Choosing a Router/Firewall for the Home LAN 666
"It's not at all obvious from the packaging, the web sites, or the drool-proof pamphlets in the boxes which routers will do what. For example, we'd like to pass through packets for our two server machines, and use NAT/DHCP on a third address for the rest of the LAN. Nearly all the boxes advertise that they can do NAT routing, but many don't support NAT and static-IP routing simultaneously.
Die-hards will insist that one should run a standalone box with dual ethernet cards and the appropriate routing goodies -- but these standalone boxes, at 5-15 watts and a couple hundred bucks, seem like comparatively hassle-free solution. Which one do you use?"
Old PC (Score:2, Informative)
Re:Old PC (Score:2, Troll)
openbsd will allow you to have a firewall, and it will handle dhcp/nat/etc for you, but you'll have to configure it. That isnt hard, espescially for people who read this site, but its harder than plugging in a router and configuring it via web interface...
From a cost standpoint, I just bought a 99 dollar linksys router for about 45 after some clever rebates and amazon coupons. Go ahead and tell me what kind of hardware you can buy to run a *bsd router for that much money. I dont think you can even get a small hard drive for that price.
So, yes, congratulations on your first post, but you're wrong. typical.
Re:Old PC (Score:2)
"So, yes, congratulations on your first post, but you're wrong. typical."
Hmmm... $45 for a machine... let me see... Cheap network cards can be had new for around $10... I can get a working 486 from the goodwill down the road from me for anything from $5 to $30...
So I guess I could get a 486 with two network cards for $45 or under. Possibly even in a slimline case
Not new equipment, but it's up to the task.
Z.
Re:Old PC (Score:2)
Re:Old PC (Score:3, Informative)
"A decent 3COM or Intel NIC can not be found (easily) for $10."
I won't argue as to whether 3com NICS are decent, but I have bought second hand 3com cards before for much less than ten dollars.
As an AC posted a non decent network card can easily take the load of a T1... A T1 is nowhere near the bandwidth of a 10BaseT network.
Not every packet will travel through the firewall anyway. Some will be locally routed. Some will be stopped by the firewall.
Most importantly, the poster was looking for a way of doing NAT on some addresses and passing others through. I haven't seen one of these little boxes allow that from the ones I've used/looked at. That's not to say that there aren't any... But if there aren't then for the features that we are talking about a cheap 486 WILL outperform a standalone box that can't do what is being asked for.
Z.
Re:Old PC (Score:3, Informative)
It sounds like what the poster was needing is just something to do portforwarding. For most server applications, except DNS and possibly passive FTP, just forwarding whatever service you are needing to run on the internal machines from the firewall works extremely well. I know every Netgear Cable/DSL router I have ever used has this ability, and I assume the Linksys boxes will as well. These boxes will also allow you to assign some boxes via DHCP and some static.
Now, if you need routable addresses to internal machines, you are going to have to look beyond home routers. I have yet to see any that will allow you to do a combonation of 1:1 NAT/IP masq. Of course, this setup shouldn't be difficult to accomplish with a small *nix router.
the router / firewall I use (Score:3, Interesting)
IIRC it will forward up to 10 (maybe it's 20) ports to any computer internally. It is fairly configurable. Allows for static or DHCP internally (as a server and a client). And for $99 it is tough to beat. Sure you can get a POS Linux / *BSD box, but this worked for me literally out of the box. DISCLAIMER: I don't claim to be a huge power user, but for what I use it for (firewalling and fowarding of web, mail and ftp ports) it is ideal and it is simple. Here at my office, I wouldn't think of using something like this on our network, but it does quite nicely for a home user who is concerned about security and just wants more blinking lights
Re:Old PC (Score:2)
Right. A full T1 is only 1.5 Mbps, remember. At best, cable is about that downstream and no more than half that upstream. It doesn't take a whole lot of horsepower to route at that speed.
I did notice a speed improvement when I upgraded my firewall machine from a 386/33 to a Pentium/133. But that was just from the CPU increase; the NICs were just moved over to the new machine.
All hail the NE2000 clones! I had at least one honest-to-goodness Novell NE1000 (yes, one thousand) on my network too. Now I have a box full of these old, cheap cards. Wonder what I'd get for them on eBay?
Re:Old PC (Score:2)
If he doesn't have a switch/hub yet then he probably doesn't need one (coax?) If he does have a switch/hub then he doesn't need to buy one either.
So, given that he has ethernet out of his DSL router (one port) and a cross over cable (most DSL routers come with one included) and a hub then all he needs to do is plug the cross over cable into the DSL router. Plug the other end into the 486 firewall, and plug the other card of the 486 into the hub he already has.
Z.
Re:Old PC (Score:2, Informative)
There is a place in my town where the local state and university departments drop off their old equiptment. I picked up a P133 (32 MB RAM, 2.1 GB hard drive, AWE sound card) for $35, and they were selling 10/100 NICs for $3 apeice. That is $41 for a computer which is way more powerful then what is needed here.
Note that this same place went through some restructurings a few months ago; before that they were much cheeper. I have a complete 486 DX/4 100 system (8 MB RAM, 200 MB hard drive) which was $5. It came in one of those massive full-tower cases, which I then sold on eBay (the case alone) for around $50. Ten to one profit margins are nice :)
Re:Old PC (Score:3, Informative)
I may be dead wrong here, because I set up my 486/133 Coyote Linux/Seawall box over a year ago and haven't looked at dedicated firewalls since, but at that time the old PC was far cheaper for one simple reason: no upgrade costs to add more PCs to your local network.
The dedicated firewalls of one year ago served you 3 or 4 local IP addresses and charged big bucks for the "right" to use additional local IP addresses. They were going for the 'service subscription' business model over 'make money on the hardware'. That sucks. I'll be damned if I'll pay $250 or even $50 for a firewall that doesn't cover 255 local IP addresses (reserving one for itself). I hope you bought a model without such artificial limitations, and if you did then you got a great deal. Which Linksys did you buy?
Re:Old PC (Score:2, Interesting)
I recently bought a $35 no-name P100 PC at auction on EBay thinking I'd create a low-ball Linux-based router/firewall. The PC already had one NIC, 32 MB RAM, and a 500 MB HD. I had a spare NIC in my junk box as well as an unused 15" monitor. Ready to roll, right?
Well, no. The PC turned out to be a 100 MHz 486, not a Pentium. It'd cost more to ship the damn thing back to the seller than to keep it, so I pressed on. I tried to install Red Hat Linux 7.1 on the system, but Anaconda consistently failed due to a thrown Signal 11. Suspecting some sort of memory problem as the culprit, I tried disabling the processor's external cache, turning off hidden refreshes, and several other things before giving up. A year-old copy of Storm Linux almost installed, but the system consistently froze up at the very end of the install process.
Yes, I guess I did 'learn' something by this experience. If you intend to run Linux, stay away from old, cheap, no-name hardware. And if you're in a hurry to get something done - like install a firewall - as opposed to fighting hardware/software issues, buy an appliance.
Re:Old PC (Score:5, Interesting)
Re:Old PC (Score:2)
If I hadn't had the hardware, I'd probably have sprung for a dedicated device, but mostly due to convenience, not the other issues you raise. It is easier to manage a box with a browser than command line editors (Coyote doesn't even include vi :-).
Re:Old PC (Score:5, Interesting)
Other than IPv6, all the rest can be done with a separate 24/7 machine behind a linksys, but IPv6 tunnels do not work through a linksys on a dynamic IP, at least not with freenet6 or any other IPv6 tunnel service I know. Because of this I've personally been forced to stop using my linksys completely. What we need is an open-source linksys with a bios that can be programmed by the end user. I'd pay $100-200 for such a device.
Dynamic DNS with Linksys router howto... (Score:3, Interesting)
Just set it up to run with a cron job, and if your IP has changed, it will be updated. With the linksys router, it doesn't even need an external CGI to detect your IP address-- it can query the router. I'm sure some of the other units have similar functionality, too, but my experience is only with the linksys.
Re:Old PC (Score:2)
Not much heat. Remember, that D-Link thing uses a transformer which gets good and toasty.
Not much more noise. Put some dynamat on the inside of the case or some other sound insulation. And remember, you are underclocking/using an old chip, so passive cooling is okay. The only moderate noise is from the HD.
I will grant you the space. But it's possible to find dinky cabinets.
Still, if the firewall portion is good, it might be a better bet to get one, because while the issues you raise can be overcome, unless you like to tinker, it's easier to just buy the little box and be done with it.
Re:Old PC (Score:2)
plus, it was a box rescued from the trash heap with spare parts from other dead boxes, making it 100% free - with the exception of the time I put into putting it together.
Re:Old Laptop (Score:5, Interesting)
Built in battery backup
Low power consumption
Few (if any) noisy fans
Small, and fit nicely in a rack shelf
Built in collapsible console
Look around and you can find one for about the same price as the small NAT routers. The only real shame is they only have typically two PCMCIA slots, so you can't have a DMZ or wireless net interface seperate from the internal and external interfaces.
Re:Old PC (Score:2, Interesting)
I have used a linksys before and it was darn easy. Don't know about the NAT/Static simutaneous issue though.
Re:Old PC (Score:5, Insightful)
There are also people who do not want to, or do not know HOW to assemble a cheap PC from parts. There is no shame in a "black box" solution.
Re:Old PC (Score:5, Insightful)
How is it so many smart people have so much trouble reading?
Re:Old PC (Score:2)
I don't recommend that if you have high-speed access like a Cable modem. I run Linux on a P/II 266 using NAT, and I get 300 KBytes/second on the Linux box, and about 180 KBytes on the rest of my network. This is one of the major reasons I'm planning on upgrading my Linux box.
Re:Old PC (Score:2)
if they're worried about performance get a P-100, which will probably be just as cheap. but that's overkill, really.
Re:Old PC (Score:2, Insightful)
Re:Old PC (Score:2)
Harddriveless (Score:5, Informative)
You don't need a hard drive for a firewall/router made from an old machine. Check out the LRP [linuxrouter.org] for a solution that fits on a single 1.44 mbyte floppy that can be write-protected and just needs to be power-cycled to be reboot.
Re:Harddriveless (Score:3, Informative)
What I'd *really* like to see is a fanless power supply for such an application. It'd probably have to be limited to, say, 100W but that could cover such a box easily, especially if permitted to overload slightly at boot-up.
Anybody know of such a thing? I have the perfect little 486 that I'm not using as a router because I don't want to consume any more power than I have to. But if all I had to run was the solid-state components and the floppy at power-up, I'd be much more willing...
Re:Harddriveless (Score:2, Interesting)
Re:Old PC (Score:3, Informative)
OpenBSD Networking Setup [openbsd.org]
OpenBSD has excellent documentation and FAQs. Just be sure to read, and re-read so you understand what's going on.
Re:Old PC (Score:2, Informative)
This would have been a very short post except for the stinking lameness filter which has forced me to add this text in an effort to overcome the stinking lameness filter. I thought that was what moderators were for.
A Good Source of Info (Score:5, Informative)
All kinds of good information and reviews on exactly what you're looking for.
Personally... (Score:2, Interesting)
my room-mate and have just what you describe at the end,.. a P90 running slackware, with telnetd, et al disabled, and two cheap ethernet cards.
it works amazingly well, had two months of constant service until a power blip caused it to reboot the other day (yeah yeah, i need to get a UPS.)
it's amazingly cheap (read: nigh-unto free) and quite hassle free in its own right. not only that but it's breath-takingly easy to configure and maintain for anyone who probably reads
...dave
I personally (Score:2)
and the winner still is (Score:2)
That being said, is there any sort of config utility fopr IPtables that runs on Apache? These stupid little Linksys/Netgear/etc firewall thingies have web interfaces. People like them. I can go and tweak out my iptables stuff but too many admins would prefer not to. Is there any good solution?
Re:and the winner still is (Score:4, Informative)
> many admins would prefer not to. Is there any
> good solution?
Try Firewall Builder: http://www.fwbuilder.org/
Re:and the winner still is (Score:2, Informative)
Re:and the winner still is (Score:2)
That 486 in the corner gathering dust is also a huge amperage sink, and is more likely to have bizarro hardware that has really crummy driver support.
Plus, you now have to learn the intricacies of firewalling -- and if you get rooted, you now have to spend some more time trying to figure out what went wrong.
I'd rather pay some company $100 or so and let them figure it out -- all I have to do is keep the firmware updated.
Re:and the winner still is (Score:2)
486? Mine is a 386. bought in augest of 91. Still boots from the orginional 80 mb harddrive. (everyone else was buying 40 mb harddrives at the time and finding them too small, so we went with 80)
Works great, survived y2k. I keep waiting for it to die and wondering if it will be worth the bother of fixing. I hope it keeps running though. I have better things to spend money on.
My experience (Score:4, Informative)
SOHOWARE sucks big time - buggy and unreliable. Do not beleive words about "Stateful Packet Inspection" - even if it does it you could not use it.
What I really want to see is SNMP management for
such devices. Unfortunalty, best they could do
is read-only SNMP access.
What do you need the most? (Score:2, Informative)
I expect for the average SOHO, all they want is connectivity, rather then the ability to do everything...
old pc is the way to go (Score:2, Insightful)
the old pc offers the most flexibility. our's has been running in a closet for over a year now.
Take a look at Smoothwall, perhaps? (Score:5, Informative)
Since most people have an old 486 or Pentium lying around, the cost to set this up is next to nothing - and it has features the hardware firewall/router boxes don't include. (EG. Ability to auto-update your dynamic IP with the dyndns.org service and "snort" to log hack attempts with details on what was attempted.)
Re:Take a look at Smoothwall, perhaps? (Score:5, Informative)
www.smoothwall.com is a real estate site.
Linksys support is iffy (Score:2)
As for the suggestion that you run an old box, please, give it up. If it works for you, great, but I switched from a box to a hub because of power consumption, noise, floor space, etc. Except for those hassles with javascript, I haven't regretted this decision.
Re:Linksys support is iffy (Score:2)
Of course, I live in a large house in an area with cheap electricity, so someone else might not use this solution. Getting some good use out of my old, perfectly functional Compaq Presario 486, though.
Here's what I have. (Score:3, Informative)
Try this out (Score:2, Informative)
www.smoothwall.org
And when I had some problems with setup they were extremely helpful on irc.
"boxen" (Score:2, Funny)
if you are going to call a computer a 'box', at least pluralize it like a regular english speaking human.
LRP (Score:2, Informative)
See www.linuxrouter.org [linuxrouter.org] for more information.
Steinkuehler's [steinkuehler.net] EigerStein was the distro I used - worked very well.
-Doughnuthole
Check SmoothWall (Score:2, Informative)
An amazing number of features in a so little Linux distribution. Well, find an old PC (almost any might be enough), install SmoothWall on it, then you've got your personal router/firewal/NAT/almost-whatever-you-want.
All being controlable through a web browser.
My 2c
SonicWall (Score:2, Informative)
Nice box. It was pricey, though, at about $400.
-glenn
I got the Linksys (Score:5, Informative)
I love the IP forwarding of the linksys. All connections to port 80, 443, 21 and 22 are reditected to my Linux box, and all other ports that involve games and *apster clones are redirected to my Game box. Remaining ports are blocked.
I've Used Snapgear and Linksys (Score:2)
I now use a Linksys DI-704; good feature set, built-in 4-port hub, inexpensive at $99, but somewhat lacking in remote logging capabilities. Still, I recommend both units.
OOPS. Make that Snapgear and D-Link (Score:2)
My Suggestion: Netgear RO318 (Score:4, Informative)
Overall, I love it. No problems with Quake III Arena, easy to set up, works flawlessly. The reasons the above poster listed are also true: with 8 ports, you can always plug in a laptop; port forwarding works well, and Netgear also has a great reputation.
Here is the product information page [netgear.com] at Netgear. It can be had from buy.com for $155.
OpenBSD (Score:3, Informative)
I use an old P133 (overkill, I know) running OBSD as my firewall/gateway/ntp server/dhcp server. I could have gone out and spent money on a nice compact unit, but I like the fact that I can upgrade my OS, tweak my filters and above all: learn more about OBSD, networking and OS hardening [geodsoft.com].
Priceless (Score:5, Funny)
2 old NICs sitting on shelf: Free
OpenBSD: Free
Laughing at hax0rs trying to hack your Bridge Firewall: Priceless.
Re:Priceless (Score:2)
Laughing at hax0rs trying to hack your Bridge Firewall: Priceless.
Yeah, sit on irc sometime. Back when winnuke was getting a bunch of hosts he used to love watchign people winnuke him. - he had a mac sitting behind my linux firewall.
And the sad part is, my linux firewall hadn't seen an update in 3 years (at that time)! but winnuke is so easy for the script kiddies that they don't even think to try to attack it.
Electricity Costs (Score:3, Insightful)
Re:Priceless -- not quite (Score:3, Informative)
SMC 7004ABR (Score:5, Informative)
- DHCP server
- NAT
- RJ-45 for connection to Cable/DSL and a DB-9 for connection to a modem.
I particularly like the fact that it can do Cable/DSL and Dial-up. Since I am moving a lot, I never know what is going to be available. You can even use the dial-up as a backup, should the Cable/DSL fail. Web based administration is straightforward. But I can't comment on that beyond the basics.
Power consumption is low (22W I think) and it is a lot quieter and much smaller than a PC.
It is good for my simple needs, but you may need more for your servers.
Here [smc.com] is a link to the product page. You can download the product brochure and check it out for yourself.
A bevy of information on configuring your routers (Score:5, Informative)
I have a netgear router myself, and have locked it down pretty well with the advice I found.
Another Old PC post! (Score:2, Interesting)
Since the poster seemed concerned about power, does anyone know details about how to reduce power consumption on a motherboard? One would assume that, since it is being used as a router, APM Sleep/Suspend is out of the question.
I recently upgraded the Motherboard in my router (an old 486 w/ Pentuim Overdrive) because I eventually want to run Apache on it (and 4MB 30-pin SIMMS are expensive compared to SDRAM!) I got my hands on an AT motherboard with USB (I had to make some "creative modifications" to the case, since the new MB had higher heat-sinks.) I got the lowest-frequency K6 chip I could find, and a cheap 64MB Memory stick. I have no clue how much power Its wasting while I'm here at work, and would be interested in knowing how to reduce it further.
Cisco 827 (Score:2)
netgear 311RT (Score:2, Insightful)
None of the various home routers ship with a real manual--you have to download it off the manufacturer's website. That should answer more pre-purchase questions about functionality than reading the outside of the box.
You know what we're going to say ;-) (Score:2)
It's what I've done at my home - and it works great. I took a spare Pentium 166 I had and underclocked it to 120 then put a fanless heatsink on it. I then clipped the leads to the fan in the power supply. The hard drive is set to spin down after a few minutes. Result: a totally quiet, fairly low wattage (35-45 watts I think) router/firewall.
As far as software goes, after much deliberation, I finally settled on Debian GNU/Linux. The main reason I chose Debian is because you can't beat "apt-get update; apt-get upgrade" for pure ease of system management.
I know you'd prefer an "off the shelf" solution, but when you use an old PC you get so much more. Not only can it do all the routing functions you require, but you also get a print server, a file server (MP3 shares anyone?), a Freenet node, etc.
It's more work, but it's fun and it's worth it.
two words (Score:2)
Old hardware (Score:2)
Using old computers for a rounter/firewall really doesn't take as much power as the above suggests. Recently, my local newspaper had an article on power consumption. It noted that a modern PC takes about as much power as an alarm clock; not much at all. Older equiptment (486 or Pentium) will probably do better, especialy if you can find a low-end power supply to go with.
For what you want, I suggest two boxes. Both can be between a 486 DX 50 to around a P100. You could even do a 386 DX if need be, but I've found that 486s go for around the same price anyway. I suggest the DX processors because I simply don't like the idea of math coprocessor emulation having to sit in my kernel. Give them both a floppy drive and an old hard drive (You can squeeze a good GNU/Linux distro into 40 MB if need be, but be careful of bloated distros like Red Hat; use Debian or even some form of BSD). If you don't want to waste those good 10/100 NICs on this, don't. A simple 10 Mbps NIC has more then enough bandwidth for a cable modem or DSL (except for the very very high speed DSL solutions, which nobody has yet anyway). The second box only needs one NIC (can also be 10 Mbps), but should have a larger hard drive. From this one, run stuff like DHCP, caching DNS, etc.
Personly, I have a 486 DX/4 100 with a 200 MB drive running Debian 2.2r2 and a Linux 2.4 kernel and an IPTables NAT firewall. This has two 10 Mbps NICs and a modem (I'm currently on dial-up, but the second NIC is there for when I finaly get cable or DSL). Another box runs a DHCP and DNS server. Yet another box is a small file server (using Samba) and also runs an FTP and HTTP server.
Efficient SpeedStream (Score:3, Interesting)
It's got probably everything you're looking for: NAT, DNS, port forwarding, hardware firewalling, and support for everything from PPPoE to static IPs on the ISP side. Plus it's got a nice HTML interface plus a UNIX-style Telnet interface (with lock-down support, of course) and even support for a serial cable so you can Telnet to it as a dumb terminal if the Ethernet's down. And the documentation, while not super-thorough, isn't drool-proofed. The only real complaint that I have with it is the way the firewall works; it blocks unopened ports if there's no outgoing packet to correspond with incoming ones. This is only a problem if you're serving something, but more software works like a server (as far as the router's concerned) than you may expect; it was a little weird having to manually open up AIM's port so my little brother could use AIM without having to initiate the conversation.
The main disadvantage is price and availability -- I don't know how easy these are for end users to get their hands on these, and it'll probably run upwards of $300. If you're lucky, your ISP might have some, but I've heard of ISPs giving out these routers and with the remote administration password-locked so people don't (ahem) accidentally enable NAT without paying for a static IP first.
My results for the LinkSys and NetGear products (Score:2, Informative)
Ups: The Linksys product was by far the simplest to configure. easy, embedded HTTP server makes config chores simple and fast. It's easy to screw up the password, tho, however recovery is easy. I thought that even though the Netgear was significantly more difficult to use (relying on CLI-based menus and a powerful yet byzantine trigger-based rule system), it had the most configurability.
Downs: This is why I'm using an OpenBSD box to do my NAT. Both routers rely on similar hardware, which, unfortunately, isn't up to the task of a 10Mbit cable modem or a 6Mbit DSL link. The peak rates I got out of each box was south of 490KBps, or right about 5 megabit. On my cable modem, it seriously throttled my downstream bandwidth, and I found it simpler to just take the time to really lock down my workstation and plug it straight into the cable modem.
My $.02
SMC Barricade Wireless Router SMC7004AWBR (Score:2, Informative)
In one $200 box, I get:
o wireless access point supporting, i believe, 255 users.
o 3 port 10/100 switched hub, plus the wan port.
o firewall/router with plenty of configurability
o print server, which works in both linux and windows.
the administration interface is easy to use, can keep pretty good logs if you want, and allows for the network to be buttoned up pretty tight.
it'll even hook up to a modem via a serial port, if you want to share a modem connection..
here's a review at practicallynetworked:
http://www.practicallynetworked.com/reviews/smc70
My experience... (Score:4, Informative)
First off, I've done the old PC thing myself. It was very flexible and I really liked having a linux box I could tunnel to. OTOH, it also sucked electricity and space which are 2 precious commodities here in California.
I eventually switched to the BEFSR41 from linksys. I picked it up for $100 (BestBuy just had them for $79) and its worked out wonderfully. Low power, silent, and very, very small.
One word of warning: if you intend on hosting any type of game server (quake, half-life, etc...) you should do a search on google first to make sure there aren't any weird problems with the device you decide on. For instance, I can run a half-life server behind the box, but it tends to kick people randomly.
WatchGuard (Score:2)
Sure, an old PC with *nix on it is cheaper, but this is quieter and requires less power. It's got a browser configurable setup, serves DHCP, allows for 10 users expandable to 50 users (4 ports, but you can daisy chain another hub off it) and is self updating.
A pretty cool unit for a home network. They also sell units for 100+ users, for small to mid size offices.
The Linksys is nice (Score:5, Troll)
I have the BEFSR41 [linksys.com], which is the router plus a 4-port 10/100 switch. It was about $100 from CompUSA.
Dislikes: the web-based interface is a bit wonky with Netscape 4.7 on *nix. It works, but has some weird errors on occasion.
Likes: it works as advertised. I fought with PPPoE on an OpenBSD box for several hours -- I could not figure out why it wasn't working, and none of the so-called "How-tos" helped.
So, I went and bought the Linksys, and within one hour (including the time it took to buy the thing), I was passing bits around the Internet.
The web-based interface does work somewhat with Lynx, but is very cantankerous when used so. I have ssh'ed into my server and then used Lynx to reconfigure the router.
You can forward ports to particular internal IPs, i.e. "all requests for port 80 goes to the computer at 192.168.1.100", and can even put one computer (one IP address) in a "DMZ", where it is completely open (all ports are available to answer).
If you want to do complex filtering or firewalling, it doesn't do such. If your needs aren't really complicated, it will work for you.
Re:The Linksys is nice (Score:2)
What's cool, is that you can use cURL and wget to skank the various pages and things. There's a file called Gozila.js which contains all the javascript functions, and you can use that to basically figure out how the guts work.
For example, I use it as my DHCP server for my home lan. I have a dual-boot (win98/Linux) desktop, and a Linux laptop. Let's say I'm on my laptop, and my desktop (downstairs, in the other room, etc) is booted into windows, and gets a dynamic IP. Well, each of my roommates has various machines on, too. So, I would look at the client table page, and figure out which machine was mine. then I'd VNC into it, reboot, and Linux is the default. the Linux side of things uses a fixed IP.
So, after some experimentation, I learned that you can use cURL/wget to pull the DHCP table out. Then, some grepping, and you have your machine. A simple click on my desktop, and I can reboot the machine into Linux. *I* was proud of myself.
Perhaps it's an overly geeky solution, but I was impressed at the "openness" of the device for simple tasks like this.
Score -1, Flamebait (Score:3, Insightful)
God help us when you all have actual beowolf clusters in your basements to brag about at every opportunity...
Which "home router" do I choose? (Score:5, Interesting)
Certainly the first suggestion I have when I see a home business paying for extra ips, is to take an old machine and setup ip masqurading on a linux box. However, I have found that many people are "scared" of linux, and some don't have dedicated machines. Others want a firewall, public servers, and of course the full web/email site setup. While some businesses look at this as opportunities for recuring fees to unknowledgeable users, I try to lay it all out for the customer. Advantages and disadvantages, ease of administration, power consumption, maintenance. In most cases, customers LOVE the all-in-one solution devices.
For power users that want to control all aspects of filtering, routing, port forwarding, and hosting, this is not the best option. However, it can be a *good* solution. I have up until recently been a Linksys advocate. It is actually a great product, and can perform NAT, DHCP (may toggle off and use an internal DHCP server), "DMZ" port forwarding, and flashable firmware. However, don't be fooled by the claim that it is a "switch". I spent many hours trying to find out directly from Linksys what some specifications were on the advertised "switch". First of all, it does not have a backplane. Anyone that knows what to look for in a switch, will first want to know how much data can be shared. When there is no backplane in any specs, and the "engineers" at Linksys don't seem to know what you are talking about, one tends to rethink their purchase. There is no mac table, nor is there anyway I have seen to find any specifics about how it "switches". Does anybody know what these devices really are? They have to be some sort of "smart" hub. What i have ended up doing, is purchasing NAT/router devices, and separate switches that perform like switches. I have found some D-link and Addtron switches with backplanes and viewable mac tables.
Also, the only way to configure any options on a Linksys device, is through a web browser. I have been able to use lynx before, but this one particular 8-port switch/router had broken tags in the config. I flashed the firmware, and tried just about every browser, but each time I would get java erros and broken tags. When I called tech support, they told me to take it back to my retailer. What they don't know, is that I had just replaced it, because the firmware flash died halfway through, and fried the device. This is not very reliable IMHO.
Netgear, however, allows you to telnet in and configure via command-line, which IMHO, is the most important feature of a configurable network device. JetAdmin or telnet for managing HP printers? Are you kidding me? I'll take command-line anyday. We need a low-end cisco device is what we need.
Are there any other command-line configurable NAT/routers that have actual backplanes for the switching component and has flashable firmware (other than a cisco switch) aimed at this market?
Free NetBSD based firewall (Score:2)
If my web logs are any indication, it has been installed by over 7000 cable and ADSL owners so far, and the amount of tech support I have to do is very minimal. If you have an old PC and two ethernet cards, you're half-way there.
Check it out and let me know what you think..
-John
better url (Score:2)
Cisco PIX 501 Firewall (Score:2, Informative)
Any Cisco security engineer-wannabees should really consider this option, since it's a cheap way to practice with the exact same interface as the high-end gear.
"Performance
The Cisco PIX 501 Firewall provides competitive performance in a compact form-factor:
* 10 Mbps cleartext firewall throughput
* 6 Mbps DES VPN throughput
* 3 Mbps 3DES VPN throughput
* Supports 3,500 concurrent connections
* Supports up to 5 VPN/IKE peers concurrently
PIX 501 10 User/DES Bundle, PIX-501-BUN-K8, $595
PIX 501 10 User/3DES Bundle, PIX-501-BUN-K9, $695
"
Oh, and compared to some of the "Cable/DSL" routers out there like Linksys, this is a huge step up. You can do NAT/PNAT from multiple external pools to specific internal ranges, or even port redirection so that multiple global addresses forwards different ports to multiple internal servers, or one-to-one static NATing if you require, or even "NAT 0" (internal and external addresses are the same) but still firewalled. Built-in DHCP, basically everything and anything you could want or expect from a firewall middle-box is here.
http://cisco.com/go/pix [cisco.com]
Cable Routers are cheap and easy (Score:2)
I've been using a Netgear RT314 for almost a year now and it works great. NAT features, port-range forwarding, etc. It doesn't have a "true" firewall but the NAT does offer some protection.
I'd recommend getting the FR314 that has firewall capabilities. Check out Practically Networked [practicallynetworked.com] for reviews on hundreds of models.
Go with a LinkSys (Score:2)
But, even if it doesn't, why not just have one of your dedicated servers be the DHCP server too? Once a box is handed an IP address, everything will work just as well as if it had a fixed one.
Me, I didn't bother - all my boxes have fixed IP addresses, but I'm guessing you have a notebook you want to shuttle from work to home.
Anyway, that's my $0.02 - just make sure you use a switch instead of a hub if you move good volumes of data around.
But get the current firmware and set the password (Score:5, Informative)
Also, and I cannot overemphasize this, set the password. Not only are Linksys routers administered via a web interface, and attackable that way, they accept firmware downloads via TFTP, and will accept a firmware download from the WAN side. So an attacker can patch the thing remotely if it's not secured.
For $51, just get a router! (Score:5, Informative)
Note: The picture on the D-Link and Amazon.com websites is of an older design where the four switch ports are on the front, and the WAN port is on the back. On the one I received yesterday, all ports are on the back (much less messy). I emailed them telling them that the picture didn't look anything like the actual product and so they apparently pulled the webpage for the product temporarily.
The setup was painless (basically, just plugged it in, attached network cables, renewed my IP leases, and changed the admin password). I even upgraded the firmware in less than a minute. It is also silent (no fan) and it is about the size of the area of a keyboard between the [ESC] and the right-alt key. It is working great.
It has four ports in the built-in switch. Port one can be used either as a normal switch port or as an uplink. It also has a serial port that you can attach an external modem to share as a backup for then your cable/dsl connect goes out.
For $51, it is basically the same price as the 486 solution that someone else cited as $45, and it even comes with a one-year warrenty (apparently, D-Link used to have a lifetime warrenty but I guess they don't do that for the consumer stuff any more).
CPU 32bits ARM RISC CPU
Memory 512 Kbytes Flash Memory
4 Mbytes SDRAM
Standards IEEE 802.3 10Base-T Ethernet
IEEE 802.3u 100Base-TX Fast Ethernet
IEEE 802.3x Flow Control
ANSI/IEEE 802.3 NWay Auto-Negotiation
Protocols Supported
TCP/IP
NAT
DHCP
UPD
PAP
CHAP
MSCHAP
RIP1/RIP2
PPPoE
Virtual Server
VPN Pass Through Function*
PPTP
L2TP
IPSec
Firewall Protection: Built in NAT firewall using stateful packet inspection
Management: Web-Based - requires a PC, Mac, or Linux based computer with a Web Browser capable of running Java script.
Firmware Upgrade: Web-Based - requires a PC, Mac, or Linux based computer with a Web Browser capable of running Java script.
Ports:
4 x NWay 10BASE-T/100BASE-TX Fast Ethernet LAN
Port 1 has Uplink/Normal switch
1 x 10Base-T WAN
1 x RS-232 (230 Kbps, male DB-9) - for back-up analog modem connection
LED's
Power
WAN
Console
Link/Act. (Link / Activity)
10/100 Mbps
Power DC 5V 2A
Operating Temperature 0 C ~ 40 C
Storing Temperature -20 C ~ 70 C
Humidity Max 95% Non-condensing
EMI Certification FCC part 15 Class B in US
Answer: none of the above (Score:3, Interesting)
I use Freesco. See other posts for why it's great.
Linux 2.4 iptables... (Score:3, Interesting)
The biggest advantage to using Linux or even BSD or any other UNIX is that you can configure the firewall as an actual gateway/router/firewall, DMZ whatever you want to make you feel safe on the net.
iptables is pretty easy and if you already understand ipchains going to tables makes things easier. As you can specify an interface to forward from to. -i eth0 -o eth1 kinda thing...
Cisco 1600 (Score:4, Informative)
Experiences (Score:4, Informative)
A friend recently bought a Netgear MR314. It seemed okay. I rather like using my unix box to do filtering, mail, and other stuff, so I would never use one of these boxes. The http interface was fairly nice and easy to follow. Easy is good for networking novices.
One problem that I encountered was the telnet support. This one had me calling their support department, not that they helped any. They command line will only accept 8 character hostnames. My friend had a 10 character @Home hostname for his authentication, and the only way to enter it was through the http interface. That sucked. Telnet is not intuitive, like Cisco IOS, but not horribly horrible.
The MR314 is overall a good router, but I like more powerful stuff. The wireless interface was good. The construction of the box was very nice -- we took it apart. I think that it was using a Motorola processor.
I have also dealt with the Cisco 600, 700, and 800 series routers in my time. They are pretty decent. I wish that the CBOS would allow for access lists greater than 18 (or is it 16?) lines. They take set, show, and debug style commands. Pretty intuitive. Upgrading the OS on them is easy. They can do NAT and PAT very well.
Efficient Networks, formerly Flowpoint, routers are decent. They are command line based, and while help and documentation is really poor, they take some pretty good commands, do good syslogging, and a few other really neat things in their operating system. unfortunately, the commands are cryptic and you have to be a real networking pro to know what they are talking about.
Netopia routers are really great. One of the fantastic features about them is that they do IPSec (DES only, no 3DES)! That is incredible for a router of it's type. They also do GRE tunnels. The next thing up if you want to do IPsec is a small Cisco router or PIX firewall, or a unix box. Netopia's do great system logging and SNMP. Their are configured through a telnet menu interface -- no telnet. They do excellent filtering, but entering filters is sort of a pain. Good construction of the boxes.
A word about Qwest DSL. They only use DMT these days for DSL -- NO CAP. That means that you can no longer use the Cisco 675 on their networks. Use the 678 instead. If you own a 675 and move, you are fscked. I bought a 675 about a year and a half ago, recently moved, and was screwed for $300. I managed to hassle a poor Qwest tech into sending me a 658 at a very steep discount, nearly free -- it took a lot of work and insider knowledge to pull off though. CAP, DMT, and G.lite are like line codes or modem modulation types. They are the analog modulation codes that the DSL interface uses to get it's data across the line. Wrong modulation = no workie.
BTW: Are there linux 2.4 kernel driver for the Intel 2200 DSL NIC? I have two of these things that Qwest sent me, and I would love to use them in my boxen. I do not know of drivers existing though. I need to google that.
Netgear (Score:3, Informative)
The Netgear allows me to block all Active X, java, and many cookies (I have Active X blocked for most sites for my roommate's windows computer).
Performance wise it seems pretty good. I havn't noticed any degredation in performance, often downloading at over 400KBps (Kbytes/sec).
It has the option of content filtering, but that's not something I want (except for things like doubleclick.net).
It has many common services already configured and allows for more to be added quite easily.
I wish it allowed some more complicated rules, however. For example, I want to allow some ports to only be accessed from certain IP addresses. I can configure the ports allowed or denied and the IP addresses allowed or denied, but not combinations of both. To handle that I run a secondary firewall on the server which allows more options.
Also, the Netgear is limited to 8 clients without buying an upgrade.
In terms of logging, I am quite impressed. It logs all port scans, attempted accesses to known trojans like netbus, pings of death, and other malicious behavior. It also classifies port scans as either possible or probable.
It also draws only around 10 watts, and here in CA where my electric rate is hitting upwards of 0.20$/kwh,
Best deal - most features - lowest price (Score:3, Insightful)
It includes:
1 port WAN (DSL/Cable Modem)
4 port 10/100 Switch
Parallel port with Print server
Serial port with FAX and dialout sharing support.
Why so cheap? It's a discontinued model.
BUT... the insides are exactly the same as models sold by SMC, D-LINK and others, and you can use the drivers and firmware upgrade from the original maker (AMIT) in Taiwan which you can find here:
http://www.amit.com.tw/download/firmware/
The printer server works with standard LPD support in Linux.
Re:Power? (Score:2)
Some problems (Score:2)
Re:Linksys Wireless Cable/DSL Router (Score:2)
Re:The one job Windoze seems to do well.... (Score:2)
Re:NAT box - my setup (Score:2)
And you haven't put your public facing machines behind the OpenBSD firewall why?
Re:What's next? (Score:2)
I know the asking party mentioned the power requirements of an old (or, I guess, new) PC as a NAT/Router/etc., but the power drain ain't too bad (unless you leave a monitor on for this server...). Besides, not only can you easily set up (see the How-Tos at Linux Documentation Project [linuxdoc.org]) a server to do NAT (great for multiple boxes sharing a "one connection only" xDSL/Cable modem connection), DHCP, cipe tunneling to secured office computers, but also to enable a web server (it's actually a last-hope backup server to one of our production systems), SSH "telenet" server for remote access, FTP daemon. With a little care a simple PC will give you tremendous network services that far surpass the capabilities of these network devices. And the investment in terms of $$$s may be much less (in time, more, but what's the fun of not learning?).
Re:Linksys and NT (Score:2)
Re:My experience with linksys (Score:2, Interesting)
My 4 port job failed in June, shutting down what was supposed to be a day of building websites at home for a client. No router/DHCP box = no network. Yeah, I could of configured a Win2k network by hand, but who really wants to do that just to hack up some quick and dirty asp pages?
So I went to their web site, where most support questions refer to the practicalnetworking site. Cute.
First Linksys jealously guards the tech support number. You have to look for a long time to find it. Then when you call either
1) it just rings and rings
2) the phone tree (push 1 for sales, 2 for support) disconnects every time you select support
3) if the phone tree doesn't just disconnect, it starts over when you select something
4) if you do talk to someone, you don't get a tech, but someone in the outsourced office in Bangalore, they haven't been trained, they don't know anything about your product, they can't troubleshoot it, the database is down so they can't check on any previous calls you have made about that sorry light blue piece of crap, but they will take your number and they promise that someone from tech support will never, ever call you back.
In my case, I just bought another one and sent the original c/o of the ceo with a note instructing what orifice it should be inserted into and with what degree of force.
Were these boxes not handy and cheap, they would have no repeat business. I hated doing it, but just buying another one was the fastest way to get me back up and running (and billing).
Re:My experience with linksys (Score:2)