
Linux-based routers


18 replies to this topic

#1 tehbizz

tehbizz

    Progenitor of noob slaying

  • Members
  • 2,039 posts
  • Gender:Male

Posted 07 November 2005 - 05:38 PM

Now, I know a few of you are running your own custom routers based on Linux distros. I started putting one together last week during my hurricane downtime and I'm using IPCop for now and so far it's OK at best. It has a few quirks which are turning me off quickly but it also has a ton of software add-ons that are really nice to have (transparent HTTP/POP3/SMTP/FTP proxying). I'm focusing on router/firewall specific distros and will be evaluating Astaro (again).

My question is this: for those of you running your own router, what software(s) are you using, why did you choose it and how easy is the administration (headache) that you need to do upfront on the set up for things like pop3/smtp/AIM/MSN/etc? How easy was it to get set up and running with basic service to the Internet such as HTTP? I'm very comfortable with Linux and whatnot but I'd just like to get some feedback on this subject for those who've already done what I'm about to do.

#2 liht

liht

    mad 1337

  • Members
  • 130 posts

Posted 07 November 2005 - 06:32 PM

I had used PFSense for a while:
PFSense

It was pretty damn easy to set up and get running... had it going in about an hour with all of our firewall rules and such. Worked rather well.
Nice, easy to use GUI. If I wasn't using a corporate type hardware firewall, I'd probably put another pfsense box in place.

#3 evoen

evoen

    SUP3R 31337

  • Validating
  • 180 posts
  • Location:38.63 , -90.194

Posted 07 November 2005 - 06:47 PM

I've been thinking about building one of these myself. Are there any big advantages (from an administration standpoint) in building your own router rather than running a commercial router (D-Link, Linksys, Belkin, etc.)?

#4 tehbizz

tehbizz

    Progenitor of noob slaying

  • Members
  • 2,039 posts
  • Gender:Male

Posted 07 November 2005 - 07:13 PM

> I've been thinking about building one of these myself. Are there any big advantages (from an administration standpoint) in building your own router rather than running a commercial router (D-Link, Linksys, Belkin, etc.)?

My current router has served me awesomely for 5 years now but it's lacking things I really want like: utilization graphs, a true DMZ, much finer granularity on traffic rules, better QoS, more extensible firewalling features, add-on or built-in proxying and virus scanning of incoming traffic, and things like that.

#5 Elzair

Elzair

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 310 posts

Posted 07 November 2005 - 07:17 PM

Well the obvious advantage is that you have full control over the running of your system, and you are not constrained by a menu of options. The second big advantage is that you can run more stuff. You would not be able to run a router/firewall and a DHCP/DNS/SMTP/IMAP server and SpamAssassin all on one box (unless it was one of those SonicWall things). Also, it would be easier and quicker to update in case of a vulnerability. Plus it just feels good and leaves you with a sense of accomplishment (especially if you have a shitty ISP that does not know their head from their ass [COUGH]Knology[/COUGH]).

#6 zraith

zraith

    SUP3R 31337

  • Members
  • 198 posts
  • Location:Southern Indiana

Posted 07 November 2005 - 11:18 PM

This awoke a spark:

Would it be possible to make a Linux box with a wifi card into a wireless router?

Edited by zraith, 07 November 2005 - 11:19 PM.


#7 riscphree

riscphree

    Dangerous free thinker

  • Members
  • 1,936 posts

Posted 07 November 2005 - 11:38 PM

Yes, very possible. I did it a while ago and also ran no-cat on it. http://nocat.net

Since my move, I haven't put it back up.

#8 systems_glitch

systems_glitch

    Dangerous free thinker

  • Moderating Team
  • 1,464 posts
  • Gender:Male

Posted 08 November 2005 - 08:15 AM

I have an old thin AT&T or NCR (don't remember -- painted it black) pizzabox style 486 DX-2 66 MHz machine that currently serves as my router. I run FreeSCO on it, from the hard disk (81 MB WD Caviar -- boots DOS and uses loadlin to start). It hasn't given me any problems, except that the first setup I had swapped interfaces (i.e. the card it called eth1 was actually the physical eth0). I put some L brackets on the 486's case and mounted it in my rack.

It's pretty easy to administer, as it has menus and such for those who don't want to edit raw configs. You can telnet/ssh into it, use the VGA/Keyboard, or I believe there's an option for serial console. There's also a web interface that runs on the internal network only, but I don't use it very often. It's currently running my router/firewall stuff, DHCP server, DNS server (internal) and an NTP server for the internal network.

Pretty good deal for a junk 486 and some spare ethernet cards!

#9 tehbizz

tehbizz

    Progenitor of noob slaying

  • Members
  • 2,039 posts
  • Gender:Male

Posted 08 November 2005 - 10:43 AM

> I have an old thin AT&T or NCR (don't remember -- painted it black) pizzabox style 486 DX-2 66 MHz machine that currently serves as my router. I run FreeSCO on it, from the hard disk (81 MB WD Caviar -- boots DOS and uses loadlin to start). It hasn't given me any problems, except that the first setup I had swapped interfaces (i.e. the card it called eth1 was actually the physical eth0). I put some L brackets on the 486's case and mounted it in my rack.
>
> It's pretty easy to administer, as it has menus and such for those who don't want to edit raw configs. You can telnet/ssh into it, use the VGA/Keyboard, or I believe there's an option for serial console. There's also a web interface that runs on the internal network only, but I don't use it very often. It's currently running my router/firewall stuff, DHCP server, DNS server (internal) and an NTP server for the internal network.
>
> Pretty good deal for a junk 486 and some spare ethernet cards!

I was looking at FreeSCO and it doesn't seem very extensible and it seems most of the available add-ons are simple things like adding midnight commander or coloring vi and not adding useful functionality. Am I wrong in this finding or is this project a strict replacement for something like a Cisco router?

#10 ph|ber

ph|ber

    H4x0r

  • Members
  • 31 posts

Posted 08 November 2005 - 12:16 PM

One of the companies I admin is using a dual processor box, and Trend Micro's IWSS. It's really sweet, has virus scanning for HTTP traffic and a URL filtering system. It's really neat. And general IP masq, with some forwarding port for the proxies.

#11 systems_glitch

systems_glitch

    Dangerous free thinker

  • Moderating Team
  • 1,464 posts
  • Gender:Male

Posted 08 November 2005 - 12:33 PM

Yes, you're pretty much correct in stating that FreeSCO is pretty much *just* a replacement for a Cisco router. That is its purpose. The packages that are available for it are mostly related to either enhancing the UI or monitoring stats. However, it is based from Linux, which would allow you to build pretty much anything you could get the source to for it. Whether or not this is more or less worthless, I don't know. Being as how it is a floppy distro, I would imagine that unless it was an insanely simple program, you would have a LOT of dependencies to compile.

#12 luminaire

luminaire

    SUP3R 31337 P1MP

  • Members
  • 290 posts
  • Location:Canada

Posted 09 November 2005 - 03:30 AM

Why use a router distro? Get OpenBSD, run PF, you're off to the races. The documentation on the OpenBSD site is amazing, and a great start. You'll be up and running in no time.

#13 greendevil

greendevil

    SCRiPT KiDDie

  • Members
  • 27 posts
  • Location:guyana

Posted 23 November 2005 - 09:01 AM

> Why use a router distro? Get OpenBSD, run PF, you're off to the races. The documentation on the OpenBSD site is amazing, and a great start. You'll be up and running in no time.

I agree.
I'm totally new to OpenBSD and I'm not too familiar with Linux either, but the documentation is really good when it comes to setting up your system to do certain tasks like setting up a gateway and quality of service.

#14 Elzair

Elzair

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 310 posts

Posted 26 November 2005 - 04:11 PM

The OpenBSD docs are pretty good. I just wish they had gone into more detail on how to assign Static Internal IP addresses to machines; I just got frustrated and used DHCP. (I am rather new at setting up a network though)

#15 luminaire

luminaire

    SUP3R 31337 P1MP

  • Members
  • 290 posts
  • Location:Canada

Posted 28 November 2005 - 06:25 PM

I'm confused, what are you having problems doing? Assigning a static IP to your router's interface, or assigning a static IP to a device on your network, and having it communicate with the OpenBSD box?

#16 b8zs

b8zs

    The phorce is with me!

  • Members
  • 76 posts
  • Location:64 Kbps x24

Posted 28 November 2005 - 07:31 PM

> My question is this: for those of you running your own router, what software(s) are you using, why did you choose it and how easy is the administration (headache) that you need to do upfront on the set up for things like pop3/smtp/AIM/MSN/etc? How easy was it to get set up and running with basic service to the Internet such as HTTP? I'm very comfortable with Linux and whatnot but I'd just like to get some feedback on this subject for those who've already done what I'm about to do.

Right now I've got 2 different boxen set up for routing. My newest one is a laptop (screen was broken) that has 2 PCMCIA 100Mbit ethernet cards, plus one onboard NIC. Right now it's running hardened Gentoo (grsec, PaX, PIE, SSP, SELinux) (I was bored, OK?) and for routing configuration I'm using the iproute2 suite, iptables, xinetd (kind of related?) but have not gone into traffic shaping or any advanced Linux routing functionality.

The second box is an old AMD K6-2 running OpenBSD 3.7 with 5 interfaces. I have pfstat and pf set up on it. I didn't spend too much time setting this up (YET) because I have been really busy with school. I really like OpenBSD and pf, they are definitely giving Linux and netfilter a run for their money.

As far as which one is easiest to set up for services like HTTP etc., well it's all about how much you have read about either one.

For PF (I'm recommending PF ^^) I would read every article on the ONLamp BSD O'Reilly site, starting with these: http://www.onlamp.com/pub/ct/58

If pf is overwhelming and you need a place to start, look at Shorewall for Linux. In a nutshell, it is a script that looks at configuration files and writes iptables rules based on what information you have in those scripts. This is a great place to start.
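
The idea described in the post above (configuration files compiled into iptables rules), as an added example that is not part of the original post and is not Shorewall's code or file syntax. The `zone`/`default`/`allow` policy format, the `fw` name for the router itself and the interface names are assumptions made for illustration; only the emitted `iptables` options are real.

```python
# Constructed sample policy in a hypothetical format (not Shorewall's file syntax).
SAMPLE_POLICY = """
zone lan eth1
zone net eth0
default INPUT DROP
default FORWARD DROP
default OUTPUT ACCEPT
# allow <src-zone> <dst-zone> <proto> <port>; "fw" means the router itself
allow lan net tcp 80
allow lan net tcp 110
allow lan fw tcp 22
"""
CHAINS = {"INPUT", "FORWARD", "OUTPUT"}
ACTIONS = {"ACCEPT", "DROP"}
PROTOS = {"tcp", "udp"}

def valid_port(s):
    return s.isdigit() and 0 < int(s) < 65536

def compile_policy(text):
    """Translate the policy text into a list of iptables command strings."""
    zones, defaults, allows = {}, {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        f = raw.split("#", 1)[0].split()      # strip comments, tokenize
        if not f:
            continue
        if f[0] == "zone" and len(f) == 3:
            zones[f[1]] = f[2]
        elif f[0] == "default" and len(f) == 3 and f[1] in CHAINS and f[2] in ACTIONS:
            defaults[f[1]] = f[2]
        elif f[0] == "allow" and len(f) == 5 and f[3] in PROTOS and valid_port(f[4]):
            allows.append((n, f[1], f[2], f[3], int(f[4])))
        else:                                  # fail closed on anything unparsed
            raise ValueError(f"line {n}: cannot parse {raw!r}")
    cmds = [f"iptables -P {c} {a}" for c, a in sorted(defaults.items())]
    # Let replies through for connections admitted by the rules below.
    for chain in ("INPUT", "FORWARD"):
        cmds.append(f"iptables -A {chain} -m state --state ESTABLISHED,RELATED -j ACCEPT")
    for n, src, dst, proto, port in allows:
        if src not in zones or (dst != "fw" and dst not in zones):
            raise ValueError(f"line {n}: unknown zone")
        match = f"-p {proto} --dport {port} -m state --state NEW -j ACCEPT"
        if dst == "fw":    # traffic addressed to the router itself
            cmds.append(f"iptables -A INPUT -i {zones[src]} {match}")
        else:              # traffic routed between two zones
            cmds.append(f"iptables -A FORWARD -i {zones[src]} -o {zones[dst]} {match}")
    return cmds

if __name__ == "__main__":
    print("\n".join(compile_policy(SAMPLE_POLICY)))
```

Reviewing the generated list before loading it shows exactly which ports a short policy opens, and a typo in the policy stops the run instead of silently producing a looser rule set.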

#17 luminaire

luminaire

    SUP3R 31337 P1MP

  • Members
  • 290 posts
  • Location:Canada

Posted 30 November 2005 - 10:19 PM

I have two Soekris 4501's running NetBSD 3.6. I used flashdist, a script used to cut down on "unneeded" components, that got the image size down to 14 meg on flash. It runs PF, as well as uses CARP for high availability, and routes between two subnets. So far, so good, however flashdist ties your hands. For example, I can't run PFstat, or do proper logging due to either features cut out of the install by flashdist, or lack of disk space. I'm currently rebuilding the image with openbsd 3.8, and this time I'm leaving everything in so I can have MRTG, thttpd, as well as pfstat, and proper logging to syslog (maybe using a memory filesystem).

In terms of ease of management, I've never had any problems with it. At several points it's been running with over 3000 state table entries without batting an eyelash. Troubleshooting is a breeze with PF, and in terms of applications, I haven't found many that are problematic. OpenBSD doesn't support UPnP, so in theory MSN voice, video and file transfer should be a pain in the ass, but due to the extraordinarily good state table tracking I've had no problems, even with modulate state on all rules. The only problem that could be caused by the routers is a problem with Cisco VPN clients disconnecting, however I haven't had time to narrow this down to the router, as there is also a crappy access point in the equation. All in all OpenBSD is a great platform.

#18 b8zs

b8zs

    The phorce is with me!

  • Members
  • 76 posts
  • Location:64 Kbps x24

Posted 02 December 2005 - 05:52 PM

> All in all openbsd is a great platform.

Truth.

#19 chillmaster

chillmaster

    SUP3R 31337

  • Members
  • 165 posts

Posted 02 December 2005 - 11:38 PM

My first dive into building my own router I decided to go with FreeBSD because the documentation on securing and running a router in FreeBSD is intense.

I tried some different liveCD routers but I eventually stuck with www.m0n0wall.ch. Then later I replaced that with a Gentoo router running a bunch of LAN services with a firewall.


My advice is that the best way to learn is to build your own but a liveCD is nice if you are just looking for a solution. They usually have an easy to use webGUI and good functionality and security options. And install doesn't take near the time.



