56k dial up on laptop 802.11G ?

Then this "TOP GUN" seems no more aware than you are, according to no less an authority than Watchguard themselves. (I shouldn't say that, because you are probably once again misrepresenting what he actually did say.)

In fact *some* models from Watchguard do have what they call "Deep Application Inspection" for HTTP and other protocols. None of the "X Edge" models or the "SOHO 6" models have it (which means no wireless models do). The "X Core" and "X Peak" products have it.

Of course *all* of those, both with and without your favored capability, are advertised by Watchguard as "FW Appliances".

Clearly you aren't correct about what defines a "FW Appliance".

Since I've been discussing the SOHO 6 only, up until now, and it appeared to be that was what you have... I'm beginning to wonder if you have any clue at all what you have or what it will do! Maybe all you actually know about it is what your "Top Gun" told you, and you can't even figure out with one right in front of you that it wasn't true! What a hoot...

You are just as poor at insults as you are at router/firewall facts.

Reply to
Floyd L. Davidson

Okay! So now we do agree that it is in fact a firewall, and indeed it can be called a "FW appliance".

I'm glad that you grew up.

Reply to
Floyd L. Davidson

I dropped the question about the 54g in comp.security.firewalls and got my answer from a Top Gun in that NG who installs and supports Linksys routers and Watchguard FW appliances. It is as I knew it was. You can take all of this and stick you know where -- Floyd Firewall.

Duane :)

Reply to
Duane Arnold

WEP only for a "security appliance"?

If that bit is still the case, that alone is enough reason to not use the Watchguard box.

David.

Reply to
David Taylor

The answer you got was:-

"When it can tell the difference between HTTP and anything else on port 80, and that's not going to happen anytime soon, it will be a firewall."

Since that requires application layer inspection, even Cisco themselves accepted that prior to IOS 12.3(14T) they weren't too good at that.

So what you're saying (or your alleged Top Gun whose credentials are unverified - not that I care one little bit) is that a firewall that was once a firewall (e.g. Cisco PIX) isn't a firewall anymore when the parameters for defining what a firewall actually is, change.

This was one of the key marketing points that Microsoft used against Cisco incidentally, that Cisco didn't do application layer inspection whereas Microsoft's Internet Acceleration Server firewall product did.

David.

Reply to
David Taylor

Correction, Internet Security & Acceleration Server 2000/4 (ISA Server), not to be confused with IAS which is the RADIUS service.

:)

Reply to
David Taylor

The 54G cannot tell when HTTP traffic is not coming down the port and block it when the port has been forwarded to a Web server. The FW such as Watchguard can tell that difference and block the traffic. That's why I got the WG. Whatever else you're trying to tell me about a 54G FW router and a Watchguard FW appliance is flat out moot to me.

Post away man until the *cows* jump over the FW or in other words you be happy with what you're using and I'll do the same. The thread is dead to me now and I don't want to hear from you on this subject anymore.

Later

Duane :)

Reply to
Duane Arnold
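The point being argued in the posts above, whether a box can tell HTTP from something else arriving on a forwarded port 80, comes down to validating the opening bytes of the stream against HTTP's request-line grammar before forwarding it to the inside server. The following is an added illustration of that check, not code from Watchguard, Linksys or any poster in this thread; the sample payloads are constructed, and the function names (`classify_port80`, `filter_flows`) are this example's own.

```python
import re

# Constructed sample payloads: the first bytes a client sends on a TCP
# connection that the router has forwarded to an internal web server on
# port 80. None of these come from the thread; they are made up here.
SAMPLE_FLOWS = {
    "http_get": b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    "http_post": b"POST /cgi-bin/order HTTP/1.0\r\nContent-Length: 5\r\n\r\nhello",
    "http_connect": b"CONNECT mail.example.test:25 HTTP/1.1\r\n\r\n",
    "ssh_banner": b"SSH-2.0-OpenSSH_3.9p1\r\n",
    "tls_client_hello": b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x01",
    "lowercase_method": b"get / HTTP/1.1\r\n\r\n",
    "partial_request": b"GET /very/long/path",
}

# Methods defined by RFC 2616; the method token is case-sensitive.
HTTP_METHODS = {"OPTIONS", "GET", "HEAD", "POST", "PUT", "DELETE", "TRACE", "CONNECT"}
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)\r\n")
MAX_REQUEST_LINE = 8192  # stop waiting for a CRLF after this many bytes


def _has_binary(data: bytes) -> bool:
    """True if data contains control bytes that never occur in a request line."""
    return any(b < 0x20 and b not in (0x0D, 0x0A, 0x09) for b in data)


def _valid_target(method: bytes, target: bytes) -> bool:
    """Accept the request-target forms HTTP allows for the given method."""
    if method == b"CONNECT":
        # authority-form: host:port, no path component
        return b"/" not in target and b":" in target
    if method == b"OPTIONS" and target == b"*":
        return True
    return target.startswith(b"/") or target.startswith((b"http://", b"https://"))


def classify_port80(payload: bytes) -> str:
    """Classify the opening bytes of a port-80 flow.

    Returns 'http' when the data starts with a well-formed HTTP request line,
    'not-http' when it clearly does not, and 'pending' when the request line
    has not been fully received yet (no CRLF seen and still within limits).
    """
    if b"\r\n" not in payload:
        # Not enough data to decide, unless the line is absurdly long or
        # already contains bytes that can never appear in a request line.
        if len(payload) > MAX_REQUEST_LINE or _has_binary(payload):
            return "not-http"
        return "pending"
    m = REQUEST_LINE.match(payload)
    if m is None:
        return "not-http"
    method, target, major, minor = m.groups()
    if method.decode("ascii") not in HTTP_METHODS:
        return "not-http"
    if (major, minor) not in {(b"1", b"0"), (b"1", b"1")}:
        return "not-http"
    if not _valid_target(method, target):
        return "not-http"
    return "http"


def filter_flows(flows):
    """Map each sample flow to the forwarding decision an inspecting gateway would take."""
    decision = {"http": "forward", "not-http": "drop", "pending": "buffer"}
    return {name: decision[classify_port80(data)] for name, data in flows.items()}


if __name__ == "__main__":
    for name, action in filter_flows(SAMPLE_FLOWS).items():
        print(f"{name:18s} -> {action}")
```

The three-way result matters in practice: a plain port forward has no "buffer" state, which is exactly why it cannot tell an SSH banner or a TLS handshake from a web request. A gateway that inspects has to hold the first segment until it has a full request line (or enough bytes to be sure there never will be one) before it forwards anything to the inside host.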

Duane, you or your matey over on the firewalls group are missing the point. Would you have bought a Cisco PIX prior to IOS 12.3(14T)?

The time when a firewall magically stopped being a firewall it seems.

Nobody is saying that anyone isn't happy.

Wearing "la la headphones" isn't really the mature way to accept defeat.

I guess that Floyd won then and is right after all? :)

David.

Reply to
David Taylor

The website does mention WPA but the box isn't ICSA certified yet.

David.

Reply to
David Taylor

snipped-for-privacy@apaflo.com (Floyd L. Davidson) wrote in news: snipped-for-privacy@barrow.com:

I don't give a rat's ass what you downloaded.

It does it by default you *clown* that's what a FW appliance does that's different from a packet filtering FW router. And again, the TOP GUN in that other NG confirmed that to me long ago.

I only paid $275 for it new at the time and you can get them used/reconditioned for under $100 with warranty and the whole 9 yards.

And if you want more users and more power out of the box, you start buying that add on(s). The SOHO 6 has been discontinued here recently and has been replaced by the X series.

You need to take the 54G and stick it. I like the Linksys products and if I need a wireless solution I'll most likely use a 54g, since you have been so kind as to explain its abilities in detail I might add.

But for you in general, you can stick the 54G.

I was joking about you being a little nutty. But now I have to change my mind. There is something

You need to stop FF. ;-)

Duane :)

Reply to
Duane Arnold

I don't want you to miss this.

There is something wrong with you. Maybe, it's that Alaskan weather.

Duane :)

Reply to
Duane Arnold

It's not about defeat anything? I made a mistake in not calling the 54G a FW appliance and I'll admit to it. I am just a man like everyone else. FF has gone off the deep-end and you're right there with him.

Duane :)

Reply to
Duane Arnold

Before FF goes off the deep-end, I made a mistake in not calling the 54g a packet filtering FW solution. But like I said, I am just a man and I am not infallible.

Duane :)

Reply to
Duane Arnold

Whatever FF, I am not even bothering to read your posts anymore.

Duane :)

Reply to
Duane Arnold

In the interest of accuracy, a few corrections and amplifications:


Watchguard 6tc is about $430 for 10 users street price. They typically go for about $150-$200 on eBay.


Watchguard's 10 user limit can be increased to 25 or 50 users by adding additional user licenses. A nasty side effect of this is that Watchguard (and Sonicwall) both consider IP addresses heard to be users, even if the user is a network printer or computer that never routes through the Watchguard. This creates havoc if there are more than 10 devices on the LAN side.

Watchguard has a feature called MUVPN which is a single user VPN termination in the router used strictly for remote management. See: [link] instructions. The MUVPN client is free to registered owners.

Seems far too low for a Watchguard 6tc. My guess is that the 3.1Mbits/sec is the 11Mbit/sec wireless performance, not the wired router performance. The 6tc has a 150 MHz processor which can do about 75Mbits/sec for conventional routing and about 20Mbits/sec through a VPN tunnel.

The lack of port triggering in the Watchguard is a real irritation. I have several applications (Echolink, various games) that function best with port triggering instead of redirection. Note that the Watchguard is also missing port reassignment (I think that's what it's called), where I can map an outside port number to a different port number on the inside. For example, if I telnet to port 2000 on the WAN side, I might want it to come out on port 23 on the LAN side.

Well, I think everything with TCP/IP has a loopback port somewhere.

Watchguard has a content filtering and URL blocking service.


No QoS or bandwidth management for Watchguard.

You might find this (added cost) multihoming Watchguard feature interesting: [link]

I think I can convince Alchemy to do that but not as delivered.

WRT54G with Alchemy firmware can terminate a PPTP tunnel. The PPTP client is missing in Alchemy, but can be easily added. I haven't tried a WRT54G to WRT54G PPTP VPN yet.

The data sheet claims that ICSA certification is pending.

I have Watchguard SOHO routers at various customers (no wireless). They work nicely but I have some issues with the company. They want $75/year for a support contract. If I don't subscribe, I don't get upgrades or client software. Upgrades have apparently stopped for older obsolete products.

When I picked up a used SOHO router, I found that someone had reset the router to defaults, which clears any firmware upgrades. It was running the most basic "backup" firmware. In order to bring it up to date, Watchguard support demanded I purchase a contract. After some negotiation, I convinced them to give me the stupid firmware and to get out of my life, especially since the old SOHO is discontinued and it is highly unlikely that I'll see any further upgrades to justify paying for support. I didn't need a relationship, just the stupid firmware image. It took a bit of trickery to install, but it's now updated and sitting in the closet.

Incidentally, it's really easy to accidentally reset a Watchguard. Just plug a cable between two LAN ports and apply power. Say goodbye to your configuration and firmware: [link]

There is one really nice Watchguard feature. The box is bright red, which methinks is proper for a firewall. (Better red than dead?)

Reply to
Jeff Liebermann

Great. As I noted, all of the Watchguard figures came from a review on the TomsHardware site, and which was last updated in November 2003. They also had a review of the WRT54G, but it was filled with *many* errors (the product had just been released at the time).

I should have mentioned that the prices were 2003 "street price" according to the TomsHardware web site reviews.

New or used? The Linksys units go for $20-40 used. No doubt the introduction of the Linksys caused the value of used Watchguard units to take a dramatic fall.

Yikes! With the WRT54G there simply is no limit, of course. The specified figure is merely how many DHCP addresses it will serve. I'm not sure that is an accurate figure either, as it may be possible to assign addresses within a 16 bit subnet, rather than just a 24 bit subnet. (It isn't worth the effort to find out, and the web interface only does a 24 bit subnet.)

Okay. I did see a reference on their web page (after that was posted) which said something about remote administration.

Those numbers *all* have to be through the wireless! Even the WRT54G numbers are too low. Compared to the Watchguard unit, the Linksys box has a 200 MHz CPU (both use a MIPS processor, but they are from different manufacturers, so I don't know how closely they compare).

That isn't what "loopback" refers to though. You'll note in the configuration for a WRT54G (with any of the third party firmware releases) that you can disable "loopback". That doesn't affect whether the lo device (IP 127.n.n.n) works, but changes whether the router/firewall allows traffic to be looped back to the internal network or not. Global loopback has the (dis)advantage of allowing any application to use the local proxy. If it is allowed then an internal application can send packets to the external IP address, through the firewall, and have it forwarded back through.

Probably that should be listed as "Loopback enable/disable".

The Webblock optional software is not content filtering of packets though. It is a data base of URLs with supposedly known content type. Hence if you don't want anyone browsing "adult" sites, it will block that type of URLs by address, as one example.

The higher end Watchguard products (none of which include wireless) can filter packets for appropriate protocols (FTP, HTTP, etc.). The WRT54G can do the same for some protocols, but does not have such filtering for HTTP.

That wouldn't really be too hard to do. One of the LAN ports has to be isolated with a VLAN, and then connected to the Linux Ethernet device if connectivity is lost on the WLAN port.

That probably isn't really very useful for most home or small business users, who need the LAN port and don't have an extra *unused* cable/dsl connection.

I noticed that some optional features are available as a subscription! Pay by the year...

:-)

Reply to
Floyd L. Davidson

Hardly, since I just joined a moment ago with the nice little gem about Cisco PIX not meeting your/your mates firewall spec until a specific version of IOS - pure fact, direct from Cisco. Deal with it.

Duane, you were done with this thread twice now, why keep coming back?

David.

Reply to
David Taylor

Is that the same guy that just decided that what constitutes a firewall is different depending on what version of Cisco IOS someone's PIX is running?

Forget the Linksys for a moment and just consider what Jeff eloquently wrote a while ago. A firewall does not need to meet one person's spec to be the thing known universally as a firewall. To meet a certain functional spec for a particular deployment, sure, but not everyone's needs are the same.

David.

Reply to
David Taylor

Watchguard 6tc typically goes for about $430 new. About half or less used on eBay. Watchguard sells through dealers and direct at full $700 list price. $1000 for 50 users.

[link] prices from $400 to $450.

[link]
[link] that this includes one year of "Live Security" updates. Incidentally, the Watchguard SOHO and Sonicwall SOHO have quite similar features and issues.

It works. I ran into that problem over and over with Sonicwall. I had an office with 8 IP's in use. No problem with a 10 user limit. However, laptops kept appearing in the office. What would happen is that someone would turn off a desktop machine, a few laptops would drift by causing the user count to max out. Then, the desktop would get turned on in the morning and find that it cannot connect to the internet. The algorithm for adding/dropping DHCP clients is to wait until the lease expires, which required that I cut the lease time down to an hour to get it to sorta work. I don't know if Watchguard has the same problem, but I suspect it does. Incidentally, both Watchguard and Sonicwall will assign up to 253 IP addresses from the DHCP server, but only route the first 10 (depending on license).

I found a better solution by using a /16 subnet instead of the usual /24. I would put devices that didn't need internet access in the subnet that did not see the router. However, that didn't solve the transient laptop issue, which required a short lease time, or power cycling the router, to be functional.

Ok. They kinda looked like wireless performance results. Note that using the router to terminate a VPN really puts a load on the CPU, which therefore has a big effect on performance. I don't have any reproducible numbers but I've seen over 50% drop in thruput.

No such feature in Watchguard or Sonicwall that I can find.

It's basically a blacklist with some keyword checking in the URL. I did a dumb thing and added my name to the keyword list to see how it worked. It didn't do anything so I stupidly left it. Then, I later went to do an online order. The URL sent by the web page included my name. I was instantly greeted with a "banned site" error message and a trashed online order. Oops. This type of web keyword and blacklist web filtering is really only designed for restricting access to "adult" sites, and not as some kind of firewall protection feature.

Agreed. However, it is an interesting feature. I setup one customer with a 3Com LAN Modem for dialup backup via Watchguard Dual ISP feature. There are probably better ways to do it, but this customer already had the hardware, so it was an easy solution. (Speaking of reliable, my DSL has been going up and down all morning).

That brings up the issue of command line editing. The WRT54G with Alchemy firmware has an easily accessible and useful command line available through telnet. Watchguard has a command line available through an obscure procedure, but the commands are not documented or officially supported. I've had support walk me through the ceremony once, but don't recall the details. I think it's VxWorks based, but I keep forgetting to check when I dive in there.

If you ever need an exercise in futility, try defining the ultimately fair and universally acceptable method of charging for router features. You can pay by the month, by the year, as part of a service contract, in the original selling price, as part of per-feature upgrades, or with a company wide site license. Whatever works, but you still pay. You can't give it away or the company goes broke.

I was thinking of buying some flame decals like the ones the model hot rod cars have coming out of the wheel wells. Those would look nice on a firewall. If it's gonna play firewall, it's gotta look like a wall on fire.

Reply to
Jeff Liebermann
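The self-inflicted "banned site" in the post above is the classic failure mode of a URL keyword filter: the keyword is matched as a substring of the whole URL, so anything a user types into a form (here, a customer name that ends up in the query string) can trip it. The following added example, not code from Watchguard's WebBlocker or from the poster, contrasts that naive substring match with matching only whole labels of the hostname. The blacklist entries, the sample URLs and the stand-in keyword "smith" are all constructed for this demonstration.

```python
from urllib.parse import urlsplit

# Constructed blacklist. The host suffixes and keywords are made up;
# "smith" stands in for the poster's own name added as a keyword.
BLOCKED_HOST_SUFFIXES = ("adult-example.test", "casino-example.test")
BLOCKED_KEYWORDS = ("poker", "smith")

# Constructed URLs a user might request through the filter.
SAMPLE_URLS = [
    "http://www.casino-example.test/lobby",
    "http://poker.example.test/tables",
    "https://shop.example.test/checkout?customer=smith&item=42",
    "https://blacksmith.example.test/tools",
    "http://www.example.test/forums/poker-strategy",
]


def naive_filter(url: str) -> bool:
    """Return True (block) if any keyword or suffix appears anywhere in the URL.

    This is the behaviour described in the post: 'smith' matches inside the
    query string of an unrelated shop and the order is thrown away.
    """
    lowered = url.lower()
    return any(kw in lowered for kw in BLOCKED_KEYWORDS) or any(
        suffix in lowered for suffix in BLOCKED_HOST_SUFFIXES
    )


def host_based_filter(url: str) -> bool:
    """Return True (block) only when the hostname itself matches the blacklist.

    - a host suffix matches whole DNS labels, so casino-example.test blocks
      www.casino-example.test but not notcasino-example.test
    - a keyword must equal an entire hostname label; the path and query are
      never examined, so user-supplied form data cannot trip the filter
    """
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return False  # unparseable or relative URL: nothing to match on
    for suffix in BLOCKED_HOST_SUFFIXES:
        if host == suffix or host.endswith("." + suffix):
            return True
    return any(label in BLOCKED_KEYWORDS for label in host.split("."))


def compare(urls):
    """Tabulate both filters' decisions (True = blocked) for each URL."""
    return {u: {"naive": naive_filter(u), "host_based": host_based_filter(u)}
            for u in urls}


if __name__ == "__main__":
    for url, verdict in compare(SAMPLE_URLS).items():
        print(f"naive={verdict['naive']!s:5} host={verdict['host_based']!s:5} {url}")
```

The trade-off is visible in the last sample: the host-based version no longer blocks a page whose path merely mentions "poker". That is the right trade for a filter that, as the post says, exists to keep people off a category of sites rather than to protect anything; a filter that must also look at paths should still match whole path segments and leave the query string alone.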

David Taylor wrote in news: snipped-for-privacy@news.cable.ntlworld.com:

You post to me and expect me not to respond? And what are you talking about here in the first place? Wait, I really don't want to know.

Yes indeed let's forget about what FF has said as he is no authority on anything.

The above can be said about a lot of things.

And it did get a little hot and heavy about the 54G in the FW NG by two Top Dogs. I read what I needed to about a 54G and the 3rd party firmware solution.

What happened in this thread over the last few days is worthless to me as some nut with a wild hair needed to stand up and be counted.

Duane :)

Reply to
Duane Arnold
