Router comparison: Nexland Pro100 Internet Security Box versus SnapGear PRO+

Review date: 23 October 2002.
Last modified 03-Dec-2011.


"Broadband router" or "connection sharer" boxes are quite popular these days, because they provide a really simple way to do several useful things.

These gadgets all work in basically the same way. You connect them to the Internet as if they were your computer (via a broadband connection or via a modem), they log in to your ISP as if they were your computer, and they then share the connection with your network. They all provide firewall features - as much security as a home or small office network is ever likely to need - and they make it easy for multiple PCs to use the same Internet connection. Some of them can do fancier tricks, which I'll get to in a moment, but that's the core functionality.

Anybody who can connect a PC to the Internet and who deigns to read the manual should be able to get one of these standalone devices set up in an hour or so, tops. And some basic models cost less than $US50. Hence, popularity.

You don't have to use a router box to share an Internet connection. It's easy for multiple PCs share a connection without a purpose-built router; you can use one of the PCs as the sharer. All Windows flavours since Win98SE have come standard with perfectly serviceable Internet connection sharing software, inventively called "Internet Connection Sharing" by Microsoft.

Using Windows to share your connection is perverse, of course; it's like pulling a plough behind a steamroller. If you're sufficiently hip, there are various teeny weeny Linux/BSD distributions that you can use to do the same job, on old and cheap hardware.

Setting up a non-Windows PC-based router if you haven't done it before may be easy, or it may not, but the main problem with this idea is that the sharer PC has to be on and un-crashed for the connection to be shared. That's a big problem for Windows-based sharing; you have to run Windows NT, 2000 or XP on the sharer box so it doesn't fall over of its own accord three times a day, and keep other users off it too. Router boxes running one or another PC Unix flavour are far less likely to crash for software reasons, but old crusty PC hardware, such as is normally used to create such boxes, isn't renowned for its reliability either.

Hence, simple plastic-box router/sharer widgets. No moving parts, no complex software installation, nothing more to buy.


You're looking at a couple of contenders in this market, both of them more featureful than the average. The purple one on top is Nexland's Pro100 Internet Security Box ("ISB"); the beige and blue one on the bottom is SnapGear's PRO+.

They both have "Pro" in their name, but they're aimed at different market segments. The Nexland Pro100 is currently selling for less than $US200; Nexland's store lists it for $US209, but a quick Price Watch search turned up one dealer stocking it for $US169.

SnapGear, in contrast, sell the Pro+ direct to US customers for $US749. Here in Australia, Visual Computing Solutions stock it for $AU1249, which is about $US690, as I write this.

There's a reason why the PRO+ costs more. It's SnapGear's top-of-line product, with various bells and whistles. Most users would be perfectly happy with one of SnapGear's cheaper products, or with the Pro100, or with something even cheaper, though. To see why, read on.

The Pro100 inside and out

Nexland Pro100

In their feature list for the Pro100, Nexland have employed the time-honoured strategy, beloved of graphics card makers, of listing some stuff that any product of this type can do, as well as the things that genuinely make the Pro100 different (to be fair, SnapGear do pretty much the same thing).

Some of the standard home-router-box features sound pretty impressive if you don't know that without them, the box wouldn't actually work at all. It's like people who put "graphics controller" on the feature list in a laptop advertisement. Well, fair enough; those laptops where the screen just stays black all the time are really hard to use.

Anyway, I'll get to the Pro100's unremarkable features in a moment. First, the stuff this box can do that every sharer can't.

Pro100 front port

First up, this. You're looking at the front of the Pro100, which has two serial-port-sized holes, one of which has a little plastic cover on it that I've popped off for this picture. Behind the cover is a whole bunch o' nothing, but you'll be pleased to know that the port to the left actually works.

The serial port has two functions. Firstly, and most importantly, it lets you connect a modem or serial ISDN adapter (it supports speeds up to 230 kilobits per second), to use as a "failover" connection.

Pro100 rear panel

Here are the Pro100's rear connections - one for the local network, one "WAN" port for your 10BaseT-equipped cable modem or DSL adapter or what have you, plus the power socket, a reset button that reboots the router, and some DIP switches that I'll get to in a moment.

The serial port's failover function means that if whatever's connected to the 10BaseT port stops working, the router can seamlessly flip to the fallback connection, dialling up and logging in if necessary. That means your Internet connection, while probably now a great deal slower, is back. The Pro100's modem setup interface lets you input up to three phone numbers to try, but only one username and password. That ought to do you, though.

You can also set the Pro100 up to only use the serial port to connect to the Internet, so you can buy a Pro100 while you have nothing better than a dial-up modem connection, and still use it if you later get broadband.

The serial port can also be used for setup. Plug the Pro100 into a PC using the included null modem cable, and you can do basic configuration tasks without using the router's normal setup system, which is a Web interface. Web interfaces are the norm for these sorts of devices, and they generally work very well; the routers have bonsai Web servers built in that can be accessed from the local network or, optionally, over the Internet. You can access the form-based setup interface from any normal Web browser, no matter what kind of computer it's running on.

If you can't do that for some reason, though - if, for instance, there's already a machine on your local network using the Pro100's default IP address, - then the serial setup option is handy. The Pro100 also comes with a crossover 10/100BaseT cable, though, which is mainly there to let you connect it to a normal (non-"uplink") port on a hub or switch, but which also lets you connect the router to one PC in a little two-node no-hub LAN; that's another way to set the thing up without bothering an existing box.

The Pro100 has no Telnet setup interface, by the way; it's Web-page, serial, or nothing. This isn't likely to bother most people, but hard core command line users may be irritated.

The DIP switches on the back of the Pro100 are another feature that most people won't need, but they could be very handy for a few users. One of them turns the router's DHCP server on and off, one of them turns on and off the serial setup interface, and one of them turns the firmware update feature on and off. The router allows you to dump its current state to a file and write that file back later, so you can easily back up the configuration before you try some... adventurous... setup changes. One DIP switch resets the router completely, to its factory defaults; handy for people with a poor memory for passwords.

If you're a DSL user stuck with PPPoE, the Pro100 supports it. Not every sharer box does, though with the burgeoning popularity of DSL, this is now pretty much a standard feature.

There's also a built-in Dynamic DNS client. Dynamic DNS lets you point a constant domain name to a server on your network, even though your ISP doesn't give you a static IP address. Most ISPs that don't provide static IPs also don't permit you to run servers of any kind, of course. But if your ISP does, or if they don't notice, it's rather nice to have a router box that can do the deed itself, without forcing you to open more ports and run a DDNS client on a computer.

And, to complete the list of Pro100 features that I can talk about in fewer than ten paragraphs, the LAN port is capable of full duplex operation. Full duplex mode - where data's sent at the same time as it's received - is only possible on 10/100BaseT network segments that contain only two nodes (I explain this in more detail in my old Ethernet networking piece), but that's what you've got when you connect the Pro100's LAN port to a single PC, or to a port on a switch.

The full duplex feature isn't actually that big a deal, though. Even if you've got a broadband connection that isn't highly asymmetrical (most broadband connections give you much lower upload speed than download speed, and both speeds put together don't come close to even full 10BaseT bandwidth, let alone 100BaseT), most Internet tasks, like most LAN tasks, are themselves very asymmetrical. Far more data goes one way than the other. If this is the case, then half-duplex (allowing data to only go one way at a time) will have pretty much no performance deficit at all compared with full duplex.

If you share a really fast symmetrical Internet connection with lots of users, and lots of data is being sent and received at the same time, then duplex can make a difference. You probably don't, though.

And then, there's VPNs.

The Pro100's Virtual Private Network support is good, but not as special as Nexland want you to think.

The Pro100 has a circular logo-thing in the corner of its lid that says "IPsec Enforced", which indicates its IPsec/PPTP (IP Security/Point-to-Point Tunneling Protocol) passthrough functionality (with "Unlimited IPsec Tunnels"!). It also has single session L2TP (Layer Two Tunneling Protocol) passthrough.

IPsec is a high-security data encryption system that can be used to give you a seriously, industrially secure Virtual Private Network over the public Internet. Classically, though, passing multiple IPsec tunnels through a router box like this (so that multiple computers on your side of the firewall can connect to a VPN server somewhere out there on the Internet) should be impossible.

Getting multiple IPsec tunnels through NAT routing (which all current home router appliances use, and of which more in a moment) means the router has to change the packets in order to get them where they're meant to go. And IPsec explicitly does not work if you change its packets en route. You can apparently get around the problem by encapsulating the IPsec packets in some other, routable packet format, but the Nexland box doesn't require you to do that. There's a little bit of configuration needed to make it work with different flavours of VPN, but it's all configuration of the Nexland box, not of the VPN client or server. Things can connect to IPsec-secured VPNs through the Pro100 as if it was not there.

All this seems to work well (though I haven't shoved a ton of IPsec tunnels through the Pro100 myself), but it's not a big deal.

Passthrough, for a start, means what it sounds like it means - the Pro100 can pass through IPsec/PPTP Virtual Private Network traffic. So if you've got a VPN client at one end and a VPN server at the other, both running on PCs or some other piece of hardware, the Pro100 won't get in the way.

That's good; it lets you firewall your home network and still connect to the office virtual network, for instance, or hook up to your Internet-connected friend in a far distant land as if you were both on the same (rather slow) LAN, if one of you runs the server and the other one connects to it.

VPN-ing through a firewall is a good thing because there's not much point using an encrypted VPN protocol to connect two networks together if one or both of them are un-firewalled against the public Internet. Such a setup is, to quote the man, not unlike arranging an armoured car to deliver credit card information from someone living in a cardboard box to someone living on a park bench. Attackers don't have to crack the VPN encryption if they can just pretend to be a client on the LAN at one end.

But lots of cable router widgets can pass through VPN traffic.

Passing multiple IPsec tunnels is more unusual; many routers can only pass one tunnel of any VPN protocol, which means that only one computer can connect to a VPN through them.

Nexland say that their boxes' ability to pass multiple - indeed, unlimited - IPsec tunnels is part of their "technology advantage"; according to them, this wasn't possible at all before they did it.

This claim is, um, not universally believed. Multi-tunnel passthrough is certainly a tricky problem, but there are other solutions.

Nexland have been saying their particular solution is "patent pending" for at least two and a half years, now. It would appear the patent process is taking longer than they thought.

Anyway, there are lots of router boxes that can pass through one VPN tunnel - IPsec, PPTP or L2TP - which is all your average telecommuter needs. There's also no serious shortage, these days, of routers that can handle multiple VPN tunnels, regardless of what Nexland say. The Nexland boxes do it just fine, as far as I can see, but they're certainly not the only horse in the race. SnapGear, for instance, have multiple IPsec tunnel passthrough in all of their products (see the comparison table here); the PRO+ can pass 100 tunnels.

Nexland's technology allows unlimited IPsec tunnels to pass through, but I doubt that's going to make much of a difference to most users. There's only so much data you can push through one of these routers; their peak bandwidth on the WAN side is limited, usually by your Internet connection.

Any old broadband connection is likely to be more than fast enough for several VPN users, provided they aren't trying to do seriously network-intensive tasks, which you really ought to try not to do over VPN anyway. But with more than a hundred users, each one will get a hilariously small slice of the pie, unless they're all very easy on the network.

The Pro100's software CD, by the way, contains Symantec's RaptorMobile VPN Client v6.5.3, which is a more capable VPN client than the one Microsoft include with current Windows flavours. RaptorMobile is easy to install, as long as you don't have Windows XP, on which it won't work at all. Apparently commercial RaptorMobile customers can upgrade to Symantec's Enterprise VPN v7.0, which does support XP, but I don't think this bundled version qualifies.

Aaanyway, the bundled software is only a VPN client at best; if you want to host a VPN, you'll need to do it with Windows' built-in VPN functionality, or more third party software. The Nexland box doesn't do any VPN stuff of its own; it just passes through what computers on the other side of it do.

SnapGear's boxes, in contrast, all have VPN client and server functionality built in. This is a big difference. It's not hugely important for telecommuters who just want to connect to the existing office network, but if you want to set up your own VPN from scratch, it comes into its own.

The usual solution in this low-budget situation is to use PCs running VPN software, often the built in Windows implementation. Which works (well, which ought to, at any rate), but which is subject to the same problems that beset people using PCs as router/firewalls. There's dedicated VPN hardware out there, of course, but it tends to be the "enterprise" stuff where a pricing inquiry results in a couple of chaps in suits dropping around to discuss whether you really want to know how much you'll pay.

A couple of SnapGear boxes - the cheaper little ones will do for many purposes - will get all this happening for you more easily, and more reliably, than any PC solution. And far more cheaply than pretty much any "enterprise" gear, which is likely to have more hair than you need.

Back to the Nexland box. Now, here are the things it can do that everything else can too.

First, the "NAPT firewall".

A NAPT firewall is what any NAT-based connection sharer provides. NAPT (Network Address Port Translation) is the most long-winded name for what usually, these days, just gets called NAT (Network Address Translation). Technically, NAPT can be said to be NAT plus PAT (Port Address Translation), but in normal usage, NAT and NAPT mean the same thing - the technology whereby multiple clients on one side of a router box have all of their Internet traffic re-jiggered by that box so that, as far as they're concerned, they're connected to the Internet perfectly normally as far as common Net tasks go, but as far as the Internet's concerned, all of the traffic is coming from and going to the NAT box itself.

Purists don't like NAT in the general sense, but there's no denying that the punters have voted with their wallets. NAT is a dead easy way to share Internet access; you don't need to do any special setup tricks on the client machines. And since it doesn't interfere with the Internet tasks that most people do (Web browsing, e-mail, Usenet, games...), sharer systems that use it have spread like wildfire.

If you want to host servers on local machines then you'll have to specifically poke holes in the NAT firewall to do it, telling the router where to send incoming traffic on the appropriate port. The flipside of that, though, is that if you haven't specifically opened and directed a port, it doesn't matter what servers some clueless person on your LAN may be running; they won't be visible to the Internet. A NAT-based sharer will thus work as a highly reliable firewall against ordinary bog-standard port-scanning script kiddie attacks, even if the sharer's installed by someone with not the slightest idea about Internet security.

The Pro100's setup options, including its firewall configuration, cover pretty much everything its target market's likely to want. It's got an actual configurable routing table, so you can use it with other routers on the network if your LAN's less than basic. There's also access filtering, allowing you to block some or all of your LAN from accessing particular Internet server types, so you can stop people wasting time and bandwidth on RealAudio/Video streams, for instance, or lock out everything but HTTP access for a public Web terminal machine. Conversely, you can forward ports as you like to make local servers visible to the Internet.

The Pro100 has configurable host and domain names, which are used for authentication by some broadband connections; it's also got a configurable MAC address, in case your broadband provider uses the MAC address of the network adapter they give you for authentication.

There is, as usual, DHCP support on both sides of the thing, so it can get its TCP/IP settings from your ISP, and dole out TCP/IP settings on the LAN as well. You can bind particular LAN IP addresses to particular network adapter MAC addresses, if you for some reason want to make sure a given machine always has the same IP.

The Pro100 comes with a decent bundle. You get a normal CAT5 network cable, and a crossover cable, so you can connect the Pro100 to a single PC or to any kind of 10/100BaseT hub or switch without buying extra wires. There's also the null modem cable for serial setup (which you probably won't need), the nine volt plugpack power supply, the software CD, and a comprehensive manual.

It's also got a five year manufacturer's warranty.

I could, at this point, show you some screenshots of the Pro100's Web configuration interface, but this comparison's going to be long enough as it is. The interface looks fine and works fine. The docs seem to correspond well to what's actually going on. So there.

Pro100 circuit board

Here's something less bland.

On the Pro100's circuit board, everything's tied together by a Lattice Semiconductor ispMACH 4A3 Complex Programmable Logic Device, which is as much of a CPU as this thing needs. Other chip highlights are the big Samsung S3C4510B network controller, as seen in a number of other router boxes, an Intel LXT972A Fast Ethernet transceiver, one of Realtek's ubiquitous RTL8019AS Ethernet controllers, an AMIC A29400 flash RAM chip (PDF data here), and a couple of EliteMT M12L16161C RAM chips, for a total of four megabytes of RAM. There are a few unpopulated component locations as well; they're presumably associated with the empty second front port spot.

And now, the expensive box.

SnapGear's PRO+

SnapGear PRO+

By enterprise network hardware standards, $US749's pocket change. By cable router standards, it's a lot. Fortunately, the PRO+ has sufficient extra stuff to justify its price tag.

The PRO+ can, of course, do pretty much everything that the Nexland Pro100 can do, as you'd darn well expect it to, for the money. It even has a Dynamic DNS client built in, as do all of the other SnapGear gadgets, though they didn't when I first reviewed the LITE+. SnapGear regularly release new firmware versions, and one of the updates since my first SnapGear review has been Dynamic DNS support across the whole range. The new firmware can easily be flashed to your SnapGear box across the LAN; you don't need to do anything weird.

In fact, about the only thing the PRO+ lacks compared with the Pro100 is the DIP switches on the back.

Nexland would have you believe that the Pro100's IPsec-routing features are clearly superior; I imagine that SnapGear, in response, would pat Nexland on the head and smile indulgently.

Now for the stuff the PRO+ can do that regular sharer boxes, even relatively fancy ones like the Pro100, can't.

SnapGear back panel

A look at the PRO+'s back panel reveals a LAN port, a WAN port, a serial port and a DC input, as on the Pro100. The PRO+ has an outboard power supply like the Pro100, but at least it's the laptop-style lump-in-a-wire type that plugs in with a standard IEC lead, not the plain old wall wart the Pro100 uses. You get regular and crossover network cables with the PRO+, and an RJ-11 phone cable too, but no serial cable.

The PRO+'s WAN port is capable of 100BaseT as well as 10BaseT operation; the total throughput the PRO+ can manage is quoted at 18 megabits per second. That's a bit less than half of a DS3 ("T3") connection's bandwidth.

Since practically all broadband connections have bandwidth way lower than that, it's unlikely to be relevant for most users. Buying a fat enough pipe to use most of the Pro100's bandwidth is going to cost you a staggering amount of money pretty much anywhere in the world. Here in Australia, where the just-leave-your-wallet-here-sir brigade at Telstra have a stranglehold on serious connectivity, any small business whose activities do not involve the import and distribution of well-wrapped parcels of white powder simply need not apply.

There's some justification for large network bandwidth capability, though, because router boxes need to look at all of the LAN traffic that makes it to their network segment, not just the traffic that's actually aimed at the Internet. You can isolate a router from irrelevant local traffic with a bridge of some sort if you like, but if you don't, heavy LAN traffic can apparently seriously hurt the performance of budget sharer boxes, as they struggle to sift through it all to see what they need to act upon.

Getting back to the back of the PRO+, there's also an RJ-11 modem port. The PRO+ can do dial-up modem failover, like the Pro100, but it has an internal V.90 modem.

Your fallback device can be connected to the serial port as well, of course; the PRO+ will work with ISDN adapters that way. Or you can use that port for another modem, and use either or both of the two modems you now have connected for dial-in connections to the PRO+, using it as a Remote Access Server.

This means that your road-warriors or telecommuters don't have to establish an Internet connection and use VPN to access your local network. Hooking up via the Internet is not going to give a dial-up user a fast connection; VPNs, even over short-hop uncongested Internet connections, aren't lightning fast at the best of times. Rather than put up with that, your remote users can just dial straight into the PRO+, and get better performance. It still won't be terribly exciting, of course; "56K" modems connected to each other can only manage bandwidth of about three kilobytes per second each way at once, and that ain't much for LAN access. But it'll be better, at least.

The PRO+ can't give you more than two dial-in connections, and dial-in isn't very economical for long hookups from people far, far away. But for some customers, dial-in will nonetheless be a major feature.

One important feature of the PRO+ is that, like the other SnapGear appliances, it runs uClinux, and is thus highly configurable. Anybody who groks Linux (or other Unix flavours, with a bit of a refresher course) can get at all of the PRO+'s config and log files, see what it's doing, and tune its performance, without having to hunt through a Web interface to see if there's a radio button to turn on or off the particular thing they want.

This feature is, for the home-router market, almost totally pointless. Home users, and anybody else to whom Linux is incomprehensible, won't go past the Web setup interface; they might as well have a less flexible router, which'll probably do everything they need to do anyway. People who want the extra flexibility of uClinux, though, will get it from SnapGear.

And yes, you can Telnet in to the PRO+, and to every other SnapGear box; the Telnet interface lets you set up everything you can do via the Web interface, plus a few extras like setting the (largely irrelevant) internal clock.

The PRO+ comes with a quick setup guide, but its full manual is in PDF format on the software CD. The manual's fine, but could be better; it covers the entire SnapGear range, and never actually specifically mentions the PRO+ at all. This doesn't actually make the manual confusing, as such, but it does mean it's got more pages in it than it needs.

Apart from the documentation, there's not much on the CD. A couple of utilities to set the PRO+'s IP address over the network (one Windows, one Linux), a little Windows auto-setup program that'll get you to the point where you can start using the Web config interface, and that's it. The PRO+, like SnapGear's other boxes, doesn't come with an IP address set at all, so it's impossible for it to clash with something else on the network when you first plug it in. The setup utility can find the addressless router and give it any address you choose; you can also use the serial-link setup method to get past this hurdle.

In the VPN department, as previously mentioned, SnapGear's products can actually make the connection themselves, rather than just pass through VPN data from PCs behind their firewall. IPsec or PPTP, with 100 or 33 tunnels respectively for the PRO+. Which ought to be enough that a really seriously large office can be connected through this (relatively) dinky plastic box.

You don't have to use a SnapGear box at each end of the VPN connection, mind you; you can use the PRO+ as client or server in a VPN with a non-SnapGear device at the other end. The several firmware revisions since I checked out the LITE+ have enhanced the SnapGear boxes' VPN compatibility; unless I'm missing something, they really ought to be able to connect to anything that's got IPsec or PPTP on the label, now, even if it's quite quirky.

Along with this other enterprise-hardware-ish VPN functionality, the PRO+ also has SnapGear's standard unlimited-users license. Well, it's not a license at all, really; it's a lack of one.

The cheaper SnapGear boxes have limits, imposed by their hardware capabilities, on how many IPsec and PPTP tunnels they support. Those limits rule them out for everything but small office use, if VPN tunnels matter to you. If you just want to connect an office of 100 terminals to the Internet, mind you, a piddly little SnapGear box would probably be perfectly up to the task, provided the pipe you want to connect it to isn't a heck of a lot fatter than a consumer broadband link.

None of SnapGear's products, however, have artificial user number limits, which is a bit unusual. Enterprise networking hardware and software is renowned for having Draconian license conditions, which can add tens of thousands of bucks to the price if you want to connect every desk in a large office. SnapGear don't work that way. They do charge for support services, but seeing as enterprise network hardware companies generally charge for that as well, it's not as if you're losing anything.

And now, the giblets.

SnapGear circuit board

Like the Pro100, the PRO+ has one circuit board inside it. Well, one and a bit, actually...

SnapGear sub-board

...because the Multi-Tech-powered modem sits on its own little sub-board.

SnapGear CPU

The PRO+ is powered by an AMD SC520 microcontroller, which is built around a 133MHz 80486-class core and consumes a mere 1.6 watts, peak.

The PRO+ also has 16 megabytes of RAM, which is a lot more than a simple small-office router box needs. The extra RAM allows the PRO+ to accommodate heavy traffic loads; router boxes have to hold data about connections, and temporarily hold actual traffic data, for every user. I don't know whether the 4Mb Nexland box would actually have RAM issues if you started trying to see just how "unlimited" its "unlimited IPsec tunnels" feature is, or whether it'd just choke on all of the traffic first, but the PRO+ is clearly superior.

SnapGear chips 1

A couple of Realtek RTL8139C Fast Ethernet controllers, and a Hifn 7951 security processor, which is what handles the PRO+'s IPsec encryption workload.

SnapGear chips 2

What this Linux box has instead of a hard drive. The two nearest ICs are eight megabyte Intel 28F640 flash RAM chips; they make up the PRO+'s 16 megabytes of non-volatile flash memory, on top of its 16 megabytes of normal volatile RAM. The smaller chip behind the Intel ones is an AMD Am29LV flash RAM chip, which if I'm reading it right has 1Mb capacity. I'm not sure what it's used for, as it's not counted towards the PRO+'s memory capacity on SnapGear's spec sheet.


There's more that can be said about the PRO+'s functionality, but I've already said it in the Pro100 section.

The Nexland Pro100 is a good product. Solid, easy to set up, amply warranted (the PRO+ only has a one year warranty), well documented; it's a straightforward way to add shared broadband to a LAN, with modem/ISDN fallback as a bonus. Its IPsec VPN passthrough ability may be just what you want, provided you take the "unlimited tunnels" claim with a grain of salt.

The PRO+ does pretty much what the Pro100 does, plus more. If that "more" part - VPN client and server, modem-plus-serial-port, Remote Access Server, lots of throughput capability, uClinux, no user limits on all the "enterprise" features - matters to you, then the PRO+ seems likely to be a solid gold unquestionable can't-miss-it product, for you. Seriously - it's going to be so spectacularly superior on a dollars-per-feature basis to the heavy corporate hardware you'd otherwise have to buy that you're likely to think there has to be a catch.

Well, so far as I can see, there isn't.

You might have to put a Pro100 inside a big rack cabinet with lots of flashing lights on it, to persuade your glorious leaders that you're not connecting the company to the Internet through some little plastic toy. But unless you need some extra functionality that multi-kilobuck gear has and this box doesn't, the PRO+ (or, perhaps, a slightly cheaper SnapGear box) could save you some major dollars.

Many of the features of SnapGear's products, right down to the basic LITE, are superfluous for almost the whole of the plastic-router-gadget market. Most people buying these things don't have any use at all for VPNs or accessible config files, and wouldn't use a squillionth of the PRO+'s processing power. Those people don't need a Pro100, either; they'll be happy with pretty much any super-cheap anonymous sharer box, as long as its Web interface doesn't stink, it supports the authentication system their ISP uses, and its wall-wart power supply doesn't catch fire.

Is the PRO+ a better product than the Pro100? Well, yes, if you're just talking feature lists. Whether you're likely to want one, or the other, or neither, though, depends on your application.

The Pro100 is quite impressive, if you need it; the PRO+ is very impressive, if you need it. With that proviso, both of them get a Recommended stamp from me.

Nexland Pro100 Internet Security Box kindly provided by Nexland.

SnapGear PRO+ kindly provided by SnapGear.

Little brother

SnapGear LITE+

Here's my review from last year of the SnapGear LITE+, and some other... less satisfying... router options.

Give Dan some money!
(and no-one gets hurt)