Choosing a Router/Firewall for the Home LAN

Dr. Zowie asks: "How should one choose a router for a home LAN? We just added a few hosts on our home ethernet, which is connected via DSL. There are an amazing number of new entries into the market for routers and even stand-alone firewalls. NetGear, Linksys, SMC, and even Panasonic all have boxen in the $99-$300 range, each of which will do some combination of NAT, routing, source-IP filtering, port filtering, and content filtering."

"It's not at all obvious from the packaging, the web sites, or the drool-proof pamphlets in the boxes which routers will do what. For example, we'd like to pass through packets for our two server machines, and use NAT/DHCP on a third address for the rest of the LAN. Nearly all the boxes advertise that they can do NAT routing, but many don't support NAT and static-IP routing simultaneously.

Die-hards will insist that one should run a standalone box with dual ethernet cards and the appropriate routing goodies -- but these standalone boxes, at 5-15 watts and a couple hundred bucks, seem like comparatively hassle-free solution. Which one do you use?"

A Good Source of Info

[rcatarella]

Practically Networked
All kinds of good information and reviews on exactly what you're looking for.

My experience

[krokodil]

Linksys are OK but quite limited in their functionality. I am usuing it and quite happy.

SOHOWARE sucks big time - buggy and unreliable. Do not beleive words about "Stateful Packet Inspection" - even if it does it you could not use it.

What I really want to see is SNMP management for
such devices. Unfortunalty, best they could do
is read-only SNMP access.

Take a look at Smoothwall, perhaps?

[King_TJ]

http://www.smoothwall.com should get you to the main product page. It's a freeware GPL firewall running Linux, but designed for ease of installation and administration via a web browser afterwards. The new version 0.99 is due for release any day now, and the beta of 0.99 works quite well for me.

Since most people have an old 486 or Pentium lying around, the cost to set this up is next to nothing - and it has features the hardware firewall/router boxes don't include. (EG. Ability to auto-update your dynamic IP with the dyndns.org service and "snort" to log hack attempts with details on what was attempted.)

Re:Take a look at Smoothwall, perhaps?

[Telecommando]

I think you mean http://www.smoothwall.org

www.smoothwall.com is a real estate site.

Here's what I have.

[The+Slashdolt]

I have 5 computers connected to the internet in my in-home LAN right now. My router/firewall/gateway is a 166MHZ linux box running redhat 6.0. I've been running this setup for about two years, upgrading as necessary. Using IP masquerading this is all very simple and with IP Chains, you can setup any firewall rules you want. I recently installed redhat 7.1 and it has a firewall wizard type thing that makes this all even easier! Take an old box and put linux on it, you won't be dissappointed.

Re:and the winner still is

[krokodil]

> I can go and tweak out my iptables stuff but too
> many admins would prefer not to. Is there any
> good solution?

Try Firewall Builder: http://www.fwbuilder.org/

I got the Linksys

[Delirium+Tremens]

I chose the Linksys (3 RJ45 + 1 USB connections) over a custom PC running Linux/*BSD because:

• For $160, I couldn't have built a cheap computer(I don't own enough spare parts yet).
  
• Its power consumption is so much lower than any custom computer I (=limited skills) could build.
  
• It is completely silent.
  
• If a friend visits me with his/her laptop, we can connect it without any extra hardware to the net via the USB connection (albeit, the laptop must run Windoze 2000 ... last time I tried, none of the Linux USB network drivers worked)
  
• 
  I love the IP forwarding of the linksys. All connections to port 80, 443, 21 and 22 are reditected to my Linux box, and all other ports that involve games and *apster clones are redirected to my Game box. Remaining ports are blocked.
  
• And then I choose Linksys over other brands because ... well ... it's Linksys, after all!
  

OpenBSD

[don_carnage]

I use an old P133 (overkill, I know) running OBSD as my firewall/gateway/ntp server/dhcp server. I could have gone out and spent money on a nice compact unit, but I like the fact that I can upgrade my OS, tweak my filters and above all: learn more about OBSD, networking and OS hardening.

Harddriveless

[dasunt]

You don't need a hard drive for a firewall/router made from an old machine. Check out the LRP for a solution that fits on a single 1.44 mbyte floppy that can be write-protected and just needs to be power-cycled to be reboot.

Re:Harddriveless

[Tim+Doran]

Right - which reduces the power consumption and noise.

What I'd *really* like to see is a fanless power supply for such an application. It'd probably have to be limited to, say, 100W but that could cover such a box easily, especially if permitted to overload slightly at boot-up.

Anybody know of such a thing? I have the perfect little 486 that I'm not using as a router because I don't want to consume any more power than I have to. But if all I had to run was the solid-state components and the floppy at power-up, I'd be much more willing...

SMC 7004ABR

[saider]

I do not have any servers, but this works well and has the following features...

- DHCP server
- NAT
- RJ-45 for connection to Cable/DSL and a DB-9 for connection to a modem.

I particularly like the fact that it can do Cable/DSL and Dial-up. Since I am moving a lot, I never know what is going to be available. You can even use the dial-up as a backup, should the Cable/DSL fail. Web based administration is straightforward. But I can't comment on that beyond the basics.

Power consumption is low (22W I think) and it is a lot quieter and much smaller than a PC.

It is good for my simple needs, but you may need more for your servers.

Here is a link to the product page. You can download the product brochure and check it out for yourself.

A bevy of information on configuring your routers

[Typingsux]

Here!

I have a netgear router myself, and have locked it down pretty well with the advice I found.

Re:Old PC

[Luke]

OpenBSD Networking Setup

OpenBSD has excellent documentation and FAQs. Just be sure to read, and re-read so you understand what's going on.

My experience...

[jasno]

Wow, its amazing how many people suggested that you should use an old PC. I guess no one read your whole post, or the 57 posts that said the same thing before they posted.

First off, I've done the old PC thing myself. It was very flexible and I really liked having a linux box I could tunnel to. OTOH, it also sucked electricity and space which are 2 precious commodities here in California.

I eventually switched to the BEFSR41 from linksys. I picked it up for $100 (BestBuy just had them for $79) and its worked out wonderfully. Low power, silent, and very, very small.

One word of warning: if you intend on hosting any type of game server (quake, half-life, etc...) you should do a search on google first to make sure there aren't any weird problems with the device you decide on. For instance, I can run a half-life server behind the box, but it tends to kick people randomly.

Re:Old PC

[Zwack]

"A decent 3COM or Intel NIC can not be found (easily) for $10."

I won't argue as to whether 3com NICS are decent, but I have bought second hand 3com cards before for much less than ten dollars.

As an AC posted a non decent network card can easily take the load of a T1... A T1 is nowhere near the bandwidth of a 10BaseT network.

Not every packet will travel through the firewall anyway. Some will be locally routed. Some will be stopped by the firewall.

Most importantly, the poster was looking for a way of doing NAT on some addresses and passing others through. I haven't seen one of these little boxes allow that from the ones I've used/looked at. That's not to say that there aren't any... But if there aren't then for the features that we are talking about a cheap 486 WILL outperform a standalone box that can't do what is being asked for.

Z.

For $51, just get a router!

[briansmith]

Sure, you can build one out of an old computer and spare parts. But, think about the physical size, noise of the fans, and electrical consumption. Plus, you could use that old computer for something else. I got a D-Link DI-804 for $51 from Amazon.com this week. $80.00 - $30.00 rebate - $10.00 online coupon + 11.00 S/H. It seems to have all the features you want. It has a simple web interface for basic stuff but it also has a telnet interface for more advanced features. Look at the D-Link site for the product (http://www.dlink.com/products/broadband/di804/).

Note: The picture on the D-Link and Amazon.com websites is of an older design where the four switch ports are on the front, and the WAN port is on the back. On the one I received yesterday, all ports are on the back (much less messy). I emailed them telling them that the picture didn't look anything like the actual product and so they apparently pulled the webpage for the product temporarily.

The setup was painless (basically, just plugged it in, attached network cables, renewed my IP leases, and changed the admin password). I even upgraded the firmware in less than a minute. It is also silent (no fan) and it is about the size of the area of a keyboard between the [ESC] and the right-alt key. It is working great.

It has four ports in the built-in switch. Port one can be used either as a normal switch port or as an uplink. It also has a serial port that you can attach an external modem to share as a backup for then your cable/dsl connect goes out.

For $51, it is basically the same price as the 486 solution that someone else cited as $45, and it even comes with a one-year warrenty (apparently, D-Link used to have a lifetime warrenty but I guess they don't do that for the consumer stuff any more).

CPU 32bits ARM RISC CPU
Memory 512 Kbytes Flash Memory
4 Mbytes SDRAM
Standards IEEE 802.3 10Base-T Ethernet
IEEE 802.3u 100Base-TX Fast Ethernet
IEEE 802.3x Flow Control
ANSI/IEEE 802.3 NWay Auto-Negotiation
Protocols Supported
TCP/IP
NAT
DHCP
UPD
PAP
CHAP
MSCHAP
RIP1/RIP2
PPPoE
Virtual Server

VPN Pass Through Function*
PPTP
L2TP
IPSec

Firewall Protection: Built in NAT firewall using stateful packet inspection

Management: Web-Based - requires a PC, Mac, or Linux based computer with a Web Browser capable of running Java script.

Firmware Upgrade: Web-Based - requires a PC, Mac, or Linux based computer with a Web Browser capable of running Java script.

Ports:
4 x NWay 10BASE-T/100BASE-TX Fast Ethernet LAN
Port 1 has Uplink/Normal switch
1 x 10Base-T WAN
1 x RS-232 (230 Kbps, male DB-9) - for back-up analog modem connection

LED's
Power
WAN
Console
Link/Act. (Link / Activity)
10/100 Mbps

Power DC 5V 2A
Operating Temperature 0 C ~ 40 C
Storing Temperature -20 C ~ 70 C
Humidity Max 95% Non-condensing
EMI Certification FCC part 15 Class B in US

Re:Old PC

[Zaknafein500]

NAT on some addresses and passing others through. I haven't seen one of these little boxes allow that from the ones I've used/looked at

It sounds like what the poster was needing is just something to do portforwarding. For most server applications, except DNS and possibly passive FTP, just forwarding whatever service you are needing to run on the internal machines from the firewall works extremely well. I know every Netgear Cable/DSL router I have ever used has this ability, and I assume the Linksys boxes will as well. These boxes will also allow you to assign some boxes via DHCP and some static.

Now, if you need routable addresses to internal machines, you are going to have to look beyond home routers. I have yet to see any that will allow you to do a combonation of 1:1 NAT/IP masq. Of course, this setup shouldn't be difficult to accomplish with a small *nix router.

My Suggestion: Netgear RO318

[dhamsaic]

I personally recommend the Netgear RO318. I used to have the Linksys BEFSR41, but I dumped it because it was causing problems playing Quake III Arena online. I did a lot of research, and found the the RO318 best suited my needs. Here's why:

• Price: In the $150 range, it's not cheap, but not expensive. However, its other features quickly make it worth every penny.
• 8 port switch: more than I've seen for this price. This is good, seeing as I have an obscene number of computers in my house.
• Web-based setup: I really didn't want to telnet into the router and set it up, so I made sure this one has web-based setup. It does, and it's easy to configure. It took me about 5 minutes to get it set up with my DSL (Verizon).
• Stateful Packet Inspection: The RO318 is a real firewall, not just NAT (although it does do NAT).
• Web-access policies: You can block certain computers from going to websites containing keywords, etc. This is useful if you don't want your kids to be visiting teenieporn.com
• Email reports: The router will email you and let you know if a) you are being attacked (automatically detects portscans, etc) and b) if sites are being visited that shouldn't be (of course, you set this all up).
• Design: It's flat and sturdy, which means I can put my other switches on top of it. Couldn't do this with the Linksys due to its design.

Overall, I love it. No problems with Quake III Arena, easy to set up, works flawlessly. The reasons the above poster listed are also true: with 8 ports, you can always plug in a laptop; port forwarding works well, and Netgear also has a great reputation.

Here is the product information page at Netgear. It can be had from buy.com for $155.

Cisco 1600

[KenFury]

Why screw around? If you are serious about this spend $50 extra and get a used router off e-bay. You can get a 1600 series with 2 ethernet ports of around $225 plus shipping. You get a real router, a little experience with cisco kit and with the GUI config even my dad could set this up.

Re:Old PC

[Rick+the+Red]

From a cost standpoint, I just bought a 99 dollar linksys router for about 45 after some clever rebates and amazon coupons.

I may be dead wrong here, because I set up my 486/133 Coyote Linux/Seawall box over a year ago and haven't looked at dedicated firewalls since, but at that time the old PC was far cheaper for one simple reason: no upgrade costs to add more PCs to your local network.

The dedicated firewalls of one year ago served you 3 or 4 local IP addresses and charged big bucks for the "right" to use additional local IP addresses. They were going for the 'service subscription' business model over 'make money on the hardware'. That sucks. I'll be damned if I'll pay $250 or even $50 for a firewall that doesn't cover 255 local IP addresses (reserving one for itself). I hope you bought a model without such artificial limitations, and if you did then you got a great deal. Which Linksys did you buy?

But get the current firmware and set the password

[Animats]

The Linksys home-sized routers aren't bad if you have current firmware, but firmware from the first half of 2000 crashes frequently.

Also, and I cannot overemphasize this, set the password. Not only are Linksys routers administered via a web interface, and attackable that way, they accept firmware downloads via TFTP, and will accept a firmware download from the WAN side. So an attacker can patch the thing remotely if it's not secured.

Experiences

[lanner]

I am a CCNA and CCNP, I work with networking equipment for a living.

A friend recently bought a Netgear MR314. It seemed okay. I rather like using my unix box to do filtering, mail, and other stuff, so I would never use one of these boxes. The http interface was fairly nice and easy to follow. Easy is good for networking novices.

One problem that I encountered was the telnet support. This one had me calling their support department, not that they helped any. They command line will only accept 8 character hostnames. My friend had a 10 character @Home hostname for his authentication, and the only way to enter it was through the http interface. That sucked. Telnet is not intuitive, like Cisco IOS, but not horribly horrible.

The MR314 is overall a good router, but I like more powerful stuff. The wireless interface was good. The construction of the box was very nice -- we took it apart. I think that it was using a Motorola processor.

I have also dealt with the Cisco 600, 700, and 800 series routers in my time. They are pretty decent. I wish that the CBOS would allow for access lists greater than 18 (or is it 16?) lines. They take set, show, and debug style commands. Pretty intuitive. Upgrading the OS on them is easy. They can do NAT and PAT very well.

Efficient Networks, formerly Flowpoint, routers are decent. They are command line based, and while help and documentation is really poor, they take some pretty good commands, do good syslogging, and a few other really neat things in their operating system. unfortunately, the commands are cryptic and you have to be a real networking pro to know what they are talking about.

Netopia routers are really great. One of the fantastic features about them is that they do IPSec (DES only, no 3DES)! That is incredible for a router of it's type. They also do GRE tunnels. The next thing up if you want to do IPsec is a small Cisco router or PIX firewall, or a unix box. Netopia's do great system logging and SNMP. Their are configured through a telnet menu interface -- no telnet. They do excellent filtering, but entering filters is sort of a pain. Good construction of the boxes.

A word about Qwest DSL. They only use DMT these days for DSL -- NO CAP. That means that you can no longer use the Cisco 675 on their networks. Use the 678 instead. If you own a 675 and move, you are fscked. I bought a 675 about a year and a half ago, recently moved, and was screwed for $300. I managed to hassle a poor Qwest tech into sending me a 658 at a very steep discount, nearly free -- it took a lot of work and insider knowledge to pull off though. CAP, DMT, and G.lite are like line codes or modem modulation types. They are the analog modulation codes that the DSL interface uses to get it's data across the line. Wrong modulation = no workie.

BTW: Are there linux 2.4 kernel driver for the Intel 2200 DSL NIC? I have two of these things that Qwest sent me, and I would love to use them in my boxen. I do not know of drivers existing though. I need to google that.

Netgear

[AaronW]

I have had very good luck so far with my Netgear fr314. It has excellent logging capabilities and periodically sends all logs and alerts by email. It was easy to set up and allowed me to set up a web server behind the firewall. My main reason for getting it was that I have several computers and don't want to dedicate a computer to just being a firewall.

The Netgear allows me to block all Active X, java, and many cookies (I have Active X blocked for most sites for my roommate's windows computer).

Performance wise it seems pretty good. I havn't noticed any degredation in performance, often downloading at over 400KBps (Kbytes/sec).

It has the option of content filtering, but that's not something I want (except for things like doubleclick.net).

It has many common services already configured and allows for more to be added quite easily.

I wish it allowed some more complicated rules, however. For example, I want to allow some ports to only be accessed from certain IP addresses. I can configure the ports allowed or denied and the IP addresses allowed or denied, but not combinations of both. To handle that I run a secondary firewall on the server which allows more options.

Also, the Netgear is limited to 8 clients without buying an upgrade.

In terms of logging, I am quite impressed. It logs all port scans, attempted accesses to known trojans like netbus, pings of death, and other malicious behavior. It also classifies port scans as either possible or probable.

It also draws only around 10 watts, and here in CA where my electric rate is hitting upwards of 0.20$/kwh,

Re:Priceless -- not quite

[Electrum]

If the monitor isn't running, a computer shouldn't use more than about 10-20W. A hefty power supply is only necessary for an AGP graphics card that uses a lot of power, or when spinning up the disk drives.