Walkthrough and Review: OpenMesh G200 Router/Firewall

We serve small businesses in Central Ohio who leverage the Apple ecosystem. I can't tell you how often we run into companies who are using some consumer-grade POS "router" they got from Best Buy - or worse, are using what they got from their internet provider. These devices just don't provide anything close to adequate security for small businesses given today's threat landscape. While we feel that Cisco Meraki is the gold standard for business-grade cloud-managed networking, it's not right for everyone. For some time we've been looking for a device - and preferably a full stack (router, switches, and wireless access points) that we can confidently recommend to clients. As an OpenMesh partner, we were thrilled when they announced their G200 router. We've been fans of their wireless access points for quite a while, so we couldn't wait to get our hands on their router. After a couple weeks with it, here's our review. . .

Initial Impressions

My first impression of the device is that it's light. While it seems well put together, its lack of heft made me question its robustness, and I really wonder what sort of user load this thing will handle. There are two WAN ports, one standard Ethernet and the other an SFP port. SFP is particularly nice if you are connecting directly via fiber. There are four LAN ports which operate as a switch by default, but can be set up independently. Two of the ports will provide 24V passive Power over Ethernet (PoE) to devices that will accept it (including OpenMesh's two new wireless access points). We feel that passive PoE was a curious choice, as the industry standard has moved to "regular" PoE (IEEE 802.3af/at). Passive PoE puts voltage on the wire without the negotiation that 802.3af/at devices expect, so if you have wireless access points from another vendor, these two ports may or may not power them; check the access point's power input spec before plugging it into a powered port.

Setup

To set up the device, you need to have a Cloudtrax account. Cloudtrax is OpenMesh's cloud management portal. All devices are configured and managed in Cloudtrax. I initially had some trouble setting up the router. It simply didn't show up as an option in my Cloudtrax portal. After some digging, the answer was buried in a FAQ - that I needed to upgrade my Cloudtrax instance to the "New User Management System". Nothing on my Cloudtrax portal even told me this was an option, much less suggested that I upgrade to this new interface. Once I upgraded to the "New User Management Interface" (which looks exactly the same as before), I now had the "Routers" section in Cloudtrax. Adding the device is dead simple. You simply enter the MAC address, which is found on the box and the underside of the device, and specify which network you want to add it to. Then you have options for Port Settings, WAN Settings, LAN Settings, VLANs, Firewall/NAT, VPN, and QoS. We'll discuss each of these, as well as navigating Cloudtrax to manage the device.

Port Settings is where you set the specifics of each port. You can add a label to the LAN ports for identification purposes as well as set the link speed. For the WAN ports, you can set the priority of one over the other, as well as the link speed. In almost all cases, you'll leave the link speeds set to Auto all around. But we do run into some fiber providers who mandate that we drop the link speed of the WAN to 100Mb/s.

WAN Settings, as you'd expect, is where you set the connection settings specified by your internet provider. You can set it to DHCP, which grabs the network settings from your internet provider. Here you can also manually specify which DNS servers you use. In our experience, most ISP-supplied DNS servers aren't very good, so at this point we're recommending Cloudflare's resolvers (1.1.1.1 and 1.0.0.1), which provide a great combination of speed and privacy. If you need to set up the router with a static IP address, that's done here as well. Note that the device has to be connected to Cloudtrax before it can receive those settings, which creates a chicken-and-egg dilemma. Out of the box the G200 connects via DHCP, so you can put it behind another router and let it pull the settings down from Cloudtrax, but the flashing LED on top really doesn't signal when it has connected and successfully applied them. This matters because the only other way to set a static IP on the device is to SSH in and edit configuration files by hand, and let's face it, regular non-IT folks aren't going to SSH into their devices. It's also worth mentioning that we've found setting a static IP really doesn't work properly if you set up a new G200 behind another G200. I understand leaving a web-based configuration interface out of the device itself to reduce overhead, but doing so makes this process a lot harder than it needs to be. It's a corner that I feel shouldn't have been cut. It also struck me that there is no provision for dynamic DNS on the G200 itself. For those who don't have a static IP and wish to use the VPN, that's a glaring omission: VPN clients need a stable name or address to connect to.

LAN Settings is where you set the local IP address of the G200 as it will appear on your network, and where you set the DHCP information for your local network. There is also a section for DHCP Reservations that confused me for a while. This is where you tell the G200 to issue a specific IP address to a specific device: you enter the MAC address of the device, a description, and the IP address you want that device to have. The catch is that any address you reserve this way must fall inside the DHCP pool. I guess that makes sense, since they're "DHCP Reservations". However, there are a lot of cases (virtual machines, for instance) where I can't or don't want to set a static IP on the host and yet want it to get a specific address outside the pool. It would be much more useful, and less likely to cause conflicts, if this were "Fixed IP Assignments" rather than "DHCP Reservations", without the restriction to the pool. In the meantime, a device that needs an address outside the pool has to be configured statically on the device itself, and it's worth keeping a list of those so they never overlap the pool or each other.
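Because the portal only tells you a reservation is wrong after you've typed it in, here is a small checker we'd run over a reservation list before entering it. This is an added example written for this review, not OpenMesh or Cloudtrax code; the LAN, pool and reservation entries below are constructed, and the (mac, description, ip) tuple shape simply mirrors the three fields on the Cloudtrax form. It flags exactly the cases that bite: an address outside the pool (the G200 won't accept it), an address that collides with the router's own LAN IP, an address on the wrong subnet, and duplicate MACs or IPs.

```python
"""Check DHCP reservations against the pool they must fall inside.

Added example, not OpenMesh/Cloudtrax code. It models the gotcha described
above: a reservation whose IP lies outside the DHCP pool is rejected, and a
reservation that collides with the router's own LAN address or duplicates
another entry is flagged before you type it into the portal.
"""
import ipaddress
import re

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")


def check_reservations(lan_cidr, router_ip, pool_start, pool_end, reservations):
    """Return a list of (mac, ip, problem) tuples; empty means all entries are sane.

    reservations: iterable of (mac, description, ip), the three Cloudtrax fields.
    """
    net = ipaddress.ip_network(lan_cidr, strict=False)
    router = ipaddress.ip_address(router_ip)
    lo, hi = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    problems = []
    seen_macs, seen_ips = set(), set()
    for mac, desc, ip_str in reservations:
        try:
            ip = ipaddress.ip_address(ip_str)
        except ValueError:
            problems.append((mac, ip_str, "not a valid IP address"))
            continue
        if not MAC_RE.match(mac):
            problems.append((mac, ip_str, "malformed MAC address"))
        mac_key = mac.lower().replace("-", ":")
        if ip not in net:
            problems.append((mac, ip_str, f"outside LAN {net}"))
        elif ip == router:
            problems.append((mac, ip_str, "collides with router LAN address"))
        elif not (lo <= ip <= hi):
            # The G200 only reserves addresses inside the pool; anything else
            # has to be configured statically on the host.
            problems.append((mac, ip_str, f"outside DHCP pool {lo}-{hi}; use a static IP on the host"))
        if mac_key in seen_macs:
            problems.append((mac, ip_str, "duplicate MAC"))
        if ip in seen_ips:
            problems.append((mac, ip_str, "duplicate IP"))
        seen_macs.add(mac_key)
        seen_ips.add(ip)
    return problems


# Constructed sample: a /24 LAN with a pool covering .100 to .200.
SAMPLE = [
    ("00:11:22:33:44:55", "printer", "192.168.10.150"),      # fine
    ("00:11:22:33:44:66", "vm-host", "192.168.10.20"),       # outside pool
    ("00:11:22:33:44:77", "nas", "192.168.10.1"),            # router's own IP
    ("00:11:22:33:44:55", "printer-dup", "192.168.10.151"),  # duplicate MAC
    ("00:11:22:33:44:88", "typo", "192.168.1.150"),          # wrong subnet
]

if __name__ == "__main__":
    for mac, ip, why in check_reservations("192.168.10.0/24", "192.168.10.1",
                                           "192.168.10.100", "192.168.10.200", SAMPLE):
        print(f"{mac} {ip}: {why}")
```

Run it and you get one line per problem; an empty result means the list is safe to type in. The "outside DHCP pool" case is the one the portal itself will refuse, so catching it here saves a round trip.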

VLANs: We rarely set up VLANs for our clients, so while we didn't test this functionality, the setup looks very straightforward. However, it seems that you must assign a VLAN to a specific LAN port, thereby limiting the device to a maximum of four VLANs. Perhaps I'm missing something here.

Firewall/NAT is where you would expect to find the various firewall rules, port forwarding, and NAT settings. But there are no firewall rules displayed at all. You assume the firewall is active, but if you're hoping for custom firewall rules you're going to be disappointed. For most folks this won't be an issue, but we IT types like having a little more visibility into what is and isn't being blocked. The port forwarding works fine. Just set a description, the incoming port, the protocol, the destination IP, and the destination port. If you've set up port forwarding before, this won't throw you at all. However, you have to enter each port forward individually; there is no mechanism to add a range of ports in a single entry. What this means is that if you have to forward ports 3970-3972, you need to make three separate entries rather than a single entry covering that range. The extra data entry creates a lot more potential for transposing numbers and such. It just doesn't seem well thought-out. And since every forward is a hole through a firewall whose rules you can't see, a transposed port or destination address is exactly the kind of mistake you don't want to make silently; keep the list short and re-read each entry after saving it.
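Since the portal makes you type one entry per port, we generate the entries from a short spec and check them before entering anything. This is an added example for this review, not OpenMesh code; the rule dictionaries and addresses below are constructed, and the field names (description, proto, external, dest_ip, dest) just mirror the fields on the Firewall/NAT page. It expands a range like 3970-3972 into the individual entries the G200 wants and refuses two things the extra typing invites: the same protocol and external port forwarded twice, and a destination that isn't on the LAN.

```python
"""Expand port-range specs into per-port forwards and sanity-check them.

Added example, not OpenMesh/Cloudtrax code. The portal accepts one external
port per entry, so a range has to be typed once per port; this generates
those entries from a compact spec and catches duplicate (protocol, port)
pairs, out-of-range ports and forwards to hosts outside the LAN.
"""
import ipaddress


def parse_ports(spec):
    """'3970-3972' -> [3970, 3971, 3972]; '443' -> [443]. Raises ValueError on junk."""
    spec = spec.strip()
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-", 1))
    else:
        lo = hi = int(spec)
    if not (1 <= lo <= hi <= 65535):
        raise ValueError(f"bad port spec {spec!r}")
    return list(range(lo, hi + 1))


def expand_forwards(rules, lan_cidr):
    """rules: dicts with description, proto ('tcp'/'udp'), external, dest_ip and
    optional dest (defaults to the same ports as external).
    Returns (entries, problems): entries are one-port forwards ready to type in."""
    net = ipaddress.ip_network(lan_cidr, strict=False)
    entries, problems, seen = [], [], {}
    for r in rules:
        proto = r["proto"].lower()
        if proto not in ("tcp", "udp"):
            problems.append(f"{r['description']}: unknown protocol {r['proto']}")
            continue
        dest_ip = ipaddress.ip_address(r["dest_ip"])
        if dest_ip not in net:
            problems.append(f"{r['description']}: {dest_ip} is not in LAN {net}")
            continue
        ext = parse_ports(r["external"])
        dst = parse_ports(r["dest"]) if r.get("dest") else ext
        if len(ext) != len(dst):
            problems.append(f"{r['description']}: external and destination ranges differ in length")
            continue
        for e, d in zip(ext, dst):
            key = (proto, e)
            if key in seen:
                # Two forwards on the same external port: only one can win.
                problems.append(f"{r['description']}: {proto}/{e} already forwarded by {seen[key]}")
                continue
            seen[key] = r["description"]
            entries.append({"description": f"{r['description']} {e}", "proto": proto,
                            "external": e, "dest_ip": str(dest_ip), "dest": d})
    return entries, problems


# Constructed sample rules.
RULES = [
    {"description": "app", "proto": "tcp", "external": "3970-3972", "dest_ip": "192.168.10.50"},
    {"description": "web", "proto": "tcp", "external": "8443", "dest_ip": "192.168.10.51", "dest": "443"},
    {"description": "oops", "proto": "tcp", "external": "3971", "dest_ip": "192.168.10.52"},
    {"description": "wrong-lan", "proto": "udp", "external": "5060", "dest_ip": "10.0.0.5"},
]

if __name__ == "__main__":
    entries, problems = expand_forwards(RULES, "192.168.10.0/24")
    for e in entries:
        print(e)
    for p in problems:
        print("PROBLEM:", p)
```

The printed entries are what you copy into the portal one at a time; anything under PROBLEM needs a decision before it goes in, because the portal will happily accept a second forward on an already-used port.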

VPN functions using OpenVPN and is almost too simple to set up. You enter a network address that's not on the same subnet as your LAN for the VPN to hand out, a subnet mask to tell it how many addresses can be given out, and a checkbox for whether VPN users can access the primary LAN. From there, you add your VPN users by setting a Name (usually the name of the connection) and the login name, and then just click Add. There is no creating a certificate authority, no creating user certs, not even setting a password. So from the router side of things, it's super-easy. From the Mac side, it's not horrible, but not as smooth as it could or should be. First, all of OpenMesh's documentation covers VPN client setup on Windows; there's no mention of Mac setup at all. When asked about this over Twitter, OpenMesh suggested Tunnelblick as an OpenVPN client. It was like they just googled "OpenVPN Mac" and spit out the first thing that popped up rather than actually testing anything themselves. Anyway. . .Tunnelblick is garbage. Yes, it's free and yes it's open source. But it's still garbage. We've been using and deploying the Viscosity OpenVPN client from SparkLabs. Yes, it's payware ($9), but it's available for both Mac and Windows, and it's been rock solid. After some brief testing, it seems to work just fine with the G200. When you download a user's VPN credentials, the G200 gives you a zip file containing the client files you need. Inside that folder, you only care about one file, the "<loginname>.ovpn" file. Double-click it and it will import the configuration into Viscosity. You may want to change the connection name in Viscosity, but this is optional. From there it seems to connect fine. When I first connected, it surprised me that Viscosity didn't even prompt for a username and password. Apparently the authentication is handled behind the scenes in the router configuration. I'd love to get more details from OpenMesh on how this is handled. We've been using OpenVPN for several years with pfSense devices, and while its OpenVPN client export gives us a nice .visc file tailor-made for Viscosity, the user must enter a username and password on the first connection. What the lack of a prompt tells you (our inference; OpenMesh doesn't document it) is that the key material that authenticates the user is carried in the .ovpn file itself, so that file is the credential: anyone who gets a copy of it can connect as that user. Treat it like a password, deliver it over a secure channel rather than plain email, and remove the user from the G200 if a copy goes missing. My only other concern is that, given the lack of heft of the device, I question how many simultaneous VPN connections the G200 will handle before performance is adversely affected.
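Rather than take the "no prompt" behaviour on faith, you can open the .ovpn and see what it carries. Below is a small profile inspector we use for that; it is an added example written for this review, not OpenMesh code, and the sample profile inside it is constructed (placeholder certificate bodies, a made-up server name), not a real G200 export. It separates OpenVPN's inline <ca>/<cert>/<key>/<tls-auth> blocks from the plain directives and then answers the questions that matter: does the profile authenticate with a client certificate, is the private key embedded in the file, would it prompt for a username and password (an `auth-user-pass` directive with no file argument), and does it pin the server certificate.

```python
"""Inspect an OpenVPN client profile to see what it carries as credentials.

Added example, not OpenMesh code. The G200 hands out a <loginname>.ovpn that
connects without prompting; this parser shows what such a file embeds
(inline <ca>/<cert>/<key>/<tls-auth> blocks, or an 'auth-user-pass'
directive that would cause a prompt) so you know whether the file alone is
the credential. The sample profile below is constructed, not a real export.
"""
import re

# OpenVPN inline blocks look like <tag>...</tag> and may span many lines.
INLINE_BLOCK = re.compile(r"<(?P<tag>[\w-]+)>\s*(?P<body>.*?)\s*</(?P=tag)>", re.S)


def parse_ovpn(text):
    """Return {'directives': {name: [[args...], ...]}, 'inline': {tag: body}}."""
    inline = {m.group("tag"): m.group("body") for m in INLINE_BLOCK.finditer(text)}
    stripped = INLINE_BLOCK.sub("", text)
    directives = {}
    for line in stripped.splitlines():
        # '#' and ';' both start comments in OpenVPN config files.
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return {"directives": directives, "inline": inline}


def credential_report(profile):
    """Summarise how the profile authenticates and which secrets it embeds."""
    d, inline = profile["directives"], profile["inline"]
    has_key = "key" in inline or "key" in d
    has_cert = "cert" in inline or "cert" in d
    has_userpass = "auth-user-pass" in d
    # 'auth-user-pass' with no argument prompts; with a file argument it reads
    # the credentials from that file and never asks.
    prompts = has_userpass and not any(d["auth-user-pass"])
    return {
        "client_cert_auth": has_key and has_cert,
        "prompts_for_password": prompts,
        "embeds_private_key": "key" in inline,
        "embeds_tls_key": any(t in inline for t in ("tls-auth", "tls-crypt")),
        # If the key and cert are inline and nothing else is asked for, the
        # file by itself is enough to connect.
        "file_is_sole_credential": has_key and has_cert and "key" in inline and not has_userpass,
        "verifies_server_cert": "remote-cert-tls" in d or "verify-x509-name" in d,
    }


# Constructed sample profile: placeholder PEM bodies, made-up server name.
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
remote-cert-tls server
cipher AES-256-GCM
<ca>
-----BEGIN CERTIFICATE-----
MIIB...constructed...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIIB...constructed...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MIIE...constructed...
-----END PRIVATE KEY-----
</key>
"""

if __name__ == "__main__":
    for k, v in credential_report(parse_ovpn(SAMPLE_OVPN)).items():
        print(f"{k}: {v}")
```

Point it at the file from the G200's zip (read the file into a string and pass it to parse_ovpn). If file_is_sole_credential comes back True, the handling rules above apply: that file is the user's login. If verifies_server_cert is False, the client will accept any server presenting a certificate from the embedded CA, which is fine for a single-router deployment but worth knowing.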

QoS is short for Quality of Service. It tells the device to prioritize some traffic over other traffic. This especially comes into play if you have VoIP: you want to make sure that your network doesn't get so bogged down with other things that your VoIP calls get garbled and/or drop. But as implemented now, the G200's traffic shaping is completely useless. It only has a few traffic classes (Audio, File Sharing, Gaming, Search, Social, Video, Voice, and Web) and lets you set each one's priority to Unrestricted, High, Medium, or Low. But the thresholds are set so high they won't shape anything: even the "Low" setting only restricts at 200Mb/s, which means it only throttles that traffic if it exceeds 200Mb/s. When most internet connections are still at or below 100Mb/s, no class of traffic can come close to that "Low" threshold. This needs to be a lot more granular. For example, I want to be able to cap video at, say, 5Mb/s of total bandwidth. I want to be able to block P2P traffic altogether. And I want to guarantee Voice no less than 3Mb/s. In the current implementation, QoS may as well not even be offered.

Cloudtrax and Performance

First, let's get performance out of the way. The G200 won't be a bottleneck. We tested the device up to 400Mb/s without issue, and a colleague who has gigabit fiber tested it to better than 800Mb/s. To be fair, this is without any advanced security features such as content filtering or intrusion detection running (the G200 doesn't offer either), but it's still pretty impressive for a $250 device. The Cloudtrax interface, however, is functional but has a few quirks and a couple of glaring holes. First, the glaring holes. When going to Network Overview, the "Top Clients" section only shows the devices connected to our OpenMesh wireless access points. The wired devices don't show up on the Network Overview page at all. At the top of Network Overview, there's a pull-down for the wireless networks (SSIDs). It's almost as if OpenMesh didn't think to include the G200 as a player on the network here. A pretty serious WTF? Then when you go to Manage->Routers, it shows a list from which you have to click on the router to get to its information, as if there is going to be more than one router on a network. It's just an unnecessary extra click to get to the router's information. Once there, it shows you the graph for bandwidth use and the basics of the router: the last time it checked into Cloudtrax, the model, MAC, and firmware. Then it shows the Clients page. This page left me confused, and has another gaping hole. I'm confused because I look at the list of clients, select the "Last 2 hours" setting, and see machines that I know have not been on the network in 4+ days. If the machines haven't been connected to the network for 4+ days, why does Cloudtrax seem to say it's seen them on the network in the last 2 hours? Yet when I go to Manage->Clients there's a column for "Last Seen" that seems to actually reflect reality. That column isn't available on the "Router Clients" page. In View Options, there's a choice for "Last Seen On", but checking that only displays the MAC address again. Then there's another glaring hole. As mentioned above, when you go to Network Overview and look at Top Clients, that shows only wifi devices. Further, when you go to Manage->Clients, it too shows only wifi devices. So why are wired clients omitted from what should be a list of all devices on the network? Then. . .Manage->Clients shows information about what SSID the device is connected to, as well as upload and download totals (for the wifi devices). However, when you go to Manage->Routers and look at the G200's Status page, it shows the "Router Clients" but gives no usage information at all for the wired clients. Nothing tells me how much upload or download the wired devices are doing. It shows the info for the wifi-connected devices (in Manage->Clients), so why does it not show it for wired devices? This information is critical in resolving network issues in a timely fashion, and it's just not here. The real problem is that there's no one place to see information about all the devices on the network, wired and wireless. Right now, from an IT/MSP perspective, the router's integration with Cloudtrax simply isn't up to scratch. Managing the device in Cloudtrax is cumbersome, confusing, and inaccurate.

Summary

Let's start by saying this is a perfectly capable router that I would be glad to deploy to clients with less than 20 or 25 users. "But you just ripped it to shreds!", you say. Yeah, I did. And here's why. This is a perfectly capable device and it works well. With the firewall and VPN, in particular, there's more that I have to take on faith than I'd like, but functionally the device works really really well - especially for a $250 router. But. . .I think that if OpenMesh can fix some of the integration issues with Cloudtrax and connect some of those last dots, this thing has the potential to be the best small business router on the market today. I honestly think the foundation is there for this to be a truly unbeatable device. I know OpenMesh/Datto are committed to making the products great. Let's hope they can implement the feedback of their users and partners in short order.