Multitech RF550VPN SOHO VPN Router
These are no longer manufactured. See Kerio Control Firewall for an excellent VPN firewall/router.
(link dead, sorry)
Router is an inexpensive ($179.00 list ) Internet access router
with VPN capabilities suitable for home or small office use.
Features not found in lower end products include
- Five (5) IPSEC VPN tunnels
- Automatic dialup to emergency ISP if WAN connection fails
- Both client and WAN side filtering
- Virtual servers (inward port redirection)
- Redirect RF550VPN logging to a syslog server
- Flash upgradable firmware
Of course it also includes the normal features you would expect
in this sort of unit such as DHCP, PPPOE, and WAN sid MAC address
I set this up both as a home office router and also used a pair
of these to connect two offices with a VPN.
Physically, this is a small (7.1 x 4.9 x 1.4 inches high) unit
with a WAN ethernet port, 4 LAN ports (10/100 switch), and a DB-9
RS232 connector. You aren't limited to 4 connected computers; up to
253 client computers can use this (simply connect one of the 4 LAN
ports to your existing hub or switch).
Unfortunately, the current version of this does not include
support for additional subnets.
Small Office/Home Office Internet Access
The RF550VPN comes preset with a 192.168.2.1 IP address and with
DHCP active. The simplest way to handle this is to disconnect a
machine from the rest of your network, set it to use DHCP, and plug
it into one of the LAN ports (the WAN port can be connected or
unconnected at this time). Reboot the PC, and it will get address
192.168.2.2. You can now use a browser to configure the RF550VPN by
using http://192.168.2.1. You'll be able to change this to work
with your current network later.
WARNING: There is apparently a bug with some versions of
Netscape and older versions of Internet Explorer that can cause
problems. The only place I noticed this was in setting up VPN's
(see below). It's probably best to use the current IE6 version of
Internet Explorer to configure these. Using an older Netscape
browser broke the VPN- I had to redo it with IE to restablish the
Choose the Setup Wizard from the main menu to begin configuring
the unit. After setting the time, you get to change the IP address
and subnet mask. This change won't actually take affect until you
save and restart. There's no point in doing that until you finish
the rest of the configuration, at which time you can connect this
to the rest of the network and reset the PC to its normal
Next is Cable and ISP settings. You can leave the ISP address
blank for a DHCP assigned address or fill in a static address. You
can fill in a DNS address in either case. Only one DNS address is
requested; that's probably something that should be fixed in future
ISP Additional Settings lets you configure such things as PPPOE
where a user name and password are required by your ISP. You can
also assign a specific host name if required, and force this router
to use a specific hardware MAC address when the ISP has installed
setup software on a PC that locks you into one specific network
card. The RF550VPN will use that address in all its WAN traffic
(you can leave the PC that had this MAC address on the internal
networ; the RF550VPN only uses the assigned address for the WAN
If you have a backup dialup account, you can configure the
RF550VPN to use that if the Cable or DSL line goes down.
The final section of the Wizard is VPN settings; I'll cover that
For many simple setups, you are now done. Save and restart, and
it is ready to go. If you aren't using the DHCP here to assign IP
addresses to your PC's, you'll need to give them a default address
pointing at this and configure them for DNS.
If you are using DHCP or have a more complex network, there are
adjustments you may want to make under Advanced Settings.
Under DHCP Server Settings you can enable or disable DHCP and
assign the IP address range to use. You can also reserve specific
ip addresses for machines by MAC address, but you can't control any
other DHCP settings; this is a very basic DHCP server. If you need
more capability, you need to use something else within your
Virtual Server Settings lets you forward ports to your internal
network. You'd use this if you have internal mail or web
If you have internal subnets, you may need to add Static
Routing. You could also learn routes through RIP by turning that on
in Dynamic Routing.
Filter Settings lets you apply simple rules to LAN and WAN side
Modem Settings would only be used if you have a dialup account
and your modem is non-standard.
The RF550VPN supports up to 5 IPSEC VPN's. These can be router
to router (completely transparent to client machines; no software
on the clients) or, for road warriors, you can use (additional
cost) client software.
The combined throughput of all 5 VPN's is limited to 700k bps.
This is as much data as it can encrypt. Unless your Internet
connection is quite a bit faster than that, that's not really a
I setup a router to router VPN. The necessary information is
very simple. Each side of the connection has to have a name (it can
be the same name on both sides or different). You need to specify
the ip address scheme of the remote network and it needs to be
different than the other end. For example, here we show one side of
the VPN. This side uses a 10.1.1.0 network; the VPN it is
connecting to uses 192.168.2.0. You also need at least ONE of the
sides to have a static IP address- you specify the address or leave
it at 0's if the other side is dynamic.
The only other piece of information that can't be left at
defaults is the shared key. This will be the same on both sides.
This key obviously should be long and composed of alphanumeric,
numeric and punctuation characters for good security.
Once both sides are set up, all it takes to activate is an
attempt by one side to reach something on the other side. For
example, a machine on the 10.1.0.0 network could ping 192.168.2.1
(if one of the sides is dynamic, it is THAT side that will have to
initiate the connection).
Windows NT etc.
In most VPN situations, we have the unfortunate circumstance of
having to deal with an NT server at one end of the connection. The
problem with this is a chicken and egg scenario: the clients need
to authenticate to the NT server, but broadcasts to find the server
do not cross routers (and a VPN is a router).
The easiest (though most expensive) way to solve this is to put
in another NT server at the remote end and enable Wins resolution.
The cheap way (the way I'll discuss here) is to use LMHOSTS files
on the remote clients.
Note: it's not LMHOSTS.TXT or LMHOSTS.SAM- it's LMHOSTS with no
extension. It's too easy to get this wrong in the Windows GUI-
Windows stupidly hides file extensions and Windows programs are
adverse to creating files without extensions. It's better to drop
down to a DOS command prompt to work on these files.
Windows people get confused by HOSTS and LMHOSTS. You can have
either or both in your C:\WINDOWS ( or \WINNT or wherever your
system root is) and under some conditions they could even be
identical, but they serve different purposes. It's really very
simple: HOSTS is exactly like Unix /etc/hosts and serves exactly
the same purpose. An LMHOSTS can look like a HOSTS file, but it
also supports different syntax and its purpose is for browsing
across subnets. Here's an example of each; these files would be
installed on the 192.168.2.0 machines of the network described
10.1.1.1 "MYDOMAIN \0x1b" #PRE
10.1.1.1 NTSERV1 #PRE #DOM:MYDOMAIN
10.1.1.15 NTSERV2 #PRE #DOM:MYDOMAIN
Here we have a PDC (NTSERV1, Primary Domain Controller) and a
BDC (NTSERV2, Backup Domain Controller).
The magic line here is the one in LMHOSTS with the 0x1b. That
has to be the 16th character of the stuff between quotes, so
various domain names would look like this:
10.1.1.1 "MYDOMAIN \0x1b" #PRE
10.1.1.1 "DOMAIN \0x1b" #PRE
10.1.1.1 "LONGERDOMAIN \0x1b" #PRE
10.1.1.1 "SHRT \0x1b" #PRE
Put those files in place and either reboot or run:
The "-c" should show you that it has picked up the
NTSERV1 <03> UNIQUE 10.1.1.1 -1
NTSERV1 <00> UNIQUE 10.1.1.1 -1
NTSERV1 <20> UNIQUE 10.1.1.1 -1
NTSERV2 <03> UNIQUE 10.1.1.15 -1
NTSERV2 <00> UNIQUE 10.1.1.15 -1
NTSERV2 <20> UNIQUE 10.1.1.15 -1
MYDOMAIN <1B> UNIQUE 10.1.1.1 -1
Now the remote clients can log into the NT domain and access
resources as though they were local. I have found that the first
attempt to login often fails; click cancel and try again- the
second try usually gets through.
If you have other machines on the LAN, you need to list them if
you want to be able to access them. If you don't, you'll see them
in network neighborhood, but you won't be able to open them. You
would be able to access them by ip address however: start run
\\10.1.1.91 would work.
This of course means that you can't conveniently use DHCP for
machines with shared resources. NT Wins would overcome that.
The same is true from the "main" side- if those machines need to
access clients on the remote VPN, you have to have Wins or LMHOSTS
files there also. These would have 192.168.2.x listings.
When testing this, be sure you know a working login and
password. If you have an incorrect name or password, you may still
get a message that would make you think that you were unable to
connect to the NT machine. I also advise trying it from more than
one machine- I had one machine that was somehow screwed up
internally- it could access the internet, but it could NOT access
across the VPN. As it was due for replacement anyway I never did
get to find out why, but this machine tied me up for almost an hour
thinking there was something wrong with the VPN itself. There was
not anything wrong; it was just this machine.
If this page was useful to you, please help others find it:
More Articles by Tony Lawrence
- Find me on Google+