN
The FVS336Gv3 is a dual WAN router with multiple options and traffic controls. Dynamic DNS is a useful feature when your internet connection has a dynamic IP address. Supported Dynamic DNS providers are DynDNS, DNS TZO, Oray DNS, and 3322 DDNS. I had no issues configuring the FVS336Gv3 with my DynDNS account.
With two WAN links, the router can be configured with one link as primary and the other secondary. Alternatively, both links can be used simultaneously in Load Balancing Mode or Round Robin. Load Balancing distributes traffic based on the configured speed of each WAN link. Round Robin equally distributes new connections to the Internet over each WAN link.
Protocol Binding can be used with the Load Balancing option to direct specific traffic types to a specific WAN link. For example, VoIP traffic can be sent over one WAN link, while web traffic can be sent over the other WAN link.
Traffic Metering can be applied on each WAN link to measure and/or limit the amount of bandwidth used.
QoS and Bandwidth profiles can be applied. QoS profiles are created to provide a minimum and maximum amount of bandwidth (rate control) or priority to specific traffic types. Bandwidth profiles are created to provide minimum and maximum bandwidth to individual devices or to groups of devices (based on IP or MAC addresses).
Note, Traffic Metering, QoS, and Bandwidth profiles have an effect on the router’s performance when applied. The below warning about a “drop in performance” is displayed when enabling Bandwidth profiles. A similar warning is displayed when enabling QoS profiles and Traffic Metering.
Performance Warning
VLAN
New to the FVS336Gv3 is support for VLANs. NETGEAR’s spec sheet says the FVS336Gv3 supports 802.1Q VLANs, whereas the manual states “the VPN firewall supports port-based VLANs.” Based on my test, it looks to me like the FVS336Gv3 supports 802.1Q tagging.
On the LAN page of the FVS336Gv3, you can add a VLAN Profile as shown below. I created VLAN 66 with the 192.168.66.0/24 subnet. Notice also in the screenshot below that all ports have a default VLAN of “Default”, which is VLAN 1. According to the manual, changing the default VLAN on a port changes the port’s untagged VLAN, or PVID. I left port 3, my test port, as a member of the default VLAN.
NETGEAR FVS336Gv3 Add VLAN
In the VLAN Profile page, you configure an IP address and DHCP server per VLAN. You also define whether a port is a member of a VLAN. In the test shown below, I made port 3 a member of VLAN 66. Essentially, port 3 is now acting as an 802.1Q trunk port configured as an untagged member of VLAN 1 and a tagged member of VLAN 66.
NETGEAR FVS336Gv3 VLAN Profile
I tested 802.1Q tagging by connecting port 3 of the FVS336Gv3 to a port on a Cisco SG200 802.1Q switch. The switch port was also configured as an 802.1Q trunk port, an untagged member of VLAN 1 and a tagged member of VLAN 66. I then verified that a PC on a switch access port assigned to VLAN 1 reached VLAN 1 (192.168.1.0/24) on the router, and that a PC on a switch access port assigned to VLAN 66 reached VLAN 66 (192.168.66.0/24) on the router.
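To make the trunk behaviour concrete, here is an added example (not code from the review or from NETGEAR) that builds and parses 802.1Q-tagged Ethernet frames and classifies them the way a trunk port configured like port 3 above would: untagged frames land in the PVID (VLAN 1), frames tagged 66 land in VLAN 66, and frames tagged for a VLAN the port is not a member of are dropped. MAC addresses and payload bytes are constructed placeholders.

```python
import struct

ETH_P_8021Q = 0x8100  # 802.1Q tag protocol identifier (TPID)
ETH_P_IP = 0x0800     # IPv4 ethertype used for the sample payloads

# Trunk configuration of port 3 as described in the review (values assumed here):
# untagged member of VLAN 1 (so PVID = 1) and tagged member of VLAN 66.
PORT3_PVID = 1
PORT3_TAGGED_VLANS = {66}


def _mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def build_frame(dst, src, payload, vlan=None, pcp=0):
    """Build an Ethernet II frame; insert an 802.1Q tag when vlan is given."""
    frame = _mac_bytes(dst) + _mac_bytes(src)
    if vlan is not None:
        tci = (pcp & 0x7) << 13 | (vlan & 0x0FFF)  # PCP(3) | DEI(1)=0 | VID(12)
        frame += struct.pack("!HH", ETH_P_8021Q, tci)
    return frame + struct.pack("!H", ETH_P_IP) + payload


def parse_frame(frame):
    """Return (vid_or_None, ethertype, payload) for an Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vid, offset = None, 14
    if ethertype == ETH_P_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid, offset = tci & 0x0FFF, 18
    return vid, ethertype, frame[offset:]


def classify_ingress(frame, pvid=PORT3_PVID, tagged=PORT3_TAGGED_VLANS):
    """VLAN a frame arriving on the trunk is assigned to, or None if it is dropped.
    Untagged and priority-tagged (VID 0) frames go to the PVID; tagged frames are
    only accepted for VLANs the port is a tagged member of."""
    vid, _, _ = parse_frame(frame)
    if vid is None or vid == 0:
        return pvid
    if vid in tagged:
        return vid
    return None


# Constructed sample frames: MAC addresses and payload are placeholders.
SAMPLES = {
    "untagged": build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", b"\x45" * 20),
    "vlan66": build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", b"\x45" * 20, vlan=66),
    "vlan77": build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", b"\x45" * 20, vlan=77),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(name, "->", classify_ingress(frame))
```

The "vlan77" case is the one to check on any trunk: a frame tagged for a VLAN the port has not been made a member of should never be forwarded.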
IPv6
The 336G-300 supports IPv6 in many areas. IPv6 is supported on the WAN, LAN, and DMZ interfaces. Firewall rules, filters, port triggering, IPsec and SSL VPNs can all be configured to work with IPv6 traffic. IPv6 6to4 and ISATAP tunnels are also supported.
Enabling IPv6 on the FVS336Gv3 requires a reboot, so you might want to enable this first if your ISP supports IPv6. I did a basic IPv6 test to see if I could get a global IPv6 address on the WAN interface of the router and a global IPv6 prefix for my LAN devices. I connected the FVS to my Time Warner cable modem, with the modem in bridge mode. I enabled IPv6, enabled DHCP-PD, and enabled RADVD as shown in the gallery below. With all three enabled, I was able to get a global IPv6 prefix for LAN use, as shown in the second screenshot. Further, I was able to ping google.com and other Internet sites via IPv6.
Enable IPv4/IPv6 Dual Stack
Enable IPv6 Prefix Delegation
Enable global IPv6 address distribution to LAN
RADVD, or Router Advertisement Daemon, as explained in the FVS’ help menu “is stateless IPv6 auto configuration as it distributes IPv6 prefixes to all nodes on the network.”
VPN Hands On
The FVS336Gv3 has more VPN options than the original model. PPTP and L2TP tunnels are now supported, which enables remotely connecting hand-held devices and MacOS devices. For example, I was able to set up a PPTP tunnel between the FVS336Gv3 and my iPhone 5s.
PPTP
To set up PPTP tunnels on the FVS336Gv3, check the box to enable the PPTP server, create a range of IP addresses (outside the LAN subnet) for the VPN clients, select authentication method (I selected MSCHAPv2), select encryption method (I selected MPPE-128) and create a user with PPTP permissions. Note, I initially tried MPPE-40 encryption, but the tunnel didn’t come up until I changed the encryption method to MPPE-128.
On a Windows 8.1 PC, go to Control Panel, Network and Sharing Center, select Set Up a Connection or Network, Connect to a Workplace and Use my Internet connection (VPN). Then enter the IP/FQDN of the FVS’ WAN interface and click create. On an iPhone 5s, go to Settings, VPN, Add VPN Configuration, then enter the IP/FQDN of the FVS, your username and password, and click save.
I found that PPTP tunnels on the FVS336Gv3 are full tunnels, which means all client traffic, including Internet traffic routes through the VPN tunnel. The gallery has screenshots of my config on the FVS, on my PC, on my iPhone, and the FVS status page with the PPTP tunnel up.
L2TP
The setup for an L2TP tunnel is almost the same as the PPTP tunnel. To set up an L2TP tunnel on the FVS336Gv3, check the box to enable the L2TP server, create another range of IP addresses (outside the LAN subnet and outside the range used for PPTP) for the VPN clients, select authentication method (I selected MSCHAPv2) and create a user with L2TP permissions.
Configuring an L2TP tunnel on Windows is exactly the same as a PPTP tunnel, as Windows will automatically detect whether the tunnel is PPTP or L2TP. As I observed with PPTP tunnels, L2TP tunnels on the FVS336Gv3 are also full tunnels. The below screenshot shows the active L2TP tunnel on the FVS336Gv3.
L2TP Tunnel Status
SSL
The FVS336Gv3 supports up to 10 simultaneous SSL VPN tunnels. Configuration for SSL VPN tunnels on the FVS336Gv3 can be done with a wizard or manually. I found the FVS336Gv3’s SSL wizard confusing, so I manually entered my configurations. Below is a screenshot of my FVS configs for an SSL VPN tunnel.
FVS336Gv3 SSL Setup
As I’ve mentioned in previous reviews, I prefer SSL VPN tunnels over IPsec, PPTP, and L2TP for remote PC VPN tunnels as SSL tunnels are simpler than IPsec, but more secure than PPTP and L2TP. Further, I like using SSL VPN tunnels in split mode, which typically provides better client network performance.
However, I found establishing an SSL VPN tunnel to be more challenging and limited on the FVS336Gv3 than I had hoped. I believe it has something to do with the Windows Virtual Passage SSL adapter, screenshot below, which is used by some Cisco and NETGEAR routers for SSL VPNs.
Virtual Passage Adaptor
SSL VPNs with the FVS336Gv3 use a browser connection to set up the tunnel. NETGEAR’s spec sheet lists IE9 and IE10 for 32 and 64 bit Windows, Firefox 27 and Safari 5.1.7 for Mac OS X 10.6+, and Firefox 12 for Ubuntu Linux as supported browsers. I was able to get an SSL VPN to work with IE11 on a 32 bit Windows 7 PC.
To get an SSL VPN working on Windows, you need to add the WAN IP/FQDN of the FVS to your trusted sites list in IE and run IE in Admin Mode to install and run the SSL VPN adapter. My working SSL VPN connection is shown in the FVS status screen below.
SSL Tunnel Status
As mentioned previously, both NETGEAR and Cisco use this adapter for their SSL VPN solutions and forums on both websites have multiple comments. I was unable to get the NETGEAR Virtual Passage adapter to work on a 64 bit Windows 8.1 PC with IE11. I didn’t get an error message, just no response when clicking the Connect or Uninstall icons shown in the screenshot below.
SSL Tunnel Login Screen
IPsec Client to Site
The NETGEAR FVS336Gv3 spec sheet indicates the FVS336Gv3 supports up to 25 simultaneous IPsec VPN tunnels. The FVS comes with one 30 day evaluation license for NETGEAR’s ProSafe VPN Client Lite. It’s Windows only and based on TheGreenBow VPN Client. I had no problem installing the software on a 64 bit Windows 7 PC I’ve used for testing other IPsec VPN clients.
I set up the software with the default values 3DES, SHA-1 and DH2 for Phase 1 (IKE Policy) and 3DES, SHA-1, and DH2 with PFS for Phase 2 (VPN Policy). I assigned a Local ID of doug.com and Remote ID of snb.com for the Local and Remote identifiers. I used a pre-shared key for the encryption key.
There is an IPsec configuration wizard on the FVS336Gv3, but I input my configuration manually. I set up the FVS with the same values as I used on the client. With my configuration entered in the software and router, the tunnel connected right away. Images of the client software, client and FVS configs, and the established tunnel are shown in the gallery.
IPsec Site to Site
I also tested a Site to Site VPN between the FVS336Gv3 and the Linksys LRT224. Manually setting up a Site-to-Site IPsec tunnel is pretty straightforward, as long as you use the same Phase 1 and Phase 2 values on both routers. I used the same Phase 1 and Phase 2 values as I did for the Client to Site VPN and the tunnel came right up. My configs and a screenshot of the established tunnel are shown in the gallery.
VPN Performance
To measure VPN throughput on the FVS, I used two PCs running 64-bit Windows with software firewalls disabled. Using TotuSoft’s LAN Speed Test client and server application, with a file size of 100 MB, I measured throughput over Site to Site and Client to Site IPsec, SSL, L2TP, and PPTP tunnels. Table 2 shows the throughput results.
Tunnel Type | Client > Gateway | Gateway > Client |
---|---|---|
IPsec Site-to-Site | 45.6 | 43.9 |
IPsec Client-to-Site | 44.1 | 35.9 |
SSL | 8.0 | 9.9 |
PPTP | 6.5 | 6.6 |
L2TP | 13.0 | 11.6 |
Table 2: NETGEAR FVS336G-300 VPN throughput (Mbps)
IPsec VPN throughput on the FVS336Gv3 is significantly improved over the original FVS336G. On the original FVS336G, I measured peak IPsec Client > Gateway throughput at 16.9 Mbps. On the new FVS336Gv3, the same test yielded 44.1 Mbps.
The FVS336Gv3’s SSL throughput was actually a bit lower than the V1’s. On the V1, I measured peak SSL throughput at 11.4 Mbps. On the new V3, I measured peak SSL throughput at 9.9 Mbps.
Note that NETGEAR rates the FVS336Gv3 as capable of 78 Mbps for IPsec throughput and 14 Mbps for SSL throughput. Most manufacturers use a UDP based test to rate throughput on their devices. The TotuSoft test uses TCP based testing. UDP has lower overhead than TCP, which is the likely explanation for the difference between my measurements and NETGEAR’s ratings.
Security
The FVS336Gv3 SPI firewall configurations look similar to the original, with a few additions. Rules can be created to filter IPv4 and IPv6 traffic between the WAN and LAN based on Service; Schedule; LAN IP addresses, IP address ranges, or groups; WAN IP addresses or IP address ranges; QoS profiles and Bandwidth profiles. In addition, firewall rules can be created to filter traffic between the DMZ port and the WAN, as well as between the DMZ port and the LAN.
External WAN Attack prevention methods include blocking pings to the WAN port, blocking TCP and UDP floods and Stealth mode, which blocks port scans on the WAN ports. Session limits can also be applied in the firewall, limiting the number of sessions or percentage of total sessions that can be established by a single device on the network. Other firewall features include source MAC address filtering and Port Triggering.
Content Filtering on the FVS336Gv3 is the same rudimentary keyword blocking found on the original model. Per the FVS336Gv3’s help menu, “Up to 64 key words in the site’s name (web site URL, newsgroup name, etc.) can be specified, which will cause the access to the site be blocked.” Keyword blocking can be overridden by creating Trusted Domains. I set up a simple keyword block to filter on the word “sports.” Browsing to sports.com resulted in the page below, similar to the original FVS336G.
Keyword Blocking
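The following is an added model of that keyword block (my own illustration, not NETGEAR’s implementation): keywords are matched case-insensitively as substrings of the requested host name, Trusted Domains win over keyword hits, and the 64-keyword limit from the help text is enforced. Two assumptions not stated on the page: a Trusted Domain also covers its subdomains, and only the host name (not the URL path) is matched. All domains other than sports.com are constructed placeholders.

```python
from urllib.parse import urlsplit

MAX_KEYWORDS = 64  # limit quoted from the FVS336Gv3 help text


class KeywordFilter:
    """Hypothetical model of the router's keyword block with a Trusted Domains
    override. A keyword is matched as a substring of the host name, which is
    how a block on "sports" catches sports.com (and every other host containing
    that string)."""

    def __init__(self, keywords, trusted_domains=()):
        if len(keywords) > MAX_KEYWORDS:
            raise ValueError(f"at most {MAX_KEYWORDS} keywords are supported")
        self.keywords = [k.strip().lower() for k in keywords if k.strip()]
        self.trusted = {d.strip().lower().lstrip(".") for d in trusted_domains}

    def is_trusted(self, host):
        """Assumption: a Trusted Domain covers the domain and its subdomains."""
        return any(host == d or host.endswith("." + d) for d in self.trusted)

    def decide(self, url):
        """Return ("allow", reason) or ("block", keyword) for a requested URL."""
        host = (urlsplit(url).hostname or "").lower()
        if self.is_trusted(host):
            return ("allow", "trusted domain")
        for kw in self.keywords:
            if kw in host:
                return ("block", kw)
        return ("allow", None)


# Constructed sample policy and requests (all hosts except sports.com are placeholders).
POLICY = KeywordFilter(keywords=["sports"], trusted_domains=["sports.example"])
REQUESTS = [
    "http://sports.com/",                 # blocked: host contains the keyword
    "https://esports.example/games",      # blocked too: substring match over-reaches
    "https://news.sports.example/today",  # allowed: subdomain of a Trusted Domain
    "https://example.net/sports/scores",  # allowed: keyword appears only in the path
]


def evaluate(policy=POLICY, urls=REQUESTS):
    """Map each sample URL to the filter's decision."""
    return {u: policy.decide(u) for u in urls}


if __name__ == "__main__":
    for url, (action, why) in evaluate().items():
        print(f"{action:5} {url}  ({why})")
```

The second and fourth requests show the practical limits of a host-name keyword filter: it over-blocks unrelated hosts that happen to contain the string, and it cannot see anything in the path of an HTTPS request.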
Finally, the FVS336Gv3 firewall has the option to enable/disable a SIP ALG (Application Layer Gateway). NETGEAR’s specification sheet lists their SIP ALG as compatible with VoIP devices from Linksys, SNOM, Cisco, X-Lite, D-Link, Grandstream, Polycom, Siemens, and Aastra.
Routing Performance
Updated 2/25/16 – Router performance retest due to measurement process error
We tested router performance using our standard test method. Table 3 compares the original FVS336G to the V3.
Test Description | FVS336G-300 | FVS336G |
---|---|---|
WAN – LAN | 800 Mbps | 59 Mbps |
LAN – WAN | 766 Mbps | 58 Mbps |
Total Simultaneous | 918 Mbps | 56 Mbps |
Maximum Simultaneous Connections | 23,478 | 200 |
Firmware Version | 4.3.3-5 | 2.2.0-67 |
Table 3: Routing throughput
The FVS336Gv3’s performance improvement over the original model is huge! The newer model’s unidirectional throughput is at least 700 Mbps faster than the previous model, as shown in the plot below. The variation shown is typical of what we see on most of today’s routers.
Unidirectional Throughput
Simultaneous up/downlink router throughput is shown in the plot below. We measured simultaneous throughput on the FVS336Gv3 at 918 Mbps, a massive increase over the original FVS336G’s 56.3 Mbps.
Bidirectional Throughput
Closing Thoughts
Table 4 compares NETGEAR’s FVS336Gv3 to two other Dual WAN VPN routers I’ve reviewed, the Linksys LRT224 and Cisco’s RV320.
Test Description | FVS336G-300 | Linksys LRT224 | Cisco RV320 |
---|---|---|---|
WAN – LAN | 800 Mbps | 797 Mbps | 887 Mbps |
LAN – WAN | 766 Mbps | 721 Mbps | 746 Mbps |
Total Simultaneous | 918 Mbps | 805 Mbps | 832 Mbps |
Maximum Simultaneous Connections | 23,478 | 30,467 | 32,249 |
Price | $230 | $174 | $168 |
Table 4: VPN Router comparison
The NETGEAR comes in as the most expensive of the three at $230 (Amazon.com). From a feature standpoint, all three routers are similar, with multiple WAN ports, Gigabit LAN ports and support for IPsec, PPTP, and SSL VPN tunnels. From a router performance standpoint, all three routers are close on WAN-LAN and LAN-WAN throughput.
The FVS336Gv3 differentiates itself by adding L2TP VPNs to the mix, and clearly leading the other two routers on Total Simultaneous throughput. In addition, while all three routers offer a limited lifetime warranty, NETGEAR goes one step further and offers Next Business Day Replacement in the event of device failure.
Overall, the FVS336Gv3 is certainly a performance upgrade over the older FVS336G. I think the reliance on the Windows Virtual Passage SSL adapter holds the FVS336Gv3 back a bit compared to other SSL VPN solutions, such as OpenVPN. On the whole, though, the FVS336G-300 is a fast and highly configurable Dual WAN VPN Router.