Multiplayer gaming is a blast. No doubt about it. Getting together with friends for a LAN party, popping a few cold ones and wreaking digital havoc is one of the best reasons to have a PC.
But there are those who try to wreak a different kind of havoc – that of trashed data and denial of service. Crackers, script kiddies and their ilk would love nothing more than to crash your game server and then trash as many machines on your network as they can.
How do you keep out these digital neer-do-wells and still have some multiplayer fun? With a router, of course. Network Address Translation (NAT) routers have become de rigeur in broadband-connected homes, since they let multiple machines share a single broadband pipe and IP address.
Unfortunately, many online or multiplayer games that require several connections to your PC have difficulty working with NAT configurations. Thus many routers have added special features that open up selected ports for gaming use.
In the world of online multiplayer gaming, its easier to be a client than a server. Serving up a game usually requires exposing your game server machine to some degree of vulnerability. When client games try to connect to a game server, it appears to your network as if someone from outside is attempting to access a system within the network — which it is. Hardware and software firewalls, however, cant always distinguish between packets sent with a hostile intent from those who are simply coming in from gamers trying to connect to a server. Network router makers have responded by adding features gamers need to enable multiplayer gaming, while at the same time maintaining at least some level of security. Features like port forwarding, port triggering, and DMZ allow gamers to selectively punch holes in their firewall.
- Port Forwarding: This feature allows you to redirect traffic coming into a specific port or port address range to a specific IP address (the game servers).
- Port triggering: With this feature, a port is closed until a game running on one of your internal machines attempts to send traffic through it. When that happens, the router opens up the port, and leaves it open until the session terminates.
- DMZ: Any machine placed into a routers DMZ area is completely exposed to the Internet. This is typically a last-resort solution – and shouldnt even be considered without a software firewall on the exposed machine.
In this article we evaluate four of the latest routers from high-profile home networking hardware makers. We tested each product to see how well they implement the previous features, and how easy they are to set up and enable network-based multiplayer gaming.
If youre new to hosting an online multiplayer gaming server, well show you several examples of how you can host a server, while keeping your box well protected against unwanted intrusions. You should probably read our story from beginning to end.
If youre a grizzled networking vet, then this will be a refresher course. You can jump right to each individual review, or just head to the What to Buy section.
You can also refer to our Home LAN Security section for more information on tightening up your online gaming environment.
ZIFFPAGE TITLEHow We Tested
We looked at four routers for this review, two from D-Link, and one each from NetGear, and Linksys:
The overarching goal of our testing was less about performance than about security features and the ease of implementing them. For our testing, we first configured the routers to expose a game server to the rest of the world. We then port-scanned the router looking for open ports, which could be exploited by ill-intentioned crackers.
We configured each router as a DHCP server for internal clients, with a static IP WAN address hooked up to our labs T1 line.
We then began our testing by using a well-established game, Unreal Tournament (UT), with all the latest patches (version 4.36) and UT Bonus Packs (one through four). We ran a standard deathmatch server on a machine that was behind each routers firewall with the Advertise Server flag enabled.
We ran first with the routers default settings and checked to see if the server was visible via the Internet from a client machine on a different network segment. If the machine wasnt visible, we tried connecting directly to it using the “Open Location” command in UT. If this was unsuccessful, which in most cases it was, we then resorted to either putting the server in the routers DMZ (more on that in a bit), and then tried using whatever Port Forwarding features were available to us. We also evaluated Port Triggering if it was available.
Once we had the server visible on UTs master server list, we then used the same client machine and ran the Win32 version of nMap, an open-source freely available port-scanning utility, and scanned the range of port addresses that UT uses to see if these ports were open.
And finally, we looked at the visibility of Windows shares when running a box in the DMZ versus using port-forwarding.
Now lets look at each individual router to see how it performed.
ZIFFPAGE TITLEReview Summary and What
Lets take a quick look at how each router performed. You can reach our detailed reviews of each board by either clicking on the name in the chart below, or simply reading each sequentially by turning the page. Dont miss our special section after the reviews on setting up LAN Security at home.
So which one is best for you
Basic Networking: The D-Link DI-604 is a very solid little unit for under $50. The only feature we found missing was stateful packet inspection, but for under $50, this is going to be a very hard feature to find. The DI-604 runs reliably, allows enough configurability to both keep your home LAN safe, and game servers servin up the frags.
Whole Enchilada: The D-Link DI-764 is solid overall, and the fact that youre getting 802.11 a and b along with a solid router makes this a great one-stop-shopping kind of product. Were disappointed however that its purported turbo features on 802.11 a and b dont deliver nearly as much additional performance as wed like to see. Still, if you want both flavors of wireless networking and a home router all wrapped up in one, the DI-764 will package that all for you rather nicely. At this point, given the high state of flux in 802.11 standards, were a little reluctant to recommend buying a wireless access point/broadband router wrapped up in one, since current hardware may not be able to completely adapt (via firmware upgrade) to new standards coming down the pike. But if you want an all-in-one unit, this one will get it done.
Without a doubt the most feature-laden (and most expensive) of the four routers we looked at, D-Links DI-764 has nearly all the admin tools you could want, four 10/100 switched Ethernet LAN ports, one 10/100 WAN port, and 802.11a and b support. The DI-764 uses a TI 802.11b chipset which has a turbo mode called 802.11B+, as well as a higher-speed mode for 802.11a (using Atheros silicon), called Turbo.
As it turns out from our NetPerf testing for streaming media over different kinds of networks, these enhanced operation modes provide small performance improvements in throughput, but nowhere near the claimed speeds. However, both 802.11a and b have sufficient bandwidth and low enough ping times to facilitate multiplayer gaming, which for the purposes of this story are what were most interested in.
If you want to use these features, though, youll need to buy all D-Link hardware to get the best results. Plus, in the case of 802.11a, youll need to have D-Link hardware to talk to this routers access point. Despite these issues however, the DI-764 has a full spread of configuration options to let you lock your LAN down tight.
No SPI: One feature missing from the DI-764 is Stateful Packet Inspection (SPI), which at this price-point, should be a standard item. In brief, SPI looks not only at individual packets origins, destinations and protocol type, but also looks at groups of traffic to have a better idea whats happing both on your LAN and on your incoming and outgoing network traffic. For more on this topic, head over to our Home LAN Security story.
Getting the DI-764 running was very straightforward, and the Web-based admin interface has an initial setup wizard that allows you to configure the most vital settings. We had the DI-764 configured and ready to roll in about five minutes.
One of the 764s more interesting features is its ability to be configured for specific applications that require multiple connections. And these applications have difficulty working in NAT configurations. For instance, Unreal Tournament uses ports 7777-7779, but communicates with the Master Server at Epic Games on port 27900. Using Port Forwarding, you would have to open ports 7777-27900, which is one-third of all the ports available in TCP/IP. But using the DI-764s Special Applications feature, we were able to open ports 7777-7779 and 27900, allowing UT the necessary open ports to get a server going on the Net. The DI-764 comes pre-configured for Battle.net, Dialpad, ICU II, MSN Gaming Zone, PC-to-Phone, and QuickTime 4.
This feature is essentially Port Triggering by another name, since the opening of the specified ports happens only when a request is made from behind the LAN.
In the panel, youll see both private and public trigger ports listed, but in the DI-764s menus, the feature is called “Applications”, and lives under the “Advanced” menu header. Whats cool about this is that ports get opened only when a machine from behind the firewall requests it, and once that session is terminated, the port is then closed off again.
While there may be some vulnerability while the session is open, the needed port doesnt sit in an open state 24/7. However, one limitation of this feature is that only one app can use the Special Application Tunnel at a time. So if Junior has a server going for a grip-it-and-rip-session of UT 2003 and dad wants to fire up an Age of Mythology server, hell have to send Junior out to wash the car.
We then scanned the DI-764 using Nmap, and looked at the port addresses used by Unreal Tournament. On TCP, Nmap reported these ports as being filtered, whereas on UDP, it reported them being open.
Nmaps method of determining whether a given UDP port is open however seems a bit suspect to us. It sends 0 byte UDP packets to the specified port of the target machine. If Nmap receives an “ICMP port unreachable,” the port is assumed to be closed. However, if no response is received, Nmap assumes the port to be open.
While we like Nmap as a testing tool– we believe this particular method of port state determination is flawed, since a UDP port isnt obliged to answer a scan, whether its open or closed. Our concern is that the routers we tested here may be ignoring the port scan and discarding the probe packets, meaning that the ports are not open, and therefore do not pose a security risk.
The reason we have some doubt about Nmaps findings is that we tested a wide variety of UDP port address ranges, and Nmap reported all of them as being opened, which we seriously doubted. Our suspicions were confirmed first by the DI-764s log, which registers attacks and has the option to log dropped packets, and it reported events like the following. As it turns out, we were correct in our suspicions. A look at the DI-764s log file revealed that it was discarding the packets from the packet scan, and not responding to it, which yielded the false report that the ports were open.
“Dec/20/200215:40:02 Drop TCP packet from WAN 184.108.40.206:10025 220.127.116.11:25Rule: Default deny“
We also ran another port scan using a tool from Gibson Research called NanoProbe, which you can run on your system here. It scans ports for FTP (21), Telnet (23), SMTP (25), Finger(79), HTTP (80), POP3 (110), IDENT (113), RPC (135), NETBIOS (139), IMAP (143), HTTPS (443), MSFT DS (445) and UPnP (5000). This scan showed no vulnerabilities on the router.
Next, we tried to see a shared folder on a Windows machine that was behind the routers firewall. Windows file sharing uses ports 139 and 445, and TCP port scans of both of these ports showed them to be filtered, and both of these ports are locked out by default. We were unable to see either the machine itself, or the shared folder on the target machine.
Looking at its wireless configuration, the DI-764 has most of the admin features weve come to expect in access points. Missing, however, is the ability to explicitly disable ESSID broadcasting, which announces the APs presence (whether WEP is enabled or not). When this feature is disabled, the ESSID would have to be known by the client in order to connect to the AP.
Disabling ESSID broadcasting offers one more layer of security, along with WEP, to try and keep unwanted guests out of your wireless network. Neither is bulletproof of course, but D-Link should add this feature to the next firmware revision. We checked D-Links site to verify that the test unit we looked at was up to date with its firmware, and it was.
The DI-764 is the priciest router we looked at among the four, but for good reasons. Its dual-band 802.11 support, coupled with its relatively full compliment of admin features actually makes it a good value for its $240 street price. However, it lacks Stateful Packet Inspection, which for a router in this price range wed like to see it included. If youre keen on using 802.11a, youll need to invest in additional D-Link hardware to be able to talk to the DI-764. The only reason to consider this router over either the D-Link DI-604 or the LinkSys BEFSR81 is if you really need wireless networking in addition to a broadband router. However, even then, you may wish to consider a separate access point in lieu of the DI-764, as it increases your number of options.
The DI-604 is the classic case of “Big things come in small packages.” But dont let the 604s diminutive stature fool you. Inside this little $45 box lurk admin features-o-plenty, and the price is right. In fact, the DI-764 has the same administrative features found in its big and far more expensive brother, the DI-764. The main difference between the two is that the DI-764 has 802.11a and b wireless networking support.
Just like the DI-764, setting up the DI-604 was very straightforward, and the Web-based admin interface has an initial setup wizard that allows you to configure the most vital settings to get you up and running. Like the 764, we also had the DI-604 configured and ready to roll in about five minutes.
We could spend a lot of words telling you what we liked about the DI-604 but basically, we liked the same features in it that we liked in the DI-764. The 604s compact size allows it to be tucked away easily with your cable modem or DSL modem, and weve been running one of these 24/7 in our lab on our T1 line for about two months now, and it has been very solid, serving up IP addresses, and never crashing.
Our findings during Unreal Tournament testing were also the same as those seen with the DI-764. Getting an advertised server to be visible on the UT Master Server list required enabling either port forwarding (which D-Link calls “Virtual Server”) or port trigger, which D-Link calls Special Applications. Ditto for results using Nmap, but just to recap:
We scanned the DI-604 using Nmap, and looked at the port addresses used by Unreal Tournament. On TCP, Nmap reported these ports as being filtered, whereas on UDP, it reported them being open.
Nmaps method of determining whether a given UDP port is open however seems a bit suspect to us. It sends 0 byte UDP packets to the specified port of the target machine. If Nmap receives an “ICMP port unreachable,” the port is assumed to be closed. However, if no response is received, Nmap assumes the port to be open. As it turns out, the routers we tested here are ignoring the port scan and discarding the probe packets, meaning that the ports are not open, and therefore do not pose a security risk. This was confirmed with the vendors, a look at the router logs, and by doing additional scans using Gibson Research test tools.
Next, we tried to see a shared folder on a Windows machine that was behind the routers firewall. Windows file sharing uses ports 139 and 445, and TCP port scans of both of these ports showed them to be filtered. We were unable to see either the machine itself, or the shared folder on the target machine.
About the only complaint we have about the DI-604 is that it only has four ports on its 10/100 LAN switch. An eight-port version of this (maybe called the DI-608) would be a nice addition to the D-Link lineup. D-Link currently offers a seven-port broadband router called the DI-707, which appears to come close, and its street price is around $90. But this minor quibble aside, the DI-604 is a solid offering from D-Link, and brings a lot to the table for the money. If your network is small, the DI-604 will make for a reliable nerve center to keep the whole thing humming.
ZIFFPAGE TITLELinkSys BEFSR81
If youre looking for a high-capacity broadband router, Linksys has an 8-port switch / router, the BEFSR81, that seemed to fill the bill. We put it through our rigorous ExtremeTech test procedures to see how well it would perform.
PC Magazine reviewed the four-port little brother to this router. This router had some security holes, which Brett Glass noted in his informative security coverage. Since then, LinkSys has released a firmware update that plugged these holes. We tested with the latest firmware.
As noted in the PC Magazine review, LinkSys broadband routers support both NAT-style (network address translation) and stateful packet inspection (SPI), which leaves TCP and UDP ports closed until those ports are specifically requested, or manually left open by the router admin.
You configure the router by connecting to its IP port through a standard web browser.
Although we didnt test for performance, its worth nothing that the four-port version PC Magazine tested was also one of the speediest.
We set up the BEFSR81 router as the broadband router sitting between a cable modem and our test network. We uplinked the LinkSys to a Netgear 8-port switch, which allowed us to connect seven PCs and three networked appliances.
As a standard broadband router, the LinkSys was very easy to set up — plug in the Ethernet cable from the cable modem, turn everything on, and we were automatically connected to the Internet. Note that one reason it was so easy was that our local cable provider doesnt require PPPoE or any other authentication mechanisms just to establish a link — the connection is always live. If your connection requires PPPoE, configuration is somewhat more difficult – but not overwhelmingly so. The bundled documentation helps during this setup.
Part of our testing involved setting up an Unreal Tournament server and then attempting to access it from about 40 miles away. This was a bit more complicated. In the routers default state, the game server was invisible to the PCs trying to connect via the Internet. Even typing in the IP address of the router (or, when the IP address was hard coded, the PC), failed to reveal the existence of a game server.
The next step was to try the most extreme (and dangerous) option — we put the UT server PC in the DMZ. This exposed the system to the Net, so we hard-coded an IP address that wasnt an internal-only address. You do this in the network control panel, by disabling DHCP and typing in an IP address supplied by your ISP. This only works if you have more than one IP address made available to you by your broadband service provider – which typically costs more money.
This worked like a charm. Dave was soon happily fragging bots from his connection forty miles away (and kicking ass/taking names, I might add. – Dave).
DMZ Is Risky: However, configuring a PC in the DMZ is a risky proposition, particularly if other PCs on the internal network have valuable data. To the outside world, this machine appears to have your WAN address, the IP address youve either hard-coded in your router if your ISP gives you a static IP address, or the address your router has been dynamically assigned via DHCP from your ISP. But internally, this machine still has a 192.168.x.x address, and sits on the same IP segment as the rest of the machines on your network.
If youve got Windows File and Print sharing enabled, for example, a cracker could come in and wreak high holy havoc. If nothing else, that PC in the DMZ could be subject to DoS (denial of service) attacks such as the so-called “Ping of Death” that floods your system with pings, drowning out all other traffic. Your DMZ machine could even be co-opted by unfriendly script kiddies who use unguarded systems to launch attacks elsewhere.
The next step was to try port forwarding. This means specifically telling the router that one particular PC has access to outgoing TCP/IP ports needed by the game server, and that incoming packets from players systems are routed properly.
Since most games use UDP as their main protocol, you simply check the UDP box, fill in the port ranges (7777 to 27800 for Unreal Tournament) and fill in the internal IP address of the server. This also worked like a charm.
But even port forwarding still has some vulnerabilities. Its also inconvenient. If you have more than one PC, and you want to run a game server from different PCs at different times, then you have to set up individual port forwarding configurations for each PC. The LinkSys router, like the D-Link offerings, also has the option of port triggering, which is a more elegant solution.
To configure port triggering, you select that option from the port forwarding configuration screen. This is one of the few times that the LinkSys UI seemed awkward, and the port triggering screen looks a bit terse.
But in the end, it was really quite simple to set up– we just set the trigger port range for incoming and outgoing packets. When the server requests a port, that “triggers” the router to allow the packets to pass; the same holds true for incoming packets. Note that there is no specific information about the system, such as internal IP or MAC addresses exposed.
As a router for someone who wants to host game servers, the LinkSys BEFSR81 offers a lot of plusses: convenience and performance. Setup is easy and straightforward, and youll be hosting your own game servers in no time.
ZIFFPAGE TITLENetGear RP
NetGear currently offers five routers in its lineup of home-focused networking products. The RP-614 represents the baseline offering, but even so, it packs a lot of features into a very small package, similar to the D-Link DI-604.
Like just about all broadband routers, the RP-614 has a Web-based admin interface, and this makes it easy to configure. It has an initial setup wizard that gets you up and running within about five minutes. A helpful addition to the Web-based interface: a right-hand column on each page explains what the settings do. This is very helpful.
Wall Wart Woes: One annoyance encountered, and this is a particular pet peeve of ours, is that the RP-614 arrived with a dreaded wall-wart power supply. In an industry so focused on pinching pennies, looking for every opportunity to cut bill of materials is understandable. But its time to just say no to wall-wart power supplies. They eat too much power strip/AC outlet real estate, and represent some of the oldest, dumbest technology known to the electronics world. At the very least, its time for all hardware makers to adopt “line-lump” power supplies that put the step-down transformer in-line and give you a normal-sized plug. End of sermon.
In terms of advanced features, the RP-614 is pretty well appointed, though not quite as completely as the D-Link offerings. It offers port-forwarding, DMZ, dynamic DNS, and static routing. Missing from the mix, however, is port-triggering, a useful way to open specific ports only when theyre needed, and keep them closed the rest of the time. But, as a consolation prize, the dynamic DNS feature is useful, particularly if you have a domain name that you want to have associated with dynamically changing IP addresses (i.e. your ISP assigns you IP addresses dynamically, but you want to keep the same domain name for your game server). Sites like DynDNS provide this type of service. Still, if made to choose between the Dynamic DNS and port triggering, wed rather have port-triggering.
No Port Triggering: The RP614 lacks a key feature found in the D-Link routers called Port Triggering, which allows a port to be punched open dynamically when an application requests it. When the app is finished doing whatever it does, the port is shut down.
As a kind of consolation prize, the RP614 does allow you to block off specific domain names or IP addresses from being accessed– a useful feature for parents trying to steer their kids clear of questionable material (porn, hate sites, Tupperware, etc.). Theres even a “back door” feature that allows one trusted IP address to override this filter and access the verboten content. A nice feature, but having port triggering as well would be useful.
Like the D-Link offerings, we wound up having to use port forwarding to make the RP-614 visible on the UT Master List of available deathmatch servers. We also tried the DMZ option, but as well discuss in a bit, this should be an absolute LAST resort to getting a multiplayer server up and running, since it makes the server machine very vulnerable to attack. Once we enabled port-forwarding for the needed port addresses, we were able to get UT up and running.
Nmap port scans found the port address ranges used by UT to be filtered on the TCP side, and Nmap reported them as open on the UDP side. As previously noted, we have some concern about Nmaps reporting technique for UDP ports as being opened.
We ran into a stability issue as well. We left a dedicated UT server running over the weekend, and came back Monday to find the router had locked up hard, which required a special tool (a paper-clip) to reset it.
This was the only crash we saw from the RP-614, but it was also the only crash we saw in the entire roundup. This crash occurred while the unit was sitting relatively idle, so were left wondering whether it will crop again when under a fairly heavy load.
Next, we tried to see a shared folder on a Windows machine that was behind the routers firewall. Windows file sharing uses ports 139 and 445, and TCP port scans of both of these ports showed them to be filtered. We were unable to see either the machine itself, or the shared folder on the target machine.
The RP-614 brings together most of the features one would want to have in a broadband router, but given the choice between it and D-Links DI-604, well take the D-Link.
ZIFFPAGE TITLEHome LAN Security
Irrespective of what piece of networking gear you have or are looking to buy, there are some standard rules of the road that you should follow to avoid having one, or possibly all of the machines on your home network get trashed by some no-account script kiddie.
For starters, all the routers tested here support the DMZ feature, which essentially makes one machine on your network completely open to the Internet. Game servers left unprotected in DMZs are usually brought crashing down by gamer/crackers with more time than sense. So unless you like to watch a carcass get picked over by scavengers, dont ever put an unprotected game server box into the DMZ. Even so, some games simply require DMZ to operate.
Software firewalls like ZoneAlarm can protect a DMZed system well, and you can setup specific settings to ensure that most ports are locked down to prevent unwelcome visitors from making a mess of things. ZoneAlarm is still free after all these years, although the Pro version will run you $50 bucks. The free version gives you a very good working set of features, while the Pro version adds more enhanced email attachment threat quarantine and protection. The free version only quarantines VB scripts.
Another solid software firewall app is BlackIce, which is shareware, and a registered version goes for about $40. Note that the reviewed routers have basic firewall filtering built-in, but the software firewalls tend to fill in some important gaps. For an in-depth discussion on software versus hardware firewalls, check out PC Magazines recent story.
Features like port-triggering and port-forwarding are much better ways to put a multiplayer game server up on the Net, while at the same time minimize the threat to your server and other machines. Even so, you should run ZoneAlarm on any server box you let outsiders access. This requires some initial tweaking and permission giving to get working, but its a minimal fuss compared to a potentially massive calamity.
ZoneAlarm uses two simple sliders to set internal and external security levels. We played with ZoneAlarms settings for UT, and wound up having to dial down the external security setting from High to Medium, since the High setting essentially makes your machine invisible on the Net.
We liked these sliders so much, we think they would make a great addition to the broadband routers we tested. While the routers Web-based interfaces provide very granular control, they can be intimidating to network newbies. A simple slider would be a helpful addition.
Three of the four of the reviewed routers lack Stateful Packet Inspection (SPI), also referred to as dynamic packet filtering. In an opinion piece penned a while back, Bill Machrone explained SPI:
“[With Stateful Packet Inspection,] the router is trying to be intelligent about correlating behavior over time. It rejects packets that dont conform to expected behavior. SPI also knows about common exploits, broken and incomplete packets, and a bunch of other hacks. It rejects these packets, too. The downside of SPI is that the routers are more expensive and they tend to be slower, too. The dinky little microcontrollers that run inexpensive routers are hard-pressed to keep up with the data stream, much less examine every packet heuristically and logically.“
While SPI, despite the somewhat ironic acronym, would be a good added feature to the routers weve looked at here, for many it would seem to be overkill. The combination of a NAT router, good firewall policies, and software firewall apps like ZoneAlarm, you can have your network secure enough to keep out all but the most determined crackers, and your game servers should be protected as well.