11-03-2009, 07:00 PM
|
|
Very Senior Member
|
|
Join Date: Aug 2008
Posts: 246
|
|
Yes. The added feature set is enormous. I just made contact with Draytek US support and spoke with Josh there who is looking after my questions :-) On the 64bit issue, I'd just use the Windows built in VPN for now until 64 bit SSL shows up. I was doing the same for the FVS336G. One thing that I do like about Netgear's IPSEC implementation (strangely) is that it is a pain to configure and requires SHREW. I don't like the pain but using a customized client/server setup like this improves security in my eyes. On the other hand, creating VPN users on the Draytek takes 5 seconds and there is no goofing around to do. You can create just one user and give them any type of VPN access, including PPTP. On the Netgear you need to create one user for IPSEC, and then do it again for SSL VPN in a different database. PPTP is not supported on the Netgear router. Bottom line, very strong passwords should be used regardless of the product.
Here are what I see as major advantages that make the 2950G a unit to look at starting from the box. Keep in mind that the Draytek is almost twice the price, but in our case I wanted wireless G on the Draytek box (2950G). Netgear does not have a wireless version of the FVS336G. My limited tests with wireless N (WNDAP330) so far have been unimpressive with G being functionally just as fast as N, with better range despite slower reported connection speeds. So here are the Draytek advantages:
1. It comes with rack mount brackets (if you want to mount that way), albeit with an internal fan cooling where the FVS336G is silent. All connections aside from power are at the front, consistent with rack-mounted hardware. Netgear's are at the back.
2. The user interface is actually pretty easy to get around...easier to use than Netgear's which I found a bit confusing. In the Draytek all menus are listed at the left so you don't need to search for links/menus at the top of dialog windows as you do with Netgear.
3. Smartmonitor (now that I've got it sorted) is every LAN admin's dream come true in terms of open monitoring of network use. It allows you to completely monitor almost every aspect of WAN use and report this to your staff if required via the "server" workstation's Apache software. Setup is basically installing the Smartmonitor package, and plugging your workstation into the 2950's "Monitor" port. The workstation is usable as normal.
4. Adaptive load balancing...which we are using now in "According to Line Speed" mode. "Auto Weight" didn't work so well, however further testing would be required to confirm this in isolation. What I've found though is that given two ISPs on the dual WAN side, we had to direct SMTP/POP to one ISP (other was blocking them) and certain services like VOIP also have to be policy driven to one WAN interface. Netgear's load balancing is manual but as I've described, we had to manually direct six ports or so to a given WAN on both products because of their need for a consistent WAN IP address. Draytek's bandwidth monitoring reporting on both WAN interfaces is much more refined than the basic information provided on the FVS336G.
5. Scheduling on the Netgear is limited to 3. On the 2950 you can set up 15 and have them cascaded (up to 4) if required.
6. Objects setting which lets you define IP objects, Service types, protocols etc, etc. which can then be used elsewhere for QOS, scheduling etc.
7. The 2950 has extensive QOS options, many more than we'll likely use.
8. The VPN and Remote access section offers wizards for setup, as does the Netgear, but you only need to define a user once, regardless of the type of VPN. Setting up VPN connections is super simple on the Draytek. For 32 bit clients (no go on Vista 64bit) the Draytek DVD includes a wizard that configures clients using Windows built in VPN access. Netgear's IPSEC VPN is a lot more complicated to set up and truthfully took a few days of messing around with SHREW to get it working.
9. The wireless LAN section of this router is very well featured including the ability to do MAC level access control, bridging, repeating and station rate control. One other feature that is excellent for guest wireless access etc. is wireless VLAN. This allows you to implement a date sensitive login prompt (up to 15) that automatically sets the user to a VLAN. This allows you to isolate guests on the LAN WIFI with only internet access...and you can restrict the data rates! If that's not enough, you can schedule wireless off or on using any of the router schedules that you define.
10. Full syslog support and a syslog client included on the router tools DVD.
11. Diagnostics included ARP Cache table (you can quickly figure out which MAC addresses belong to which IP addresses), Traffic graphs, Data flow monitors etc. The Traffic graph shows daily demand visually on either WAN1 or WAN2 which is an indication of just how much traffic is going where. The DHCP table found there is quite useful too, providing MAC and IP addresses related for you.
12. The Draytek offers UPNP support (Netgear does not) which makes UPNP devices on your LAN self-configuring for WAN access.
13. Finally the firewall has extensive filter options that would allow you to lock down with a very large collection of cascading filters.
So there you go. Spend about $460 and you're looking at a very impressive feature set and onboard wireless (you can purchase the router cheaper by opting out of wireless) with support that's OK, but certainly not world class. The ability to extensively monitor your LAN-WAN traffic is something a small LAN admin, or SMB owner would appreciate. If you need guest WIFI access (or just office access) and want to segment/throttle it, then you're set with the 2950G. If you need SSL VPN for 32 bit clients and/or licence-free IPSEC, PPTP or L2TP VPN for windows clients, then you're set too.
Spend about half that on the Netgear FVS336G and you get a much smaller feature set with slightly flaky firmware (at least in my case) but impressive support, including context help everywhere. Again, you have 32bit SSL VPN but will need to either purchase VPN client licences, or figure out SHREW for your clients which is free.
So essentially my suspicions on the Draytek being an enterprise class device were more or less correct, at a price that is quite respectable. If I was planning Draytek's future, I'd fire up a forum right away (so we can search for answers!) and definitely work on some context help right in the router GUI as Netgear does. Sending out product for guys like Tim to review wouldn't hurt either. Otherwise, for what it's worth, I like this product. Btw, I bought both these routers outright and I don't work for either company! My only interest is to shed some light on the Draytek mystery that I've Googled across in my searches. Hope this helps a few folks.
Cheers,
Dennis.
Last edited by Dennis Wood; 11-03-2009 at 07:16 PM.
|

11-03-2009, 07:28 PM
|
|
New Member
|
|
Join Date: Nov 2009
Posts: 4
|
|
My goodness Dennis, that, as far as I'm concerned, is as complete a review as I would ever need to make a well informed decision. Thank you for that. For all intents and purposes, I'm now sold on the Draytek 2950. Your last post should be sticky'd, as it directly compares a product to one that has been reviewed on this site.
Again, thank you for all the information.
|

11-03-2009, 08:29 PM
|
|
Very Senior Member
|
|
Join Date: Aug 2008
Posts: 246
|
|
No worries :-) These two products are in a niche which will become significant as redundancy/bandwidth as well as VPN become more and more important for small business. We're a web based operation with a decent pile of media/data being uploaded/downloaded daily...so the router is for sure a very important part of the equation. Now back to work....
Cheers,
Dennis.
|

11-04-2009, 12:09 PM
|
|
New Member
|
|
Join Date: Nov 2009
Posts: 4
|
|
Dennis, one other quick question. The fan you mention as being present on the Draytek--is it loud enough to be bothersome in a quiet office environment? I actually like the idea of actively cooled components on a high performance device, but if it's annoyingly audible we'll have to make accommodations for that.
|

11-04-2009, 11:31 PM
|
|
Very Senior Member
|
|
Join Date: Aug 2008
Posts: 246
|
|
In a closed cabinet, you're OK. If it's out in the open you might get a complaint or two from anyone within 10ft. The noise is typical of any fan cooled switch, usually a bit worse than a workstation as the small fan generates a higher pitch than a 120mm PC cooling fan.
I should mention that in further tweaks there's something I forgot to mention as perhaps point 14. The Draytek has something like 40 profiles that you can activate to block P2P, Chat, IRC etc. as well as streaming media..and you can schedule its blocking/filtering behaviour in the firewall section. There are further options for URL blocking as well as content filtering which are the best I've seen in devices like this. The QOS options which I was working with today were very nice to work with as we can decide exactly which WAN (upstream or downstream, or both!!) prioritizes which traffic as percentages, or define rates. In other words you can define classes of protocols, IPs etc and decide how much importance they get on either WAN1 or WAN2 in any direction or combination as required. With our own VOIP SIP server, and a very busy web "guru" (on FTP all day), rsync remote replication, as well as web-based ecommerce being managed, the QOS options are perfect. I feel like I'm fine tuning a car here.
Smartmonitor is really, really impressing me in terms of monitoring pretty much everything going in or out of the router. After a support email I've got it set up like this on a 2 NIC workstation: NIC 1 is set up on the LAN as usual. NIC2 is set up with an IP on the same subnet, but no gateway is defined. NIC2 is connected to the router monitor port. Smartmonitor is set to listen to NIC 2. That works well.
I did also receive a revised app note for iPhone VPN access, but it doesn't work for me. This however is likely Rogers blocking VPN as I'm guessing I need to give them more money for VPN (based on google research). Strangely, tethering via 3G or Edge works just fine for VPN initiated from a laptop.
Last edited by Dennis Wood; 11-04-2009 at 11:35 PM.
|

11-12-2009, 02:11 AM
|
|
Very Senior Member
|
|
Join Date: Aug 2008
Posts: 246
|
|
Draytek released a Smart VPN client package today (free) that works very nicely on 64 bit Vista and is listed as supporting Windows 7. The previous version did not. You can grab it here: http://www.draytek.com/user/SupportDLUtility.php#
I'd rate this client faster and easier to use even over SSH. After installing it took all of 10 seconds to set up and connect using L2TP to an already configured router. This was looking at the app "cold" so hats off to the Draytek crew.
Very impressed.
On another note, the Smartmonitor application, which I'd now consider an essential LAN tool, runs much better on an XP SP3 workstation than it did on Vista 64. There is just one NIC on that workstation, connected to the monitoring port of the router, which is still allowing normal use of the workstation. On the Vista box we saw 100% CPU usage every now and then, something not being seen on XP.
Last edited by Dennis Wood; 11-12-2009 at 02:16 AM.
All times are GMT -4. The time now is 12:41 AM.