Domain: soekris.com
Stories and comments across the archive that link to soekris.com.
Comments · 258
-
Re:These aren't PCs...
I'm actually doing the exact same thing on a Soekris net4801. It's a bit bigger and more expensive, but I think it's a good deal for what I can do with it. I use links and mutt (with imap and smtp kludge and local mail disabled) from it. I wonder how much electricity I save using that as my "IRC from anywhere" box over a regular PC just sitting around 24/7.
The whole thing runs debian from a cheap 1GB CF card I picked up from Fry's. / is mounted read-only with a few tmpfs mounts for the logs, /tmp, and various parts of /var. 128MB of ram, 266mhz geode, three ethernet ports, one PCI, one mini-PCI slot and USB and a serial port. It also has a really nice case. -
Re:Security Ramifications
Right; esp. when people are novices. But for experienced sysadmins, a "fat router" is quite useful, especially at home where you want to keep your electricity bill under control.
A typical setup on any low-power 24/7 device, like some routers, or general purpose boards a la net4801 includes OpenBSD or FreeBSD with userland-ppp, pf and BIND, plus, if needed, postfix, lighttpd, cyrus-imap, etc...; all running tightly within their jail(8)s and closely monitored.
This would be the maximum, and from a security point of view, still somehow manageable. You definitely don't want to add stuff like NFS (despite airtight good pf settings) at such an exposed place though... But running ctorrent every now and then (again, in its own jail) should be fine...
-
What's your solution then? WiFi's the best we got!
Currently WiFi is the best technology we got for broadband internet access in remote regions. It is the only mass-produced high-bandwidth wireless standard around. And of course any mass-produced complex consumer grade electronics will have a low MTBF. But you have to pick and choose your hardware carefully whatever your project is and plan your maintenance strategy accordingly.
Seems like you've had trouble with 'MESH networks'. MESH network is just a concept - you need to make an effort and have the engineering skills to apply it in reality. And quit whining about FCC limitations on channels and powerlevels. You have to plan around those. For example having multiple radio-interfaces in one accesspoint/router with sector antennas for clients and line-of-sight antennas for trunking will give you manageable and predictable performance.
I would start with something like Soekris embedded-linux board with mPCI/PC-card radio-interfaces and custom antennas for each purpose. One radio acts as the accesspoint with omni-antenna and other two are used for trunking with parabolic antennas. That'll give you a basic building block for your network. Then you just loop them around the area you need coverage for and at junctions and high-traffic areas you co-locate a couple hooked together via the eth0 - it's all flexible and manageable with linux running on the boxes. This won't exactly be a 'MESH-network' (more like a semi-hierarchical mobile-phone tower network) but it will have the same flexibility of coverage and reliability (because of the looping).
You have a better idea?
-
Re:Whinge whinge whinge..
I wouldn't be surprised if a lot of their customers were BSD users. It's quite a common OS in the sort of application this chip is designed for.
HiFn chips are used in the crypto accelerators made by Soekris Engineering. OpenBSD running on one of their embedded PC boards along with one of their crypto accelerator cards is quite a popular combination.
-
Re:That reminds me-
Use FreeBSD and GELI: Disk Encrypting and Swap Encrypting using GELI.
Buy a crypto card from Soekris, like the vpn1401. FreeBSD's crypt framework will autodetect the card and use it. Note that this isn't a controller, and I don't believe it can be used with a RAID setup.
There are a lot of issues to deal with. If your swap isn't encrypted, then you'd might as well not bother if you're messing with a huge document. Also, you should find a way to encrypt your home directory as data could get dropped into temporary files. Encrypt the /tmp directory as well. The /tmp and swap keys can be one-time, but you'll want to use different passphrases for different drives. The problem you'll have is with key management. The theoretical crypto chain these days is sound (dunno about GELI specifically, as it's not been analyzed), but there's always a chance for an implementation error. Even so, you are the weakest link in your crypto chain.
Also remember that you can be compelled to give over your keys by law enforcement (legally). The crypto is so good though that if they want your keys, they'll likely install a key logger instead of bothering with asking you. -
Re:Rackmount firewall hardware recommendations?
oh, and you may also wish to check out Soekris gear - highly secure (run the OS from a RAM filesystem, set your CF media to read-only), very small, 12W power requirements, the net4801 (for example) ships with 3 fxp(4) interfaces and a miniPCI slot that can take either a wireless card or a hardware crypto accelerator (200Mbps AES-256 at line speed with near zero CPU overhead). Search the archives for Soekris and you'll get quite a few results.
-
pfSense
Check out http://pfsense.org/. FreeBSD 6.x based, uses pf packet filter, supports multiple VPN protocols, runs on embedded hardware as well.
Running it now on Soekris Net-4801 device http://soekris.com/. Sweet. Smooth.
-
Re:Pentium Name
Yeah, the prices for those math coprocessors were crazy. I recall an unusual week when at the start the 387 was $600, and by the end, $200. Still didn't sell. Possibly the dramatic price drop was because the 486DX was coming.
I can think of one area today that does compile software for 486s, 386s, and older chips: embedded devices. Here are new 486 based PCs that can be a firewall or any similar device, or can just run Linux for general purposes. There are even new 6502 and 8086/8088 based chips available. But yeah, that's a specialized area. You're right, most general purpose distros make the Pentium the minimum target. Have to go for an ancient or minimalist distro to get 386 compatibility.
-
Re:How about homemade routers?
It may not be a retail product, but you can always get a Soekris kit that has multiple Ethernet interfaces, 128 or 256MB of RAM and supports CF for additional storage for around $300 (net4801-50, 128MB version, with a total of 5 Ethernet interfaces).
http://www.soekris.com/net4801.htm
It runs off of a 586-class processor and with all of the fixins, would only draw around 20-25W. Not bad for something that can run Linux or *BSD. I haven't messed with one yet, but they do look pretty good even for a small server that can provide: SSH, FTP, web, NTP, DNS, DHCP, etc. Heck, it may replace my Sun Blade 100 one of these days ;) -
Suggestion for a low power firewall
If you're looking for low power firewall machine, you should really look at Soekris: http://soekris.com/
They are fantastic small machines/boards that are perfect for that kind of job and they work great with *BSD and Linux. -
Re:Oh no, I can hear them cry
What next?
Open Hardware to go with our Open Source Software?
I imagine the smaller hardware shops like Soekris will become more popular and be able to ramp up production, become cheaper and more viable. I realise that Soekris make stuff for embedded and router type hardware, but surely there will always be desktop and laptop machines available without built in DRM?
Hmm, maybe some motherboards put out with some powerful FPGA's for the CPU and maybe some other parts for controllers and graphics.
Surely the people can take the power back! -
Have you looked into a Soekris box
I believe Soekris boxes will run off of a power brick. Compact Flash is typically used but a laptop hard drive might be used on them.
-
I tried Soekris
I've been looking for small cheap headless computers for a long time, but they are hard to search. Want to use them as servers. Found Soekris, which does the job, but took a while to set up. Had to figure out how to net boot, cross compile, and work around various limitations. Meanwhile, the distro I used (uwoody from ucLibc) has vanished, so if I want to update, I'll have to start from scratch. Would prefer something easier to set up, and these don't sound like they are any easier. Still, glad to know about Waysmall and BlackDog. Anyone know of others?
-
Re:Other operating systems?
Go with the 4801 from this site. http://www.soekris.com/ It uses an amd chip, can boot from flash drive or ide and you can add an atheros minipci card with external antenna, which can use hostap. I'm replacing my wrt54g with one of these and may build a couple more for work. O'Reilly's web site has a couple of articles on using openbsd and pf with this board. I need more control of my firewall than the linksys could do. More expensive, but you get more power than cisco and incredible security.
-
Re:open
Here at my work at a small local ISP we use small Soekris boards running FreeBSD. Not only is this hardware rock solid but running a fully featured distro gives us the ability to easily remotely troubleshoot network connectivity issues or firewall rules, or routing tables from here in the office.
We mount them in outdoor enclosures for use as access points or as small deployable routers/firewalls for fiber set ups.
However they are rather pricey (250 - 450 dollars a pop) so still a lot less than comparable cisco hardware, but still too expensive to drop on the porch of a customer.
The question I've had for a while is whether or not I can as a distributor legally hack a linksys router and drop our own distro on it, and give those out to customers. At a much more affordable price.
I called linksys the other day but the lady I talked to had no idea and never called me back :)
~Anders -
Re:simple
you may want to look into a soekris net4501 for the pc. it comes with everything but the "hard drive" (in quotes because it's a cf card)
-
Re:Wish there was internet battle mode
In shine runners, you're competing to pick up shines (from Mario Sunshine). You can knock shines loose from other players with shells, etc. Every 20 seconds or so, whoever has the fewest shines gets dropped off until one person is left.
Unfortunately, neither of those modes are available online.
I was disappointed when I saw that shine runners wasn't available via WiFi. And I was also wondering if it would be something that might be added to the WiFi network at a later date? The main racing game is tons of fun, but I really like shine runners as well.
Also, I have a non mainstream Wireless Access Point and I had no problem getting online with Mario Kart DS. My WAP is a Soekris net4801 running m0n0wall.
Can't wait for Metroid Prime: Hunters! -
Why, how very novel
I mean, nobody has ever built a small low-powered PC based on a Geode chip before...
The only thing that's really novel about this is the integrated video, and having some (possibly lobotomized version of) Windows pre-installed. Otherwise, this isn't exactly a remarkable technological development.
Also seconding the "how could they make this and not include a display" question. The boards I cited above are intended for embedded development, and I've never used a monitor on any of them. (I've got probably fifty of them, all running various customized Linux and BSD distributions, scattered over four counties in my network. They're intended to be used that way, which is why they don't even have a VGA port.)
Seriously, once you add a monitor, you're pretty close to low-end Dell pricing, which gives you a computer with roughly 20 times the raw horsepower, and a lot more versatility, so I suppose they're marketing this to the "omg computers are scary" crowd. Best of luck on that. I'd like to think at this point the American public is smarter than this, but I'm probably setting myself up for another disappointment. -
well, there's the soekris net4801, I suppose...
The Soekris Net4801 might possibly work for you, but be prepared to put in some learning time to get one going. The board, case, and power supply are about $250... you'd have to add a laptop-style drive from there.
They are completely headless AMD Geode machines... 266mhz Pentium class, with 128mb of RAM. They're primarily meant as routing devices for wireless networks (they have three network ports, and 1 3.3v PCI and 1 miniPCI slot). They are completely fanless, and have a socket for a Compact Flash, which is the normal boot device. They also have a connection for a laptop-style hard drive, and a USB 1.1 port.
Now, these little guys can really be a chore to get set up, because they have no true video... they route the BIOS text-display calls out through the serial port. And they have no floppy to boot from, so you must either set up a PXE boot environment (what I did the first time... NOT a trivial process for someone who isn't very familiar with Linux and/or the BSDs), or build a bootable CF or laptop drive on another system.
If you can muscle past the installation difficulty, the boards themselves are absolutely silent, with no moving parts at all. For your application, you'd probably boot off a laptop IDE drive. Most of these small drives aren't designed to be on 24x7, so be sure to look around for one that supports a long duty cycle, and even at that, take regular backups.
This would give you a small, very low-power solution. The Geode is extremely efficient. I'd have to look it up, but from memory I think it's like 7.5 watts. You could spend more running a nightlight. The drive will add some to that, but it'll definitely stay under 15w, and maybe under 10. It's reasonably powerful, with a decent amount of RAM, and will make very little noise and take up very little space.
I'm using one of these boxes as a router/firewall, and I like it very much. I hate noise, and with a CF, it is both silent and should last many, many years... no moving parts at all. Folks on the mailing list have claimed that it can sustain 10 megabits comfortably with moderately complex firewalling, and as much as 30 megabits if it's just routing between interfaces. It's not a speed demon, but it's really not bad.
Another possibility might be the Linksys NSLU2, which is a NAS device that runs Linux, and is apparently pretty hackable. It would be even harder than the Soekris to get going, though...and it's not X86, if that matters. I don't know much about them, but others may chime in with more data.
-
Re:And what do they want?
That's why I built my own router.
http://www.soekris.com
Well, that's not the real reason but it's a nice fringe benefit.
DSL modem could still be bugged, but that's why I encrypt everything.
Just because you're paranoid doesn't mean they're not out to get you.
(only half-joking) -
Re:I hope he's better at programming then at hardw
Well, maybe you could just use one of these:
http://www.soekris.com/net4511.htm
Works great, I'm using one right now, and m0n0wall reportedly works just as well on it. -
worked great here
You don't need to use a full blown PC and consume heaps of power.
I bought a Soekris net4801 close to 2 years ago now specifically to run m0n0wall on. Best computer decision I ever made. The power consumption is somewhere around 20W.
On my 1526/256kbps connection it works an absolute treat. I have 1 machine that is used solely to play games. All traffic from this machine is fed into a separate queue from the rest of the LAN. Downloading at 140K whilst playing Battlefield 1942 with no lag is a blast and I never have to give a thought as to what might be downloading (or uploading) on the network. Prior to using m0n0wall and despite my best attempts with Smoothwall, CC and Mandrake with some scripts - the best I could do was around 60KB/s download before lag became an issue.
After seeing my setup a mate didn't want to fork over the cash for a net4801 but wanted to do the same thing. He uses a fanless 486 with 8MB RAM which boots from a CDROM and loads the config from the FDD. Once the machine boots the only moving part is the PSU fan. That's about the 2nd lowest amount of power you could consume for this kind of set up. Images for the net4801/4501, CDROM, WRAP boards etc are all available from the m0n0wall website. Battlefield 1942 for example needs 4 rules. 3 outgoing and 1 incoming.
If you want to route specific gaming traffic from your PC, just start the game, ALT+TAB and run netstat -a to find out what is going where. For Windows users, I found TinyPersonalFirewall v2 to be very helpful. It will show you specifically which apps are using which protocol and to which port it came from and/or is going to.
As a bonus, m0n0wall supports a bunch of wifi cards, VPNing, SNMP, Captive Portals, DMZs and multiple NICS. My net4801 for example has 3 onboard ethernet interfaces (modem, lan & dmz for web server), 2 addon ethernet ports. 1 for my local wifi lan & 1 for an AP on the roof to a local mesh network. Both use VPN. To help with this it also has a TypeIII Mini-PCI hardware accelerator to offload work from the CPU for VPN encryption. Best free router OS ever! -
sub $200 x86 ...
letsee.... sub $200 x86 hardware to run debian. http://soekris.com/
.... have fun... -
Re:Read Slashdot post, Read TFA, Order NSLU2. 5 Mi
-
Interesting routing on old machine and W2K Server
Seeing as I am still working out Linux, and I know my Windows pretty darn well, I did this interesting thing.
The specs:
- Pentium II 233MHz
- Intel Desktop Board (isn't their slogan "built on reliability")
- 96MB RAM
- 3GB Hard Disk
- OS: Windows 2000 Server Standard
For readers to understand fully why I did this, until about a month ago, South Africa had only one decent ADSL account offering, a 3GB account. These 3GB accounts allow you to browse any site at full speed until you generate 3GB of traffic (that's g/bytes), and after the DSLAM kills your session (happens approximately every 24 hours) and you reconnect you get worse than 9600bps modem speeds when connecting to overseas servers/peers, but local speeds are still 100%. At the beginning of each month the counter is reset.
So, what I do is use OpenVPN (http://www.openvpn.org/) to tunnel to my office for the international bandwidth which we get through a 2mbit/s leased line, however, I have managed to configure my box in such a way that local traffic goes straight over the ADSL.
Using Windows 2000 Routing and remote access on my machine at home, I create the tunnel, and also create a ppp connection using RAS PPPoE (http://www.raspppoe.com/) - seeing as Windows 2000 doesn't have it natively. I then set up NAT routing, make the OpenVPN TUN/TAP adapter and the ppp interface external interfaces, and the LAN card the internal interface.
Then for routes, I set my default route to go down the tunnel, and I naturally set up the IP address of the remote end of the tunnel to go down the ppp interface. Now, South Africa has relatively few ASNs, so I also manually added a whole lot of those blocks to my routing table to go down the ppp interface. The net result (excuse the pun) was that local traffic went straight over the ADSL, and international traffic via the tunnel.
This all runs perfectly on Windows 2000 Server on that old box. Unlike the author of the article, I don't ever "work" on the machine per se, so for security reasons it does all its Windows Updates, while I installed no extra services like IIS, I haven't bothered to disable any default services, I have however turned off Active Desktop, sliding menus and the Activity Pane for Windows Explorer, I discovered a long time ago that turning these off was the simplest way to more than double the responsiveness of their systems. What I have also done is enabled Terminal Services in remote administration mode, so the machine needs no screen, keyboard and mouse. I add that I am no security expert however, with the box fully patched and a strong password set, I have had NO security incidences, well, at least none that I am aware of, I also do not run any kind of firewall.
Now my routing works well and causes *almost* no problems, it does have issues nevertheless. Because my box has two external IP addresses, certain things have issues, the problem arises when an application registers on an international server, and other peers from South Africa try connecting to my tunnel interface IP address, this doesn't work because my Windows 2000 box ends up trying to send the packets back over the PPP interface. I notice this the most with Source and Steam. I cannot connect to any local servers when my tunnel IP address is the one registered with the Steam server, it just keeps on asking for my Steam username and password. To get around this, when I want to play, I merely end up doing a PPPoE direct from my desktop, and while it takes a while for Steam to sign in, it does work. While I know that I could manually setup the steam server IPs to route over the ppp, I just haven't bothered, also this way when an update comes down, it always comes down the fastest.
I am experimenting with Linux, and especially along with Soekris (http://www.soekris.com/) boards, to replace this solution, just a little more time and I will have it worked out - but I am not rushed as my Windows 2000 Server solution works just as well - and is up and running already. -
Re:Not what I was expecting
Last I saw, what Junxion was shipping was 95% COTS.
The board inside it is a Soekris Engineering 486 class [link], they boot off of a small CF, and the Linux distro the box runs is a very close derivative of LEAF [link]. (Think it's actually a derivative of WISP-Dist[link], which was sprung from and then rolled back into the LEAF project.)
They wrote the pretty front end and provide pretty good support for them.
If you're willing to support it yourself, go buy a $200 Soekris machine and rig one up. -
Re:I still don't get it..
"I'm just tired of having to /work/ to get my system to behave properly. This is something I shouldn't have to be wasting my time on."
You have a very good point. However, I just hope to provide some very good counter-points :).
About a year to a year and a half ago, I knew someone who started his own web hosting business. When I say this, I mean he bought a reseller account from rackspace, charged people money, and then clicked around in cPanel to spawn their sites. It made him money, it worked.
He also knew jack NOTHING about what cPanel actually did. He would tell me how literate he was in linux, and look at me do X in Y seconds, and hey look at this I just added some anti-spam plugin to my mailserver. Every time he'd show off, I'd ask him, "cool, so, how'd you do this?" His reply was always "I clicked here, then here, and then here."
This is the ideal end-user experience, I agree with you completely. But, that doesn't mean that you should just know how to do it in the GUI, you also need to know how to dig way down in depth, bypass all of the nice check marks, and make it work. Why?
So, what happens when your nice point and click interface that just works, well, doesn't work? Are you stuck contacting tech support because you can't fix the problem without a shiny nice GUI and a configuration wizard? As I said, point-click-"hay it works" ('hay' being intentional ;)) is what it should be.
But that doesn't make up for knowing HOW the system works, how to make it work for you, how to repair things when it breaks, and it definitely doesn't mean you can make the system work. It means you can use a system to make the underlying system work, but what happens when the underlying system breaks and your magic "it just works" GUI no longer works?
There is an advantage to mucking around in obscene config files for hours on end with little to no documentation. It's just that far too few people care to do so, and Aunt Tillie isn't going to. Aunt Tillie needs the cPanel, but Technician Bob needs to know how to fix it, should it ever break.
That's half the reason that I run gentoo, half the reason why I bought a soekris board, and half the reason why out of the 7 computers I own, only one runs X. If you want to be able to hold your ground when it comes to fixing Aunt Tillie's computer, you need to know a little more than point-click-tada. Personally, I can't think of a better way to learn How Stuff Works(TM) than by trying to configure squid over SSH using nothing more than the squid.conf comments.
The other half of the reason I did all of that is to keep myself entertained in my 60+ hours of free time per week :D -
PC's are great for networking
But there was always a lot of effort involved in getting it to work, and they were always precarious in operation. It was scary to do upgrades. It was scary to have hard drives fail.
Here's another approach: put Linux on a CompactFlash card instead of a hard drive. Keep the filesystem mounted read-only for normal operation. Test upgrades on a different computer and CF card. Upgrade by swapping out CF cards. If you can build a PC that doesn't need fans, then you've removed all moving parts from the equation. For smaller installations, single-board computers such as the Soekris are very reliable. For larger installations, you can usually find a 1U system with the level of performance you need.
It was always just so much simpler to get a more expensive Cisco box in the long run due to its design, documentation, and performance.
It always depends on what you're doing, of course, and also what you're familiar with, but for my routing/firewalling/VPN/load balancing/ etc needs I've simply found Linux to be more flexible.
-
Re:There is a point...
Why not just go get a nice embedded system with a flash card? Doesn't produce much heat, doesn't have any moving parts. Just get one, toss linux or whatever on it, and poof. Insta whatever server for
http://www.soekris.com/
http://www.mikrotik.com/
I use these for small low-power wireless APs and routers, but they are being used for low-power servers of all kinds as well. Why /. people always want to over-engineer is beyond me. ;)
-
Re:This is the fault of consumers and the WiFI mak
mmmm encryption co-processors
I've been thinking of getting one for a long time. SSH, SSL, TLS, they all use AES as their strongest cipher. I also have IPsec and loop-aes setup, so I have even more reason to have one of those cards. -
Re:Taking simple a bit further
Well, there are a couple of options I can think of off-hand that will run on 12V and would be convenient to power, but they aren't powerful and probably wouldn't be suitable for a jukebox application. I'm talking about the WRAP (http://www.pcengines.ch/wrap.htm) and maybe the Soekris net4801 (http://www.soekris.com/net4801.htm). Definitely more suited towards simple applications such as networking, but they do at least have serial ports, miniPCI and compactflash support built-in.
-
old news
Soekris boxes have had power over ethernet for some time now. http://www.soekris.com/.
-
some thoughts
The FCC limits 802.11 power so buying expensive access points isn't going to increase your range.
soekris boards, if you can afford them, have the advantage of "power over ethernet" and no moving parts, plus they fit nicely into weatherproof boxes so can be mounted high up. If you don't need these advantages any old sub $50 access points should work.
If you're really on a budget you can build your own.
Mostly, it's all about the antennas. In some experiments I've read about, directional antennas have enabled signals to broadcast and receive across several kilometers (line of sight). Check out these guys to see what's available as far as antennas go.
Also, sign up for the bay area wireless mailing list while you're building this. This is one of the better lists I've been on. There are some people that really know their stuff and you'll get lots of help and advice.
Hope that helps. -
MM Fiber @ 100Mb/s
I'd follow the use the cheap LinkSys gear (or build something fancy with a Soekris box) but also pick up some old 100M MultiMode(MM) transceivers that have a FE on one side and fiber on the other. Since you've got 5 acres (not that big honestly), I'd stick to wired for everything possible, it will also provide you the best reliability. Use some pvc pipe or conduit to keep it weatherproof outside and you'll be done and have reliable networking that can be upgraded in the future to gigabit and faster as needed.
-
Re:WPA is just as 'weak' against Brute Force
Anybody have experience with building and integrating a hardware random number generator?
Yes. But I can also tell you, a hardware RNG is overkill for these purposes. There is easily enough randomness available through /dev/random based on disk timings and such to make strong 152-bit keys. Alternatively, you can roll a bunch of dice.
If you really, really want a hardware RNG, go for a Soekris card or a C3 processor, or make your own RNG (integrating that would be tougher, though). -
Re:VOIP traffic characteristics
That's also been my experience: your own uplink is the only bottleneck worth worrying about, and that's a point you can control.
I have fast Speakeasy ADSL service: 768 up, 6000 down. I also have their VoIP service, resold from Level3. But my DSL uplink is still slow enough and the buffer in the DSL modem big enough that VoIP packets in the outbound direction will be delayed for over 3 seconds if they have to fight in an ordinary FIFO queue with traffic from my computers. Running Bit Torrent made my VoIP phone unusable, and interactive sessions very painful.
While the Bit Torrent applications have rate limiting, and the VoIP terminal adapter has an internal prioritizer, I wanted a more general and elegant solution. I especially wanted more than two priority levels so I could run Bit Torrent without affecting my interactive network use, which in turn would not affect VoIP.
I brought up Linux on a Soekris Engineering net4801 box and configured it as a dedicated router with QoS. There are four hierarchical token bucket classes, with the aggregate rate to the DSL modem shaped so that no more than 1 packet would ever be queued in the DSL modem. Each class uses stochastic fair queuing to ensure that one connection cannot dominate the whole class; the connections have to take turns.
Packets from the VoIP adapter go into the top priority class, followed by two intermediate priority classes for routine traffic, and that in turn is followed by a low priority class for Bit Torrent traffic.
The hard part was in finding all the right tuning numbers. I found that by limiting my aggregate outbound traffic to 626 kb/s, I avoided queue growth in the DSL modem. (My link is nominally 768 kb/s, but the modem won't necessarily train to full rate, and you also have to deduct the 5/53 = 9.4% ATM "tax".) Since Speakeasy's VoIP service uses uncompressed 64kb u-law PCM in 172 byte packets, I guaranteed 88 kb/s to VoIP. This can be "borrowed back" by the lower priority classes when VoIP is inactive so it doesn't go to waste.
Bit Torrent gets a guarantee of only 10 kb/s, so if I have anything else that needs the whole link, it will drop way back without actually halting.
When I did all this, I found to my satisfaction that there's basically nothing I could do to upset VoIP calls. They always got first priority on the DSL uplink, and queues never build there -- they're pushed back to the router. SSH sessions are nice and fast even with multiple uploads in progress.
Naturally, I can't do anything to affect how my downstream packets are queued, as that's the job of Speakeasy's router. But I figure they must give priority to VoIP packets, as I've never noticed any voice latency even when I try to saturate the downlink with data. In any event, that link is so much faster than my uplink that it rarely saturates.
So basically, with a well-tuned QoS router on just your DSL modem, you can get excellent VoIP quality without having to manually stop or restrict your computer file transfers. It really does work!
I do have one unsolved problem. Currently, I identify and mark Bit Torrent traffic by its use of one of the "standard" TCP ports starting at 6881. But many Bit Torrent users use non-standard ports, presumably to evade filters, and I flag their traffic as normal computer traffic. This doesn't bother VoIP, since VoIP always gets top priority, but it isn't given the low priority that I'd prefer. My Bit Torrent client, Azureus, recently added a feature to allow setting a Differentiated Services Code Point in the IP header that I could use as a flag, but the Java network stack on which it runs doesn't seem to implement application-specified DSCP settings. Anyone have a solution for this?
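One way to express the four-class layout described in the comment above as Linux `tc` and `iptables` commands, added here as an example and not the poster's own configuration. The 626, 88 and 10 kbit/s figures come from the comment; the split between the two middle classes, the SSH rule, the 6881-6889 port range and all function and variable names are assumptions.

```shell
#!/bin/sh
# Added example: prints (does not execute) tc/iptables commands for a
# four-class HTB shaper. From the comment: 626 kbit aggregate, 88 kbit VoIP,
# 10 kbit BitTorrent. Assumed: the 352/176 kbit middle split, the SSH rule,
# the 6881-6889 port range, and all function and variable names.
TOTAL=626 VOIP=88 INTERACTIVE=352 ROUTINE=176 BT=10   # kbit/s

# The guaranteed rates must fit inside the shaped aggregate, otherwise the
# leaf classes can together exceed the cap.
rates_fit() {
    [ $((VOIP + INTERACTIVE + ROUTINE + BT)) -le "$TOTAL" ]
}

# usage: qos_rules <wan-device> <voip-adapter-ip>
qos_rules() {
    dev=$1 ata=$2
    rates_fit || { echo "class guarantees exceed ${TOTAL}kbit" >&2; return 1; }

    # Root qdisc; anything unmarked falls into class 1:30 (routine traffic).
    echo "tc qdisc add dev $dev root handle 1: htb default 30"
    # Parent class caps everything below the modem's real uplink rate.
    echo "tc class add dev $dev parent 1: classid 1:1 htb rate ${TOTAL}kbit ceil ${TOTAL}kbit"

    # Leaf classes in priority order. Each may borrow up to the full ceiling
    # when higher classes are idle; SFQ makes flows inside a class take turns.
    prio=0
    for spec in "10 $VOIP" "20 $INTERACTIVE" "30 $ROUTINE" "40 $BT"; do
        set -- $spec
        echo "tc class add dev $dev parent 1:1 classid 1:$1 htb rate ${2}kbit ceil ${TOTAL}kbit prio $prio"
        echo "tc qdisc add dev $dev parent 1:$1 handle $1: sfq perturb 10"
        # Steer packets carrying firewall mark N into class 1:N.
        echo "tc filter add dev $dev parent 1: protocol ip handle $1 fw flowid 1:$1"
        prio=$((prio + 1))
    done

    # Marks are set in mangle/FORWARD, before NAT rewrites the source address.
    echo "iptables -t mangle -A FORWARD -o $dev -s $ata -j MARK --set-mark 10"
    echo "iptables -t mangle -A FORWARD -o $dev -p tcp --dport 22 -j MARK --set-mark 20"
    echo "iptables -t mangle -A FORWARD -o $dev -p tcp -m multiport --ports 6881:6889 -j MARK --set-mark 40"
}

if [ "$#" -eq 2 ]; then qos_rules "$1" "$2"; fi
```

Review the printed commands before piping them to a root shell. Traffic on non-standard BitTorrent ports still lands in the default class, which is the gap the comment describes.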
-
Re:Gateway system?
What about Soekris?
They make little x86-compatible systems, and they run awesomely with NetBSD. You can get premade boxen with these boards in them, or simply BYO enclosure. They've got 1-3 Ethernet connections, and some have PCI and miniPCI slots.
-
Linux is probably not what you want
"Stability is crucial, so I'm leaning toward a Linux-based system"
You should be looking at embedded operating systems, such as VxWorks, which is what some of the real car manufacturers actually use.
I would consider the display of a car a fairly mission critical application, and you want a system that's designed for these kinds of tasks. This isn't something you can bodge up and whack on a small PC with an operating environment that hasn't been designed to do such things.
Linux is far too complex for something like running your car's display, there is simply too much that can go wrong.
It would also be well worth checking out what the laws are like in your part of the world, I know that where I am, if I replace my (airbag equipped) steering wheel with an aftermarket one that doesn't have airbags, my car is no longer roadworthy.
I sure hope you've got some deep pockets if you truly want to get this project rolling.
Kai -
SBCs
This looks like a nice SBC, but I am really happy with my little Soekris'. With case, the 4501 is cheaper than this ARM board (the board alone is more expensive) and has three ethernet interfaces.
-
Re:Asterisk and a VOIP provider
Funny I should read this thread. I just finished converting my home over to mostly VoIP. Now, I don't have comcast or other residential providers, so YMMV as my situation is unique:
I have a T1 at home, where I do various policing on my router to ensure that my VoIP traffic is able to take that extra little bit over the top that TCP will normally try to stomp all over. (I'm rate limiting inbound tcp from my upstream). I also have LLQ (low latency queueing) configured to ensure that the voip packets are the first that are sent out.
I have a setup with a few 7960's, and a cisco 2610 with NM-2V, VIC-2FXO-M1= and VIC-2FXS. These handle taking my PSTN service (which is actually ISDN going through a Motorola BitSurfr Pro) and passing it out the FXS ports to ring throughout my house, as well as using asterisk I have it ring some of the IP phones as well.
This allows me to:
- Use my own caller-id database in asterisk
- Buy unlocked ata-186's for family so they can call me and my wife for free
- Use nufone for outbound LD
- Be dependent upon electricity for my phone service (get a small UPS and you can keep yourself up for a day or so powering the BitSurfr, since that's all I need to be able to call 911, etc..)
- Route calls the lowest cost (local goes out one of the POTS/Bitsurfr ports)
- Log both outbound and inbound call times, so you know exactly when you ordered that pizza
- Be geeky and increase my slashdot karma ;-)
Now, this is an overly complicated setup, but the point is that it's possible to set up a functional SIP/Asterisk solution for your home. You may be able to get one of the Soekris PCs and install your favorite free unix (yes, Asterisk even works on the dying *BSD ;) and keep your power requirements a lot lower (so you can do all that E911 foo).
Nufone works nicely for my setup, and I cancelled my vonage (and gave the ata-186 to my wife's sister for christmas after paying $40+$15) so my overall costs are lower (except for the geeky maint part, and I still need to stick the cdrs into a database so they can be viewed on a webpage).
YMMV if you do something like this, since most carriers are transporting the calls as IP on their own networks, expect the quality to be the same or only slightly degraded (watch the codec being used, you really want something like g711ulaw for the best quality sound) for your calls prior to reaching the foreign country's PSTN.
-
DS Server?
I think it would be cool to set up a Nintendo DS server (if such a thing existed) here in my house on my spare Soekris box. I could stick a miniPCI wireless card in it, hook it up to an antenna that I could mount on my roof, and then host a 24/7 Metroid Prime Wireless LAN party to all the people in my area.
-
Netscreen and Snapgear...
One solution that I've used that works well is to set up a netscreen box at the main office, and then use a snapgear at the remote sites. Both the netscreen and the snapgear run Linux underneath, so technically they are both as capable, but the netscreen tends to be more versatile (and slightly more complex to set up) than the snapgear. Making it the more logical choice for the main office.
I haven't tried this, but Linksys does make a VPN router or you could build your own using a Soekris Net4511 and M0n0wall. M0n0wall is a FreeBSD based VPN configured via the web with an interface that is very similar to a SnapGear. (The netscreen is also set up via the web, but significantly different than the other two) If you used one, you'll feel right at home with the other (I have no idea if this is intentional or not. And the screens are not laid out the same, they just are categorized the same, with a similar layout)
Anyway, all the above solutions will let you set up a VPN, either with IPSEC (complete with your choice of SHA, DES, 3DES etc encryption), or the older, less secure Microsoft Point-to-Point tunneling protocol (which I can't think of the proper name of right off hand, heck maybe P2PTP was it), and once set up they run pretty much error and maintenance free (Except maybe the linksys, I've used the others though, and they all work as advertised.) -
DIY
It's not that hard to do, if you're willing to read a bunch of manpages.
Get a fixed IP DSL and a Soekris net4801 for each site. Add a laptop hard drive or compact flash with OpenBSD on it. Read the man pages for "vpn" and "pf". Implement as appropriate to your site.
Hardware cost is under $500 per site. Ongoing cost is your local DSL price. Add your labor, including the time spent learning about OpenBSD and the cost of maintaining a free OS over time.
If this cost doesn't come in under 75% of the low bid from any three VPN vendors, I'll buy a straw hat and try to eat it. :-) -
Use m0n0wall with an embedded computer.
You really don't need to subcontract this out. Just get m0n0wall. It is a free embedded firewall package that runs beautifully, and supports all the VPN stuff you could ever want.
It is absolutely perfect for site to site VPNs. All you need is a static IP address for each endpoint. I run ours on a Soekris net4501 embedded computer. Total cost of computer + flash card + hardware encryption accelerator chip = $300. This is cheap for what you get. -
Budget
Wow, $200 is a quite astonishingly low budget for this project, nevertheless - good luck!
My alma mater had an 'Intelligent Autonomous Vehicles Lab', which consisted of M680x0 VME machines mounted to a motorized chassis with a bunch of sensors (collision, light, ultrasound, video). I'm pretty sure they were powered by rechargeable lead-acid cells when they were 'off the leash'. I dread to think how much all that must have cost back then. Probably a few grand per robot. :-/
More details can be found in this introductory paper.
I'd suggest going with a similar design, but using slightly less esoteric hardware - a soekris device, perhaps. Unfortunately, that'll probably blow most of your budget alone. :-(
-
Re:Cisco 1300 or 1400
just remember that you'll get better quality when you buy quality hardware.
While I can generally confirm this, and I certainly like my Cisco AP, this is an overkill-solution-par-excellence. Of course you can go to work with a comfortable car and of course it's faster than a bicycle and of course it will be more expensive, but when your office is 1km away, this does not make any sense at all. Cisco bridges are great just like Cisco routers/switches etc., but I would not recommend anyone to buy a Cisco router/switch for private and small networks. It's just not worth it and most people cannot use nor do they need all those nice features. In a company, stay away from generic stuff with only web interfaces and get the good, expensive Cisco & Co stuff, but at home it's the opposite way.
I had a similar problem (2 networks to be bridged, albeit shorter distance) and I did this:
- Set the access point on one side of the network (that was the simple part)
- Set a Soekris 4521 with a CardBus WLAN card on the other network
- Let the Soekris connect via WLAN card to AP
- Bridge traffic between ath0 (the WLAN card) and eth0 (the onboard-LAN).
- Use eth1 for connecting to the Soekris for management purposes, but I can easily live without it as it works reliably.
Another option was the purchase of an Ethernet-WLAN bridge (connects to an Ethernet port, has a small computer inside with WLAN on the other side, and it's simply bridging stuff from left to right and right to left, just like the Soekris does). Costs 9000 Yen here in Japan. But it's only good for one Ethernet port (1 PC, not a network).
Both beat paying US$3000 for a Cisco bridge set and the former is far more versatile while the latter is easiest to set up (if 1 PC is all you need). Setting up the Soekris is dead-easy if you've ever set up Linux routing/bridging/WLAN before.
-
Re:Transmeta has no direction.
It's essentially built like a normal computer motherboard, but who in their right mind is using a low power embedded solution like this for a desktop?
I believe this is a meme whose time has not yet come.
Consider a modest home network with a games PC, a mailserver/webserver and a firewall. With the exception of the games PC the other systems have to be on 24/7 to be really useful. Run a PC with a 300 watts PSU for one year and it costs you here, in the Netherlands, approx. 150 euros. I would want to change these always-on systems to low power boxes, think EPIA or a Soekris. A Soekris system runs normally on 10 watts. My TranquilPC uses about 25 to 30 watts. It's fanless, it looks cool and I play modest games on it - obviously not FPS games but it runs Linux just fine and functions as firewall.
I'm waiting for the industry to play catchup to my power concerns. Someday I'll be able to play those FPS games on a low-power system.
Zarn -
This is similar to Soekris net4801