Linux Routers

Sitting at your average Linux box is becoming simpler by the day, but the complexity and volume of information that that machine is likely to transmit and recieve is only getting greater. Reader Martin Barry contributed this review of Linux Routers. This book promises to unravel that complexity for the reader willing to trade some time and effort for a custom solution to their own routing requirements.

Linux Routers author Tony Mancill pages 329 publisher Prentice Hall rating 7 reviewer Martin Barry ISBN 0-13-086113-8 summary Fundamental look at replacing brand name routers with ones based on generic hardware and Linux. Develops concepts of core routing features and relevant extensions in the context of six router applications including LAN, WAN and Internet.

Overview Linux Routers is an interesting little book that pulls together the kind of information that one could find browsing various HOW-TOs and guides into a concise narrative explaining the tasks required to build and operate Linux-based routers.

Opening the book is a discussion on the fundamental theories underlying routing and the infrastruture required to implement routing solutions. For those (like myself) who have little exposure to network administration this will be particulary helpful as a lead in to the following chapters.

There is a chapter to further build on the basics of IP (addresses including RFC1918, subnetting, routing tables), ethernet (MAC addresses, ARP, switching) and wide area networks (types of links, integrating with telco hardware, billing).

The detail increases as the book progresses. It starts with the simplest installation, routing between two ethernet segments covering the basics of setting up Linux networking and routing. Methods of IP accounting are also introduced. Mention is also made of the Linux Router Project and the single floppy distribution they have developed.

Moving onto WAN routers introduces the telco issues and ways to preserve bandwdith (http proxy, caching dns). IPchains is introduced in the context of masquerading otherwise unroutable addresses. Various tools are listed in a section that demonstrates how to view traffic on the network for educational and debugging purposes. Monitoring of traffic over a router is also described, using MRTG to collect and beautify data. Chapter 7 includes methods of reducing said traffic such as http caches and a DNS slave at the remote site.

A border router to the Internet is used to raise related security issues and the use of proxy servers to screen access from the outside in or the inside out. This information bridges across chapters 6 and 8 and includes topics like packet filtering firewalls, port redirection and proxies. The flexibility of Linux is demonstrated by the ability to integrate routing and Internet servers on a single box. With obvious reservations about how wise that is, it is pertinent that failure detection, notification and recovery are all covered.

What's to like The information starts out simple and builds on itself in cyclical nature as the book progresses. The six scenarios are the ones likely to be encountered in a production environment and illustrate the benefits of using Linux routers.

The issues of choosing Linux as a router are well addressed, including discussions on thorny topics like "Total Cost of Ownership," and provide a framework for you to assess your own situation. The writer's style is clear and easy to read.

Different WAN and Internet telco links are discussed (POTS, frame relay, dedicated digital access circuit) including how to configure the link and what protocols to run over it.

Peripheral issues, such as troubleshooting tcp or proxy servers, are dealt with well. Information is provided to allow you to understand the integration with the routing infrastructure you are deploying. When the topic starts to drift from the task at hand the author makes good use of redirecting people interested in more detail to other references (Web sites, books).

What's annoying The author is a part of the Debian project so some things have a bit of a Debian slant on them (this includes the file system layout referred to and the config files). This shouldn't be too much of an issue for most people, though it will require a thorough understanding of one's own system or problem-solving via your distribution's manual. WAN hardware and software discussions are limited by the author's experience, with a particular brand of card and one software package (wanpipe -- of which the author is the Debian maintainer) being focused on.

Alternatives are mentioned, but not in great depth, and the examples therefore might not be portable to your choice of card or software.

Summary If you are comfortable with enabling routing, IPchains, proxy servers and troubleshooting tcp/ip on Linux, this book will be of little use other than to provide a step-by-step approach. On the other hand, if you currently use brand-name routers but have sometimes wondered whether that 486 in the corner could be put to good use, this book will certainly guide you on your travels.

Table of Contents Note: the author uses the elements to name boxen, hence the names of the chapters.

1. Routing Building Blocks (Hardware, Environment, Software)
2. IP, Ethernet and Telephony Basics (Routing, Ethernet, WAN)
3. Silicon - LAN Router (LAN Routing, IP Aliasing and Accounting)
4. Erbium - an Extranet Router (IP Masq, IP Monitoring)
5. Zinc - Frame Relay Router (WAN Hardware and Software, MRTG)
6. Oxygen - Internet Router (Security, Firewalling, Failure Detection)
7. Californium - Satellite Office Router (Caches and Slaves, Multifunction Routers, Remote System Support)
8. Hafnium - Internet Services Router (Proxying, IP Redirection, Routing Daemons, Emergency Recovery)

Appendices

• A) Links
• B) Compiling a Kernel
• C) Testing Strategies
• D) Ethics and Other Considerations
• E) GPL

You can purchase this book from ThinkGeek.

Freesco

Just make your own box with www.freesco.com they work wonders.

Re:Freesco

[killbill]

I second the motion.

Freesco is by far easiest and most flexible out of the box router I could find... it supports just about every type of bridge you may need (ethernet dialup, ethernet ethernet, dial in server). It has a built in DHCP server, print server, dns server, web server, and web based control panel. Further, it all fits on a floppy.

I can set one of these things up on site in less then half an hour. I threw a couple of web based security audit tools at it, including running a version of Saint against it, and it scored as near to perfect as possible in every case (I left a trivial web server running and open to the outside so it could not get a perfect score).

The only drawback is the fact that they insist on trying to keep everything on a floppy, so they miss a couple of nice tools that would help me. This is a bad idea (IMHO), as I have stacks of 100 - 500 MB hard drives (that no one can use) laying around, but extra floppy drives are harder to come by (as people still use them in current systems). 100 MB hard drives are arguably cheaper (i.e. free) then 1.44M floppy drives ($19 or so)!

Anyway, I have two subnets behind my firewall, one traditional 10/t ethernet, and one wireless ethernet (based around webgear aviator 2.4 Ghz PCMCIA cards with ISA adapters if necessary).

Because they want it on a floppy, there is no room for the PCMCIA support, which means I have to have my other server do a little more complicated routing, and DHCP serving (a non-routable protocol) gets messy. It would be easier if all my subnets were anchored directly into the firewall... but I digress.

Anyway, if you want a very secure and easy to set up firewall, then take a good look at freesco. Run a setup script and answer 20 or so questions (all with reasonable defaults) and you have a great little full featured server on your old 486 (with 16 MB ram). The documentation is very good as well.

Personally, I think a dedicated firewall product like this is much more secure then trying to lock down a full distribution and using that... there are just fewer doors and windows for people to poke at and pry open, and much fewer tools to exploit if they do get in... not to mention that the entire OS partition gets mounted read only...

Bill

Re:So with old machines...

[drsoran]

Well, if you had enough old boxes you could make a nice Beowulf cluster. Ooh shit, I'm going to get moderated down for that one. Seriously though, you can do a lot of things with an old box. Low cost X terminal, personal mail server, squid proxy cache, etc. You're obviously not going to be playing a lot of 3D games like Quake on a 486 but it's fine for text browsing the web with lynx or read mail with mutt. :-)

Virtually No Coverage of Dynamic Routing

[Monkius]

I liked the book, and certainly felt it would be very helpful to folks doing the most common 85% or so of network device setup tasks.

On the other hand, I felt the title of the book constituted a promise that it would include good coverage of dynamic routing protocols like OSPF, RIP2, and others--all of which are available in strong Linux implementations.

This book covers the entire concept of dynamic routing in about 4 pages, in section 8.4--and the coverage is completely inadequate. There isn't usable information on setting up ANY dynamic routing protocol--OSPF isn't even in the index of the book. (It's on mention is in the glossary.)

Re:Virtually No Coverage of Dynamic Routing

[Cato]

An implicit assumption of the book seems to be that you are setting up an edge router that provides Internet access - this is probably quite reasonable for 99% of cases, as I've yet to see anyone use a Linux router in the core of their network.

Imagestream and Nbase-Xyplex do make heftier core-style Linux routers / layer 3 switches, but they aren't very widely deployed.

Some other points in the book

[djweis]

I got a copy of the book at the Atlanta Linux Expo from a Sangoma rep. It does a relatively good job of explaining T1 circuits and how frame relay works. This was one of the first things I had to learn a while ago and the book would have saved some time for me.
I liked the book, it's pretty easy reading and was definitely worth the time spent reading it.

Re:I chose the webramp (aka, sonicwall) box

[mpe]

I WANTED a closed-source security box.

Closed source and security tends not to go together. By definition it means that no independant expert can possibly have audited the software.

Re:I chose the webramp (aka, sonicwall) box

[Tower]

I just got the Linksys router/nat box, replacing that function in my linux box. I must say, even having run ip masq for the last couple years, the little Linksys does a great job. It has all the VPN behind NAT support built in (can be a pain with IPChains), port forwarding, DMZ option for a system, DHCP, web-interface. Not to mention that it is quicker at routing the IPSec VPN traffic than the linux box was (a K6-2 500 with 2 3c509s). Some models have a built in 10/100 switch, so you don't even need another hub (though I seem to be in no short supply of those).

It is small, makes no noise (not an issue for where I use it - 10krpm scsi drives and fans take care of that), works well and is easily configured. All for ~$130... saves on power, if you had a system dedicated to only the masq/firewalling, too.

There's no client license or anything - just use up all the IPs you want. Good stuff.
--

MTBF?

[[amorphis]]

one of the biggest advantages of "normal" routers is that they're solid state. there aren't any moving parts (fans/spindles/etc) to wear out.

Amorphis

Re:MTBF?

[TheGratefulNet]

there aren't any moving parts (fans/spindles/etc)

are you high? ALL decent routers (aside from home access boxes) have MEGA fans inside! there is QUITE a bit of heat generated from silicon based forwarding (I work for a router company, I have some insight here).

more and more routers even have hard drives inside to save state, config files and event logs.

--

Re:MTBF?

[TheGratefulNet]

and speaking of wearing out, most real routers have hot swappable redundant power supplies, fan trays (not redundant but usually hot swappable) and sometimes even hot swappable line cards.

having managed many top-brand routers and switches in my career, I can say that these things (ALL of the above) do fail from time to time. that's one major reason why they are swappable.

unless you go with compactPCI or pcmcia, there's nothing hot swappable about the x86 platform - which is what most linux routers are based on. and even with c-PCI, I believe the hot-swap standard is not supported under linux (last time I checked was about a year ago and support wasn't there).

for anything approaching an enterprise router, you NEED to have hot-swap support and shelf spares. its easy to have shelf spares with pci ethernet cards but the hot swap trick on a regular x86 motherboard will just get you a fried system. well, at least you won't have to worry about system breaks - a fused motherboard is the most secure gateway I can think of ;-)

--

I have done this several times for clients...

[Fleet+Admiral+Ackbar]

but beware, whenever you provide a GNU/Linux box for routing and/or firewall services, you will be asked over and over again, "Does this work just like a Raptor?" and "How's this compare to a Checkpoint?"

My answer: it runs EMACS.

Re:Routing

[MikeBabcock]

It would be nice to have an updated "Advanced Routing Howto" that includes more information on the options for and configuration of such things as:

Secure IP (FreeS/WAN)

Routing daemons (Gated, Routed, Zebra, etc.)

(Layer 2) Bridging (also with firewalling, etc.)

Port / service redirection

... etc.

IPv6 ?

[selectspec]

Does it cover IPv6 routing?

Re:I chose the webramp (aka, sonicwall) box

[StandardDeviant]

I think that you can define a DMZ host in addition to the NAT range. Admittedly that's just one host, but...

Besides, who says you can't do port forwarding of 53, 25/110, and 80/8080/443 from the outisde to static inside ips? You can disable dhcp on the inside you know...

Well, it is a moot point if you already got the sonicwall :-)

--

Re:I chose the webramp (aka, sonicwall) box

[TheGratefulNet]

and by the same token it also means that no one is privy to the exploits just by reading the code. they have to break into your box the old fashoined way.

--

Re:I chose the webramp (aka, sonicwall) box

[TheGratefulNet]

I first tried that linksys box and found that it didn't do port forwarding with enough flexibility. I don't think you can define 'public lan servers' (using real IPs) and mix that with nat-based IPs. for static presences (when you have to have a public DNS, mail and web) yet a good portion of your lan is for private-use only, the linksys box doesn't have enough smarts.

for an extra $50, I went with the webramp/sonicwall. it DOES allow a mix of public and private addresses. its not a "all nat or no nat" choice, which I find very limiting.

--

I chose the webramp (aka, sonicwall) box

[TheGratefulNet]

for $200, you get a small fanless (quiet) plastic box with 2 ethernet and a serial port.

it does nat (for 5 clients at the current licensing price; upgradable), all the usual stateful firewalling, routing, port forwarding, etc.

I'm a linux guy (by hobby and profession) yet I chose this standalone box. why? well, I WANTED a closed-source security box. I still run openbsd as my main access point but I wanted a 2nd level of protection. using linux for security is pretty laughable for 99% of the users out there. I think I have peace of mind now with one of these boxes in series with an openbsd box.

yeah, it wasn't free. but the ultra small footprint, the total lack of fan noise and the very usable web mgmt front-end made it an easy decision.

there are things that linux wins in. being a quiet and small footprint access router device isn't one of them.

--

Re:So with old machines...

[shippo]

I first built a Linux router 5-6 years ago. I was responsible for training courses, and we needed to route a pair of IP networks together, but had no box spare. The lab was fitted out with 486SX/25s with very little disk space.

I installed UMSDOS Slackware from the A and N floppies (around 10 in those days) on one of the PCs in the lab, then installed a kernel I compiled at home in my spare time - the kernel having routing enable. Then I added a spare NIC to this machine.

Re:So with old machines...

[SquadBoy]

This is one of the things they are very usefull for. In particular this makes a very good option for SOHO type setups. I do a bit of side work setting up SOHO types with this. The other thing older boxes are good at is a simple static web server. For example one Dr. I worked for wanted to put a simple static schedule for this office and have a browser front end for it. An old Pentium is doing fine in that role. Print servers using Samba is something else they do quite well.

So with old machines...

[AntiPasto]

is this all they're good for? I mean, this is the only thing I've ever seen for old machines. Make a router. You can almost get a nice simple NAT for around $200 or less, so I can see the benefit, but I can see also that perhaps people are doing this because there's nothing else to do with old boxes.

Okay, it's cliche, but has anyone ever made a cluster of old boxes? Perhaps even for scalable routing?

----

Re:So with old machines...

[disenfranchised]

When I was inventorying asbestos restricted spaces at the university of washington (another wacky stage in my career spiral) I stumbled across an interesting closet. I don't know what the researcher was working on, but he/she'd taken a huge stack of surplus Gateway desktops and lag-screwed them together with 2x4s for a poor man's rack mounted array. With University surplus machines practically free to internal users, I'm surprised there aren't more people doing this.

Routing

[buttfucker2000]

If you want to save your money, you could read the advanced routing howto instead.

The people who wrote it really know what they're talking about.

Also, Linux router is a router on a floppy disk with most of the hard work done for you, so a lot of the information in the book will be redundant.

And just as a point, software routing is not really appropriate for large networks, so you're not going to throw away those Cisco boxes any time now.

ahh, yes... the typical trouble...

[tewwetruggur]

The author is a part of the Debian project so some things have a bit of a Debian slant on them

Well, this seems to be one of the biggest damn challenges, doesn't it... people cannot get past their biases to write something more universal. Now, before someone goes off and tries to kill me for this, let me continue...

Yes, I know that you need to give examples in such texts. Yes, I know there are many differing distributions, and many have their little nuances and quirks. I realize that it's not feasable to cover all of these subtleties - BUT that doesn't give an author an excuse to not acknowlege those subtleties. Yes, its hard to do, but in all fairness, if you write such a text for other, completely non-related topics/subjects, you cannot get away with heavy bias - without flat-out saying so - particularly in the title, or at least on the front cover. Its only fair to the reader.

Again - I don't want to start one of those oh-so-fun flame wars over who's distro is better than who's, or why YOU think the bias must be there. I'm simply saying that the bias doen't HAVE to be there, and I'd really like to see someone take the initiative and put some effort into working around this.

And, yes, I'm sure there are some level-headed individuals, and maybe even groups, trying to do this. I (we - see the bio) do not live within the "geek" culture... we're linux fans, we're BSD fans, we're gamers, we're fairly unusual users... but it does not permeate our lives - its only a small part of what we do. And sometimes, we're the ones who need to get a book like this, and make it work for us...

Just some food for thought