Bartered VPN

Posted on May 13, 2009
Filed Under: Internet and web sites.

Every company you run across these days is cutting costs, and where I work is no different. So when we lost routers at two locations, I set to the task of replacing those routers without sacrificing any of our CEO bonus money. Fortunately, we work with a few larger companies that had over-purchased (or recently closed) some of their branch offices. Routers were plentiful. The choice wasn't whether I could find a router to barter for, but which brand I wanted. It felt better than shopping at Wal-Mart.

My first router was a brand new Cisco-branded WRV200. It appeared to have all of the features, and the same friendly setup you can expect from a Linksys. So, configuration done, I put it in the closet, plugged it in, and it was dead. I can't really say too much about it since I have yet to get a suitable replacement power supply, but I can say that it had been working just hours before. Who's to blame for this travesty? Before I had time to guess, something shiny jumped in front of me, and I went to chase it.

A brand new out of the box FVS336G from Netgear. It had ALL the specs. Firewall, IPsec VPN, SSL VPN, and a bunch of neat looking menus. I was thrilled! I talked to my counterpart at the remote office while we configured two of these units to VPN to each other. It took about 5 minutes to enter the IP addresses before bango! We have a VPN with a pingable remote partner. They were happy, I was happy, and everyone was working again. Of course, to put this unit into full production, I had to configure the DMZ hosts. This is normally a simple process where you define which remote IP maps to which local IP and then apply rules for who can go there. Even in IOS land with its tauntingly long command lines, this is a simple affair, so I had no doubt my shiny new friend could do well here. I started with the most important services, our inbound VoIP provider. Click -> Security. Click -> Firewall. Click -> Add inbound rule. Since the FVS336G does not support a DMZ host per se, I had to add a rule that sent all inbound services to the DMZ server. No big, click -- -- WARNING WARNING -- YOU HAVE JUST DISABLED YOUR ENTIRE NETWORK, AND THE ASPIRATOR FOR YOUR AILING MOTHER.

Ok, so apparently it was a big. Even though I had seen posts on the internet where some people recommended doing this, and it made perfect sense, it was a bad idea. Ok, next plan. Map each port through their cumbersome interface (yes, by now the shiny new toy is not so shiny any more), where you have to choose a single service, a single inbound IP, and a single WAN IP to map to. I performed this mapping for each of the provider's servers, since their servers are not in a single consistent IP range. SIP:UDP, SIP:TCP, RTSP:UDP, RTSP:TCP, RTP, times the three servers they provided. It took less time to write this stupid blog than to enter those settings!

Ok, it all makes sense, everything is mapped, and everything is good. Begin the tests with simple browsing to the internet to see if the service provider has us registered. Browsing is good, the phone server seems to be up, and I was able to accept an inbound call. Check the remote sites -- !@#!%!! VPN dropped! Ok, no worries, click the little reconnect button, and nothing. Ok. I'll figure that out later. Just check an outbound call, and ARGH!

I could go on for several pages about the epic battle trying to get the router to do both inbound services and VPN, but I'm afraid if I relive that much of the adventure, harm may have to come to several small animals. Needless to say, I now have a shiny toy sitting in my closet of shame, a place where hardware goes to watch the useful world pass it by, while I go to pay cash for a real Cisco router. Sorry, bonus pool.

by Chris Gamble

Comments:

Hi Chris, this sounds frustratingly familiar. I also have an FVS336G, and trying to get our VoIP server to connect with our SIP provider is an absolute disaster. Which router did you go for, and how does it perform now? Regards

Posted by Remko on June 05, 2009 at 02:36 AM CDT #

I ended up using an open source router. I wrote the details up here: http://techimpact.crgmedia.com/techimpact/entry/does_it_make_pfsense . Take a look and let me know if you have any questions. Thanks,

Posted by Chris on June 05, 2009 at 09:27 AM CDT #
