Mercutio
Fatwah on Western Digital
Anyone remember Mega-Maid from Mel Brooks' "Spaceballs"?
Mega-Maid does not have enough suck to describe the Linksys BEFSX41.
OK, granted, it's a little Linksys black-box Internet Access device. I'll bet 80% of the folks who visit here either have something similar or have at least configured one.
Switching? Fine. It switches. NAT-ing? It's good at that too.
But then there's the VPN thing...
The BEFSX41 is actually the VPN equivalent of anti-matter.
Allow me to explain:
The "VPN" in the product name actually refers to the fact that if you've got two BEFSX41, one on each end of a connection, you can have the routers build an IPSEC-encrypted tunnel with all the 3DES calculations offloaded to the routers.
That certainly is spiffy, isn't it? 'Cause, y'know, that's exactly what I was expecting. Not.
What I was expecting was a device with some kind of built-in client and/or server. Except that the BEFSX41 can't connect to a "standard" PPTP or L2TP RAS server with Windows 200x nor a Linux-based SSH server. Nor can a Linux or Windows client connect to the BEFSX41, at least not using IPSEC with shared key encryption.
So... I moved on to port redirection to an internal VPN RAS server. Redirected ports 1723 and 500 (required for PPTP) to an internal machine and let fly with a connection on an external client.
Nothing.
After futzing around with the logs, and turning off all firewalling-like options, I discovered that the BEFSX41 has no facility for forwarding IP Protocol #47, Generic Routing Encapsulation (this is a protocol, not a port. ICMP, the protocol used by the "ping" command, is protocol #6) to an internal address. No PPTP-based VPN will ever connect unless it can receive that information.
L2TP also failed to connect. I couldn't find a cause, but port 1701 was redirected.
But... some helpful folks who have posted rants similar to this one noted (the reason I am posting this is as a warning and so google snags it, folks) that if you download the 1.41.3 firmware from Linksys' FTP site (this was a downgrade, and that firmware is not available on Linksys' web site), the BEFSX41 properly forwards GRE info along with everything else.
And... that worked. I connected. Authenticated. Windows flashed "you are connected" and I could see the connection in RRAS Manager on my server. 30 seconds after connection, though, the VPN would disconnect and no further connections were possible until the router was hard-reset.
I literally spent all day trying to make a VPN work with one of these things. I couldn't do it. In the end I slapped a WRT54G in between the same cables and I was at least able to use my 2000 server as a VPN host.
The BEFSX41 is not worth money. Period. Linksys should be paying people to take it. Stay away.
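The GRE forwarding problem described above, as an added example that is not part of the original post: a small Python model of a NAT forward lookup showing why port redirection alone catches the PPTP control connection but not the GRE data channel. The addresses, the forward table and the function names are constructed for illustration and do not come from the router's firmware.

```python
import socket
import struct

TCP, UDP, GRE = 6, 17, 47  # IANA IP protocol numbers

# Hypothetical forward table mirroring the post: (protocol, dst port) -> internal host
PORT_FORWARDS = {(TCP, 1723): "192.168.1.10", (UDP, 500): "192.168.1.10"}

def ipv4_packet(proto, payload, src="203.0.113.5", dst="198.51.100.1"):
    """Build a constructed IPv4 packet (checksum left at 0; never sent)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload

def classify(packet):
    """Return (protocol, dst_port or None) from raw IPv4 bytes."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    if proto in (TCP, UDP):
        # TCP and UDP both start with source port, destination port
        _, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        return proto, dport
    return proto, None  # GRE has no port field for a port rule to match

def forward_target(packet, protocol_forwards=None):
    """Internal host the packet is forwarded to, or None if it is dropped."""
    proto, dport = classify(packet)
    if dport is not None:
        return PORT_FORWARDS.get((proto, dport))
    # Only a per-protocol rule (GRE passthrough) can match a portless packet
    return (protocol_forwards or {}).get(proto)

# Constructed samples: PPTP control (TCP SYN to 1723) and the GRE data channel
tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 1723, 0, 0, 0x50, 0x02, 8192, 0, 0)
pptp_control = ipv4_packet(TCP, tcp_hdr)
# Enhanced GRE header used by PPTP: key bit + version 1, protocol type PPP
gre_hdr = struct.pack("!HHHH", 0x2001, 0x880B, 0, 1)
pptp_data = ipv4_packet(GRE, gre_hdr)

if __name__ == "__main__":
    print("control channel ->", forward_target(pptp_control))
    print("data channel    ->", forward_target(pptp_data))
    print("with GRE rule   ->", forward_target(pptp_data, {GRE: "192.168.1.10"}))
```
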