OS X behind AirPort express/extreme

Discussion in 'Mac OS X Server, Xserve, and Networking' started by cpuin, Jan 24, 2014.

  1. cpuin macrumors member

    Feb 3, 2013
    After many tries with the built-in PF firewall and the GUI IceFloor I decided to replace the software firewall with a hardware one. I like AirPort Express because it integrates very well with the Server.app, but from what i read


    I'm not able to measure the risk. Are there people who have been using AirPort Express/Extreme in front of OS X Server for a long time without problems? I'm using it mainly for web server and mail server.

    Cisco (rv220w) or AirPort Express - this is the question. I need only a NAT firewall.
  2. mvmanolov macrumors 6502a

    Aug 27, 2013
    I've been doing so for a while now without any issues. I like the integration and am ok with giving up some control (as you have more with a non-Apple router).

    The only other thing to consider, however, is that the actual LAN throughput of the AE/TC is rather slow, 30-40MB/s ( http://www.smallnetbuilder.com/lanwan/router-charts/view ), so what you can do (what I've done) is just buy a gigabit switch and connect all your ethernet devices through that rather than directly to the AE/TC. A simple unmanaged switch will do; TP-Links will run you about $30-40 for a 5-8 port one. This way you can have your full 100MB/s in your home LAN for file transfers etc :D
  3. Alrescha macrumors 68020

    Jan 1, 2008
    To the best of my ability to tell, that site measures LAN to WAN or WAN to LAN throughput, but does not measure LAN-LAN throughput (which several people have reported as being in excess of 700Mb/sec on the new Airport Extreme).

  4. mvmanolov macrumors 6502a

    Aug 27, 2013
    Yes, you are correct, I did not realize that. Nevertheless, I tested on my own network and the same conclusion holds, however :(
  5. cpuin thread starter macrumors member

    Feb 3, 2013
    All of you mention "home" usage.
    I use my Mac mini server as a serious web server, VPN server, file server.
    I have to choose between the Cisco rv220 and the AirPort Express, but for the time being everything points to Cisco.
  6. mvmanolov macrumors 6502a

    Aug 27, 2013
    The Cisco will give you a lot more flexibility... so if you want to be able to control more things on your router don't go with the AE.

    The AE will integrate a lot better with the Server app; this will make it a lot easier to configure the firewall to let through the services you want. (That being said, it will not be exceptionally hard to identify which ports you need to forward in the Cisco in order to make sure that your services work...)

    On the performance note, you will not see any real difference. The external speed that you get (the one provided to you by the ISP) is more than unlikely to saturate either the AE or the Cisco... so from that perspective there really is no difference.

    So recap: what do you want?

    Full control over your routing? - then Cisco!

    Ease of use and integration? - then AE!
  7. cpuin thread starter macrumors member

    Feb 3, 2013
    Regarding the speed: our country, Bulgaria, is among the first 6 countries with super fast internet, so the speed is important!

    I want ease of use like the AE offers, but not at the cost of security!!! I'm saying this because the AE/TC don't offer stealth mode!
  8. mvmanolov macrumors 6502a

    Aug 27, 2013
    lol, funny. Hello :D What speed do you think you will get from the ISP? However fast your external connection is (let's say 100/100 or 200/200), that is about 10-20MB/s; at those speeds you won't see any difference between the two routers.

    Provided that you want to be able to have full control, I would recommend that you get the Cisco!

    From a security point of view: what do you mean by stealth mode? With the AE you would be able to set up a WiFi network that does not broadcast the SSID.
  9. cpuin thread starter macrumors member

    Feb 3, 2013

    My ISP gives me 100MBit in one direction, that is 200 in total!
    Regarding "stealth" mode, I don't mean WiFi broadcast! My WiFi is disabled.
    I mean that when somebody performs a port scan, it should answer not with open/closed, but with nothing. This option is very important for DoS attacks. And this option is available in most routers, but not in the AE/TC.
  10. mvmanolov macrumors 6502a

    Aug 27, 2013
    At 10/10 MB/s there will again be no difference in the router's external speed. The AE is in principle (default configuration) stealth. That is, if you don't open ports for other reasons - such as VPN access or web hosting - then if you scan your IP all ports will be shown as either blocked or stealth. If, however, you want to open some ports, then the AE cannot mask them. I don't know whether the Cisco can. If it can, then your solution is easy... :D
  11. cpuin thread starter macrumors member

    Feb 3, 2013
    I'll keep to English, because it's an English forum and they can ban us.

    I can't agree with you. I have performed three independent tests with AirPort Express, AirPort Extreme, TC. I've made the tests using https://www.grc.com/x/ne.dll?bh0bkyd2

    which is a standard in security audit. It shows in these cases all ports as "closed" in blue, but not "stealth" in green as with Cisco for example!!!

    In Apple routers ports are not stealth! There is also no option to make them stealth!! This is the problem. Try this yourself!
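
The "closed" versus "stealth" distinction discussed in posts 9 to 11, as an added example that is not part of any post in the thread: a refused TCP connection means a reset came back ("closed"), while an attempt that times out with no reply at all is "stealth". The function names, the 2-second timeout and the localhost demo are assumptions; to check your own router, run `audit` from an outside host you control against your own WAN address.

```python
import socket

OPEN, CLOSED, STEALTH = "open", "closed", "stealth"  # labels as used in the thread

def classify(exc):
    """Map one TCP connect result (None = connected, else the exception) to a state."""
    if exc is None:
        return OPEN                      # SYN/ACK received
    if isinstance(exc, ConnectionRefusedError):
        return CLOSED                    # RST received: the host is visibly there
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return STEALTH                   # no reply at all: the packet was dropped
    raise exc                            # routing/DNS errors are not a port state

def probe(host, port, timeout=2.0):
    """Attempt a full TCP connect to host:port and classify the outcome."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
    except OSError as exc:
        return classify(exc)
    finally:
        sock.close()
    return classify(None)

def audit(host, forwarded, ports, timeout=2.0):
    """Return {port: state} for ports that deviate from the intended policy:
    forwarded ports should be open, everything else should be stealth."""
    findings = {}
    for port in ports:
        state = probe(host, port, timeout)
        expected = OPEN if port in forwarded else STEALTH
        if state != expected:
            findings[port] = state
    return findings

if __name__ == "__main__":
    # Constructed offline demo: a local listener stands in for a forwarded service.
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    open_port = srv.getsockname()[1]
    # Port 1 is normally unused on localhost, so it is reported as a deviation.
    print(audit("127.0.0.1", {open_port}, [open_port, 1]))
    srv.close()
```

An empty result means every forwarded port answered and every other probed port stayed silent.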
  12. mvmanolov macrumors 6502a

    Aug 27, 2013
    Yes, that is true; my point wasn't that all ports are stealth by default, only that some are. So I think we're not in any particular disagreement. And as I suggested, if that is important for you then simply get the Cisco router and be done with it :D
  13. cpuin thread starter macrumors member

    Feb 3, 2013
    After a detailed test, AirPort Extreme/Express didn't pass the DoS attack.
    We performed a UDP flood attack and the internet just stopped. Obviously there is no built-in protection for this kind of attack, which makes AirPort Extreme/Express/TC not a reliable device for securing your server!

    The Cisco rv220 successfully passed the DoS attack, and that was the reason it's now in front of my server.
  14. mvmanolov macrumors 6502a

    Aug 27, 2013
    That only makes sense; the AE/TC is hardly an enterprise-level tool. All of that being said, however, they are quite good when it comes to WiFi range and throughput :D But since you don't need that, then...

    One more thing though... check this out:

    If you have not yet bought the Cisco or if you can return it (I know in .bg that's hard) then this may be a nice option...
  15. cpuin thread starter macrumors member

    Feb 3, 2013
    :) It's not hard to return a product in BG if you keep to the rules written in the law.

    I have had the Cisco for 2 years, it's still under warranty and works super. The reason I wanted to use AirPort E/TC was because of its integration with OS X Server. Nothing more. I could not sacrifice security for ease of use.
