Introduction and Basic Features
ZyXEL HomeSafe Parental Control Gateway Router with 802.11g Wireless (HS-100W) | |
---|---|
Summary | 802.11g router with built-in access time and application filtering parental controls for up to 10 users and subscription web filtering. Also available as HS-100 without wireless |
Update | None |
Pros | • Inexpensive • Easy to set up • Effective Content Filtering |
Cons | • Average Performance • Logging could be more extensive • Unclear user logout procedure |
ZyXEL’s HS-100W HomeSafe Parental Control Gateway has been specifically designed with emphasis on controlling broadband access in the home. It incorporates effective parental controls that limit not only the types of information that children can access online, but when they can access it as well.
The HS-100W comes bundled with features like a built in firewall to ward off hack attempts, secure 802.11b/g wireless communication abilities, content filtering, time-based access management, and real time logs and alerts for the more tech-savvy. And if you want to save a little money, you can opt for the HS-100, which has all the HS-100W’s features except for wireless.
I found that while the technology driving the HS-100W may not break any speed records, it does provide reliable performance that should prove satisfactory for almost any household or small business.
The HS-100W comes ready to install. In the box you will find a short pamphlet for quick installation as well as a CD with a very detailed User Guide (PDF). I found much of the web-based configuration to be intuitive enough to avoid having to spend time rummaging through the included documentation, but it is nice to know it’s there in case you need it. Inside you will also find a 9VAC power supply and a very short CAT5 Ethernet cable.
Housed in a metallic grey box, the HS-100W has a rather simple look that I liked. On the back of the device you will find: a single radio antenna, 10/100 WAN and four 10/100 LAN ports, reset-to-defaults button, and finally a power jack. Across the front you will find lights for the following: power and Link / Activity for each of the four 10/100 LAN ports, WAN, and WLAN. The single-type link / activity lights are easy to see, and I was especially pleased to discover the WLAN port strobe slowly while transferring information to or from a wireless device.
Figure 1: The HS-100W Board
(click image to enlarge)
Figure 1 is a shot of the HS-100W’s main board, You can see that the radio is integrated as a separate mini-PCI board, a Conexant PRISM-based ZCom XG-601, and is connected to a single non-removeable antenna. The HS-100W processor is Infineion-ADMTek ADM5120 Home Gateway Controller, which was also recently used by SMC in there Barricade High-Powered 2.4GHz 54Mbps Wireless Broadband Router.
Setup and Administration
The no-frills web based administration / configuration tool (Figure 2) is located by default at 192.168.1.1 and includes Setup and Parental Control wizards that you’re directed to upon first accessing the router. I liked that you’re first taken through a wizard which prompts you to create a login name and password for the administrative interface, and the online Help system was, well, helpful too.
Figure 2: The Web Based Administration Tool
(click image to enlarge)
The Setup Wizard walks you through seven steps that allow you to easily configure the HS-100W for your network. Here you will set up your device to connect to the WAN as well as configure your wireless connectivity. If you opt to set things up manually, just make your way to the WAN screen (Figure 3).
Figure 3: WAN setup
(click image to enlarge)
The HS-100W supports a wide array of connection types including static and dynamic IP, PPPoE and PPTP, as well as some not-so-common authentication protocols such as Telstra, RR (RoadRunner) Manager, RR Toshiba and Telia. There’s also support for setting the WAN port MAC address, in case your ISP uses that method as part of its authentication, but I couldn’t find options to enter the domain or Host name. The router also has the unusual option of redirecting traffic to another router in case its WAN connection goes down.
The Parental Control Wizard guides creation of a unique profile for up to ten users. Each profile includes a username / password, which is required for Internet access, content filters that control the websites the user is allowed to browse online, and application blocking that controls access to Internet services, such as Instant Messaging and Email. Each profile also includes the ability to set times that Internet access is available and the total time that the user may use the Internet when access is enabled. I’ll walk through each of these in detail later.
Firewall Features
Figure 4: Firewall, Settings
(click image to enlarge)
The Stateful Packet Inspection (SPI) features of the HS-100W’s built-in firewall are disabled by default and the configuration screen (Figure 4) provides us with two tabs – one for controlling general Settings and one for using Service Blocking. Since the SPI firewall features are in addition to the basic firewalling provided by the HS-100W’s NAT router, you could leave the “Enable firewall” box unchecked and probably never notice any difference. But if you open ports to expose servers on your LAN, you’ll definitely want to turn the SPI features on.
I was pleased to see a logging feature for the firewall which may help you to determine if someone is trying to hack into your system. There is also a Triangle Route Bypass feature for thwarting a certain type of DoS Attack, if you are concerned about that sort of thing.
Although similar in nature to the service blocking available in the Parental Control section, the firewall will allow you to do service blocking for all users, including those who have Parental Control accounts set up.
Figure 5: Firewall, Services
(click image to enlarge)
Although firewalls are normally used to control the flow of incoming traffic, the Service Blocking feature (Figure 5) will control whether your LAN users can access specific Internet services, i.e. outgoing traffic. You can create custom services by specifying a port range, or select from pre-defined services such as FTP, ICQ, and IRC.
You may also elect to block services on specific days by clicking the checkboxes labeled Monday-Friday, and even specify times to block within the specific days you’ve selected. These features are especially useful if you decide against using the Parental Controls but still want to keep people from running certain services.
Logging and Other Features
Figure 7: Log Views
(click image to enlarge)
Although most home users may not take advantage of the HS-100W’s logging features (Figure 7), I personally would have preferred to see a few more capabilities here like User-Level Web Browsing Reports. But to be fair, I did like the fact that ZxYEL went to the trouble of granting the HS-100W the ability to email log files at scheduled intervals. On screen, the log files are organized and easy to read, and from within the Log Settings tab (Figure 8), you can control a host of configuration options for logging.
To keep tabs on my network, I choose to log Attacks, and have these log files emailed to me weekly. Unfortunately robust traffic logging isn’t available, but you can at least log sites that are blocked by the parental controls which might give some insight into the types of information your kids are trying to get their hands on. In addition to this, you will discover support to send logs to a Syslog Daemon which is nice, but I found no way to setup SNMP Traps – I guess we can’t always have it all.
Figure 8: Log Settings
(click image to enlarge)
The HS-100W actually has many more routing features that allow it to be used in some relatively sophisticated networking setups. These features include:
- the ability to set static routes and specify dynamic routing protocols (RIP)
- UPnP support with separate enables for NAT Traversal and UPnP firewall bypass
- an Any IP feature that allows clients to connect without having to change their IP address settings
- IP Alias that allows up to three private subnets to be defined
- DHCP server that allows IP address reservation by MAC address
- Dynamic DNS client supporting dyndns.org
- Remote Management via HTTP, command-line via Telnet or SNMP applications
Wireless Features
Configuring the wireless settings (Figure 9) for the HS-100W is fairly straightforward.
Figure 9: Wireless Configuration
(click image to enlarge)
Aside from setting up an ESSID and choosing a method of encryption, you shouldn’t have to modify any of the default settings here. If you find that your HS-100W is conflicting with any device you use at home – let’s say a wireless PlayStation controller – and changing the channels on each doesn’t resolve the problem, you can simply turn off wireless support on the HS-100W by unchecking the Enable Wireless LAN checkbox. (Note that the WLAN light will be turned off when support for the Wireless LAN is disabled.)
I found the device to work best for me on Channel 11, and elected to use WPA-PSK for the best level of encryption. As with most wireless routers, you can filter connections by MAC address to avoid unsolicited connections to your internal network, but I’ve never found a real need for this. ZyXEL also opted to include support for a RADIUS authentication server, but I doubt seriously any home user would have one of these or even know what it is.
Local User Database
Figure 10: Wireless Configuration
(click image to enlarge)
Aside from setting up a secure radio transmission from a client to the AP on the HS-100W, you can also use its built-in Local User Database feature (Figure 10) to authenticate wireless access for up to 21 users with a simple username / password. Note that this is seperate from the logins for Parental Control and only effects connectivity for wireless users, essentially functioning as a mini RADIUS server.
Parental Controls
Since the HS-100W’s main claim to fame is its Parental Controls, I’ll do a deep dive on these features. As I mentioned earlier, the Parental Control Wizard, walks you through a series of configuration steps that guide creation of a unique profile for each user. These steps are easy to understand, but if you mess up, or even change your mind, you can always click “back” to make a change, or restart the wizard entirely. After selecting the appropriate time zone, you then set up the profiles that the parental control uses.
Figure 11: Create New Profile
(click image to enlarge)
There are no profiles created by default, so I decided to make three profiles: one for myself, and one each for my imaginary but beloved daughter Jill and her teenage brother Jack. After entering a username and password (Figure 11), you are prompted to select the user group that the profile should belong to (Figure 12).
There are several options to choose from including: Kids, Young Teen, Mature Teen, and Adult. (Selecting HELP while on this group menu will give you a break down of what content is filtered for each category. You may also customize these groups if you feel a need to do so.)
Figure 12: Parental Control Group selection
(click image to enlarge)
Next, it’s time to decide how to setup the Daily Time and Allowance for your profile (Figure 13). Since I did not want to restrict my own Internet access, I was sure to check the unrestricted option for Monday through Friday (I would have liked to see a single check box that would turn off all restrictions instead of having to select them individually).
Figure 13: Daily Time & Allowance
(click image to enlarge)
Purely for the sake of putting the HS-100W through its paces, I decided that wanted both of my imaginary children to have very limited Internet access, so I set up their Daily Time and Allowance to only allow Internet on Saturday and Sunday from 6PM to 8PM for a maximum of 30 minutes.
Once you’ve decided on a Daily Time and Allowance, you can use the Application Blocking feature (Figure 14) to restrict the Internet applications available to that user.
Figure 14: Application Blocking
(click image to enlarge)
There is a small list of programs to choose from, and restrictions may be placed on each of them for either Weekdays or Weekends. Note that ZyXEL reports that in their next scheduled firmware release you will be able to directly edit / add new predefined services for blocking. But for now, you will need to go to each user’s Parental Control profile to add services that are not listed here (look inside the Available Services tab for Edit Customized Services). For test purposes, I’ve set Jack and Jill to have IRC blocked in Figure 14.
In the last step, you will get a Profile Summary showing the specific settings you’ve selected for a user. From here you can click finish and be on your merry way, or add / edit another profile. If this is the first time you have run the profile wizard, you will be prompted to activate the content filtering service which runs through Content Control from Blue Coat (formerly Cerberian). Unfortunately, the service is not free, and requires a yearly subscription of $34.95. But ZxYEL provides a 15 day free trial so you can get a feel for it before signing up.
NOTE: The only content filtering available from the HS-100W is via the Blue Coat service. No subscription, no content controls!
Parental Controls – In Use
Once you’ve created the user profiles on your HS-100W, you will have to log into your account before you can surf the web or use any Internet programs. Things work exactly as you might expect, blocked programs are blocked, and filtered content is filtered. Obvious things like pornography and violence websites were blocked effectively by my tests. According to Blue Coat, their content filtering service is unique in that not only does it block URLs stored in its database, but it will also analyze full page content as a second line of defense. And even though I have dealt with few other content filtering services, I felt the HS-100W performed solidly.
Durring my testing of the content filtering, I came across a sizeable headache! After having logged on with my test account “Jack” and running some tests, it came time to login as “Jill”, but I had not seen any logout options… where could they be? I looked high and low to no avail, and eventually had to unplug the router to get things reset.
I later discovered that the logout option is presented by a popup (Figure 15 ) which my browser’s Popup Blocker discreetly blocked – so be careful not to make the same mistake! When I told ZxYEL about this, they informed me that their next firmware release will have the ability to present a logout screen simply by typing “logout” in your browser.
Figure 15: The Logout Popup Window
With all these features, you can see why I consider the HS-100W’s Parental Controls to be one of its stronger points. Given this type of control, you can imagine that even if you do not have children, the HS-100W could still be attractive for small business use and even simple wireless hotspots.
NOTE: The HS-100W Parental Control feature essentially acts as a captive portal for all Internet access – similar to Internet services found at hotels and wireless hotspots. This means that all Internet traffic is by default blocked until a user launches a web browser and logs into a valid Parental Control account. This can be bypassed for up to 10 users by entering their computers’ MAC addresses into the Parental Control Bypass list.
Routing Performance
To test out the HS-100W’s LAN performance, I used this Qcheck-based procedure described here. The 7 – 10Mbps throughput in the table below is adequate for most U.S. broadband connections, but not enough for the speedier connections found in less broadband-challenged countries.
NOTE: Machines used for routing and wireless performance testing were:
LAN and Wireless – HP Pavillion ze4300 laptop with AMD Mobile 2600, 500MB DDR 2100 RAM running Windows XP
WAN – DELL PowerEdge 2650 with Intel XEON 3.2GHz, 1GByte DDR RAM running Windows XP
Routing Performance Test Results
Test Description | Transfer Rate (Mbps) | Response Time (msec) | UDP stream | |
---|---|---|---|---|
Throughput (kbps) | Lost data (%) | |||
WAN – LAN | 6.9 | 1 (avg) 1 (max) |
500 | 0 |
LAN – WAN | 10.0 | 1 (avg) 1 (max) |
499 | 0 |
Firmware Version | 3.60 |
See details of how we test.
Wireless Tests
Since Qcheck can’t test throughput over a long period of time or generate plots, I decided to use the open source applications IPERF and its GUI front end, JPERF for wireless throughput measurements. The table below summarizes the test results.
Test Conditions:
– WEP encryption: DISABLED |
Firmware/Driver Versions:
AP f/w: |
|||
Test Description |
Transfer Rate (Mbps) |
Response Time (msec) |
UDP stream |
|
Throughput (kbps) |
Lost data (%) |
|||
Client to AP – |
19 |
1 (avg) |
500 |
0 % |
Client to AP – |
17 |
1 (avg) |
500 |
0 % |
Client to AP – |
17 |
2 (avg) |
499 |
0 % |
Test Conditions :
– WPA-PSK was enabled
– Throughput taken with IPERF at default settings (8 kByte file sizes) for 120 seconds, data collected each second and averaged.
– Qcheck used for Response Time and UDP Streaming results (500kbps rate)
– Condition 1: AP and STA in same room, 7 feet apart
– Condition 2: AP and STA in separate rooms, 1 wall between, 15 feet apart
– Condition 3: AP and STA in separate rooms, 2 walls between, 16 feet apart
The graphs JPERF generates are certainly not as detailed as those generated by IxChariot – which I would have preferred to use – but JPERF was an alternative that proved suitable for my needs, and is also free! I eventually decided I could improve upon the graphs generated by JPERF and opted to take data straight from IPERF and run it through Microsoft Graph after cleaning it up with some simple regular expressions. Figure 16 shows a plot of the Condition 1 results.
ex. iperf -c 192.168.1.35 -t 120 -i 1
Figure 16: Condition 1, Access Point and WiFi Adapter in same room, ~7 feet apart.
The results clearly show that the HS-100W / ZyAir G-220 provides a solid strength radio signal through 1 and 2 walls, with nominal performance degradation at the short distances I was able to test the device at. I would have been interested to push the HS-100W a bit further to test its maximum communication range but was limited by a variety of unfortunate circumstances.
ZyXEL was kind enough to send two WiFi Adapters to test out the HS-100Ws abilities, but I soon discovered that I was unable to get their ZyAir G-100 CardBus card to make a connection (regardless of the fact that it did detect a signal). Thinking this was merely a localized problem with my laptop, I tried in two others with the same frustrating results.
Luckily the ZyAir G-220 USB Adapter ZyXEL also sent worked fine, but since I did not have USB 2.0 ports on any of my laptops, I was forced into using my desktop for the client machine, and my testing abilities became clearly limited due to the lack of mobility! Ultimately I had to move the AP to several different rooms in my home to get the job done. Frustrating indeed!
Conclusions
If you are concerned about having easy-to-configure Parental Controls, the HS-100W just might be the right buy for you, especially when you consider its low cost. With relatively painless installation and easy to follow configuration, the HS-100W is likely to gain popularity in homes where parents are concerned about their children’s use of the Internet.
And even if making sure that kids don’t get to “undesirable” content in their Internet travels isn’t your thing, the HS-100W can also be used for simply enforcing basic controls on Internet access for a small business or neighborhood wireless hotspot. The HS-100W may not stand out in a crowd, but for the right needs, it has the right tools to get the job done.