I recently obtained a Netgear LG6100D LTE Gateway from Sprint as a backup for my hard internet connections. The device seemed perfect on paper: Cellular connectivity for the home or business network!
I’ve used some bad consumer routers in my day, but this is one of the worst I’ve encountered. Or maybe it’s that it looked so promising at first and then let me down so hard.
Update (2014-08-26): I found that you can access the native Netgear web GUI. It has a heck of a lot more features, and solves many of the complaints I have with the “correct” way of configuring this device.
Upon logging in the user interface is clean, fairly informative, and I noticed that the values were updating automatically for Status and Data Usage. Some AJAX is a nice touch on this kind of device.
The very first thing I decided to do upon seeing the Wi-Fi networks listed in the lower-left was to disable WiFi. I’m going to be integrating this with my existing network, and I already have multiple access points.
Complaint 1: There is no place to turn off WiFi. You can turn off the “Guest Wi-Fi”, but can’t disable the 2.4Ghz and 5Ghz regular WiFi access points.
OK, fine. Not a huge deal. I set the passphrases to something ridiculously long and random, set the “Wi-Fi Range” to “Short”, hid the SSID and changed the connection rate to the lowest (narrowest) possible. The device is in my basement, so hopefully that’ll be enough to prevent any Nosy Nellies from racking up charges on my data plan.
The next thing I did was to set up my LAN. Here’s what the setup page looks like (I’m using some fake values for these screenshots):
I did actually RTFM for the DMZ setting so that I was sure what it did: All unsolicited traffic from public networks (the internet) will be forwarded to this address.
That’s perfect for me, because the only network devices downstream from the 6100D will be my routers. They’ll handle all the firewalling and NATing.
Complaint 2: Although the LAN settings allow you to specify any netmask you want (I went with a /16, or 255.255.0.0), you can only change the last octet of the DMZ IP. In other words, the DMZ device has to be on the same /24 as the 6100D.
Again, not a big deal, but for organizational purposes I would have liked to have had them on different /24s.
Because of that limitation I ended up messing with my settings. Here’s how I had the router configured at one point:
I then realized that those settings wouldn’t be ideal, and so I changed the LAN IP:
I saved it, and the third octet of the DMZ changed to “1” to match the third octet of the LAN IP. Then I changed the last octet of the DMZ to “1”, saved, and wound up with these settings:
But wait, the DMZ should be 10.222.1.1. I tried to change it again. It remained stuck (even across reboots) at 10.222.1.3.
Then I looked at the actual network traffic going from the 6100D to my router. DMZ traffic was going to 10.222.2.3 — the old setting.
Complaint 3: The DMZ IP address can become “stuck” on a value that doesn’t match what’s displayed in the GUI, and there is no way to change it.
I tried re-IPing the router back to 10.222.2.1 and then changing it and the DMZ value back in various different sequences. No dice.
I was afraid to do a factory or settings reset, as I worried that might wipe out some cellular data settings that were preloaded by Sprint. (In theory all it should need is the SIM, but you never know!)
I used the 6100D’s “Download / Backup” feature to download my config. It was base64 encoded plaintext. I decoded it and found this setting:
```
table=StaticNatConfig; columns=Enabled;LocalHostIPAddr;LocalHostMACAddr;
1;10.222.2.3;d4:ae:52:xx:xx:xx;
```
Great! That’s the setting!
I did notice that the URL now had the suffix ErrorNum=3, so I suppose that the upload failed.
Complaint 4: However no error was given in the GUI. There was no indication that the upload had failed, and certainly not a reason for the failure. (I want to be clear that I don’t blame the upload failure on Netgear; I probably didn’t notice/update some CRC or other information. My objection is the lack of reasonable error reporting).
Lack of error reporting brings me to the system log. I went there to see if there was explanation for the failed upload. There was no mention of the upload, but…
Complaint 5: All the dates were in 1970. Clearly this thing hadn’t synchronized with an NTP server or some such (even though it had been connected to the Sprint network for some time).
That brings me to the “Date & Time” settings:
I decided to set the date and time manually. I unchecked “Automatic Time Update” -> “Enabled” and hit “Submit”. I got alerted that the settings were saved successfully and, uhhh…
Complaint 6: There is no way to set the date and time manually. Look:
The “Local Time” field is static. There is no way to set the date and time. So why even be able to disable NTP in the first place? (Oh, there’s a reason — we’ll get to it.)
Incidentally, it says “EST(Central Standard Time)” in the time zone dropdown. I’ll not make that a separate complaint, but it gives you an idea of the amount of quality control that went into this thing.
While I was poking around in the plaintext config file, I found this little doozy:
```
table=AdminInfo;rev=2; columns=AdminUserID;AdminPassword;PWNotAllow;RemoteAccessEnable;SessionTimeoutEnable;SessionTimeoutInterval;SessionTimeoutTimeLeft;EnableGUIAuth;Preffered_Proto;RemoteHttpsEnable;EnableRecovery;SecQ1ID;SecAns1;SecQ2ID;SecAns2;UserRole;TimeStamp;
admin;MyActualPassword;password;;;;;1;;;0;0;;0;;0;;
admin;password;;0;0;20;16;1;0;1;0;;;;;;;
;;;;;;;;;;;;;;;;;
support;password;;;;;;1;;;;;;;;1;;
user;password;;;;;;1;;;;;;;;2;;
```
Complaint 7: The admin password is stored in plaintext in the backup file.
OK, it’s base64 encoded which will put off the average user-level pair of prying eyes. But I wouldn’t exactly feel comfortable leaving my router’s backup settings unencrypted on a network drive.
Complaint 8: What are those “user” and “support” accounts? I tried logging in as both from the GUI and could not. But is there some back door that I’m not aware of? They’re not mentioned in the GUI, and there’s no way to change those passwords that I can see (well, there is, but we’ll get to that).
I don’t know about you, but I find superfluous and immutable user accounts to be sketchy at best.
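Because the backup is only base64-encoded, checking it for secrets before it lands on a shared drive takes a few lines. The Python below is an added example, not Netgear's code or a tool from the post: it decodes a backup in the `table=...; columns=...;` layout quoted above (both the StaticNatConfig record and the AdminInfo record), pairs each row's fields with the column names, and lists every non-empty value found in a password-looking column, then separates out accounts still carrying the factory value. The sample backup is constructed here with a shortened AdminInfo column list and dummy values; the rule that rows are whitespace-separated and fields semicolon-separated is an assumption inferred from the two records in the post.

```python
"""Audit a base64 config backup (6100D-style record layout) for plaintext credentials."""
import base64
import re

# Constructed sample: same record layout as the post's decoded backup, with a
# shortened AdminInfo column list and dummy values.
SAMPLE_PLAINTEXT = (
    "table=StaticNatConfig; columns=Enabled;LocalHostIPAddr;LocalHostMACAddr; "
    "1;10.222.2.3;d4:ae:52:xx:xx:xx; "
    "table=AdminInfo;rev=2; columns=AdminUserID;AdminPassword;PWNotAllow;UserRole; "
    "admin;MyActualPassword;password;0; ;;;; support;password;;1; user;password;;2;"
)
SAMPLE_BACKUP = base64.b64encode(SAMPLE_PLAINTEXT.encode()).decode()

# Column names that usually hold a secret. Extend as needed for other tables.
SECRET_COLUMN = re.compile(r"pass|passwd|pwd|secret|psk|key", re.IGNORECASE)

# Values that mean "still the factory default" (constructed list for this example).
FACTORY_DEFAULTS = {"password", "admin", "1234"}


def _fields(segment):
    """Split one 'a;b;c;' segment into fields, dropping the single trailing ';'."""
    if segment.endswith(";"):
        segment = segment[:-1]
    return segment.split(";")


def parse_backup(b64_text):
    """Decode the backup and return {table_name: {"columns": [...], "rows": [dict, ...]}}.

    Assumption (inferred from the post): every record starts with 'table=NAME;',
    may carry 'rev=N;', then 'columns=...;' and whitespace-separated rows.
    """
    text = base64.b64decode(b64_text).decode("utf-8", errors="replace")
    tables = {}
    for chunk in text.split("table=")[1:]:
        segments = chunk.split()                      # rows are whitespace-separated
        name = segments[0].split(";", 1)[0]           # 'AdminInfo;rev=2;' -> 'AdminInfo'
        col_index = next(i for i, s in enumerate(segments) if s.startswith("columns="))
        columns = _fields(segments[col_index][len("columns="):])
        rows = [dict(zip(columns, _fields(s))) for s in segments[col_index + 1:]]
        tables[name] = {"columns": columns, "rows": rows}
    return tables


def find_plaintext_secrets(tables):
    """Return (table, account, column, value) for every non-empty secret-column value.

    The first column of a row is taken as the account / host identifier.
    """
    findings = []
    for name, table in tables.items():
        secret_cols = [c for c in table["columns"] if SECRET_COLUMN.search(c)]
        for row in table["rows"]:
            account = row[table["columns"][0]]
            for col in secret_cols:
                value = row.get(col, "")
                if value:
                    findings.append((name, account, col, value))
    return findings


def default_credentials(findings):
    """Accounts whose stored secret is a factory default (the 'support'/'user' case)."""
    return [account for _, account, _, value in findings if value in FACTORY_DEFAULTS]


if __name__ == "__main__":
    tables = parse_backup(SAMPLE_BACKUP)
    for table, account, col, value in find_plaintext_secrets(tables):
        print(f"{table}: account {account!r} has {col} stored in the clear ({value!r})")
    print("factory-default accounts:", default_credentials(find_plaintext_secrets(tables)))
```

Run against a real backup by passing the file's contents to `parse_backup`; anything the script prints is exactly what a stranger with read access to that file would see, which is the point the post makes about keeping such backups unencrypted.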
Let’s talk about why I’m using a DMZ host in this scenario.
I already have redundant router/firewalls that are directly connected to the internet using my two hard line connections. They both “own” public IPs and firewall/NAT traffic to and from my internal networks. They’re simply PCs running CentOS having 9 ethernet ports each, and they work great.
For me, this DMZ setting will result in “double-NATing”. In other words, all traffic coming into the 6100D will be DNATed to my router, and the router will DNAT it to my server. That’s sub-optimal for a variety of reasons.
(Of course if this “router” actually let me add “routes” I could use its port forwarding feature and obviate the need for the second level of NATing. We’ll get to that topic later on.)
The 6100D does offer a setting that’s extremely sexy on first glance: IP Passthrough.
From the documentation:
You can designate a computer behind the gateway to receive unsolicited traffic from the public
Note: The public WAN IP will be assigned to this computer.
That sounds perfect! Let’s look at the settings page for this feature:
Hmm.. “Device Name” is a drop-down with nothing in it. And what’s the DHCP lease time?
The documentation says:
In the Device Name drop-down list, select a computer.
In the DHCP Lease Time fields, enter the days, hours, minutes that you want to assign the public IP to this computer.
That was not very helpful, which is typical of the documentation.
Complaint 9: This feature does not work. There is never a computer listed in the “Device Name” dropdown. In fact, I tried this with the 6100D connected directly to my laptop back when it was fresh from the factory and it still didn’t work.
Besides that complaint, a whole host of questions are raised:
- Does the computer to which the IP is “passed through” use the upstream DHCP server on Sprint’s network, or does it use the DHCP server on the 6100D?
- If my cellular WAN IP address changes before the end of the lease time I’ve set, will it still update my computer’s address? What exactly does that lease time mean? And why is it there? Why not just use the upstream lease settings?
- Based upon what’s written in the documentation (“[time] that you want to assign the public IP to this computer”) is this really a DHCP setting, or does it mean that after that time period the IP will simply revert back to the 6100D instead of the downstream computer?
- Is it accomplishing the passthrough by bridging the WAN connection to the LAN connection? Or does it use some kind of internal double-NATing? In other words, by what mechanism does it “pass through” the IP?
Complaint 10: Even if I did see my computer listed in the “Device Name” dropdown, this feature would be completely useless to me as it’s documented to the point of obscurity.
Speaking of obscurity:
Complaint 11: The “Custom” setting on the firewall is useless. You cannot make custom firewall settings of any use.
Let me show you:
Looks simple enough. There are some default rules. ICMP is allowed, and a variety of TCP and UDP services are blocked. (Note that there is no “remove” button, but I suppose you could override these rules by putting another rule prior in the chain. It’s not really “custom”, but whatever.)
The page does state:
Control outbound traffic initiated from within the local network.
Inbound traffic may be controlled by configuring Port Forwarding.
Wonderful. So it’s more like half of a firewall. Port forwarding is not firewalling. I’m using the DMZ feature, not the port forwarding feature, yet I’d still like to block ports at the edge. This is not only for security, but to avoid unnecessary data usage charges (more on that later).
But OK, let’s press the “Add” button:
BTW – The “Rule Name” is actually the “Service Name”. You set up services in another section of the GUI. They are basically just named definitions of a port range and protocol. In this case I have already configured “VPN (SMR)” in services to match my OpenVPN server settings.
“Action” allows you to set either “Allow Always” or “Block Always”. I want allow.
Here’s why the custom firewall is meaningless:
THERE IS NO NETMASK FIELD! A firewall wherein you’d have to black- or white-list every individual IP is useless.
If I leave the “Lan Users” or “Wan Users” blank, I get an error that the IP addresses are required. If I set either to “0.0.0.0” (figuring maybe it would accept that as a wildcard) it gives an error that the IP is not valid. So neither of the “intuitive” ways of inputting 0.0.0.0/0 is allowed, let alone a more nuanced netmask.
Complaint 12: The documentation is terribly vague about a lot of things, and the custom firewall in particular. This is literally all it has to say on the matter:
Custom is an advanced configuration option that allows you to edit the firewall configuration directly. Only expert users should attempt this
I’ll grant that I’m not an expert on the Netgear 6100D custom firewall. So maybe there’s something I’m missing. But if there is, I can’t find it.
Oh, and those two screenshots that I’ve showed to you? That’s all there is to the “custom” firewall. The rule editing dialog is the same as the add dialog. That’s it.
Speaking of custom things:
Complaint 13: There is no ability to edit the routing table(s).
Leaving a heck of a lot out, here’s how I have the 6100D connected to my workstation:
WORKSTATION <-----> CORE ROUTER <-----> NETGEAR 6100D
My network is similar to this:
But since I can’t add a custom route to the 6100D, it tries to route all packets destined for my workstation over the public internet! Hence in order for me to even administer the device, I had to SNAT all traffic destined for 10.222.1.11/32 with a source of 10.222.1.1. It’s pretty stupid that I have to do that, but it works.
It also means that (even if I wanted to) I couldn’t use the Netgear’s “port forwarding” (DNATing) in my environment — none of my servers are on the 10.222.0.0/16 network.
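To make the routing problem concrete, here is an added Python model (not the device's code, and not from the post) of why the 6100D sends replies for the workstation out to the internet and why the SNAT workaround fixes it. It implements longest-prefix-match lookup over a routing table built the way the post describes the 6100D's: the configured 10.222.0.0/16 LAN plus a default route to the cellular WAN, with no way to add more. The workstation subnet 192.168.50.0/24 is a placeholder, since the post does not give it; 10.222.1.1 (core router) and 10.222.1.11 (the 6100D) are taken from the post. The `iptables` line in the comment is the standard form of the SNAT rule the post says the core router needs; it is not executed here.

```python
"""Model the 6100D's routing decision and the core-router SNAT workaround."""
import ipaddress

# Constructed model of the gateway's routing table as the post describes it.
GATEWAY_ROUTES = [
    ("10.222.0.0/16", "lan"),   # the connected LAN the author configured
    ("0.0.0.0/0", "wwan"),      # default route: everything else goes to the cellular WAN
]

WORKSTATION_NET = "192.168.50.0/24"   # placeholder; the post does not name this subnet
CORE_ROUTER_LAN_IP = "10.222.1.1"     # core router's address facing the 6100D (from the post)
GATEWAY_LAN_IP = "10.222.1.11"        # the 6100D's LAN address (from the post)

# The static route the author would add if the GUI allowed it (hypothetical).
WITH_CUSTOM_ROUTE = GATEWAY_ROUTES + [(WORKSTATION_NET, CORE_ROUTER_LAN_IP)]


def next_hop(dest, routes):
    """Longest-prefix match: the 'via' of the most specific route containing dest."""
    addr = ipaddress.ip_address(dest)
    best_net, best_via = None, None
    for prefix, via in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_via = net, via
    return best_via


def reply_destination(client_ip, snat_source=None):
    """Address the gateway sees as the client.

    With the workaround, the core router rewrites the source of packets bound
    for the gateway before forwarding them, equivalent to:
      iptables -t nat -A POSTROUTING -d 10.222.1.11/32 -j SNAT --to-source 10.222.1.1
    so the gateway's reply is addressed to an on-link host instead.
    """
    return snat_source or client_ip


def reply_path(client_ip, routes, snat_source=None):
    """Which interface/next hop the gateway uses for its reply to client_ip."""
    return next_hop(reply_destination(client_ip, snat_source), routes)


if __name__ == "__main__":
    ws = "192.168.50.10"
    print("no custom route, no SNAT  ->", reply_path(ws, GATEWAY_ROUTES))          # wwan
    print("custom route (if allowed) ->", reply_path(ws, WITH_CUSTOM_ROUTE))       # 10.222.1.1
    print("SNAT on core router       ->", reply_path(ws, GATEWAY_ROUTES, CORE_ROUTER_LAN_IP))  # lan
```

The first case is the failure in the post: the reply to a non-10.222.0.0/16 address matches only the default route, so the gateway hands a private-address packet to the carrier. The SNAT case makes the reply target 10.222.1.1, which the /16 covers, at the cost of the gateway never seeing the real client address.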
Complaint 14: Dynamic DNS: Paid or Chinese.
The only two options for Dynamic DNS are DynDNS.org or 3322.org.
DynDNS.org no longer offers free DDNS services. 3322.org is apparently Pubyun, a Chinese company. I have no problem with it being a Chinese company in general, and it looks like they’ve been doing DDNS since 2001. However their website is in Chinese, and I can only assume that their servers are in China and that they may not provide support in English.
My problem is not with the two services on offer, it’s that they are the only two services on offer and that there is no custom option.
Fortunately I happen to know of a relatively new (and believe me, very unknown) DDNS service from Kisolabs that is both free and will let you spoof your device’s DNS so that it thinks it’s hitting DynDNS.org.
Let’s get to what is probably my biggest complaint of all.
In trying to resolve the DMZ IP address issue that I had, I said to myself, “hey Scott, this appears to be running some kind of *nix because the config file shows snippets of iptables commands. Maybe you can SSH in.”
So I issued `nc -z 10.222.1.11 1-1023` with the following results:
```
Connection to 10.222.1.11 23 port [tcp/telnet] succeeded!
Connection to 10.222.1.11 80 port [tcp/http] succeeded!
Connection to 10.222.1.11 179 port [tcp/bgp] succeeded!
Connection to 10.222.1.11 443 port [tcp/https] succeeded!
```
Oh-kay. No SSH, but telnet is open!?
```
# telnet 10.222.1.11
Trying 10.222.1.11...
Connected to 10.222.1.11.
Escape character is '^]'.

BusyBox v1.1.3 (2014.01.02-13:26+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

# ls /WFIO/current.cfg
/WFIO/current.cfg     (<- That's the configuration file that's manipulated by the GUI, and that's read on boot.)
#
```
Wait. No authentication?
Complaint 15: NO AUTHENTICATION.
You’d think that maybe this would be an environment with some very strong deny permissions, but no.
Complaint 16: Not only are the configuration and even the GUI HTML files readable, THE CONFIG FILES ARE WRITABLE!
Complaint 17: And THE CONFIGURATION FILE CONTAINS THE ADMIN PASSWORD IN PLAIN TEXT!
Complaint 18: And THERE IS NO WAY TO DISABLE TELNET ACCESS from the GUI!
And remember: There is no way to turn off WiFi.
Who designed this thing???? It’s a security nightmare.
The only thing I can guess is that maybe Netgear charged its engineers with creating a honeypot, and they accidentally released that codebase to production for this device.
Oh, and search the user guide for “telnet”. You’ll find that it’s mentioned three times. Once in regards to services that could be permitted by the firewall, once in the index, and once on page 109:
Are Terminal Sessions Supported?
Terminal sessions (for example, via telnet or ssh) are not supported.*
*Documentation written by Kafka.
ARE YOU KIDDING ME?
The craziest part is that I haven’t even tried playing with most of the other settings. I can’t imagine how many complaints I’d have if I actually delved into this!
Even just trying to navigate between the settings that I do need is counter-intuitive. Let’s look at the left navigation bar:
You want to change the password to the router. Quick, which menu item do you click on!? Nope, I would’ve thought it was Security as well. But it’s under Settings.
And what about dynamic DNS settings? NOPE! That’s in Security.
When you do go into Settings there are four tabs from which to choose:
General is fair enough, but Network actually means “WAN / Cellular” and Router actually means “Basically Whatever”. Manage VPN is refreshingly self-explanatory.
Here’s the sub-menu under the Router tab:
Most of this is just… wrong.
- Even though there’s a section for “Port Forwarding”, the DMZ port forwarding setting is under “Basic”.
- Port filtering is here instead of under the Security menu.
- “MAC Address Cloning” only specifies that it’s the “Router MAC Address”. BUT THIS ROUTER HAS SEVEN INTERFACES! Does this apply to any one of the four WiFi interfaces, the LAN interface, or one of the two WAN interfaces? (The documentation makes it seem like it applies to the hardline WAN port — but all the other settings for the hard WAN interface are under the Network tab. So why is this here??)
- “File Sharing” should not be under the Router tab. It shouldn’t even be a feature on this device.
Hence, Complaint 19: Poor organization of the menus.
Thanks for hanging in there! I know it’s been a long ride, but let’s round this out to an even twenty:
Complaint 20: By default this thing suckles at your data plan.
It’s constantly in communication with various servers in the sprint.com and netgear.com domains. I can see this in the system logs. The requests appear to be for data usage information and NTP synchronization respectively. By default it also checks for system updates (I am up to date, BTW).
I haven’t done any “scientific” testing, but look at this:
In the last 50 minutes it’s used 0.12MB of data. My router is not pushing traffic to the 6100D, and I currently have no publicly addressable services served by it. I’m administering it over the LAN port.
That’s just “idle” utilization.
So, that’s 0.0024MB per minute. Assuming that’s an average level of utilization then it uses 104MB per month at idle.
That’s over 10% of my data cap just gone! Sprint actually sells a 100MB/month plan for this device. Imagine your face when it uses up your entire data cap (and then some) on trivial, unwanted, unnecessary data!
OK, to be fair I can disable NTP or point it to local (LAN-connected) servers. And maybe (maaayyybe) Sprint doesn’t actually bill for the data going to/from sprint.com. But are most users going to know this?
And remember that even (possibly) unbilled data to/from sprint.com will spawn DNS requests. Are you using Sprint’s DNS servers? Do they charge for that traffic?
But what about unsolicited requests on blocked ports? Does every TCP SYN count against my data plan? Does every UDP packet destined for my IP count against it?
Moreover, since I can’t set up custom firewall rules and don’t want to use “port forwarding” the 6100D is going to happily SYN/ACK any TCP connection and forward the packets right along to my DMZ host! So someone could rack up huge charges on my connection just by spamming my IP with large packets, even if I don’t reply!
In conclusion: The Netgear 6100D LTE Gateway is not ready for prime time. I couldn’t even recommend it for home use due to gaping security holes, let alone in a business environment as Sprint suggests:
What about me? I’m going to keep it. It’s my only reasonable option. Sprint has the most competitive pricing of any of the major providers, and this hardware appears to be the best available (at prices I’m willing to pay). I have found workarounds for all of the complaints that are strictly relevant to my environment. The security holes are acceptable to me because I’m using a one-off password and my LAN interface is firewalled off from being accessed by all but my own workstation.
It’s still the worst networking device I’ve seen since the “Cisco” (Linksys) RV042.
I’ve been doing this long enough to know that rants about a device that I’ve only owned for a few days may contain some inaccuracies. I may even be dead wrong about some of my overarching complaints and assumptions.
As of today (August 25, 2014) comments are closed on this site due to an extraordinary number of spammers. But please contact me by email if you have any comments or corrections: scott
Complaint 21: The 6100D runs a DLNA server, and there’s no way to turn it off. (Well, there is.)
Complaint 22: The 6100D listens on port 3457 on all interfaces and port 9000 on the LAN interface. They both appear to be HTTP servers, but I have no idea what they do or why they’re there. The documentation doesn’t mention them.
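The nc scan earlier in the post and the two undocumented listeners in Complaint 22 are the same kind of finding: a LAN-side port that should not be open. As an added example (not from the post, and not a Netgear tool), the Python below parses `nc -z` output in the exact format the post shows, compares the listeners against a baseline of what a LAN admin actually needs, and flags anything unexpected plus anything that offers a cleartext login such as telnet. The sample scan output is constructed here from the post's four lines with ports 3457 and 9000 added; nc prints `[tcp/*]` for ports with no `/etc/services` name. The baseline set is an assumption for this example.

```python
"""Diff a nc -z port scan of a gateway against a baseline and flag risky listeners."""
import re

# Constructed sample: the post's nc output plus the two undocumented ports.
SAMPLE_NC_OUTPUT = """\
Connection to 10.222.1.11 23 port [tcp/telnet] succeeded!
Connection to 10.222.1.11 80 port [tcp/http] succeeded!
Connection to 10.222.1.11 179 port [tcp/bgp] succeeded!
Connection to 10.222.1.11 443 port [tcp/https] succeeded!
Connection to 10.222.1.11 3457 port [tcp/*] succeeded!
Connection to 10.222.1.11 9000 port [tcp/*] succeeded!
"""

# One nc success line: host, port, protocol, service name (or '*').
LINE_RE = re.compile(r"Connection to (\S+) (\d+) port \[(\w+)/([^\]]+)\] succeeded!")

# Assumed baseline: the web GUI is the only thing a LAN admin needs from this box.
EXPECTED_LAN_PORTS = {80, 443}

# Services that send credentials in the clear; any hit is a finding on its own.
CLEARTEXT_ADMIN = {21: "ftp", 23: "telnet"}


def parse_nc_output(text):
    """Return [(host, port, proto, service), ...] for each 'succeeded!' line."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            host, port, proto, service = m.groups()
            entries.append((host, int(port), proto, service))
    return entries


def audit_listeners(entries, expected_ports):
    """Split open ports into what the baseline allows and what needs explaining."""
    open_ports = sorted({port for _, port, _, _ in entries})
    return {
        "open": open_ports,
        "unexpected": [p for p in open_ports if p not in expected_ports],
        "cleartext_admin": [p for p in open_ports if p in CLEARTEXT_ADMIN],
    }


def describe(report):
    """Human-readable summary lines for the report."""
    lines = [f"open ports: {report['open']}"]
    for p in report["unexpected"]:
        lines.append(f"port {p}: not in baseline, undocumented until explained")
    for p in report["cleartext_admin"]:
        lines.append(f"port {p}: {CLEARTEXT_ADMIN[p]} offers a cleartext login; block or disable")
    return lines


if __name__ == "__main__":
    report = audit_listeners(parse_nc_output(SAMPLE_NC_OUTPUT), EXPECTED_LAN_PORTS)
    print("\n".join(describe(report)))
```

On the 6100D the GUI cannot close these ports, so the practical use of the report is as a checklist for the firewall in front of the device's LAN interface (as the post describes doing) and as a regression check after each firmware update.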
This isn’t a complaint about the device itself, so I’m not going to number it:
I posted a link to this review on both Netgear’s and Sprint’s timelines. Netgear hasn’t replied, but even worse Sprint did reply:
That’s just disgraceful. Am I talking to a bot?
I don’t expect Sprint’s social media rep to read the entire 3,500 word blog post. I’m not that self-important. But look at that last comment:
Sprint: What kind of device are you using? Have you tried to call the manufacturer of the device? Are you eligible for an upgrade? Let me know. – Brenda
The manufacturer and model number are both right in the title! And no, I’m not eligible for an upgrade. It says right in the blurb that “I recently obtained a Netgear LG6100D LTE Gateway from Sprint”. Not two years ago.
But that is completely irrelevant in the first place, because this device is not sold with a contract. You simply buy it. Now that is something their reps should know.
And this sounds like a classic ELIZA response from the 1960s:
Sorry that you feel this way. What’s going on to have you feel like this? – Fernendez
Get it together, Sprint.
Man, I just keep finding more and more stuff about this device that is just stupid or downright buggy.
Complaint 23: The device seems to, without obvious reason, occasionally flood the LAN with multicast messages from the igmpproxy. That process uses about 75% CPU, with the remaining available CPU going to IO. It freezes the GUI, but it stops after a few minutes.
Complaint 24: IP forwarding seems to be based upon MAC address in some convoluted way, rather than the IP address you actually enter. This may actually be the cause of the DMZ problems I was having (discussed above), but in this case I’m specifically talking about “Port Forwarding”, not the DMZ setting.
Complaint 25: Another simple example of stupid design. Let’s look at yet another screencap:
The 6100D tracks data usage both by billing cycle and by session.
(I think “month” in this interface means “billing month”, but now that I look at it I’m not sure. It may mean “calendar month”. Who knows?)
Tracking data usage right in the router is a big plus! The billing usage data comes from Sprint’s servers (I can see that in the logs), so even though it says that it’s “approximate and may vary”, it should be a pretty good indication of billable usage. Hopefully.
So, what do you think that “Reset” button does? It’s right there tucked to the lower-right of the session data usage.
It should reset the usage counter for the session, wouldn’t you think? That would be really useful if, let’s say, you were playing Call of Duty and were curious as to how much traffic that game was pushing through the WWAN. You could reset it, play away, and then take a look.
It would be absolutely stupid and pointless if that button reset the statistics for your billing cycle. I mean, it wouldn’t actually reset your billing, right? It wouldn’t turn back time and start the month over, right?
WELL THE RESET BUTTON RESETS THE BILLING CYCLE USAGE STATISTICS, NOT THE SESSION STATISTICS.
You can see this evidenced in the screencap, wherein I have 24 days left in my billing cycle and yet have used no data. Even though in my current session I have used 0.57MB!
This boggles my mind more than even the unsecured telnet interface. The telnet thing was clearly an accident. I’m giving them the benefit of the doubt that they probably just forgot to comment out the telnet daemon start command in the init script(s) before releasing to manufacturing. (Though it should have been caught in QA, but what do I know?)
But this reset button seems to be part of an intentional design decision. It’s so vastly illogical and pointless that I can’t imagine how it made it into this device. Unless the device is wholly under-planned, under-engineered, and under-tested. And it does indeed seem to be all those things at once.
Update (2014-08-28) – I’m just about done with Sprint
Today’s complaint is a bit of a tangent, as it doesn’t pertain to the device. It’s about Sprint’s website.
Specifically the bill payment section of their website. You know, the one that has to do with my hard-earned money and their revenue (something for which shareholders have a great concern — I’m glad I’m not one). This is the section of the site that should be absolutely reliable and well designed.
This is what I was treated to when I paid my bill:
Looks perfectly normal, right? But see that grey button in the lower-right? The one that says “Authorize”? The one I’m only supposed to click once to avoid duplicate charges? Well, I’ve already clicked it. It was yellow before, and now it’s grey.
It’s been grey like that for 75 minutes and nothing has happened. No “payment successful”, no “sorry, payment unsuccessful”, no timeout. No response at all.
And I’m sure that Sprint would be happy to tell me that it was the fault of my internet connection, except that I seriously doubt it because I wasn’t using their horrible device. Plus I paid four other bills while waiting for them to process my payment. Then I went to lunch.
So now here I am. I decided to go back to view my payment history, and there was nothing there. I checked my credit card online and there was no charge from Sprint. Fine. I’ll try again.
On my second try the payment went through in about 10 seconds. (Which in this day and age is an eternity.) Success!
But I don’t really trust these guys, and so I wanted to make sure it actually did go through properly. I went into the “Payment activity” tab and found this:
That’s right, no payments scheduled even though I did get a confirmation screen saying that my payment was scheduled successfully.
The one item in my “Payment history” is dated 11 days ago; that had to do with my account activation and etcetera.
It’s now been about 15 minutes since my payment was “successful”. I still don’t see it as scheduled or processed in my account on Sprint’s website. I haven’t received a confirmation email, either.
But I guess all is well for them: They got their money, as evidenced by my bank’s website. It would just be nice if they would let me know that it was applied to my account.
30 minutes later…
“Don’t worry guise! Teh sights are now down complerply!”
… My first time using it, and the entire f**king customer portion of their site is down. What a pile of s**t.
And how dare they say “We are enhancing this section of our site”. What nerve.
Hey Sprint: Your site broke and you lie to your customers about it? Unless you consider “basic f**king functionality” to be an “enhancement”. If that’s the case, I ask you to please post that opinion publicly. I dare you.
“We here at Sprint believe that a functional site is an enhancement over a non-functional site. That’s why we do our best to keep our site functional most of the time. Because we at Sprint care about our customers and their occasional access to such great features as online bill pay, viewing usage history, and letting them sometimes buy, you know, phones and stuff.”
I’ve been using Verizon Wireless for almost 15 years (since they were Bell Atlantic). And though they’re by no means perfect I’ve yet to see a catastrophic failure of their ability to process payments.