TRENDnet adds dual-band draft 11n router TEW-672GR

rogerbinns

Occasional Visitor
I got one of these a few days ago from Frys and ended up returning it. Firstly note that it is not simultaneous dual band. You either use 2.4 or 5GHz, but not both at the same time. Of course none of the packaging or marketing makes this clear. (I did see a comment elsewhere that a 673GR would be coming out in a few months that addresses this).

Initially I was very impressed that it didn't reboot on every settings change like other manufacturers' devices do (there is an uptime counter in the status screen). However it soon turned out that you pretty much needed to manually reboot for settings to take effect. Even worse I have port forwarding/virtual server set up and making any other change would make the device forget it was doing forwarding until a reboot! (Needless to say the support call while I worked all this out was highly entertaining.)

It also seemed to be doing some sort of DNS relay even for queries coming from outside. That caused my DNS server to give internal addresses to external queries which led to all sorts of grief.

Other than all that, it worked nicely. I particularly liked the ability to have multiple SSID each with different security settings. That meant I could use my main one with WPA and then have a secondary with WEP for use with the Nintendo DS. However there was no way to partition or firewall the traffic from the different SSIDs.

A suggestion for future reviews is to add port forwarding and other types of configuration and verify that devices aren't brittle while making other unrelated changes.

[article link]
 
Thanks for the report, Roger. Why did you return it?
 
Why did you return it?

It was pointless paying for a dual band if I could only use one of the bands. You can get good 2.4GHz only B/G/N devices from almost anyone or 5GHz only N addons. When the 673GR comes out I'll give that a try, unless I give up and just get the WRT610N.

The port forwarding and admin system messing up so badly was also worrying. I run my own email, DNS and web server so it has to work reliably for months on end.

An even bigger issue is the quality of all these sorts of devices. I have a Linksys WRT54GX. The wired portion and functionality like port forwarding is rock solid. However after somewhere between 2 days and 2 weeks, some of my wireless devices cannot establish a connection. A T-Mobile UMA phone kept giving up on the wifi after a few minutes. Power cycling the Linksys fixes it. If you read reviews on Amazon and similar sites for almost any wireless router from any manufacturer you see consistent stories about dropped connections and having to power cycle. That is what has stopped me from upgrading before, but I hadn't seen any similar stories about Trendnet devices and thought maybe they were different.

Sadly no review sites seem to take the routers, connect a multitude of clients (eg laptops, desktops, xbox/ps3/wii, phone etc) and keep it all going for weeks looking at stability, incoming and outgoing connection availability etc. Note how Amazon reviews for the WRT600/610N mention the devices crashing yet not one "professional" review does. Most professional reviews are very superficial. (Yours aren't which is why I love the site!)
 
Thanks for the information, Roger.

It's just not practical to do what you suggest for every router reviewed. Even if it were done on an occasional basis, differences in wireless environment, clients, etc. would make it difficult to be a predictor of reliability in anyone else's environment.

Amazon and similar reviews are helpful. But you need to take into account the experience level of the reviewer. How many of the "crashes" are due to the product and how many due to the user? It's hard to know.

It also seemed to be doing some sort of DNS relay even for queries coming from outside. That caused my DNS server to give internal addresses to external queries which led to all sorts of grief.
Many routers do some sort of DNS relay/caching. And not all do NAT loopback, which is what I think was causing your problem. You couldn't reach your servers by using the public IPs or domain names from LAN-side clients, could you? You could only reach them by using their private IPs, right?

I used to check for it on all routers, then stopped. Maybe I need to start again.
 
It's just not practical to do what you suggest for every router reviewed. Even if it were done on an occasional basis, differences in wireless environment, clients, etc. would make it difficult to be a predictor of reliability in anyone else's environment.

I certainly understand that. The problem is that most "professional" reviews I see on the net seem to have used the device for a maximum of 30 minutes. The person buying the device uses it for years. Those 30 minutes do not seem to be a good indication of how it will behave for years unless getting very light sporadic usage, hence user reviews and my own experience of having to repeatedly power cycle devices. At least you spend way more time and check things like chipsets and antennas :)

Amazon and similar reviews are helpful. But you need to take into account the experience level of the reviewer.

Oh yes. It seems that there are always people who have to call support and despite that will never get their devices configured. Or my favourite of praising features the device doesn't actually have! But cases where they say they frequently power cycle to resolve issues are less ambiguous, although some of the blame may reside on the connecting devices not the router.

How many of the "crashes" are due to the product and how many due to the user? It's hard to know.

There should be no combination of settings that cause a device to crash - that is just extremely poor software development and lack of testing. My underlying concern is that the devices are also acting as firewalls. They are ensuring that the flood of malicious traffic from the outside stays away from your internal network. If the firmware is shoddy then how do you know how well they perform that function? How often do they misfire and let wireless devices with the wrong password connect? Source code for the firmware is not published so there is no way to tell other than bugs and sloppy coding in one part of a product is a good indication of bugs and sloppy coding in other parts of a product.

Many routers do some sort of DNS relay/caching. And not all do NAT loopback, which is what I think was causing your problem.

I set all this up long before any did NAT loopback. I run an internal server machine which hosts DNS, DHCP, file server, web server, web proxy, mail server etc. If a DNS query comes from the internal network 192.168.1.* then the internal server address is returned - 192.168.1.35. If the query comes from outside then the external IP is returned - ie 63.249.x.y. The router has DHCP turned off, DNS relay turned off (although the Trendnet didn't have such an option). It has port forwarding/virtual server turned on forwarding DNS, web, mail etc to the internal server. This configuration has worked well for many years on several routers and does not depend on NAT loopback, DNS relay or any other functionality in the router other than them acting as a firewall/router.

So in detail, how did the Trendnet mess up? On the DNS side what was happening was someone outside was making a query which would resolve in WHOIS to my server. So let's say 1.2.3.4 sent a DNS query which arrived on the external interface. The device would then port forward to my internal DNS server, but the source IP address would be 192.168.1.1 not 1.2.3.4. So my DNS server would consider it an internal query and return the internal server IP. Correctly port forwarding should have left the external 1.2.3.4 IP address as the source IP address on the packets. My best guess is that the device was effectively doing DNS relay but not paying attention to whether the request was coming from inside or outside. It is a huge security no-no to be resolving requests from outside anyway. I stopped this behaviour by removing the DNS server settings (there was no DNS relay setting and DNS relay should be internal requests only anyway). That also meant the box could no longer do name resolution so it couldn't configure its time via ntp since it couldn't do name lookups on the ntp servers.

And then on any configuration change, it would start forgetting to do port forwarding altogether until a (manual) reboot. So suddenly incoming traffic from outside would not be port forwarded at all and for example incoming traffic intended for my web server would instead get the administration interface of the router. This again is a huge security no-no - the device should never give the admin interface to the outside world unless explicitly configured to do so anyway.

Both bad behaviours are consistent with the device not distinguishing between the internal and external network interfaces. That is extremely bad since it messes up any pretence of being a firewall.

If I was doing this in a commercial environment then I wouldn't even let anything from that manufacturer through the door until they could prove they fundamentally understood networking and had their code audited so that firewall functionality always worked. In my home environment I am a little more forgiving and can individually harden my machines.
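The source-address problem described in the post above, as an added example that is not part of the thread: a small model of split-horizon answer selection with and without the router rewriting the source address, plus a log check for the symptom. The public address `203.0.113.10`, the log format, the hostnames and the `threshold` heuristic are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")   # LAN range from the post
ROUTER_LAN_IP = ipaddress.ip_address("192.168.1.1")     # router LAN address from the post
INTERNAL_ANSWER = "192.168.1.35"                        # internal server address from the post
EXTERNAL_ANSWER = "203.0.113.10"                        # placeholder public IP (documentation range)

def select_answer(source_ip):
    """Split-horizon selection keyed on the source address the DNS server sees."""
    src = ipaddress.ip_address(source_ip)
    return INTERNAL_ANSWER if src in INTERNAL_NET else EXTERNAL_ANSWER

def port_forward(client_ip, rewrites_source):
    """Return the source address the internal server sees after forwarding."""
    return str(ROUTER_LAN_IP) if rewrites_source else client_ip

def audit_query_log(lines, threshold=3):
    """Flag a router that appears to mask client addresses.

    Each line is '<source-ip> <qname>' (assumed format). With DNS relay off,
    the router's own LAN address should rarely be a query source; repeated
    router-sourced queries with no external sources at all is the symptom.
    """
    sources = Counter(line.split()[0] for line in lines if line.strip())
    router_hits = sources[str(ROUTER_LAN_IP)]
    external_hits = sum(n for ip, n in sources.items()
                        if ipaddress.ip_address(ip) not in INTERNAL_NET)
    return {"router_sourced": router_hits,
            "external_sourced": external_hits,
            "suspect_source_rewrite": router_hits >= threshold and external_hits == 0}

# Constructed sample log: one LAN client, three queries arriving from the router.
SAMPLE_LOG = [
    "192.168.1.20 www.example.test",
    "192.168.1.1 www.example.test",
    "192.168.1.1 mail.example.test",
    "192.168.1.1 www.example.test",
]

if __name__ == "__main__":
    for rewrites in (False, True):
        seen = port_forward("1.2.3.4", rewrites)
        print(f"rewrites_source={rewrites}: server sees {seen}, answers {select_answer(seen)}")
    print(audit_query_log(SAMPLE_LOG))
```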
 
And then on any configuration change, it would start forgetting to do port forwarding altogether until a (manual) reboot. So suddenly incoming traffic from outside would not be port forwarded at all and for example incoming traffic intended for my web server would instead get the administration interface of the router. This again is a huge security no-no - the device should never give the admin interface to the outside world unless explicitly configured to do so anyway.
I have seen this "feature" in other routers and agree that it is poor design. There should at least be a "nag" screen that reminds the user to reboot to apply the configuration change.

Given your knowledge and requirements, I'm surprised that you aren't running your own router using m0n0wall, pfSense, untangle, etc.
 
I have seen this "feature" in other routers and agree that it is poor design. There should at least be a "nag" screen that reminds the user to reboot to apply the configuration change.

But many do. Or at least they make your browser sit there for several seconds while they "apply" the change, which in the olden days basically was the router restarting! I guess the more complex firmware now takes too long to reboot so they just restart some daemons and hope for the best.

Given your knowledge and requirements, I'm surprised that you aren't running your own router using m0n0wall, pfSense, untangle, etc.

That wouldn't really help.

  • I'd still need a wireless access point, and pretty much all of them include a router/firewall these days anyway. (+)
  • A PC based router consumes considerably more power, unless you use some sort of seriously cut down box, running a small ARM/MIPS processor. You can get those cheaply with plastic mouldings saying Linksys, Netgear, DLink etc on the front :) Sadly you can't fix the software on them. (*)
  • I could use my server since it is on all the time, but I really don't want to mix web server, print server, DNS server etc with the software you mentioned. I also run "unsecure" software on it such as a file server where the passwords are password as access to that is internal only. A single mistake could result in internal only services being unknowingly exposed to the outside world. A router/firewall is best doing that and that only.

(+) Alternatively a PCI/USB card can be placed in a PC, but I have yet to encounter any that are 100% supported by Linux, dual band etc. The exception is the Intel 4965 but you only get that in laptops (and it isn't simultaneous dual band anyway so two would be needed). I'm fairly sure even then that access point mode isn't supported until an upcoming kernel revision.

(*) Sometimes you can if you end up with the correct hardware versions, the reverse engineering has been done, there has been a release of DD-WRT/Tomato etc done, the developer hasn't decided to go closed source etc. Generally you are okay with older stable hardware but out of luck with more recent hardware and more leading edge features.

So basically I could work around the shoddy vendors by spending lots more money on hardware and electricity, but don't really have enough internal stuff to justify it. If I had more machines, more important services, more users etc then DIY would be desirable. On the other hand you can then buy your stuff from Cisco instead of Linksys :)
 
TEW-672GR Performance

I just bought one of these and tested the performance on it today. I used Iperf to test performance between a 100Mbps wired client and a draft N client using the Linksys WUSB600N adapter. I set the router to the 5GHz A/N mode with Auto 20/40MHz channel width. Average throughput was about 45Mbps in my initial test with no encryption. I tested again with WEP enabled and performance was around 47Mbps, so no performance penalty there. Then, I tested performance between a Wireless G laptop (integrated Broadcom wireless chip) and the WUSB600N client in 2.4GHz mixed mode and the throughput dropped to a dismal 7Mbps. I'm not sure whether the router is the limiting factor, or the client adapters, or some flaw in my testing methodology, but 7Mbps seems quite low. There are some neighboring networks in the 2.4GHz band so that may have been a factor as well. Overall, I'm a little disappointed in the wireless performance. I thought this router might be a good match for my WUSB600N adapter since they both use Ralink chipsets, but the results were less than ideal. The TEW-672GR does have a pretty slick admin interface though, and it doesn't get hot at all during heavy load. Hopefully performance will improve with future firmware revisions.
 
Then, I tested performance between a Wireless G laptop (integrated Broadcom wireless chip) and the WUSB600N client in 2.4GHz mixed mode and the throughput dropped to a dismal 7Mbps.

With a wireless to wireless test you are getting a throughput hit on both wireless links due to the mixed g / draft 11n activity. So the slowest link (the 11g) will set the ceiling for the end-to-end performance.
 
