iXBT Labs - Computer Hardware in Detail


OfficeConnect Secure Router and OfficeConnect VPN Firewall – Screening Router and Firewall from 3Com
Testing Traffic Shaping

This feature is supported only in the 3CR870. The company claims that the device can limit incoming as well as outgoing traffic.

So we set the incoming/outgoing traffic limits to 1024/512 and started the traffic generators.



4.1 Limiting the entire band of outgoing traffic.



Traffic shaping, upload only, NetIQ Chariot, Throughput.scr

Yes, the outgoing Internet traffic is limited, but the average speed is a little higher (~70 Kbit) than the configured limit.



4.2 Limiting the entire band of incoming traffic.



Traffic shaping, download only, NetIQ Chariot, Throughput.scr

The download traffic is also limited, but the average speed exceeds the configured limit by approximately 100 Kbit.



4.3 Limiting the outgoing traffic by ports (creating queue groups).



Limiting incoming/outgoing traffic as a whole is useful, but sometimes you need to limit the traffic of particular protocols or applications. Unfortunately, the 3CR870 has no comprehensive system for this: you can only limit the traffic through a given port (it is not clear whether this means the source or the destination port) and assign one of two priorities to that limit.

So we set the general download/upload limit to 2048/768 and created several traffic classes (see the screenshot above). Note again that in this case we test the outgoing traffic model, that is, in reality this traffic would be generated by LAN computers behind the 3Com router (published as virtual servers) and sent to the Internet.



Traffic shaping by source port, upload only, NetIQ Chariot, Throughput.scr

Traffic shaping by destination port, upload only, NetIQ Chariot, Throughput.scr

In the first diagram the traffic was sent from ports 80, 23, 110 and 25 (testing filtering by source ports); in the second, vice versa, the traffic was sent from a random port to ports 80, 23, 110 and 25 (testing filtering by destination ports). Clearly the rules catch traffic by destination port, but they do not react to the source port. And again the overall traffic limit is a tad higher than it should be.

When the rules do engage (filtering by destination port) everything is fine: high-priority protocols take most of the band, and at those moments the low-priority protocols slump, which is how it should work. But this holds only for filtering by destination port. For outgoing traffic it is of little use (strictly speaking, its use is very limited, e.g. such a rule can cap outgoing mail traffic to an external SMTP server).



4.4 Limiting the incoming traffic by ports (creating queue groups).



Of course, not everybody needs outgoing traffic shaping (not everyone runs servers that generate heavy Internet traffic), but the ability to cap incoming Internet traffic and share it by priority is something many people need.

So we repeat the previous test, but now the traffic comes in from the Internet.



Traffic shaping by source port, download only, NetIQ Chariot, Throughput.scr

Traffic shaping by destination port, download only, NetIQ Chariot, Throughput.scr

In the first diagram the traffic comes into the LAN from ports 80, 23, 110 and 25. In the second, vice versa, the traffic comes from a random port to ports 80, 23, 110 and 25.

The situation is similar to the previous test: the rules react only to the destination port, and the upper traffic limit is again higher than required.

To sum up: outgoing/incoming traffic shaping by custom rules works well, but the rules can match only the destination port. This means the existing traffic shaping method (creating queue groups) will be of little use: most users need tools to sort traffic into queues by source port (for downloads, that is the port of the remote server).
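As an added example (not from the review or from 3Com), the script below models what the two queue-group tests above measure: constructed one-second Chariot-style samples are sorted into queue groups by destination port or by source port, the average rate is compared with the configured limit to get the overshoot, and the priority behaviour is checked for each matching mode. The port-to-priority rules and the sample values are assumptions.

```python
"""Shaper validation over constructed throughput samples (added example)."""
from collections import defaultdict

# Constructed 1-second samples: (second, src_port, dst_port, kbit_per_sec).
# Seconds 1-2: LAN clients talk to remote ports 80/25 (destination-port match).
# Seconds 3-4: LAN servers on ports 80/25 reply to random remote ports; the two
# flows share the band almost evenly, i.e. no prioritisation took place.
SAMPLES = [
    (1, 40001, 80, 400), (1, 40002, 25, 180),
    (2, 40001, 80, 420), (2, 40002, 25, 160),
    (3, 80, 40003, 300), (3, 25, 40004, 284),
    (4, 80, 40003, 290), (4, 25, 40004, 294),
]
# Assumed queue groups: port -> one of the two priorities the router offers.
RULES = {80: "high", 23: "high", 110: "low", 25: "low"}

def classify(src_port, dst_port, match_on="dst"):
    """Queue group a flow lands in; match_on selects which port the rule reads."""
    port = dst_port if match_on == "dst" else src_port
    return RULES.get(port, "default")

def per_queue_rates(samples, match_on="dst"):
    """Average Kbit/s per queue over the whole run."""
    seconds = len({s[0] for s in samples})
    sums = defaultdict(float)
    for _, sp, dp, kb in samples:
        sums[classify(sp, dp, match_on)] += kb
    return {q: v / seconds for q, v in sums.items()}

def overshoot(samples, limit_kbits):
    """How far the average total rate exceeds the configured limit (0 if within)."""
    seconds = len({s[0] for s in samples})
    total = sum(kb for *_, kb in samples) / seconds
    return max(0.0, total - limit_kbits)

def rules_engaged(samples, match_on="dst"):
    """True if, whenever both queues carry traffic, 'high' gets more than 'low'."""
    by_sec = defaultdict(lambda: defaultdict(float))
    for t, sp, dp, kb in samples:
        by_sec[t][classify(sp, dp, match_on)] += kb
    both = [q for q in by_sec.values() if "high" in q and "low" in q]
    return bool(both) and all(q["high"] > q["low"] for q in both)

if __name__ == "__main__":
    print("overshoot over 512 Kbit limit:", overshoot(SAMPLES, 512))
    print("rules engaged by dst port:", rules_engaged(SAMPLES, "dst"))
    print("rules engaged by src port:", rules_engaged(SAMPLES, "src"))
```

With these samples the destination-port check reports the rules engaged and the source-port check does not, reproducing the review's finding alongside a 70 Kbit overshoot of the 512 Kbit limit.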



3CR860 and 3CR870 security tests

The tests were carried out according to this technique.

All the settings of the device were set to default (firewall enabled) before scanning. Enabling/disabling ICMP ping in the WAN interface did not have any impact on the results, so we left the ping option enabled.

Nessus reports (identical in both devices):

Note that it was very difficult to scan the devices: both routers frequently lit the Alert LED and added records to the log saying that such-and-such IP had been trying to scan or attack and was blocked. Nessus in careful mode (infrequent probes) did not trip this guard, but even so we could not scan the device completely.

Thus, the Nessus report is almost empty (that is, everything is fine), but we did find one critical security flaw. In theory it allows the device to be frozen or rebooted. I hope this flaw will be fixed in the next firmware version.


Availability

When this review was written, neither device was yet available in retail.


Conclusions

Both devices are thorough revisions of the 3Com OfficeConnect Cable/DSL Secure Gateway. Both offer good performance and a fairly good security level (apart from the flaw we found). The high-performance built-in VPN server (IPSec/PPTP/L2TP) allows secure connections to be established between networks.

But as always, there is a fly in the ointment: there is no remote administration (the web interface is not reachable on the WAN port), and the embedded firewall is far from flexible.

Pros and cons common to both devices:

Pros:

  • High routing performance (transfer between the LAN and WAN segments)
  • VPN server IPSec/L2TP/PPTP
  • High performance of the embedded VPN server supporting IPSec
  • IPSec/L2TP/PPTP pass-through support
  • Fairly good security level with an option to auto-detect attacks and block intruders
  • There is an option (though primitive) to limit the incoming and outgoing traffic
  • Detailed logs, which can be stored on the external syslog server
  • Web content filtering (by subscription to special services)

Cons:

  • No certificate support in IPSec (works only with pre-shared keys)
  • Impossible to set up different encryption modes in IPSec for the first and the second stages of connection establishment
  • IPSec encryption speed (in 3DES mode) between two 3Com routers is lower than when connecting to a Linux host
  • (Only in the 3CR870) buggy traffic shaping: upper traffic limits are not observed, outgoing traffic shaping by source port does not work (rules match only the destination port), primitive shaping criteria
  • Poor means to set up rules for the on-board firewall
  • Telnet control is not supported
  • SNMP is not supported



The devices are kindly provided by the 3Com representative.


Eugene Zaitsev (eightn@ixbt.com)
9 August, 2004
Updated on 19 August, 2004
