Domain: mikrotik.com
Stories and comments across the archive that link to mikrotik.com.
Comments · 48
-
Re:The safest router is...
Is Latvia close enough?
-
Re:One word
I think I found what you are referring to, which was linked to from their forums
Mention of busting some hacker by using a backdoor in the MikroTik product he was using. No other mention of how it was done. Was it a deliberate backdoor? Was it just a coding bug that hadn't been fixed yet and now is? Was it a default user account that wasn't secured? Did "The Fixer" work for MikroTik, or did they work for the mentioned ISP that happened to use MikroTik and the backdoor was something set up by the ISP?
All very suspicious...
-
Instructions??
Here are some... http://wiki.mikrotik.com/wiki/...
-
Why not outside the box?
-
Re: Of course a tool like Holden would say that...
"Communications Assistance for Law Enforcement Act requires the routers in USA to have ability to intercept and log network traffic." http://wiki.mikrotik.com/wiki/... ISPs are actually required by law to provide wiretap access into the network traffic. This is done by storing all network packets on an extra CALEA server on the network. While it would be reprehensible for an ISP to do this for data mining, it's required that the ISP do this for the government. Failure to comply means facing some hefty fines.
-
Re:Mikrotik
Sorry, but I'd have to downvote the Mikrotik -- at least the RB751G-2HnD and RB951G-2HnD. I bought the 751 for my small place (~130 m^2) and it was DOA out of the box, with the "all LEDs flashing" symptom described here. (Apparently this problem was somewhat widespread.) Contacted MT support, and was instructed to return the unit as DOA even though I eventually got it working with a different power brick.
The US distributor from which I got both of those MT boxes said that their normal return policy would require sending the unit back to Latvia, and could take up to two months. I responded that this was far too long to be without a router, and that I'd have to just go buy some other brand instead. Eventually they processed the warranty claim by sending me an "upgrade," the 951.
The 951 didn't have the same power supply issues, but its radio coverage is still extremely spotty, and it doesn't play nice with my networked stereo receiver (some streaming stations suffer frequent dropouts; the DNS caching server on the MT confuses the receiver; etc.).
Also, understand that the MT is not really a good choice for novice home users. RouterOS exposes a ton of options, many of which would be totally cryptic to all but those who have serious TCP/IP networking experience.
Bottom line: my MT works, but the only reason I still have it is that I've been too busy to find a good replacement.
Just my $0.02,
--CF
-
Re:Out of scope I think but....
You can load it on your PC:
http://www.mikrotik.com/softwa...
It can also be installed on a PC and will turn it into a router with all the necessary features - routing, firewall, bandwidth management, wireless access point, backhaul link, hotspot gateway, VPN server and more.
-
Why not RouterOS?
Yes it's a nightmare for newbies, however RouterOS is more feature packed than everything else I've seen on the opensource front. http://www.mikrotik.com/softwa...
-
Re:For VPNs, or for routing?
Depending on your level of trust/paranoia, you should consider the security boundary to be your app and the libraries statically linked into it. By the time it gets anywhere close to the NIC, it is out of your control.
Not necessarily. If you can't trust your computer, then as soon as you touch it, your information is out of your control.
Your home intranet isn't likely to contain much (if any) data that isn't going to the public Internet, and assuming your switches are working properly, it should not be possible for your router to see non-broadcast traffic directed towards a different device anyway. Obviously, that reasoning fails if your switch is a managed device that can be potentially reprogrammed to change the switching behavior, but that's atypical for home networks, which I thought was the main point of discussion in this thread.
Well, my home intranet has plenty of data that aren't going on the Internet.
But back to the original problem. My $50 home router does indeed have a built-in managed switch, and can be reprogrammed to do port mirroring. My home router can be reprogrammed to do a lot. But that doesn't even matter. You can tell a lot from a network by using broadcast packets, such as Microsoft NetBIOS and Apple Bonjour.
The point is that a router is not just a hardware device. They're general-purpose computers. I'm in control of my router, like I'm in control of my computer. Most people aren't. The OP asked, Can Commercial Hardware Routers Be Trusted? The answer is No, and it was naive to assume otherwise.
-
hostapd and Slackware on a fitpc (Intel Atom)
I use hostapd running on Slackware on a FitPC2i. It has far more processing power than any ARM or MIPS based router, more RAM, dual GigE, and takes a 2TB 2.5" SATA HDD (it came with a 16GB SSD) so it doubles as a file server and darknet node. Also it's fanless and low power.
I guess I might use OpenBSD if I was going to do it again, other than that, I would do everything the same.
If I just needed a minimal and cheap access point or client access router, or had to deploy lots of routers, I would use many of the fine products Mikrotik make. They are easy to setup, with an IOS like (but more intuitive, type-completey, self-documenting) commandline interface, and have a good feature set, and extremely good performance for the price.
If I was building a datacenter Layer 3 fabric, I would evaluate the currently available Openflow compatible switches, and setup a few servers as Openflow directors.
-
Re:RouterOS
Google is your friend (I hope you're not spamming).
-
Re:Routerboard
If you need Jumbo frames, then you just have to pick a different model that supports it.
http://wiki.mikrotik.com/wiki/Manual:Maximum_Transmission_Unit_on_RouterBoards
-
Re:why not?
Well I installed linux when I got my current laptop in October 2010. Everything just worked.
I'm sure windows is fine too, I'm just happy with linux, been using it exclusively on my main computer for 13 years.
I do have a small windows desktop now, I use it to run a program called the dude, which gives me real time network monitoring of my offices from my desk at home.
I'd love something a bit better, with a better name, but aside from a bash script wrapped around snmpwalk, I haven't found anything
-
Re:Not unique to open source
cough The Dude cough
-
Re:The Dude
Try The Dude
-
Have a look at Mikrotik
http://www.mikrotik.com/ devices might have what you want. They are inexpensive, very flexible and have interesting mesh modes I have yet to try out and will run directly off your fire engine's battery system with some power filtering and clamping. Whatever you do in general you should have a play, write a clear specification with all sorts of test cases and run a small trial for a while. Make the devices/solution meet your requirements, not the other way around or you will be sorry.
-
Re:Server
Mikrotik can also run on PC based hardware, so if you have some task that requires a pile of power, you can find the hardware to do it.
-
Mikrotik
If you're willing to spend a little bit more money then Mikrotik is the answer. You'll have to try very hard to find the feature that is missing in RouterOS. Rock solid hardware. http://www.mikrotik.com/
-
Routerboard
I've used Mikrotik Routerboards for years and have been very happy with them. They're very flexible, relatively cheap, and I've not had any issues with reliability. I don't think they run anything like DD-WRT, but their supplied OS is very powerful. Has ssh login for admin and a Cisco IOS like interface.
The following RB435G should fit your needs:
3 x GigE ports
3 x miniPCI slots for wireless (R52nM for 802.11n)
DynDNS Updates: [Yes]
DHCP Server with Option 66: [Yes]
Static IP based on MAC: [Yes]
Port forwarding: [Yes]
QoS support: [Yes] -
What about Mikrotik?
If you _must_ have OpenWRT, you can stop reading.
If not, consider Mikrotik. I used OpenWRT, DD-WRT and the rest, but none of them was as good as Mikrotik. It's simply an incredible list of features the box and OS gives you, and you can easily configure it via WinBox (Wine or Windows) or simply via SSH. They have a range of products from 10/100 routers to a 9-port 10/100/1000 router/switch (see link below), where you can attach up to three wireless-cards.
See http://www.mikrotik.com/ and http://www.roc-noc.com/mikrotik/routerboard/rb493g-complete.html
(I do not live in the US, so I do not know the prices, but it's definitely a big bang for the buck :-))
-
They have posts on really bad installs here.
http://forum.mikrotik.com/viewtopic.php?f=2&t=31711
Most of these are remote hotspots to bounce a wireless signal across Europe, but even in the middle of nowhere there should be standards.
-
Mikrotik
Buy a mikrotik router. I have a RB433UAH and a R52N card (I think), you can get views like this:
http://wiki.mikrotik.com/wiki/Manual:Spectrum_analyzer
It has various other tools to do AP scans etc and could perhaps be used to triangulate the source with a directional antenna.
-
Re:Recommend? Nice of you to ask.
Cantennas can have a range of over 1 kilometer even if you build one yourself. The engineered commercial model should do better than that. How remote is your area? There should be a friendly person somewhere in that range unless you're way out in the sticks. You do have to spend some time aiming it though. You run the antenna cable through a wall to an exterior mount (grounded!) that holds the cantenna. Scan for networks, turn it a couple degrees and try again and mark the finds on the base. Engineering geeks would of course put the thing on a remote antenna rotator. You can also use an antenna amplifier, a high-gain parabolic directional antenna or high-gain omnidirectional antenna to extend the range to several kilometers. The record is 304 kilometers, but that requires special equipment and cooperation at both ends.
Me, I can get three open WAPs from inside my house with the standard laptop wifi but that's not anonymous enough.
-
Re:Exactly what i wanted to hear!
If you just need to point default, a few routes for your networks and go, then great.. otherwise...
quite a bit better than using commodity desktop components..
However not without issues
Depending on the nature of the ISP... most will want multi-homing, and that ultimately means taking full routing tables.
So forwarding at a max of 400,000pps alone is not enough.
There's also a need to take and have full routing tables at the same time as forwarding at that rate, at the same time as providing things like redundancy.
If taking the table alone brings CPU to 100%, on an ISP border router (not that Cisco gear is entirely free of that either -- esp. when it comes to old/low-end), then.. houston we have a problem...
-
Mikrotik
Mikrotik Routers, despite some bad press, are good. They are inexpensive, can be built with commodity hardware, and easily handle that level of traffic.
hardware specs on mine: 2.4Ghz P-IV, 512MB Rambus RAM, 1 * T100 Ethernet port (motherboard)connected to modem, 5 * 10/100/1000 ports (NICs) connected to home network and one 802.11g wifi NIC (operating as a hotspot), 1 256MB flash card in IDE adapter.
FIOS connection gives me 60*5 with one IP, and regularly sustains that with as many as four separate machines running BT at any given time, 2 public game servers, as well as various other uses. 60+ firewall rules, full NAT with 20+ port forwarding rules, it runs like a champ.
If you already have the hardware laying around doing nothing, go ahead and give them a look.
-
Re:Proud to be a Comcast customer?
Looking forward to IP6 also (though I'll have to get rid of my $100 cheap router for a "real" one)
My router was only $100 plus $50 shipping(4U computer) plus $40 for the OS, but could have been only $100 and done the same in a smaller space(routerboard.com). It has BGP, OSPF, RIP, IPv6, Bandwidth Queues, NAT, and more.
-
Re:What about?
Has anyone ever used The Dude?
http://www.mikrotik.com/thedude.php
I just got a work-study job with the campus admin at the community college I attend. He's been there almost a decade and has no network monitoring system, so he has no idea when something goes down until he gets a complaint or can't get something to work himself. I thought an interesting project during my time with him might be to see if he'd let me help implement a network monitoring system, and I've seen a couple of people use The Dude before and it seems pretty capable.
-
Mikrotik would be perfect
Mikrotik will do everything you need and more.
You would need to build your own using a RB/411A, CA/411, R52H, AC/SWI and a 12-24volt power supply and you would be all set.
http://www.mikrotik.com/
http://forum.mikrotik.com/
The guys over at http://www.quicklinkwireless.com/ sell preassembled AP's and will even walk you through configuring it.
-
Mikrotik - RB450
I would recommend a Mikrotik, fairly cheap for all the options you get on them. I got one of the 450 models, and the board, case, and power supply will hit you for around ~100. It has a nice GUI interface for configuring everything.
-
Use Mikrotik boards, which run Linux
I'm just about to the point where I hate wireless, but for a non-commercial shot like this, mikrotik should work well. You could get into it for 300.00 - 600.00 for a couple of units configured as a wireless bridge.
I recommend using Ubiquiti sR2 or SR5 mini-pci cards...and ground everything especially well.
Mikrotik boards run Linux and are extremely robust and feature rich. But you can follow this wiki and have a transparent bridge running in no time flat:
http://wiki.mikrotik.com/wiki/Transparently_Bridge_two_Networks
We use mikrotik a lot in a wireless WISP situation. If someone thinks they are going to throw a bunch of this stuff hundreds of feet in the air and make a lot of money doing wireless Internet, they are in for a wild ride...that ends somewhere between hairloss and a straight jacket...but I do something almost exactly like what you are wanting to do with your father using Mikrotik, and it has worked very well and wasn't super expensive.
Again, ground everything as best you can, and use directional, not omni antennas (cheap omni antennas often have grounding issues that can pop the radio card really easy).
See also: wisp-router.com
Transporter_ii -
Mikrotik's RouterOS
RouterOS is linux based with a very nice console interface as well as a windows client.
It does all the usual linux fw stuff, as well as traffic shaping, connection rate limiting, traffic identification, rip/ospf/bgp, vpns, lots more.
Unique features include a scripting host and cron-jobs. Very cool, indeed.
They also make their own hardware (expandable sbc's, wifi) with their routeros embedded in flash.
http://www.mikrotik.com/ -
Re:College kids...
Other than access lists, IOS is horrible. I see no reason why, on good hardware, a Linux-based router can't do just as good a job. Mikrotik is a good example of Linux-based routing software in this regard, though I prefer the roll-your-own method.
-
Re:pcengines WRAP
Yeah, WRAP boards are great little platforms, and you can run a variety of open source stuff on them. I also like the RouterBoards running Mikrotik RouterOS; awesome affordable, extremely flexible platform.
Check it: http://www.routerboard.com/products.html
http://www.mikrotik.com/
Fun stuff! I've got a bunch deployed as firewalls, VPN appliances, and Access Points. Currently experimenting with dual radio access points (900mhz or 5.8ghz for backhaul & 2.4ghz for local hotspot) -
Re:There is a point...
Why not just go get a nice embedded system with a flash card? Doesn't produce much heat, doesn't have any moving parts. Just get one, toss linux or whatever on it, and poof. Insta whatever server for
http://www.soekris.com/
http://www.mikrotik.com/
I use these for small low-power wireless APs and routers, but they are being used for low-power servers of all kinds as well. Why /. people always want to over-engineer is beyond me. ;)
-
Better than Cisco already --- Mikrotik
I ranted pro-Cisco for years running an ISP in a Major US Market(tm). And at the time, it made sense -- no one could touch Cisco for support, features, and availability.
Today, however, the story is different. In particular, using an inexpensive small form-factor PC (especially one with no moving parts, even a fan), you can have a router for $500 that outperforms a Cisco router costing ten times as much -- and has more features!
MikroTik RouterOS has replaced Cisco as the routing core for my network here in Honduras, where price is much more important than it was back in the States. It handles peer-to-peer throttling, per-IP bandwidth management, MRTG support, nice GUI and command-line interfaces, cool scripting language, and includes all the cool stuff that Cisco does -- policy-based routing, OSPF, various queueing strategies, etc.
-
I only take my routers three ways...
-
Mikrotik?
You can download a series of floppy disk images and turn just about any old PC with two NICs into a router with all sorts of limits, including P2P Filtering! www.mikrotik.com
-
Folks are doing this commercially
and they seem to be doing pretty well. I went looking for weird NIC hardware and came across Imagestream. They make big routers with Linux at the core, on x86 hardware in industrial form factors. Definitely worth a look.
Also on the thread of interface cards, try Mikrotik. If you're doing wireless, the MiniPCI carrier boards will make your day.
Full disclosure: I'm not related to or affiliated with either of those companies in any way. I've never even bought anything from either of them. I just came across them while searching and thought they were bookmark-worthy. -
I'm already doing something similar
There's a whole niche market for "stripped-down versions of Linux" that handle things like this.
Currently, I'm using Mikrotik RouterOS as a core router. It's at a small ISP -- 400 or so high-speed customers, 3000 dialup customers (400-500 of which are connected during peak times). Standard routing stuff (30 or so internal static routes, big deal). Couple hundred firewall rules (some for stopping Windows worms from spreading, some for general network security, some to help keep the nastier spammers in check). And BGP, taking a full BGP feed from our upstream, plus a couple multihops from places like Cymru's bogons project. And it doubles as a PPTP server so I can securely work from home (in a gesture of supreme irony, I can't get Internet connectivity from the company I work at).
And some other stuff I can't think of right now.
All this is running in a 1U system I got from eRacks (they make good cheap stuff), except for the hard drive, which I yanked and replaced with a 64MB IDE-flash drive from these guys. Celeron 1.3GHz, 512MB RAM. The system never ever, even during peak times, goes over 10% CPU load.
This isn't quite up to the specs the original author was looking for, mainly because this hardware isn't also doing the T1 stuff. (It's got plain old boring Ethernet to an older Cisco router, to which our four T1s are connected, but the Cisco is basically just a really big media converter.) But given how low the hardware utilization is on this unit, and how underpowered this system is as compared to current hardware, I think it shows that the notion is quite feasible. -
Re:Suggestions for hardware?
While you could always roll your own solution, what you want is essentially all put together here: Mikrotik OS.
You can download the free version, or buy the whole thing installed on an IDE flash disk. You can also buy the flash disk/OS preinstalled on a SBC. Not quite free, but not badly priced either. -
Works for me
I work for an ISP that sells broadband wireless. In designing our network, I chose to use almost exactly the same setup as you described. PPPoE gives us a lot more flexibility than any other access control method. You can back it with RADIUS for simple user management, and there are a lot more client solutions out there, ranging from free to licensed. We've been running with few problems for over 6 months now with our current hardware setup. I'd suggest checking out MikroTik RouterOS. It's a linux-based OS that supports everything mentioned thus-far in this thread.. from PPPoE to PPTP and even IPsec. You can even toss a pci/pcmcia card in it and make it an access point which removes another device from the network.
-
Alternative approach
I NEVER let anyone install any software on my company computers or my home computers that deal with broadband.
This approach may get you permanently relegated to the slow lane of the Internet, if that (hint: what do you think your AOL or Earthlink connection does, especially upstream? Do you think they ignore all that nifty consumer buyer profile data they see pass through web proxies and such?)
As a Cox.net consumer and manager of a regional broadband service provider (not cox - we service flyover country:-) ), I'd suggest a better alternative:
- supply a stock Wintel PC next to your cable modem/DSL/wireless DSL termination. Win2K or WinXP are probably necessary.
- use the stock machine for the installer to load his garbage on
- use the machine for customer support calls
- let it crunch keys or run some other distributive application
- replace it in the link for normal operation using your router/internet sharing device of choice (e.g. RouterOS, Linux dual-nic, Linksys firewall router, etc)
Just make sure you get the details down of how your service provider authenticates you and let you on his network - PPPoE, DHCP, MAC-based authentication, etc. and make sure your router solution is configured to do the same.
Yea, I hate spyware and won't use it on my network either...
*scoove* -
Re:It's cost, not content
And yet some broadband companies go out of their way to prevent Linux users from signing up.
Isn't that amusing? We're fortunate to have a young enough company culture (and use Linux - Redhat and Debian - inside for most of our systems except desktops, which run Win2K).
UNIX customers in general (Linux/BSD/etc) can be a real blessing, even though they occasionally consume resources like an entire school district. They represent another intelligent pair of eyes on your network looking out for potential problems - give them a good way to talk to you and you've got volunteer help!
On the other end of the spectrum...
My home broadband connection goes through a cox.net connection. As I run a Mikrotik-based VPN between home and the office (mostly so I don't have to drive in when I need to see the private network at 3AM), I have a few suggestions for other non-Windows broadband customers of larger providers:
- keep a Windows box handy next to the cable modem drop, and ready to run as the sole broadband device. This makes the installer people feel better when they come by - I had one drop by and see the 48-port patch panel, 5' rack, switches, routers, hubs, etc. and he got worried. (I told him it was an amateur radio project and he felt better)
- run your Windows box when you call in a trouble report; their people are trained to walk you through the basics (e.g. determining if your computer is turned on, if your network card is active, etc.) and even though you may know what the problem really is, you won't get to that point in their script unless you're able to work along with them in their "have to make sure the customer isn't doing something idiotic" checklist.
I once made the mistake of whispering the word "Linux" when on the phone with my provider when there was a problem.
Yea, platform bigotry is a problem - even for smarter folks like network engineers. I've had similar issues with Sprint dealing with our upstream circuits. We had a Sprint circuit bouncing every 70 seconds (even with a loopback plug in the smart jack... clue!) but when I accidentally mentioned our router was Mikrotik (with a slew of Cyclades T1 cards, a DS3 card, and misc other stuff), that immediately became the problem. It wasn't Cisco.
"That's the problem. You're set for HDLC and only Cisco does that. Your router won't work." He wouldn't listen to me tell him that Cyclades supports HDLC, nor would the loopback but still bouncing status help (and trust me, Mikrotik on a redundant P4 with this architecture kicks a Cisco 7500 - without the $100K price tag). We had to drag a Cisco back in and terminate the circuit there before Sprint would buy off that they had a problem. Oh well, it only cost them another two weeks of credit on the SLA... their money, not mine.
*scoove*