Slashdot Mirror


Choosing a Router/Firewall for the Home LAN

Dr. Zowie asks: "How should one choose a router for a home LAN? We just added a few hosts on our home ethernet, which is connected via DSL. There are an amazing number of new entries into the market for routers and even stand-alone firewalls. NetGear, Linksys, SMC, and even Panasonic all have boxen in the $99-$300 range, each of which will do some combination of NAT, routing, source-IP filtering, port filtering, and content filtering."

"It's not at all obvious from the packaging, the web sites, or the drool-proof pamphlets in the boxes which routers will do what. For example, we'd like to pass through packets for our two server machines, and use NAT/DHCP on a third address for the rest of the LAN. Nearly all the boxes advertise that they can do NAT routing, but many don't support NAT and static-IP routing simultaneously.

Die-hards will insist that one should run a standalone box with dual ethernet cards and the appropriate routing goodies -- but these standalone boxes, at 5-15 watts and a couple hundred bucks, seem like a comparatively hassle-free solution. Which one do you use?"

17 of 666 comments

  1. Personally... by ebbv · · Score: 2, Interesting


    My room-mate and I have just what you describe at the end: a P90 running slackware, with telnetd, et al disabled, and two cheap ethernet cards.

    it works amazingly well, had two months of constant service until a power blip caused it to reboot the other day (yeah yeah, i need to get a UPS.)

    It's amazingly cheap (read: nigh-unto free) and quite hassle free in its own right. Not only that, but it's breathtakingly easy to configure and maintain for anyone who probably reads /. with any regularity.
    ...dave

    --

    Think different? I'd be happy if most people would just think...
  2. Re:Old PC by JamesOfTheDesert · · Score: 5, Interesting
    Perhaps, but compared to a dedicated device from D-link or linksys:
    • How much more electricity does this use?
    • How much more heat does this give off?
    • How much more noise does this make?
    • How much more space does this require?
    --

    Java is the blue pill
    Choose the red pill
  3. Re:Old PC by BlackSol · · Score: 2, Interesting

    But for 100-200 bucks it might be a lot less hassle (or time consuming at least) for a home LAN to grab one of these boxes.

    I have used a linksys before and it was darn easy. Don't know about the NAT/Static simultaneous issue though.

    --
    $sig=$1 if($brain =~ /idea\s+(.*)/i);
  4. Another Old PC post! by imadork · · Score: 2, Interesting
    I couldn't agree more with the other posts. Get yourself an old PC, and go nuts.

    Since the poster seemed concerned about power, does anyone know details about how to reduce power consumption on a motherboard? One would assume that, since it is being used as a router, APM Sleep/Suspend is out of the question.

    I recently upgraded the Motherboard in my router (an old 486 w/ Pentium Overdrive) because I eventually want to run Apache on it (and 4MB 30-pin SIMMS are expensive compared to SDRAM!) I got my hands on an AT motherboard with USB (I had to make some "creative modifications" to the case, since the new MB had higher heat-sinks.) I got the lowest-frequency K6 chip I could find, and a cheap 64MB Memory stick. I have no clue how much power it's wasting while I'm here at work, and would be interested in knowing how to reduce it further.

  5. Efficient SpeedStream by DeadMeat+(TM) · · Score: 3, Interesting
    You might want to check out one of the Efficient SpeedStream routers. SWBell ran out of DSL modems and gave us a free SpeedStream 5660 DSL modem/router instead (with the warning that sharing the connection is perfectly legal according to our TOS but won't be supported of course, *nudge nudge wink wink*).

    It's got probably everything you're looking for: NAT, DNS, port forwarding, hardware firewalling, and support for everything from PPPoE to static IPs on the ISP side. Plus it's got a nice HTML interface plus a UNIX-style Telnet interface (with lock-down support, of course) and even support for a serial cable so you can Telnet to it as a dumb terminal if the Ethernet's down. And the documentation, while not super-thorough, isn't drool-proofed. The only real complaint that I have with it is the way the firewall works; it blocks unopened ports if there's no outgoing packet to correspond with incoming ones. This is only a problem if you're serving something, but more software works like a server (as far as the router's concerned) than you may expect; it was a little weird having to manually open up AIM's port so my little brother could use AIM without having to initiate the conversation.

    The main disadvantage is price and availability -- I don't know how easy it is for end users to get their hands on these, and it'll probably run upwards of $300. If you're lucky, your ISP might have some, but I've heard of ISPs giving out these routers with the remote administration password-locked so people don't (ahem) accidentally enable NAT without paying for a static IP first.

  6. Re:Old PC by aozilla · · Score: 5, Interesting
    But with a D-link or linksys:
    • Does it support IPv6?
    • Can you run a dynamic DNS client on it?
    • Can you create a VPN between it and your parents' house?
    • Can you call it with a modem for access from anywhere?
    • Can it act as an answering machine?
    • Can you run a mail server on it?

    Other than IPv6, all the rest can be done with a separate 24/7 machine behind a linksys, but IPv6 tunnels do not work through a linksys on a dynamic IP, at least not with freenet6 or any other IPv6 tunnel service I know. Because of this I've personally been forced to stop using my linksys completely. What we need is an open-source linksys with a bios that can be programmed by the end user. I'd pay $100-200 for such a device.

    --
    ok then your [sic] infringing on my copyright! Could you as [sic] me next time before STEALING my comments for your own?
  7. Which "home router" do I choose? by ogreinside · · Score: 5, Interesting

    Well, doing consulting and having setup a lot of NAT environments across many platforms, I would say that these "all-in-one" solutions are a great idea. That is, however, if you get the right one.

    Certainly the first suggestion I have when I see a home business paying for extra ips, is to take an old machine and setup ip masquerading on a linux box. However, I have found that many people are "scared" of linux, and some don't have dedicated machines. Others want a firewall, public servers, and of course the full web/email site setup. While some businesses look at this as opportunities for recurring fees to unknowledgeable users, I try to lay it all out for the customer. Advantages and disadvantages, ease of administration, power consumption, maintenance. In most cases, customers LOVE the all-in-one solution devices.

    For power users that want to control all aspects of filtering, routing, port forwarding, and hosting, this is not the best option. However, it can be a *good* solution. I have up until recently been a Linksys advocate. It is actually a great product, and can perform NAT, DHCP (may toggle off and use an internal DHCP server), "DMZ" port forwarding, and flashable firmware. However, don't be fooled by the claim that it is a "switch". I spent many hours trying to find out directly from Linksys what some specifications were on the advertised "switch". First of all, it does not have a backplane. Anyone that knows what to look for in a switch, will first want to know how much data can be shared. When there is no backplane in any specs, and the "engineers" at Linksys don't seem to know what you are talking about, one tends to rethink their purchase. There is no mac table, nor is there any way I have seen to find any specifics about how it "switches". Does anybody know what these devices really are? They have to be some sort of "smart" hub. What I have ended up doing, is purchasing NAT/router devices, and separate switches that perform like switches. I have found some D-link and Addtron switches with backplanes and viewable mac tables.

    Also, the only way to configure any options on a Linksys device, is through a web browser. I have been able to use lynx before, but this one particular 8-port switch/router had broken tags in the config. I flashed the firmware, and tried just about every browser, but each time I would get java errors and broken tags. When I called tech support, they told me to take it back to my retailer. What they don't know, is that I had just replaced it, because the firmware flash died halfway through, and fried the device. This is not very reliable IMHO.

    Netgear, however, allows you to telnet in and configure via command-line, which IMHO, is the most important feature of a configurable network device. JetAdmin or telnet for managing HP printers? Are you kidding me? I'll take command-line any day. A low-end cisco device is what we need.

    Are there any other command-line configurable NAT/routers that have actual backplanes for the switching component and have flashable firmware (other than a cisco switch) aimed at this market?

    --
    "The more you suffer, the more it shows you really care, right?" -Offspring
  8. Re:My experience with linksys by ednopantz · · Score: 2, Interesting

    My experience is that if you ever have any kind of technical problems, like the box suddenly not doing anything, forget calling Linksys.

    My 4 port job failed in June, shutting down what was supposed to be a day of building websites at home for a client. No router/DHCP box = no network. Yeah, I could have configured a Win2k network by hand, but who really wants to do that just to hack up some quick and dirty asp pages?

    So I went to their web site, where most support questions refer to the practicalnetworking site. Cute.

    First Linksys jealously guards the tech support number. You have to look for a long time to find it. Then when you call either
    1) it just rings and rings
    2) the phone tree (push 1 for sales, 2 for support) disconnects every time you select support
    3) if the phone tree doesn't just disconnect, it starts over when you select something
    4) if you do talk to someone, you don't get a tech, but someone in the outsourced office in Bangalore, they haven't been trained, they don't know anything about your product, they can't troubleshoot it, the database is down so they can't check on any previous calls you have made about that sorry light blue piece of crap, but they will take your number and they promise that someone from tech support will never, ever call you back.

    In my case, I just bought another one and sent the original c/o of the ceo with a note instructing what orifice it should be inserted into and with what degree of force.

    Were these boxes not handy and cheap, they would have no repeat business. I hated doing it, but just buying another one was the fastest way to get me back up and running (and billing).

  9. Re:Old PC by Anonymous Coward · · Score: 2, Interesting

    This is one of those ideas that sounds real good but often fails in execution.

    I recently bought a $35 no-name P100 PC at auction on EBay thinking I'd create a low-ball Linux-based router/firewall. The PC already had one NIC, 32 MB RAM, and a 500 MB HD. I had a spare NIC in my junk box as well as an unused 15" monitor. Ready to roll, right?

    Well, no. The PC turned out to be a 100 MHz 486, not a Pentium. It'd cost more to ship the damn thing back to the seller than to keep it, so I pressed on. I tried to install Red Hat Linux 7.1 on the system, but Anaconda consistently failed due to a thrown Signal 11. Suspecting some sort of memory problem as the culprit, I tried disabling the processor's external cache, turning off hidden refreshes, and several other things before giving up. A year-old copy of Storm Linux almost installed, but the system consistently froze up at the very end of the install process.

    Yes, I guess I did 'learn' something by this experience. If you intend to run Linux, stay away from old, cheap, no-name hardware. And if you're in a hurry to get something done - like install a firewall - as opposed to fighting hardware/software issues, buy an appliance.

  10. Re:Old Laptop by mfarver · · Score: 5, Interesting

    I found old Pentium laptops to make excellent firewalls. They are a little more pricey than the old PC but they have a few advantages:

    Built in battery backup
    Low power consumption
    Few (if any) noisy fans
    Small, and fit nicely in a rack shelf
    Built in collapsible console

    Look around and you can find one for about the same price as the small NAT routers. The only real shame is they typically only have two PCMCIA slots, so you can't have a DMZ or wireless net interface separate from the internal and external interfaces.

  11. Re:Harddriveless by crucini · · Score: 2, Interesting

    Just open the PS and cut the fan wire. Or immobilize the fan with a cable tie. The fan is not needed when there is no hard disk.

  12. Answer: none of the above by crucini · · Score: 3, Interesting
    Don't buy these dedicated boxes. Use Linux or BSD on an old PC. Others have addressed the technical tradeoffs - I want to address something else. By buying the packaged router, you:
    1. Allow perfectly good computers to go into landfills while you buy the same thing in a different form factor.
    2. Use closed-source software for a security-oriented application, with all that this implies.
    3. Cut off your ability to fine-tune, modify, and learn from your firewall.

    I use Freesco. See other posts for why it's great.
  13. Linux 2.4 iptables... by josepha48 · · Score: 3, Interesting
    If I were to buy a router / firewall, it would be either linksys or netgear. My current hub is netgear. Both are usually UNIX compatible to a degree.

    The biggest advantage to using Linux or even BSD or any other UNIX is that you can configure the firewall as an actual gateway/router/firewall, DMZ whatever you want to make you feel safe on the net.

    iptables is pretty easy and if you already understand ipchains going to tables makes things easier, as you can specify an interface to forward from and to: -i eth0 -o eth1 kinda thing...

    --

    Only 'flamers' flame!
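The Linux-on-an-old-PC gateway several posters recommend, worked through as an added example (not any commenter's code) against the setup in the question: the LAN behind NAT, with ports published to two internal servers by DNAT (the port-forwarding approach the Linksys users describe, rather than routing public addresses through), plus the stateful core described in comment 5 where unsolicited inbound packets are dropped. Interface names, the 192.168.1.0/24 subnet and the server addresses are constructed assumptions.

```shell
#!/bin/sh
# Added example (not any poster's code): a stateful dual-NIC Linux gateway that does
# what the question asks for, NAT for the LAN plus published ports for two internal
# servers, as one iptables ruleset. All names/addresses below are constructed.
WAN=eth0                 # interface facing the DSL modem
LAN=eth1                 # interface facing the home LAN
LAN_NET=192.168.1.0/24
WEB=192.168.1.10         # internal web server (80/443)
MAIL=192.168.1.20        # internal mail server (25)

# Emit the complete ruleset in iptables-restore syntax on stdout.
build_rules() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Published services: rewrite the destination to the internal servers
-A PREROUTING -i $WAN -p tcp -m multiport --dports 80,443 -j DNAT --to-destination $WEB
-A PREROUTING -i $WAN -p tcp --dport 25 -j DNAT --to-destination $MAIL
# Everything else on the LAN shares the gateway's (possibly dynamic) address
-A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN -p tcp --dport 22 -j ACCEPT
# Anti-spoofing: a LAN source address must never arrive on the WAN side
-A FORWARD -i $WAN -s $LAN_NET -j DROP
# Stateful core: replies flow back, new connections only LAN -> WAN ...
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN -o $WAN -j ACCEPT
# ... or WAN -> the published ports (destination already rewritten by DNAT)
-A FORWARD -i $WAN -o $LAN -d $WEB -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $WAN -o $LAN -d $MAIL -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Number of -A rules: a quick sanity check before loading anything.
rule_count() { build_rules | grep -c '^-A '; }

# Enable forwarding and load the ruleset atomically (run as root).
apply_rules() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    build_rules | iptables-restore
}
```

Nothing touches the kernel until `apply_rules` is called; `build_rules` alone prints the ruleset for review, and the SSH rule is the only way into the box itself, from the LAN side only.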

  14. Funny, I just did this 2 days ago... by greebly · · Score: 2, Interesting
    I built a new computer for my brother, and got his old K6-200. I used an old 3.2G hdd I had lying around, added a network card, and installed FreeBSD 4.3. I set the 2 cards up in Bridge mode and built a kernel to use IP Firewall. I get stateful filtering, and pretty much a fully transparent (stealth) firewall that I can have multiple machines behind. My cost? $14 for a network card...

    Granted, I had a lot of old hardware, but it cost me next to nothing either way. As for power consumption, there's no floppy, no cdrom, no keyboard or mouse or monitor connected, bupkus. There's not much power consumption there. It may not be as little as 15 or 30 watts, but it's a small enough amount that I'll use this happily.

    --
    Do not meddle in the affairs of dragons, for you are crunchy, and taste good with ketchup.
  15. Check out LEAF by dexsun · · Score: 2, Interesting

    LEAF, the Linux Embedded Appliance Firewall project is pretty sweet. I built one in about an hour using old pc pieces that I had lying around (p75, 48mb of RAM, 2 NICs, and a floppy drive.) Check out the site on sourceforge.
    --Andy

  16. the router / firewall I use by CmdrPinkTaco · · Score: 3, Interesting

    http://www.linksys.com/products/product.asp?prid=142&grid=5

    IIRC it will forward up to 10 (maybe it's 20) ports to any computer internally. It is fairly configurable. Allows for static or DHCP internally (as a server and a client). And for $99 it is tough to beat. Sure you can get a POS Linux / *BSD box, but this worked for me literally out of the box. DISCLAIMER: I don't claim to be a huge power user, but for what I use it for (firewalling and forwarding of web, mail and ftp ports) it is ideal and it is simple. Here at my office, I wouldn't think of using something like this on our network, but it does quite nicely for a home user who is concerned about security and just wants more blinking lights :)

    --
    Please give your mod points to others, I'm at the cap. They will appreciate it more
  17. Dynamic DNS with Linksys router howto... by raygundan · · Score: 3, Interesting

    I'm doing dynamic DNS with the Linksys 4-port router. There's a python script called ipcheck for this that supports devices from Linksys, Netgear, Draytek, Netopia, HawkingTech, WatchGuard, Cayman, Nexland, ZyXEL, SMC, Compex, UgatePlus, DLink and Cisco. That should about cover it...

    Just set it up to run with a cron job, and if your IP has changed, it will be updated. With the linksys router, it doesn't even need an external CGI to detect your IP address-- it can query the router. I'm sure some of the other units have similar functionality, too, but my experience is only with the linksys.