Linksys EtherFast® BEFVP41 Router
- Connectivity: Wired
- Router Functionalities: VPN Endpoint Firewall DHCP Server
User Review
Comparing the BEFVP41, Netgear FVS318 and the WRV54G
Pros
Works when VPN client is behind a NAT Firewall with a dynamic IP address.
Cons
Can't set time. Logging is primitive.
Recommended it?
Yes
The Bottom Line:
This VPN router was the cheapest one I tried but it worked the best in terms of remote VPN client access.
I have a requirement that when I am traveling on the road I can access my home network remotely. This could be either from a direct internet connection or from behind a NAT box. For example, I can modem dial up to Earthlink from my hotel room and then get a VPN connection (a direct internet connect) or I can sit in a Borders and use a T-Mobile Hotspot wireless internet connection and VPN into my home LAN. The T-Mobile Hotspot connection puts you behind a NAT box (a router that does network address translation).
At first I bought the newest VPN router from Linksys for $180, the WRV54G. This sleek looking box according to the documentation was exactly what I wanted. It supported client VPN connections and it also provided lots of routing diagnostics. There was only one small problem, it didn't work. I tried and tried and called Linksys support and I could not get the VPN part to work. I could get a VPN connection but no matter how we set the routing tables traffic would not go through it. So I gave up on Linksys support and I searched the newsgroups (using Google) and found very many people experiencing this same problem (and much worse!). It would seem for its short existence this router has a long history of problems. I was surprised to read this because I own many Linksys devices (routers, wireless cards, KVM's) and I have been happy with their products to date.
So I read where some people bought a cheaper Linksys VPN router (BEFVP41) and have had "virtually" no problems whatsoever with it. So I decided to give it a try and lo and behold it worked. It was very easy to configure and the VPN screens were very straightforward. I was able to VPN through a dial up to Earthlink and then tried it through a T-Mobile hotspot at my local Borders and it worked great. I have kept the VPN connection open for 3 hours straight with a Terminal server client connecting to a computer on my home LAN and it worked very well.
So you would think this was the end of the story and another happy ending after I sent back my more expensive VPN router right? Not a chance. One of the things I wanted out of a new router (besides not being too expensive) was some more router log information. The BEFVP41 gives you some log information via a downloadable program called LogViewer but I wanted something a little more than what it provided.
Hence I decided to try a more expensive Netgear FVS318 VPN router. Sure enough it gave me much more information (like when people were port-scanning me, etc.) and it worked with any Syslog daemon (or service for Windows). The VPN setup was a little more in-depth but not drastically hard. I had it working through a direct internet connection in no time. However I could not get it to work through a NAT router UNLESS I knew the client endpoint IP address. So if I am sitting in a Borders and I want to connect to my home LAN I can't without telling the VPN router my PC's IP address. I don't know what the PC's IP address is because a T-Mobile (or any other WIFI) connection gives me an IP dynamically. It could be anything within the 10.*.*.* subnet range. So after realizing I cannot get around this problem I decided to stick with the BEFVP41 and I am so far very happy with it with only some small issues.
Issue 1: I cannot administer the router (via web interface) from my IPSEC client machine once I VPN in. This is not a severe problem for me because I can indirectly administer it through a terminal server session. I assume it is some sort of security measure and that is ok. It just seemed odd because the Netgear FVS318 allowed this functionality.
Issue 2: How do you set the NTP time server? Most any other router from Linksys or Netgear allows you to set the NTP server for retrieving the time. This one doesn't and in addition the time is not even set according to the status page. That is just plain bizarre.
Issue 3: The LogViewer program tells me that there are "evil dudes" port scanning my router and tells me what ports they are trying to connect to. That is nice but I would like to see which connections were denied and which were allowed. I do have some ports open for some various devices from time to time yet the Linksys router doesn't tell me if the connections were successful or not. I have done a port scan myself and there would always be port 21 (FTP) and 389 (LDAP) open on the router. I don't know why they are open for I did not open them and yet when I try to connect to them they get refused. The Netgear router would tell me which connects were denied explicitly. I suppose I am being picky here and yes I guess I am. Also the Netgear would have the FTP (21) port open and it too would deny any connection to it.
Issue 4: The WAN port doesn't automatically determine whether you have a crossover connect or not. It just demands one which is unlike any of the Linksys routers I have used before. It isn't really much of a problem but it shows this thing is a little dated.
By the way I am using an IPSEC client called SSH Sentinel 4.0 and it is a pretty popular client to use. It works very well for the BEFVP41 and the set up and configuration on the Advanced router screen is almost a one to one match with the IKE/IPSec proposal parameters screen. There are web sites that do a step by step configuration for setting up SSH Sentinel and the BEFVP41. Do a search on Google or one place to go is here: http://forum.homenethelp.com/SSH_Sentinel_and_Linksys_VPN_-_Another_Setup_Document/m_5590/tm.htm. Once you set it up it is pretty easy to make modifications. For example the document chooses MD5 for authentication but you could set it up as SHA instead. Just make sure the router and the software are exactly the same and it will work like a champ.
You could use IPSEC policies in Windows 2000/XP but there are some limitations such as you cannot have a dynamic client IP address. Also the XP/2000 IPSEC policies configuration has a not so nice UI.
Anyway I have decided to keep this router at home until I find one that works the same and has more router diagnostics and logging. I did want one that was wireless but I have an 802.11G WAP sitting around anyway so it works the same (if not better).
