Friday, April 01, 2005

Wireless Broadband == happy, happy

It amazes me how wireless + broadband has re-introduced computers back into my spare time. While I've owned a computer at home for at least the last 10+ years, since I use them all day at work I've only really used them at home on a strictly as-needed basis. There are a couple of familiar reasons (heralded in many broadband adverts):
  • it was in a different room, the spare room, which is always a somewhat depressing room.
  • needed to dial up the internet over a slow modem connection
  • there was really quite a lot of good telly on.
  • it's anti-social (new-age-net-friends take note).
So I finally threw out the tower and ordered a laptop, a wireless router and a zippy broadband package. It's not just better, it's a different fish entirely. Now I can sit on the sofa watching telly and surfing, or twiddling software I never had the time to play with before. The photos that have been languishing on my hard-drive (bought a spiffy digital camera two years ago) have been uploaded to photobox. Skype lets me call friends for free and I can work from home when I need to.

No wonder laptop sales are set to out-sell desktops in the next month.

Now there was only one fly in this ointment: my choice of router. I chose the Asus wl-500g wireless router. This router came recommended by a friend. It's 54g and provides lots of spiffy additional features like USB ports (stream music / attach a hard-drive for an ftp server) and printer ports (meaning no more connecting printer cables, just print over wireless). Even basic setup was easy. The problem came when I wanted to start setting up the internet firewall. Its setup was really, really old. You basically had to individually open up source and destination ports on the incoming WAN-to-LAN side. This is a real pain in the arse to do, a task beyond the capability of most users, and the end result is not very secure. For every kind of outgoing connection, for example HTTP (port 80), you have to allow inbound packets that originate from a server's port 80. But you can't really filter them any further than on your IP range (e.g. 192.168.1.* - so try not to choose this as your DHCP range, since it's usually the default). This isn't terribly secure.

Most firewalls from this millennium use SPI (Stateful Packet Inspection). The problem with the firewall setup described above is that it is a very simple mechanism that filters incoming and outgoing packets independently - i.e. at the raw IP level. But this isn't how a lot of information flows over the internet. Most information that you are interested in allowing through your firewall flows in terms of connections. I send a request to an HTTP server, it sends me responses. There are outgoing (request) packets and incoming (response) packets, but they are correlated. This, in a nutshell, is what SPI does. It tracks outgoing packets and, when a packet arrives inbound, checks whether it correlates with one that was sent out; if so, it lets it pass. This turns out to cover most uses for home networking. Obviously if you are running dedicated servers you will need to open their inbound ports directly.
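To make the difference between the two approaches concrete, here is a small Python simulation that I've added for illustration; it is not code from the original post or from ASUS. It runs the same handful of constructed packets through a port-based rule of the kind the old router UI made you write ("allow inbound TCP from source port 80 to any 192.168.1.* host") and through a minimal SPI-style connection tracker. The addresses, ports and LAN prefix are all made-up demo values, and the tracker ignores TCP state and entry expiry that a real conntrack implementation would handle.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple

# Assumed LAN prefix for the demo, matching the 192.168.1.* range discussed above.
LAN_PREFIX = "192.168.1."


@dataclass(frozen=True)
class Packet:
    direction: str  # "out" = LAN -> WAN, "in" = WAN -> LAN
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


def stateless_allow(pkt: Packet) -> bool:
    """Rule in the style of the old per-port setup: let everything out, and let
    inbound TCP in whenever it comes *from* port 80 to any LAN address.
    Nothing here knows whether a LAN host ever asked for the packet."""
    if pkt.direction == "out":
        return True
    return pkt.proto == "tcp" and pkt.sport == 80 and pkt.dst.startswith(LAN_PREFIX)


class StatefulFilter:
    """Minimal SPI: remember each outbound 5-tuple and admit an inbound packet
    only if it is the mirror image of one we sent.  Real connection trackers
    also follow TCP state and expire idle entries; that is left out here."""

    def __init__(self) -> None:
        self.connections: Set[Tuple[str, str, int, str, int]] = set()

    def allow(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            self.connections.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # A genuine reply carries our original (src, sport) as its (dst, dport)
        # and our original (dst, dport) as its (src, sport).
        mirror = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return mirror in self.connections


# Constructed sample traffic (documentation address ranges, not real hosts):
#  1. A LAN host opens an HTTP connection to a web server.
#  2. The web server's reply on that same connection.
#  3. An unsolicited inbound packet that merely uses source port 80, aimed at port 445.
#  4. An unsolicited inbound packet from an ordinary high source port.
SAMPLE_TRAFFIC: List[Packet] = [
    Packet("out", "192.168.1.10", 51000, "203.0.113.5", 80),
    Packet("in", "203.0.113.5", 80, "192.168.1.10", 51000),
    Packet("in", "198.51.100.7", 80, "192.168.1.10", 445),
    Packet("in", "198.51.100.7", 4444, "192.168.1.10", 445),
]


def stateless_decisions(packets: List[Packet] = SAMPLE_TRAFFIC) -> List[bool]:
    """Verdict per packet under the port-based rule."""
    return [stateless_allow(p) for p in packets]


def stateful_decisions(packets: List[Packet] = SAMPLE_TRAFFIC) -> List[bool]:
    """Verdict per packet under the connection-tracking filter."""
    spi = StatefulFilter()
    return [spi.allow(p) for p in packets]


if __name__ == "__main__":
    for name, decisions in (("stateless", stateless_decisions()),
                            ("stateful", stateful_decisions())):
        for pkt, ok in zip(SAMPLE_TRAFFIC, decisions):
            print(f"{name:9s} {pkt.direction:3s} {pkt.src}:{pkt.sport} -> "
                  f"{pkt.dst}:{pkt.dport}  {'ALLOW' if ok else 'DROP'}")
```

Packet 3 is the one that matters: the port-based rule waves it through because it looks like "something from a web server", while the stateful filter drops it because no LAN host ever opened a connection that it could be a reply to. That is exactly the gap the paragraph above describes, and why opening source ports by hand is both tedious and weaker than connection tracking.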

So where does this leave my router? Well, the short story is that I spent several hours over a couple of days opening ports and testing software in an attempt to get my work VPN to work through my firewall. This also involved helping work IT debug their service, but that's another story. Anyway, I failed to get it completely working. It would work to a degree - this was very annoying. All the time I believed the product blurb "supports VPN pass-thru".

Turns out it didn't. There's a firmware upgrade available which fixes it. Download it, install it (then reset the router - unfortunately they don't tell you this) and voilà - everything now works pretty much out of the box. The router really is doing what it says on the tin.

So the moral: check for firmware upgrades (I know, I know).
The real moral: ASUS guys, you should add an auto-upgrade feature to your router (or at least let people know one is available). You also need to provide better information on your web-site, such as "VPN pass-thru doesn't work on firmware earlier than 1.9.X.X despite what we might have claimed on the box".

1 Comment:

At 10:00 PM, Blogger Justin Mason said...

hey Ferg! you have a weblog! cool!

but the Atom feed doesn't work -- 404
for some reason. sort it aaaht!

ps: look on the bright side -- my cheap-ass router crashes every 6 hours or so, requiring a manual power-cycle (i.e. plug it out and in again). doh...

--j.

 
