Domain: pfsense.org
Stories and comments across the archive that link to pfsense.org.
Comments · 108
-
Re:IPv6 multi-homing status
The purists hate NAT, but for SOHO, NPt can help with that.
-
I help run such a network
I live in a community of 60 households (clusters of duplexes a little outside of town, rather than an urban highrise) and we have run our own internet service here for 15 years.
We started with some cheesy radio links and have moved up in speed over the years to where we now have a direct fiber connection to a local ISP. We are currently buying 50 Mbps symmetrical service for data, and that is sufficient to allow widespread streaming of Netflix for our residents (we don't have access to cable TV here, but a few folks have satellite). We added VOIP phone service a few years back, which the same ISP sells us over a separate set of fibers to avoid call quality issues. We have local servers for email, community website stuff and for the VOIP service (using the excellent SIPx open source software). We use open source PFSense software running on a low-power ALIX box as our central firewall & DHCP server.
We charge $30 for Internet and $30 for phone, with unlimited domestic long distance, which includes a small margin that allows us to accumulate funds for maintenance and improvements. These prices are considerably lower than people here would pay for equivalent services, and people are pretty happy with the quality. The system is maintained by a small team of volunteer geeks, and our residents understand that we won't necessarily jump out of bed to fix a problem--we'll do the best we can, but don't guarantee 100% service levels. We don't enforce any bandwidth caps per-household, and that has not been a problem.
This kind of thing is entirely feasible, as long as you have a core group of geeks that consider it something they are interested in putting some time into. We have saved our residents many tens of thousands of dollars over the years, keeping that money circulating in our local community instead of shipping it off to some corporate behemoth. And for those of us who do the work, we generally find it an engaging and enjoyable use of our time, and find it satisfying to provide a useful service to our neighbors.
Oh, and I concur with an earlier poster--if you do it, do it wired. Provide one jack to each condo, and let the owners distribute around their rooms as they see fit. You might provide some wireless access in common spaces.
-
Re:Define realistic goals
I dunno, I'm the father of an eight-month-old and work in the computer security field professionally. When it comes to computer security, my rule of thumb is: it's not whether you're paranoid or not, it's whether you're paranoid enough. That being said, when my son is of an appropriate age to start being exposed to the inter-tubes, I'm either going to set up http://www.pfsense.org/ and/or http://dansguardian.org/ . When he gets to the age where he can start circumventing that stuff, I'm going to pat him on the head and say "Use your new-found powers for good."
-
PfSense has it all
And it's free. Does Captive Portal with ease and runs on almost anything, so long as it has 2 Ethernet cards. Runs on top of BSD and uses the pf routing module. Uses a web interface to set up.
I have an office with 40 PCs being served by a P3 something with 512 MB RAM running PfSense with 3 network cards (balancing dual ADSL2 connections) and a gigabit out to the switch, and it works a treat and never dies. It's a cinch to set up, and I also have set up captive portal and again, it is DEAD EASY.
http://www.pfsense.org/index.php?option=com_content&task=view&id=71&Itemid=81 This should answer most of your questions.
Oh, and don't be deterred by the BSD logo (Beastie!) since I am pretty sure the fella has nothing against Christianity as he is, you know, a cartoon! As for me, whatever floats your boat I say...
-
pfSense and an embedded system
Personally I've had huge success with pfSense running on either cheap Dell servers for high WAN throughput or embedded devices for lower requirements. The hardware is dirt cheap, the software free, and for me it has a far better feature set than any of the router firmwares you mentioned. It is FreeBSD based and absolutely rock solid in my experience (I've never had to reboot one in over 3 years). The out-of-the-box feature set is incredibly impressive but this can be supplemented by a huge choice of plugins too. Example hardware: http://linitx.com/product/12647 pfSense: http://www.pfsense.org/
-
Re:Speed
My biggest issue with trying to find a router that can run DD-WRT/Tomato/etc. is finding one that can handle 400 Mbps+ of WAN-to-LAN performance.
Are there any high-performance routers that support open source?
I certainly do not know of a commercial one, however you can build one.
-
Re:pfsense
I completely agree: I've got an old PC running pfSense as our main firewall/NAT box for our public wi-fi network at our motel, and it runs rock-solid. They also give some guidelines at:
http://www.pfsense.org/index.php?option=com_content&task=view&id=52&Itemid=49
Combine that with a good dual-band N card or AP, and your requirements are met.
One last thing, keep in mind we're talking routing, not switching: I don't see *ANY* cheapo ARM, MIPS, Atom, etc. box ever keeping up, even with just simple NATing. You can do switching in hardware, but routing--by definition--must be done in software, and at those speeds you're starting to talk serious horsepower, even more if you start running Snort, ntop, etc.
FWIW, I really do wonder if whatever your CPE is (the device from the ISP you plug in to) can actually handle all that data itself--I wouldn't be surprised if it starts choking, too.
-
pfsense
I didn't read through the bazillions of comments, but after playing with a ton of the 3rd party firmwares that run on the old Linksys WRTG routers like Tomato and OpenWRT, etc., I just finally built a cheap and tiny ITX atom based box and put pfsense on it. I would never go back.
-
Re:Idiots
You could block the requests by port not by IP address. E.g.
http://forum.pfsense.org/index.php?PHPSESSID=acve3puv31mdfooc1b4ckuvq94&topic=9396.msg62747#msg62747
Of course you could avoid that by setting up a VPN tunnel and doing everything over that.
At that point they'd need to block all VPN connections to stop you getting at bad content and that does seem to be non trivial.
-
Ideas
Some suggestions for you:
Watchguard firewalls are all multi-WAN capable and are nice units. If cash is an issue and you have an old box lying around, run PFSense
-
Re:Who do you trust?
Alternatively, you could just get 2 cheap internet connections and a router that supports active fail-over/load balancing, however now half your address-space on the other ISP is unreachable. Not to mention that those routers cost thousands of dollars if you don't enjoy hours of BSD hacking...
pfSense is your friend here.
-
Happily enjoying IPv6 on my network
[Disclaimer: I am a pfSense developer, so I'm a bit biased. For those of you who don't know what pfSense is, it's a BSD-based firewall distribution.]
pfSense 2.0 won't officially support IPv6, but there is a branch available that does IPv6 which will later become 2.1. I'm running it on my home router with a GIF tunnel to Hurricane Electric (http://he.net/, http://tunnelbroker.net/) to get IPv6 even though my ISPs do not have any native IPv6 support yet. The IPv6 support is a work in progress but is complete enough that it will do what most people want/need.
Instructions for the setup and more info can be found on the pfSense IPv6 board here: http://forum.pfsense.org/index.php/board,52.0.html
I get a 10/10 on the IPv6 tests from http://test-ipv6.com/ on all my PCs as well as my Droid X running 2.3.3. If you're already using pfSense 2.0, give the IPv6 code a try, setup a tunnel to he.net, and enjoy. Doesn't take too long at all to setup.
-
Re:IPv6 day using IPv4 addresses?
Yesterday I followed a few links here and there, but whenever I find an IPv6 router setup it ends up being horrendously complicated, with acronyms flying around unchecked. One can understand this only if he already knows it all.
What I need is a simple thing that can be plugged into an existing IPv4 router (taking a routable static IP address or - even better - not doing that.) I want to have IPv6 on the other side of the thing. The box should have an IPv6 firewall, a DHCP server (if required) and perhaps a DNS server for the LAN.
With such a device it becomes trivial to augment existing IPv4 networks with IPv6. However I don't know if anything like that exists. I'm honestly unwilling to go too deep into the IPv6 networking maze myself. Networking is just one small aspect of software development, and software development is just one aspect of product development... and I develop products. I can't afford to spend much time on fiddling with bits, and I certainly am not going to learn all about IPv6 just to visit Google. IPv6 was sold to the public as largely self-configuring, and I'd like it to really be that way. All the tunnels that I see on the Net are intended for experienced developers, not for users.
-
Re:My ISP doesn't offer IPv6
See my comment later in the post here. You can get a free IPv6 tunnel from http://tunnelbroker.net/ if you have a router/firewall capable of establishing a GIF tunnel. pfSense (2.0 with the IPv6 code branch), m0n0wall, and DD-WRT and friends can do this.
-
Use pfSense + he.net tunnelbroker
I posted a comment much like this in the last IPv6 thread, but here it goes again. :-)
[Disclaimer: I am a pfSense developer, so I'm a bit biased. For those of you who don't know what pfSense is, it's a BSD-based firewall distribution.]
pfSense 2.0 won't officially support IPv6, but there is a branch available that does IPv6 which will later become 2.1. I'm running it on my home router with a GIF tunnel to Hurricane Electric (http://he.net, http://tunnelbroker.net/) to get IPv6 even though my ISPs do not have any native IPv6 support yet. The IPv6 support is a work in progress but is complete enough that it will do what most people want/need.
Instructions for the setup and more info can be found on the pfSense IPv6 board here: http://forum.pfsense.org/index.php/board,52.0.html
I get a 10/10 on the IPv6 tests from http://test-ipv6.com/ on all my PCs as well as my Droid X running 2.3.3.
-
pfSense + he.net tunnelbroker
[pre-comment disclaimer: I am a pfSense developer]
I am running the IPv6 branch of pfSense 2.0 on my home router and I have v6 connectivity via he.net's tunnelbroker service. It works nicely, most devices on my LAN are happily preferring v6 over v4 for connections where it's possible, though it is rather limited at the moment. While the IPv6 code won't be included in the 2.0 release when it ships, it's easy to overlay on top and run it now. It will make it into the 2.1 release for sure. It's making great progress but it's not yet 100%.
Checking my RRD graphs I see that on one graph it showed a total of around 2GB of IPv4 transferred and for the same period, 30MB of IPv6, so somewhere near 1.5% of my traffic is IPv6 for that period.
Check the pfSense IPv6 board for more info and a howto.
-
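The GIF tunnel described in the four tunnelbroker posts above, as an added example that is not code from those posts or from the pfSense project: the raw FreeBSD commands and pf rules that the pfSense GUI ends up driving when you add a 6in4 tunnel from tunnelbroker.net. The interface names, the IPv4 endpoints, the tunnel /64 and the routed /64 are assumptions drawn from documentation address space; replace them with the values on your tunnel details page. The script prints what it would do by default and only executes when called with "apply" as root.

```shell
#!/bin/sh
# Added example, not pfSense project code: bring up a 6in4 (GIF) tunnel to a
# Hurricane Electric tunnelbroker endpoint on FreeBSD and print the pf rules it
# needs. All addresses are assumptions (RFC 5737 / RFC 3849 documentation space).
WAN_IF="${WAN_IF:-em0}"
LAN_IF="${LAN_IF:-em1}"
LOCAL_V4="${LOCAL_V4:-203.0.113.10}"          # "Client IPv4" on the tunnel page
HE_V4="${HE_V4:-198.51.100.1}"                # "Server IPv4"
HE_V6="${HE_V6:-2001:db8:1::1}"               # "Server IPv6"
LOCAL_V6="${LOCAL_V6:-2001:db8:1::2}"         # "Client IPv6"
LAN_V6="${LAN_V6:-2001:db8:2::}"              # "Routed /64", without the host part

# tunnel_cmds prints the interface and routing commands, one per line.
tunnel_cmds() {
  printf '%s\n' \
    "ifconfig gif0 create" \
    "ifconfig gif0 tunnel ${LOCAL_V4} ${HE_V4}" \
    "ifconfig gif0 inet6 ${LOCAL_V6} ${HE_V6} prefixlen 128" \
    "ifconfig gif0 up" \
    "route -n add -inet6 default ${HE_V6}" \
    "ifconfig ${LAN_IF} inet6 ${LAN_V6}1 prefixlen 64" \
    "sysctl net.inet6.ip6.forwarding=1"
}

# pf_rules prints the minimum pf additions. Protocol 41 is the 6in4 encapsulation;
# without that rule the tunnel comes up but nothing arrives. HE also pings the
# client IPv4, so echo requests from the server are allowed. The last two rules
# keep the routed /64 stateful-only from the tunnel side: no inbound connections,
# but ICMPv6 (path MTU discovery, neighbour discovery) stays open.
pf_rules() {
  cat <<EOF
pass in quick on ${WAN_IF} inet proto 41 from ${HE_V4} to ${LOCAL_V4}
pass in quick on ${WAN_IF} inet proto icmp from ${HE_V4} to ${LOCAL_V4} icmp-type echoreq
pass out quick on gif0 inet6 from { ${LAN_V6}/64, ${LOCAL_V6} } to any keep state
pass in quick on gif0 inet6 proto ipv6-icmp from any to any
block in log quick on gif0 inet6 from any to ${LAN_V6}/64
EOF
}

# tunnel_mtu: 6in4 adds a 20-byte IPv4 header, so a 1500-byte WAN path gives
# the tunnel (and the LAN's router advertisements) an MTU of 1480.
tunnel_mtu() { echo $(( ${1:-1500} - 20 )); }

apply() {
  tunnel_cmds | while IFS= read -r c; do echo "+ $c"; $c; done
  pf_rules > /tmp/he-tunnel.rules   # review, then merge into pf.conf and pfctl -f
}

# Dry run by default: show what would be done.
if [ "${1:-}" = "apply" ]; then apply; else tunnel_cmds; pf_rules; fi
```

Run it without arguments to see the commands and rules, then verify from a LAN host with test-ipv6.com as the posts suggest; if the tunnel is up but large transfers stall, the MTU (1480 on the tunnel) is the first thing to check.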
If you want a more full featured firewall....
I used to use DD-WRT or Tomato, but I wanted a faster router/firewall with more features. so I built a Mini ITX router with the following.....
http://www.ipcop.org/ - a great high end firewall package.
http://m0n0.ch/wall/ --BSD based and solid as a rock.
http://www.pfsense.org/ if you want gobs and gobs of plugins and features. it's a fork of Monowall with more plugin support.
NOTE: some people consider plugins to be evil for a firewall. I find having to run 3 servers for a home network to be silly. So I run pfsense with a gajillion plugins for the features I want and a fileserver/app server on the inside.
-
PFSense
If you are willing to replace your router, I highly recommend the FreeBSD-based router software "PFSense". It runs on any x86 hardware, and combines the ease of use of a commercial router with the highly advanced networking features of expensive routers, while running on any hardware you have (so if it breaks, you can just move your config files to another machine, boot it up, and begin running again). I am so confident in it, I deployed it at my workplace, a multi-million dollar business with about 75 users, and several WAN connections. Recommending it because it includes a bandwidth meter is like recommending an airplane because it has a reading light; that is only one of its many features and uses. http://www.pfsense.org/
-
pfSense
This may be overkill for many home networks, but we use pfSense running on an about-8-year-old computer.
Besides the firewall, NAT and bandwidth reporting (per-IP and aggregate), we are running Squid/SquidGuard and a VPN connector.
CPU: Intel(R) Pentium(R) 4 CPU 2.80GHz (2793.01-MHz 686-class CPU)
RAM: 512 MB
-
pfSense
pfSense. Been running it on ALIX board for years. Love it.
http://www.pfsense.org/
-
pfSense ftw
I believe all of this is possible (even multiple SSIDs with one router) with OpenWRT or DD-WRT on certain hardware, but I never got it working right. I just ended up using two Linksys routers (one with open wifi, one encrypted) and pfSense as a router. You can even do this with just pfSense and a couple of wireless cards. Private wifi bridges to the local network, public is on an isolated subnet. pfSense traffic shaping keeps users in check. I have a QoS class for "public" traffic which is limited to a couple of Mbit/s down and a few dozen kb/s up. Rock solid, more than I can ever say for either of the Linksys routers.
I found pfSense: The Definitive Guide to be a decent dead trees source for getting started with pfSense.
-
DDWRT or m0n0wall/PFSense
You really just need something that either has an extra interface for your wireless network, or can do 802.1Q VLAN tagging and a VLAN-capable switch. I think even with a Linksys and DD-WRT, you can put the built-in wireless AP on its own VLAN. Then you just give the wireless its own subnet and disallow traffic from the wireless subnet to your personal subnet. I think you can even do multiple SSIDs and put each SSID on its own VLAN, one for the public and one for you. Then just allow egress traffic on ports 53, 80, and 443 for your guest subnet, set up the traffic shaping queues with whatever amount of traffic you want to donate, and set it and forget it.
Of course, this doesn't address the issue of people using the connection to do illegal things, but I've been doing exactly what I described above in a very densely populated area of San Diego since 2002 and haven't had any problems yet *knock on wood*.
Also, keep in mind that this violates the TOS of most ISPs. I have a business-class cable connection at home, which has a much less restrictive TOS, which makes it legal. I also have multiple public IP addresses, and run all my guest wireless traffic over its own IP, so if anyone gets banned from, say, eBay or something for fraud, it won't affect me.
But to answer your question, no, I don't think you can do this on many consumer-grade router/APs without flashing the firmware with DD-WRT, and not all consumer routers are flashable. I think Buffalo sells a model that comes with DD-WRT preloaded.
If you wanted to make a project out of it, you could buy a used Cisco Aironet for $50 and pair it up with an old PC with multiple NICs and install PFSense on it and have yourself a grand old time. The tools in PFSense can actually be quite entertaining when you collect anonymous statistics about what sort of things your neighbors do with your connection. NTOP will entertain you for hours. :)
-
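The guest-VLAN layout that the "pfSense ftw" and "DDWRT or m0n0wall/PFSense" posts describe, as an added example that is not code from those posts or from the pfSense project: a generator for the pf.conf a FreeBSD/pfSense box would run with a tagged guest interface, no path from guests to the private LAN or to the firewall's own services, egress limited to 53/80/443, and one capped bandwidth slice for guests. Interface names, subnets, the VLAN tag and the rates are assumptions. One caveat the posts do not spell out is built in: "allow 443 to any" also reaches the guest gateway itself, so the firewall's own addresses are blocked explicitly before the egress rule, otherwise guests can reach the web GUI.

```shell
#!/bin/sh
# Added example, not pfSense project code: generate the pf.conf for a guest
# VLAN that is isolated from the private LAN, limited to DNS/HTTP/HTTPS egress
# and shaped to a fixed slice. Interface names, subnets and rates are assumptions.
WAN_IF="${WAN_IF:-em0}"
LAN_IF="${LAN_IF:-em1}"
GUEST_VLAN="${GUEST_VLAN:-20}"            # 802.1Q tag carried over the LAN NIC
GUEST_IF="vlan${GUEST_VLAN}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
GUEST_NET="${GUEST_NET:-192.168.20.0/24}"
GUEST_GW="${GUEST_GW:-192.168.20.1/24}"   # firewall's address on the guest VLAN
WAN_BW="${WAN_BW:-1Mb}"                   # upstream rate the shaper root assumes
GUEST_UP="${GUEST_UP:-64Kb}"              # "a few dozen kb/sec up"
GUEST_DOWN="${GUEST_DOWN:-2Mb}"           # "a couple mbit/sec down"

# vlan_cmds prints the commands that create the tagged guest interface.
vlan_cmds() {
  printf '%s\n' \
    "ifconfig ${GUEST_IF} create vlan ${GUEST_VLAN} vlandev ${LAN_IF}" \
    "ifconfig ${GUEST_IF} inet ${GUEST_GW} up"
}

# guest_pf_conf prints the ruleset. \$ escapes keep pf macros out of shell expansion.
guest_pf_conf() {
  cat <<EOF
wan_if = "${WAN_IF}"
lan_if = "${LAN_IF}"
guest_if = "${GUEST_IF}"
lan_net = "${LAN_NET}"
guest_net = "${GUEST_NET}"
guest_ports = "{ 53, 80, 443 }"

# Shaper: the same queue name is defined on both interfaces ("queue X on IF"),
# so a flow tagged q_guest by its pass rule is capped at ${GUEST_UP} when it
# leaves WAN and at ${GUEST_DOWN} when its replies leave the guest VLAN.
altq on \$wan_if cbq bandwidth ${WAN_BW} queue { q_default, q_guest }
queue q_default on \$wan_if bandwidth 80% cbq(default)
queue q_guest on \$wan_if bandwidth ${GUEST_UP}
altq on \$guest_if cbq bandwidth 100Mb queue { q_default, q_guest }
queue q_default on \$guest_if bandwidth 80% cbq(default)
queue q_guest on \$guest_if bandwidth ${GUEST_DOWN}

set skip on lo0
nat on \$wan_if from { \$lan_net, \$guest_net } to any -> (\$wan_if)
block log all

# Guest VLAN: DHCP and DNS to the gateway only, then nothing to the LAN or to
# any firewall address (including the guest gateway, or "to any port 443"
# below would expose the web GUI), then the allowed egress ports and ping.
pass in quick on \$guest_if proto udp from any port 68 to any port 67
pass in quick on \$guest_if proto udp from \$guest_net to (\$guest_if) port 53
block in log quick on \$guest_if from any to { \$lan_net, (\$lan_if), (\$wan_if), (\$guest_if) }
pass in quick on \$guest_if proto { tcp, udp } from \$guest_net to any port \$guest_ports queue q_guest
pass in quick on \$guest_if inet proto icmp from \$guest_net to any icmp-type echoreq queue q_guest

# Private LAN is unrestricted; the firewall's own traffic may leave.
pass in quick on \$lan_if from \$lan_net to any
pass out quick on \$wan_if
EOF
}

# check_conf parse-checks the generated ruleset with pfctl when it is present (no load).
check_conf() {
  if command -v pfctl >/dev/null 2>&1; then
    guest_pf_conf | pfctl -nf -
  else
    echo "pfctl not found; skipping parse check" >&2
  fi
}

vlan_cmds
guest_pf_conf
```

Pipe the output into a file, run check_conf on the firewall, and test from a guest client that the LAN and the gateway's web GUI are unreachable while web browsing still works; the shaper numbers are per-queue caps, not per-client, which matches the "donate a fixed slice" idea in the post.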
Re:MOD PARENT UP
We've got lots of good suggestions up here:
http://doc.pfsense.org/index.php/Boot_Troubleshooting
There are some problems with certain equipment, but it can usually be sorted out.
You can get an ALIX with no moving parts and only draws about 5W of power for under $200, but probably couldn't run snort. They make great firewalls though for most cases. An atom 330-based 1U Supermicro server barebones kit can be found at Newegg for about $280 or so. Those only draw about 35W.
A lot cheaper than replacing them with a desktop-class PC, unless you have spare parts laying around. :-)
-
Re:MOD PARENT UP
You're probably paying more in electricity to run that old box than it's worth. :-)
There are DNS rebinding attack protections in pfSense 2.0, but it's still in beta. The changes may be backported or at least show up as a "package" that can be installed, but that would still require being on at least 1.2.3.
More info in the forum: http://forum.pfsense.org/index.php/topic,26368.0.html
-
I like PF, try PFSense
The BSD 'pf' packet filter is pretty good. There is even a FreeBSD-based project known as pfsense which you might want to take a look at, as it offers a pretty-much drop-in solution for packet filtering, as well as NAT, load balancing, VPN connectivity, etc. There is a web-based administration GUI as well. It looks pretty sweet, but I haven't played with it much in any serious deployment personally.
-
Pfsense would help
Pfsense would be helpful. It's a handy router distribution that can be used for various relevant things, including seeing what DHCP leases are active and also scheduling when the router will route traffic. http://www.pfsense.org/ - I expect others have referenced it thus far??
-
Re:PFSense
The act of building your own CD or install image is covered here:
http://devwiki.pfsense.org/DevelopersBootStrapAndDevIso
If you're just interested in the tools, patches, and scripts that build the system, they can be found in the pfSense "tools" repo here:
The code for the different pfSense branches is also there, as well as the code for the livecd repo based on freesbie2.
If you have a spare FreeBSD box (or a VM) it isn't too hard to follow the how-to and make an image, but the instructions only cover a fraction of what it is capable of doing. That one tools repo contains the scripts to build everything: LiveCD ISOs, Firmware update files, Embedded images, you name it.
If you want to know more, check out the forums or ask on freenode, someone is usually around who is familiar with the process.
-
Re:Be more specific!
There are several reasons to go with FreeBSD (Though OpenBSD is great in its own regard).
The reasons given by the pfSense project are here:
http://doc.pfsense.org/index.php/Why_did_you_choose_FreeBSD_instead_of_%27insert_OS_here%27%3F
-
Re:Mutually exclusive
You can have low-cost commercial grade services run using off-the-shelf hardware.
pfSense includes support for CARP, which lets you build high-availability failover clusters. You can have two (or three or four...) cheap systems and if one dies, just fix/replace it as needed. The backup system(s) automatically take over and nobody would likely even notice the changeover.
When it's cheap, that is much easier to consider.
If you want no moving parts, you can use an ALIX box, Soekris, or perhaps even some atom-based boards. If you want to use server-grade boxes to make yourself feel warm and fuzzy, you can do that too. Supermicro even has a server-class atom board in a 1U rack which runs pfSense very well for us.
-
pfSense
Give pfSense a try. http://www.pfsense.org/ Also a VERY active user forum at http://forum.pfsense.org/
-
Screw Linux
Why does it have to be linux? Use pfSense
-
pfSense
It's got everything you'll need for Multi-WAN load balancing and failover, and supports many platforms.
pfSense Multi WAN / Load Balancing
-
Re:Iridium?
Iridium is a good start. But take that, a generic WiFi card, whatever 3G service you like, and heck, anything else you can think of, and glue it all together with pfSense. The only time you'll have trouble is if you're actually in motion and have a secure connection established (e.g. VPN or SSL) and you lose the active connection: the other end will see you on a different IP and you'll have to re-authenticate. (Oh, did I mention that pfSense is awesome? :)
-
HAVP
How about HAVP? Scans all your traffic in and out. It won't stop the bug catching a ride on a USB stick until it actually hits the wire, but heckuva thing being able to monitor the pipe from a single seat. Also available as a PFSense package.
-
Re:Tangental question...
What I think you're looking for is "carp" and all flavors of bsd do it. You may want to check out pfsense: http://www.pfsense.org/. I've used it for years. Depending on requirements, just throw the appropriate amount of hardware together. You can fail-over ipsec tunnels with it. Suitable for all enterprise uses.
-
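The CARP failover pair that the "Re:Mutually exclusive" and "Re:Tangental question..." posts describe, as an added example that is not code from those posts or from the pfSense project: the FreeBSD 8/9-era commands and pf rules behind pfSense's CARP and pfsync screens for two nodes. Each node keeps its own address on every interface; the shared virtual IPs live on carp(4) interfaces, which attach to the parent NIC whose subnet they fall in, and pfsync copies the state table over a dedicated link so established connections (including the IPsec states the second post mentions) survive a failover. FreeBSD 10 and later folded carp into the parent interface (`ifconfig em0 vhid 1 ... alias`), so the syntax differs there. Interface names, addresses, VHIDs and the passphrase are assumptions; the script prints by default and executes only with "apply".

```shell
#!/bin/sh
# Added example, not pfSense project code: configure one node of a two-node
# CARP/pfsync failover pair on FreeBSD. Names, addresses and the passphrase
# are assumptions; run with ROLE=master on one node and ROLE=backup on the other.
ROLE="${ROLE:-master}"                      # master or backup
WAN_IF="${WAN_IF:-em0}"
LAN_IF="${LAN_IF:-em1}"
SYNC_IF="${SYNC_IF:-em2}"                   # dedicated crossover link between the nodes
WAN_VIP="${WAN_VIP:-203.0.113.1/24}"        # shared address the ISP side sees
LAN_VIP="${LAN_VIP:-192.168.1.1/24}"        # shared default gateway for the LAN
SYNC_PEER="${SYNC_PEER:-10.0.0.2}"          # the other node's address on SYNC_IF
CARP_PASS="${CARP_PASS:-changeme}"          # HMAC key for CARP advertisements

# advskew: the lower value wins the election, so the backup advertises worse.
# Advertisements are multicast (224.0.0.18); the passphrase authenticates them
# but does not hide them, and pfsync is unauthenticated, so the sync link must
# be a private segment, never a shared LAN.
advskew() {
  if [ "$ROLE" = master ]; then echo 0; else echo 100; fi
}

# carp_cmds prints the interface commands. preempt=1 makes every VHID on a
# node fail over together, so a dead WAN link does not leave the node master
# on the LAN side with no route out.
carp_cmds() {
  skew=$(advskew)
  printf '%s\n' \
    "sysctl net.inet.carp.preempt=1" \
    "ifconfig carp0 create" \
    "ifconfig carp0 vhid 1 advskew ${skew} pass ${CARP_PASS} ${WAN_VIP}" \
    "ifconfig carp1 create" \
    "ifconfig carp1 vhid 2 advskew ${skew} pass ${CARP_PASS} ${LAN_VIP}" \
    "ifconfig pfsync0 syncdev ${SYNC_IF} syncpeer ${SYNC_PEER} up"
}

# pf_rules prints what pf must allow: CARP on the shared segments and pfsync
# on the sync link. Neither state may itself be synced (no-sync), or the two
# nodes keep pushing each other's state updates back and forth.
pf_rules() {
  cat <<EOF
pass quick on ${SYNC_IF} proto pfsync keep state (no-sync)
pass on { ${WAN_IF}, ${LAN_IF} } proto carp keep state (no-sync)
EOF
}

# Dry run by default; "apply" executes the commands as root.
if [ "${1:-}" = "apply" ]; then
  carp_cmds | while IFS= read -r c; do echo "+ $c"; $c; done
else
  carp_cmds; pf_rules
fi
```

To check a pair, watch `ifconfig carp0` flip from MASTER to BACKUP when the master's WAN cable is pulled, and confirm with `pfctl -ss` on the backup that it already held the states before the failover rather than learning them afterwards.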
Geode's Are Great for Firewalls
I've used Geode systems in tiny little ALIX boxes that measure about 6"x6"x1" and then installed pfSense on them for firewall duties.
They work great and have enough grunt to push 50-80Mbps. More than enough for your typical internet connection. With better NICs (the ones embedded on the ALIX don't do much in the way of CPU offload or interrupt mitigation) it could push more. And they do this while drawing about 4 watts. Yeah, seriously!
CPU power is a bit lacking if you need to push a bunch of VPN traffic, but if you do, a cheap Sempron based system will push a lot of VPN traffic while drawing only about 30w total if you build it right.
-
AMD still have a lot going: Virtualization
I myself unfortunately bought an Intel Core2Quad a little over a year ago, and regret big time that I did not wait for the AMD quad instead. The reason is that Intel only allows real virtualization in crippled protected mode!!! That essentially destroyed my objective for buying a quad core... For virtualization, AMD has a much better design that avoids these problems. If you intend to run separate systems such as Windows and Linux sharing resources such as the network card and so on without losing power, you'd better choose AMD over Intel! I know - there is supposedly a solution in Linux kernel 2.6.27 to bypass some of the inherent problems with the Intel chips with virtualization, but that is not yet supported by many distributions such as CentOS, which is still my OS of choice...
It appears many people have run into similar problems when incorrectly believing Intel would be best:
http://forum.pfsense.org/index.php?topic=3294.msg44574
I'd certainly trade a little speed for real virtualization any day!
-
Re:NAT is a hack.
I agree, I don't look at it as one but I also have the firewall configured on my pfSense box.
I apologize if my post gave the idea that I looked at it as one.
-
Re:Where's my measurement tool?
There are a great number of tools, thanks for that recommendation for Windows. I personally recommend doing this at the gateway level using a Linux firewall or pfSense and bandwidthd.
While it's fine and dandy to monitor your own bandwidth, what happens when Comcast says you hit 250GB and bandwidthd is showing 150GB? With no official, transparent meter from the service provider the customer is never right.
-
pfSense
Sounds like something that pfSense might be able to do, between squid and maybe the captive portal.
-
Re:A $50 Router Stable?
A "pro-sumer," in my mind, would be the kind of person who likely has some older hardware laying around, or money that they're willing to spend on new hardware, and a bit of intelligence; at least enough to read a manual if they have trouble.
If we can assume that definition to be true, I'd suggest that they use their old hardware/cash flow to set up a small system to run pf, which would be my choice, or iptables on.
pfSense is free and would be great for someone with the hardware but who wanted an easy way to deal with configuration.
-
*nix on old hardware
look for the Linux Advanced Routing HOWTO
Somewhere in that site it talks about some of the problems of having 2 IP addresses, like confusing game servers and the like, but with a bit of tweaking you could get it functional. I don't think this solution explicitly provides failover functionality, but I suppose that could be scripted in somehow.
pfsense is a nice turnkey solution for this too, if you're not into spending a couple weeks solid trying to make your debian or lfs distro act like a router.
db
-
Re:Gaming Router
The problem I have run into time and time again is that the WRT54G just doesn't have enough CPU power and RAM to handle the mess torrents make. Throw VoIP into the mix and everything comes to a standstill.
I used pfSense, but several distros are supported by some micro PC manufacturers.
http://www.pfsense.org/index.php?option=com_content&task=view&id=44&Itemid=50
I'm currently running a NetGate device with a 500MHz AMD Geode processor and 256MB of RAM. $200 is a little bit on the pricey side, but it is tiny and fanless.
-
Re:Nice troll but I'll bite...
Maybe you should just use:
http://www.pfsense.org/
It doesn't have IPv6 yet, but that's still months/years away.