Domain: pfsense.com
Stories and comments across the archive that link to pfsense.com.
Comments · 43
-
Re:Comcast and ipv6
Last time I tried DD-WRT, getting IPv6 on there was a CLI bitch, and I don't think it supported PD at that time.
I'm using pfSense now & never looked back to a SOHO router again. If you have an old P4 lying around with 512 ram, throw an extra 10/100 NIC in there & give it a spin. If you like it, you can roll your own fanless case & get the power consumption back down to an appliance level.
For a while I used the linksys I had as an access point, then swapped it out for a UniFi & again, couldn't be happier for the price.
Back to the topic, you'll find that the current state of IPv6 is not only an ISP issue, but also a hardware & software issue. Even pfSense only recently really supported IPv6 properly with 2.1, and many other devices I've tried have varying levels of support.
Ironically, the most IPv6-complete item I've found is Windows 7/Server 2008R2.
While I'm on a kick recommending stuff, check out ipvfoo for Chrome once you get IPv6 working. It is helpful to see how many sites still don't support IPv6 native: https://code.google.com/p/ipvf...
-
Re:DSLAM and Auth Server
In addition to this you can setup m0n0wall or pfSense using captive portal where users are presented with the TOS and a login when they first connect. I think from a legal point of view this is very important. But IANAL so TIFWIW.
The login can be a shared account that is changed however often the hotel staff feels is necessary (unusual traffic in the parking lot). Or they can issue vouchers that expire after a period of time. The latter will of course have more overhead.
I use a few m0n0wall captive portal setups for real estate market centers where hundreds of agents need their own credentials and clients need vouchers. It is incredibly simple, reliable, and free. I use this embedded pc and they work great with 100mb connections.
If you want better reporting and many more features look into pfSense. I find m0n0 to be sufficient for my needs, if you are looking for a good starting point this would be my first choice. -
pfsense
If you can spare/build/whatever a machine (and really it could probably be anything from the last decade), download pfsense, the installer pretty much works, the how-to's are very detailed. It's a mature stable product. It'll let you load balance your outbound connections as well as do everything a modern firewall does (you might, for instance, find being able to setup VPN on the box highly useful).
If you don't know anything about networking it might be a bit daunting, but probably still within the realm of possibility given it's all gui based and the docs are detailed. -
Re:PC-based firewall software is all garbage
You mis-pelled pfsense.
Seriously, pix is obsolete garbage, the new one is ASA, but why buy that when you can put your money toward supporting pfsense, or use it for free. -
pfsense?
Not seen this one mentioned yet. pfsense is by far my favourite specialised linux distro.
-
Re:What constitutes "fake" hardware?
PfSense is where it's at. Affordable support, top notch, their support is really great and you often talk to the developers. Even if you don't pay, they have an excellent community with a forum and mailing list. Use a server, an old PC, or slap it into an embedded system from hacom or netgate. Your customers will never even suspect it is just an x86 computer.
I have never had better support than I got from all of these companies. They work with you to solve all issues and you talk to people who know what they are doing. Hacom even sent an identical hardware platform to pfsense so they could troubleshoot an issue they were having trouble replicating. It turned out to be an issue with large SATA drives, so they replaced the SATA w/ ATA. -
Re:The best
or pfSense http://pfsense.com/
-
Re:Find a cheap machine...
... and use pfsense. My Intel CPU mini-itx board, with processor and ram was $100 and it works better than any consumer grade, BestBuy special router.
pfSense is better than m0n0wall, but still can't handle more than 35Mbps symmetric over a 100Mbps link (at least not with only a 2GHz processor and 512MB of RAM) when the "traffic shaper" is turned on.
With it off, it can handle over 70Mbps, but then you lose all those great features (like prioritizing VoIP, etc.).
-
Easy: Hacom box w/ pfSense
Go buy the cheapest 1U Hacom box here
It's even cheaper if you get the box bare-bones and get the memory, CF card, etc... from newegg.
Then go load pfSense on the flash card and turn it on.
The setup is easy and you get more of a commercial-grade firewall than a home firewall. It'll handle gigabit speed easily. -
+1 for pfSense
I've given up hope on those cheap routers. Sure, DD-WRT and Tomato are decent products, but they don't come close to a box with pfSense. Just pick up the smallest, cheapest and least power consuming ITX box you can find and install pfSense on it. You can control it all from the web browser. Best of all, it's based on FreeBSD.
-
WRAPs or similar are nice.
Pretty much any home router in a box that you can buy is going to be rubbish. To be fair, it is pretty impressive what you can get for $30-$50; but intense price sensitivity and competition have pretty much leveled the home router field. You can either get the (impressive for the money; but not good enough) basic model, or you can go cry.
The Ciscos and Junipers of the world will probably cut it (with the distinctly possible exception of older used ones. If you get something from the era where routing a 10Mb lan into a T1 line was Real Serious Stuff, bittorrent over a 30Mb line is going to make it cry expensive enterprise tears); but they are expensive, even used, and many of their features are probably overkill for home applications.
Your best bet might be to run m0n0wall or pfsense. Depending on your tolerance for fan noise, you can either get a basic intel atom board for ~$80 or an embedded x86 board from soekris or pcengines or similar.
That combination will be pretty featureful, quite a bit more powerful than your basic home box, and cheaper than any business box that isn't seriously antiquated. -
pfSense + econobox + gigabit ethernet
pfSense has a good interface and support for built in wireless if you want. It'll take up more space and use more power, but the feature set is immense. If you don't want to get something big and power hungry, you can put together a smaller ALIX box that runs pfSense too. But those are 10/100 ethernet jacks, so there's less room for growth.
IPCop is also good, I just switched to pfSense because we use it at work. And we use it at work because IPCop doesn't do multiple WAN interfaces which wouldn't really matter for home use anyways.
-
Find a cheap machine...
... and use pfsense. My Intel CPU mini-itx board, with processor and ram was $100 and it works better than any consumer grade, BestBuy special router.
-
Alix board and pfSense
I moved to alix 2d3 with pfSense.
http://www.pcengines.ch/alix2d3.htm and http://www.pfsense.com/
The thing can run circles around a wrt54g without sweating.
Yah 54g is great, I used it for a long long time, however 3 boxes I had always had some kind of issues with 3rd party firmwares dd-wrt, openwrt even tomato. From hanging to dropping WAN on DSL, I stayed frustrated. In due time, I figured my frustration had nothing to do with me living in my mom's basement.
pfSense + alix has been rock solid.
The best part about my alix board based router... it's fully supported by lots of opensource initiatives (monowall, pfsense, zeroshell etc) and come time for N, I just replace the minipci card on it.
-
Re:Simple solution...
I've got a Soekris Net4501 running OpenBSD which I am happy with. I don't mind editing the config file by hand, but you could easily use something like pfSense as well. Some of the other models they have do wifi too.
-
BSD routers
http://m0n0.ch/wall/
http://www.pfsense.com/
haven't had to reboot my m0n0wall ever, except for firmware updates.
-
i pick 3 biatch!
-
http://www.pfsense.com/
-
Re:pfSense
I would recommend pfSense or m0n0wall, but I would stay away from the Atom.. I would use one of the Intel D201GLY2 mini-itx boards with the Celeron processors, as the boards use about the same amount of power, and the Celeron will be much faster (the Atom has a terrible northbridge that results in both boards using the same amount of power).
I use m0n0wall at home with my cable modem running VOIP, lots of NNTP, and lots of torrents, without any problems. It also means that web pages load as quickly when maxing out the bandwidth as when no one's doing anything, and that ping times generally stay pretty low. My m0n0wall box also has an uptime of over 300 days, way better than I've ever been able to do with my Linksys router.
-
Re:Build one...
Exactly, that or http://www.pfsense.com/
-
Monowall or Pfsense
Both Monowall and Pfsense have excellent traffic shaping as well as easy to use GUI wizards to help you throttle P2P. Unfortunately they won't load on your Linksys but they are so much more powerful than even DD-WRT.
http://m0n0.ch/wall/
http://www.pfsense.com/ -
Re:BSD Desktops
We're getting into semantic Hell here.
FreeBSD doesn't have distros because FreeBSD itself is very much like a distro. It's not a requirement from the FreeBSD team--rather, FreeBSD is a complete operating environment akin to a Linux distribution.
There's nothing technically or legally preventing me from creating a new installer that uses the FreeBSD kernel and FreeBSD userland, with some modifications to the default packages installed. In fact, people have done just that. PFSense even calls it a distribution of FreeBSD.
I think the main reason that more of them haven't cropped up is because they're just not all that necessary. Since FreeBSD comes with the ability to add third-party software in using a repository (extremely similar to Gentoo's Portage, as the Gentoo team based some of their design decisions on BSD ports), so there's not much to add. If you notice, the major Linux distros of times past largely differed in the software repository and default options for precompiled packages.
especially as stupid license nazis stop us sharing code *shakes fist*
Well, if it violates the license, I don't know what you want. *shrug* -
Re:I have to ask...
I have to answer this seriously, as I recently started using FreeBSD for two specific projects, and I'm loving it. First and foremost, it's great when you know EXACTLY what you need to do. I'm speaking here of FreeNAS and pfSense. Both are designed to be embedded and run on FreeBSD, and both were designed to do very specific tasks. Both will install entirely on and boot directly from any garden variety USB flash drive. Because the memory footprint is so small, they run by loading the entire OS into a RAMdrive, eliminating the need for a noisy and failure-prone hard drive. This results in a quick boot and very speedy application. The base configuration of FreeNAS (at the most recent release) is like 54MB installed and will run (literally) on a first-generation XBOX. From these measly specs, you can get a fully functional device, complete with NFS, Samba, FTP server, full Active Directory integration, iSCSI target, SMART, Software RAID, and many other file-server specific features, all of which are configured through an easy to use WebGUI. The Linux equivalent of the same file server distro is Openfiler, and having downloaded and tried that out, I can say that FreeNAS is light years ahead. Much easier, faster, smaller footprint, etc. Much of these same comparisons can be made with pfSense vs. IPCop. The Linux equivalents are generally larger, heavier and well suited for more general use, whereas the BSD versions are extremely light.
Strangely enough, I had many more hardware compatibility problems with the Linux equivalents as well, which is where I thought Linux should really shine. The BSD versions detect all hardware at bootup, and only load the specific driver modules for the hardware that they actually use. Compiling and installing additional modules, while tricky at first, is actually easier than I've ever experienced in Linux. I actually got my hardware RAID card working out of the box on FreeNAS, and after weeks of fighting, have yet to get the same card working on a separate install of CentOS for a different server. It should be said that I put absolutely no effort into choosing BSD-specific hardware. It may have just been blind luck.
Now, despite all this gushing over these apps, they are clearly designed for a specific purpose. I wouldn't want to use my FreeNAS box as an email server, or run my company knowledgebase off of pfSense. But if you want to dust off an old PC, slap a couple of hard drives in there and make a file server, you can do no better than FreeNAS. -
Re:OpenBSD PF
I recommend you look at Monowall for a boots from CD OpenBSD firewall router, or I prefer pfsense because it allows you to install to a hard drive and has more features.
-
Re:The Truth
isn't that what http://www.pfsense.com/ is for?
-
Re:The Truth
I'd personally go with WRAP instead of Soekris, much cheaper; unless of course you have the money to throw away or a good reason to choose Soekris (expensive) over a WRAP?
I'm running a full install of OpenBSD 4.0-STABLE (from release(8)) on one of mine with OpenSSH for RSync and SSHd, IPSec, PF + CARP + PFSync + AltQ, trunk, ifstated(8) (for ISP failover DDR), etc. etc. All file systems are created in an MFS and 'only' /usr is via flash (mounted read-only) (/usr in flash being optional too) - system right now runs using less than 10M RAM with only a 256M Compact Flash. Simply amazing what can be done with OpenBSD...
Another one does other things, but also has X for some things I use on it, in which I connect via XDM using the X-Server from Cygwin on my WinXP Desktop...
And of course, another one that runs only in MFS without any Flash Card installed, which does some really nifty things too.
If anyone's interested in knowing how - let me know... It's really easy to do, but I'm working on releasing a script to automate these types of setups - not limited to Soekris or WRAP though, but any Flash based media (USB, CF-IDE, CF, SD, etc.).
For those with little knowledge or who don't want to learn more, or who just prefer web based front ends for whatever odd reason, there's also http://www.pfsense.com/ that's worth mentioning - aside from M0n0wall and others... -
imho
I do firewall/VPN/security work for a living; I've tried/used Ipcop and nearly all of the products mentioned below and dozens more (m0n0wall, cisco PIX, cisco ASA, checkpoint, juniper, smoothwall, proxy based firewalls, sonicwall, guarddog, watchdog, homemade linux/freebsd/openbsd/etc etc).
I personally vastly prefer PfSense over any of them for nearly all applications. http://pfsense.com/ -
Re:What can you trust?
Not rely on software firewalls?
I've run Freesco and later MonoWall firewalls on mostly-free hardware (Asus P255T2P4/128MB/P233 with super-glued passive heatsink) almost 24/7 since 1999. Neither have been difficult to set up, and Freesco is very noob-friendly. Freesco needs minimal resources and will even run on a 486.
Both have performed with boring, appliance-like reliability. I run from a Compact Flash card in an IDE adapter instead of a hard disk. Those parts are dirt cheap nowadays.
http://www.freesco.org/
http://m0n0.ch/wall/index.php
http://pigtail.net/LRP/printsrv/ Get ideinfo.exe from here to check CF card parameters.
http://www.pfsense.com/ I haven't tried this yet, but it's a popular fork of MonoWall so I'm mentioning it to save someone else the trouble. :) -
Re:Uuh, no thanks, not convinced
Lots of folks have their own small server running at home 24x7 already any way
I do. What is 'small' ? To me, it is P75 / P300 and 128 MB of RAM. Your turn to run a VM on it and said pfSense.
Have you read http://wiki.pfsense.com/wikka.php?wakka=ReleaseCaveats ? I am running a P233 with 64 MB RAM and get around 40 Mbits. Not as VM, of course, but plain OpenBSD.
On my Soekris 4801 I get a good 24 Mbits with http://www.zelow.no/floppyfw/ inclusive TC; from a floppy (if I so wanted).
And when I start looking at my production stuff, I don't want GUI; I don't want Live-CD and I don't want USB. And - of course - I don't want any off-the-shelf PC. And production seems what these guys are going for. Call me a wet blanket, but I seriously don't see what this whole thing is supposed to deliver. Seriously.
-
Re:Console, anyone?
According to this pfSense wiki http://wiki.pfsense.com/wikka.php?wakka=WhichVersionIsRightForMe the embedded version is console-only, of course. -
Re:Based on mOnOwall?
> So why do they release a new distro, instead of contribing to mWall?
Because they have "radically different goals" than monowall. This is in the second sentence in http://www.pfsense.com/ -
Re:How timely!
We are in the similar situation having Exchange in-house behind a (quite stable) DSL line. Thankfully the DSL has been out only about 30 minutes total in our first year, but unfortunately our Exchange server can't say the same. We've gotten an amazing value using a backup mx service, which silently queues mail for us until our server returns. It works amazingly well-- once our server is back up, the queued mail comes flowing in. It's a beautiful thing.
We specifically use EasyDNS's DNS service which includes the backup MX service. We use their DNS Plus service which only costs about $40/year, and allows us to use their CLUSTER of backup MX servers (How cool is that!?)! It's also available on their DNS-only service (~$20/yr). I don't work for EasyDNS (just a happy customer). You can also get the same service from lots of other places as well.
Realistically, I think you need to use an external DNS service to do this for network outages (since other mail servers will need access to your domain's MX records to find the backup MX servers). For us, this meant we needed to use a different DNS server inside our local network. The external dns points people to our mail server's public IP. The internal dns points to our internal ips.
Another note, we use PFSense as our firewall (great product!). Recently, I think I saw support for NAT Reflection was added (allowing internal machines to contact internal servers using a public IP address), which might negate the need for the "split" dns described above. Haven't tried that yet, though. -
NEW GENTOO SCREENSHOTS
-
Re:m0n0wall
Try http://www.pfsense.com/ which is a m0n0wall fork based on freebsd 6.
-
Re:M0n0wall
if you're gonna run it on a PC, check out pfSense instead... it forked from m0n0wall awhile ago and is doing some great stuff.
-
PFSense
Check out PfSense, originally based off M0n0wall, I've found it to have the best balance between features, stability and ease of use.
Right now it offers both Live CD or HD install option, and it's nearing a stable (1.0) release, try it...
http://www.pfsense.com/ -
Pfsense
If you're interested in m0n0wall take a look at pfsense (http://www.pfsense.com/), it's a m0n0wall derived os, on freeBSD 6.x with quite some more features than m0n0... ^_^
also look at this:
http://www.routerdesign.com/modules.php?name=News&file=article&sid=250 -
Less than $100?
"So what does the Slashdot crowd use when they need to secure their Linux and Windows servers? Does it cost less than US$100?"
Hi. I just bought this brand new Dodge Viper. I'd like to buy an alarm for it. What do you have that's less than $19.95?
If you're spending less than $100 in hardware to protect an important server - then it's really not all that important to you. Really.
If you want to spend less than $100, buy a Linksys firewall/router and put that in front of the server. If you take your servers a little more seriously than that, spend a little more money and build a decent firewall, or at the very least - a pair of cheap firewall boxes that use CARP for redundancy.
Anyway. To get back to your question - I prefer OpenBSD for firewall control - you can pretty much do anything with OpenBSD/pf (thanks for writing pf, Daniel!)
If a web-based control panel is more your thing, you might want to look into IPCop (a linux-based firewall based on SmoothWall). IPCop is pretty, free, and reasonably capable. PFSense is still building up, but it also has a web interface. PFSense is based on FreeBSD.
Hope it helps. -J -
m0n0wall or pfSense
Why not m0n0wall? It works very well.
Right now I'm testing pfSense as it uses pf. pfSense is still alpha code, but the critical parts work very well.
Check them out:
http://m0n0.ch/wall/
http://www.pfsense.com/ -
Re:m0n0wall
m0n0wall is good, but I prefer pfsense:
http://www.pfsense.com/
"pfSense is a m0n0wall derived operating system platform with radically different goals such as using Packet Filter, FreeBSD 6.X (or DragonFly BSD when ALTQ and CARP is finished) ALTQ for excellent packet queueing and finally an integrated package management system for extending the environment with new features." -
Re:Sounds more like a DoS to me
Better yet, use PFSense which is a fork of m0n0wall, but with a goal of higher level functionality.
After you use the latest installer, go to http://www.pfsense.com/updates/ and grab the latest version, then update via the 'firmware' tab on the web interface. -