Back in August I reviewed the Netgear 6100D from Sprint and followed up with a post detailing some advanced configuration options.

The Video

I also installed a flat panel 4G antenna from 4G Antenna Shop. I made a video detailing the unboxing and installation (which I just got around to editing together):

It’s my first video of this sort, so if you have any feedback please let me know in the YouTube comments or by email!

4G Antenna Shop

I didn’t get into it in the video, but overall I’d recommend 4G Antenna Shop. The cable and antenna I got were both of very high quality and definitely worth the price.

Their customer service was great; I had a couple of questions about my order, and one of their guys (Robert) got back to me within 15 minutes and was extremely helpful. They shipped really quickly, too.

I did have two minor issues, both of which I talk about in the video:

During checkout they give you the option of selecting your device so that they can provide the correct adapters to go from the cable (if you order it through them) to the device. At the time I’d ordered, they had an option for “Netgear Sprint Spark LTE”, which I thought was the Netgear 6100D. There was no separate option for the 6100D, but it turned out that they were referencing a different product, and so I received the wrong adapters. (They’ve since added the 6100D as an option.)

I chalked this up to being mostly my fault, as I didn’t know that there was another Netgear LTE device out there for Sprint Spark.

My other issue was with the packing job. Again, it’s a minor complaint because nothing was damaged, but the box arrived pretty beaten up with holes in the top from the antenna mount having poked through. There was no packing material to keep the box rigid, and the antenna and cable were just sorta rattling around inside.

Bear with Me…

Oh, and sorry if I rambled on a bit in the video. If you couldn’t tell from a lot of my other posts on here, I have an aversion to brevity. :)

I’m hoping to get some more how-to and instructional videos out there in 2015, so please subscribe to my YouTube channel!

(Hey, I’m allowed to shill for myself, right?)

This post is all about solutions.

Really, it’s about one very big solution:

http://[Netgear 6100D Address]/index.asp

What is that? Oh, not much, just the native Netgear configuration GUI.

It has about ten times the feature set of Sprint’s half-baked GUI. Seriously.

Already have a problem?

This didn’t happen to me at first, but I must have triggered some state within the 6100D that causes this screen to appear when returning to the Netgear GUI after having used the Sprint GUI:

If you find yourself redirected to this utterly pointless landing page, just change the path of the URL to /adv_index.asp (I assume you want the advanced config page).

Clicking “Take me to the Internet” uselessly takes you to Netgear’s site.

The good…

What can it do that the Sprint branded GUI can’t?

• Static routes
• Ability to turn the DLNA server off (Sprint doesn’t even mention it, but it’s enabled by default)
• Multicast settings
• UPnP advertisement settings (as opposed to just on or off)
• Better port forwarding settings with port triggering
• Wireless repeater settings
• The ability to disable the WiFi radios Update: Though this option exists, hitting the “Apply” button on the page does nothing.
• FTP server settings
• Email notification settings (for alerts and logs)
• A DMZ server setting that lets you change all four octets
• VPN passthrough settings
• RIP settings
• QoS settings
• The menu system is generally organized in a logical fashion and it’s easy to navigate
• The ability to send and receive SMS messages (It doesn’t work for me, but that’s probably because my plan doesn’t include SMS)

…and that’s just what I found on my first quick look.

Sprint completely crippled this device.

…the bad and the ugly

• Sometimes the Netgear GUI redirects you to a page that asks if you want to use a wizard to configure the router or configure it manually. A minor annoyance.
• The interface has a very 90s look and feel (as opposed to the Sprint-branded interface which is cleaner)
• There’s a link to “documentation”, which opens up a window for the N600 Wireless Dual Band Gigabit Router*
• I still can’t find a place to turn off the telnet console
• Strangely the date and time settings only list “AU 2011-2012″ as a daylight savings time option.
• They really can’t get their timezone knowledge together. On the Sprint GUI it lists “EST (Central Standard Time)”, and in the Netgear GUI the timezone options are “EST”, “CST”, and “WST” (which should be PST).
• After using the Netgear web GUI and going back to the Sprint-branded GUI, it requires that you agree to the EULA again. This makes me think that at least one flag is getting wiped out when the Netgear GUI re-writes the config.

*Check out the N600 User Manual. It describes a lot of the 6100D settings in more detail than the Sprint documentation.

Major flaws

I don’t mean to harp on this, but it’s so significant that I can’t help it:

There is an an unprotected telnet server that cannot be turned off, requires no authentication, and lets anyone view and MODIFY the router’s config. This includes VIEWING THE ADMIN PASSWORD IN PLAINTEXT!

I’ve hit another bug twice now:

For no consistent reason that I can discern, the device will start flooding the LAN with IGMP (multicast) messages. For example:

15:25:09.027136 IP (tos 0xc0, ttl 1, id 0, offset 0, flags [none], proto IGMP (2), length 36, options (RA))
    10.222.2.1 > 224.0.0.1: igmp query v3

It’s creating these messages as fast as it can; When this is happening igmpproxy uses around 75% CPU with the remainder used for IO. The GUI also becomes unresponsive. Fortunately BusyBox (via telnet) does not, so a remote reboot is possible.

This IGMP activity lasts a few minutes, but then refreshing the GUI causes (?) it to start again. I haven’t spent a lot of time testing this issue, but it is a PITA.

Then we have a nice one where the router seems use THE MAC ADDRESS for port forwarding regardless of the actual IP setting.

For example, let’s look at this composite of screencaps:

What’s going on here?

On the top is the active port forwarding configuration of the 6100D, after a save. On the bottom is a tcpdump of the traffic between the 6100D and my core router.

The 6100D is sending traffic to 10.222.2.3 even though I have it set to send traffic to 10.222.1.1.

Where is it getting the IP address 10.222.2.3? Well, it’s right there in the lower right of the device settings. But that option is NOT selected.

Why is it showing that IP? Without getting into too much detail, I have two core routers running in a master/backup configuration. They each have a “real” IP on the 10.222.1.0/16 network (last octets being 3 and 4 respectively, as well as a VIP (last octet of 1).

The routers are also my VPN servers, so I want VPN traffic (in this example) sent to the VIP, which is 10.222.1.1. This way it doesn’t matter if the backup router takes over; The VIP will be reassigned to it and traffic will continue to flow.

The address of 10.222.2.3 came from a misconfiguration (my fault). I forgot to change that when I changed the VIP. That is no big deal in this case, because this is a /16 (class B) network, and so 10.222.2.3 and 10.222.1.1 can coexist on it just fine.

My misconfiguration is not the cause of the problem, because even after I changed the “real” IP on the router to 10.222.1.3, it still sent traffic to that IP instead of the VIP!

However, both the “real” IP and the VIP have the same MAC address. This shouldn’t be a problem either, because we only need to use the ARP table to find the MAC address for the IP, and not the other way around. Here’s the ARP table on the 6100D:

For some reason it’s picking the first MAC address and forwarding traffic there; I have no idea why they designed it like that!

Let’s dig into the config file (located at /WFIO/current.cfg in the 6100D’s unsecured BusyBox environment):

table=FWPortRedirectionConfig;
columns=Enable;Nickname;Protocol;WANPortStart;WANPortEnd;LANIPAddress;LANPortStart;INSTNUM;isPredefined;isMore;portMapIndex;HostName;Permissions;Le
0;Westell Modem Service VoIP SIP;udp;5060;5060;MODEMREDIRECT;5060;1;1;0;0;;0;0;0;;
1;Westell Modem Service Envoy;tcp;6363;6363;MODEMREDIRECT;6363;2;1;0;0;;0;0;0;;
1;Westell Modem Service Rip;udp;520;520;MODEMREDIRECT;520;3;1;0;0;;0;0;0;;
1;VPN (SMR);tcp;1199;1199;10.222.1.3;1199;4;1;0;3;10.222.1.1;GUI, TR069;0;0;d4:ae:52:d4:62:02;

First of all, why does it have two services enabled by default and not listed in the GUI?

Secondly, the last line is my entry. You’ll see that it has 10.222.1.3 listed as well as 10.222.1.1. Well, looking at the column headers it decided to stick in 10.222.1.3 as the LANIPAddress, with a HostName of 10.222.1.1.

So the setting in the GUI for “Internal IP address” is actually the setting for the host name!?!?

The worst part is that if I go into the BusyBox environment and manually change the LANIPAddress field to the correct IP, upon reboot it changes it right back. There’s no way to win with this thing!

The problem arises that both of my core routers have different MAC addresses. So if this thing is basing its decisions on the MAC address, what’s going to happen when the master fails and the backup takes over? The master’s MAC address will be offline. The VIP will still be online, but this thing may just ignore it.

(By the way, this is a testing environment. That’s why you don’t see an entry in the ARP table for the backup router’s IP.)

I could remove the “real” IP address from the routers and just use a VIP, but that is irritating from an administrative perspective because the backup router will be unaddressable on this network. Also, it may not solve the problem because the MAC address of the VIP will of course change in the event of a failure.

I also can’t give the master and backup the same MAC address, because that would confuse any device connected to this network.

Sigh. This will require more testing.

SOLVED!

The solution is simple, obvious, and of course it took a couple of hours to think of it:

Put the 6100D on its own /24 and give the core routers a VIP in that /24.

In other words, the LAN configuration on the 6100D is now:

IP: 10.222.2.11
Mask: 255.255.255.0

And the core routers now share:

VIP: 10.222.2.1 with a mask of 255.255.255.0

For administrative purposes (and expansion, etc) the master core router still holds its “real” IP of 10.222.1.3, but it’s now masked as a /24, and it still has a VIP of 10.222.1.1/24.

Despite having yet another IP on that physical network, it’s fenced from the others by its subnet mask (so the 6100D isn’t just basing its decisions on the MAC address). Here we see the correct IP is detected for the core router’s MAC address:

Apparently the 6100D is a real slave to subnets.

Config diffs

Before fiddling with port forwarding and various other settings, I saved one setting in the Netgear GUI: I added a static route. That resulted in this snippet being added to the config file:

table=StaticNetworkConfig;
columns=Enabled;Nickname;InterfaceTable;InterfaceReference;RouteType;IPDestination;IPNetmask;IPGateway;Metric;RIPAdvertised;SaveToFlash;INSTNUM;
1;Test Route;;;Network;10.78.1.0;255.255.255.0;10.222.1.1;10;1;1;2;

The following entry was also added, even though I didn’t modify the NTP settings:

table=NTPConfig;
columns=Enabled;NTPServer;NTPServerSec;Interval;DayLightSavingsUsed;LocalTimeZone;BackoffIntervalMin;BackoffIntervalMax;TimeZoneName;DayLightSavingsStart;DayLightSavingsEnd;
0;time-b.netgear.com;time-a.netgear.com;3600;1;GMT+5;5;60;;M4.1.0/02:00:00;M10.5.0/02:00:00;

Otherwise it doesn’t look like anything else was altered, aside from some timestamps (phew). More importantly, the router still works!

That’s important because I was concerned that the Netgear GUI might wipe out or otherwise alter important settings that the Sprint GUI had added in.

I keep talking about the GUIs because the fact is that I don’t know if there is any difference between the two GUIs as far as configuration management on the back end goes. They may well use the same configuration management scheme, in which case of course they won’t conflict! But it’s possible that they manage the config differently, and could kill each other’s settings.

Disclaimer

I just found out about this roughly 30 minutes ago. I have no idea what undesirable consequences might arise from changing settings in the Netgear GUI. I don’t even know if all of them will work as intended. So use this information at your own risk!

I recently obtained a Netgear LG6100D LTE Gateway from Sprint as a backup for my hard internet connections. The device seemed perfect on paper: Cellular connectivity for the home or business network!

I’ve used some bad consumer routers in my day, but this is one of the worst I’ve encountered. Or maybe it’s that it looked so promising at first and then let me down so hard.

Update (2014-08-26): I found that you can access the native Netgear web GUI. It has a heck of a lot more features, and solves many of the complaints I have with the “correct” way of configuring this device.

Upon logging in the user interface is clean, fairly informative, and I noticed that the values were updating automatically for Status and Data Usage. Some AJAX is a nice touch on this kind of device.

The very first thing I decided to do upon seeing the Wi-Fi networks listed in the lower-left was to disable WiFi. I’m going to be integrating this with my existing network, and I already have multiple access points.

Complaint 1: There is no place to turn off WiFi. You can turn off the “Guest Wi-Fi”, but can’t disable the 2.4Ghz and 5Ghz regular WiFi access points.

OK, fine. Not a huge deal. I set the passphrases to something ridiculously long and random, set the “Wi-Fi Range” to “Short”, hid the SSID and changed the connection rate to the lowest (narrowest) possible. The device is in my basement, so hopefully that’ll be enough to prevent any Nosy Nellies from racking up charges on my data plan.

The next thing I did was to set up my LAN. Here’s what the setup page looks like (I’m using some fake values for these screenshots):

I did actually RTFM for the DMZ setting so that I was sure what it did: All unsolicited traffic from public networks (the internet) will be forwarded to this address.

That’s perfect for me, because the only network devices downstream from the 6100D will be my routers. They’ll handle all the firewalling and NATing.

Complaint 2: Although the LAN settings allow you to specify any netmask you want (I went with a /16, or 255.255.0.0), you can only change the last octet of the DMZ IP. In other words, the DMZ device has to be on the same /24 as the 6100D.

Again, not a big deal, but for organizational purposes I would have liked to have had them on different /24s.

Because of that limitation I ended up messing with my settings. Here’s how I had the router configured at one point:

LAN: 10.222.2.1/16
DMZ: 10.222.2.3

I then realized that those settings wouldn’t be ideal, and so I changed the LAN IP:

LAN: 10.222.1.11/16

I saved it, and the third octet of the DMZ changed to “1” to match the third octet of the LAN IP. Then I changed the last octet of the DMZ to “1”, saved, and wound up with these settings:

LAN: 10.222.1.11/16
DMZ: 10.222.1.3

But wait, the DMZ should be 10.222.1.1. I tried to change it again. It remained stuck (even across reboots) at 10.222.1.3.

Then I looked at the actual network traffic going from the 6100D to my router. DMZ traffic was going to 10.222.2.3 — the old setting.

Complaint 3: The DMZ IP address can become “stuck” on a value that doesn’t match what’s displayed in the GUI, and there is no way to change it.

I tried re-IPing the router back to 10.222.2.1 and then changing it and the DMZ value back in various different sequences. No dice.

I was afraid to do a factory or settings reset, as I worried that might wipe out some cellular data settings that were preloaded by Sprint. (In theory all it should need is the SIM, but you never know!)

I used the 6100D’s “Download / Backup” feature to download my config. It was base64 encoded plaintext. I decoded it and found this setting:

table=StaticNatConfig;
columns=Enabled;LocalHostIPAddr;LocalHostMACAddr;
1;10.222.2.3;d4:ae:52:xx:xx:xx;

Great! That’s the setting!

I changed it, re-encoded the text to base64, and uploaded it to the device. A JavaScript alert dialog warned me that the router was going to reboot… and nothing happened.

I did notice that the URL now had the suffix ErrorNum=3, so I suppose that the upload failed.

Complaint 4: However no error was given in the GUI. There was no indication that the upload had failed, and certainly not a reason for the failure. (I want to be clear that I don’t blame the upload failure on Netgear; I probably didn’t notice/update some CRC or other information. My objection is the lack of reasonable error reporting).

Lack of error reporting brings me to the system log. I went there to see if there was explanation for the failed upload. There was no mention of the upload, but…

Complaint 5: All the dates were in 1970. Clearly this thing hadn’t synchronized with an NTP server or some such (even though it had been connected to the Sprint network for some time).

That brings me to the “Date & Time” settings:

I decided to set the date and time manually. I unchecked “Automatic Time Update” -> “Enabled” and hit “Submit”. I got alerted that the settings were saved successfully and, uhhh…

Complaint 6: There is no way to set the date and time manually. Look:

The “Local Time” field is static. There is no way to set the date and time. So why even be able to disable NTP in the first place? (Oh, there’s a reason — we’ll get to it.)

Incidentally, it says “EST(Central Standard Time)” in the time zone dropdown. I’ll not make that a separate complaint, but it gives you an idea of the amount of quality control that went into this thing.

While I was poking around in the plaintext config file, I found this little doozy:

table=AdminInfo;rev=2;
columns=AdminUserID;AdminPassword;PWNotAllow;RemoteAccessEnable;SessionTimeoutEnable;SessionTimeoutInterval;SessionTimeoutTimeLeft;EnableGUIAuth;Preffered_Proto;RemoteHttpsEnable;EnableRecovery;SecQ1ID;SecAns1;SecQ2ID;SecAns2;UserRole;TimeStamp;
admin;MyActualPassword;password;;;;;1;;;0;0;;0;;0;;
admin;password;;0;0;20;16;1;0;1;0;;;;;;;
;;;;;;;;;;;;;;;;;
support;password;;;;;;1;;;;;;;;1;;
user;password;;;;;;1;;;;;;;;2;;

Complaint 7: The admin password is stored in plaintext in the backup file.

OK, it’s base64 encoded which will put off the average user-level pair of prying eyes. But I wouldn’t exactly feel comfortable leaving my router’s backup settings unencrypted on a network drive.

Complaint 8: What are those “user” and “support” accounts? I tried logging in as both from the GUI and could not. But is there some back door that I’m not aware of? They’re not mentioned in the GUI, and there’s no way to change those passwords that I can see (well, there is, but we’ll get to that).

I don’t know about you, but I find superfluous and immutable user accounts to be sketchy at best.

Let’s talk about why I’m using a DMZ host in this scenario.

I already have redundant router/firewalls that are directly connected to the internet using my two hard line connections. They both “own” public IPs and firewall/NAT traffic to and from my internal networks. They’re simply PCs running CentOS having 9 ethernet ports each, and they work great.

For me, this DMZ setting will result in “double-NATing”. In other words, all traffic coming into the 6100D will be DNATed to my router, and the router will DNAT it to my server. That’s sub-optimal for a variety of reasons.

(Of course if this “router” actually let me add “routes” I could use its port forwarding feature and obviate the need for the second level of NATing. We’ll get to that topic later on.)

The 6100D does offer a setting that’s extremely sexy on first glance: IP Passthrough.

From the documentation:

You can designate a computer behind the gateway to receive unsolicited traffic from the public 
network.

Note: The public WAN IP will be assigned to this computer.

That sounds perfect! Let’s look at the settings page for this feature:

Hmm.. “Device Name” is a drop-down with nothing in it. And what’s the DHCP lease time?

The documentation says:

In the Device Name drop-down list, select a computer.
[..]
In the DHCP Lease Time fields, enter the days, hours, minutes that you want to assign the public IP to this computer.

That was not very helpful, which is typical of the documentation.

Complaint 9: This feature does not work. There is never a computer listed in the “Device Name” dropdown. In fact, I tried this with the 6100D connected directly to my laptop back when it was fresh from the factory and it still didn’t work.

Besides that complaint, a whole host of questions are raised:

• Does the computer to which the IP is “passed through” use the upstream DHCP server on Sprint’s network, or does it use the DHCP server on the 6100D?
• If my cellular WAN IP address changes before the end of the lease time I’ve set, will it still update my computer’s address? What exactly does that lease time mean? And why is it there? Why not just use the upstream lease settings?
• Based upon what’s written in the documentation (“[time] that you want to assign the public IP to this computer”) is this really a DHCP setting, or does it mean that after that time period the IP will simply revert back to the 6100D instead of the downstream computer?
• Is it accomplishing the passthrough by bridging the WAN connection to the LAN connection? Or does it use some kind of internal double-NATing? In other words, by what mechanism does it “pass through” the IP?

Complaint 10: Even if I did see my computer listed in the “Device Name” dropdown, this feature would be completely useless to me as it’s documented to the point of obscurity.

Speaking of obscurity:

Complaint 11: The “Custom” setting on the firewall is useless. You cannot make custom firewall settings of any use.

Let me show you:

Looks simple enough. There are some default rules. ICMP is allowed, and a variety of TCP and UDP services are blocked. (Note that there is no “remove” button, but I suppose you could override these rules by putting another rule prior in the chain. It’s not really “custom”, but whatever.)

The page does state:

Control outbound traffic initiated from within the local network.
Inbound traffic may be controlled by configuring Port Forwarding.

Wonderful. So it’s more like half of a firewall. Port forwarding is not firewalling. I’m using the DMZ feature, not the port forwarding feature, yet I’d still like to block ports at the edge. This is not only for security, but to avoid unnecessary data usage charges (more on that later).

But OK, let’s press the “Add” button:

BTW – The “Rule Name” is actually the “Service Name”. You set up services in another section of the GUI. They are basically just named definitions of a port range and protocol. In this case I have already configured “VPN (SMR)” in services to match my OpenVPN server settings.

“Action” allows you to set either “Allow Always” or “Block Always”. I want allow.

Here’s why the custom firewall is meaningless:

THERE IS NO NETMASK FIELD! A firewall wherein you’d have to black- or white-list every individual IP is useless.

If I leave the “Lan Users” or “Wan Users” blank, I get an error that the IP addresses are required. If I set either to “0.0.0.0” (figuring maybe it would accept that as a wildcard) it gives an error that the IP is not valid. So neither “intuitive” ways of inputting 0.0.0.0/0 are allowed, let alone a more nuanced netmask.

Complaint 12: The documentation is terribly vague about a lot of things, and the custom firewall in particular. This is literally all it has to say on the matter:

Custom is an advanced configuration option that allows you to edit the firewall configuration directly. Only expert users should attempt this

I’ll grant that I’m not an expert on the Netgear 6100D custom firewall. So maybe there’s something I’m missing. But if there is, I can’t find it.

Oh, and those two screenshots that I’ve showed to you? That’s all there is to the “custom” firewall. The rule editing dialog is the same as the add dialog. That’s it.

Speaking of custom things:

Complaint 13: There is no ability to edit the routing table(s).

Leaving a heck of a lot out, here’s how I have the 6100D connected to my workstation:

WORKSTATION <-----> CORE ROUTER <-----> NETGEAR 6100D

My network is similar to this:

Workstation: 10.10.1.50
Core router: 10.10.1.1, 10.222.1.1
Netgear 6100D: 10.222.1.11

But since I can’t add a custom route to the 6100D, it tries to route all packets destined for my workstation over the public internet! Hence in order for me to even administer the device, I had to SNAT all traffic destined for 10.222.1.11/32 with a source of 10.222.1.1. It’s pretty stupid that I have to do that, but it works.

It also means that (even if I wanted to) I couldn’t use the Netgear’s “port forwarding” (DNATing) in my environment — none of my servers are on the 10.222.0.0/16 network.

Complaint 14: Dynamic DNS: Paid or Chinese.

The only two options for Dynamic DNS are DynDNS.org or 3322.org.

DynDNS.org no longer offers free DDNS services. 3322.org is apparently Pubyun, a Chinese company. I have no problem with it being a Chinese company in general, and it looks like they’ve been doing DDNS since 2001. However their website is in Chinese, and I can only assume that their servers are in China and that they may not provide support in English.

My problem is not with the two services on offer, it’s that they are the only two services on offer and that there is no custom option.

Fortunately I happen to know of a relatively new (and believe me, very unknown) DDNS service from Kisolabs that is both free and will let you spoof your device’s DNS so that it thinks it’s hitting DynDNS.org.

Let’s get to what is probably my biggest complaint of all.

In trying to resolve the DMZ IP address issue that I had, I said to myself, “hey Scott, this appears to be running some kind of *nix because the config file shows snippets of iptables commands. Maybe you can SSH in.”

So I issued a nc -z 10.222.1.11 1-1023 with the following results:

Connection to 10.222.1.11 23 port [tcp/telnet] succeeded!
Connection to 10.222.1.11 80 port [tcp/http] succeeded!
Connection to 10.222.1.11 179 port [tcp/bgp] succeeded!
Connection to 10.222.1.11 443 port [tcp/https] succeeded!

Oh-kay. No SSH, but telnet is open!?

# telnet 10.222.1.11
Trying 10.222.1.11...
Connected to 10.222.1.11.
Escape character is '^]'.

BusyBox v1.1.3 (2014.01.02-13:26+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

# ls /WFIO/current.cfg  
/WFIO/current.cfg (<- That's the configuration file that's manipulated by the GUI, and that's read on boot.)
#

Wait. No authentication?

Complaint 15: NO AUTHENTICATION.

You’d think that maybe this would be an environment with some very strong deny permissions, but no.

Complaint 16: Not only are the configuration and even the GUI HTML files readable, THE CONFIG FILES ARE WRITABLE!

Complaint 17: And THE CONFIGURATION FILE CONTAINS THE ADMIN PASSWORD IN PLAIN TEXT!

Complaint 18: And THERE IS NO WAY TO DISABLE TELNET ACCESS from the GUI!

And remember: There is no way to turn off WiFi.

Who designed this thing???? It’s a security nightmare.

The only thing I can guess is that maybe Netgear charged its engineers with creating a honeypot, and they accidentally released that codebase to production for this device.

Oh, and search the user guide for “telnet”. You’ll find that it’s mentioned three times. Once in regards to services that could be permitted by the firewall, once in the index, and once on page 109:

Are Terminal Sessions Supported?
Terminal sessions (for example, via telnet or ssh) are not supported.*

*Documentation written by Kafka.

ARE YOU KIDDING ME?

The craziest part is that I haven’t even tried playing with most of the other settings. I can’t imagine how many complaints I’d have if I actually delved into this!

Even just trying to navigate between the settings that I do need is counter-intuitive. Let’s look at the left navigation bar:

You want to change the password to the router. Quick, which menu item do you click on!? Nope, I would’ve thought it was Security as well. But it’s under Settings.

And what about dynamic DNS settings? NOPE! That’s in Security.

When you do go into Settings there are four tabs from which to choose:

General is fair enough, but Network actually means “WAN / Cellular” and Router actually means “Basically Whatever”. Manage VPN is refreshingly self-explanatory.

Here’s the sub-menu under the Router tab:

Most of this is just… wrong.

• Even though there’s a section for “Port Forwarding”, the DMZ port forwarding setting is under “Basic”.
• Port filtering is here instead of under the Security menu.
• “MAC Address Cloning” only specifies that it’s the “Router MAC Address”. BUT THIS ROUTER HAS SEVEN INTERFACES! Does this apply to any one of the four WiFi interfaces, the LAN interface, or one of the two WAN interfaces? (The documentation makes it seem like it applies to the hardline WAN port — but all the other settings for the hard WAN interface are under the Network tab. So why is this here??)
• “File Sharing” should not be under the Router tab. It shouldn’t even be a feature on this device.

Hence, Complaint 19: Poor organization of the menus.

Thanks for hanging in there! I know it’s been a long ride, but let’s round this out to an even twenty:

Complaint 20: By default this thing suckles at your data plan.

It’s constantly in communication with various servers in the sprint.com and netgear.com domains. I can see this in the system logs. The requests appear to be for data usage information and NTP synchronization respectively. By default it also checks for system updates (I am up to date, BTW).

I haven’t done any “scientific” testing, but look at this:

In the last 50 minutes it’s used 0.12MB of data. My router is not pushing traffic to the 6100D, and I currently have no publicly addressable services served by it. I’m administering it over the LAN port.

That’s just “idle” utilization.

So, that’s 0.0024MB per minute. Assuming that’s an average level of utilization then it uses 104MB per month at idle.

That’s over 10% of my data cap just gone! Sprint actually sells a 100MB/month plan for this device. Imagine your face when it uses up your entire data cap (and then some) on trivial, unwanted, unnecessary data!

OK, to be fair I can disable NTP or point it to local (LAN-connected) servers. And maybe (maaayyybe) Sprint doesn’t actually bill for the data going to/from sprint.com. But are most users going to know this?

And remember that even (possibly) unbilled data to/from sprint.com will spawn DNS requests. Are you using Sprint’s DNS servers? Do they charge for that traffic?

But what about unsolicited requests on blocked ports? Does every TCP SYN count against my data plan? Does every UDP packet destined for my IP count against it?

Moreover, since I can’t set up custom firewall rules and don’t want to use “port forwarding” the 6100D is going to happily SYN/ACK any TCP connection and forward the packets right along to my DMZ host! So someone could rack up huge charges on my connection just by spamming my IP with large packets, even if I don’t reply!

In conclusion: The Netgear 6100D LTE Gateway is not ready for prime time. I couldn’t even recommend it for home use due to gaping security holes, let alone in a business environment as Sprint suggests:

What about me? I’m going to keep it. It’s my only reasonable option. Sprint has the most competitive pricing of any of the major providers, and this hardware appears to be the best available (at prices I’m willing to pay). I have found workarounds for all of the complaints that are strictly relevant to my environment. The security holes are acceptable to me because I’m using a one-off password and my LAN interface is firewalled off from being accessed by all but my own workstation.

It’s still the worst networking device I’ve seen since the “Cisco” (Linksys) RV042.

I’ve been doing this long enough to know that rants about a device that I’ve only owned for a few days may contain some inaccuracies. I may even be dead wrong about some of my overarching complaints and assumptions.

As of today (August 25, 2014) comments are closed on this site due to an extraordinary number of spammers. But please contact me by email if you have any comments or corrections: scott[at]s.co.tt

Update (2014-08-26)

Complaint 21: The 6100D runs a DLNA server, and there’s no way to turn it off. (Well, there is.)

Complaint 22: The 6100D listens on port 3457 on all interfaces and port 9000 on the LAN interface. They both appear to be HTTP servers, but I have no idea what they do or why they’re there. The documentation doesn’t mention them.

This isn’t a complaint about the device itself, so I’m not going to number it:

I posted a link to this review on both Netgear’s and Sprint’s timelines. Netgear hasn’t replied, but even worse Sprint did reply:

That’s just disgraceful. Am I talking to a bot?

I don’t expect Sprint’s social media rep to read the entire 3,500 word blog post. I’m not that self-important. But look at that last comment:

Sprint: What kind of device are you using? Have you tried to call the manufacturer of the device? Are you eligible for an upgrade? Let me know. – Brenda

The manufacturer and model number are both right in the title! And no, I’m not eligible for an upgrade. It says right in the blurb that “I recently obtained a Netgear LG6100D LTE Gateway from Sprint”. Not two years ago.

But that is completely irrelevant in the first place, because this device is not sold with a contract. You simply buy it. Now that is something their reps should know.

And this sounds like a classic ELIZA response from the 1960s:

Sorry that you feel this way. What’s going on to have you feel like this? – Fernendez

Get it together, Sprint.

Update (2014-08-28)

Man, I just keep finding more and more stuff about this device that is just stupid or downright buggy.

Complaint 23: The device seems to, without obvious reason, occasionally flood the LAN with multicast messages from the igmpproxy. That process uses about 75% CPU, with the remaining available CPU going to IO. It freezes the GUI, but it stops after a few minutes.

Complaint 24: IP forwarding seems to be based upon MAC address in some convoluted way, rather than the IP address you actually enter. This may actually be the cause of the DMZ problems I was having (discussed above), but in this case I’m specifically talking about “Port Forwarding”, not the DMZ setting.

Complaints 23 & 24 are discussed in more detail in my post on the native Netgear GUI, and some of the problems it solves.

Complaint 25: Another simple example of stupid design. Let’s look at yet another screencap:

Click on the image for a full-sized version.

The 6100D tracks data usage both by billing cycle and by session.

(I think “month” in this interface means “billing month”, but now that I look at it I’m not sure. It may mean “calendar month”. Who knows?)

Tracking data usage right in the router is a big plus! The billing usage data comes from Sprint’s servers (I can see that in the logs), so even though it says that it’s “approximate and may vary”, it should be a pretty good indication of billable usage. Hopefully.

So, what do you think that “Reset” button does? It’s right there tucked to the lower-right of the session data usage.

It should reset the usage counter for the session, wouldn’t you think? That would be really useful if, let’s say, you were playing Call of Duty and were curious as to how much traffic that game was pushing through the WWAN. You could reset it, play away, and then take a look.

It would be absolutely stupid and pointless if that button reset the statistics for your billing cycle. I mean, it wouldn’t actually reset your billing, right? It wouldn’t turn back time and start the month over, right?

WELL THE RESET BUTTON RESETS THE BILLING CYCLE USAGE STATISTICS, NOT THE SESSION STATISTICS.

You can see this evidenced in the screepcap, wherein I have 24 days left in my billing cycle and yet have used no data. Even though in my current session I have used 0.57MB!

This boggles my mind more than even the unsecured telnet interface. The telnet thing was clearly an accident. I’m giving them the benefit of the doubt that they probably just forgot to comment out the telnet daemon start command in the init script(s) before releasing to manufacturing. (Though it should have been caught in QA, but what do I know?)

But this reset button seems to be part of an intentional design decision. It’s so vastly illogical and pointless that I can’t imagine how it made it into this device. Unless the device is wholly under-planned, under-engineered, and under-tested. And it does indeed seem to be all those things at once.

Update (2014-08-28) – I’m just about done with Sprint

Today’s complaint is a bit of a tangent, as it doesn’t pertain to the device. It’s about Sprint’s website.

Specifically the bill payment section of their website. You know, the one that has to do with my hard-earned money and their revenue (something for which shareholders have a great concern — I’m glad I’m not one). This is the section of the site that should be absolutely reliable and well designed.

This is what I was treated to when I paid my bill:

Looks perfectly normal, right? But see that grey button in the lower-right? The one that says “Authorize”? The one I’m only supposed to click once to avoid duplicate charges? Well, I’ve already clicked it. It was yellow before, and now it’s grey.

It’s been grey like that for 75 minutes and nothing has happened. No “payment successful”, no “sorry, payment unsuccessful”, no timeout. No response at all.

And I’m sure that Sprint would be happy to tell me that it was the fault of my internet connection, except that I seriously doubt it because I wasn’t using their horrible device. Plus I paid four other bills while waiting for them to process my payment. Then I went to lunch.

So now here I am. I decided to go back to view my payment history, and there was nothing there. I checked my credit card online and there was no charge from Sprint. Fine. I’ll try again.

On my second try the payment went through in about 10 seconds. (Which in this day and age is an eternity.) Success!

But I don’t really trust these guys, and so I wanted to make sure it actually did go through properly. I went into the “Payment activity” tab and found this:

That’s right, no payments scheduled even though I did get a confirmation screen saying that my payment was scheduled successfully.

The one item in my “Payment history” is dated 11 days ago; That had to do with my account activation and etcetera.

It’s now been about 15 minutes since my payment was “successful”. I still don’t see it as scheduled or processed in my account on Sprint’s website. I haven’t received a confirmation email, either.

But I guess all is well for them: They got their money, as evidenced by my bank’s website. It would just be nice if they would let me know that it was applied to my account.

30 minutes later…

“Don’t worry guise! Teh sights are now down complerply!”

… My first time using it, and the entire f**king customer portion of their site is down. What a pile of s**t.

And how dare they say “We are enhancing this section of our site”. What nerve.

Hey Sprint: Your site broke and you lie to your customers about it? Unless you consider “basic f**king functionality” to be an “enhancement”. If that’s the case, I ask you to please post that opinion publicly. I dare you.

“We here at Sprint believe that a functional site is an enhancement over a non-functional site. That’s why we do our best to keep our site functional most of the time. Because we at Sprint care about our customers and their occasional access to such great features as online bill pay, viewing usage history, and letting them sometimes buy, you know, phones and stuff.”

I’ve been using Verizon Wireless for almost 15 years (since they were Bell Atlantic). And though they’re by no means perfect I’ve yet to see a catastrophic failure of their ability to process payments.