My struggles with setting up an old Siemens laptop as a firewall are going nowhere.
FreeBSD 4.x just doesn't like the hardware inside that old computer, and I desperately needed some sort of firewall and router. I've been running Fortech's Proxy+ on Windows NT and 2000 for three years, and it has served me well. The only thing I sorely missed was the ability to do cvsup'ing from my desktop FreeBSD behind the proxy and an easy way of forwarding ports. Proxy+ has an FTP gateway built in, but CVSup does not like that very much. Port forwarding/redirection through a proxy is just too much of a pain in the ass.
Hence my (failed) attempts to build a firewall out of junk components gathering dust in various parts of my apartment.
Time to spend some money.
I went out and bought a Belkin F5D6230-3 Wireless Access Point and Cable/DSL Router. It uses the 802.11b standard for its wireless stuff. While in the store I checked with the staff whether it would support Mac AirPort cards. They scratched their heads, checked Belkin's web pages and proclaimed that it did. I do not own an AirPort card for my Mac yet, but who wants to own obsolete hardware the day I do? In short: this router supports a Mac with an AirPort card in it.
The manual (which I also checked out while in the store) listed these features:
My router had Runtime Code Version V1.01.001 and Boot Code Version V1.00. Hardware version was 01. There's a firmware update available on Belkin's website that reportedly fixes a couple of PPTP issues.
This is not a test of whether the router performs as advertised; it's more a writeup on my initial impressions after a couple of days of operation.
Unpacking and setting up
The small box contains the router, a power supply, a CD with some software and a manual. Once I powered up the router and connected it to one of my computers, I entered http://192.168.2.1 in a browser and started configuring. Lo and behold! The menus were all in German! Okay, to be fair, Germany is probably a very big market for Belkin, but you have sort of come to expect that things like these are English out of the box. Luckily, you can easily change the firmware inside the router to show you English menus instead, so that was the first thing I did. In the meantime I tried the best I could to navigate through the German choices. If your German isn't what it used to be, you might run into problems at this point. I do not know Belkin's strategy on default language vs. European shipping country, so your mileage may vary. The accompanying CD contains language files for Spanish, French, German, Dutch, Italian and English. The printed manual came ring bound in all of the Nordic languages as well as German. There are Spanish, French, Dutch, Italian and English manuals in PDF format on the CD.
If your ISP accepts traffic only from a certain MAC-address, the router can fake it. Just remember to only use the old network card on LANs from then on.
Administration
In order to do admin tasks on the router, you'll need a browser. The manual recommends MSIE5, and probably for a reason. I could connect to the web interface with IE5, Safari, Konqueror, Mozilla and Omniweb on Windows, Mac OS X and FreeBSD. No matter what OS I ran Opera from, I couldn't connect. It connected all right, but the browser displayed nothing. Since there's no (real) technical reason for stopping Opera from accessing the web interface, Belkin should remedy this ASAP. And no, telling Opera to pose as MSIE5 or Netscape did not help.
NAT and DHCP
The router only deals with TCP/IP. If you have enabled other protocols on your computers, that's all right, but the Belkin router won't handle them.
The router does NAT (Network Address Translation) in the private class C range. That means all your computers connected to the router get addresses in the 192.168.2.x range. By default, the DHCP range is 192.168.2.4-22. You can change this in the router setup, but you cannot make it hand out class B or A IP-addresses. That's fair enough, because you probably won't do any sort of advanced subnetting with hundreds of computers in a small home LAN. If you do, this router is not for you. The lease time is set to "forever" by default, but you can change it to more sane values - like a week - if you like. DHCP servers with IP-address lease times set to forever should be outlawed. It defies the whole concept of DHCP.
You cannot change anything in the DHCP server other than the IP-range and lease time. Subnetting is therefore out of the question, but people with no more than a handful of computers on the network do not need subnetting.
You can also disable the DHCP server in the router altogether, meaning you get to fiddle with network settings on your own. Netmask is always 255.255.255.0 and default gateway is always 192.168.2.1. Strangely enough, you can also disable NAT. I don't know why anyone would want to do this, but it's possible. One word of warning though: if you disable NAT and DHCP, the router will (in some cases) forward DHCP requests to the WAN, possibly triggering a reaction from your ISP. I don't know what will happen if you configure the router to have a static WAN address and disable NAT and DHCP. In any case, make sure you leave NAT on at all times.
Caveat: if you boot up a Windows 98, 2000 or XP computer as a DHCP client without any DHCP server available, something called APIPA makes sure you automatically get a random IP-address. This random IP-address is on a different network than the Belkin router, and that means you can't reach the web interface on it. Connect your Windows computers to a powered-up router and boot it before you do anything else. Since APIPA addresses cannot be dropped with ipconfig /release, you will need to boot.
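Added example (not part of the original review): a small Python check that takes the addressing facts given above (gateway 192.168.2.1, netmask 255.255.255.0, factory DHCP pool 192.168.2.4-22) and flags clients that have fallen back to an APIPA address, sit on another subnet, or use a static address inside the DHCP pool. The host inventory and the verdict wording are constructed for illustration; adjust the pool bounds if you changed them in the router setup.

```python
import ipaddress

# Values stated in the review: fixed gateway and netmask, factory DHCP pool.
ROUTER = ipaddress.ip_address("192.168.2.1")
LAN = ipaddress.ip_network("192.168.2.0/255.255.255.0")
POOL_FIRST = ipaddress.ip_address("192.168.2.4")
POOL_LAST = ipaddress.ip_address("192.168.2.22")
# APIPA (IPv4 link-local) block that Windows self-assigns without a DHCP server.
APIPA = ipaddress.ip_network("169.254.0.0/16")


def classify(addr, static=False):
    """Return a short verdict for one client IPv4 address on the router's LAN."""
    ip = ipaddress.ip_address(addr)
    if ip in APIPA:
        return "apipa: no DHCP answer, router web interface unreachable"
    if ip not in LAN:
        return "off-subnet: cannot reach 192.168.2.1 directly"
    if ip in (LAN.network_address, LAN.broadcast_address):
        return "invalid: network or broadcast address"
    if ip == ROUTER:
        return "conflict: address belongs to the router"
    in_pool = POOL_FIRST <= ip <= POOL_LAST
    if static and in_pool:
        return "conflict-risk: static address inside the DHCP pool"
    if not static and not in_pool:
        # Assumption: a lease outside the pool hints at a second DHCP server.
        return "unexpected: lease outside the configured pool"
    return "ok"


def audit(hosts):
    """hosts: iterable of (name, address, is_static). Returns {name: verdict}."""
    return {name: classify(addr, static) for name, addr, static in hosts}


# Constructed sample inventory, not taken from the review.
SAMPLE = [
    ("desktop-bsd", "192.168.2.50", True),
    ("laptop-w2k", "169.254.17.3", False),
    ("mac", "192.168.2.5", False),
    ("ftp-server", "192.168.2.10", True),
    ("old-box", "192.168.1.20", True),
]

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE).items():
        print(f"{name:12} {verdict}")
```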
Firewall
The "stateful inspection" firewall inside is quite forgettable. There's no need to configure it besides enabling it if all you want to do is web surfing and mail. According to Steve Gibson's Shields Up!, everything was stealthed nicely, which means most wannabe hackers won't even know you're out there. Enabling remote administration of the router (from outside the firewall) leaves port 88 open for HTTP requests though. You can add a second layer of security here by only accepting administration from a single IP address. In any case, the administration can be password protected. By default there's no password on the web interface.
In order to play online games (or whatever), you can configure port redirecting with TCP or UDP through the firewall. This explicitly opens ports on the outside and redirects them to specified ports on the inside computers. It is also possible to do this the other way around; redirecting traffic from the outside to servers on the inside. For example, if you have an FTP server on your LAN and want to connect to it from the internet, you set up a "virtual server" in the firewall, redirecting port 21 connections from the router WAN interface to a specified computer in the LAN.
If port redirecting doesn't cut it for you, placing a computer in a DMZ is the way to go. You can place one single computer in the router's DMZ, giving it full access to the net without the added security of a firewall. The DMZ computer will still have a private non-routable IP-address though. Pretty neat.
There's also a logging facility in the firewall, but it does not log anything I would consider useful. The manual states that attempts to break into your network will be logged here, but I have yet to see anything actually firewall-related in the log. Maybe they should have named it "event log" instead of "security log"? If you need to log TCP/IP traffic to and from your firewall, this router is not for you.
MAC filtering
Like most wireless routers and access points, the Belkin F5D6230-3 can accept or deny wireless clients access to the WAN interface based on MAC address. It can also stop wireless clients from associating with the WLAN. This is not bulletproof from a security standpoint since MAC addresses can be forged, but you'll avoid the "wardrivers" with a minimum of effort. MAC filtering is perhaps the most confusing part of the router config. Three different parameters need to be juggled just right in order to accept or deny WLAN connections: MAC address, accept or deny, WAN or LAN. If WLAN security is important for you, testing the settings you made here is the recipe for success.
The switch
The switch built into the router is a regular 3-port 10/100 ethernet switch. I connected another switch to one of the ports and discovered nothing out of the ordinary afterwards. With this in mind, the only limit to how many computers you can connect to the router is the IP range of the DHCP server inside it. That's about 250 computers if you tweak the factory settings a little.
Conclusion
The Belkin F5D6230-3 is a nice router packed in a small hideable unit, perfect for broadband users and wireless laptop owners. The default configuration should suit most people. Changing bits inside it to connect it to whatever broadband/LAN solution you have is fairly easy with the detailed, well-written manual handy. Physically, the router is flat on all sides, making it possible to stack things on top of it. 3Com take heed!
For about €265 (and roughly the same in US Dollars), you get a firewall/router/WLAN access point with some bells and whistles. Apart from the strange fact that it speaks German by default, it appeared well thought out. I've had broadband access for three years now, and Belkin seems to have understood what home broadband users need.
Note: Belkin also sells an 802.11g 54Mbps router (F5D7230) with the same features as this one.
Useful links
Belkin F5D6230-3 homepage
F5D6230 Drivers and manuals
F5D6230-3 FAQ