The Netgear DG824M is Netgear's latest baby in the ADSL modem market place (May 2003). It is readily recognisable as a member of the current Netgear family from the sleek silver case that is used across several members of the Netgear range. The DG824M builds on the popularity of the DG814 by adding an 802.11b wireless access point, stateful packet inspecting firewall, intrusion detection logging and denial of service protection. These new features do not compromise the ease of set-up that was the hallmark of the DG814.
The original features of the earlier router are retained, i.e. the 4 port 10/100 auto-sensing/auto-uplink RJ-45 Ethernet ports and URL content filtering. The web interface is the sole configuration method and should be as easy to use for both PC and Mac users.
One addition to the DG824M during the course of the review was a firmware upgrade that has added Universal Plug and Play (UPnP) support. UPnP is used by Windows Messenger in the Microsoft XP operating system to enable video and voice conferencing when behind a NAT router. Microsoft DirectX 9 has also added UPnP to some games. This should help to make multi player gaming simpler, for games that previously did not cope when running behind NAT routers. The review is based around firmware version 1.3 Release 03.
The package contains the usual selection of parts namely the power supply brick (15V 1Amp), RJ-45 network patch cable (3m), RJ-11 lead (3m), wireless antenna, an Excelsus Z-420UK-A microfilter (the A designation denotes a newer model that is a higher in specification than previous Excelsus filters, and should support caller ID devices), 3 year warranty card, 24x7 support phone number card (020 7 - London number), short four page quick set-up guide and finally a resource CD, containing the full manual.
The rear of the router provides all the connection points for the router. Running from left to right: power input socket, wireless antenna socket, recessed reset switch, 4 x RJ-45 Ethernet ports, and the RJ-11 ADSL socket. The front of the router has eight different LED's for the flashing light addicts, again going from left to right these are: power LED, test/diagnostics indicator, Internet activity, wireless activity, finally the four numbered LED's show which Ethernet ports are active and whether they are running at 10Mbps or 100Mbps. The various activity LED's flash off/on to indicate activity. For people wanting to monitor the throughput from the router, a simple page showing the LAN and WAN throughput is available via the web interface.
Configuring the DG824M is a walk in the park, and is about as simple as it can be made. The quick set-up guide does assume you have your computer's network card already installed and expecting to obtain its IP address from a DHCP server. If this is the case, the process simply involves connecting all the leads as shown in the set-up guide and then switching on the router.
The ADSL activity LED will change to solid green once the ADSL link has established. Assuming the ADSL line successfully synchronises, it is a case of opening a copy of a web browser on your computer and navigating to http://192.168.0.1 (the URL for the web based configuration pages built into the DG824M). The browser will ask for a username and password for the router, the defaults are admin and password respectively. If you do not see the page shown below then consult the Troubleshooting section of the manual on the resource CD.
The set-up wizard is the best way to configure the router, particularly if this is your first time, simply let the router detect the various settings and supply your ADSL username and password when requested. The router will store this information and log you on automatically when ever it is turned on.
The picture above shows that the router has detected a PPPoA connection from a BT IPStream Home 500 ADSL line. Clicking Next takes you to the final stage of the wizard which allows you to enter your username and password. It is worth pointing out that for the best performance from the router, setting an Idle Timeout of zero is preferred which will ensure the unit remains connected 24/7 and will automatically reconnect if the connection drops for any reason.
The next step is to press the Apply button, or if you wish click Test. The Test button will log onto the ISP and attempt to open the Netgear website in a new window. Whenever you make a major change to the configuration, a progress bar will appear as the router saves the configuration and reboots. Rebooting the router takes around one minute. Observant readers will have noticed the extensive help in the right hand pane of each web page, these help sections provide short notes which are particularly useful for new users.
Once the router has rebooted you should be online, and able to access the Internet.
The wireless side of the product is enabled by default, and uses the same DHCP ranges as the Ethernet side of the router. The router uses the SSID Wireless and channel 3, with no WEP encryption enabled. It is recommended that once you have got the initial wireless connection running that you change the default SSID, and enable WEP. Additionally the router allows you to restrict wireless access to a group of up to 20 trusted computers, this list is constructed by adding each wireless computer's MAC address to the 'Trusted PC' list. To make life simple, the Maintenance section of the web configuration displays the MAC addresses of all devices that currently have a DHCP assigned address. The LAP IP setting allows you to reserve a specific IP address for each MAC address, via the 'Reserved IP Table'.
Unfortunately, there appears to be no way of disabling the wireless part of the router, or assigning it a different IP range to provide additional protection from the wired part of your LAN. The ability to disable the wireless side of a router is important, both from a security view point, and for people that may need to disable it periodically possibly for diagnostic purposes.
Most routers that feature firewalls require configuration within a separate section to the NAPT/NAT port forwarding area. For many people, port forwarding is not needed unless you are running applications that others on the Internet need to access through an inbound connection. However, if you need to run your own web server, use Microsoft Netmeeting, transfer files in IRC or play some types of games on-line (although not Counter-Strike or Quake3), then this may be needed.
The DG824M is a rare beast in that the firewall and port forwarding is combined. For a user this makes life much simpler, as you can quickly see which ports are forwarded and which are blocked. The default configuration of the DG824M's firewall is shown below.
This default configuration is really nothing more than what all NAT routers will provide in terms of security. In other words, all outbound connections are possible, but any unsolicited incoming connection is dropped. The firewall only becomes useful once you start to configure it, e.g. to block a range of outbound ports, or to only allow specific inbound services.
To configure an inbound service simply click the Add button in the Inbound Services section. The screen shots below outline how to configure the router to forward TCP port 25 to a computer running an SMTP server. The DG824M has a long list of pre-configured services you can select from, SMTP is one of those. If a service is not available, then you can define a new service via the Services menu.
Various other options must be specified in addition to the selection of a specific service. The Action field provides several options:
Options 1 and 3 assume you have set-up some scheduling, by default the scheduling is turned off in the router. So at this stage just options (2) and (4) are relevant, and as the default Inbound rules is to block anyway, only option (4) is any use. You can selection options (1) or (3) and then set-up the schedule later. The LAN Server IP address is the IP address of the computer that is running the service (normally in the format 192.168.0.x with this router). The WAN users field is designed to allow you to control who can use the service, three options exist:
One useful trick if you want to monitor attempts to get into your network is to set-up a blocking rule for a specific port and direct it to a LAN server that doesn't actually exist, and then set the log option to record instances that match.
It is possible to build groups of rules, for example with the SMTP entry, it is possible to add a number of rules using the SMTP service that allow individual IP addresses to access that service. Additionally it is possible to add a rule that exposes a service to all users, and then add a number of blocking rules for individual or ranges of IP addresses. What is important when constructing the rules is the order they are applied in. The two Inbound and Outbound service tables are order based, rule 1 is applied before rule 2 and so on. The web interface allows you to move rules up and down the lists, thereby changing the order in which rules are applied. A total of 60 rules are allowed within the firewall setup (combined Inbound and Outbound entries) in addition to port ranges, which should be sufficient for most users.
Configuration of Outbound rules is where the use of a firewall comes into its own. By blocking outbound ports you can stop people running software that you do not want them to run, one example is if you are sharing the LAN and you want your online gaming to be as smooth as possible, you could block the common peer to peer application ports and perhaps improve your latency. The default rule is to allow all outbound traffic but this can be overridden.
The screenshot above shows how you can block all outbound TCP traffic. A new service called AllPorts was created which uses TCP port 1 through to 65534. This service was then added with a Block Always action. To allow some simple Internet access the three services, HTTP, SMTP and POP3 have been allowed. This illustrates how a tight control can be exerted over outbound traffic. One additional difference with the outbound traffic is that you can also control which computers on your local LAN the rule applies to, allowing you to define different sets of rules for different computers. One use for this would be to restrict web access from the children's computers to certain periods, or by defining which servers they can access, restrict their web access to a limited number of sites.
The ability to forward/block ranges of ports is very useful, but some applications may require all ports to be forwarded. The DG824M has a Default DMZ server option to cope with this, simply enter the IP address of the computer that is to receive all the traffic by default. Exposing a machine in this manner, creates a large security problem. Therefore it is best to only use this option if you have a software firewall on that computer, or are fully aware of the implications. For people wanting to hide as much as possible from Internet users, the router does give you the ability to decide whether you want to respond to ping requests or not.
Logging is often a neglected feature in the ADSL router market. The DG824M allows you to log a variety of events, for example attempts access to blocked sites, connections to the router's web interface, router start-up times, known Denial of Service (DoS) attacks and port scans. The logs that are generated can either be viewed in the routers web configuration, or you can configure it to e-mail the file to you. The option to e-mail the log file is very useful, as it allows you to monitor the router, without the addition of extra software.
The router can be configured to send alerts on major events such as a DoS attack, or simply to send logs when they are full or on a hourly, daily or weekly schedule. The exact content of the email and the on-screen logs will vary according to what ports you have set-up to log activity.
To ensure the times quoted in the logfiles are accurate the Schedule page in the web configuration allows you to specify what time zone you are using the router in. The router will automatically attempt to contact a time server on the Internet once it is online, but you can override this to specify a time server of your choice. The schedule page also allows you to define a period of time for days of the week, and this schedule can then be used by your firewall rules. The schedule is somewhat limited as only one entry can be created. This restriction makes it difficult to create a schedule with access enabled between 4pm and 8pm on a weekday, with an extended period of access at the weekends.
The router includes various options for monitoring including the status of the router, which computers are using the DHCP server, configuration backup (very important when you have lots of firewall rules), change of password for security reasons, simple diagnostics and support for firmware upgrades.
The status page, an example of which is shown above, provides the best way of determining what the router is doing, unfortunately ADSL line attenuation figures were not accessible in the firmware version used for the review. As shown above, the firmware version and IP address of the Internet interface are retrievable. Additionally for users having problems with their connection, the ADSL Modem section will tell you your line speed and other parameters. The Show Statistics button displays how long both the Internet connection and the LAN have been running, and the actual amount of bandwidth in use. Clicking Show WAN Status displays how long you have been online, but more importantly it gives you feedback about the connection, when establishing. The screenshot below depicts what you should see when the connection is up and running, obviously the blue rectangle is where you would see your Internet IP address. The purpose of the Connect/Disconnect buttons are so you can manually reconnect without having to reboot the router.
Before finishing with the maintenance section, Remote Management should be mentioned. The web configuration is normally hidden from the Internet, but you can allow it to be accessed. Normally exposing the router's web interface to the Internet is a security risk, but the DG824M lets you restrict access to an IP address or a range of addresses. This potentially allows you to manage your router from a different network, or for a support desk to gain access to the router and verify your various settings.
UPnP is still a router option that appears not to be fully adopted by manufacturers. The DG824M has only gained UPnP support in very recent firmware revisions. In actual use the DG824M seems to not have its UPnP support fully operational. Running Windows (MSN) Messenger (v4.7) between a PC on a wireless link behind the DG824M and another PC connected to the Internet via a dialup, only permitted limited Windows Messenger functionality. Windows Messenger worked fine when the call was placed from a PC on the internal side of the DG824M and no problems were experienced with audio, video, file sending/receiving and the whiteboard. However, we were not able to get incoming call requests to work at all.
This is a bit of disappointment as other UPnP capable routers boast full Messenger functionality, and the appearance of the UPnP gateway icons in XP always seems to work.
The DG824M has a varied history with the early versions being very unstable, although later versions appear to be much better. One major bug still present in version 1.3 Release 03 is that if you copy large amounts of files across the wireless network the router will crash, and require a reboot to get going again. Generally it takes 200-300MB of file transfers for it to happen but oddly enough, day to day intermittent usage seems to be stable. Netgear are working on this bug, so hopefully a later firmware upgrade will fix this.
In general use if you ignore the occasional lock-up of the router, the wireless side performs very well. The table below shows that the DG824M is currently tied with the Linksys WET11 (range wise). This table is produced from a simple walk around my local area and testing whether I can still get Internet access at various points. In practice this means the DG824M should cope with three to four brick walls, and in a large open area such as a garden with a clear line of sight to the router, a range of 150m is attainable.
|Hardware Used||Score out of 20|
|ELSA Lancom wireless access point, PCMCIA card antenna||10|
|Asus 6030VI modem/router||13|
|Linksys WAP11 access point||15|
|Linksys WET11 access point||16|
|Solwise SAR-715PVW, PCMCIA card antenna||12|
Perhaps the main reason the DG824M performs so well is that it has an external antenna. Looking inside the case, it also appears that upgrades to support 802.11g may be possible as the wireless sub-system is based on a PCMCIA card. Whether Netgear will offer an upgrade path is unknown at this time, but given the DG824M can sustain 4 to 5Mbps over its wireless link, it has more than enough performance for sharing of an ADSL connection.
One of the regular checks we do on routers is the performance for online gaming. Counter-Strike is still the game of choice for this and it is pleasing to report that the DG824M actually survives a full update of the server list inside the game. Though there is one caveat - the router's DoS protection, complained 11 times during the full refresh, protesting about UDP floods, sometimes the trace route command can also generate this warning. The actual game play seemed to be fine, with no extra UDP flood reports at all. The in game ping is smooth both using the wired and wireless network.
Microsoft Netmeeting is another application we usually test and found that once you create the Inbound rule to forward H323 services to the PC running Netmeeting, both incoming and outgoing calls are made possible. Audio and video conferencing worked, with files been sent and received successfully.
In terms of Virtual Private Networking (VPN) support only PPTP has been tested for the review and we found no additional configuration was needed on the router. One strange oddity is that connections to a remote Microsoft SQL server simply time out, whereas we have not experienced any problems with other NAT routers.
The DG824M is a great ADSL router and has excellent wireless range. Unfortunately the polish and shine of the chassis does not fully reflect itself in the router's firmware. For the vast majority of users the shortcomings are not much of a problem. Without deliberately setting out to crash the router it seems to run fine, but perform a large backup file transfer and it may stop and require a reboot.
For the consumer market, the router has one of the easiest firewalls to set-up. Compared to the Speed Touch 510v4, the firewall it is much more understandable, and therefore a more likely to be used. Configuring the firewall still requires some knowledge of TCP/UDP ports, but compared to other routers it is very clear as to what you need to do to block traffic. One other aspect that would be useful is support for protocols other than TCP and UDP, not many applications use them, but support for ICMP would be helpful as the firewall could then be configured to log ping requests, for example.
The UPnP performance is a disappointment and should be second on the "to be fixed" list after wireless stability issues. If you do not use Windows Messenger video conferencing then it's not a worry. For Messenger addicts it would be wise to look elsewhere for your ADSL hardware.
In summary the Netgear DG824M is almost a perfect wireless ADSL router. Once the firmware is fixed it should become a firm favourite with consumers. Alas at present it has a few caveats that people need to consider.
£149.99 – Netgear DG824M
Prices listed above are excluding postage and VAT.
|Where to Buy:||See our DSL Hardware FAQ|
The contents of this review should not be relied upon in making a purchasing decision - You should always discuss your requirements with your service provider and hardware supplier.