Domain: m0n0.ch
Stories and comments across the archive that link to m0n0.ch.
Comments · 139
-
Re:Why they forked
The problem was not people selling hardware including an unmodified version of pfSense. That's fine and always has been. The problem was people taking pfSense, modifying it in unknown ways, building their own copy and selling the result as still being pfSense, which it wasn't at that point. It was a trademark violation to do that. That and some others were using the trademark inappropriately in various ways on their web sites. See http://m0n0.ch/wall/list/showm... for some more background (it's been posted elsewhere but I had that link handy)
That's like someone buying Coke, adding their own unknown ingredients, re-bottling it, and selling it as Coke. I doubt Coke would be very happy about that, either. Same thing with Mozilla and Firefox vs Iceweasel. The same resolution there applies here as well. Name the product something different and clearly distinct, removing the name "pfSense" and logo, but keeping the copyright/license notices, and then there would not have been a trademark issue.
We had some vendors that were making some really weird changes and then people were coming to us for support on things we didn't do, questioning why things were broken, etc. Since it was still called "pfSense" and it had code we didn't write and wasn't in our repository, there was a lot of confusion even outside the legal problems...
-
Re:After reading discussion in the pfsense forums.
See here: http://m0n0.ch/wall/list/showm...
They didn't earn the endorsement, they bought it.
-
Re:OPNsense
If you read his final notice at http://m0n0.ch/wall/freeze_ann... you will see more than OPNsense.
Hello,
as announced earlier, the m0n0wall mailing list and forum are now frozen. This is the final message, and I would like to take the opportunity to thank all those who have sent me emails with kind words and expressions of gratitude. They were too numerous for me to reply to individually, but they were all very much appreciated!
There have been some questions on what the way forward is for current m0n0wall users. If you are happy with the current feature set of m0n0wall and just need a security patch, bug fix, hardware compatibility update or minor improvement now and then, there are two nascent projects started by former m0n0wall developers/users that may have something for you: SmallWall and t1n1wall.
For a more feature-rich alternative that is still based on FreeBSD and has the same roots, both pfSense and OPNsense (which is a fork of the former) are excellent choices. They have higher hardware requirements than m0n0wall, but on the other hand, a lot of new embedded hardware has recently become available, with 2 GB or more of memory and 1 GHz or faster CPUs, at a similar price as earlier platforms. It makes sense (pun intended) to use these additional resources - something that m0n0wall hasn't been particularly good at in recent times. Just keep that in mind for your next hardware upgrade.
Farewell, fellow m0n0wall enthusiasts.
- Manuel
28 February 2015
Both SmallWall and t1n1wall.com are lean, purpose-built firewalls that do only one thing. They are not kitchen sink applications. They are meant to plug into web filters, not to be web filters.
pfSense, and OPNsense are extensible firewalls with a plug in architecture. While expandable, they are more complex and heavier weight. A good example is to compare traffic shaping between them... M0n0wall, SmallWall and t1n1wall will win that contest hands down!
-
m0n0wall?
To be honest I haven't used it, but I recall people speaking highly of m0n0wall in the past.
-
Options
Oh man, this is totally my area of expertise.
Hardware:
Software:
- Voyage Linux This is a Debian-based Linux distribution that's tweaked to run on x86-based embedded systems (like one of the APU systems above). This is a good option if you're a Linux power user and prefer to set things up yourself manually.
- pfSense You can flash this onto an SD or mSATA card and boot straight into it. This is good for those that want a more turn-key solution. pfSense is based on m0n0wall.
-
m0n0wall & soekris
-
Re:What it's not about
Sure, that's why you sign your updates with decent (open source!) cryptography and embed your public key into the router's firmware.
Yes, but if the people writing the factory firmware were that competent, routers wouldn't need updates every week to remain secure.
How many show-stopper bugs are found in the open source firmwares? How many in firewalls like m0n0wall?
The underlying problem is that 99% of electronics firmware is crap. This isn't limited to routers – the hardware design is usually the primary focus of engineering, and firmware is something slapped together at the last minute to get it out the door. Until that attitude changes, these problems will persist.
-
Re:Do these projects OpenBSD, FreeBSD matter anywa
Where in the world is serious stuff being done on any of these platforms? Just asking...
Firewall and NAS solutions are often based off of FreeBSD. See, for example, m0n0wall and its derivatives, as well as the popular FreeNAS.
One big advantage of BSD for NAS applications is that it can support ZFS. (Linux attempts have been half-assed, largely due to licensing conflicts.) You really want ZFS if you are building a robust, reliable NAS device.
-
Re:Home solution
Also SmoothWall but of the three I'm happiest with pfSense.
http://www.pfsense.org/ (BSD)
http://www.smoothwall.org/ (Linux)
http://m0n0.ch/wall/ (BSD)
-
m0n0wall
Have a look at m0n0wall. It's based on FreeBSD and is configured using a PHP web GUI to configure the NICs and firewall.
Back in the day I used it as a wireless access point running on a Pentium 1 system with 48 MB RAM, booting off a 16MB compact flash card.
-
Re:Isn't there an OS box that'll solve this?
I have used m0n0wall, and have been very happy with it. In fact, I think I'm going to revisit it this weekend.
-
Re:charge 'em
I've done this with m0n0wall. http://m0n0.ch/wall/
A computer with 2 network cards. One network card plugs into your network. The other network card goes to your guest wireless AP.
In order to block access from the guest wifi to your internal network, you can put in a Firewall ACL to block access to your internal network.
For example, if your internal network is 10.10.1.0/24:
Setup the second interface as 192.168.1.0/24 (or take your pick). On that interface set a block Firewall rule for all traffic with a destination of 10.10.1.0/24. The guest Wireless can still get to the internet, but not to anything on your internal network.
With either m0n0wall or pfsense, you can setup captive portal. This will block outgoing connections until the user registers or logs in.
http://doc.m0n0.ch/handbook/captiveportal.html
-
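The two-rule guest policy in the comment above (block guest to 10.10.1.0/24, then pass guest to anything), as an added example that is not code from m0n0wall or pfSense: a small Python model of first-match rule evaluation, probed with constructed addresses to show that the order of the two rules matters and that a block written for one /24 does not cover an internal LAN that later gains a second prefix. The assumption that interface rules are evaluated top-down with the first match winning (the order the web GUI shows), the probe addresses and the extra 10.10.2.0/24 prefix are all mine, not the poster's.

```python
"""Check that a guest-interface rule set really isolates the internal LAN.

Added example, not code from m0n0wall or pfSense. It models the two-rule
policy from the comment above (block guest -> 10.10.1.0/24, then pass
guest -> any) as a first-match rule list and probes it with constructed
addresses.
"""
import ipaddress

INTERNAL = ipaddress.ip_network("10.10.1.0/24")   # internal LAN from the post
GUEST = ipaddress.ip_network("192.168.1.0/24")    # guest interface from the post
ANY = ipaddress.ip_network("0.0.0.0/0")

# A rule is (action, source network, destination network). Assumption: rules
# are evaluated top-down and the first match wins, as the web GUI orders
# interface rules; anything that matches no rule is dropped.
RULES_CORRECT = [
    ("block", GUEST, INTERNAL),
    ("pass", GUEST, ANY),
]
RULES_REVERSED = [          # the same two rules in the wrong order
    ("pass", GUEST, ANY),
    ("block", GUEST, INTERNAL),
]


def evaluate(rules, src, dst, default="block"):
    """Return the action of the first rule matching src -> dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in rules:
        if s in src_net and d in dst_net:
            return action
    return default


# Constructed probe destinations: an internal host, the firewall's own
# guest-side address, and a public host from the TEST-NET-3 range.
PROBES = {
    "internal_host": "10.10.1.20",
    "guest_gateway": "192.168.1.1",
    "internet_host": "203.0.113.10",
}


def probe(rules, guest_client="192.168.1.50"):
    """Action each probe destination gets for one guest client."""
    return {name: evaluate(rules, guest_client, dst) for name, dst in PROBES.items()}


def internal_leaks(rules, internal_prefixes, guest_client="192.168.1.50"):
    """Return the internal prefixes a guest client can still reach.

    Probes the first usable host of each prefix, which catches a block rule
    written for one /24 after the LAN grew to a second prefix.
    """
    leaks = []
    for prefix in internal_prefixes:
        net = ipaddress.ip_network(prefix)
        host = str(next(net.hosts()))
        if evaluate(rules, guest_client, host) == "pass":
            leaks.append(prefix)
    return leaks


if __name__ == "__main__":
    print("correct order :", probe(RULES_CORRECT))
    print("reversed order:", probe(RULES_REVERSED))
    print("leaks after LAN grew:", internal_leaks(RULES_CORRECT, ["10.10.1.0/24", "10.10.2.0/24"]))
```

Run it once with the rules as the post gives them and once reversed: the reversed list passes guest traffic to the internal host because the pass-any rule matches first. The leak check is the test to rerun whenever the internal addressing changes; a block rule keyed to 10.10.1.0/24 says nothing about 10.10.2.0/24.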
Re:DSLAM and Auth Server
In addition to this you can setup m0n0wall or pfSense using captive portal where users are presented with the TOS and a login when they first connect. I think from a legal point of view this is very important. But IANAL so TIFWIW.
The login can be a shared account that is changed however often the hotel staff feels is necessary (unusual traffic in the parking lot). Or they can issue vouchers that expire after a period of time. The latter will of course have more overhead.
I use a few m0n0wall captive portal setups for real estate market centers where hundreds of agents need their own credentials and clients need vouchers. It is incredibly simple, reliable, and free. I use this embedded pc and they work great with 100mb connections.
If you want better reporting and many more features look into pfSense. I find m0n0 to be sufficient for my needs; if you are looking for a good starting point this would be my first choice.
-
If you want a more full featured firewall....
I used to use DD-WRT or Tomato, but I wanted a faster router/firewall with more features. so I built a Mini ITX router with the following.....
http://www.ipcop.org/ - a great high end firewall package.
http://m0n0.ch/wall/ --BSD based and solid as a rock.
http://www.pfsense.org/ if you want gobs and gobs of plugins and features. it's a fork of Monowall with more plugin support.
NOTE: some people consider plugins to be evil for a firewall. I find having to run 3 servers for a home network to be silly. So I run pfsense with a gajillion plugins for the features I want and a fileserver/app server on the inside.
-
m0n0wall Shaping
- Buy one of these: PC Engines WRAP (1e203)
- Install this on it: m0n0wall
- ...
- Profit
Seriously, though, all you have to do is hook up your wireless access point to the DMZ port and enable traffic shaping on that network interface. (There are apparently fancier things you can do, but I just configure inbound/outbound bandwidth limits.) Quite simple, and it's all through a friendly web GUI!
Here's the documentation (sorry, no screenshots) that describes how to configure the shaping: http://m0n0.ch/wall/list/showmsg.php?id=35/88
-
m0n0wall
From the website:
m0n0wall is probably the first UNIX system that has its boot-time configuration done with PHP
Remind me how this was mistaken for an advantage.
-
Re:Holy shit
Not really... Basic Desktop support, and a more sophisticated gateway. Something like m0n0wall http://m0n0.ch/wall/ has very good access control with a voucher system and user-based control built in. It also has a very good traffic shaper so one kid downloading won't cause a fight with the other kid gaming. However, no web filtering.
Untangle http://www.untangle.com/ has some very good filtering on content and viruses, as well as some ads. The captive portal is not as strong, but getting there. No real traffic shaping last time I checked.
Both are open source projects. Monowall will run on any old P3 with 128 meg of ram. Untangle will need a bit more power behind it.
Good options. He could also try ClearOS. After it is set up it should be rather low maintenance. The download link is on the page. I have one at home and it is a win.
-
m0n0wall is a great BSD distro
I don't understand why Linux is a requirement but the FreeBSD based m0n0wall does a great job for many uses.
-
Re:The best
Exactly. We got one of these for work: Supermicro Flex Atom 330+ Intel 945GC
Draws about 16W of power with a laptop 2.5" sata harddrive and full ram slots. Pair it with either CentOS or a prepackaged firewall setup like Clarkconnect, M0n0wall, shorewall, or firestarter (IP tables gui for full linux install). You can even setup something like Asterisk NOW! and pair in an IP Tables firewall and OpenVPN support for a very robust, small, silent, and low power solution.
-
Re:I would expect most brand-name ones would
I don't know about the VIA chips, but you should be able to handle that kind of traffic on a Pentium III without too much trouble. Here's what m0n0wall has to say about it:
http://doc.m0n0.ch/handbook/hardware-sizing.html
I've hit over 60mbps on a P3 600Mhz / 64MB* using Intel NICs. At that point, things like what NICs you're using is going to start making a big difference.
*m0n0wall really doesn't care much about ram you have. It'll run equally as well on 64MB as it will 512MB.
-
WRAPs or similar are nice.
Pretty much any home router in a box that you can buy is going to be rubbish. To be fair, it is pretty impressive what you can get for $30-$50; but intense price sensitivity and competition have pretty much leveled the home router field. You can either get the (impressive for the money; but not good enough) basic model, or you can go cry.
The Ciscos and Junipers of the world will probably cut it (with the distinctly possible exception of older used ones. If you get something from the era where routing a 10Mb lan into a T1 line was Real Serious Stuff, bittorrent over a 30Mb line is going to make it cry expensive enterprise tears); but they are expensive, even used, and many of their features are probably overkill for home applications.
Your best bet might be to run m0n0wall or pfsense. Depending on your tolerance for fan noise, you can either get a basic intel atom board for ~$80 or an embedded x86 board from soekris or pcengines or similar.
That combination will be pretty featureful, quite a bit more powerful than your basic home box, and cheaper than any business box that isn't seriously antiquated.
-
Re:Gateway/Routers?
-
BSD routers
http://m0n0.ch/wall/
http://www.pfsense.com/
haven't had to reboot my m0n0wall ever, except for firmware updates.
-
build yer own =D
Due to the increasing trend to cut corners to maximize profits, it's no surprise that most (if not all) consumer-level routers are complete garbage (yay capitalism!). The solution? Make a fun weekend project out of building your own. All it takes is an old functional computer, Linux (or BSD), a few NICs, and a good Linux (or BSD) router/firewall howto. Or, if you don't want to bother with configuring it yourself, check out projects like m0n0wall. If you really want something slick, check out using one of the many embedded systems on the market. It'll cost you a little more, but you'll have one slick little router. I personally like the Soekris systems for building a router out of. I've been running the Soekris net4521 with Pyramid Linux on it and have never had any issues with stability or lockups.
-
m0n0wall on a WRAP
I only reboot my router when the power goes out in my house (a few times a year?). I use a PC Engines WRAP board running monowall and it is rock solid. It is pretty green using only ~1.5W. http://www.pcengines.ch/ Soekris makes similar boards. http://soekris.com/ Monowall rules. http://m0n0.ch/wall/
-
m0n0wall
-
m0n0wall: yes
What about http://m0n0.ch/wall/
I use monowall and it works well with the following caveats:
1. It takes a bit of knowledge to learn to setup the qos, but this is true of any effective qos router.
2. It takes a bit of playing to get the pipe size right. Set it too high and it's ineffective. Set it too low and you're not utilising your bandwidth.
3. Your internet connection speed should be fairly consistent, otherwise you will be tweaking #2 all the way to an early grave. ADSL and cable are consistent in my experience, wISPs are not.
4. Your ISP can't be throttling you, as was mentioned by some others in this discussion, for that would effectively bring you back to the problem of #2 & #3.
I've used a debian gnu/linux install on old PII hardware as a router and I actually found the QoS to be unequalled. Once you learn the syntax of iptables (and a dozen other sysadmin skills) it works pretty much perfectly to preserve voip quality. For somebody that doesn't mind getting his hands dirty I recommend a linux router/shaper as your best solution
But, as the OP mentioned, linux is a bit dreadful to set up as a router for the uninitiated. (I haven't tried IPcop or any of the dedicated solutions so I can't speak for those.) For somebody that likes a nice shiny push-button interface, you can't beat m0n0wall, and like I said, with a bit of playing around it too can be very effective at preserving voip quality.
And to those who recommend limiting your torrents to 15% of your max bandwidth: your heart's just not in it. I want my torrents now. I don't want to have to turn down my torrents every time the phone rings, and I sure as heck won't remember to turn them up again when the call's done. It's a beautiful thing to watch a torrent upload at a steady 100% of your uplink speed, get on the phone, and see your torrent continue at 100% minus 86 kbps while enjoying a phone call with flawless audio, then see the torrent fill up the gap as soon as you hang up. Geek's paradise.
db
-
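The pipe-size advice in the shaping comments above (the WRAP post that sets inbound/outbound bandwidth limits, and caveats 2 and 3 in the post just above), as an added example and not code from m0n0wall or pfSense: a Python simulation of a shaper pipe with a VoIP queue served ahead of a bulk queue, feeding a modem that drains at the true link rate. It shows why a pipe set above the link rate is ineffective (the modem's own buffer, which the shaper cannot see, fills up and every packet including VoIP waits behind bulk data) and why one set too low leaves bandwidth unused. The 86 kbps VoIP figure comes from the post; the link rates, the 64 kB modem buffer, the 10 ms tick and strict priority standing in for a high-weight queue are my assumptions.

```python
"""Why the shaper pipe should sit just under the real uplink rate.

Added example, not code from m0n0wall or pfSense. A shaper pipe with two
queues (VoIP served first, bulk always backlogged) hands bytes to a modem
modelled as a FIFO buffer draining at the true link rate. Rates, the
64 kB modem buffer and the strict-priority queue are assumed figures.
"""

TICK = 0.010  # seconds per simulation step (assumed)


def _bytes_per_tick(kbps):
    return kbps * 1000 / 8 * TICK


def simulate(pipe_kbps, link_kbps, voip_kbps=86, seconds=5.0, modem_buf_bytes=64_000):
    """Run one pipe setting against one link and summarise what happened.

    voip_kbps / bulk_kbps : what the shaper handed to the modem per queue.
    max_delay_ms          : worst wait a packet saw in the modem's buffer.
    dropped_bytes         : bytes tail-dropped because that buffer was full.
    """
    pipe = _bytes_per_tick(pipe_kbps)
    link = _bytes_per_tick(link_kbps)
    voip_offered = _bytes_per_tick(voip_kbps)   # a call is active the whole run
    link_bytes_per_s = link_kbps * 1000 / 8

    modem_queue = 0.0
    sent_voip = sent_bulk = dropped = 0.0
    max_delay = 0.0
    for _ in range(round(seconds / TICK)):
        # Shaper: the VoIP queue is served first; bulk fills the rest of the pipe.
        voip = min(voip_offered, pipe)
        bulk = pipe - voip
        sent_voip += voip
        sent_bulk += bulk

        # Modem: whatever the shaper hands over waits behind what is already
        # buffered there. The shaper has no control over this queue.
        max_delay = max(max_delay, modem_queue / link_bytes_per_s)
        modem_queue += voip + bulk
        if modem_queue > modem_buf_bytes:
            dropped += modem_queue - modem_buf_bytes
            modem_queue = modem_buf_bytes
        modem_queue -= min(modem_queue, link)

    return {
        "voip_kbps": sent_voip * 8 / seconds / 1000,
        "bulk_kbps": sent_bulk * 8 / seconds / 1000,
        "max_delay_ms": round(max_delay * 1000, 1),
        "dropped_bytes": round(dropped),
    }


def sweep(link_kbps, pipe_values):
    """Results for several candidate pipe sizes on the same link."""
    return {p: simulate(p, link_kbps) for p in pipe_values}


if __name__ == "__main__":
    for p, r in sweep(1000, [600, 800, 950, 1000, 1200]).items():
        print(f"pipe {p:5d} kbps -> {r}")
```

With the pipe at or below the link rate the modem buffer never fills, so the VoIP queue gets its 86 kbps at zero queueing delay and bulk takes the remainder; the smaller the pipe, the more of the link goes unused (caveat 2's "too low"). With the pipe above the link rate the shaper still reports VoIP at 86 kbps, but the modem buffer holds roughly half a second of bulk data and every VoIP packet waits in it, which is the "ineffective" case. A link whose real rate moves around (caveat 3) moves that threshold under you.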
Re:pfSense
I would recommend pfSense or m0n0wall, but I would stay away from the Atom.. I would use one of the Intel D201GLY2 mini-itx boards with the Celeron processors, as the boards use about the same amount of power, and the Celeron will be much faster (the Atom has a terrible northbridge that results in both boards using the same amount of power).
I use m0n0wall at home with my cable modem running VOIP, lots of NNTP, and lots of torrents, without any problems. It also means that web pages load as quickly when maxing out the bandwidth as when no one's doing anything, and that ping times generally stay pretty low. My m0n0wall box also has an uptime of over 300 days, way better than I've ever been able to do with my Linksys router.
-
Re:Build one...
What about http://m0n0.ch/wall/
-
Re:Should have included FreeBSD. :)
FreeBSD doesn't fit the profile
Whatchoo' talkin' 'bout, Willis? Have you never heard of NanoBSD and TinyBSD?
Not to mention Damn Small BSD, M0n0wall, and the FreeBSD LiveCD. (Among others.)
BSD has had a history of focusing on compactness. Something which evolved on the Linux side out of necessity rather than as a stated goal. I don't know what the size of a fully modern FreeBSD installation is, but a basic install used to be as little as 60 megs. Heck, I remember running a fully-featured desktop system off of a 300MB drive. (With swap!) I imagine that if you install a basic BSD distribution and a lightweight desktop, you could easily reach a usable system for under 300 megs. You shouldn't even need the latest in hardware. :-)
-
m0n0wall all the way
Why not take a look at m0n0wall http://m0n0.ch/wall/; it provides many features only available on commercial routers and has an excellent traffic shaping tool. The traffic shaper can be setup using the simple wizard or by creating advanced pipes and queues. Screenshots of the traffic shaper can be found on this page http://m0n0.ch/wall/screenshots.php
-
Monowall or Pfsense
Both Monowall and Pfsense have excellent traffic shaping as well as easy to use GUI wizards to help you throttle P2P. Unfortunately they won't load on your Linksys but they are so much more powerful than even DD-WRT.
http://m0n0.ch/wall/
http://www.pfsense.com/
-
Re:Is this really news?
While I agree with your point let's not forget that it can be all things to all people. M0n0wall (and forks like PFsense and FreeNAS) uses PHP for shell scripting like startup and configuration scripts which I thought was pretty cool.
-
Get the word out
I've posted links on ubuntuforums.org and the m0n0wall forum and mailing list. I suggest others do likewise, keep the discussion up, get the word out.
db
-
Re:Ah come on...
Get a grip. You have the means to secure the wireless network, but you don't. Even the coffee shops around my neighborhood are starting to use encryption or a captive portal (like m0n0wall). Jeez, even WEP is better than no security on your wireless network because then someone has to break into your network (no matter how trivial); like putting a hook lock on your screen door someone has to break into your network. Mmm, I would think that it would be a lot less painful to have the law confiscating your neighbor's computers because your neighbor's network wasn't secured and yours was.
-
Re:On the other hand, I want shaping that I contro
Another thing to try if you have an old PC around (Pentium or better) is m0n0wall, which is a BSD based firewall that can be configured through a web interface much like other home routers, but still offers power features like traffic shaping - which I make plenty of use out of.
-
Re:OpenBSD PF
I recommend you look at Monowall for a boots-from-CD OpenBSD firewall router, or I prefer pfsense because it allows you to install to a hard drive and has more features.
-
Also good
I think it had an article a year or so back, but those who have an old P2 or something collecting dust in their closet may want to consider m0n0wall, a FreeBSD based LiveCD that can turn your old PC into a commercial-grade router complete with firewall, traffic shaping, PPTP/IPSec, wake on LAN, and more. You don't need any experience with BSD to set it up, as pretty much everything can be done from the WebGUI it uses, no HDD is needed, you only use the LiveCD, and a floppy disk to store configuration data in xml, and using thumb drives instead of a floppy is planned for the next release (finally a use for that old 32 meg one in my junk drawer).
I'm extremely happy with it, I can game while my server is seeding a torrent, and my pings never suffer.
-
Re:Personal experience with "OpenWRT"
Might I suggest m0n0wall. Runs on embedded platforms such as the Soekris or WRAP as well as standard PCs. One interesting feature is their CD build. The "firmware" is read-only on the CD and only the settings are stored on a floppy disk. Rumor has it storage on a USB key is coming soon.
-
Re:DNS - Router Suggestions
Without going into business grade routers I've found one so far that seems well above any other solutions. I've tried many different brands and models but this is what I finally decided on and have running (and love).
http://games.dlink.com/products/?pid=370 DLink Wireless Gaming router
http://games.dlink.com/products/?pid=371 DLink Gaming router (same but no wireless)
I've never been a fan of DLink at all but these routers make up for it in spades. Firstly, the switch ports are gigabit and the WAN port is 10/100, not just 10. Also, with all the other "home grade" routers I never had enough port forwards (for hosting servers etc.). Those two DLink routers don't have that problem. So far I don't think there is a limit to the number of forwards you can have. My ping times have also been drastically reduced compared to other routers. It also has fairly robust QoS settings (for a home router anyway). The other big thing is that it can handle thousands of sessions at once. No more firing up Bittorrent and having to hard reset the router an hour later because it's frozen and has stopped routing. The only things so far that I see that could even be improved would be better logging (so I could get bandwidth reports from it with Wallwatcher http://sonic.net/wallwatcher/). Currently it just does plain old syslog logging. My only other complaint is that the Dynamic DNS feature only will keep track and update one name for you. So if you have multiple domains pointing to your dynamic address you'll have to have another solution to update all but one.
I believe they do themselves a disservice by advertising this exclusively as a gaming router. This thing could handle most small (and even some not so small) business without any kinds of problems. It does cost more than the Linksys you can get at Walmart but, at least to me, it has been more than worth it. I personally use the wireless version since I prefer to keep my AP and router as 2 separate pieces of equipment (both for security and if my router breaks I don't wanna be out an AP or vice-versa.) I can tell you that I've put mine through the paces and it has not locked up or had to be reset once thus far.
The other option that I would have chosen would have been M0n0wall http://m0n0.ch/wall/ on a Soekris http://www.soekris.com/ board. In particular I was going to go with one of the bundles found at http://www.soekris.com/bundles.htm. I wanted the Net4801 with the Lan1641 4 port NIC expansion. That would have given a total of 7 ethernet ports. The only reason that I didn't end up going in that direction was because they offer no gigabit options. Otherwise that would have been an awesome setup.
My .02.
-
Piece of bullsh**
The website of this wonderful "Super Router" is http://www.openlinuxrouter.com/
It's bullshit news - there is NOTHING DONE YET. The project is IN PLANS and I don't know how it could be better than e.g. m0n0wall [1] or Lintrack [2]
[1] http://m0n0.ch/wall/
[2] http://www.lintrack.org/
-
Those that provide an alternative to closed source
The big winners (to me) are those projects who provide a viable or better alternative to available closed source software and those that you'd put into a business and trust to "just work". To find them you need to test, test and test some more. My winners, those that spring to mind immediately as being trusted not to embarrass me, are
- m0n0wall - firewalling
- IPCop - firewalling
- Metadot - CMS
- Apache - web server
- Bind - Name Server
- asterisk - telephony/voip
- Sendmail - cussed but stable MTA
- SpamAssassin - spam filtering
- MIME-Defang - email content filtering/manipulation
- ClamAV - Virus filtering
- Freebsd - the best OS since sliced bread (IMHO)
- Centos - Not too shabby an OS either
- ...
-
m0n0wall
Then I guess M0n0wall is not far off from release either.
The next version of m0n0wall will be based on FreeBSD 6.2 release.
For the curious:
http://m0n0.ch/wall/beta-1.3.php
-
Other options
Personally, I've always used m0n0wall since it can be run from a CD/floppy/flash drive, and the only experience I've ever had with IPCop was a bad one. I was working on a small project with a tight deadline, and it just completely failed at a crucial moment and I didn't give it a second look. Admittedly, it was configured by an idiot, so I am wondering:
What does IPCop offer that other options (m0n0wall, Smoothwall) don't?
What is the most barebones setup you can manage with it? By that I mean the smallest system requirements to get decent performance?
-
Re:What can you trust?
Not rely on software firewalls?
I've run Freesco and later MonoWall firewalls on mostly-free hardware (Asus P255T2P4/128MB/P233 with super-glued passive heatsink) almost 24/7 since 1999. Neither have been difficult to set up, and Freesco is very noob-friendly. Freesco needs minimal resources and will even run on a 486.
Both have performed with boring, appliance-like reliability. I run from a Compact Flash card in an IDE adapter instead of a hard disk. Those parts are dirt cheap nowadays.
http://www.freesco.org/
http://m0n0.ch/wall/index.php
http://pigtail.net/LRP/printsrv/ Get ideinfo.exe from here to check CF card parameters.
http://www.pfsense.com/ I haven't tried this yet, but it's a popular fork of MonoWall so I'm mentioning it to save someone else the trouble. :)