Slashdot Mirror


Choosing a Router/Firewall for the Home LAN

Dr. Zowie asks: "How should one choose a router for a home LAN? We just added a few hosts on our home ethernet, which is connected via DSL. There are an amazing number of new entries into the market for routers and even stand-alone firewalls. NetGear, Linksys, SMC, and even Panasonic all have boxen in the $99-$300 range, each of which will do some combination of NAT, routing, source-IP filtering, port filtering, and content filtering."

"It's not at all obvious from the packaging, the web sites, or the drool-proof pamphlets in the boxes which routers will do what. For example, we'd like to pass through packets for our two server machines, and use NAT/DHCP on a third address for the rest of the LAN. Nearly all the boxes advertise that they can do NAT routing, but many don't support NAT and static-IP routing simultaneously.

Die-hards will insist that one should run a standalone box with dual ethernet cards and the appropriate routing goodies -- but these standalone boxes, at 5-15 watts and a couple hundred bucks, seem like a comparatively hassle-free solution. Which one do you use?"

55 of 666 comments

  1. Old PC by Luke · · Score: 2, Informative

    Find an old, cheap PC, get two old netcards, and put OpenBSD on it. Plus you'll need a hub or switch. Simple and secure.

    1. Re:Old PC by Luke · · Score: 3, Informative

      OpenBSD Networking Setup

      OpenBSD has excellent documentation and FAQs. Just be sure to read, and re-read so you understand what's going on.

    2. Re:Old PC by hardburn · · Score: 2, Informative

      There is a place in my town where the local state and university departments drop off their old equipment. I picked up a P133 (32 MB RAM, 2.1 GB hard drive, AWE sound card) for $35, and they were selling 10/100 NICs for $3 apiece. That is $41 for a computer which is way more powerful than what is needed here.

      Note that this same place went through some restructurings a few months ago; before that they were much cheaper. I have a complete 486 DX/4 100 system (8 MB RAM, 200 MB hard drive) which was $5. It came in one of those massive full-tower cases, which I then sold on eBay (the case alone) for around $50. Ten to one profit margins are nice :)

      --
      Not a typewriter
    3. Re:Old PC by Zwack · · Score: 3, Informative

      "A decent 3COM or Intel NIC can not be found (easily) for $10."

      I won't argue as to whether 3com NICS are decent, but I have bought second hand 3com cards before for much less than ten dollars.

      As an AC posted a non decent network card can easily take the load of a T1... A T1 is nowhere near the bandwidth of a 10BaseT network.

      Not every packet will travel through the firewall anyway. Some will be locally routed. Some will be stopped by the firewall.

      Most importantly, the poster was looking for a way of doing NAT on some addresses and passing others through. I haven't seen one of these little boxes allow that from the ones I've used/looked at. That's not to say that there aren't any... But if there aren't then for the features that we are talking about a cheap 486 WILL outperform a standalone box that can't do what is being asked for.

      Z.

      --
      -- Under/Overrated is meta-moderation, and therefore is Redundant.
    4. Re:Old PC by donpardo · · Score: 2, Informative

      Try floppyfw also.

      This would have been a very short post except for the stinking lameness filter which has forced me to add this text in an effort to overcome the stinking lameness filter. I thought that was what moderators were for.

      --
      Nothing to see here. Move along.
    5. Re:Old PC by Zaknafein500 · · Score: 3, Informative

      NAT on some addresses and passing others through. I haven't seen one of these little boxes allow that from the ones I've used/looked at

      It sounds like what the poster was needing is just something to do portforwarding. For most server applications, except DNS and possibly passive FTP, just forwarding whatever service you are needing to run on the internal machines from the firewall works extremely well. I know every Netgear Cable/DSL router I have ever used has this ability, and I assume the Linksys boxes will as well. These boxes will also allow you to assign some boxes via DHCP and some static.

      Now, if you need routable addresses to internal machines, you are going to have to look beyond home routers. I have yet to see any that will allow you to do a combination of 1:1 NAT/IP masq. Of course, this setup shouldn't be difficult to accomplish with a small *nix router.

      --

      "The guide is definitive, reality is frequently inaccurate."
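Added example (not part of any poster's comment): the combination discussed above, 1:1 NAT for two servers alongside many-to-one NAT for the rest of the LAN, as a shell script that prints an iptables-restore ruleset for a two-NIC Linux router. The interface names, every address (documentation and private ranges) and the per-server port lists are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for 1:1 NAT on two servers
# plus shared NAT for the rest of the LAN. All names and addresses below are
# constructed placeholders (RFC 5737 / RFC 1918 ranges), not from the thread.

WAN_IF=eth0              # assumed: NIC facing the DSL modem
LAN_IF=eth1              # assumed: NIC facing the hub/switch
LAN_NET=192.168.1.0/24   # assumed: private LAN range
NAT_ADDR=203.0.113.4     # assumed: third public address, shared by desktops

# One server per line: public_ip private_ip allowed_tcp_ports
# Assumes the public addresses are already bound to $WAN_IF (or routed to it).
SERVERS='203.0.113.2 192.168.1.2 80,443
203.0.113.3 192.168.1.3 25'

gen_ruleset() {
    echo '*nat'
    echo ':PREROUTING ACCEPT [0:0]'
    echo ':POSTROUTING ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # 1:1 mappings first. NAT rules are first-match, so if the LAN-wide SNAT
    # rule came earlier the servers would leave with the shared address.
    echo "$SERVERS" | while read -r pub priv ports; do
        [ -n "$pub" ] || continue
        echo "-A PREROUTING -i $WAN_IF -d $pub -j DNAT --to-destination $priv"
        echo "-A POSTROUTING -o $WAN_IF -s $priv -j SNAT --to-source $pub"
    done
    # Everything else on the LAN shares one public address.
    echo "-A POSTROUTING -o $WAN_IF -s $LAN_NET -j SNAT --to-source $NAT_ADDR"
    echo 'COMMIT'

    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # The router itself: loopback, replies, and SSH from the LAN only.
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo "-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT"
    # Anti-spoofing: private source addresses must never arrive from the WAN.
    echo "-A FORWARD -i $WAN_IF -s $LAN_NET -j DROP"
    echo '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo "-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT"
    # Inbound to the servers: DNAT has already rewritten the destination when
    # FORWARD is evaluated, so these rules match the private address.
    echo "$SERVERS" | while read -r pub priv ports; do
        [ -n "$pub" ] || continue
        echo "-A FORWARD -i $WAN_IF -o $LAN_IF -d $priv -p tcp -m multiport --dports $ports -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo 'COMMIT'
}

# Line number of the first generated rule containing the fixed string $1.
rule_pos() {
    gen_ruleset | grep -n -F -- "$1" | head -n 1 | cut -d: -f1
}

gen_ruleset
```

The output can be checked with `iptables-restore --test` before it is loaded on the router.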
    6. Re:Old PC by ChuckX · · Score: 2, Informative

      Right. A full T1 is only 1.5 Mbps, remember. At best, cable is about that downstream and no more than half that upstream.

      I work for RoadRunner in Kansas City and our modems are capped at 2.0 megabits/sec downstream and 384 kilobits/sec upstream. At least here in KC, downstream you're getting > T1 speeds.
    7. Re:Old PC by Rick the Red · · Score: 3, Informative
      From a cost standpoint, I just bought a 99 dollar linksys router for about 45 after some clever rebates and amazon coupons.

      I may be dead wrong here, because I set up my 486/133 Coyote Linux/Seawall box over a year ago and haven't looked at dedicated firewalls since, but at that time the old PC was far cheaper for one simple reason: no upgrade costs to add more PCs to your local network.

      The dedicated firewalls of one year ago served you 3 or 4 local IP addresses and charged big bucks for the "right" to use additional local IP addresses. They were going for the 'service subscription' business model over 'make money on the hardware'. That sucks. I'll be damned if I'll pay $250 or even $50 for a firewall that doesn't cover 255 local IP addresses (reserving one for itself). I hope you bought a model without such artificial limitations, and if you did then you got a great deal. Which Linksys did you buy?

      --
      If all this should have a reason, we would be the last to know.
  2. A Good Source of Info by rcatarella · · Score: 5, Informative

    Practically Networked
    All kinds of good information and reviews on exactly what you're looking for.

  3. My experience by krokodil · · Score: 4, Informative

    Linksys are OK but quite limited in their functionality. I am using it and quite happy.

    SOHOWARE sucks big time - buggy and unreliable. Do not believe words about "Stateful Packet Inspection" - even if it does it you could not use it.

    What I really want to see is SNMP management for such devices. Unfortunately, best they could do is read-only SNMP access.

  4. What do you need the most? by nairnr · · Score: 2, Informative

    It depends on what you need the most. I like having a full machine with 2 NIC's as my firewall as it is the most configurable and can be modified to meet my needs. I run a little webserver with database and I can open up pop, and other services on a whim. Once you get a firewall box, you are limited somewhat by what you can do, and if you want to put up any other services, you will need to tunnel to another machine anyway..

    I expect for the average SOHO, all they want is connectivity, rather than the ability to do everything...

  5. Take a look at Smoothwall, perhaps? by King_TJ · · Score: 5, Informative

    http://www.smoothwall.com should get you to the main product page. It's a freeware GPL firewall running Linux, but designed for ease of installation and administration via a web browser afterwards. The new version 0.99 is due for release any day now, and the beta of 0.99 works quite well for me.

    Since most people have an old 486 or Pentium lying around, the cost to set this up is next to nothing - and it has features the hardware firewall/router boxes don't include. (EG. Ability to auto-update your dynamic IP with the dyndns.org service and "snort" to log hack attempts with details on what was attempted.)

    1. Re:Take a look at Smoothwall, perhaps? by Telecommando · · Score: 5, Informative

      I think you mean http://www.smoothwall.org

      www.smoothwall.com is a real estate site.

      --
      Beta sux! Join the Slashcott! http://hardware.slashdot.org/comments.pl?sid=4760465&cid=46173047
  6. Here's what I have. by The Slashdolt · · Score: 3, Informative

    I have 5 computers connected to the internet in my in-home LAN right now. My router/firewall/gateway is a 166MHZ linux box running redhat 6.0. I've been running this setup for about two years, upgrading as necessary. Using IP masquerading this is all very simple and with IP Chains, you can setup any firewall rules you want. I recently installed redhat 7.1 and it has a firewall wizard type thing that makes this all even easier! Take an old box and put linux on it, you won't be disappointed.

    --
    mp3's are only for those with bad memories
  7. Re:and the winner still is by krokodil · · Score: 4, Informative

    > I can go and tweak out my iptables stuff but too
    > many admins would prefer not to. Is there any
    > good solution?

    Try Firewall Builder: http://www.fwbuilder.org/

  8. Try this out by SiriusRegalis · · Score: 2, Informative

    This works great for me -

    www.smoothwall.org

    And when I had some problems with setup they were extremely helpful on irc.

  9. LRP by doughnuthole · · Score: 2, Informative

    The linux router project is one of the best sources of info on getting that old 486 to work as a router. I had mine running fine until about two months ago when I was able to get a Netgear router for $30 (easier for parents as I was leaving for college).

    See www.linuxrouter.org for more information.
    Steinkuehler's EigerStein was the distro I used - worked very well.

    -Doughnuthole

  10. Check SmoothWall by kafka.fr · · Score: 2, Informative

    I personally gave a try to SmoothWall, here: http://www.smoothwall.org/gpl/

    An amazing number of features in a so little Linux distribution. Well, find an old PC (almost any might be enough), install SmoothWall on it, then you've got your personal router/firewall/NAT/almost-whatever-you-want.

    All being controllable through a web browser.

    My 2c

  11. SonicWall by gcrocker · · Score: 2, Informative

    I have a SonicWall SOHO/10 that works great. It supports the tricky protocols (NetMeeting, for instance), that Linksys models can't handle, and has lots of configuration possibilities (static NAT tied to ethernet address, for example). There's a model with a DMZ port if ya need it, and you can do VPN between SonicWalls if you need that.

    Nice box. It was pricey, though, at about $400.

    -glenn

  12. I got the Linksys by Delirium Tremens · · Score: 5, Informative
    I chose the Linksys (3 RJ45 + 1 USB connections) over a custom PC running Linux/*BSD because:
    • For $160, I couldn't have built a cheap computer(I don't own enough spare parts yet).
    • Its power consumption is so much lower than any custom computer I (=limited skills) could build.
    • It is completely silent.
    • If a friend visits me with his/her laptop, we can connect it without any extra hardware to the net via the USB connection (albeit, the laptop must run Windoze 2000 ... last time I tried, none of the Linux USB network drivers worked)

    • I love the IP forwarding of the linksys. All connections to port 80, 443, 21 and 22 are redirected to my Linux box, and all other ports that involve games and *apster clones are redirected to my Game box. Remaining ports are blocked.
    • And then I choose Linksys over other brands because ... well ... it's Linksys, after all!


    1. Re:I got the Linksys by Targetman · · Score: 2, Informative

      I've got cable modem and a Linksys 5 port hub/firewall. Been on line with 3 PCs for over 6 months. Not a lick of trouble.

      And I love watching the lights blink.

      --
      I didn't do it, and if I did, you can't prove it. Bart Simpson
  13. OpenBSD by don_carnage · · Score: 3, Informative

    I use an old P133 (overkill, I know) running OBSD as my firewall/gateway/ntp server/dhcp server. I could have gone out and spent money on a nice compact unit, but I like the fact that I can upgrade my OS, tweak my filters and above all: learn more about OBSD, networking and OS hardening.

  14. Harddriveless by dasunt · · Score: 5, Informative


    You don't need a hard drive for a firewall/router made from an old machine. Check out the LRP for a solution that fits on a single 1.44 mbyte floppy that can be write-protected and just needs to be power-cycled to be rebooted.

    1. Re:Harddriveless by Tim Doran · · Score: 3, Informative

      Right - which reduces the power consumption and noise.

      What I'd *really* like to see is a fanless power supply for such an application. It'd probably have to be limited to, say, 100W but that could cover such a box easily, especially if permitted to overload slightly at boot-up.

      Anybody know of such a thing? I have the perfect little 486 that I'm not using as a router because I don't want to consume any more power than I have to. But if all I had to run was the solid-state components and the floppy at power-up, I'd be much more willing...

    2. Re:Harddriveless by twoflower · · Score: 2, Informative
      Just open the PS and cut the fan wire. Or immobilize the fan with a cable tie.


      Bad, bad idea. The fan will produce significant heat if it is immobilized and still plugged in.

      The fan is not needed when there is no hard disk.


      False. The power supply needs a fan based on the current drawn, not whether a hard disc is plugged in. Some hard drives consume lots of power, some don't. Some CPUs consume lots of power, and would require a fan in the PSU regardless of whether a hard disc is installed.

      Twoflower
      --
      Twoflower
  15. SMC 7004ABR by saider · · Score: 5, Informative

    I do not have any servers, but this works well and has the following features...

    - DHCP server
    - NAT
    - RJ-45 for connection to Cable/DSL and a DB-9 for connection to a modem.

    I particularly like the fact that it can do Cable/DSL and Dial-up. Since I am moving a lot, I never know what is going to be available. You can even use the dial-up as a backup, should the Cable/DSL fail. Web based administration is straightforward. But I can't comment on that beyond the basics.

    Power consumption is low (22W I think) and it is a lot quieter and much smaller than a PC.

    It is good for my simple needs, but you may need more for your servers.

    Here is a link to the product page. You can download the product brochure and check it out for yourself.

    --


    Remember, You are unique...just like everyone else.
    1. Re:SMC 7004ABR by boudreau · · Score: 2, Informative

      I actually have this same exact router. It has a huge bug, the port forwarding feature does not work. I have contacted tech support and they say that it is a known bug within some loopback function and should be fixed in their next firmware update.

      I have also had to reset my router often and tech support has been very unhelpful with this.

      If I were you, go with a different brand or build your own. I used to have a linux router, but I wanted to take that functionality off my linux box so I could run other services. It is not like the routing function on the linux box caused a bunch of overhead, but it does have to use the cpu vs. a hardware router which has its own dedicated cpu. That is why I switched.

      Basically, read the firmware updates and look at where the bugs have been in all the manufacturers products. I did not do this, but I wish I would have. It would have given me a better idea to the quality of the product.

      Michael

  16. A bevy of information on configuring your routers by Typingsux · · Score: 5, Informative
    Here!

    I have a netgear router myself, and have locked it down pretty well with the advice I found.

    --
    The above post is an editorial, the poster cannot and will not be held responsible for all or in part for it's contents
  17. My results for the LinkSys and NetGear products by netwiz · · Score: 2, Informative

    i have, in turn, purchased a RT311 and a Linksys 1-port router (okay, so it's two ports, whatever). It turns out that they're pretty much the same hardware, and completely different ROMs.

    Ups: The Linksys product was by far the simplest to configure. easy, embedded HTTP server makes config chores simple and fast. It's easy to screw up the password, tho, however recovery is easy. I thought that even though the Netgear was significantly more difficult to use (relying on CLI-based menus and a powerful yet byzantine trigger-based rule system), it had the most configurability.

    Downs: This is why I'm using an OpenBSD box to do my NAT. Both routers rely on similar hardware, which, unfortunately, isn't up to the task of a 10Mbit cable modem or a 6Mbit DSL link. The peak rates I got out of each box was south of 490KBps, or right about 5 megabit. On my cable modem, it seriously throttled my downstream bandwidth, and I found it simpler to just take the time to really lock down my workstation and plug it straight into the cable modem.

    My $.02

  18. SMC Barricade Wireless Router SMC7004AWBR by chacal · · Score: 2, Informative

    I previously had a netgear rt311 on my network in my apartment at school..and when I graduated, I decided I wanted a wireless router, since I've got a couple of laptops, and my girlfriend has one as well. I looked at all the wireless offerings, and it came down to the D-link and the SMC..they're made by the same manufacturer..but the SMC has both a lifetime warranty and mac address restriction of the wireless network.

    In one $200 box, I get:
    o wireless access point supporting, i believe, 255 users.
    o 3 port 10/100 switched hub, plus the wan port.
    o firewall/router with plenty of configurability
    o print server, which works in both linux and windows.

    the administration interface is easy to use, can keep pretty good logs if you want, and allows for the network to be buttoned up pretty tight.

    it'll even hook up to a modem via a serial port, if you want to share a modem connection..

    here's a review at practicallynetworked:

    http://www.practicallynetworked.com/reviews/smc7004awbr.asp

  19. Re:and the winner still is by Anonymous Coward · · Score: 2, Informative

    Try smoothwall at www.smoothwall.org. It is a sweet linux based firewall and is configured through a really nice web interface.

  20. My experience... by jasno · · Score: 4, Informative

    Wow, its amazing how many people suggested that you should use an old PC. I guess no one read your whole post, or the 57 posts that said the same thing before they posted.

    First off, I've done the old PC thing myself. It was very flexible and I really liked having a linux box I could tunnel to. OTOH, it also sucked electricity and space which are 2 precious commodities here in California.

    I eventually switched to the BEFSR41 from linksys. I picked it up for $100 (BestBuy just had them for $79) and its worked out wonderfully. Low power, silent, and very, very small.

    One word of warning: if you intend on hosting any type of game server (quake, half-life, etc...) you should do a search on google first to make sure there aren't any weird problems with the device you decide on. For instance, I can run a half-life server behind the box, but it tends to kick people randomly.

    --

    http://www.masturbateforpeace.com/
  21. Cisco PIX 501 Firewall by jroysdon · · Score: 2, Informative

    Being a Cisco guy myself, I'd have to say if money isn't an issue, and security is the main idea, go with Cisco's PIX Firewall. It's actually not that bad if you compare it to their higher end gear (small office 506 is $2K, 515R is at least $3K, and it goes up real fast from there). Plus, you can run IPSEC and connect to anything else running the same (or even PPTP/L2TP). The thing I like is that all of the PIX line runs the same code, so anything you can do on a big ISP-size 535 you can do on 501. Plus, the new 6.0(1) code adds the ability to load the new PDM code (PIX Device Manager) which is a Java-based SSL web interface to allow easier programming in an interface very similar to Checkpoint's Firewall-1, etc.

    Any Cisco security engineer-wannabees should really consider this option, since it's a cheap way to practice with the exact same interface as the high-end gear.

    "Performance
    The Cisco PIX 501 Firewall provides competitive performance in a compact form-factor:
    * 10 Mbps cleartext firewall throughput
    * 6 Mbps DES VPN throughput
    * 3 Mbps 3DES VPN throughput
    * Supports 3,500 concurrent connections
    * Supports up to 5 VPN/IKE peers concurrently

    PIX 501 10 User/DES Bundle, PIX-501-BUN-K8, $595
    PIX 501 10 User/3DES Bundle, PIX-501-BUN-K9, $695
    "

    Oh, and compared to some of the "Cable/DSL" routers out there like Linksys, this is a huge step up. You can do NAT/PNAT from multiple external pools to specific internal ranges, or even port redirection so that multiple global addresses forwards different ports to multiple internal servers, or one-to-one static NATing if you require, or even "NAT 0" (internal and external addresses are the same) but still firewalled. Built-in DHCP, basically everything and anything you could want or expect from a firewall middle-box is here.

    http://cisco.com/go/pix

  22. For $51, just get a router! by briansmith · · Score: 5, Informative

    Sure, you can build one out of an old computer and spare parts. But, think about the physical size, noise of the fans, and electrical consumption. Plus, you could use that old computer for something else. I got a D-Link DI-804 for $51 from Amazon.com this week. $80.00 - $30.00 rebate - $10.00 online coupon + 11.00 S/H. It seems to have all the features you want. It has a simple web interface for basic stuff but it also has a telnet interface for more advanced features. Look at the D-Link site for the product (http://www.dlink.com/products/broadband/di804/).

    Note: The picture on the D-Link and Amazon.com websites is of an older design where the four switch ports are on the front, and the WAN port is on the back. On the one I received yesterday, all ports are on the back (much less messy). I emailed them telling them that the picture didn't look anything like the actual product and so they apparently pulled the webpage for the product temporarily.

    The setup was painless (basically, just plugged it in, attached network cables, renewed my IP leases, and changed the admin password). I even upgraded the firmware in less than a minute. It is also silent (no fan) and it is about the size of the area of a keyboard between the [ESC] and the right-alt key. It is working great.

    It has four ports in the built-in switch. Port one can be used either as a normal switch port or as an uplink. It also has a serial port that you can attach an external modem to share as a backup for when your cable/dsl connect goes out.

    For $51, it is basically the same price as the 486 solution that someone else cited as $45, and it even comes with a one-year warranty (apparently, D-Link used to have a lifetime warranty but I guess they don't do that for the consumer stuff any more).

    CPU: 32bits ARM RISC CPU

    Memory:
    512 Kbytes Flash Memory
    4 Mbytes SDRAM

    Standards:
    IEEE 802.3 10Base-T Ethernet
    IEEE 802.3u 100Base-TX Fast Ethernet
    IEEE 802.3x Flow Control
    ANSI/IEEE 802.3 NWay Auto-Negotiation

    Protocols Supported:
    TCP/IP
    NAT
    DHCP
    UDP
    PAP
    CHAP
    MSCHAP
    RIP1/RIP2
    PPPoE
    Virtual Server

    VPN Pass Through Function*:
    PPTP
    L2TP
    IPSec

    Firewall Protection: Built in NAT firewall using stateful packet inspection

    Management: Web-Based - requires a PC, Mac, or Linux based computer with a Web Browser capable of running Java script.

    Firmware Upgrade: Web-Based - requires a PC, Mac, or Linux based computer with a Web Browser capable of running Java script.

    Ports:
    4 x NWay 10BASE-T/100BASE-TX Fast Ethernet LAN
    Port 1 has Uplink/Normal switch
    1 x 10Base-T WAN
    1 x RS-232 (230 Kbps, male DB-9) - for back-up analog modem connection

    LED's:
    Power
    WAN
    Console
    Link/Act. (Link / Activity)
    10/100 Mbps

    Power: DC 5V 2A
    Operating Temperature: 0 C ~ 40 C
    Storing Temperature: -20 C ~ 70 C
    Humidity: Max 95% Non-condensing
    EMI Certification: FCC part 15 Class B in US

    1. Re:For $51, just get a router! by briansmith · · Score: 2, Informative

      I have heard similar stories. Did you register the product with them? I heard that they will absolutely ignore you until you register, but then they are often very helpful.

  23. Gaming problems by ThesQuid · · Score: 2, Informative

    If you are planning on having multiple people running networked games in your house, I would recommend caution when thinking about a hardware router. For example, Linksys (among others) has problems when two people in a household play Q3 and want to connect to the same remote gameserver. As was said before, PracticallyNetworked.com is a good place to investigate before buying.

    Alternatively, an old Mac IIcx makes a great router. Two NICs and a video card, old 20mb drive, IPNetrouter software, and there you go! Pretty much unhackable, because with System 7.5.5, you can't even address the Mac's file sharing via tcp/ip. I've got just such a beast running our office because our Linksys died. And I'm really cheap.

  24. Re:Power? by athakur999 · · Score: 2, Informative

    Looking at the specs of the LinkSys BEFSR41, it uses an external power supply at 5V and 3A, which is 15 watts. It will use 131.4 kw-hours in a year if on 24x7x365.

    Your average PC probably has a 250w power supply. It will use 2190 kw-hours in the same time.

    I don't know what the average price of electricity is, but I think it's around $0.09 for me in Texas. So it'd cost ~$12 to run the LinkSys router and ~$197 to run the computer for the same amount of time.

    The computer estimate may be on the high end since I don't know if a 250w power supply will always pull 250w or if it pulls what is required up to 250w.

    --
    "People that quote themselves in their signatures bother me" - athakur999
  25. Do You Already Have A Windows PC? by corky6921 · · Score: 2, Informative

    There has been much discussion on some of our internal mailing lists about the best router. Some involve setting up an older computer or purchasing a new router. Well, I didn't want to clutter up my house with another PC, and I didn't want to spend $110+ on a router, so I used my existing Windows 2000 PC. It's easy to set up. Here are the details:

    You will need:

    -- Ethernet cards for each of the computers
    -- At least one computer running Windows 2000 (recommended for stability)
    -- A crossover cable or (preferably) a 10/100 Ethernet hub

    Here is the easiest way to do this.

    Install Ethernet cards into both of your computers.

    Connect one PC to the modem. (If you have an Ethernet-based modem, you'll need two Ethernet cards in the computer connected to the modem.)

    Connect both computers to the hub, or, if you're using a crossover cable, connect them together using that.

    Make sure your Internet connection is up and running on the computer connected to the modem.

    Assuming you're using Windows 2000, the next steps follow like this:

    Right-click on My Network Places and click Properties. Right-click on your ethernet adapter and hit Properties. Click the tab labeled "Sharing" and click "Enable Internet Connection Sharing". (If you're using dual Ethernet cards in this system, you should right-click on the adapter connected to the outside world. TIP: rename your adapters so you know which is which; "External" and "Internal" are good choices. ;)

    That's it! Both your computers should now be connected to the Internet. Total cost: two ethernet cards at $10-$20 each and a Netgear 4-port 10/100 hub at $40 for $80 maximum.

    I recommend installing Windows 2000 (or heck, Windows XP Pro) if you're going to be doing file/print sharing and networking. Windows 2000 in general is a much better product than Windows 9x for network-intensive applications. Whatever you do, if you enable file/print sharing, do yourself a favor and make sure that both computers have the same OS, as you'll save yourself a lot of trouble in the long run. (It is possible to do it with 2000 and 98, but it's a lot more of a hassle than with both computers running the same variety of Windows.)

    You can also do the above using Linux, but I already had the Windows 2000 computer, and Linux's version of ICS isn't that easy to set up. Windows 98 and ME also have the Internet Connection Sharing option.

    If you want to do specific routing such as setting internal static IPs or setting up network printers, you're much better off going with a server OS. I've used Windows 2000 Server to do this. However, for your basic home networking setup, W2K Pro works wonderfully.

  26. My Suggestion: Netgear RO318 by dhamsaic · · Score: 4, Informative
    I personally recommend the Netgear RO318. I used to have the Linksys BEFSR41, but I dumped it because it was causing problems playing Quake III Arena online. I did a lot of research, and found that the RO318 best suited my needs. Here's why:
    • Price: In the $150 range, it's not cheap, but not expensive. However, its other features quickly make it worth every penny.
    • 8 port switch: more than I've seen for this price. This is good, seeing as I have an obscene number of computers in my house.
    • Web-based setup: I really didn't want to telnet into the router and set it up, so I made sure this one has web-based setup. It does, and it's easy to configure. It took me about 5 minutes to get it set up with my DSL (Verizon).
    • Stateful Packet Inspection: The RO318 is a real firewall, not just NAT (although it does do NAT).
    • Web-access policies: You can block certain computers from going to websites containing keywords, etc. This is useful if you don't want your kids to be visiting teenieporn.com
    • Email reports: The router will email you and let you know if a) you are being attacked (automatically detects portscans, etc) and b) if sites are being visited that shouldn't be (of course, you set this all up).
    • Design: It's flat and sturdy, which means I can put my other switches on top of it. Couldn't do this with the Linksys due to its design.

    Overall, I love it. No problems with Quake III Arena, easy to set up, works flawlessly. The reasons the above poster listed are also true: with 8 ports, you can always plug in a laptop; port forwarding works well, and Netgear also has a great reputation.

    Here is the product information page at Netgear. It can be had from buy.com for $155.

    --
    Every once in a while I like to masturbate a new word into my vocabulary, even if I don't know what it means.
  27. Cisco 1600 by KenFury · · Score: 4, Informative

    Why screw around? If you are serious about this spend $50 extra and get a used router off e-bay. You can get a 1600 series with 2 ethernet ports for around $225 plus shipping. You get a real router, a little experience with cisco kit and with the GUI config even my dad could set this up.

  28. Netgear RT314 has been fantastic for me by websensei · · Score: 2, Informative
    - Easy to set up
    - Cheap ($120 6 months ago)
    - Virtually impenetrable
    - It DOES support dyndns
    - Easy to configure filtersets
    - DHCP client and server
    - Fast
    - Low power consumption
    - Solid firmware
    - Small footprint
    - Cool metallic blue ;)

    Seriously, it's virtually flawless.


    Also my Linux server and dual-boot linux/win2k dev machine and wife's windows laptop all are happily easily connected simultaneously without any hassle.


    I'm not a sysadmin by nature; having an appliance that is secure and easy has allowed me to keep focusing on the stuff I'm interested in.


    http://www.netgear.com/product_view.asp?xrp=4&yrp=12&zrp=55

    --

    The only road to paradise begins in hell
  29. What I know I learned from: by AnhZone · · Score: 2, Informative
    I second the Practically Networked site. Especially good are the product reviews. Start here.

    On the strength of a Practically Networked review, I had good luck with an SMC Barricade router with 4 ports and a built-in firewall a year ago, but things may have changed a lot since then. It took me only about 15 minutes to install (not counting network setup on the computer) and cost ~$100.

    I learned about related topics from

    How to set up a network at home: MIT guide with Linux focus.

    World of Windows Networking: If Windows networking is screwing up (as it often does), go here.

    homePCnetwork forum: Configuration questions answered, mostly by the guy who runs the forum.

    Technocopia: Overview articles on home networking.

    Grant's Closet: Home LAN wiring.

    Steve DeRose's guide: CAT5 wiring.

    Telecom wiring: links to HOWTO and info articles on wiring.

    --
    Patriotism is the conviction that your country is superior to all others because you were born there. (GBS)
  30. Two experiences of dedicated NAT boxes by wfmcwalter · · Score: 2, Informative
    I've used two of the more popular NAT boxen on my home ADSL connection. For what it's worth, here's what I found:

    Linksys BEFSR11
    Easy to install, fast, very nice web-based control UI. I had significant ongoing problems with this unit, where it would get "blocked up" (where it would become largely unresponsive, even to pings). With sufficient perseverance one could get through to the webUI and manually force it to drop and reconnect its PPPoE connection, after which it was generally okay. There seemed to be a strong correlation between this happening and my roommate using her (darn) win95 box. The box also went similarly nutzo when the DSL connection had occasional "issues" - when the DSL was down, the box itself became mostly unresponsive, even to internal traffic. I have two friends who also have this unit - one has perfect results, another has even worse results (all, including myself, using the latest Linksys firmware).

    NetGear RP114
    Doesn't have the same reliability issues that the NetGear did. Its web interface is terrible, but they do have an excellent telnet based interface, which has a lot more real-time technical info than did the Linksys' UI. Webpage performance seems (subjectively) a bit more sluggish, but raw DSL speed tests are still nice and fast. Includes a DNS server, which the Linksys didn't. Less non-techie friendly than the Linksys.

    --
    ## W.Finlay McWalter ## http://www.mcwalter.org ##
  31. I use Coyote Linux + 486DX4/100 + cable modem... by Richard+Steiner · · Score: 2, Informative

    My bandwidth is considerably higher than 180KBytes/sec (testing by grabbing a 10MB file from RR's local FTP server shows 247KBytes/sec), and there doesn't seem to be all that much drain on the box. I think it's capable of handling much higher throughput.

    I'm even using two no-name ISA NICs (older NE2000 clones with jumpers).

    --
    Mainframe/UNIX Bit Twiddler and long time Windows/Linux Hobbyist.
    The Theorem Theorem: If If, Then Then.
  32. NetGear, Linksys, & Linux... Oh my! by weslocke · · Score: 2, Informative

    I always had great experiences with my old ISDN Netgear router. Easy to configure, easy to open-close ports... just a nice little box sitting there tossing my packets. No real issues to speak of.

    I had the Linksys DSL Router (BEFSR1 I believe is the model number) and absolutely loved it. Again very easy to configure, this time due to a web interface that was even easier than the Netgear's text based menu system.

    There's just one thing. The Linksys supports PPPOE, but unless they've fixed it in the last 7 months or so their support for it is horribly broken. I had DSL through Bellsouth via PPPOE and was having to constantly reset my Linksys due to it going into Lala-Land constantly. Except for that though it was a great little box, and probably would be my pick if I hadn't been on that PPPOE connection. It does however have a DMZ option which allows you to do static routing to one machine without it performing NAT translation, btw. Don't know about the Netgear.

    After I gave up on the Linksys, I decided to "do it right" and slap Linux on a 400MHz I had sitting around. I ran that option for about 6 months or so with only one small problem. (I forgot to change my device for my firewall when I went from DSL to Cable and ran wide open for a few weeks. Got hacked and had to reload. Ooops.) It works great except for a few things... takes a while to reconnect if you lose power, Ipchains/Tables is a pain to configure (Yes there are GUIs, yes, yes, yes to everything else. Blah blah blah), if you decide you want to do something like port forwarding later it's a pain to configure / recompile the kernel for that, and whatnot.

    Finally said "ta heck with it" and picked up another Linksys to run on my cable. It's been plugging away for about two weeks now and I'm loving it.

    (Btw, I'm not knocking Linux. I have it on my secondary workstation at work, and on my alternate system here at home. But, like the guy originally said, "Die-hards will insist that one should run a standalone box with dual ethernet cards and the appropriate routing goodies -- but these standalone boxes, at 5-15 watts and a couple hundred bucks, seem like comparatively hassle-free solution". He's right. The standalone boxes _ARE_ a nice hassle free low-power low-maintenance solution. Linux for a simple router is like using hand grenades to dig holes for potted plants)

    The Cisco 1720 is a good router also, though it'd probably be a bit pricier than what you're looking for. A complete pain in the ass to configure, but it'll let you do just about anything you want to do. You could configure a pool of IPs for static access, another for DHCP, and another for NAT.

    --

    'Life is like a spoonful of Drain-O, it feels good on the way down but leaves you feeling hollow inside'
  33. Hardware and Software Firewall by Mistah+Blue · · Score: 2, Informative

    I use a Linksys as my hardware solution. Works great. I then use Tiny Personal Firewall or ZoneAlarm for my PC's. I like either of these products because I'm alerted about outbound connections (trojan protection and in one case it alerted me to the fact I didn't have NAV enabled for a mail account). I previously ran a FreeBSD firewall on an old laptop. I switched to the LinkSys to reduce clutter and simplify life (I have twins and don't really have time to mess with keeping up-to-date on FreeBSD patches/etc.). I like the PPTP pass-through on the LinkSys. Previously I hung the company laptop docking station on my DMZ (I have two statics) and relied on the laptop firewall software. If I wanted to do anything internally I had to plug in the PC Card Ethernet to my network (major pain). Now, I don't need to do that. For me it was a matter of simplifying things.

  34. Linux Router Project by slipgun · · Score: 2, Informative

    Have a look at the Linux Router Project (LRP). http://www.linuxrouter.org. I have had it running 24/7 for about 6 months now, and not once has it crashed (not surprising, since it's based on Linux). However, it also runs directly off a floppy, which means the PC you run it on is virtually silent.

    I have it running on a 486-66, 16MB, no hdd, to connect my cable modem to my LAN. Of course, you can also use it with Tx/DSL/ISDN/analogue.

    Sorry, this reads like an ad, but I really love this distro - it has made life so much easier.

    --
    SpamNet - a spam blocker that really works
  35. WatchGuard Soho vs Sonicwall Soho. by FrankieBoy · · Score: 2, Informative

    I purchased the WatchGuard Soho over a year ago and it's been so-so. It tends to lock up from time to time and when I contacted tech support they told me that it would be fixed in a future rev of the firmware. Unfortunately my one-year of firmware upgrades has now expired and I still have the problem. I could re-up with them but having a gun put to my head doesn't make me very happy. I'm now looking at the Sonicwall Soho which has the same features as the WatchGuard but includes a lifetime firmware subscription. PPPoE is critical for most DSL and NAT allows you to use one DHCP assigned address for many machines on your home network, something that most ISPs frown upon. Setup for the WatchGuard was easy through the browser and the Sonicwall offers the same. If you're real clever you could dust off one of those old P75's in the basement and install a stripped down Linux distro to perform the PPPoE, NAT and Firewall functions.

  36. But get the current firmware and set the password by Animats · · Score: 5, Informative
    The Linksys home-sized routers aren't bad if you have current firmware, but firmware from the first half of 2000 crashes frequently.

    Also, and I cannot overemphasize this, set the password. Not only are Linksys routers administered via a web interface, and attackable that way, they accept firmware downloads via TFTP, and will accept a firmware download from the WAN side. So an attacker can patch the thing remotely if it's not secured.

  37. SMC is a good choice by MacBoy · · Score: 2, Informative
    Wow.. there are a lot of opinions in this thread!

    Allow me to enter mine:
    I have an SMC Barricade (8 port), and it works beautifully. In addition to all the cable/DSL firewall/Router features you could want, it also does print serving and even dial-up. It is nice to be able to fail-over to dialup when the good ol' reliable @home goes down, as it often does.

    The SMC will allow port mapping to static IPs in addition to DHCP on the LAN (as the poster had wanted). In addition to that, it can be configured to block out certain IPs or networks; it can be configured to "open up" a range of incoming ports when a connection is started on a specific outgoing port from behind the firewall (good for kludging support for unsupported protocols); it can be configured to allow for ftp connections to work through the firewall on a non standard port (that kind of thing usually would break IE's ftp client, for example); it can do PPPoE out of the box (for certain DSL providers), supports hostname configuration and MAC address cloning (for certain Cable providers), supports dialup through an external modem, has a built-in print server, etc., etc... very full featured.

    It works with my company's VPN (I don't know which protocol it uses, but did not work with WinRoute on a PC as a firewall). It also works with Quicktime streaming (the preferred RTTP over UDP method), which again broke with WinRoute on a PC.

    In addition to all that, the unit is fairly small and unobtrusive and it does not use a power brick, instead it has a built-in power supply and takes a standard computer power cord! yeah! That's one fewer wall-wart to deal with on the power strip.

  38. if you have an old Mac around by rakerman · · Score: 2, Informative

    IPNetRouter will run on relatively underpowered Macs, which gives you an extra level of protection, since the MacOS (before MacOS X) doesn't have many ports/services open for attack by default.

  39. Experiences by lanner · · Score: 4, Informative

    I am a CCNA and CCNP, I work with networking equipment for a living.

    A friend recently bought a Netgear MR314. It seemed okay. I rather like using my unix box to do filtering, mail, and other stuff, so I would never use one of these boxes. The http interface was fairly nice and easy to follow. Easy is good for networking novices.

    One problem that I encountered was the telnet support. This one had me calling their support department, not that they helped any. The command line will only accept 8 character hostnames. My friend had a 10 character @Home hostname for his authentication, and the only way to enter it was through the http interface. That sucked. Telnet is not intuitive, like Cisco IOS, but not horribly horrible.

    The MR314 is overall a good router, but I like more powerful stuff. The wireless interface was good. The construction of the box was very nice -- we took it apart. I think that it was using a Motorola processor.

    I have also dealt with the Cisco 600, 700, and 800 series routers in my time. They are pretty decent. I wish that the CBOS would allow for access lists greater than 18 (or is it 16?) lines. They take set, show, and debug style commands. Pretty intuitive. Upgrading the OS on them is easy. They can do NAT and PAT very well.

    Efficient Networks, formerly Flowpoint, routers are decent. They are command line based, and while help and documentation is really poor, they take some pretty good commands, do good syslogging, and a few other really neat things in their operating system. Unfortunately, the commands are cryptic and you have to be a real networking pro to know what they are talking about.

    Netopia routers are really great. One of the fantastic features about them is that they do IPSec (DES only, no 3DES)! That is incredible for a router of its type. They also do GRE tunnels. The next thing up if you want to do IPsec is a small Cisco router or PIX firewall, or a unix box. Netopias do great system logging and SNMP. They are configured through a telnet menu interface -- no telnet. They do excellent filtering, but entering filters is sort of a pain. Good construction of the boxes.

    A word about Qwest DSL. They only use DMT these days for DSL -- NO CAP. That means that you can no longer use the Cisco 675 on their networks. Use the 678 instead. If you own a 675 and move, you are fscked. I bought a 675 about a year and a half ago, recently moved, and was screwed for $300. I managed to hassle a poor Qwest tech into sending me a 658 at a very steep discount, nearly free -- it took a lot of work and insider knowledge to pull off though. CAP, DMT, and G.lite are like line codes or modem modulation types. They are the analog modulation codes that the DSL interface uses to get its data across the line. Wrong modulation = no workie.

    BTW: Are there Linux 2.4 kernel drivers for the Intel 2200 DSL NIC? I have two of these things that Qwest sent me, and I would love to use them in my boxen. I do not know of drivers existing though. I need to google that.

  40. Check out the new Cisco Pix 501 by Bluecoat93 · · Score: 2, Informative
    Cisco just announced the Pix 501, targeted at SOHO, but running the same PixOS as the "big iron" Pix firewalls. I'd be very surprised if it doesn't do everything you want.

    Cisco product information is here.

  41. Netgear by AaronW · · Score: 3, Informative

    I have had very good luck so far with my Netgear fr314. It has excellent logging capabilities and periodically sends all logs and alerts by email. It was easy to set up and allowed me to set up a web server behind the firewall. My main reason for getting it was that I have several computers and don't want to dedicate a computer to just being a firewall.

    The Netgear allows me to block all Active X, Java, and many cookies (I have Active X blocked for most sites for my roommate's Windows computer).

    Performance wise it seems pretty good. I haven't noticed any degradation in performance, often downloading at over 400KBps (Kbytes/sec).

    It has the option of content filtering, but that's not something I want (except for things like doubleclick.net).

    It has many common services already configured and allows for more to be added quite easily.

    I wish it allowed some more complicated rules, however. For example, I want to allow some ports to only be accessed from certain IP addresses. I can configure the ports allowed or denied and the IP addresses allowed or denied, but not combinations of both. To handle that I run a secondary firewall on the server which allows more options.

    Also, the Netgear is limited to 8 clients without buying an upgrade.

    In terms of logging, I am quite impressed. It logs all port scans, attempted accesses to known trojans like netbus, pings of death, and other malicious behavior. It also classifies port scans as either possible or probable.

    It also draws only around 10 watts, and here in CA where my electric rate is hitting upwards of 0.20$/kwh,

    --
    This post is encrypted twice with ROT-13. Documenting or attempting to crack this encryption is illegal.
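
The limitation described in the Netgear comment above (ports and source addresses can each be allowed or denied, but not in combination) can be modelled as follows. This is an added example, not part of any post and not the FR314's actual rule engine: the two filter models, the policy, the networks (documentation ranges) and the packets are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """Combined rule: one destination port, reachable from one source network."""
    port: int
    source: ipaddress.IPv4Network


def combined_allows(src, port, rules):
    """Host-firewall model: allow only if a (port, source) pair matches; default deny."""
    addr = ipaddress.ip_address(src)
    return any(r.port == port and addr in r.source for r in rules)


def flatten(rules):
    """Tightest separate port list and source list that still admit every rule."""
    ports = {r.port for r in rules}
    sources = {r.source for r in rules}
    return ports, sources


def independent_allows(src, port, ports, sources):
    """Appliance model (assumed): the port check and the source check are unrelated."""
    addr = ipaddress.ip_address(src)
    return port in ports and any(addr in net for net in sources)


def over_permitted(packets, rules):
    """Packets the separate lists let through although the combined policy denies them."""
    ports, sources = flatten(rules)
    return [(s, p) for s, p in packets
            if independent_allows(s, p, ports, sources)
            and not combined_allows(s, p, rules)]


# Constructed policy: web open to everyone, SSH only from one admin network.
POLICY = [
    Rule(80, ipaddress.ip_network("0.0.0.0/0")),
    Rule(22, ipaddress.ip_network("203.0.113.0/24")),
]

# Constructed inbound packets as (source address, destination port).
PACKETS = [
    ("198.51.100.7", 80),   # stranger to web: wanted
    ("198.51.100.7", 22),   # stranger to SSH: must be denied
    ("203.0.113.5", 22),    # admin to SSH: wanted
    ("203.0.113.5", 25),    # port not in the policy: denied by both models
]

if __name__ == "__main__":
    for src, port in over_permitted(PACKETS, POLICY):
        print(f"separate lists expose port {port} to {src}")
```

Under the separate-lists model the only way to keep port 80 public is to admit every source, which also opens port 22 to every source; the per-pair rules on the server behind the appliance close that gap.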
  42. Re:Priceless -- not quite by Electrum · · Score: 3, Informative

    If the monitor isn't running, a computer shouldn't use more than about 10-20W. A hefty power supply is only necessary for an AGP graphics card that uses a lot of power, or when spinning up the disk drives.