A few weeks ago I reported that I had purchased a new firewall, a Netgear FVS124G. I was enthusiastic about it at first but, like most technology, the teething problems showed up rather quickly. Between then and now I’ve been dealing with technology at a level that I no longer enjoy. But it does appear that, with the help of people at the Vonage Forum, the Netgear Support Forum, and Netgear tech support I have managed to get most things working correctly.

The FVS124G has several features that attracted me:

Combined with my little Netgear GS608 Gigabit switched hub it makes a perfectly adequate small office backbone. The trouble was the firmware didn’t actually work in many areas. The idea behind dual WAN ports is that you can have two broadband connections. The firewall offers three modes of connecting:

  • Manual selection
  • Auto-rollover
  • Load Balancing

Manual mode means one WAN port is active. If it goes down (a daily occurrence with DSL in my area) you manually switch to the secondary (cable modem in my case.) Auto-rollover means that the firewall monitors the state of the primary WAN and if it senses failure it automatically switches over to the secondary. Load balancing is where both WAN ports are active and the firewall distributes traffic between them.

I wanted to use Load Balancing mode, taking advantage of the bandwidth available via both my DSL line and my cable modem line. I naively thought I could get better performance and reliability with less hassle. This is sorta true, sorta not. Everything has a price.

It turns out that lots of net connections require continuity – that is, they can’t send packets over two different broadband connections because the source IP address changes. HTTPS is one such protocol. VoIP is another. There are others, I’m sure. When these connections get broken up over two source IP addresses they cease to work. Since I’m a Vonage VoIP user once I switched to Load Balancing mode my phone stopped working. Not good.

I fiddled with that for quite a while, trying different firewall rules, QoS settings, etc. Nothing worked. The FVS124G has a protocol binding function which, in theory, would let me force all traffic from a given device or protocol to a specific WAN port. But it didn’t work. Even after setting up the correct rules a packet trace showed that VoIP packets were going over both WAN ports.

After reading some tech notes and forum entries I upgraded to the latest Netgear firmware release (v 1.1.38.) That was a disaster. The new firmware slowed my DSL connection to a crawl – about the same as an old 56k dial-up connection. It was terrible. So even if the other problems had been resolved, the new problems were worse. So I went back to my original firmware (v 1.1.30) and eventually got back to my starting point. But I couldn’t use Load Balancing.

The only way I could get the Vonage device to make a clean connection was to switch to Manual or Auto-rollover. Even with that I had to go through some hoops, as v 1.1.30 wasn’t SIP compliant and all the SIP functions had to be manually disabled by telnetting into the box and issuing some arcane commands via a command line. In the end I settled on using Auto-rollover mode so that if my cable modem (now primary) went down (which it did with some regularity) the firewall would switch to DSL which, hopefully, would choose some different time to be down each day.

The trouble with this arrangement was that once the firewall “rolled over” to DSL it did not recover when the primary WAN came back online, instead going into Load Balancing mode and using both WAN ports. Which killed my phone service. Again. And required that I reboot the firewall.

Not much better than having to manually switch it.

As a result of all this testing, experimenting, and tech support contact the folks at Netgear asked if I would try an intermediate version of firmware, v 1.1.33, and try again.

I’m pleased to report that v 1.1.33 seems to be much better behaved. The protocol binding issue appears to be resolved, as well as having full SIP compliance. In fairly short order I have been able to verify that packets from the Vonage device are, indeed, staying on the WAN port for which they are designated. But there is still no free lunch.

You see, distributing traffic across two broadband connections adds overhead. Somewhere some processor must decide what packets go where, and that takes time. The net result is that total throughput in Load Balancing mode is actually somewhat lower than when using a single, dedicated WAN port. I had not thought about this.

To minimize the problem I can set up protocol binding rules to shape traffic and, essentially, perform manual load balancing. This seems to work pretty well. It lets me address my basic problem which is that my local LAN traffic was breaking up my VoIP connection, but it does little to add reliability. Now any given service or connection is subject to the service level of the broadband connection to which it is dedicated.
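The check described above (confirming from a packet trace that bound traffic stays on its designated WAN port) as an added Python example; it is not part of this post or of Netgear's firmware. The trace rows, LAN addresses, ports and binding rules are all constructed for illustration: the VoIP adapter is pinned to one WAN and HTTPS to the other, and the script flags both packets that contradict a binding rule and flows that were split across two WAN ports, which is exactly what breaks a SIP call or an HTTPS session.

```python
from collections import defaultdict

# Constructed sample trace (not a real capture): (src_ip, proto, dst_port, egress_wan).
TRACE = [
    ("192.168.1.50", "udp", 5060, "WAN1"),   # VoIP adapter, SIP signalling
    ("192.168.1.50", "udp", 10000, "WAN1"),  # VoIP adapter, RTP media
    ("192.168.1.50", "udp", 10000, "WAN2"),  # same RTP flow leaking onto the other WAN
    ("192.168.1.20", "tcp", 443, "WAN2"),    # workstation, HTTPS
    ("192.168.1.20", "tcp", 443, "WAN2"),
    ("192.168.1.20", "tcp", 80, "WAN1"),     # plain HTTP, free to be balanced
]

# Hypothetical protocol binding rules, first match wins: match fields -> WAN port.
RULES = [
    ({"src_ip": "192.168.1.50"}, "WAN1"),          # pin the VoIP adapter to WAN1
    ({"proto": "tcp", "dst_port": 443}, "WAN2"),   # keep HTTPS sessions on WAN2
]


def expected_wan(pkt, rules=RULES):
    """Return the WAN a binding rule assigns this packet to, or None if unbound."""
    src_ip, proto, dport, _ = pkt
    fields = {"src_ip": src_ip, "proto": proto, "dst_port": dport}
    for match, wan in rules:
        if all(fields[key] == value for key, value in match.items()):
            return wan
    return None  # no rule matched: the firewall may balance it freely


def binding_violations(trace, rules=RULES):
    """Packets that left on a WAN other than the one their binding rule requires."""
    return [pkt for pkt in trace if expected_wan(pkt, rules) not in (None, pkt[3])]


def split_flows(trace):
    """Flows (src_ip, proto, dst_port) observed leaving on more than one WAN.

    The source port is ignored so that a whole SIP/RTP or HTTPS exchange from one
    host counts as one flow; a flow on two WANs means its source IP changed mid-session.
    """
    wans_by_flow = defaultdict(set)
    for src_ip, proto, dport, wan in trace:
        wans_by_flow[(src_ip, proto, dport)].add(wan)
    return {flow: sorted(wans) for flow, wans in wans_by_flow.items() if len(wans) > 1}


if __name__ == "__main__":
    for pkt in binding_violations(TRACE):
        print("binding violated:", pkt)
    for flow, wans in split_flows(TRACE).items():
        print("flow split across WANs:", flow, wans)
```

To use it on a real trace, export (source IP, protocol, destination port, egress interface) columns from the capture into TRACE and adjust RULES to mirror the firewall's binding table.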

If my DSL line goes down (two or three times a day for 5-10 minutes each) my phone doesn’t work. If my cable modem goes down (this is getting rarer now) my e-mail and web browser don’t work. So I’m pretty much back where I started, except I do have clearer VoIP connections.

At least there is symmetry.