Flying into Other AirPorts
Apple started the wireless networking revolution with AirPort (and the rest of the industry acknowledges its role), but the AirPort Base Station is largely unchanged since its introduction nearly two years ago – no drop in price and only a few software updates that added overdue and welcome features. However, Apple is no longer the only provider of low-cost wireless access points, as home users increasingly hook up multiple machines, often with different operating systems, tied into broadband cable or DSL modems. Several companies now offer affordable wireless home gateways, which tie together firewall, router, and base station features into a single package costing between about $250 and $340.
AirPort, at its heart, is an implementation of the industry standard IEEE 802.11b, now also known as Wi-Fi (Wireless-Fidelity). Because Apple and its technology partner Lucent adhered to the standard, virtually all PC and Mac equipment is seamlessly interoperable. All the equipment surveyed in this article works with Apple’s AirPort Card, as well as PC and PCI Cards, and more exotic USB and Ethernet adapters from other manufacturers.
The only difficulty a Mac user faces in using these other gateways is proprietary Windows configuration software; this survey excludes gateways with that limitation. All gateways noted in this article, except the AirPort Base Station itself, use a Web-based interface.
Wi-Fi Basics — Wi-Fi lets you set up a short-range network of a few hundred feet using a high-frequency wireless data exchange. A base station, called an "access point" by non-Apple manufacturers, acts as an always-on relay that shuttles data back and forth between wirelessly connected machines and a wired network connection (Ethernet or dial-up). Some access points can relay traffic among each other to extend the range without requiring a wired Ethernet node.
You can also turn a single computer into a pseudo-base station using AirPort and other software, but that machine must be left on – and not crash – for others to relay through it. (For a general overview of Wi-Fi, see "Going to the AirPort" in TidBITS-567.)
The advantage of the new generation of home gateways is that they add firewall protection to the mix; some of them also allow you to protect both a wired and wireless local area network (LAN). The AirPort Base Station offers only a single kind of firewall-like filtering and doesn’t help a wired LAN at all.
These home gateways generally lack the network management and service robustness needed for corporate infrastructure, but easily handle the needs of a home or small office with fewer than a dozen machines and no high-traffic Web or Internet file server. Some gateways have built-in artificial limitations that restrict the number of simultaneous connections to 10 or 12, so it’s worth reading the specifications carefully if you plan to put a large number of machines on a gateway.
Common Features — The gateways mentioned below share a number of basic features.
DHCP Server. A DHCP (Dynamic Host Configuration Protocol) server hands out IP addresses to local machines on request. This avoids messy management of addresses. Many DHCP servers embedded into home gateways work in a bridge mode that enables them to offer DHCP service to machines on the wired local area network as well as the wireless one.
NAT (Network Address Translation). Most gateways that support DHCP also support NAT, which is a way to give machines on your network access to the Internet without requiring an Internet-reachable address for each one. When a machine behind the NAT gateway accesses the Internet, the gateway passes the request on to the Internet, then returns data to the original machine. The rest of the Internet is aware only of the NAT gateway – it never "sees" the machine which initiated the request. Since machines behind the NAT gateway aren’t directly accessible to the Internet, some manufacturers are promoting it as a firewall feature. Some NAT gateways allow you to "punch" through by creating a permanent inbound route through the gateway – this is usually done on a port-by-port basis, so Web traffic (on port 80) could go to one machine behind the gateway, and SMTP traffic (on port 25) to another. This port mapping makes it possible to run Internet-reachable servers behind a NAT gateway.
DHCP Client. All of the gateways sport a DHCP client to request an address from a broadband provider. The gateway requires this client in order to route traffic through the provider if you don’t have permanent Internet addresses for your network.
PPPoE (PPP over Ethernet). Some broadband companies use PPPoE as a security measure and/or as a session length control tool. Of all the gateways surveyed, only the Orinoco currently lacks this feature; Agere’s FAQ says it’s coming soon. Asante hasn’t noted this detail yet.
<http://www.wavelan.com/template.html?section=m59&envelope=170&page=2114>
Ethernet. All gateways include an Ethernet port for the wide area network (WAN), or Internet connection, and at least one port for the LAN. Many gateways offer switched 10/100 Mbps ports to increase network throughput among separately connected segments. For instance, on an office network, you might connect servers to one port and other machines to another, to keep office traffic from interfering with Internet traffic.
Modem. The Apple and Orinoco models include a built-in 56 Kbps modem that enables them to share a dial-up Internet connection with the rest of the machines on the network. The SMC Networks gateway has an RS-232C port – which can be converted to the Mac’s old-style round serial plug – to connect to an external modem or ISDN device.
Print spooling. The Asante, Linksys, MaxGate, and SMC Networks gateways have a parallel port (as an extra option on some) to allow the unit to function as a print spooler for printing from Windows – not much of a bonus for most Mac users.
Dynamic DNS. Dynamic DNS services enable you to map a dynamically assigned address to a fully qualified domain name (like host.example.com) whenever the machine gets a new address from a DHCP server. Although some ISPs offer this service, only the MaxGate unit has a built-in DNS server and a trial subscription to a provider that handles the dynamic updates.
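The NAT entry above describes two behaviors: unsolicited inbound traffic has nowhere to go, and a port mapping deliberately opens one path. The following Python model is an added example, not code from any of the gateways surveyed; the `NatGateway` class, its method names, the port numbering, and the strict reply matching are assumptions, and all addresses are constructed documentation addresses.

```python
from itertools import count


class NatGateway:
    """Toy model of a home NAT gateway with static port mapping."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self._next_port = count(40000)  # assumed pool of public source ports
        self.sessions = {}  # public port -> (lan ip, lan port, remote ip, remote port)
        self.port_map = {}  # public port -> (lan ip, lan port), the permanent routes

    def map_port(self, public_port, lan_ip, lan_port=None):
        """Create a permanent inbound route ("punch" through the gateway)."""
        self.port_map[public_port] = (lan_ip, lan_port or public_port)

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """Rewrite an outgoing connection so the Internet sees only the gateway."""
        public_port = next(self._next_port)
        self.sessions[public_port] = (lan_ip, lan_port, remote_ip, remote_port)
        return (self.public_ip, public_port, remote_ip, remote_port)

    def inbound(self, remote_ip, remote_port, public_port):
        """Return the LAN (ip, port) a packet is delivered to, or None if dropped."""
        session = self.sessions.get(public_port)
        # Replies are accepted only from the host the LAN machine contacted.
        if session and session[2:] == (remote_ip, remote_port):
            return session[:2]
        # Unsolicited traffic gets in only through an explicit port mapping.
        return self.port_map.get(public_port)


if __name__ == "__main__":
    gw = NatGateway("203.0.113.10")       # constructed public address
    gw.map_port(80, "192.168.1.2")        # Web server behind the gateway
    gw.map_port(25, "192.168.1.3")        # mail server behind the gateway
    print(gw.outbound("192.168.1.50", 51000, "198.51.100.7", 80))
    print(gw.inbound("198.51.100.7", 80, 40000))     # reply: delivered
    print(gw.inbound("198.51.100.99", 4444, 40000))  # stranger: dropped (None)
    print(gw.inbound("198.51.100.99", 4444, 80))     # mapped port: delivered
```

Every entry in `port_map` is reachable by anyone on the Internet, so the machines behind mapped ports get no protection from NAT on those ports.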
Configuration — Apple made an obvious decision early on, perhaps due to their relationship with Lucent, to require a Macintosh application to configure the AirPort Base Station. However, a Java-based configuration tool originally designed for Lucent’s residential gateway will also configure Apple’s AirPort, and it works on all platforms with Java installed. (Lucent, in the meantime, has spun off its wireless and related divisions as a new company called Agere. Agere’s RG-1000 gateway comes with Windows-only configuration software, which tends to confirm the exclusivity theory.)
Most companies instead opt for Web-based configuration. The biggest disadvantage of a Web interface is security. Because of the huge increase in wireless networks and the tendency of most equipment to announce new networks as they become available, it’s trivial for neighbors or even passers-by to manipulate your gateway maliciously, or set it up for their own use. Most gateways offer simple password protection to access the gateway’s settings; I recommend setting that password immediately, before proceeding.
(More obscurely, you can limit access to the specific Ethernet adapters on your network by entering the unique Ethernet Media Access Control (MAC) address of each machine, found in Apple System Profiler as Hardware Address in the AppleTalk section of Network overview, or in the Info dialogs (switch to Advanced mode to access them) of the TCP/IP or AppleTalk control panels.)
Web interfaces are wonky at times, applying settings incorrectly or generating strange errors. Web forms also limit the kind of data you can enter easily, along with the overall ease of interaction. Adding lots of machines and complex firewall settings can become tedious. Luckily, you only have to do it once, since the gateways all store settings in continuous memory that’s retained even when the device is unplugged.
Many gateways also use flash RAM to store their firmware (the software that drives the hardware). However, you may need to use software specific to a platform to update the firmware. Farallon, for instance, makes both Mac and Windows software packages to update firmware rather than rely on a Web interface to upload a file and apply it.
Encryption — A separate issue is network encryption, which keeps outsiders from connecting to your network and provides some semblance of protection for the traffic that passes across it. Apple’s AirPort, as well as most of the gateways surveyed, offers a simple form of limited security called Wireless Equivalency Protocol (WEP). It’s taken a lot of heat lately as weaknesses have been revealed, so if privacy is paramount for you, don’t rely solely on WEP. Corporations typically use some sort of Virtual Private Network (VPN) software with its own strong encryption to prevent breaches.
Despite the recent reports, it’s not a bad idea to use WEP as a reasonable and free line of first defense. There are some difficulties in setting WEP passwords that work under both Macs and PCs, or even among different PCs. First, you want to set only a 40- or 64-bit password, because that’s all the AirPort system supports. (The two are identical: the 24 missing bits are an initialization vector, which is used only for marketing purposes to pretend the encryption is stronger than it is.) Second, you must convert the password from the five hexadecimal (base 16) numbers that PCs use into the text that the Apple AirPort software requires. Apple’s AirPort Admin software offers an Equivalent Network Password option, which is the hexadecimal sequence that PC software can employ. But none of the gateways surveyed offered an obvious method to take passwords in the other direction.
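The conversion "in the other direction" can be done by hand, as in this added Python example, which is not from the article or from any vendor's software. It assumes the text form is simply the five key bytes read as ASCII characters (not a passphrase hashed into a key); the function names and the sample key are constructed for illustration.

```python
WEP40_KEY_BYTES = 5  # the 40 secret bits of the shared key
WEP_IV_BYTES = 3     # the 24-bit initialization vector counted in "64-bit"


def advertised_bits(key_bytes: int = WEP40_KEY_BYTES) -> int:
    """Key length as marketed: secret key bits plus the 24 IV bits."""
    return (key_bytes + WEP_IV_BYTES) * 8


def hex_to_text(hex_key: str) -> str:
    """Turn the hexadecimal form of a 40-bit key into five typeable characters."""
    cleaned = "".join(ch for ch in hex_key if ch not in " :-")
    try:
        raw = bytes.fromhex(cleaned)
    except ValueError as exc:
        raise ValueError(f"not a hexadecimal key: {hex_key!r}") from exc
    if len(raw) != WEP40_KEY_BYTES:
        raise ValueError(f"need {WEP40_KEY_BYTES} bytes, got {len(raw)}")
    # Edge case: a key chosen in hex may contain bytes nobody can type.
    if any(b < 0x20 or b > 0x7E for b in raw):
        raise ValueError("key has non-printable bytes; it has no text form")
    return raw.decode("ascii")


def text_to_hex(text_key: str) -> str:
    """Turn a five-character text key into the hexadecimal form."""
    raw = text_key.encode("ascii")  # non-ASCII input raises ValueError
    if len(raw) != WEP40_KEY_BYTES:
        raise ValueError(f"need {WEP40_KEY_BYTES} characters, got {len(raw)}")
    return raw.hex().upper()


if __name__ == "__main__":
    sample = "4D 61 63 2D 31"  # constructed sample key, not from the article
    print(hex_to_text(sample), text_to_hex("Mac-1"), advertised_bits())
```

A key that has to work on both platforms is easiest to pick as five printable characters first and then convert to hexadecimal, since an arbitrary hexadecimal key often has no typeable text form.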
Firewall Protection — Because all the wireless traffic must wend its way through the gateway, most makers have put in firewall protection that blocks traffic and examines data as it passes between the Internet and your computers. All of the makers except Apple also provide two or more Ethernet ports so that a local wired LAN, if any, can also be protected by the same controls.
The amount of control over firewall features varies by maker, as does the difficulty of allowing certain kinds of traffic to pass through. Some units log attacks; the only manufacturer mentioning this feature is MaxGate. The Farallon specifically does not log, and Asante hasn’t released enough details about their unit yet to say one way or the other.
Gateway Rundown — Here’s a summary of the unique features of each gateway.
Asante FriendlyNet FR3002AL. This gateway was announced in April at the Seybold trade show, and details about it are not yet entirely available. However, it is known that the gateway features two switched 10/100 Mbps Ethernet ports, one each for WAN and LAN connections. (Actually, it may have two LAN and one WAN; the report is unclear.) It also has a parallel port and built-in print spooler. The list price is expected to be $320.
Linksys EtherFast Wireless AP + Cable/DSL Router w/4-Port Switch. For $260, the Linksys gateway offers Web-based administration and four LAN and one WAN Ethernet ports; online documentation is scanty.
Farallon’s NetLINE Wireless Broadband Gateway. The NetLINE’s firewall controls allow different machines to be set up with varying levels of protection, and for specific ports (for services like a Web site or a mail server) to be exposed to the outside world while protecting the rest of a machine. For $300, the NetLINE Wireless Broadband gateway provides one 10/100 Mbps LAN port and one WAN Ethernet port.
MaxGate UGate-3300. Also $300, this gateway offers one WAN and one LAN 10/100 Mbps Ethernet port. It also features a built-in DNS server that works with an external service provider for dynamic DNS. Its firewall and access logging description make it sound like it’s using a combination of NAT and packet filtering to provide security, rather than offering true port-based firewall protection.
SMC Networks Barricade 11 Mbps Wireless Broadband Router 4 Port. This $339 gateway has a parallel port for print spooling, three switched 10/100 Mbps Ethernet ports, one 10 Mbps WAN port, and firewall protection. It also has a unique feature: an RS-232C serial connection for an external modem or ISDN device so the company can provide the option of routing a dialup Internet connection without the expense of bundling a modem.
Making the Choice — Apple’s AirPort Base Station clearly doesn’t have as many features as some of these newer gateways (though it boasts a slick design and configuration through real Macintosh software). Of the newer gateways, my call goes to the Farallon NetLINE Wireless Broadband Gateway. In testing, I found its speed and reliability fine, and its configuration only mildly obscure. Most impressive is the NetLINE Wireless Broadband Gateway’s firewall feature set, which rivals the best and most expensive personal firewall software available for Mac or Windows. If you’re looking for an alternative to Apple’s AirPort Base Station, you won’t go wrong with this competitor from Farallon, and it’s worth looking at the other units as well if you need specific features they offer.
[Glenn Fleishman is a Seattle journalist who covers technology for publications like The New York Times, Fortune magazine, and Wired magazine.]