speedguide.net   

SMC Barricade 7004AWBR
A 4-Port Wireless Broadband Router with built-in 802.11b and print server
Date: 06.05.2002 07:38
Type: Wireless
Author: Tom (Bouncer) Blakely, CCNA, CCDA
Manufacturer: SMC  
Product/Model: Barricade SMC7004AWBR  
List Price: $209.99 
Online Price: $164.88 @ JandR.com 


Introduction:

SMC Networks is a leading provider of high-performance, standards-based networking solutions. The company provides networking hardware for both the home office and small office environments (SOHO) as well as the small and medium business markets. The Barricade Wireless Broadband Router is a great networking solution for home and small business users. The unit is platform independent, combines a 3-port 10/100 Mbps dual-speed switch, a built-in print server, a serial port, wireless access point and firewall security for protection against intruders.

Routers have come a long way from just a few years ago. The idea that a small home router would have some features that would even make the big boys jealous seemed laughable. No one's laughing now. Let's take a look at the SMC7004AWBR. It's a heavy-duty, feature-rich box at a bargain-basement price.

 

Functions and key features:

  • Network Address Translation (NAT) Router
  • Firewall (port or address filtering)
  • Wireless access point 11 Mbps DSSS WLAN, IEEE 802.11b compatible, with auto fallback.
  • Printer Server
  • 3-port 10/100 Auto-sensing Ethernet switch
  • Support for Port mapping up to 20 different services
  • VPN support - PPTP server and clients
  • DHCP server & client
  • Web based configuration
  • MAC Address control - allows you to assign different levels of access for clients on the LAN
  • Virtual servers support
  • DMZ Host support
  • Support for Packet Triggering

 

What's in the package:

  • SMC Wireless Barricade Router
  • Power Adapter
  • Quick Installation Guide
  • Installation CD with complete user documentation
  • CAT-5 Cable

Updated firmware, printer drivers, as well as copies of the manual can be downloaded directly from SMC.

The front includes lighted indicators for:

M1 & M2 status
WAN Link/Activity
LAN Link/Activity
Wireless Link
Wireless Activity
Ethernet LAN Link/Activity (1 per port)
Ethernet LAN 10/100 (1 per port)

The Router supports six different addressing schemes for the WAN port:

  1. Static: A fixed address assigned by your ISP
  2. Dynamic: A changeable address assigned by your ISP
  3. Dynamic / RoadRunner: The same as above but with some special subset rules.
  4. PPPoE: Point-to-Point Protocol over Ethernet: Frequently used by DSL companies.
  5. PPTP: Point-to-Point Tunnel Protocol: Used to create a secure connection between two LANs across a WAN link.
  6. Dial Up Network: (External Serial Modem not supplied)

The first four options are normal, but the last two are impressive add-ons, and not usually seen in a home router.

Let's deal with each section independently, shall we?

 


Management Interface:

The router interface is Web driven, and very easy to use. Below is a picture of one of the basic management screens when you first log on:

NAT refers to the ability to use one public address to represent multiple inside private addresses. The NAT takes the requests from the inside machines and presents them to the internet as if they were all coming from the one external IP address. The advantage to this is twofold: it saves limited address space and, as a byproduct, it increases security. When you open a session through NAT, the router tags that session with a number, and it knows that any information coming back to that number is for the particular inside machine. If the router gets a request from the internet for a number it doesn't have, it drops the packet because it doesn't know what to do with it. Basically, this means that most normal communications to the internet have to be started from the inside, so people outside cannot simply initiate communications to the inside machines.
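The session tracking described above, as an added example that is not part of the original review: a simplified port-translating NAT table in Python. The addresses and the class and method names are constructed for illustration, the session "number" is modelled as the translated source port, and the remote-endpoint check is an assumption the review does not describe.

```python
import itertools

class NatTable:
    """Toy port-translating NAT: one public address, many inside hosts."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self._next = itertools.count(first_port)
        self._out = {}   # (inside_ip, inside_port, remote) -> public_port
        self._in = {}    # public_port -> (inside_ip, inside_port, remote)

    def outbound(self, inside_ip, inside_port, remote):
        """Inside host opens a session; return what the internet sees."""
        key = (inside_ip, inside_port, remote)
        if key not in self._out:
            port = next(self._next)      # the "number" tagging this session
            self._out[key] = port
            self._in[port] = key
        return self.public_ip, self._out[key]

    def inbound(self, public_port, remote):
        """Return the inside (ip, port) for a reply, or None if dropped."""
        entry = self._in.get(public_port)
        if entry is None:
            return None                  # no session with that number: drop
        inside_ip, inside_port, expected_remote = entry
        if remote != expected_remote:    # assumption: only the peer may reply
            return None
        return inside_ip, inside_port

if __name__ == "__main__":
    nat = NatTable("203.0.113.5")        # constructed documentation addresses
    web = ("198.51.100.7", 80)
    print(nat.outbound("192.168.2.10", 51000, web))  # first inside host
    print(nat.outbound("192.168.2.11", 51000, web))  # second host, same public IP
    print(nat.inbound(40000, web))                   # reply reaches first host
    print(nat.inbound(40999, web))                   # unsolicited: dropped
```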

On the NAT router side we have the ability to clone a MAC address from a machine on your home LAN. This is necessary for some cable companies who authenticate based on the MAC (hardware) address of a network card in your machine. The router will pretend to the network that it is your machine, allowing you to authenticate. It may or may not be necessary to do this, but sometimes it is, and the router provides for that scenario. In either case the router will acquire a DHCP address from the ISP, as well as default gateway and DNS server information. These are used for directing information to the proper exit, and for acquiring a number to match a name. It will then store this information and pass it on to any of your home computers that connect. The router will even automatically renew your address and connection for you. This means that, barring system changes at the ISP, you should have the same addressing information fairly consistently and maintain connectivity. This feature is most useful for those of you on DSL PPPoE type connections, or who are using a Dynamic DNS service.

The router has quite a few security features, enough so that simply calling it a Firewall doesn't do it justice.

On the LAN side of the router, you can decide which machines can communicate with the router by hardware address (MAC). MAC filtering is most useful across the wireless link, to prevent other people from accidentally (or otherwise) accessing your router and your LAN. However, if you're so inclined, or if you're using it in a small office, you can apply it so that only the hardware addresses of the servers you specify will be able to communicate with the router. The wireless side goes even further, and can be set to only allow certain devices to associate with the machine. That is, the router won't even acknowledge those devices across the wireless link unless they meet certain security requirements. We'll get more into this in the wireless section. The only limitation is that you can only specify up to 32 different devices for MAC authentication.

Packet Filtering can be done on *both* an Incoming and Outgoing Filter basis.

Within the Incoming or Outgoing Filter, you can select:

  1. Source and Destination Address.
  2. A Single port or a Range of ports.
  3. Whether the port is TCP or UDP port (or both).

Looking at the picture, you may notice that I block incoming Telnet (23), NetBIOS services (137,138,139) and SNMP (161,162). The reason you don't see any addresses is that if you leave the address field blank it applies to all addresses. In the example above, I'm blocking ANY outside address and ANY port that attempts to reach ANY inside address on the ports I have specified.

The combination of Incoming and Outgoing filter sets is quite powerful. It allows you to customize who may browse the web, or what outside servers you will allow to communicate with you to exchange mail or files, as I did above. When combined with MAC address control, you can very effectively limit who may communicate through the router in either direction on both the wired and wireless portions. You are limited to 20 incoming and 20 outgoing filter sets. However, you can block a range of addresses or ports, not just individual ones. If you take another look you'll see that I blocked 137-139. That's all ports starting with 137 and ending with 139. So blocking ranges is very easy. You can even put a "T" or "U" in front to specify whether you want to block only the TCP or only the UDP. If you don't specify, as in my example, both TCP and UDP ports are blocked.
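An added example, not the router's firmware or part of the original review: a Python model of the port entries described above (single port or range, optional "T"/"U" prefix, blank address meaning any address, 20 filter sets per direction). The exact entry spelling (`T137-139`) and all function names are assumptions; the last line shows why a TCP-only entry on the NetBIOS range leaves the UDP ports reachable.

```python
from dataclasses import dataclass

MAX_RULES = 20  # the review states a limit of 20 filter sets per direction

@dataclass(frozen=True)
class Rule:
    protos: frozenset  # {"tcp"}, {"udp"} or both
    lo: int
    hi: int

def parse_port_entry(entry):
    """Parse '23', '137-139', 'T23' or 'U161-162' (prefix spelling assumed)."""
    text = entry.strip().upper()
    protos = frozenset({"tcp", "udp"})   # no prefix: both are blocked
    if text[:1] in ("T", "U"):
        protos = frozenset({"tcp"} if text[0] == "T" else {"udp"})
        text = text[1:]
    lo_s, sep, hi_s = text.partition("-")
    lo = int(lo_s)                       # raises ValueError on junk input
    hi = int(hi_s) if sep else lo
    if not (1 <= lo <= hi <= 65535):
        raise ValueError(f"bad port range: {entry!r}")
    return Rule(protos, lo, hi)

def build_filter(entries):
    """Build one direction's filter, enforcing the 20-entry limit."""
    if len(entries) > MAX_RULES:
        raise ValueError("more than 20 filter sets")
    return [parse_port_entry(e) for e in entries]

def is_blocked(rules, proto, dst_port):
    """Address fields are left blank (any address), so proto/port decide."""
    return any(proto in r.protos and r.lo <= dst_port <= r.hi for r in rules)

# Constructed rule list mirroring the ports the review blocks inbound.
INCOMING = build_filter(["23", "137-139", "161-162"])

if __name__ == "__main__":
    for proto, port in [("tcp", 23), ("udp", 138), ("udp", 161), ("tcp", 80)]:
        verdict = "drop" if is_blocked(INCOMING, proto, port) else "pass"
        print(f"{proto}/{port}: {verdict}")
    # A TCP-only entry does not cover the UDP side of the same range.
    print(is_blocked(build_filter(["T137-139"]), "udp", 137))
```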

Some of the other nice features are shown below.

Here you can set up a DMZ server, a server which is NOT protected by the packet filter and is open to the internet. Be advised, if you do this it is a good idea to run a local firewall on that server. Interestingly, you can manage the router remotely if you need to. Be advised there is a security risk in turning this feature on, so consider whether you really need the ability to manage the router from some other place not on your LAN. You can discard pings from the WAN side. This is a security issue, and you're less likely to attract the attention of curious types if they don't know you're there. In some instances you may want to respond to a ping; normally, I like my privacy.

 

Printer Server

The printer server is very straightforward. SMC provides a printer client that you put on your machines, and they print to the client. The client forwards it to the router, and the port translates to the actual printer. It's very straightforward, works well, and there was no observed impact on printing while browsing or testing.

As if all that weren't enough, they also put in wireless access!


Wireless Services:

802.11b Networking provides for up to 11mbps across the link with fallback to 5mbps and 2mbps if interference is present. While all the makers of these devices claim a large radius, the truth is the radio isn't that powerful, and you're not likely to see 11mbps of connectivity more than fifty to sixty feet away from the router. Now, with wireless, the real issue is security. Theoretically, any person wandering in range of your unit can access it, and your LAN as well as your connection to the internet. This is why Wireless Encryption Protocol (WEP) was developed, so that:
A) your wireless device can be authenticated, and
B) traffic between it and the Access Point (AP) can be protected from interception and/or decryption.

However, this added encryption feature comes at a price. Because of the overhead it imposes, and the fact that packets must be encrypted and decrypted at either end with zero tolerance for errors, your throughput will probably drop to about 45% of what it was.

Test Results Across Switch:
AVG: 85.226 Mbps (This is normal and well within range. No 100Mbps switch ever actually transfers at 100Mbps; overhead and other issues prevent it.)

Test Results Across Wireless:
From Wireless Station:
No WEP: 4.869 Mbps
WEP 64bit: 2.270 Mbps
WEP 128bit: 2.245 Mbps

From Wired LAN Station:
No WEP: 4.860 Mbps
WEP 64bit: 3.552 Mbps
WEP 128bit: 3.545 Mbps

The conclusion drawn from the wireless tests is that if you're going to encrypt, you might as well do 128bit encryption. The additional overhead is marginal compared to the initial impact you take on throughput with 64bit WEP. Frankly, the additional encryption is more secure. It is a good idea to combine this with MAC address control. You want to make certain that the devices communicating to the router are the proper ones. You want to avoid accidental crosstalk from other wireless LANs and their devices. You also want to make sure that these devices have the appropriate permissions.

You may note that the wired station takes less of a hit in throughput in the tests. The reason is that it's not trying to encrypt anything, and is handing that off to the router. The router is faster than the small wireless card in the laptop at encrypting and decrypting. At least part of the bottleneck here is apparently the wireless NIC used in testing.

Note that a lot of the changes you make to the router require a router reboot. This is quick though, and shouldn't pose much of a problem. It is worth mentioning in case you can't afford even a momentary (less than ten seconds) outage.

WAN Port:

I have a 1.5Mbps internet connection. This does not stress the WAN port.

 

Conclusion:

Without a doubt, this is one of the best bang-for-the-buck routers out there. Ease of use, functionality, security and wireless expandability all make it a highly recommended choice.

 

Tom (Bouncer) Blakely, CCNA, CCDA, reporting from The Bouncer Bunker, somewhere on the East Coast of the USA:


Copyright © 1998 - 2003 Speed Guide, Inc. All rights reserved.
All trademarks and logos are © of their respective owners.