Review of Netopia 3387WG-VGX + ENT feature upgrade

Rating: 4/5 with ENT upgrade Rating: 3/5 with basic features only Product page:

Upgrade instructions: (requires different firmware file from Netopia support for this model that is not yet listed on their website) Observations The unit out of the box only supports the basic router features. It claims to support QOS priority tagging even in basic mode though I was unable to fully test this. Basic mode features are similar to any other broadband router on the market with a DHCP server, server port maps for inbound access and NAT firewall for security. I believe the most compelling features are offered in the Enterprise version of the software though home users may want this unit in it's basic configuration if they want to run VOIP terminals behind the router and utilize the QOS feature but have no need for VPN or routing. I believe that most home users are going to be sticking with the very cheap and highly available models from Dlink, Linksys, Netgear and others rather than this unit. The box it comes in is just plain white cardboard with a serial number sticker and a model number sticker. It just doesn't distinguish itself at this competitive retail level.

An upgrade is available on Netopia's website to the Enterprise (ENT) features which includes VPN endpoint/server, firewall, and routing capabilities. This is where it starts to get interesting. I upgraded my unit to the ENT feature set (requires a firmware upgrade file which you may need to contact support to obtain). This is a $99usd upgrade. If you do obtain the upgrade you need to install the license key for the upgrade before re-flashing the firmware with the enterprise software. Enterprise features on this unit are identical to the 3387W-ENT. The only upgrades are 54Mbit, 802.11g radio (previous model is 11Mbit

802.11b), QOS support, double the memory and flash size and a faster processor at 200Mhz vs. 166Mhz for previous model. All other new features are available in the previous model after doing a firmware upgrade to the newest version.

I was not able to test the new QOS feature unfortunately. I simply do not have any equipment or applications that would be able to stress test this feature at the moment.

Performance: I currently have my unit configured with 8 separate IPSEC tunnels to multiple different vendors of equipment including Nortel VPN Routers, other Netopia units, a Linksys RV VPN router, and a Watchguard Firebox X core router. All these links maintain nearly 100% connectivity uptime outside of ISP maintenance windows. Network interruptions are generally handled gracefully and the tunnels will do dead peer detection when properly configured to keep a tunnel nailed up. I have been able to saturate my 1.1Mbit bandwidth achieving a 116KB/s file transfer rate through a 3des encrypted tunnel so the unit is adequate for any typical ADSL or cable modem high speed internet connection. The previous model would not quite reach the maximum throughput of my connection under the same conditions but it came close to 62KB/s so I have been using them on

640Kbit ADSL connections but looking for something faster for anything requiring something faster. Tunnel traffic does not support compression so applications that would benefit greatly from a compressed VPN tunnel may require a more costly device such as the Nortel VPN Router line. (IPsec tunnel data compression is actually a vendor specific extension to the standard and is not widely supported and rarely can it inter-operate between vendors) Nortel has the best tunnel compression in my experience. Overall bang for the buck is pretty good. These units nicely straddle the performance gap between high performing higher priced models from Nortel, Cisco, and Watchguard and the low price low performance models from Netgear, Linksys and the older Netopia models. The previous Netopia model is still my lowest cost champion. Limitations to the total number of VPN connections, server rules, firewall rules and other internal settings may prevent use in a larger network though my experience has been that any small business with less than 10 small branch offices or less than 15 total branch VPN and remote user VPN tunnels and under 40 users on the LAN with a standard ADSL/Cable modem internet connection should have little reason to require a more powerful unit.

Software stability appears to be excellent for this price range. I have had no problems with software on the unit. The direct competitors to this unit would be the Netgear prosafe VPN routers and Linksys RV series routers. My experience with both Linksys and Netgear VPN routers has been that the software on those units contain more frequent problems such as VPN tunnels that fail to connect until the unit is restarted, VPN tunnels that do not recover from WAN interruptions, and units freezing and requiring a restart.

Wireless on the unit appears to work as advertised. One of the features that Netopia boasts about is the increased range of their wireless product over other vendors. I can verify that they do get better usable range compared to my other wireless access point equipment that I have used. I have an old dual antenna Linksys WAP11 that I used to use and it would not provide a usable signal for very far in my office. After going through a few walls the Linksys access point is very spotty at the far side of the office. I can get a good solid connection with this Netopia wireless under the same conditions. Speed wise, it's exactly the same as just about any other wireless base station at close range, at the outer edges the increased coverage helps to boost the usable speeds. I find that the absolute maximum range of the Netopia is similar to the Linksys, it's just that in the outer range where the Linksys is unable to provide a solid connection I can get a good connection with the Netopia. It seems like the Netopia just maintains that connection better until it hits the outer range and then it drops off from usable to nothing very quickly. Wireless security is similar to any access point with WEP and WPA modes in pre-shared key modes and an option for WPA with a radius server. You cannot filter or firewall the wireless clients separately from the LAN ports unfortunately. I think it would be nice to be able to setup the Wireless radio as a separate interface to the router but it operates as a bridge to the LAN ports like most other wireless routers on the market. I just though that with the VPN features it might make sense to force the Wireless clients to connect via a VPN connection to gain access to resources on the LAN side if you wanted to. In the wireless area they get points for the signal coverage but they follow the crowd when it comes to wireless security and configuration. The wireless coverage should mean that Netopia's integrated hotspot units would be excellent though I have not tested them. The hotspot units are the same basic equipment with different firmware loaded so the wireless performance will be the same.

Overall if you do not require the higher speed radio, faster processor or the QOS features then the previous model is a much better deal. Currently pricing for the 3387W-ENT is $100 less than the price of the

3387WG-VGX and the previous model includes the enterprise features out of the box, which saves an additional $99usd.

The other models in this VGX line include internal ADSL modems rather than an Ethernet port with or without the wireless radio. There are no models with wired Ethernet ports only; the previous model line included the 3386-ENT that had no wireless radio and an Ethernet WAN interface.

When would it be more appropriate to use a higher priced VPN router? There are some good reasons to use a more expensive but higher featured router like a Nortel VPN Router, Watchguard X Core or similar enterprise class VPN product, let me throw out a bunch. If you have many mobile users who require VPN access then the management of an enterprise product is far better than the manual setup telnet interface in the Netopia product. If you require more complex routing features. If you have a higher speed WAN link than offered by a typical ADSL/Cable modem. If your branch office VPN links require data compression. If you have a requirement for more complex firewall settings. If you require integration with corporate directory servers. If you make frequent changes to your configuration. If you require central policy enforcement on mobile user VPN settings. If you require specialized redundancy features. If you require specialized WAN interfaces. If you desire application proxies. All these are features that you will typically only find on an enterprise level product. If any of those features are worth the extra $600 minimum to get into something on the bottom end of the enterprise range then you need to look elsewhere. I have personally been using the Nortel Contivity VPN Router for most of my higher end VPN needs and the Watchguard Firebox X line for users who desire a wide and large set of integrated firewall and VPN features.

I would have rated this unit 5/5 if they included the ENT feature out of the box along with pricing that is near the previous models. They have significantly increased the price by about $200-$250cad on these models for the hardware and for the extra cost of feature upgrades that were not necessary in the previous generation. The out of the box package just doesn't do it for me though. Without the ENT features there just isn't much there. I expect most people will only experience a basic Netopia unit if it is provided to them by their ISP as it's not geared for retail sales. Once you upgrade to the ENT features it's a different ballgame though, good features, decent price, and good performance. If the previous unit had not been so cheap I probably would like this model more than I do now especially considering the price of lower end enterprise units that this unit compares favourably to are still much higher.