Slashdot Mirror


Linux Routers

Sitting at your average Linux box is becoming simpler by the day, but the complexity and volume of information that that machine is likely to transmit and receive is only getting greater. Reader Martin Barry contributed this review of Linux Routers. This book promises to unravel that complexity for the reader willing to trade some time and effort for a custom solution to their own routing requirements.

Title: Linux Routers
Author: Tony Mancill
Pages: 329
Publisher: Prentice Hall
Rating: 7
Reviewer: Martin Barry
ISBN: 0-13-086113-8
Summary: Fundamental look at replacing brand name routers with ones based on generic hardware and Linux. Develops concepts of core routing features and relevant extensions in the context of six router applications including LAN, WAN and Internet.

Overview

Linux Routers is an interesting little book that pulls together the kind of information that one could find browsing various HOW-TOs and guides into a concise narrative explaining the tasks required to build and operate Linux-based routers.

Opening the book is a discussion on the fundamental theories underlying routing and the infrastructure required to implement routing solutions. For those (like myself) who have little exposure to network administration, this will be particularly helpful as a lead-in to the following chapters.

There is a chapter to further build on the basics of IP (addresses including RFC1918, subnetting, routing tables), ethernet (MAC addresses, ARP, switching) and wide area networks (types of links, integrating with telco hardware, billing).

The detail increases as the book progresses. It starts with the simplest installation, routing between two ethernet segments covering the basics of setting up Linux networking and routing. Methods of IP accounting are also introduced. Mention is also made of the Linux Router Project and the single floppy distribution they have developed.

Moving onto WAN routers introduces the telco issues and ways to preserve bandwidth (http proxy, caching dns). IPchains is introduced in the context of masquerading otherwise unroutable addresses. Various tools are listed in a section that demonstrates how to view traffic on the network for educational and debugging purposes. Monitoring of traffic over a router is also described, using MRTG to collect and beautify data. Chapter 7 includes methods of reducing said traffic such as http caches and a DNS slave at the remote site.

A border router to the Internet is used to raise related security issues and the use of proxy servers to screen access from the outside in or the inside out. This information bridges across chapters 6 and 8 and includes topics like packet filtering firewalls, port redirection and proxies. The flexibility of Linux is demonstrated by the ability to integrate routing and Internet servers on a single box. With obvious reservations about how wise that is, it is pertinent that failure detection, notification and recovery are all covered.

What's to like

The information starts out simple and builds on itself in a cyclical fashion as the book progresses. The six scenarios are the ones likely to be encountered in a production environment and illustrate the benefits of using Linux routers.

The issues of choosing Linux as a router are well addressed, including discussions on thorny topics like "Total Cost of Ownership," and provide a framework for you to assess your own situation. The writer's style is clear and easy to read.

Different WAN and Internet telco links are discussed (POTS, frame relay, dedicated digital access circuit) including how to configure the link and what protocols to run over it.

Peripheral issues, such as troubleshooting tcp or proxy servers, are dealt with well. Information is provided to allow you to understand the integration with the routing infrastructure you are deploying. When the topic starts to drift from the task at hand the author makes good use of redirecting people interested in more detail to other references (Web sites, books).

What's annoying

The author is a part of the Debian project so some things have a bit of a Debian slant on them (this includes the file system layout referred to and the config files). This shouldn't be too much of an issue for most people, though it will require a thorough understanding of one's own system or problem-solving via your distribution's manual. WAN hardware and software discussions are limited by the author's experience, with a particular brand of card and one software package (wanpipe -- of which the author is the Debian maintainer) being focused on.

Alternatives are mentioned, but not in great depth, and the examples therefore might not be portable to your choice of card or software.

Summary

If you are comfortable with enabling routing, IPchains, proxy servers and troubleshooting tcp/ip on Linux, this book will be of little use other than to provide a step-by-step approach. On the other hand, if you currently use brand-name routers but have sometimes wondered whether that 486 in the corner could be put to good use, this book will certainly guide you on your travels.

Table of Contents

Note: the author uses the elements to name boxen, hence the names of the chapters.
  1. Routing Building Blocks (Hardware, Environment, Software)
  2. IP, Ethernet and Telephony Basics (Routing, Ethernet, WAN)
  3. Silicon - LAN Router (LAN Routing, IP Aliasing and Accounting)
  4. Erbium - an Extranet Router (IP Masq, IP Monitoring)
  5. Zinc - Frame Relay Router (WAN Hardware and Software, MRTG)
  6. Oxygen - Internet Router (Security, Firewalling, Failure Detection)
  7. Californium - Satellite Office Router (Caches and Slaves, Multifunction Routers, Remote System Support)
  8. Hafnium - Internet Services Router (Proxying, IP Redirection, Routing Daemons, Emergency Recovery)
Appendices
  • A) Links
  • B) Compiling a Kernel
  • C) Testing Strategies
  • D) Ethics and Other Considerations
  • E) GPL

You can purchase this book from ThinkGeek.

7 of 45 comments

  1. Virtually No Coverage of Dynamic Routing by Monkius · · Score: 4

    I liked the book, and certainly felt it would be very helpful to folks doing the most common 85% or so of network device setup tasks.

    On the other hand, I felt the title of the book constituted a promise that it would include good coverage of dynamic routing protocols like OSPF, RIP2, and others--all of which are available in strong Linux implementations.

    This book covers the entire concept of dynamic routing in about 4 pages, in section 8.4--and the coverage is completely inadequate. There isn't usable information on setting up ANY dynamic routing protocol--OSPF isn't even in the index of the book. (Its one mention is in the glossary.)

    --
    Matt
    1. Re:Virtually No Coverage of Dynamic Routing by Cato · · Score: 3

      An implicit assumption of the book seems to be that you are setting up an edge router that provides Internet access - this is probably quite reasonable for 99% of cases, as I've yet to see anyone use a Linux router in the core of their network.

      Imagestream and Nbase-Xyplex do make heftier core-style Linux routers / layer 3 switches, but they aren't very widely deployed.

  2. Re:Freesco by killbill · · Score: 4

    I second the motion.

    Freesco is by far the easiest and most flexible out of the box router I could find... it supports just about every type of bridge you may need (ethernet dialup, ethernet ethernet, dial in server). It has a built in DHCP server, print server, dns server, web server, and web based control panel. Further, it all fits on a floppy.

    I can set one of these things up on site in less than half an hour. I threw a couple of web based security audit tools at it, including running a version of Saint against it, and it scored as near to perfect as possible in every case (I left a trivial web server running and open to the outside so it could not get a perfect score).

    The only drawback is the fact that they insist on trying to keep everything on a floppy, so they miss a couple of nice tools that would help me. This is a bad idea (IMHO), as I have stacks of 100 - 500 MB hard drives (that no one can use) lying around, but extra floppy drives are harder to come by (as people still use them in current systems). 100 MB hard drives are arguably cheaper (i.e. free) than 1.44M floppy drives ($19 or so)!

    Anyway, I have two subnets behind my firewall, one traditional 10/t ethernet, and one wireless ethernet (based around webgear aviator 2.4 Ghz PCMCIA cards with ISA adapters if necessary).

    Because they want it on a floppy, there is no room for the PCMCIA support, which means I have to have my other server do a little more complicated routing, and DHCP serving (a non-routable protocol) gets messy. It would be easier if all my subnets were anchored directly into the firewall... but I digress.

    Anyway, if you want a very secure and easy to set up firewall, then take a good look at freesco. Run a setup script and answer 20 or so questions (all with reasonable defaults) and you have a great little full featured server on your old 486 (with 16 MB ram). The documentation is very good as well.

    Personally, I think a dedicated firewall product like this is much more secure than trying to lock down a full distribution and using that... there are just fewer doors and windows for people to poke at and pry open, and much fewer tools to exploit if they do get in... not to mention that the entire OS partition gets mounted read only...

    Bill

    --
    Mathematically impossible requirements are technically not against policy.
  3. Re:I chose the webramp (aka, sonicwall) box by Tower · · Score: 3

    I just got the Linksys router/nat box, replacing that function in my linux box. I must say, even having run ip masq for the last couple years, the little Linksys does a great job. It has all the VPN behind NAT support built in (can be a pain with IPChains), port forwarding, DMZ option for a system, DHCP, web-interface. Not to mention that it is quicker at routing the IPSec VPN traffic than the linux box was (a K6-2 500 with 2 3c509s). Some models have a built in 10/100 switch, so you don't even need another hub (though I seem to be in no short supply of those).

    It is small, makes no noise (not an issue for where I use it - 10krpm scsi drives and fans take care of that), works well and is easily configured. All for ~$130... saves on power, if you had a system dedicated to only the masq/firewalling, too.

    There's no client license or anything - just use up all the IPs you want. Good stuff.
    --
    "It's tough to be bilingual when you get hit in the head."
  4. MTBF? by [amorphis] · · Score: 3

    one of the biggest advantages of "normal" routers is that they're solid state. there aren't any moving parts (fans/spindles/etc) to wear out.

    Amorphis

  5. Re:I chose the webramp (aka, sonicwall) box by TheGratefulNet · · Score: 3
    I first tried that linksys box and found that it didn't do port forwarding with enough flexibility. I don't think you can define 'public lan servers' (using real IPs) and mix that with nat-based IPs. for static presences (when you have to have a public DNS, mail and web) yet a good portion of your lan is for private-use only, the linksys box doesn't have enough smarts.

    for an extra $50, I went with the webramp/sonicwall. it DOES allow a mix of public and private addresses. it's not an "all nat or no nat" choice, which I find very limiting.

    --
    "It is now safe to switch off your computer."
  6. I chose the webramp (aka, sonicwall) box by TheGratefulNet · · Score: 4
    for $200, you get a small fanless (quiet) plastic box with 2 ethernet and a serial port.

    it does nat (for 5 clients at the current licensing price; upgradable), all the usual stateful firewalling, routing, port forwarding, etc.

    I'm a linux guy (by hobby and profession) yet I chose this standalone box. why? well, I WANTED a closed-source security box. I still run openbsd as my main access point but I wanted a 2nd level of protection. using linux for security is pretty laughable for 99% of the users out there. I think I have peace of mind now with one of these boxes in series with an openbsd box.

    yeah, it wasn't free. but the ultra small footprint, the total lack of fan noise and the very usable web mgmt front-end made it an easy decision.

    there are things that linux wins in. being a quiet and small footprint access router device isn't one of them.

    --
    "It is now safe to switch off your computer."