Networking Security

Ask Slashdot: Advice On Building a Firewall With VPN Capabilities?

An anonymous reader writes "I currently connect to the internet via a standard router, but I'm looking at bulking up security. Could people provide their experiences with setting up a dedicated firewall machine with VPN capabilities? I am a novice at Linux/BSD, so would appreciate pointers at solutions that require relatively little tweaking. Hardware-wise, I have built PCs, so I'm comfortable with sourcing components and assembling into a case. The setup would reside in my living room, so a quiet solution is required. The firewall would handle home browsing and torrenting traffic. Some of the questions knocking around in my head:

1. Pros and cons of buying an off-the-shelf solution versus building a quiet PC-based solution?
2. Software- versus hardware-based encryption: pros and cons?
3. What are minimum requirements to run a VPN?
4. Which OS to go for?
5. What other security software should I include for maximum protection? I am thinking of anti-virus solutions."
  • geek or not (Score:5, Informative)

    by Anonymous Coward on Friday September 12, 2014 @12:23PM (#47890625)

    This will let you connect to vpns and such http://www.buffalotech.com/products/wireless
    or for a more geek solution https://www.pfsense.org/

    • by InitZero ( 14837 ) on Friday September 12, 2014 @12:33PM (#47890739) Homepage

      I love me some pfSense. We use it at the office and it handles everything we can throw at it (including VPN/IPSec between offices to backfeed high bandwidth security video). It is also light weight enough to work in a home environment on minimal hardware.

      Their hardware is both overpriced and well-made. For our small branch offices their embedded devices (such as https://store.pfsense.org/VK-T... [pfsense.org]) are better than what we could create on our own in low volume and a lot less work. For larger branch offices we will stick pfSense in virtual machine with whatever else they have running. It does well as a VM, too.

      Cheers,
      Matt

      • by bluec ( 1427065 )
        I love pfSense, it is superb, but that hardware is very overpriced. I guess it includes a support contract, but still, you could build out one of those appliances for less than half the cost.
      • Yup, pfSense is Good Stuff. On the hardware side it'll run on damn near anything. I run mine on an old Celeron machine with traffic shaping, no issues. I don't know that I'd want more than one or two simultaneous VPN users with that compute capacity, though.

      • by LWATCDR ( 28044 )

        or smoothwall or moonwall.

• Actually I would recommend m0n0wall. This is what pfSense is built upon, but without the kitchen sink it's even lighter. And m0n0 does everything he asks excellently.

      • pfSense works well but Untangle is also worth mentioning (http://www.untangle.com/). It has all sorts of pluggable modules like VPN client/server, ad blocking, intrusion detection, etc. I've been using it for a few years on modest hardware (Intel Atom with 4G of RAM and a 1TB green disk) and it's always worked flawlessly.

    • pfsense is rock solid.
      even on shitty hardware, you can do a LOT with pfsense.
      the turnkey boxes from their store are pretty neat too.

    • I've had miserable experience with Buffalotech reliability, and would recommend Asus and the RT-AC-66U in a heartbeat. The custom firmware adds a lot of nice functionality including OpenVPN with GUI.

      For non-paranoid, non-geeks, avoid OpenVPN in my book.

      • I love my Asus RT-AC66U with Merlin's custom firmware. I use openVPN with it (and Tunnelblick etc on my clients). That being said, if you want the best, pfSense is where it's at. You just need any cheap motherboard and a total of 2 network connections (usually that's one on-board and one add-in card, and they're cheap). I'd use a mobo that had on-board video so you have less generating heat in the case (and also less to buy and supply power to).
        • I'm fairly certain my pfSense box has no video card in it at all to generate heat. It also has 6 ethernet interfaces, all in a nice mini-itx package.

    • I have pfSense running on a Soekris net6501 for my home network firewall. I have set up OpenVPN - configuration took only a few minutes and it has worked perfectly.

      The Soekris Net6501 is more than sufficient for my needs but pfSense scales well and will run on many types of hardware. When I was testing it I ran pfSense as a VM without any problems - in retrospect I should have left it that way permanently.

      • by Ecks ( 52930 )
        Another vote for pfSense on Soekris here. I'll admit that I prefer straight up OpenBSD but for quick and dirty, pfSense is the way to go. Which Soekris is the real question. If you don't mind the spend, the Net6501 is best. It's got well supported gigabit nics so it will handle full speed traffic from Verizon FIOS, Google Fiber, or the top speed of a Docsis 3 modem. Net5501's show up on eBay irregularly in the $150.00 range. It doesn't make sense to buy them new as they are not much cheaper than the big bro
    • Also look at the father of pfSense, m0n0wall. Leaner, so it can run on lighter hardware.
    • 100% Agree. If you have the ability to read and understand words then pfSense will work for you.
• For DIY, the choice really does boil down to either pfSense or IPFire depending on whether you want BSD or Linux underneath.

      Personally, I went with a full blown CentOS with Shorewall / OpenVPN on top, but it was definitely not the easiest thing to setup. Next time around I'm strongly considering a firewall distro.
  • by Anonymous Coward

    Do you regularly remote in to your home network? Do you connect out to a server somewhere? If not, then setting up a VPN isn’t going to give you much (well technically it won’t give you anything). If so, your specific use case (which was not provided) matters.

    As for software, one of:

    - Throw your linux on there (I like Gentoo hardened) and roll your own with OpenVPN and other assorted tools (I like shorewall as an iptables frontend).
    - pfSense if you’ve got a decent box and want bells and/or

    • One big reason is to avoid all the "cloudy" ways to allow remote access to things like cameras, storage, security. Another incentive might be to route all (say) netflix traffic to a VPN so that it doesn't get throttled by your ISP.

      • Another incentive might be to route all (say) netflix traffic to a VPN so that it doesn't get throttled by your ISP.

        Or routes out through a country that doesn't have shit for selection.


    • Do you regularly remote in to your home network? Do you connect out to a server somewhere?

      Have you ever met anyone considering a VPN who does neither? But anyway, there are many other good reasons for using a VPN.
      • by Anrego ( 830717 ) *

        Have you ever met anyone considering a VPN who does neither?

        Honestly, some people will hear these kind of terms referenced a lot in relation to security and decide they should have them without any understanding of what they actually provide (beyond security of course, which is what they want!).

    • Do you regularly remote in to your home network? Do you connect out to a server somewhere? If not, then setting up a VPN isn’t going to give you much (well technically it won’t give you anything). If so, your specific use case (which was not provided) matters.

      As for software, one of:

- Throw your linux on there (I like Gentoo hardened) and roll your own with OpenVPN and other assorted tools (I like shorewall as an iptables frontend).
      - pfSense if you’ve got a decent box and want bells and/or whistles
      - m0n0wall if you want something light but functional

      You might also want to consider routerboard, it’s cool shit and reasonably priced.

      I agree. I've been running a similar set up on a PIII-100 (remember those?) with 96MB RAM and a 200MB disk for almost twenty years. The most important part is hardening the kernel, stripping out unneeded software and having a sane set of IPTables rules. Works like a champ!

      • by Wolfrider ( 856 )

        > I agree. I've been running a similar set up on a PIII-100 (remember those?) with 96MB RAM and a 200MB disk for almost twenty years.

        --Dude, how high is your electric bill? o_O

        --If you hook up a kill-a-watt to that beast, you might want to consider replacing that ancient machine with something like a Raspberry Pi / Cubietruck / Atom box - it will likely pay for itself within a year due to the power savings...

        TS-836A Plug Power Meter = ~$16 on Amazon

        • > I agree. I've been running a similar set up on a PIII-100 (remember those?) with 96MB RAM and a 200MB disk for almost twenty years.

          --Dude, how high is your electric bill? o_O

          --If you hook up a kill-a-watt to that beast, you might want to consider replacing that ancient machine with something like a Raspberry Pi / Cubietruck / Atom box - it will likely pay for itself within a year due to the power savings...

          TS-836A Plug Power Meter = ~$16 on Amazon

          Just to clarify, it's actually a Pentium Pro-200, not a PIII-100.

          My electric bill is between me and the electric company. Thanks for your concern, though.

          That said, I appreciate the suggestion, but my bill is already bit lower since I got rid of the Dell PowerEdge 6400 [dell.com] I was running for many years. What is more, when it's hot in the summer, my AC unit uses more power than all the other electric devices in my house. If I was really concerned, I'd sweat more. :)

          Compared to the AC and the other systems I ru

  • DD-wrt (Score:5, Insightful)

by everett ( 154868 ) on Friday September 12, 2014 @12:23PM (#47890631) Homepage

    That was easy.

  • by Anonymous Coward

    Get a router compatible with OpenWRT (Netgear WNDR3800 is a good choice) and install OpenVPN.

• Just as a heads up, I measured 18Mbps (that is 1.8MB/s) with my OpenWRT TP-link WDR4300 (with AR9344 @ 560MHz). I don't think off-the-shelf routers have any openVPN support, so no HW encryption engines.
      If you need higher speeds, forget off-the-shelf routers (at least for the VPN end-points).

  • by RobbieCrash ( 834439 ) on Friday September 12, 2014 @12:28PM (#47890681)

    A VPN? To connect to where, from where? Are you doing this for something to do, or because you want to implement the best solution? Do you just want better router software?

    Install Tomato [tomatousb.org] or DD [dd-wrt.com] or OpenWRT [openwrt.org] or any one of their variants on your existing router.

    Building your own in the name of security isn't going to work unless you really know what you're doing, which you said you don't in your summary. That sounds like a dick thing to say, but it's not. Security is difficult for people that know what they're doing, when people who don't try to DIY it, it's almost universally bad.

    • I can second going the Tomato route. I've used this for nearly 10 years now and have been very happy with the results. Heard good things about DD and OpenWRT, but haven't tried them myself.

      New hardware capable of running Tomato can be had on Amazon for less than $50 and are very low in power consumption. Tomato is a small enough sandbox that you're less likely to screw up security, but has enough options and add-ons to do whatever you are likely to want to do with it. There is also an active community t

    • by Nimey ( 114278 )

      I've got an Asus RT-N16 with Shibby's mod of Tomato Firmware. OpenVPN is available in certain builds thereof and I've used it successfully, though it takes a bit of setting up (and trial & error in my case).

    • by Necroman ( 61604 )

      Exactly. "Firewall" is somewhat of an overused word at this point that can mean so many different things. And the capabilities of said firewall will vary highly from product to product.

      A stateful firewall will keep track of all connections going through it. A good one can help detect malformed packets and drop those. It can also detect some fun attacks people use to fake initiating a TCP connection.

      Beyond the basics of looking at port/ip/protocol data, you can start getting into more packet analysis to
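A concrete version of the stateful behaviour described above, as an added example that is not from the thread or any poster: a generator for an iptables-restore(8) ruleset for a home firewall that also terminates OpenVPN for remote clients. Interface names, subnets and the VPN port are assumed placeholders, and the default-deny checks at the end are something to run before loading the rules.

```shell
#!/bin/sh
# Added example: home firewall ruleset with stateful filtering plus an OpenVPN
# listener. Assumed topology (placeholders): WAN on eth0, LAN on eth1,
# OpenVPN clients arrive on udp/1194 and get addresses on tun0 from 10.8.0.0/24.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
VPN_IF="${VPN_IF:-tun0}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"
VPN_PORT="${VPN_PORT:-1194}"

# Emit the ruleset; apply on the firewall with:  gen_rules | iptables-restore
gen_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback, then stateful accept of replies to connections we already track
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Packets conntrack cannot classify: malformed, out-of-window, bogus TCP state
-A INPUT -m conntrack --ctstate INVALID -j DROP
# A "new" TCP connection must start with SYN; anything else is a fake handshake
-A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
# Management and local services only from the LAN side
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p udp -m multiport --dports 53,67 -j ACCEPT
# The only service exposed on the WAN: the OpenVPN endpoint
-A INPUT -i $WAN_IF -p udp --dport $VPN_PORT -j ACCEPT
# Authenticated VPN clients may talk to the firewall itself
-A INPUT -i $VPN_IF -s $VPN_NET -j ACCEPT
# Forwarding: LAN and VPN clients out to the Internet, VPN clients into the LAN
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $VPN_IF -o $WAN_IF -s $VPN_NET -j ACCEPT
-A FORWARD -i $VPN_IF -o $LAN_IF -s $VPN_NET -d $LAN_NET -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Hide LAN and VPN clients behind the WAN address
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
-A POSTROUTING -o $WAN_IF -s $VPN_NET -j MASQUERADE
COMMIT
EOF
}

# Sanity checks before loading: both filter chains default to DROP, and every
# INPUT rule that accepts from the WAN names a destination port (no blanket accept).
check_rules() {
  rules=$(gen_rules)
  echo "$rules" | grep -q '^:INPUT DROP' || return 1
  echo "$rules" | grep -q '^:FORWARD DROP' || return 1
  echo "$rules" | grep "^-A INPUT -i $WAN_IF" | grep -v -- '--dport' | grep -q . && return 1
  return 0
}

gen_rules
```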

  • by FictionPimp ( 712802 ) on Friday September 12, 2014 @12:30PM (#47890709) Homepage

    Buy a Ubiquiti EdgeRouter Lite.

• You will not find a more dedicated firewall system than IPFire (http://www.ipfire.org). It requires a PC with at least two network interface cards to route traffic, and has an easy-to-configure web-based front end, a command-line back end, and firewall rules that include VPN. Give it a go.
    • I've found openwrt to be a little more flexible than dd-wrt for VPNs. I used openvpn with good results a few years back.

      A straight linux server running openswan can connect to almost anything but it takes a bit of doing. I haven't used it in the last few years but it worked last time I tried. Multiple NICs are helpful and considering negligible cost (if you don't have a pile, I have a drawerful around somewhere) easy to justify.
    • by krammit ( 540755 )
      Another vote for IPFire. Excellent little distro.
  • by MightyMartian ( 840721 ) on Friday September 12, 2014 @12:33PM (#47890737) Journal

    I build these critters all the time. Our entire multioffice infrastructure is based on Debian-based routers with OpenVPN. OpenVPN is pretty simple to get running, and I use Webmin to build my iptables rules.

    • Do you use OpenVPN from iPhone/iPads in your environment? Can't stand the client I have from OpenVPN.com.

      • The client isn't great, but it does work. We have a few Android and iOS devices that use the apps, and it works once you get it configured.

  • The last time I built a dedicated firewall computer for my home network was for DSL in the late 1990's. I had a Cyrix MediaGX CPU/motherboard (freebie from work), a pair of network cards, and SuSE Linux for the firewall. Most DSL modems back then didn't support sharing multiple computers. Tech support wouldn't speak to you if you didn't have a "abby-normal" computer (i.e., Windows) connected directly to the modem.
  • Get a better router? (Score:4, Informative)

    by goldcd ( 587052 ) on Friday September 12, 2014 @12:36PM (#47890765) Homepage
    I picked up an Asus ac66u last year (there are later models and I suspect cheaper ones in the range that are similar) - and it supports VPN (amongst all manner of other stuff).
    Just have an extra page on the GUI to allow you to generate an openVPN cert and account privs. Pretty useful as means when I'm travelling I can just seamlessly add my phone to the home network.
    I'd thought about buying something dedicated (well was more a NAS project, I thought I could add this to) - but unless you've got some complex needs or high volume - I strongly suspect I'd make more of a mess (both function and security) trying to set it up myself.
  • Mikrotik (Score:4, Informative)

    by PsychoSlashDot ( 207849 ) on Friday September 12, 2014 @12:36PM (#47890767)
    Grab a cheap Mikrotik RB750 or similar and you'll find you have an out-of-the-box solution that's feature-rich, supported, and easy to use.
    • I have deployed about 30 mikrotiks and I disagree with "feature rich, supported and easy to use"

      feature-rich: so many features are half baked. Like openVPN only supports TCP for transport, so you end up running TCP on TCP, which is bad.
      supported: the documentation is poor (although getting better now that they have a wiki), working examples are hard to come by since there are so many versions of RouterOS and each introduces different bugs and breaks different bits of functionality. The mikrotik people on th

    • We've started putting Mikrotik routers in some small offices as replacements for older Linksys/Cisco VPN routers, and while they're powerful I'd definitely dispute the "easy to use" for anyone not a networking pro.

      Some of the issue is that there are so many things you can change, unless you're very knowledgeable you're not going to know what to do (or refrain from doing) in a bunch of areas. You can go down the path of "I have a recipe and I will follow it exactly!" and basically copy/paste commands while c
  • Software answer (Score:4, Insightful)

    by B5_geek ( 638928 ) on Friday September 12, 2014 @12:39PM (#47890803)

    The hardware is easy:
    Either get a router that you can add DD-WRT/tomato to or build your own PC.

    Software answer:
    OS = OpenBSD
    VPN = OpenVPN

    BUT you are not asking the right questions.
VPNs only work when 2 ends connect. So what VPN server/client will the other end of your connection use? What are you actually trying to do? Does your work have a fat connection that they will let you use? Are you planning on paying for VPN service from a 3rd party? Do you want to create a VPN between your home and your laptop while you travel?

    If you want to build yourself a solid, dependable, 'solution' follow this guide:

    http://www.bsdnow.tv/tutorials... [bsdnow.tv]

  • Buy a good switch and a low power PC with some ram. Virtualize it all.

    Smoothwall is a good choice, there are lots out there.

    Makes it easy to do other things like IDS as well later.

  • Or a checkpoint UTM-1 or a Juniper SSG...

Get a small premade solution and skip the DIY thing. It's minimal power and unless you happen to like pain and suffering, a simple SSL VPN with a decent Web UI is much nicer than spending half your life building one.
    • I love our work ASA5505, but it is a bear to configure properly unless you know what you are doing. High point with me is the ease of connecting on the client end.

    • by labnet ( 457441 )

      Got to agree. We use a cyberoam appliance and ssl VPN. Does all firewall and av duties as well as VPN.

  • I really like pfsense. It is FreeBSD based and very easy to setup. See http://www.pfsense.org/ [pfsense.org]
  • Since your question was not clear as to whether you wanted to connect to a vpn for outgoing traffic encryption, or to provide secure access to your home network, I will assume that you want both. I've got a zyxel usg50 at home and a usg100 at my office and they have been able to handle everything I have thrown at them. http://www.amazon.com/dp/B0042... [amazon.com]. I was also pleased that when the whole Heartbleed fiasco appeared, the zywall firmware was not vulnerable at all. Dual WAN connections are supported whi

  • Comment removed based on user account deletion
  • There are a few affordable solutions out there. Here are 3 options with support for IPSec, OpenVPN and PPTP.

1. Ubiquiti Edge Router. The Lite model retails around $99. The GUI is intuitive and easy to use. The latest update makes setting up site-to-site IPSec tunnels pretty simple. Don't like the GUI? No problem, it has ssh and serial support and is based on the excellent vyatta fork VyOS.
    2. Mikrotik, I recommend the RB2011 series as they have 10 ports ( 5GigE and 5 FastE ), plus the $129 model has wifi and

• by brunes69 ( 86786 ) on Friday September 12, 2014 @01:30PM (#47891407)

    Just download and install VyOS (fork of Vyatta) if you're building your own firewall.

    http://vyos.net/wiki/Main_Page [vyos.net]

    • +1 for parent; I'm just learning about Vyatta. If you want to build your own as a research project, cool. Otherwise read up on this: vyatta [wikipedia.org] and see if it might do what you want.

      Just download and install VyOS (fork of Vyatta) if you're building your own firewall.

      http://vyos.net/wiki/Main_Page [vyos.net]

      • by kobaz ( 107760 )

        Or, buy a box that already runs vyatta. The Ubiquiti EdgeRouter

        http://www.ubnt.com/edgemax/ed... [ubnt.com]

At less than $100, with built-in switching, embedded linux and apt-get support, you can't go wrong.

        http://www.newegg.com/Product/... [newegg.com]

        Oh, and it's quiet. (No fans)

        And wait, there's more! Their $175 version the Edgemax Pro has 5 ports and 24/48v poe. (You'll need to buy a third party power brick for 48v poe, but it's worth it)

  • somehow i think he is just trying to hide behind a VPN to do some "torrenting"

    • by SeaFox ( 739806 )

      somehow i think he is just trying to hide behind a VPN to do some "torrenting"

      So... what's he really doing behind the VPN if he's not torrenting?

      *cough* [purdue.edu]

  • Hands down the most reliable and easy to use dual wan, VPN enabled Router for quick deployments, silent, low power consumption, handles PPTP, ipsec, etc...

I am no fan of their quickVPN software (a third VPN option included with this router), but it works as well if you don't like pptp or if you find IPSEC too much of a pain to set up.

    Plus it has DUAL WAN connections, so you can use a hotspot or DSL, or the neighbor's connection as a failover (or you can load balance them, or bind stuff, etc...).

    Im blown away n

  • I think the question is do you want to constantly be fixing your firewall and routing rules and also troubleshooting problems that might cause you to tear your hair out? Or do you want to do this in a weekend or a few hours and have something that is pretty solid and stable? I see already that everyone is recommending their favorite firewalls. What you want to get is an enterprise grade firewall. For this reason you should look at the Cisco ASA line (You can get one eBay for about $300), or a Dell Sonicwal
• By far the best solution I've come across. It's an enterprise class product you can use at home for free. All you need is a PC with a couple of NICs. I use a cheap fanless Dual Core 2GHZ Atom machine with a couple gig of RAM. It's a turn key solution with a lot of options.

    It has all the whiz bang VPN and firewall features you'd want. Plus a bunch of intrusion detection, malware and virus features. Really, the feature list is huge. The only limit is the home edition is limited to 50 active devices.

• I guess OpenVPN would be out of the question. I'm installing mine on a Raspberry Pi running Raspbian.
  • Sophos software UTM with a home license. The license is free. You will have free SSL clients and web filtering.
  • What do you think about Untangle? (untangle.com) You can buy appliance version of it too.

  • Oh man, this is totally my area of expertise.

    Hardware:
    • APU 1C [netgate.com]
    • APU 1C4 [netgate.com] (same as above but with 4 GB of ram instead of 2)

    Software:

    • Voyage Linux [voyage.hk] This is a Debian-based Linux distribution that's tweaked to run on x86-based embedded systems (like one of the APU systems above). This is a good option if you're a Linux power user and prefer to set things up yourself manually.
    • pfSense [pfsense.org] You can flash this onto an SD or mSATA card and boot straight into it. This is good for those that want a more turn-k
  • Why not get just a router (I've been contemplating a Netgear WNDR-4300) and load it with OpenWRT or even DD-WRT?

If OP wanted to do video transcoding/HTPC duties I could see the use for a full PC but otherwise it is just a nuisance compared to a small, efficient, embedded system.

    The main advantage of OpenWRT over $OTHER is its packaging system and ability to install updates without reflashing. It has good documentation and a great community too.
