Slashdot Mirror


Choosing a Router/Firewall for the Home LAN

Dr. Zowie asks: "How should one choose a router for a home LAN? We just added a few hosts on our home ethernet, which is connected via DSL. There are an amazing number of new entries into the market for routers and even stand-alone firewalls. NetGear, Linksys, SMC, and even Panasonic all have boxen in the $99-$300 range, each of which will do some combination of NAT, routing, source-IP filtering, port filtering, and content filtering."

"It's not at all obvious from the packaging, the web sites, or the drool-proof pamphlets in the boxes which routers will do what. For example, we'd like to pass through packets for our two server machines, and use NAT/DHCP on a third address for the rest of the LAN. Nearly all the boxes advertise that they can do NAT routing, but many don't support NAT and static-IP routing simultaneously.

Die-hards will insist that one should run a standalone box with dual ethernet cards and the appropriate routing goodies -- but these standalone boxes, at 5-15 watts and a couple hundred bucks, seem like a comparatively hassle-free solution. Which one do you use?"

188 of 666 comments

  1. Old PC by Luke · · Score: 2, Informative

    Find an old, cheap PC, get two old netcards, and put OpenBSD on it. Plus you'll need a hub or switch. Simple and secure.

    1. Re:Old PC by b0r1s · · Score: 2, Troll

      yea, that's secure, but it's nowhere near as simple or as inexpensive ...

      openbsd will allow you to have a firewall, and it will handle dhcp/nat/etc for you, but you'll have to configure it. That isn't hard, especially for people who read this site, but it's harder than plugging in a router and configuring it via web interface...

      From a cost standpoint, I just bought a 99 dollar linksys router for about 45 after some clever rebates and amazon coupons. Go ahead and tell me what kind of hardware you can buy to run a *bsd router for that much money. I don't think you can even get a small hard drive for that price.

      So, yes, congratulations on your first post, but you're wrong. typical.

      --
      Mooniacs for iOS and Android
    2. Re:Old PC by JamesOfTheDesert · · Score: 5, Interesting
      Perhaps, but compared to a dedicated device from D-link or linksys:
      • How much more electricity does this use?
      • How much more heat does this give off?
      • How much more noise does this make?
      • How much more space does this require?
      --

      Java is the blue pill
      Choose the red pill
    3. Re:Old PC by BlackSol · · Score: 2, Interesting

      But for 100-200 bucks it might be a lot less hassle (or time consuming at least) for a home LAN to grab one of these boxes.

      I have used a linksys before and it was darn easy. Don't know about the NAT/Static simultaneous issue though.

      --
      $sig=$1 if($brain =~ /idea\s+(.*)/i);
    4. Re:Old PC by Reality+Master+101 · · Score: 2

      I don't recommend that if you have high-speed access like a Cable modem. I run Linux on a P/II 266 using NAT, and I get 300 KBytes/second on the Linux box, and about 180 KBytes on the rest of my network. This is one of the major reasons I'm planning on upgrading my Linux box.

      --
      Sometimes it's best to just let stupid people be stupid.
    5. Re:Old PC by Luke · · Score: 2

      your bottlenecks are the internet itself, followed by your Cable ISP, followed by the cable use in your neighborhood since it's shared.

      if they're worried about performance get a P-100, which will probably be just as cheap. but that's overkill, really.

    6. Re:Old PC by Zwack · · Score: 2

      "So, yes, congratulations on your first post, but you're wrong. typical."

      Hmmm... $45 for a machine... let me see... Cheap network cards can be had new for around $10... I can get a working 486 from the goodwill down the road from me for anything from $5 to $30...

      So I guess I could get a 486 with two network cards for $45 or under. Possibly even in a slimline case

      Not new equipment, but it's up to the task.

      Z.

      --
      -- Under/Overrated is meta-moderation, and therefore is Redundant.
    7. Re:Old PC by Anonymous Coward · · Score: 2, Insightful

      When the packets pass through your linux box, the biggest problem would be ISA NICs (if you have them). Then you have collision, EFI/RFI, and NEXT (especially if you made the cable yourself improperly). It's not that you have a slow machine modifying your headers that are entering your network, it's the hardware you're using. I've got a P90 w/ 32ram using NAT off a ramdisk booted off a floppy. No significant loss in speed there.

    8. Re:Old PC by elmegil · · Score: 2

      Bah. I have a 486DX100 with two NE2k cards, and a floppy version of Coyote Linux (firewall only, based on the Linux Router Project), and I get full bandwidth with my DSL just dandy. I don't even have a hard drive to make noise and generate heat.

      --
      7 November 2006: The day Americans realized corruption and incompetence weren't addressing 11 September 2001
    9. Re:Old PC by elmegil · · Score: 2
      I can't speak for electricity, but I have a 486 running Coyote Linux (based on LRP and in my experience easier to set up). There's no hard drive to generate heat or make noise. The only noises are when the thing boots, which is pretty much only when I have power outages. It does take more space than a dedicated box, but since I had the hardware lying around (except for the network cards, and they weren't expensive) it was pretty much a no brainer.

      If I hadn't had the hardware, I'd probably have sprung for a dedicated device, but mostly due to convenience, not the other issues you raise. It is easier to manage a box with a browser than command line editors (Coyote doesn't even include vi :-).

      --
      7 November 2006: The day Americans realized corruption and incompetence weren't addressing 11 September 2001
    10. Re:Old PC by Luke · · Score: 3, Informative

      OpenBSD Networking Setup

      OpenBSD has excellent documentation and FAQs. Just be sure to read, and re-read so you understand what's going on.

    11. Re:Old PC by tshak · · Score: 2

      Okay, so I can get cheap, poor performing, barely compatible $10 NICs to run EVERY PACKET of traffic through? I thought when you set up a firewall that you wanted both NICs to be TOP NOTCH. A decent 3COM or Intel NIC can not be found (easily) for $10. I'm sure the performance of these units (NIC and system) are much faster than a 486 with two cheap NICs as well. I'd rather pay a few bucks more for less power consumption, better performance, and way less hassle.

      --

      There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
    12. Re:Old PC by aozilla · · Score: 5, Interesting
      But with a D-link or linksys:
      • Does it support IPv6?
      • Can you run a dynamic DNS client on it?
      • Can you create a VPN between it and your parents' house?
      • Can you call it with a modem for access from anywhere?
      • Can it act as an answering machine?
      • Can you run a mail server on it?

      Other than IPv6, all the rest can be done with a separate 24/7 machine behind a linksys, but IPv6 tunnels do not work through a linksys on a dynamic IP, at least not with freenet6 or any other IPv6 tunnel service I know. Because of this I've personally been forced to stop using my linksys completely. What we need is an open-source linksys with a bios that can be programmed by the end user. I'd pay $100-200 for such a device.

      --
      ok then your [sic] infringing on my copyright! Could you as [sic] me next time before STEALING my comments for your own?
    13. Re:Old PC by gmhowell · · Score: 2

      Not much more electricity if you find a small power supply and underclock the chip.

      Not much heat. Remember, that D-Link thing uses a transformer which gets good and toasty.

      Not much more noise. Put some dynamat on the inside of the case or some other sound insulation. And remember, you are underclocking/using an old chip, so passive cooling is okay. The only moderate noise is from the HD.

      I will grant you the space. But it's possible to find dinky cabinets.

      Still, if the firewall portion is good, it might be a better bet to get one, because while the issues you raise can be overcome, unless you like to tinker, it's easier to just buy the little box and be done with it.

      --
      Jesus was all right but his disciples were thick and ordinary. -John Lennon
    14. Re:Old PC by hardburn · · Score: 2, Informative

      There is a place in my town where the local state and university departments drop off their old equipment. I picked up a P133 (32 MB RAM, 2.1 GB hard drive, AWE sound card) for $35, and they were selling 10/100 NICs for $3 apiece. That is $41 for a computer which is way more powerful than what is needed here.

      Note that this same place went through some restructurings a few months ago; before that they were much cheaper. I have a complete 486 DX/4 100 system (8 MB RAM, 200 MB hard drive) which was $5. It came in one of those massive full-tower cases, which I then sold on eBay (the case alone) for around $50. Ten to one profit margins are nice :)

      --
      Not a typewriter
    15. Re:Old PC by Zwack · · Score: 3, Informative

      "A decent 3COM or Intel NIC can not be found (easily) for $10."

      I won't argue as to whether 3com NICs are decent, but I have bought second hand 3com cards before for much less than ten dollars.

      As an AC posted, a non-decent network card can easily take the load of a T1... A T1 is nowhere near the bandwidth of a 10BaseT network.

      Not every packet will travel through the firewall anyway. Some will be locally routed. Some will be stopped by the firewall.

      Most importantly, the poster was looking for a way of doing NAT on some addresses and passing others through. I haven't seen one of these little boxes allow that from the ones I've used/looked at. That's not to say that there aren't any... But if there aren't then for the features that we are talking about a cheap 486 WILL outperform a standalone box that can't do what is being asked for.

      Z.

      --
      -- Under/Overrated is meta-moderation, and therefore is Redundant.
    16. Re:Old PC by tewwetruggur · · Score: 2
      my old 486 is simply shoved down in the basement, where heat is not an issue, it doesn't use much power, especially since the monitor is almost never on, it's underneath a workbench, so space is negligible, and it's not near me, so noise isn't an issue either.

      plus, it was a box rescued from the trash heap with spare parts from other dead boxes, making it 100% free - with the exception of the time I put into putting it together.

      --
      Hi! This is the Sig, blatantly attached to the end of this comment.
    17. Re:Old PC by Anonymous Coward · · Score: 2, Interesting

      This is one of those ideas that sounds real good but often fails in execution.

      I recently bought a $35 no-name P100 PC at auction on eBay thinking I'd create a low-ball Linux-based router/firewall. The PC already had one NIC, 32 MB RAM, and a 500 MB HD. I had a spare NIC in my junk box as well as an unused 15" monitor. Ready to roll, right?

      Well, no. The PC turned out to be a 100 MHz 486, not a Pentium. It'd cost more to ship the damn thing back to the seller than to keep it, so I pressed on. I tried to install Red Hat Linux 7.1 on the system, but Anaconda consistently failed due to a thrown Signal 11. Suspecting some sort of memory problem as the culprit, I tried disabling the processor's external cache, turning off hidden refreshes, and several other things before giving up. A year-old copy of Storm Linux almost installed, but the system consistently froze up at the very end of the install process.

      Yes, I guess I did 'learn' something by this experience. If you intend to run Linux, stay away from old, cheap, no-name hardware. And if you're in a hurry to get something done - like install a firewall - as opposed to fighting hardware/software issues, buy an appliance.

    18. Re:Old PC by Zwack · · Score: 2

      Nor do I feel that I needed to include the cost of a hub. He talks about having a lan already.

      If he doesn't have a switch/hub yet then he probably doesn't need one (coax?) If he does have a switch/hub then he doesn't need to buy one either.

      So, given that he has ethernet out of his DSL router (one port) and a cross over cable (most DSL routers come with one included) and a hub then all he needs to do is plug the cross over cable into the DSL router. Plug the other end into the 486 firewall, and plug the other card of the 486 into the hub he already has.

      Z.

      --
      -- Under/Overrated is meta-moderation, and therefore is Redundant.
    19. Re:Old PC by Chelloveck · · Score: 2
      A cheap $10 nic can easily handle a T1 full of traffic with a latency of a few milliseconds, and I doubt you have a T1.

      Right. A full T1 is only 1.5 Mbps, remember. At best, cable is about that downstream and no more than half that upstream. It doesn't take a whole lot of horsepower to route at that speed.

      I did notice a speed improvement when I upgraded my firewall machine from a 386/33 to a Pentium/133. But that was just from the CPU increase; the NICs were just moved over to the new machine.

      All hail the NE2000 clones! I had at least one honest-to-goodness Novell NE1000 (yes, one thousand) on my network too. Now I have a box full of these old, cheap cards. Wonder what I'd get for them on eBay?

      --
      Chelloveck
      I give up on debugging. From now on, SIGSEGV is a feature.
    20. Re:Old PC by donpardo · · Score: 2, Informative

      Try floppyfw also.

      This would have been a very short post except for the stinking lameness filter which has forced me to add this text in an effort to overcome the stinking lameness filter. I thought that was what moderators were for.

      --
      Nothing to see here. Move along.
    21. Re:Old PC by IronChef · · Score: 5, Insightful

      But you also need to know OpenBSD. People who are not interested in being sysadmins have a right to NAT too!

      There are also people who do not want to, or do not know HOW to assemble a cheap PC from parts. There is no shame in a "black box" solution.

    22. Re:Old PC by Zaknafein500 · · Score: 3, Informative

      NAT on some addresses and passing others through. I haven't seen one of these little boxes allow that from the ones I've used/looked at

      It sounds like what the poster was needing is just something to do portforwarding. For most server applications, except DNS and possibly passive FTP, just forwarding whatever service you are needing to run on the internal machines from the firewall works extremely well. I know every Netgear Cable/DSL router I have ever used has this ability, and I assume the Linksys boxes will as well. These boxes will also allow you to assign some boxes via DHCP and some static.

      Now, if you need routable addresses to internal machines, you are going to have to look beyond home routers. I have yet to see any that will allow you to do a combination of 1:1 NAT/IP masq. Of course, this setup shouldn't be difficult to accomplish with a small *nix router.

      --

      "The guide is definitive, reality is frequently inaccurate."
    23. Re:Old PC by Zwack · · Score: 2

      It sounds like what the poster was needing is just something to do portforwarding.

      Maybe, maybe not...

      Imagine this scenario... You have a mail server and a web server on different boxes. You wish to run a web server on your mail server so that you can use some webmail software when you are not capable of using a standalone mail client.

      Now, do you portforward port 80 to the web server or the mail server?

      There are other solutions, but portforwarding wouldn't help here.

      Z.

      --
      -- Under/Overrated is meta-moderation, and therefore is Redundant.
    24. Re:Old PC by Manitcor · · Score: 5, Insightful

      I think you are missing the point. Yes it may be the best solution to set up a PC. The person asking the question however wants to know which out of the box solution is best. Not what do-it-yourself solution is best.

      How is it so many smart people have so much trouble reading?

      --
      "Don't mess with him, he taunts the happy fun ball."
    25. Re:Old PC by DrSkwid · · Score: 2

      what a useless idea

      old pcs are noisy, big and unreliable

      AND you've got to buy a switch!

      for £150 get the linksys, 253 dhcp, NAT, DMZ, port forwarding AND it's a 4 port 10/100 switch

      jeeps for £125 you can get an 802.11b one!

      --
      There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
    26. Re:Old PC by Oztun · · Score: 2

      I share several PC's through my OpenBSD firewall and get 300KB with no problem. Same speed I get if I hook up a machine directly.

    27. Re:Old PC by ChuckX · · Score: 2, Informative

      Right. A full T1 is only 1.5 Mbps, remember. At best, cable is about that downstream and no more than half that upstream.

      I work for RoadRunner in Kansas City and our modems are capped at 2.0 megabits/sec downstream and 384 kilobits/sec upstream. At least here in KC, downstream you're getting > T1 speeds.
    28. Re:Old PC by Zaknafein500 · · Score: 2

      All hail the NE2000 clones! I had at least one honest-to-goodness Novell NE1000 (yes, one thousand) on my network too. Now I have a box full of these old, cheap cards. Wonder what I'd get for them on eBay?

      I'll have to agree with you on this point. I have had endless trouble with supposed "plug-and-play" NICs. NE2k clones, OTOH, seem to work almost universally. Just set the hardware jumpers to an IO/IRQ setup that fits in your machine, plug it in, spend about 15 seconds editing config files, and they Just Work. You can't beat NE NICs for universal compatibility, and yes, they are dirt cheap.

      --

      "The guide is definitive, reality is frequently inaccurate."
    29. Re:Old PC by Rick+the+Red · · Score: 3, Informative
      From a cost standpoint, I just bought a 99 dollar linksys router for about 45 after some clever rebates and amazon coupons.

      I may be dead wrong here, because I set up my 486/133 Coyote Linux/Seawall box over a year ago and haven't looked at dedicated firewalls since, but at that time the old PC was far cheaper for one simple reason: no upgrade costs to add more PCs to your local network.

      The dedicated firewalls of one year ago served you 3 or 4 local IP addresses and charged big bucks for the "right" to use additional local IP addresses. They were going for the 'service subscription' business model over 'make money on the hardware'. That sucks. I'll be damned if I'll pay $250 or even $50 for a firewall that doesn't cover 255 local IP addresses (reserving one for itself). I hope you bought a model without such artificial limitations, and if you did then you got a great deal. Which Linksys did you buy?

      --
      If all this should have a reason, we would be the last to know.
    30. Re:Old PC by Old+Wolf · · Score: 2

      Does the routing work well, and support portforwarding?

      I've spent dozens of hours trying to get LRP working, and it's still rather scratchy and ipmasqadm doesn't work (2.9.8 with 2.2.16). Nobody is supporting it anymore; and the other similar distros (LOAF, floppyfw, etc.) don't have NAT and portforwarding at all.

      I would have thought that LRP etc. was something that more people would have an interest in maintaining..

    31. Re:Old PC by Tassach · · Score: 2

      So, run the second webserver on another port like 1080. You can still access it by specifying the port number in the URL. EG: http://www.myhost.com points to your regular web server, http://www.myhost.com:1080 points to the webmail server. You can also create a cname record (or an A record, for that matter) for webmail.myhost.com, and then use virtual hosting and redirects to have the main web server hand off requests using the webmail prefix to the second web server. In order to have both web servers on port 80, you would need a second IP address from your ISP. If you need more complex routing than basic 1:N NAT and port forwarding, get a real router and not a consumer product.

      --
      Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?
    32. Re:Old PC by Zwack · · Score: 2

      There are circumstances where this won't work...

      You visit a site that doesn't allow anything but port 80... I've worked at one such site.

      Imagine I had said allow ssh to both servers from externally. How are you going to do that? saying "use a different port" doesn't always work.

      From what was said this guy has 3 IP addresses at least. He wants to use two for servers and one for NAT.

      And a PC can be "a real router"...

      Z.

      --
      -- Under/Overrated is meta-moderation, and therefore is Redundant.
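
Added example, not from any poster in the thread: the mix several comments above describe (two public addresses mapped 1:1 to servers, a third shared by the rest of the LAN via NAT), written as a script that emits an iptables-restore ruleset for a Linux router. Interface names, the 203.0.113.x and 192.168.1.x addresses and the port lists are constructed assumptions.

```shell
#!/bin/sh
# Added example: emits an iptables-restore ruleset for a Linux router that does
# 1:1 NAT for two servers and shares a third public address with the rest of
# the LAN. All addresses and interface names are constructed assumptions.

WAN_IF=eth0               # assumption: interface facing the DSL modem
LAN_IF=eth1               # assumption: interface facing the home LAN
LAN_NET=192.168.1.0/24    # assumption: private range used on the LAN
NAT_IP=203.0.113.10       # public address shared by the non-server hosts
# One entry per server: public_ip=private_ip:tcp_port[,tcp_port...]
# The router must also answer for these public addresses on $WAN_IF
# (for example as secondary addresses on that interface).
SERVERS="203.0.113.11=192.168.1.11:22,80 203.0.113.12=192.168.1.12:22,25,80"

# Shape check only: four dot-separated groups of one to three digits.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Split one SERVERS entry into $pub, $priv and $ports; fail on malformed input.
parse_entry() {
    pub=${1%%=*}; rest=${1#*=}
    priv=${rest%%:*}; ports=${rest#*:}
    is_ipv4 "$pub" && is_ipv4 "$priv" || return 1
    printf '%s\n' "$ports" | grep -Eq '^[0-9]+(,[0-9]+)*$'
}

gen_ruleset() {
    # Validate everything first so a typo never yields a half-written ruleset.
    for entry in $SERVERS; do
        parse_entry "$entry" || { echo "bad server entry: $entry" >&2; return 1; }
    done

    echo '*nat'
    echo ':PREROUTING ACCEPT [0:0]'
    echo ':POSTROUTING ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    for entry in $SERVERS; do
        parse_entry "$entry"
        # 1:1 mapping: inbound to the public address goes to the server, and
        # the server's own outbound traffic leaves with that same address.
        echo "-A PREROUTING -i $WAN_IF -d $pub -j DNAT --to-destination $priv"
        echo "-A POSTROUTING -o $WAN_IF -s $priv -j SNAT --to-source $pub"
    done
    # Catch-all for everyone else. First match wins, so this must come after
    # the per-server SNAT rules or the servers would leave as $NAT_IP too.
    echo "-A POSTROUTING -o $WAN_IF -s $LAN_NET -j SNAT --to-source $NAT_IP"
    echo 'COMMIT'

    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # Traffic to the router itself: loopback, replies, and the LAN side only.
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo "-A INPUT -i $LAN_IF -j ACCEPT"
    # Routed traffic: replies, anything the LAN initiates, and from outside
    # only new connections to each server's listed ports.
    echo '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo "-A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT"
    for entry in $SERVERS; do
        parse_entry "$entry"
        # After DNAT the destination seen here is the private address.
        echo "-A FORWARD -i $WAN_IF -o $LAN_IF -d $priv -p tcp -m multiport --dports $ports -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo 'COMMIT'
}

# Print the ruleset; nothing is loaded into the kernel by this script.
gen_ruleset
```

The output can be checked with `iptables-restore --test` before it is loaded for real.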
    33. Re:Old PC by ncc74656 · · Score: 2
      I've heard 386 33Mhz will do the job.
      It will...I set up a 386SX-25 with a couple of NE2K clones and an LRP boot floppy for a customer who had the machine collecting dust in a warehouse. It has no problems keeping up with a cable-modem connection. If it goes haywire, all they need to do to get it going is shut it off, turn it back on, and wait 5 minutes for it to start up.
      --
      20 January 2017: the End of an Error.
    34. Re:Old PC by ncc74656 · · Score: 2
      I've spent dozens of hours trying to get LRP working, and it's still rather scratchy and ipmasqadm doesn't work (2.9.8 with 2.2.16). Nobody is supporting it anymore; and the other similar distros (LOAF, floppyfw, etc.) don't have NAT and portforwarding at all.
      Try out Coyote Linux...I had to scratch together a temporary firewall when the motherboard in our normal firewall box crapped out. It has a Windows-based configurator that assembles a boot disk with ipmasq, a DHCP client, and whatever else you might need for your connection. It's much simpler to get going than plain LRP, and it got the job done until the firewall computer was fixed.
      --
      20 January 2017: the End of an Error.
    35. Re:Old PC by Rick+the+Red · · Score: 2
      I think you misunderstand. Rather than pay the cable/dsl company for additional global IP addresses, you had to pay the firewall people for additional local IP addresses (192.168.x.x type addresses). Some are still at it (half-way down the page: "Network up to 10 computers together (upgradable to 50)").

      Faced with $500 for a solution with a built-in limitation or $200 for an old 486 running Linux, I chose Linux. As I said, things may have changed in the last year and Linksys may now provision up to 255 PCs for no extra cost, in which case I have no idea why anyone would buy the WatchGuard SOHO product.

      --
      If all this should have a reason, we would be the last to know.
    36. Re:Old PC by __aaahtg7394 · · Score: 2

      that was my point. it should be a bit over that, because it was actually 1.something Mb SDSL. see the "bit" in "megaBIT"? yah... that's what i'm talking about.

      i actually know that 56K modems don't connect at full 56Kbps, too!

      you need to start on some downers or something... you're edgy.

    37. Re:Old PC by __aaahtg7394 · · Score: 2

      it _was_ really good latency for a time. telocity. 50$/mo. telocity has since gone under, but i also moved out of coverage area.

      now on us-worst, er, qwest 640/240, which is a bitch. and it's ~55$/mo iirc.

  2. A Good Source of Info by rcatarella · · Score: 5, Informative

    Practically Networked
    All kinds of good information and reviews on exactly what you're looking for.

    1. Re:A Good Source of Info by scruffy · · Score: 2

      I agree this is a good site. I ended up getting an SMC Barricade, which has worked pretty well. The only thing that has been flaky is NNTP VPN, but most of the problems with that have been with flaky software and proper configuration rather than the Barricade.

  3. Personally... by ebbv · · Score: 2, Interesting


    my room-mate and I have just what you describe at the end... a P90 running slackware, with telnetd, et al disabled, and two cheap ethernet cards.

    it works amazingly well, had two months of constant service until a power blip caused it to reboot the other day (yeah yeah, i need to get a UPS.)

    it's amazingly cheap (read: nigh-unto free) and quite hassle free in its own right. not only that but it's breath-takingly easy to configure and maintain for anyone who probably reads /. with any regularity.
    ...dave

    --

    Think different? I'd be happy if most people would just think...
  4. I personally by B00yah · · Score: 2

    found a cheap pentium 90 with 100 megs of ram and a 300 meg hard drive...all I had to do was go get a $5 network card (instant rebate), and install a minimal Slackware install, took 2 hours total time...total cost : $25

  5. and the winner still is by Lxy · · Score: 2

    that 486 you have in the corner collecting dust. I think the idea of spending $100+ on a box that does nothing more than firewall is ridiculous. Why not spend something like $30 to dig up a small machine with a small hard disk (or use LRP). I've got a LAN set up with any OS you'd want, and a small Debian box that does NAT, ip forwarding, firewalling, the works.

    That being said, is there any sort of config utility for IPtables that runs on Apache? These stupid little Linksys/Netgear/etc firewall thingies have web interfaces. People like them. I can go and tweak out my iptables stuff but too many admins would prefer not to. Is there any good solution?

    --

    There is no reasonable defense against an idiot with an agenda
    :wq
    1. Re:and the winner still is by krokodil · · Score: 4, Informative

      > I can go and tweak out my iptables stuff but too
      > many admins would prefer not to. Is there any
      > good solution?

      Try Firewall Builder: http://www.fwbuilder.org/

    2. Re:and the winner still is by Anonymous Coward · · Score: 2, Informative

      Try smoothwall at www.smoothwall.org. It is a sweet linux based firewall and is configured through a really nice web interface.

    3. Re:and the winner still is by rho · · Score: 2

      That 486 in the corner gathering dust is also a huge amperage sink, and is more likely to have bizarro hardware that has really crummy driver support.

      Plus, you now have to learn the intricacies of firewalling -- and if you get rooted, you now have to spend some more time trying to figure out what went wrong.

      I'd rather pay some company $100 or so and let them figure it out -- all I have to do is keep the firmware updated.

      --
      Potato chips are a by-yourself food.
    4. Re:and the winner still is by bluGill · · Score: 2

      486? Mine is a 386, bought in August of 91. Still boots from the original 80 mb harddrive. (everyone else was buying 40 mb harddrives at the time and finding them too small, so we went with 80)

      Works great, survived y2k. I keep waiting for it to die and wondering if it will be worth the bother of fixing. I hope it keeps running though. I have better things to spend money on.

  6. My experience by krokodil · · Score: 4, Informative

    Linksys are OK but quite limited in their functionality. I am using it and quite happy.

    SOHOWARE sucks big time - buggy and unreliable. Do not believe words about "Stateful Packet Inspection" - even if it does it you could not use it.

    What I really want to see is SNMP management for such devices. Unfortunately, best they could do is read-only SNMP access.

  7. What do you need the most? by nairnr · · Score: 2, Informative

    It depends on what you need the most. I like having a full machine with 2 NICs as my firewall as it is the most configurable and can be modified to meet my needs. I run a little webserver with database and I can open up pop, and other services on a whim. Once you get a firewall box, you are limited somewhat by what you can do, and if you want to put up any other services, you will need to tunnel to another machine anyway..

    I expect for the average SOHO, all they want is connectivity, rather than the ability to do everything...

  8. old pc is the way to go by wagner · · Score: 2, Insightful

    old p90, 3 ethernet cards and one wireless card. 2 hubs, one for my apartment, and the other for the first and third floor apartments. the wireless gw works everywhere in the house.
    the old pc offers the most flexibility. ours has been running in a closet for over a year now.

  9. Take a look at Smoothwall, perhaps? by King_TJ · · Score: 5, Informative

    http://www.smoothwall.com should get you to the main product page. It's a freeware GPL firewall running Linux, but designed for ease of installation and administration via a web browser afterwards. The new version 0.99 is due for release any day now, and the beta of 0.99 works quite well for me.

    Since most people have an old 486 or Pentium lying around, the cost to set this up is next to nothing - and it has features the hardware firewall/router boxes don't include. (EG. Ability to auto-update your dynamic IP with the dyndns.org service and "snort" to log hack attempts with details on what was attempted.)

    1. Re:Take a look at Smoothwall, perhaps? by Telecommando · · Score: 5, Informative

      I think you mean http://www.smoothwall.org

      www.smoothwall.com is a real estate site.

      --
      Beta sux! Join the Slashcott! http://hardware.slashdot.org/comments.pl?sid=4760465&cid=46173047
  10. Linksys support is iffy by coyote-san · · Score: 2

    I like my Linksys hub/router, but the support has been downright hostile once I mentioned I run Linux. Like it matters - it's an entirely separate device configured through web pages. But like many of us, I usually run with javascript disabled and their pages provide no indication of why the router can be nonresponsive.

    As for the suggestion that you run an old box, please, give it up. If it works for you, great, but I switched from a box to a hub because of power consumption, noise, floor space, etc. Except for those hassles with javascript, I haven't regretted this decision.

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
    1. Re:Linksys support is iffy by Glytch · · Score: 2

      Agreed. And being able to install Junkbuster on the firewall box is another plus. All the traffic is going through that box anyway, so might as well kill two birds with one stone.

      Of course, I live in a large house in an area with cheap electricity, so someone else might not use this solution. Getting some good use out of my old, perfectly functional Compaq Presario 486, though.

  11. Here's what I have. by The+Slashdolt · · Score: 3, Informative

    I have 5 computers connected to the internet in my in-home LAN right now. My router/firewall/gateway is a 166MHZ linux box running redhat 6.0. I've been running this setup for about two years, upgrading as necessary. Using IP masquerading this is all very simple and with IP Chains, you can set up any firewall rules you want. I recently installed redhat 7.1 and it has a firewall wizard type thing that makes this all even easier! Take an old box and put linux on it, you won't be disappointed.

    --
    mp3's are only for those with bad memories
  12. Try this out by SiriusRegalis · · Score: 2, Informative

    This works great for me -

    www.smoothwall.org

    And when I had some problems with setup they were extremely helpful on irc.

  13. "boxen" by ravrazor · · Score: 2, Funny

    i would like to point out that someone who is looking for a pre-packaged alternative to a couple hours spent installing linux on an old computer just used the term "boxen", thus demonstrating that this word is, and never has been "cool" or "with-it".

    if you are going to call a computer a 'box', at least pluralize it like a regular english speaking human.

  14. LRP by doughnuthole · · Score: 2, Informative

    The linux router project is one of the best sources of info on getting that old 486 to work as a router. I had mine running fine until about two months ago when I was able to get a Netgear router for $30 (easier for parents as I was leaving for college).

    See www.linuxrouter.org for more information.
    Steinkuehler's EigerStein was the distro I used - worked very well.

    -Doughnuthole

  15. Check SmoothWall by kafka.fr · · Score: 2, Informative

    I personally gave a try to SmoothWall, here: http://www.smoothwall.org/gpl/

    An amazing number of features in a so little Linux distribution. Well, find an old PC (almost any might be enough), install SmoothWall on it, then you've got your personal router/firewall/NAT/almost-whatever-you-want.

    All being controllable through a web browser.

    My 2c

  16. SonicWall by gcrocker · · Score: 2, Informative

    I have a SonicWall SOHO/10 that works great. It supports the tricky protocols (NetMeeting, for instance), that Linksys models can't handle, and has lots of configuration possibilities (static NAT tied to ethernet address, for example). There's a model with a DMZ port if ya need it, and you can do VPN between SonicWalls if you need that.

    Nice box. It was pricey, though, at about $400.

    -glenn

  17. I got the Linksys by Delirium+Tremens · · Score: 5, Informative
    I chose the Linksys (3 RJ45 + 1 USB connections) over a custom PC running Linux/*BSD because:
    • For $160, I couldn't have built a cheap computer(I don't own enough spare parts yet).
    • Its power consumption is so much lower than any custom computer I (=limited skills) could build.
    • It is completely silent.
    • If a friend visits me with his/her laptop, we can connect it without any extra hardware to the net via the USB connection (albeit, the laptop must run Windoze 2000 ... last time I tried, none of the Linux USB network drivers worked)

    • I love the IP forwarding of the linksys. All connections to port 80, 443, 21 and 22 are redirected to my Linux box, and all other ports that involve games and *apster clones are redirected to my Game box. Remaining ports are blocked.
    • And then I choose Linksys over other brands because ... well ... it's Linksys, after all!


    1. Re:I got the Linksys by trcooper · · Score: 2
      I have the linksys also, BEFSR11 - (One port). I picked this up for about $50. Since I already had a few hubs lying around, I didn't need a multi-port router anyway. A couple other things worth mentioning about it are:

      Firmware upgrades

      Multicast Support

      Both static and dynamic IP support (Great for my laptop which has static IP at work)

      The only problem I have with it is that you can only forward 10 ranges of ports. I haven't had a problem with this yet, but it could be conceivably a problem.

      Alternately, you can set up a DMZ and make one machine live on the internet.

      Check out the manual for full info.

    2. Re:I got the Linksys by Targetman · · Score: 2, Informative

      I've got cable modem and a Linksys 5 port hub/firewall. Been on line with 3 PCs for over 6 months. Not a lick of trouble.

      And I love watching the lights blink.

      --
      I didn't do it, and if I did, you can't prove it. Bart Simpson
  18. OpenBSD by don_carnage · · Score: 3, Informative

    I use an old P133 (overkill, I know) running OBSD as my firewall/gateway/ntp server/dhcp server. I could have gone out and spent money on a nice compact unit, but I like the fact that I can upgrade my OS, tweak my filters and above all: learn more about OBSD, networking and OS hardening.

  19. Harddriveless by dasunt · · Score: 5, Informative


    You don't need a hard drive for a firewall/router made from an old machine. Check out the LRP for a solution that fits on a single 1.44 mbyte floppy that can be write-protected and just needs to be power-cycled to be rebooted.

    1. Re:Harddriveless by Tim+Doran · · Score: 3, Informative

      Right - which reduces the power consumption and noise.

      What I'd *really* like to see is a fanless power supply for such an application. It'd probably have to be limited to, say, 100W but that could cover such a box easily, especially if permitted to overload slightly at boot-up.

      Anybody know of such a thing? I have the perfect little 486 that I'm not using as a router because I don't want to consume any more power than I have to. But if all I had to run was the solid-state components and the floppy at power-up, I'd be much more willing...

    2. Re:Harddriveless by crucini · · Score: 2, Interesting

      Just open the PS and cut the fan wire. Or immobilize the fan with a cable tie. The fan is not needed when there is no hard disk.

    3. Re:Harddriveless by stilwebm · · Score: 2

      There are lots of external drive boxes that have low wattage power supplies (I've seen 30W-80W for single bay, 70W-125W for dual bay). You'd have to modify the connectors to power an AT motherboard, but I've seen it done. Trying to power an ATX motherboard with one of these is a waste of time. Some of these have fans, some do not. But the nice thing is you can find them at swap meets and surplus/bankruptcy auctions.

    4. Re:Harddriveless by IronChef · · Score: 2

      Here's something. It isn't exactly what you wanted though... not fanless, and I think they are all ATX supplies so they won't work on that 486. But it's a start.

      I hear these are good, but caveat emptor.

    5. Re:Harddriveless by frknfrk · · Score: 2

      my router for a long time was a 486 laptop with a sandisk flash IDE drive (128 MB, plenty of space). no fan, no hard drive noise, and built-in power backup (battery). the gateway 2000 handbook 486. i have 2 now, mail/dns/etc runs great on them, usually get 'em for under $50 on ebay.

      --
      The REAL sam_at_caveman_dot_org is user ID 13833.
    6. Re:Harddriveless by twoflower · · Score: 2, Informative
      Just open the PS and cut the fan wire. Or immobilize the fan with a cable tie.


      Bad, bad idea. The fan will produce significant heat if it is immobilized and still plugged in.

      The fan is not needed when there is no hard disk.


      False. The power supply needs a fan based on the current drawn, not whether a hard disc is plugged in. Some hard drives consume lots of power, some don't. Some CPUs consume lots of power, and would require a fan in the PSU regardless of whether a hard disc is installed.

      Twoflower
      --


      --
      Twoflower
    7. Re:Harddriveless by DrCode · · Score: 2

      Or, you could tell the BIOS, in the power-saving section, to power down the hard drive after a given number of minutes. My old 486 MB has this option.

    8. Re:Harddriveless by NullGrey · · Score: 2, Funny

      I made an adjustment to mine while it was running to eliminate the noise. Here's how I did it:

      1.) Take a size 11 Timberland hiking boot.
      2.) Put it on your foot
      3.) Slam it into the side of the case.
      4.) Repeat #3 as necessary.

      HTH.

      --
      +-- (Score:-1, Moderator on Power Trip)
    9. Re:Harddriveless by ncc74656 · · Score: 2
      There are lots of external drive boxes that have low wattage power supplies (I've seen 30W-80W for single bay, 70W-125W for dual bay). You'd have to modify the connectors to power an AT motherboard, but I've seen it done.
      These typically provide only +5 and +12. How would you get -5 and -12 out of them, as an AT motherboard needs those as well? (ATX also requires +3.3, but ATX didn't come along until near the end of the "P5 era," so any ATX motherboard would be extreme overkill for a router or firewall.)
      --
      20 January 2017: the End of an Error.
  20. Priceless by DigiBoi · · Score: 5, Funny

    Compaq 486/66: Free
    2 old NICs sitting on shelf: Free
    OpenBSD: Free

    Laughing at hax0rs trying to hack your Bridge Firewall: Priceless.

    --
    I put on my robe and wizard hat.
    1. Re:Priceless by bluGill · · Score: 2

      Laughing at hax0rs trying to hack your Bridge Firewall: Priceless.

      Yeah, sit on irc sometime. Back when winnuke was getting a bunch of hosts he used to love watching people winnuke him. - he had a mac sitting behind my linux firewall.

      And the sad part is, my linux firewall hadn't seen an update in 3 years (at that time)! but winnuke is so easy for the script kiddies that they don't even think to try to attack it.

  21. SMC 7004ABR by saider · · Score: 5, Informative

    I do not have any servers, but this works well and has the following features...

    - DHCP server
    - NAT
    - RJ-45 for connection to Cable/DSL and a DB-9 for connection to a modem.

    I particularly like the fact that it can do Cable/DSL and Dial-up. Since I am moving a lot, I never know what is going to be available. You can even use the dial-up as a backup, should the Cable/DSL fail. Web based administration is straightforward. But I can't comment on that beyond the basics.

    Power consumption is low (22W I think) and it is a lot quieter and much smaller than a PC.

    It is good for my simple needs, but you may need more for your servers.

    Here is a link to the product page. You can download the product brochure and check it out for yourself.

    --


    Remember, You are unique...just like everyone else.
    1. Re:SMC 7004ABR by boudreau · · Score: 2, Informative

      I actually have this same exact router. It has a huge bug, the port forwarding feature does not work. I have contacted tech support and they say that it is a known bug within some loopback function and should be fixed in their next firmware update.

      I have also had to reset my router often and tech support has been very unhelpful with this.

      If I were you, go with a different brand or build your own. I used to have a linux router, but I wanted to take that functionality off my linux box so I could run other services. It is not like the routing function on the linux box caused a bunch of overhead, but it does have to use the cpu vs. a hardware router which has its own dedicated cpu. That is why I switched.

      Basically, read the firmware updates and look at where the bugs have been in all the manufacturers' products. I did not do this, but I wish I would have. It would have given me a better idea of the quality of the product.

      Michael

    2. Re:SMC 7004ABR by mattdm · · Score: 2

      I've got the wireless version of this, and port forwarding works fine for me. I'm using it right now, in fact.

    3. Re:SMC 7004ABR by Caballero · · Score: 2

      Yes, I've got the 7004AWBR and it does allow you to do DHCP reservations. I can assign specific MAC addresses to specific IPs. Very handy for the laptop that moves between work and home!

      By the way, they've been updating the firmware fairly regularly. I had problems with the Orinoco early on, but they got it fixed in the next firmware release.

  22. A bevy of information on configuring your routers by Typingsux · · Score: 5, Informative
    Here!

    I have a netgear router myself, and have locked it down pretty well with the advice I found.

    --
    The above post is an editorial, the poster cannot and will not be held responsible for all or in part for it's contents
  23. Another Old PC post! by imadork · · Score: 2, Interesting
    I couldn't agree more with the other posts. Get yourself an old PC, and go nuts.

    Since the poster seemed concerned about power, does anyone know details about how to reduce power consumption on a motherboard? One would assume that, since it is being used as a router, APM Sleep/Suspend is out of the question.

    I recently upgraded the Motherboard in my router (an old 486 w/ Pentium Overdrive) because I eventually want to run Apache on it (and 4MB 30-pin SIMMS are expensive compared to SDRAM!) I got my hands on an AT motherboard with USB (I had to make some "creative modifications" to the case, since the new MB had higher heat-sinks.) I got the lowest-frequency K6 chip I could find, and a cheap 64MB Memory stick. I have no clue how much power it's wasting while I'm here at work, and would be interested in knowing how to reduce it further.

  24. Cisco 827 by cnkeller · · Score: 2

    I've been thinking long and hard about the Cisco 827 ADSL router. True you need DSL, but for $500 it seems like a steal. Provides NAT, stateful packet inspection, VPN's with IPSEC 3DES. Might be overkill for Joe gamer, but if you're working from home or running a business, I think it's worth the $500. You can check out the stats here.

    --

    there are no stupid questions, but there are a lot of inquisitive idiots

  25. Re:Power? by don_carnage · · Score: 2

    Do you have any numbers on exactly /how much/ energy either device uses over the course of a year?

  26. netgear 311RT by 0WaitState · · Score: 2, Insightful

    I've used a Netgear 311RT for the past year, and am quite happy with it--does DHCP, NAT, and port forwarding. BTW, you don't configure it via a web interface, instead you telnet from inside and work through the simple ascii menus.

    None of the various home routers ship with a real manual--you have to download it off the manufacturer's website. That should answer more pre-purchase questions about functionality than reading the outside of the box.

    --

    Remain calm! All is well!
  27. Some problems by TheSHAD0W · · Score: 2

    My Linksys router has to be reset every week or so, and seems to have problems "bouncing" packets back into the intranet; instead they seem to get lost. (ICQ doesn't work reliably between machines, for instance.) I'm strongly considering switching to another company's router.

  28. You know what we're going to say ;-) by ryanvm · · Score: 2
    Use a cheap PC.

    It's what I've done at my home - and it works great. I took a spare Pentium 166 I had and underclocked it to 120 then put a fanless heatsink on it. I then clipped the leads to the fan in the power supply. The hard drive is set to spin down after a few minutes. Result: a totally quiet, fairly low wattage (35-45 watts I think) router/firewall.

    As far as software goes, after much deliberation, I finally settled on Debian GNU/Linux. The main reason I chose Debian is because you can't beat "apt-get update; apt-get upgrade" for pure ease of system management.

    I know you'd prefer an "off the shelf" solution, but when you use an old PC you get so much more. Not only can it do all the routing functions you require, but you also get a print server, a file server (MP3 shares anyone?), a Freenet node, etc.

    It's more work, but it's fun and it's worth it.

    1. Re:You know what we're going to say ;-) by ryanvm · · Score: 2
      Plus, if you run OpenBSD, you get to be superior to the Linux rabble. ;-)

      Heh. I was this close to choosing OpenBSD - it was between that and Debian. But in the end, I picked Debian because you can run "apt-get update; apt-get upgrade" and you're running an up-to-date installation.

      Are the *BSD's "make world" scripts as painless as that? I'm not suggesting that they aren't - I truly do not know.

    2. Re:You know what we're going to say ;-) by ryanvm · · Score: 2
      I opened up the power supply (200 watts) and neatly severed one of the wires running to the fan.

      Obviously, it does raise the temperature of the power supply several degrees (it's warm to the touch), but nothing to be worried about. I do run the computer without the case on - being a router, I have it stored out of view. It's been running 24/7 for over 6 months and I've had no problems at all.

      I would be a little leery of completely shutting down the fan in a bigger power supply especially if you kept the case on the computer. If you decide to experiment with it, just closely monitor the temp for several hours and see how it copes. Another option for you is to simply slow the fan down by putting a resistor on the fan's power leads.

  29. two words by ellem · · Score: 2

    Link Sys

    --
    This .sig is fake but accurate.
  30. Old hardware by hardburn · · Score: 2

    Using old computers for a router/firewall really doesn't take as much power as the above suggests. Recently, my local newspaper had an article on power consumption. It noted that a modern PC takes about as much power as an alarm clock; not much at all. Older equipment (486 or Pentium) will probably do better, especially if you can find a low-end power supply to go with.

    For what you want, I suggest two boxes. Both can be between a 486 DX 50 to around a P100. You could even do a 386 DX if need be, but I've found that 486s go for around the same price anyway. I suggest the DX processors because I simply don't like the idea of math coprocessor emulation having to sit in my kernel. Give them both a floppy drive and an old hard drive (You can squeeze a good GNU/Linux distro into 40 MB if need be, but be careful of bloated distros like Red Hat; use Debian or even some form of BSD). If you don't want to waste those good 10/100 NICs on this, don't. A simple 10 Mbps NIC has more than enough bandwidth for a cable modem or DSL (except for the very very high speed DSL solutions, which nobody has yet anyway). The second box only needs one NIC (can also be 10 Mbps), but should have a larger hard drive. From this one, run stuff like DHCP, caching DNS, etc.



    Personally, I have a 486 DX/4 100 with a 200 MB drive running Debian 2.2r2 and a Linux 2.4 kernel and an IPTables NAT firewall. This has two 10 Mbps NICs and a modem (I'm currently on dial-up, but the second NIC is there for when I finally get cable or DSL). Another box runs a DHCP and DNS server. Yet another box is a small file server (using Samba) and also runs an FTP and HTTP server.

    --
    Not a typewriter
  31. Re:The one job Windoze seems to do well.... by don_carnage · · Score: 2

    One problem: That's a gateway and not a firewall. It would still allow malicious packets in and out of your network and be vulnerable to other type of attacks. Perhaps if you added ZoneAlarm or something to it, it would provide better security.

  32. Efficient SpeedStream by DeadMeat+(TM) · · Score: 3, Interesting
    You might want to check out one of the Efficient SpeedStream routers. SWBell ran out of DSL modems and gave us a free SpeedStream 5660 DSL modem/router instead (with the warning that sharing the connection is perfectly legal according to our TOS but won't be supported of course, *nudge nudge wink wink*).

    It's got probably everything you're looking for: NAT, DNS, port forwarding, hardware firewalling, and support for everything from PPPoE to static IPs on the ISP side. Plus it's got a nice HTML interface plus a UNIX-style Telnet interface (with lock-down support, of course) and even support for a serial cable so you can Telnet to it as a dumb terminal if the Ethernet's down. And the documentation, while not super-thorough, isn't drool-proofed. The only real complaint that I have with it is the way the firewall works; it blocks unopened ports if there's no outgoing packet to correspond with incoming ones. This is only a problem if you're serving something, but more software works like a server (as far as the router's concerned) than you may expect; it was a little weird having to manually open up AIM's port so my little brother could use AIM without having to initiate the conversation.

    The main disadvantage is price and availability -- I don't know how easy it is for end users to get their hands on these, and it'll probably run upwards of $300. If you're lucky, your ISP might have some, but I've heard of ISPs giving out these routers and with the remote administration password-locked so people don't (ahem) accidentally enable NAT without paying for a static IP first.

  33. My results for the LinkSys and NetGear products by netwiz · · Score: 2, Informative

    i have, in turn, purchased a RT311 and a Linksys 1-port router (okay, so it's two ports, whatever). It turns out that they're pretty much the same hardware, and completely different ROMs.

    Ups: The Linksys product was by far the simplest to configure. easy, embedded HTTP server makes config chores simple and fast. It's easy to screw up the password, tho, however recovery is easy. I thought that even though the Netgear was significantly more difficult to use (relying on CLI-based menus and a powerful yet byzantine trigger-based rule system), it had the most configurability.

    Downs: This is why I'm using an OpenBSD box to do my NAT. Both routers rely on similar hardware, which, unfortunately, isn't up to the task of a 10Mbit cable modem or a 6Mbit DSL link. The peak rates I got out of each box was south of 490KBps, or right about 5 megabit. On my cable modem, it seriously throttled my downstream bandwidth, and I found it simpler to just take the time to really lock down my workstation and plug it straight into the cable modem.

    My $.02

  34. SMC Barricade Wireless Router SMC7004AWBR by chacal · · Score: 2, Informative

    I previously had a netgear rt311 on my network in my apartment at school..and when I graduated, I decided I wanted a wireless router, since I've got a couple of laptops, and my girlfriend has one as well. I looked at all the wireless offerings, and it came down to the D-link and the SMC..they're made by the same manufacturer..but the SMC has both a lifetime warranty and mac address restriction of the wireless network.

    In one $200 box, I get:
    o wireless access point supporting, i believe, 255 users.
    o 3 port 10/100 switched hub, plus the wan port.
    o firewall/router with plenty of configurability
    o print server, which works in both linux and windows.

    the administration interface is easy to use, can keep pretty good logs if you want, and allows for the network to be buttoned up pretty tight.

    it'll even hook up to a modem via a serial port, if you want to share a modem connection..

    here's a review at practicallynetworked:

    http://www.practicallynetworked.com/reviews/smc7004awbr.asp

  35. Re:NAT box - my setup by Tet · · Score: 2
    one cable to an OpenBSD NAT router to the private network for all the internal things (fileserver, multimedia box, etc). A few other cables go to outside facing servers (web, FTP, etc).


    And you haven't put your public facing machines behind the OpenBSD firewall why?

    --
    "The invisible and the non-existent look very much alike." -- Delos B. McKown
  36. Re:What's next? by rjamestaylor · · Score: 2
    What will the next ask slashdot be?
    What is a good OS?
    What is a good computer?
    Why not go to a site that deals with newbie's wait that's slashdot now. Never mind
    I give up slashdot is doomed to be what it is now, and no one can change that..... shitty.
    Then, leave. Bye bye. Won't miss your arrogant, nothing-to-contribute attitude.

    I know the asking party mentioned the power requirements of an old (or, I guess, new) PC as a NAT/Router/etc., but the power drain ain't too bad (unless you leave a monitor on for this server...). Besides, not only can you easily set up (see the How-Tos at Linux Documentation Project) a server to do NAT (great for multiple boxes sharing a "one connection only" xDSL/Cable modem connection), DHCP, cipe tunneling to secured office computers, but also to enable a web server (it's actually a last-hope backup server to one of our production systems), SSH "telnet" server for remote access, FTP daemon. With a little care a simple PC will give you tremendous network services that far surpass the capabilities of these network devices. And the investment in terms of $$$s may be much less (in time, more, but what's the fun of not learning?).

    --
    -- @rjamestaylor on Ello
  37. My experience... by jasno · · Score: 4, Informative

    Wow, it's amazing how many people suggested that you should use an old PC. I guess no one read your whole post, or the 57 posts that said the same thing before they posted.

    First off, I've done the old PC thing myself. It was very flexible and I really liked having a linux box I could tunnel to. OTOH, it also sucked electricity and space which are 2 precious commodities here in California.

    I eventually switched to the BEFSR41 from linksys. I picked it up for $100 (BestBuy just had them for $79) and it's worked out wonderfully. Low power, silent, and very, very small.

    One word of warning: if you intend on hosting any type of game server (quake, half-life, etc...) you should do a search on google first to make sure there aren't any weird problems with the device you decide on. For instance, I can run a half-life server behind the box, but it tends to kick people randomly.

    --

    http://www.masturbateforpeace.com/
  38. WatchGuard by Dr+Caleb · · Score: 2
    I've always found the WatchGuard series works well. Especially the SOHO product.

    Sure, an old PC with *nix on it is cheaper, but this is quieter and requires less power. It's got a browser configurable setup, serves DHCP, allows for 10 users expandable to 50 users (4 ports, but you can daisy chain another hub off it) and is self updating.

    A pretty cool unit for a home network. They also sell units for 100+ users, for small to mid size offices.

    --
    "History doesn't repeat itself, but it does rhyme." Mark Twain
  39. The Linksys is nice by rho · · Score: 5, Troll

    I have the BEFSR41, which is the router plus a 4-port 10/100 switch. It was about $100 from CompUSA.

    Dislikes: the web-based interface is a bit wonky with Netscape 4.7 on *nix. It works, but has some weird errors on occasion.

    Likes: it works as advertised. I fought with PPPoE on an OpenBSD box for several hours -- I could not figure out why it wasn't working, and none of the so-called "How-tos" helped.

    HOW-TO -- a definition
    A cruel on-going joke between free unix-alike "documentation" writers that is mostly filled with "it worked for me, maybe you're stupid" insinuations and "this important part of the configuration is terribly, terribly important, but it's beyond the scope of this shitty How-To. Perhaps you are stupid?" notes.

    So, I went and bought the Linksys, and within one hour (including the time it took to buy the thing), I was passing bits around the Internet.

    The web-based interface does work somewhat with Lynx, but is very cantankerous when used so. I have ssh'ed into my server and then used Lynx to reconfigure the router.

    You can forward ports to particular internal IPs, i.e. "all requests for port 80 goes to the computer at 192.168.1.100", and can even put one computer (one IP address) in a "DMZ", where it is completely open (all ports are available to answer).

    If you want to do complex filtering or firewalling, it doesn't do such. If your needs aren't really complicated, it will work for you.

    --
    Potato chips are a by-yourself food.
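
Added example, not part of any poster's comment: a small Python model of the inbound decision these appliances make, combining the port forwarding and "DMZ" host described in the Linksys comments with the behaviour reported for the SpeedStream (unsolicited inbound packets are dropped unless an outgoing packet opened the flow). All addresses, the game port range and the port 5000 chat listener are constructed for illustration.

```python
"""Toy model of a home NAT router's inbound decision (added illustration)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Forward:
    proto: str          # "tcp" or "udp"
    first_port: int     # inclusive start of the forwarded range
    last_port: int      # inclusive end of the forwarded range
    internal_ip: str    # LAN host that receives the traffic


@dataclass
class HomeRouter:
    wan_ip: str
    forwards: list = field(default_factory=list)
    dmz_host: Optional[str] = None
    # (proto, public_port, remote_ip, remote_port) -> (lan_ip, lan_port)
    state: dict = field(default_factory=dict)
    next_port: int = 40000

    def outbound(self, proto, lan_ip, lan_port, remote_ip, remote_port):
        """A LAN host sends a packet out. Record the flow and return the
        public source port the router rewrote it to."""
        for key, owner in self.state.items():
            same_flow = key[0] == proto and key[2:] == (remote_ip, remote_port)
            if same_flow and owner == (lan_ip, lan_port):
                return key[1]           # flow already known, reuse mapping
        public_port = self.next_port
        self.next_port += 1
        self.state[(proto, public_port, remote_ip, remote_port)] = (lan_ip, lan_port)
        return public_port

    def inbound(self, proto, remote_ip, remote_port, dst_port):
        """Decide what happens to a packet arriving on the WAN side.
        Order: established flow, then forward rule, then DMZ host, then drop."""
        owner = self.state.get((proto, dst_port, remote_ip, remote_port))
        if owner:
            return ("reply", owner[0], owner[1])
        for rule in self.forwards:
            if rule.proto == proto and rule.first_port <= dst_port <= rule.last_port:
                return ("forward", rule.internal_ip, dst_port)
        if self.dmz_host:
            # Every otherwise unmatched port lands on this one machine.
            return ("dmz", self.dmz_host, dst_port)
        return ("drop", None, None)


def build_router():
    """Constructed policy in the spirit of the thread: 21, 22, 80 and 443
    go to a Linux box, a game range goes to a game box, the rest is blocked."""
    linux_box, game_box = "192.168.1.10", "192.168.1.11"
    rules = [Forward("tcp", p, p, linux_box) for p in (21, 22, 80, 443)]
    rules.append(Forward("udp", 27000, 27050, game_box))  # constructed range
    return HomeRouter(wan_ip="203.0.113.5", forwards=rules)


if __name__ == "__main__":
    router = build_router()
    remote = "198.51.100.7"                     # constructed Internet peer

    # Unsolicited connection to a chat client listening on port 5000: dropped.
    print(router.inbound("tcp", remote, 51000, 5000))

    # The same LAN host talks to the peer first; the reply is let back in.
    port = router.outbound("tcp", "192.168.1.20", 3333, remote, 443)
    print(router.inbound("tcp", remote, 443, port))

    # Forwarded service port, then the effect of enabling a DMZ host.
    print(router.inbound("tcp", remote, 51000, 22))
    router.dmz_host = "192.168.1.30"
    print(router.inbound("tcp", remote, 51000, 5000))
```

The last call shows why the DMZ option deserves care: once it is set, every port that no rule or existing flow claims is delivered to that single host, so that machine needs its own host firewall and patching.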
    1. Re:The Linksys is nice by banky · · Score: 2

      I, too, have had nothing but success with the Linksys.

      What's cool, is that you can use cURL and wget to skank the various pages and things. There's a file called Gozila.js which contains all the javascript functions, and you can use that to basically figure out how the guts work.

      For example, I use it as my DHCP server for my home lan. I have a dual-boot (win98/Linux) desktop, and a Linux laptop. Let's say I'm on my laptop, and my desktop (downstairs, in the other room, etc) is booted into windows, and gets a dynamic IP. Well, each of my roommates has various machines on, too. So, I would look at the client table page, and figure out which machine was mine. Then I'd VNC into it, reboot, and Linux is the default. The Linux side of things uses a fixed IP.

      So, after some experimentation, I learned that you can use cURL/wget to pull the DHCP table out. Then, some grepping, and you have your machine. A simple click on my desktop, and I can reboot the machine into Linux. *I* was proud of myself.

      Perhaps it's an overly geeky solution, but I was impressed at the "openness" of the device for simple tasks like this.

      --
      ZOMG I WOULD LOVE TO KNOW ABOUT YOUR FEELINGS ON MACINTOSH VERSUS WINDOWS, VI VERSUS EMACS, AND HOW YOU'RE NOT A DORK
    2. Re:The Linksys is nice by pi_rules · · Score: 2

      Quick comment on the BEFSR41 as I've dealt with them for a few people who I know that have purchased them. It's a pretty slick little product (coming from a guy who uses a full-fledged Linux box for his firewall at home) and if I didn't have the need to do filesharing and CVS with the same server I'd just have ditched it for one of these little puppies a long time ago.

      However, I have noticed a little quirky bug that caused me a few hours' trouble with it once. When changing the LAN IP from something other than the default 192.168.1.1 you'll have to power-cycle or get a paperclip out and smack the little indented 'reset' button on it to get things to take effect - sometimes more than once. I'd say for 95/100 home users this isn't something they'd ever try and do but it was frustrating.

      Why? Well we were trying to route a class C block of IPs through the thing to stage an ISP until the T1 could be delivered. Ended up just getting a Cisco 600 series for the task. The Linksys is still used though to provide a NAT for the office though behind the Cisco (which could do NAT too -- but that little box is just -so- easy to setup).

    3. Re:The Linksys is nice by rho · · Score: 2

      On another note (we really need to be able to edit comments...)

      The Linksys is supported by almost all of the Dynamic DNS scripts available. I use ipcheck with the custom domain option. It works fantastic -- stick it in the crontab, run it every 5 minutes.

      Useful if you plan to do anything interesting with your phat broadband.

      --
      Potato chips are a by-yourself food.
  40. Score -1, Flamebait by trauma · · Score: 3, Insightful

    God, do all you "old PC NAT box" folks have fears about your manhood or do you just not read? The man clearly stated that he was looking for info on router appliances, and just as clearly excluded homebuilt PCs as a topic of discussion, but everybody and their brother still has to trot out the damn things, perhaps to demonstrate their questionable 1337tness by tossing it off so casually, as if it were a trivial solution (which it can be, in terms of technical difficulty. But the man mentioned $$$ and watts).

    God help us when you all have actual Beowulf clusters in your basements to brag about at every opportunity...

    1. Re:Score -1, Flamebait by dasunt · · Score: 2


      Okay, sorry, I advocated the quiet, cheap solution that can be made out of spare parts, for a low cost, doesn't have any moving parts save for the floppy drive, and is endlessly upgradeable and configurable(LRP).


      I must apologize, I guess the commercial solution was better. When I posted, I didn't think that this guy needed some more information about a PC-router solution, that maybe he didn't know they could be run fanless and without a hard disk. I didn't think that he might not have known that there were specific distros for this purpose. What I did think was "This guy wants hardware, lets piss him off." This guy mentioned $$$, this solution was cheaper than he wanted, but that is obviously a drawback. He also mentioned wattage, which the solution I gave used little. But I suppose your reading skills aren't the best either, are they?


      I wouldn't condemn others so easily, if I was you. There was redundant posts, I agree. But a PC-hardware based solution is just as competitive as the low-end custom router solution, if not more so.

  41. Which "home router" do I choose? by ogreinside · · Score: 5, Interesting

    Well, doing consulting and having set up a lot of NAT environments across many platforms, I would say that these "all-in-one" solutions are a great idea. That is, however, if you get the right one.

    Certainly the first suggestion I have when I see a home business paying for extra IPs, is to take an old machine and set up IP masquerading on a Linux box. However, I have found that many people are "scared" of Linux, and some don't have dedicated machines. Others want a firewall, public servers, and of course the full web/email site setup. While some businesses look at this as opportunities for recurring fees to unknowledgeable users, I try to lay it all out for the customer. Advantages and disadvantages, ease of administration, power consumption, maintenance. In most cases, customers LOVE the all-in-one solution devices.

    For power users that want to control all aspects of filtering, routing, port forwarding, and hosting, this is not the best option. However, it can be a *good* solution. I have up until recently been a Linksys advocate. It is actually a great product, and can perform NAT, DHCP (may toggle off and use an internal DHCP server), "DMZ" port forwarding, and flashable firmware. However, don't be fooled by the claim that it is a "switch". I spent many hours trying to find out directly from Linksys what some specifications were on the advertised "switch". First of all, it does not have a backplane. Anyone that knows what to look for in a switch, will first want to know how much data can be shared. When there is no backplane in any specs, and the "engineers" at Linksys don't seem to know what you are talking about, one tends to rethink their purchase. There is no MAC table, nor is there any way I have seen to find any specifics about how it "switches". Does anybody know what these devices really are? They have to be some sort of "smart" hub. What I have ended up doing, is purchasing NAT/router devices, and separate switches that perform like switches. I have found some D-link and Addtron switches with backplanes and viewable MAC tables.

    Also, the only way to configure any options on a Linksys device, is through a web browser. I have been able to use lynx before, but this one particular 8-port switch/router had broken tags in the config. I flashed the firmware, and tried just about every browser, but each time I would get Java errors and broken tags. When I called tech support, they told me to take it back to my retailer. What they don't know, is that I had just replaced it, because the firmware flash died halfway through, and fried the device. This is not very reliable IMHO.

    Netgear, however, allows you to telnet in and configure via command-line, which IMHO, is the most important feature of a configurable network device. JetAdmin or telnet for managing HP printers? Are you kidding me? I'll take command-line any day. We need a low-end Cisco device is what we need.

    Are there any other command-line configurable NAT/routers that have actual backplanes for the switching component and have flashable firmware (other than a Cisco switch) aimed at this market?

    --
    "The more you suffer, the more it shows you really care, right?" -Offspring
  42. Free NetBSD based firewall by DreamerFi · · Score: 2
    I'm the author of the free NetBSD/i386 based firewall at dubbele.com
    If my web logs are any indication, it has been installed by over 7000 cable and ADSL owners so far, and the amount of tech support I have to do is very minimal. If you have an old PC and two ethernet cards, you're half-way there.

    Check it out and let me know what you think..

    -John

  43. Cisco PIX 501 Firewall by jroysdon · · Score: 2, Informative

    Being a Cisco guy myself, I'd have to say if money isn't an issue, and security is the main idea, go with Cisco's PIX Firewall. It's actually not that bad if you compare it to their higher end gear (small office 506 is $2K, 515R is at least $3K, and it goes up real fast from there). Plus, you can run IPSEC and connect to anything else running the same (or even PPTP/L2TP). The thing I like is that all of the PIX line runs the same code, so anything you can do on a big ISP-size 535 you can do on 501. Plus, the new 6.0(1) code adds the ability to load the new PDM code (PIX Device Manager) which is a Java-based SSL web interface to allow easier programming in an interface very similar to Checkpoint's Firewall-1, etc.

    Any Cisco security engineer-wannabees should really consider this option, since it's a cheap way to practice with the exact same interface as the high-end gear.

    "Performance
    The Cisco PIX 501 Firewall provides competitive performance in a compact form-factor:
    * 10 Mbps cleartext firewall throughput
    * 6 Mbps DES VPN throughput
    * 3 Mbps 3DES VPN throughput
    * Supports 3,500 concurrent connections
    * Supports up to 5 VPN/IKE peers concurrently

    PIX 501 10 User/DES Bundle, PIX-501-BUN-K8, $595
    PIX 501 10 User/3DES Bundle, PIX-501-BUN-K9, $695
    "

    Oh, and compared to some of the "Cable/DSL" routers out there like Linksys, this is a huge step up. You can do NAT/PNAT from multiple external pools to specific internal ranges, or even port redirection so that multiple global addresses forward different ports to multiple internal servers, or one-to-one static NATing if you require, or even "NAT 0" (internal and external addresses are the same) but still firewalled. Built-in DHCP, basically everything and anything you could want or expect from a firewall middle-box is here.

    http://cisco.com/go/pix

  44. Re:Linksys and NT by RedX · · Score: 2

    Out of curiosity, were you running anything besides the included NT services to provide the IP routing?

  45. Re:My experience with linksys by ednopantz · · Score: 2, Interesting

    My experience is that if you ever have any kind of technical problems, like the box suddenly not doing anything, forget calling Linksys.

    My 4 port job failed in June, shutting down what was supposed to be a day of building websites at home for a client. No router/DHCP box = no network. Yeah, I could have configured a Win2k network by hand, but who really wants to do that just to hack up some quick and dirty asp pages?

    So I went to their web site, where most support questions refer to the practicalnetworking site. Cute.

    First Linksys jealously guards the tech support number. You have to look for a long time to find it. Then when you call either
    1) it just rings and rings
    2) the phone tree (push 1 for sales, 2 for support) disconnects every time you select support
    3) if the phone tree doesn't just disconnect, it starts over when you select something
    4) if you do talk to someone, you don't get a tech, but someone in the outsourced office in Bangalore, they haven't been trained, they don't know anything about your product, they can't troubleshoot it, the database is down so they can't check on any previous calls you have made about that sorry light blue piece of crap, but they will take your number and they promise that someone from tech support will never, ever call you back.

    In my case, I just bought another one and sent the original c/o the CEO with a note instructing what orifice it should be inserted into and with what degree of force.

    Were these boxes not handy and cheap, they would have no repeat business. I hated doing it, but just buying another one was the fastest way to get me back up and running (and billing).

  46. better url by DreamerFi · · Score: 2

    urgh. Slashcode 2.0 does ugly things to urls after post... Simply try this: http://www.dubbele.com

  47. Cable Routers are cheap and easy by Rackemup · · Score: 2
    Let's face it, not many of us have the room or the resources to set up and maintain ANOTHER computer in the house just to look after distributing the cable/dsl connection, that's why these cable/dsl routers are becoming so popular.

    I've been using a Netgear RT314 for almost a year now and it works great. NAT features, port-range forwarding, etc. It doesn't have a "true" firewall but the NAT does offer some protection.

    I'd recommend getting the FR314 that has firewall capabilities. Check out Practically Networked for reviews on hundreds of models.

  48. Go with a LinkSys by BranMan · · Score: 2

    It's what I use and I have had ZERO problems with it. I don't know if it will actually support being a DHCP server while it is doing its other tricks (like routing all incoming to a designated DMZ machine, or doing selective port forwarding, or packet filtering to specific IP addresses inside, etc. - has a lot of tricks). Has anyone done that? I doubt it would mind as long as you keep the fixed addresses out of the range it will be generating addresses in.

    But, even if it doesn't, why not just have one of your dedicated servers be the DHCP server too? Once a box is handed an IP address, everything will work just as well as if it had a fixed one.

    Me, I didn't bother - all my boxes have fixed IP addresses, but I'm guessing you have a notebook you want to shuttle from work to home.

    Anyway, that's my $0.02 - just make sure you use a switch instead of a hub if you move good volumes of data around.

  49. Re:My experience with linksys by Midnight+Thunder · · Score: 2

    I found that updating the firmware helped the problems I had. Since I am not using Windows I found a link that told me how to update the router from Linux. Basically you first have to disable the admin password on the router ( because tftp does not support passwords ) and then use tftp to send the updated firmware to the router. This approach works for any platform with access to a tftp client - shame they don't put this info on the Linksys website.

    --
    Jumpstart the tartan drive.
  50. For $51, just get a router! by briansmith · · Score: 5, Informative

    Sure, you can build one out of an old computer and spare parts. But, think about the physical size, noise of the fans, and electrical consumption. Plus, you could use that old computer for something else. I got a D-Link DI-804 for $51 from Amazon.com this week. $80.00 - $30.00 rebate - $10.00 online coupon + 11.00 S/H. It seems to have all the features you want. It has a simple web interface for basic stuff but it also has a telnet interface for more advanced features. Look at the D-Link site for the product (http://www.dlink.com/products/broadband/di804/).

    Note: The picture on the D-Link and Amazon.com websites is of an older design where the four switch ports are on the front, and the WAN port is on the back. On the one I received yesterday, all ports are on the back (much less messy). I emailed them telling them that the picture didn't look anything like the actual product and so they apparently pulled the webpage for the product temporarily.

    The setup was painless (basically, just plugged it in, attached network cables, renewed my IP leases, and changed the admin password). I even upgraded the firmware in less than a minute. It is also silent (no fan) and it is about the size of the area of a keyboard between the [ESC] and the right-alt key. It is working great.

    It has four ports in the built-in switch. Port one can be used either as a normal switch port or as an uplink. It also has a serial port that you can attach an external modem to share as a backup for when your cable/DSL connection goes out.

    For $51, it is basically the same price as the 486 solution that someone else cited as $45, and it even comes with a one-year warranty (apparently, D-Link used to have a lifetime warranty but I guess they don't do that for the consumer stuff any more).

    CPU: 32bits ARM RISC CPU
    Memory: 512 Kbytes Flash Memory, 4 Mbytes SDRAM

    Standards:
    IEEE 802.3 10Base-T Ethernet
    IEEE 802.3u 100Base-TX Fast Ethernet
    IEEE 802.3x Flow Control
    ANSI/IEEE 802.3 NWay Auto-Negotiation

    Protocols Supported:
    TCP/IP
    NAT
    DHCP
    UDP
    PAP
    CHAP
    MSCHAP
    RIP1/RIP2
    PPPoE
    Virtual Server

    VPN Pass Through Function*:
    PPTP
    L2TP
    IPSec

    Firewall Protection: Built in NAT firewall using stateful packet inspection

    Management: Web-Based - requires a PC, Mac, or Linux based computer with a Web Browser capable of running Java script.

    Firmware Upgrade: Web-Based - requires a PC, Mac, or Linux based computer with a Web Browser capable of running Java script.

    Ports:
    4 x NWay 10BASE-T/100BASE-TX Fast Ethernet LAN
    Port 1 has Uplink/Normal switch
    1 x 10Base-T WAN
    1 x RS-232 (230 Kbps, male DB-9) - for back-up analog modem connection

    LEDs:
    Power
    WAN
    Console
    Link/Act. (Link / Activity)
    10/100 Mbps

    Power: DC 5V 2A
    Operating Temperature: 0 C ~ 40 C
    Storing Temperature: -20 C ~ 70 C
    Humidity: Max 95% Non-condensing
    EMI Certification: FCC part 15 Class B in US

    1. Re:For $51, just get a router! by briansmith · · Score: 2, Informative

      I have heard similar stories. Did you register the product with them? I heard that they will absolutely ignore you until you register, but then they are often very helpful.

  51. I've Used Snapgear and Linksys by OmniGeek · · Score: 2

    I used to use a Moreton Bay Nettel (now it's named Snapgear) until lightning killed it; GREAT unit, I highly recommend it.

    I now use a Linksys DI-704; good feature set, built-in 4-port hub, inexpensive at $99, but somewhat lacking in remote logging capabilities. Still, I recommend both units.

    --

    "My strength is as the strength of ten men, for I am wired to the eyeballs on espresso."
  52. Re:Old Laptop by mfarver · · Score: 5, Interesting

    I found old Pentium laptops to make excellent firewalls. They are a little more pricey than the old PC but they have a few advantages:

    Built in battery backup
    Low power consumption
    Few (if any) noisy fans
    Small, and fit nicely in a rack shelf
    Built in collapsible console

    Look around and you can find one for about the same price as the small NAT routers. The only real shame is they only have typically two PCMCIA slots, so you can't have a DMZ or wireless net interface separate from the internal and external interfaces.

  53. Re:Linksys Wireless Cable/DSL Router by Midnight+Thunder · · Score: 2
    Check that you have the latest version of the firmware. It can make a difference in certain cases. To update:
    1. Download firmware update ( it is in the zip archive )
    2. Disable admin password on router (tftp doesn't support passwords)
    3. use a tftp client to send firmware update
    4. hit the connect button in the router's status page
    5. replace admin password
    6. Cross your fingers and hope for the best ;)
    --
    Jumpstart the tartan drive.
  54. OOPS. Make that Snapgear and D-Link by OmniGeek · · Score: 2

    Proof one shouldn't post under the influence of glowing phosphors. Make that a D-Link DI-704, NOT Linksys...

    --

    "My strength is as the strength of ten men, for I am wired to the eyeballs on espresso."
  55. Gaming problems by ThesQuid · · Score: 2, Informative

    If you are planning on having multiple people running networked games in your house, I would recommend caution when thinking about a hardware router. For example, Linksys (among others) has problems when two people in a household play Q3 and want to connect to the same remote gameserver. As was said before, PracticallyNetworked.com is a good place to investigate before buying.

    Alternatively, an old Mac IIcx makes a great router. Two NICs and a video card, old 20mb drive, IPNetrouter software, and there you go! Pretty much unhackable, because with System 7.5.5, you can't even address the Mac's file sharing via tcp/ip. I've got just such a beast running our office because our Linksys died. And I'm really cheap.

  56. Re:Power? by athakur999 · · Score: 2, Informative

    Looking at the specs of the LinkSys BEFSR41, it uses an external power supply at 5V and 3A, which is 15 watts. It will use 131.4 kw-hours in a year if on 24x7x365.

    Your average PC probably has a 250w power supply. It will use 2190 kw-hours in the same time.

    I don't know what the average price of electricity is, but I think it's around $0.09 for me in Texas. So it'd cost ~$12 to run the LinkSys router and ~$197 to run the computer for the same amount of time.

    The computer estimate may be on the high end since I don't know if a 250w power supply will always pull 250w or if it pulls what is required up to 250w.

    --
    "People that quote themselves in their signatures bother me" - athakur999
  57. PPPoE Relay by Malc · · Score: 2

    The one feature I would really like isn't available in any of these devices: PPPoE relay. The Roaring Penguin PPPoE client for UNIX has this feature, although I haven't tried it as I'm already hooked up via a Netgear RT314.

    FYI - what is PPPoE relay? Well, one of the features of PPPoE (which my telco enforces for DSL) is the ability to connect to multiple ISPs without changing anything. PPPoE relay allows a PPPoE connection from a computer on the LAN to go through the router and thus allow individual PPPoE connections in addition to the one being maintained by the router. Thus you can connect to multiple ISPs, or even multiple connections to the same ISP (my ISP - Sympatico - allows two IP addresses for free). The benefits of getting two IP addresses might be more obvious or appealing to some people. We actually wanted multiple ISP access for a while: the university that my wife was attending had a dedicated line from the CO, and allowed highspeed access to their network using PPPoE. We just switched our username and password to access this, but it did mean having to access the internet through their network. I would have preferred that my wife make her infrequent connections directly from her computer without affecting the whole LAN.

    Oh, BTW, I think my Netgear RT 314 is great. I've had it almost a year. It sits on a shelf doing its thing. I don't even think about it. It took only a few minutes to set up. Time (and expense) wise, a lot less effort and much more convenient than finding an old computer and configuring that, although Coyote Linux looks very simple.

  58. My configuration by Srin+Tuar · · Score: 2
    I have an old P1-90mhz.


    The CPU fan doesn't work. The harddrive stops spinning soon after booting- so I have to physically smack the side of the box if I want to log in and change things.

    There's about an inch of dust inside the case.

    It's running a 2.4 linux kernel with iptables, and a custom firewall script which allows multiple battlenet connections behind the firewall (which was impossible with 2.2 kernel) as well as port forwarding, and a special rule to remasq web connection to my canonical domain name.

    Other than the occasional problem with pump (redhat dhcp client) it's been working flawlessly for 6 months.

  59. Answer: none of the above by crucini · · Score: 3, Interesting
    Don't buy these dedicated boxes. Use Linux or BSD on an old PC. Others have addressed the technical tradeoffs - I want to address something else. By buying the packaged router, you:
    1. Allow perfectly good computers to go into landfills while you buy the same thing in a different form factor.
    2. Use closed-source software for a security-oriented application, with all that this implies.
    3. Cut off your ability to fine-tune, modify, and learn from your firewall.

    I use Freesco. See other posts for why it's great.
  60. Linux 2.4 iptables... by josepha48 · · Score: 3, Interesting
    If I were to buy a router / firewall, it would be either Linksys or Netgear. My current hub is Netgear. Both are usually UNIX compatible to a degree.

    The biggest advantage to using Linux or even BSD or any other UNIX is that you can configure the firewall as an actual gateway/router/firewall, DMZ whatever you want to make you feel safe on the net.

    iptables is pretty easy and if you already understand ipchains going to tables makes things easier. As you can specify an interface to forward from to. -i eth0 -o eth1 kinda thing...

    --

    Only 'flamers' flame!
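
Comments 58 and 60 describe a Linux 2.4 iptables gateway with port forwarding and per-interface forwarding rules (`-i eth0 -o eth1`). The following is an added example, not code from either poster: a POSIX shell function that emits an `iptables-restore` ruleset for that layout with a default-deny FORWARD chain. The interface names, LAN subnet, server addresses and the function names `parse_forward` and `gen_ruleset` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for a two-NIC Linux gateway.
# Interface names, subnet and server addresses used below are assumptions.

# parse_forward "proto:public_port:internal_ip:internal_port"
# Sets fw_proto, fw_pub, fw_ip, fw_port; returns non-zero on a malformed spec.
parse_forward() {
    fw_rest=$1
    fw_proto=${fw_rest%%:*}; fw_rest=${fw_rest#*:}
    fw_pub=${fw_rest%%:*};   fw_rest=${fw_rest#*:}
    fw_ip=${fw_rest%%:*};    fw_port=${fw_rest#*:}

    case $fw_proto in tcp|udp) ;; *) return 1 ;; esac
    for fw_n in "$fw_pub" "$fw_port"; do
        case $fw_n in ''|*[!0-9]*) return 1 ;; esac
        [ "${#fw_n}" -le 5 ] || return 1
        [ "$fw_n" -ge 1 ] && [ "$fw_n" -le 65535 ] || return 1
    done
    # Shape check only (four dot-separated numeric fields), not octet ranges.
    case $fw_ip in
        *[!0-9.]*|*.*.*.*.*|*..*|.*|*.) return 1 ;;
        *.*.*.*) ;;
        *) return 1 ;;
    esac
}

# gen_ruleset WAN_IF LAN_IF LAN_NET [forward-spec ...]
# Prints the ruleset on stdout. Nothing is printed if any spec is invalid,
# so a typo cannot produce a half-written firewall.
gen_ruleset() {
    [ $# -ge 3 ] || return 2
    gw_wan=$1; gw_lan=$2; gw_net=$3; shift 3
    for gw_f in "$@"; do
        parse_forward "$gw_f" || { echo "bad forward: $gw_f" >&2; return 1; }
    done

    # nat table: DNAT inbound services, masquerade outbound LAN traffic.
    printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]'
    for gw_f in "$@"; do
        parse_forward "$gw_f"
        printf '%s\n' "-A PREROUTING -i $gw_wan -p $fw_proto --dport $fw_pub -j DNAT --to-destination ${fw_ip}:${fw_port}"
    done
    printf '%s\n' "-A POSTROUTING -s $gw_net -o $gw_wan -j MASQUERADE" 'COMMIT'

    # filter table: drop by default, then allow only what is needed.
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' "-A INPUT -i $gw_lan -j ACCEPT"
    # Replies to connections that were already allowed.
    printf '%s\n' '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # LAN to Internet; the source match rejects spoofed addresses from the LAN side.
    printf '%s\n' "-A FORWARD -i $gw_lan -o $gw_wan -s $gw_net -j ACCEPT"
    # New inbound connections only to the forwarded services (post-DNAT address and port).
    for gw_f in "$@"; do
        parse_forward "$gw_f"
        printf '%s\n' "-A FORWARD -i $gw_wan -o $gw_lan -p $fw_proto -d $fw_ip --dport $fw_port -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Constructed sample: a web server on .10 and a mail server on .11.
gen_ruleset eth0 eth1 192.168.1.0/24 tcp:80:192.168.1.10:80 tcp:25:192.168.1.11:25
```

Piping the output into `iptables-restore --test` as root checks the syntax without loading it. The INPUT policy here drops everything arriving on the WAN interface that is not a reply, so the box can only be administered from the LAN side.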

  61. Router+FW+Print server=SMC 7004ABR by N8F8 · · Score: 2

    I got the SMC 7004ABR last month. I use @Home cable internet and the performance is great. I set up a static IP on the WAN side and DHCP on the LAN side. Two machines are stationary and I have a laptop I boot to Win2K and Mandrake 8.0. DHCP works great.

    The Print server is great. I have an Epson Photo 700 I can print to from all machines. It isn't a true print server, more like a virtual printer port. Works great in Win98 and Win2k, but the instructions for Linux are outdated and I can't get it to work :(

    The firewall is basic NAT protection with limited hack logging. You can secure ports or map them individually in the Web/HTML setup screen. You can also turn off ping replies.

    I'm beginning to think that the logging feature is broken with the new software upgrade available. It logged tons of stuff till I ran the upgrade.

    One thing to really boost performance in Windows is to go to SpeedGuide.Net patch section and run the @Home patch and the generic patch. My download speed quadrupled from 400K/s to 1600K/s.

    --
    "God fights on the side with the best artillery." - Napoleon, Marshal of France - speaking truth to power
  62. power to the pepole! by twitter · · Score: 2
    People who are not interested in being sysadmins have a right to NAT too!

    People who are not interested in being linguists have a right to speak Russian too! Rise up and overthrow they Tyrany of Ihgnorance!

    --

    Friends don't help friends install M$ junk.

  63. Do You Already Have A Windows PC? by corky6921 · · Score: 2, Informative

    There has been much discussion on some of our internal mailing lists about the best router. Some involve setting up an older computer or purchasing a new router. Well, I didn't want to clutter up my house with another PC, and I didn't want to spend $110+ on a router, so I used my existing Windows 2000 PC. It's easy to set up. Here are the details:

    You will need:

    -- Ethernet cards for each of the computers
    -- At least one computer running Windows 2000 (recommended for stability)
    -- A crossover cable or (preferably) a 10/100 Ethernet hub

    Here is the easiest way to do this.

    Install Ethernet cards into both of your computers.

    Connect one PC to the modem. (If you have an Ethernet-based modem, you'll need two Ethernet cards in the computer connected to the modem.)

    Connect both computers to the hub, or, if you're using a crossover cable, connect them together using that.

    Make sure your Internet connection is up and running on the computer connected to the modem.

    Assuming you're using Windows 2000, the next steps follow like this:

    Right-click on My Network Places and click Properties. Right-click on your ethernet adapter and hit Properties. Click the tab labeled "Sharing" and click "Enable Internet Connection Sharing". (If you're using dual Ethernet cards in this system, you should right-click on the adapter connected to the outside world. TIP: rename your adapters so you know which is which; "External" and "Internal" are good choices. ;)

    That's it! Both your computers should now be connected to the Internet. Total cost: two ethernet cards at $10-$20 each and a Netgear 4-port 10/100 hub at $40 for $80 maximum.

    I recommend installing Windows 2000 (or heck, Windows XP Pro) if you're going to be doing file/print sharing and networking. Windows 2000 in general is a much better product than Windows 9x for network-intensive applications. Whatever you do, if you enable file/print sharing, do yourself a favor and make sure that both computers have the same OS, as you'll save yourself a lot of trouble in the long run. (It is possible to do it with 2000 and 98, but it's a lot more of a hassle than with both computers running the same variety of Windows.)

    You can also do the above using Linux, but I already had the Windows 2000 computer, and Linux's version of ICS isn't that easy to set up. Windows 98 and ME also have the Internet Connection Sharing option.

    If you want to do specific routing such as setting internal static IPs or setting up network printers, you're much better off going with a server OS. I've used Windows 2000 Server to do this. However, for your basic home networking setup, W2K Pro works wonderfully.

    1. Re:Do You Already Have A Windows PC? by interiot · · Score: 2

      My friend reports that ICS requires no setup whatsoever, moreover, several different computers can run counterstrike behind it. I don't understand how this works, it doesn't seem that Linksys or any standard NAT software can possibly do this. Has Microsoft made a better product than Linksys could do?

  64. My Suggestion: Netgear RO318 by dhamsaic · · Score: 4, Informative
    I personally recommend the Netgear RO318. I used to have the Linksys BEFSR41, but I dumped it because it was causing problems playing Quake III Arena online. I did a lot of research, and found that the RO318 best suited my needs. Here's why:
    • Price: In the $150 range, it's not cheap, but not expensive. However, its other features quickly make it worth every penny.
    • 8 port switch: more than I've seen for this price. This is good, seeing as I have an obscene number of computers in my house.
    • Web-based setup: I really didn't want to telnet into the router and set it up, so I made sure this one has web-based setup. It does, and it's easy to configure. It took me about 5 minutes to get it set up with my DSL (Verizon).
    • Stateful Packet Inspection: The RO318 is a real firewall, not just NAT (although it does do NAT).
    • Web-access policies: You can block certain computers from going to websites containing keywords, etc. This is useful if you don't want your kids to be visiting teenieporn.com
    • Email reports: The router will email you and let you know if a) you are being attacked (automatically detects portscans, etc) and b) if sites are being visited that shouldn't be (of course, you set this all up).
    • Design: It's flat and sturdy, which means I can put my other switches on top of it. Couldn't do this with the Linksys due to its design.

    Overall, I love it. No problems with Quake III Arena, easy to set up, works flawlessly. The reasons the above poster listed are also true: with 8 ports, you can always plug in a laptop; port forwarding works well, and Netgear also has a great reputation.

    Here is the product information page at Netgear. It can be had from buy.com for $155.

    --
    Every once in a while I like to masturbate a new word into my vocabulary, even if I don't know what it means.
    1. Re:My Suggestion: Netgear RO318 by dhamsaic · · Score: 2
      Heh. If Netgear support sucks, Linksys support sucks more than the entire fluffer girl union. I like their products (use a Linksys switch on a couple computers as well as some Linksys NICs, and they work great), but their support is awful. It's basically the same deal you describe with Netgear, but imagine stretching it out over a few months. God.


      RE: RT314 - As I recall, you can only do 8 computers on this one (to do more, you have to buy an upgrade license and then upgrade the firmware) - that's why I didn't get it. My friend has this one, and he liked it a lot (got it to fix the same Quake III Arena problem), but you can't put more than 8 computers on it (I have 16 in the house right now and 3 more on their way), and that's a problem with me. The RO318 goes up to 253, which is plenty. So... just as a thought, you may want to return the RT314 and grab an RO318 if you plan on having more computers around. I also try and not support the whole scheme of licensing hardware - I bought the shit, it's mine to use as I see fit.


      Also, one thing I didn't note to people interested - the firmware on the Netgear RO318 is upgradeable by ftp or by the web browser, so you don't need to be running Windows to do it (unlike some products, which come with a Windows .exe). Another bonus, since I use Linux and MacOS X pretty much exclusively.

      --
      Every once in a while I like to masturbate a new word into my vocabulary, even if I don't know what it means.
    2. Re:My Suggestion: Netgear RO318 by dhamsaic · · Score: 2

      My mistake - the RT314 looks okay, it's the FR314 that only does 8. But there's no Stateful Packet Inspection on the RT314... still might want to consider taking it back and getting a different one... but you might not too :) If it ain't broke, don't fix it.

      --
      Every once in a while I like to masturbate a new word into my vocabulary, even if I don't know what it means.
  65. Cisco 1600 by KenFury · · Score: 4, Informative

    Why screw around? If you are serious about this spend $50 extra and get a used router off eBay. You can get a 1600 series with 2 ethernet ports for around $225 plus shipping. You get a real router, a little experience with Cisco kit and with the GUI config even my dad could set this up.

  66. Funny, I just did this 2 days ago... by greebly · · Score: 2, Interesting
    I built a new computer for my brother, and got his old K6-200. I used an old 3.2G hdd I had lying around, added a network card, and installed FreeBSD 4.3. I set the 2 cards up in Bridge mode and built a kernel to use IP Firewall. I get stateful filtering, and pretty much a fully transparent (stealth) firewall that I can have multiple machines behind. My cost? $14 for a network card...

    Granted, I had a lot of old hardware, but it cost me next to nothing either way. As for power consumption, there's no floppy, no cdrom, no keyboard or mouse or monitor connected, bupkus. There's not much power consumption there. It may not be as little as 15 or 30 watts, but it's a small enough amount that I'll use this happily.

    --
    Do not meddle in the affairs of dragons, for you are crunchy, and taste good with ketchup.
  67. Check out LEAF by dexsun · · Score: 2, Interesting

    LEAF, the Linux Embedded Appliance Firewall project is pretty sweet.
    I built one in about an hour using old pc pieces that I had
    lying around, (p75, 48mb of RAM, 2 NICs, and a floppy drive.)
    Check out the site on sourceforge.
    --Andy

  68. OT: NetMeeting by grammar+fascist · · Score: 2

    Speaking of NetMeeting, does anyone know of a kernel module for 2.4 or 2.2 that will handle H323?

    --
    I got my Linux laptop at System76.
  69. Netgear RT314 has been fantastic for me by websensei · · Score: 2, Informative
    - Easy to set up

    - Cheap ($120 6 months ago)

    - Virtually impenetrable

    - It DOES support dyndns

    - Easy to configure filtersets

    - DHCP client and server

    - Fast

    - Low power consumption

    - Solid firmware

    - Small footprint

    - Cool metallic blue ;)

    Seriously, it's virtually flawless.


    Also my Linux server and dual-boot linux/win2k dev machine and wife's windows laptop all are happily easily connected simultaneously without any hassle.


    I'm not a sysadmin by nature; having an appliance that is secure and easy has allowed me to keep focusing on the stuff I'm interested in.


    http://www.netgear.com/product_view.asp?xrp=4&yrp=12&zrp=55

    --

    The only way to paradise begins in hell
  70. Cisco 675 DSL modem: Not documented enough by Futurepower(tm) · · Score: 2


    I've found that the Cisco 675 DSL modem is documented very poorly. In three weeks, Cisco technical support has been unable to provide a complete sample script to configure the firewall features of the 675. (The case is still open.)

    Cisco makes it very difficult to get firmware upgrades, unless you have a support contract that costs more than the modem.

    The 675 provides no protection in "bridging" mode. In NAT mode, it cuts off services like Yahoo Messenger and Microsoft NetMeeting, without documenting that these will not be available.

    --
    Bush's education improvements were
  71. OpenBSD by isa-kuruption · · Score: 2

    okay, I know it's been said before, but...

    I've had my cable modem for 4+ years. I have been running OpenBSD for the last 3 years as my firewall, running originally on a P133 and now on a Ppro200 w/ 64mb ram and an old 3GB drive. For "fun", I bought a 4-port NIC from D-link and have fun doing the VLAN config and stuff. I, in fact, just installed a wireless NIC into it as well and use it as my access point (more or less)! I get about 50' indoors in 'ad-hoc' mode. OpenBSD with Ipfilter+Ipnat+DHCP works great. Why spend the $300 on a crappy "appliance" from half-rate network manufacturers or $700 from a decent manufacturer? It just doesn't make sense! Sure, the machine is bigger (mini-tower case) and requires a bit more expertise, but hell this box goes for MONTHS without a reboot and I haven't had 1 script kiddie / hax0r incident since I've been running it! It's a great thing!

  72. What I know I learned from: by AnhZone · · Score: 2, Informative
    I second the Practically Networked site. Especially good are the product reviews. Start here.

    On the strength of a Practically Networked review, I had good luck with an SMC Barricade router with 4 ports and a built-in firewall a year ago, but things may have changed a lot since then. It took me only about 15 minutes to install (not counting network setup on the computer) and cost ~$100.

    I learned about related topics from

    How to set up a network at home: MIT guide with Linux focus.

    World of Windows Networking: If Windows networking is screwing up (as it often does), go here.

    homePCnetwork forum: Configuration questions answered, mostly by guy who runs the forum.

    Technocopia: Overview articles on home networking.

    Grant's Closet: Home LAN wiring.

    Steve DeRose's guide: CAT5 wiring.

    Telecom wiring: links to HOWTO and info articles on wiring.

    --
    Patriotism is the conviction that your country is superior to all others because you were born there. (GBS)
  73. Logging? by glowingspleen · · Score: 2

    I finally got cable, so I tossed my Linksys Router onto the LAN last night. I was looking at the logs and they look sparse using that "LogViewer" util Linksys gives out.

    Any advice on a better log viewing utility for a Win9x environment?

  74. Two experiences of dedicated NAT boxes by wfmcwalter · · Score: 2, Informative
    I've used two of the more popular NAT boxen on my home ADSL connection. For what it's worth, here's what I found:

    Linksys BEFSR11
    Easy to install, fast, very nice web-based control UI. I had significant ongoing problems with this unit, where it would get "blocked up" (where it would become largely unresponsive, even to pings). With sufficient perseverance one could get through to the webUI and manually force it to drop and reconnect its PPPoE connection, after which it was generally okay. There seemed to be a strong correlation between this happening and my roommate using her (darn) win95 box. The box also went similarly nutzo when the DSL connection had occasional "issues" - when the DSL was down, the box itself became mostly unresponsive, even to internal traffic. I have two friends who also have this unit - one has perfect results, another has even worse results (all, including myself, using the latest Linksys firmware).

    NetGear RP114
    Doesn't have the same reliability issues that the NetGear did. Its web interface is terrible, but they do have an excellent telnet based interface, which has a lot more real-time technical info than did the Linksys' UI. Webpage performance seems (subjectively) a bit more sluggish, but raw DSL speed tests are still nice and fast. Includes a DNS server, which the Linksys didn't. Less non-techie friendly than the linksys.

    --
    ## W.Finlay McWalter ## http://www.mcwalter.org ##
  75. I use Coyote Linux + 486DX4/100 + cable modem... by Richard+Steiner · · Score: 2, Informative

    My bandwidth is considerably higher than 180KBytes/sec (testing by grabbing a 10MB file from RR's local FTP server shows 247KBytes/sec), and there doesn't seem to be all that much drain on the box. I think it's capable of handling much higher throughput.

    I'm even using two no-name ISA NICs (older NE2000 clones with jumpers).

    --
    Mainframe/UNIX Bit Twiddler and long time Windows/Linux Hobbyist.
    The Theorem Theorem: If If, Then Then.
  76. NetGear, Linksys, & Linux... Oh my! by weslocke · · Score: 2, Informative

    I always had great experiences with my old ISDN Netgear router. Easy to configure, easy to open-close ports... just a nice little box sitting there tossing my packets. No real issues to speak of.

    I had the Linksys DSL Router (BEFSR1 I believe is the model number) and absolutely loved it. Again very easy to configure, this time due to a web interface that was even easier than the Netgear's text based menu system.

    There's just one thing. The Linksys supports PPPOE, but unless they've fixed it in the last 7 months or so their support for it is horribly broken. I had DSL through Bellsouth via PPPOE and was having to constantly reset my Linksys due to it going into Lala-Land constantly. Except for that though it was a great little box, and probably would be my pick if I hadn't been on that PPPOE connection. It does however have a DMZ option which allows you to do static routing to one machine without it performing NAT translation, btw. Don't know about the Netgear.

    After I gave up on the Linksys, I decided to "do it right" and slap Linux on a 400mhz I had sitting around. I ran that option for about 6 months or so with only one small problem. (I forgot to change my device for my firewall when I went from DSL to Cable and ran wide open for a few weeks. Got hacked and had to reload. Ooops.) It works great except for a few things... takes a while to reconnect if you lose power, Ipchains/Tables is a pain to configure (Yes there are GUIs, yes, yes, yes to everything else. Blah blah blah), if you decide you want to do something like port forwarding later it's a pain to configure / recompile the kernel for that, and whatnot.

    Finally said "ta heck with it" and picked up another Linksys to run on my cable. It's been plugging away for about two weeks now and I'm loving it.

    (Btw, I'm not knocking Linux. I have it on my secondary workstation at work, and on my alternate system here at home. But, like the guy originally said, "Die-hards will insist that one should run a standalone box with dual ethernet cards and the appropriate routing goodies -- but these standalone boxes, at 5-15 watts and a couple hundred bucks, seem like comparatively hassle-free solution". He's right. The standalone boxes _ARE_ a nice hassle free low-power low-maintenance solution. Linux for a simple router is like using hand grenades to dig holes for potted plants)

    The Cisco 1720 is a good router also, though it'd probably be a bit pricier than what you're looking for. A complete pain in the ass to configure, but it'll let you do just about anything you want to do. You could configure a pool of IPs for static access, another for DHCP, and another for NAT.

    --

    'Life is like a spoonful of Drain-O, it feels good on the way down but leaves you feeling hollow inside'
  77. the router / firewall I use by CmdrPinkTaco · · Score: 3, Interesting

    http://www.linksys.com/products/product.asp?prid=142&grid=5

    IIRC it will forward up to 10 (maybe it's 20) ports to any computer internally. It is fairly configurable. Allows for static or DHCP internally (as a server and a client). And for $99 it is tough to beat. Sure you can get a POS Linux / *BSD box, but this worked for me literally out of the box. DISCLAIMER: I don't claim to be a huge power user, but for what I use it for (firewalling and forwarding of web, mail and ftp ports) it is ideal and it is simple. Here at my office, I wouldn't think of using something like this on our network, but it does quite nicely for a home user who is concerned about security and just wants more blinking lights :)

    --
    Please give your mod points to others, I'm at the cap. They will appreciate it more
  78. Hardware and Software Firewall by Mistah+Blue · · Score: 2, Informative

    I use a Linksys as my hardware solution. Works great. I then use Tiny Personal Firewall or ZoneAlarm for my PC's. I like either of these products because I'm alerted about outbound connections (trojan protection and in one case it alerted me to the fact I didn't have NAV enabled for a mail account). I previously ran a FreeBSD firewall on an old laptop. I switched to the LinkSys to reduce clutter and simplify life (I have twins and don't really have time to mess with keeping up-to-date on FreeBSD patches/etc.). I like the PPTP pass-through on the LinkSys. Previously I hung the company laptop docking station on my DMZ (I have two statics) and relied on the laptop firewall software. If I wanted to do anything internally I had to plug in the PC Card Ethernet to my network (major pain). Now, I don't need to do that. For me it was a matter of simplifying things.

  79. Linux Router Project by slipgun · · Score: 2, Informative

    Have a look at the linux router project (lrp). http://www.linuxrouter.org. I have had it running 24/7 for about 6 months now, and not once has it crashed (not surprising, since it's based on linux). However, it also runs directly off a floppy, which means the PC you run it on is virtually silent.

    I have it running on a 486-66, 16MB, no hdd, to connect my cable modem to my LAN. Of course, you can also use it with Tx/DSL/ISDN/analogue.

    Sorry, this reads like an ad, but I really love this distro - it has made life so much easier.

    --
    SpamNet - a spam blocker that really works
  80. crashing Linksys EtherFast by rneches · · Score: 2
    As much as I think these boxes can be nice solutions, and that your average home user ought to consider one of them before diving into the world of routing tables and IP chains, I've had pretty mixed luck. I'm using a Linksys EtherFast Cable/DSL router. It was a breeze to set up, no problem to configure, and otherwise cute and cuddly. However, it is not stable. We've updated the BIOS several times, RMAed the box itself, and fiddled the settings as much as we can. The thing still crashes every few days, and it runs much, much too hot. If left alone (with light or no traffic) it will crash about once a week, and require a manual reset. Under heavy traffic (~200 KB/s or more), it will crash about every hour. If you try to VPN through it, it crashes instantly. My roommate (who uses VPN to and from work) has had some luck running VPN through a tunnel, but the router will still crash from the traffic.

    Sigh. It's a nice box, and I wouldn't mind using it too much (I wish it were possible to bind multiple IP addresses and map to different subnets), but I hate resetting the damn thing all the time, or calling one of my roommates to have them reset it when I'm trying to ssh to my workstation.

    My roommate, a win2k bitch (er, gugu), wants to use that as our firewall/router. I've gotten him to agree that if he can't make it work in a week, he'll let me drop a Linux box in front of our network.

    --
    In spite of the suggestions and all the tests that I have made, I have not cavato a spider from the hole.
    1. Re:crashing Linksys EtherFast by Amazing+Quantum+Man · · Score: 2

      The Linksys BEFSR41 is a good box. I recommended it for a neighbor that just got RoadRunner.

      What was really strange, though, was that I got his second machine a Linksys 10/100 card (can't remember model #). Whenever he went to pogo to play games, it locked up tighter than a drum (Win98SE). No clue why. Replacing the card with a no-name 10/100 worked just fine.

      --
      Fascism starts when the efficiency of the government becomes more important than the rights of the people.
    2. Re:crashing Linksys EtherFast by Fjord · · Score: 2

      You should consider replacing your linksys. I have the BEFSR41 and have never had to reset it except when I upgraded the software on it by choice (it had more better forwarding options). I'm constantly ssh'ed in (through ssh forwarding I do other things) while I am at work. If your box is that unstable, get it replaced. It shouldn't be like that.

      --
      -no broken link
  81. WatchGuard Soho vs Sonicwall Soho. by FrankieBoy · · Score: 2, Informative

    I purchased the WatchGuard Soho over a year ago and it's been so-so. It tends to lock-up from time to time and when I contacted tech support they told me that it would be fixed in a future rev of the firmware. Unfortunately my one-year of firmware upgrades has now expired and I still have the problem. I could re-up with them but having a gun put to my head doesn't make me very happy. I'm now looking at the Sonicwall Soho which has the same features as the WatchGuard but includes a lifetime firmware subscription. PPPoE is critical for most DSL and NAT allows you to use one DHCP assigned address for many machines on your home network, something that most ISP's frown upon. Setup for the WatchGuard was easy through the browser and the Sonicwall offers the same. If you're real clever you could dust off one of those old P75's in the basement and install a stripped down Linux distro to perform the PPPoE, NAT and Firewall functions.

  82. DNS on the LAN? by _|()|\| · · Score: 2
    Most of the "cable/DSL" routers I've seen include a simple DHCP server. However, none of them handle DNS on the LAN.

    I'd like to resolve local DNS requests from the DHCP clients table. Are there any sub-$300 routers that do this?

  83. Dynamic DNS with Linksys router howto... by raygundan · · Score: 3, Interesting

    I'm doing dynamic DNS with the Linksys 4-port router. There's a python script called ipcheck for this that supports devices from Linksys, Netgear, Draytek, Netopia, HawkingTech, Watchgard, Cayman, Nexland, ZyXEL, SMC, Compex, UgatePlus, DLink and Cisco. That should about cover it...

    Just set it up to run with a cron job, and if your IP has changed, it will be updated. With the linksys router, it doesn't even need an external CGI to detect your IP address-- it can query the router. I'm sure some of the other units have similar functionality, too, but my experience is only with the linksys.

    1. Re:Dynamic DNS with Linksys router howto... by aozilla · · Score: 2

      As I mentioned, all of this "can be done with a separate 24/7 machine behind a linksys," but if I'm going to run my machine 24/7 I'm not gaining anything by the linksys in the first place (still have the noise, no cost, still have the electricity usage). There's not even a security benefit in my case since I'm using vmware and running the "router" in an isolated virtual system anyway. Of course vmware isn't a solution for those who don't already have it, since it's expensive, but even without vmware you can gain all the functionality and only lose a very small amount of security (if set up properly). If vmware were only free, I'd publish a .dsk file and anyone could have his/her own virtual linksys running just like I do.

      --
      ok then your [sic] infringing on my copyright! Could you as [sic] me next time before STEALING my comments for your own?
  84. Coyote Firewall by Ace905 · · Score: 2

    I believe the easiest way to setup a good firewall is to find an old system (or assemble one). A 486 66mhz with 16MB of ram works incredibly well; but an even lesser system is also good.

    Put in two Ethernet cards, and install Coyote linux. A distribution that works off of a standard 1.44Mb Floppy Disk. It reads its config. and binaries from the disk at bootup, and never touches the disk again - to ensure the drive lasts as long as possible, as well as the disk.

    This solution is so good, (in my humble opinion), that just last year me and my makeshift consulting company were selling 486 boxes configured for just this purpose at about $300CDN. 1 of the 5 boxes we sold went defunct; its CMOS battery died. So we replaced the whole box (for nothing) to save time and still made an 'ok' profit.

    The benefit to using a whole system, especially an outdated one is the amount of customization you can make to the firewall; ie: displaying attacks of a certain nature on the monitor, respond to attacks of a certain nature maliciously, and automatically. etc. etc. And it's cheap. Super cheap!

    The only disadvantage to Coyote is that the distro. doesn't support HDDs, so you can't keep extensive log files.

    I would only buy Hardware Routing / Firewall Devices for small business that may wish to go with another, less "knowledgeable" consulting company in the near future. Otherwise, Linux boxes are the best for Networking.

    Check it out:
    Coyote Linux Dot Com

    Ace905
    [Admin] www.MyHomeTechie.com

    --

    Ace
  85. Cisco 2611 by green+pizza · · Score: 2

    I use a 1U rackmount Cisco 2611. It has two ethernet ports plus several expansion slots. It runs Cisco IOS, the same router OS that powers all of Cisco's routers, and thus can be configured every which way. The 2611 has two 10BaseT ports. The 2621 has two 100BaseTX ports. Both cost a fair amount, but are worth every penny.

  86. Re:Good home wireless access point? by cje · · Score: 2

    Linksys wireless access point with card is great. Tested and loved...

    I agree about the Linksys access point (WAP11 in my case), but from my experience I would steer clear of the Linksys PC card. It works all right, but the range of the thing is not even close to what is advertised. I have a Linksys access point and an Orinoco (the old Lucent WaveLAN) Silver PC card, and it wirelessly networks my Linux laptop great. I started out with the Linksys card and ended up doubling my range when I moved to the Orinoco.

    --
    We're going down, in a spiral to the ground
  87. But get the current firmware and set the password by Animats · · Score: 5, Informative
    The Linksys home-sized routers aren't bad if you have current firmware, but firmware from the first half of 2000 crashes frequently.

    Also, and I cannot overemphasize this, set the password. Not only are Linksys routers administered via a web interface, and attackable that way, they accept firmware downloads via TFTP, and will accept a firmware download from the WAN side. So an attacker can patch the thing remotely if it's not secured.

  88. Re:Red light the Linksys router by Keeper · · Score: 2

    I've had the opposite experience as you.

    I've had no problems with any games, including the same game being played on the internet on the same server but on different computers behind the router. No problems with the router crashing under any kind of load either. *shrug*

  89. For DSL/Cable users, the Multitech RouteFinder by Fencepost · · Score: 2
    Specifically, the RF500S.

    For one specific reason: it supports an external modem that can be used as a backup connection.

    This is less of an issue now since most of the DSL providers that were going to fail have done so, but for people using Covad who aren't confident that the company is going to live this is a good solution - you can set it up and use it as a NAT box and firewall, and when your DSL provider goes bankrupt and shuts down you can switch to a dialup or ISDN connection with minor configuration changes on the box itself.

    This is also useful if it's important that you be able to get access anytime, even if the service is temporarily down.

    When it's not being used as a dialup (or ISDN) connection, the serial port can also act as a single-port RAS box, supporting PPP connections into the network.

    As far as having boxes outside the firewall I believe it has some support for that but it's not perfect. Specific outside ports can be mapped to particular internal machines and ports, but I don't know if it supports port ranges - I haven't kept completely up to date on the firmware updates.

    For the manuals, see http://www.multitech.com/DOCUMENTS/RouteFinder/manuals.asp

    --
    fencepost
    just a little off
  90. These walls are paper thin by Graymalkin · · Score: 2

    Weird discussion, as I just got a cable modem and a router. I went with the Linksys BEFSR11 router because it had the features I wanted and was 79$ as an open item at Best Buy. The main feature I wanted for my cable modem was MAC address cloning. I know some cable companies (MediaOne) lock a cable modem down to the MAC address of the NIC they install in your computer. I don't know if Charter does this but I decided I wanted the functionality just in case. The Linksys also supports port forwarding, access/deny lists and will allow for PPTP and IPSec pass throughs. Oh yeah and one of the most important, DMZ hosting so I can play games and whatnot. I don't plan to stick Linux on it because I just don't have the fetish desire to hack Linux onto everything I own. If you plan on getting one make sure you stay away from the BEFSRU31 model; instead of connecting to your LAN/PC by Ethernet it uses USB. Even under Windows I've yet to have a USB device work properly.

    --
    I'm a loner Dottie, a Rebel.
  91. Don't buy the Linksys by tmark · · Score: 2
    I had the Linksys (BEFR414 if I recall or some such). It seemed to work great. However, when playing Age of Empires 2 through it, I found that 85-90% of my games ended with out of sync errors, sometimes 45 minutes into the game, with the errors usually attributed to other players. I assumed that the fault lay with the game or the Zone itself, until on a hunch I disabled the Linksys and found that all my games now played through to completion. I guessed that there was some sort of problem with its port-forwarding.

    I ended up buying a Netgear RT 314 after they finally implemented port-forwarding and have had nary a problem. Plus, the top of the Netgear is flat which means you can stack your switch-box, hubs, etc. on it (the Linksys has a curved top). Netgear has substantially upgraded their firmware and there are plenty of options now, including filtering rules. It does support DDNS, but I have just been using a box running Perl scripts behind it instead.

  92. SMC is a good choice by MacBoy · · Score: 2, Informative
    Wow.. there are a lot of opinions in this thread!

    Allow me to enter mine:
    I have an SMC Barricade (8 port), and it works beautifully. In addition to all the cable/DSL firewall/Router features you could want, it also does print serving and even dial-up. It is nice to be able to fail-over to dialup when the good ol' reliable @home goes down, as it often does.

    The SMC will allow port mapping to static IP's in addition to DHCP on the LAN (as the poster had wanted). In addition to that, it can be configured to block out certain IP's or networks; it can be configured to "open up" a range of incoming ports when a connection is started on a specific outgoing port from behind the firewall (good for kludging support for unsupported protocols); it can be configured to allow for ftp connections to work through the firewall on a non standard port (that kind of thing usually would break ie's ftp client, for example); it can do PPPoE out of the box (for certain DSL providers), supports hostname configuration and MAC address cloning (for certain Cable providers), supports dialup through an external modem, has a built-in print server, etc., etc... very full featured.

    It works with my company's VPN (I don't know which protocol it uses, but did not work with WinRoute on a PC as a firewall). It also works with Quicktime streaming (the preferred RTTP over UDP method), which again broke with WinRoute on a PC.

    In addition to all that, the unit is fairly small and unobtrusive and it does not use a power brick, instead it has a built-in power supply and takes a standard computer power cord! yeah! That's one fewer wall-wart to deal with on the power strip.

  93. Re:Red light the Linksys router by Andrewkov · · Score: 2
    Yep, I've got a 486 running Red Hat 7.0. Since it has limited disk space I didn't install X or any development tools (can't recompile the kernel, which kinda sucks!). This machine is currently at 69 days without a reboot, and that was only because the power went out..

    That brings me a side point, if you're running the EXT2 file system, it's a good idea to pick up one of those $200 UPS's.

  94. What the poster asked by Lumpish+Scholar · · Score: 2

    ... we'd like to pass through packets for our two server machines, and use NAT/DHCP on a third address for the rest of the LAN. Nearly all the boxes advertise that they can do NAT routing, but many don't support NAT and static-IP routing simultaneously.

    (1) If you have two servers providing the same service (listening on the same port), you'll need two or three IP addresses, a hub (connected to the DSL or cable "modem"), and either a NAT router or a way for one of your servers to do NAT.

    (2) If you have different services on the different servers (e.g., HTTP, e-mail, Q3), you can have one IP address, and configure the NAT to pass the appropriate ports through to the appropriate servers ...

    ... if the protocols you want to support are NAT friendly. If the protocols specify, "Further communications will happen on such-and-such a port at such-and-such an IP address," it won't work. You're not only doing NAT (Network Address Translation), you're also doing PAT (Port Address Translation), and the "such-and-such a port" message needs to be translated.

    For example, FTP clients wouldn't work well over NAT (in passive mode, I think), except that every NAT router supports client FTP. I don't know if they support server FTP. Voice-over-IP protocols (H.323 and SIP) are notorious for not working over NAT; the respective standards organizations are trying to find solutions.

    If you need to support a NAT-unfriendly protocol, go back to (1).

    See also this article (cached): "Network Address Translation: Not A Panacea".
    --
    With grief, with determination, and with hope.

    --
    Stupid job ads, weird spam, occasional insight at
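The port mapping and the "such-and-such a port" problem described in the comment above, as an added example that is not part of the original thread: a toy NAT/PAT table with static forwards, plus a rewrite of the FTP `PORT` command, which carries the client's address and port inside the payload. The class and method names, the addresses (203.0.113.10 is a documentation address) and the dynamic port range are assumptions made for illustration.

```python
import re

# An FTP client announces its data endpoint inside the payload:
#   "PORT h1,h2,h3,h4,p1,p2"  where the port is p1*256 + p2.
PORT_RE = re.compile(
    r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})(\r?\n)?$"
)


class NatRouter:
    """Hypothetical NAT box: one public IP, static forwards, dynamic PAT."""

    def __init__(self, public_ip, first_dynamic_port=50000):
        self.public_ip = public_ip
        self.forwards = {}   # public port -> (private ip, private port), static
        self.dynamic = {}    # public port -> (private ip, private port), on demand
        self._next_port = first_dynamic_port

    def add_forward(self, public_port, private_ip, private_port):
        # Case (1) in the comment: one public address has only one port 80,
        # so two servers offering the same service cannot both be forwarded.
        if public_port in self.forwards:
            raise ValueError(f"public port {public_port} is already forwarded")
        self.forwards[public_port] = (private_ip, private_port)

    def translate_inbound(self, public_port):
        """Private (ip, port) for a packet hitting public_port, or None (drop)."""
        if public_port in self.forwards:
            return self.forwards[public_port]
        return self.dynamic.get(public_port)

    def _allocate(self, private_ip, private_port):
        # Reuse an existing mapping for the same private endpoint.
        for public_port, target in self.dynamic.items():
            if target == (private_ip, private_port):
                return public_port
        while self._next_port in self.forwards or self._next_port in self.dynamic:
            self._next_port += 1
        if self._next_port > 65535:
            raise RuntimeError("no free public ports")
        public_port = self._next_port
        self.dynamic[public_port] = (private_ip, private_port)
        return public_port

    def rewrite_ftp_port(self, line, packet_src_ip):
        """Translate the address and port carried inside a PORT command.

        Lines that are not PORT commands pass through unchanged. A PORT
        command naming a host other than the packet's real source is
        refused, so the helper cannot be used to open a hole to a third
        machine on the LAN.
        """
        match = PORT_RE.match(line)
        if match is None:
            return line
        numbers = [int(g) for g in match.groups()[:6]]
        if any(n > 255 for n in numbers):
            raise ValueError("value out of range in PORT command")
        embedded_ip = ".".join(str(n) for n in numbers[:4])
        if embedded_ip != packet_src_ip:
            raise ValueError("PORT address does not match the packet source")
        private_port = numbers[4] * 256 + numbers[5]
        public_port = self._allocate(embedded_ip, private_port)
        eol = match.group(7) or ""
        ip_part = self.public_ip.replace(".", ",")
        return f"PORT {ip_part},{public_port >> 8},{public_port & 0xFF}{eol}"


if __name__ == "__main__":
    router = NatRouter("203.0.113.10")            # constructed sample values
    router.add_forward(80, "192.168.1.2", 80)     # web server
    router.add_forward(25, "192.168.1.3", 25)     # mail server
    raw = "PORT 192,168,1,50,19,137\r\n"          # client offers 192.168.1.50:5001
    print("untranslated, server would dial:", raw.strip())
    print("translated:", router.rewrite_ftp_port(raw, "192.168.1.50").strip())
    print("inbound 50000 ->", router.translate_inbound(50000))
```

Without the rewrite, the remote server is told to connect to a private address it cannot reach; with it, the announced endpoint is the router's public address and a port the router has mapped back to the client.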
  95. if you have an old Mac around by rakerman · · Score: 2, Informative

    IPNetRouter will run on relatively underpowered Macs, which gives you an extra level of protection, since the MacOS (before MacOS X) doesn't have many ports/services open for attack by default.

  96. Experiences by lanner · · Score: 4, Informative

    I am a CCNA and CCNP, I work with networking equipment for a living.

    A friend recently bought a Netgear MR314. It seemed okay. I rather like using my unix box to do filtering, mail, and other stuff, so I would never use one of these boxes. The http interface was fairly nice and easy to follow. Easy is good for networking novices.

    One problem that I encountered was the telnet support. This one had me calling their support department, not that they helped any. The command line will only accept 8 character hostnames. My friend had a 10 character @Home hostname for his authentication, and the only way to enter it was through the http interface. That sucked. Telnet is not intuitive, like Cisco IOS, but not horribly horrible.

    The MR314 is overall a good router, but I like more powerful stuff. The wireless interface was good. The construction of the box was very nice -- we took it apart. I think that it was using a Motorola processor.

    I have also dealt with the Cisco 600, 700, and 800 series routers in my time. They are pretty decent. I wish that the CBOS would allow for access lists greater than 18 (or is it 16?) lines. They take set, show, and debug style commands. Pretty intuitive. Upgrading the OS on them is easy. They can do NAT and PAT very well.

    Efficient Networks, formerly Flowpoint, routers are decent. They are command line based, and while help and documentation is really poor, they take some pretty good commands, do good syslogging, and a few other really neat things in their operating system. Unfortunately, the commands are cryptic and you have to be a real networking pro to know what they are talking about.

    Netopia routers are really great. One of the fantastic features about them is that they do IPSec (DES only, no 3DES)! That is incredible for a router of its type. They also do GRE tunnels. The next thing up if you want to do IPsec is a small Cisco router or PIX firewall, or a unix box. Netopias do great system logging and SNMP. They are configured through a telnet menu interface -- no telnet. They do excellent filtering, but entering filters is sort of a pain. Good construction of the boxes.

    A word about Qwest DSL. They only use DMT these days for DSL -- NO CAP. That means that you can no longer use the Cisco 675 on their networks. Use the 678 instead. If you own a 675 and move, you are fscked. I bought a 675 about a year and a half ago, recently moved, and was screwed for $300. I managed to hassle a poor Qwest tech into sending me a 658 at a very steep discount, nearly free -- it took a lot of work and insider knowledge to pull off though. CAP, DMT, and G.lite are like line codes or modem modulation types. They are the analog modulation codes that the DSL interface uses to get its data across the line. Wrong modulation = no workie.

    BTW: Are there Linux 2.4 kernel drivers for the Intel 2200 DSL NIC? I have two of these things that Qwest sent me, and I would love to use them in my boxen. I do not know of drivers existing though. I need to google that.

  97. Check out the new Cisco Pix 501 by Bluecoat93 · · Score: 2, Informative
    Cisco just announced the Pix 501, targeted at SOHO, but running the same PixOS as the "big iron" Pix firewalls. I'd be very surprised if it doesn't do everything you want.

    Cisco product information is here.

  98. 3Com Office Connect - supports bridging, nat simul by x-empt · · Score: 2

    The 3Com OfficeConnect 812 modem supports NAT, bridging, bridging firewall, multiple ATM connections, and all the features found on normal "firewalling" DSL modems.

    The key feature that stands out on this modem is the ability to use NAT at the same time as using bridging (optionally with firewalling rules).

    The modem has a console interface along with a web-based interface to configure with. The modem has a number of other neat features that normally don't exist on DSL modems and allows a very complex DSL installation to be performed with ease.

    I'm lucky enough to have a friend at an ISP that hooked me up with one to replace my 3Com Dual Connect (Ethernet and USB), and two other modems from 3Com (beta equipment... from an official beta test).

    I'd recommend 3Com modems over any linksys modem any day.

    - x-empt

    --
    Ever need an online dictionary?
  99. LinkSys is simple but does the job by horza · · Score: 2

    I used to run Smoothwall, which was truly excellent. Then we got given a LinkSys which is fine, does the job, and as a lot of people say is quieter and takes less power. It also frees up an old machine to experiment with. I used to be able to consistently crash my LinkSys router requiring a power cycle, but a firmware upgrade (incredibly easy, took me 5 mins using a patch from their web site) solved this. So if you are using the LinkSys router then please make sure you are using the most recent firmware patch.

    Phillip.

  100. Netgear by AaronW · · Score: 3, Informative

    I have had very good luck so far with my Netgear fr314. It has excellent logging capabilities and periodically sends all logs and alerts by email. It was easy to set up and allowed me to set up a web server behind the firewall. My main reason for getting it was that I have several computers and don't want to dedicate a computer to just being a firewall.

    The Netgear allows me to block all Active X, java, and many cookies (I have Active X blocked for most sites for my roommate's windows computer).

    Performance-wise it seems pretty good. I haven't noticed any degradation in performance, often downloading at over 400KBps (Kbytes/sec).

    It has the option of content filtering, but that's not something I want (except for things like doubleclick.net).

    It has many common services already configured and allows for more to be added quite easily.

    I wish it allowed some more complicated rules, however. For example, I want to allow some ports to only be accessed from certain IP addresses. I can configure the ports allowed or denied and the IP addresses allowed or denied, but not combinations of both. To handle that I run a secondary firewall on the server which allows more options.

    Also, the Netgear is limited to 8 clients without buying an upgrade.

    In terms of logging, I am quite impressed. It logs all port scans, attempted accesses to known trojans like netbus, pings of death, and other malicious behavior. It also classifies port scans as either possible or probable.

    It also draws only around 10 watts, and here in CA where my electric rate is hitting upwards of 0.20$/kwh,

    --
    This post is encrypted twice with ROT-13. Documenting or attempting to crack this encryption is illegal.
  101. Ping Time, VPN, other stuff by BrookHarty · · Score: 2

    I decided to upgrade my p75 nat router to a netgear RT314 nat appliance. The first thing I noticed right away was a ping drop from 40 to 20ms. This was worth it due to all the online gaming I play.

    The second thing, the appliance broke my nortel VPN connection, it couldn't handle the ipsec packets correctly. I hear IPSEC/VPN works on the newer versions, but I really don't want to buy a new box just for VPN. They should release a new rom upgrade.

    I find the biggest problems with any appliance: not upgradable, limited amount of features, limited access lists and stupid KISS features.

  102. Re:Slightly Off-Topic by cr0sh · · Score: 2

    Maybe - you may be able to remove it. What I would do is try it, and monitor the temp for a few days - if it is going up rapidly, you will know.

    I run a Freesco router too - great stuff. My PS fan was actually going out before I got around to fixing it - it was probably moving half capacity, and it was still fine, and not too warm.

    They do make "fanless" power supplies - small things - I used one on a small homemade MP3 box. You should be able to find such PS's with PC connectors on various electronic surplus sites (like allelectronics.com). Some of these need no fans, others need only a 486 type fan or something.

    I dropped a small four port hub on my box, cause I needed to support a machine that was near it. I have been thinking about extending the LEDs to the front for status, as well as making a custom box... I love Freesco!

    --
    Reason is the Path to God - Anon
  103. P/S Fan solution by dasunt · · Score: 2
    Since a lot of the replies have been about the power supply fan, here's some additional info about building a machine running LRP.


    Old Apple Performa power supplies don't have fans; several other Apple machines are similar. With a bit of splicing, they can be easily converted into an AT power supply (you just need to change the connector and either ground or add a voltage source to one wire, since the Performas had soft poweroff/on). Sure, it's not going to fit into a machine without drilling a few holes, but since this is a router that consists of a floppy drive, two NICs, and a motherboard/cpu/memory, there's gonna be plenty of room for the power supply.


    Of course, for this solution, you go with a 486/low end pentium and a large, passive (fanless) heatsink. Don't disconnect a fan from a smaller heatsink, just find a larger heatsink that was made to run fanless.


    Just my $.02

  104. Re:Linksys BESFR41. by Genom · · Score: 2

    I can use DHCP or static IP addresses on my computers

    Hmm...is this a toggle, or can you use both at the same time (for example, using DHCP to allocate a static IP to one MAC address, while allocating an internal dynamic IP to another)?

    I have 3 IPs with my current setup, (one for my server, one for my desktop, and one for my laptop) and I'd like to free one up for the occasional time I host a small (3 extra comp) lanparty, and use DHCP/NAT for the whole shebang - but I'd want to make sure the server gets its own IP all the time.

    I've been considering putting together a small firewall box to do this, but that'd take a weekend, and I'd have to find room for the extra box - one of those little linksys boxes would be perfect sizewise (we have a rather small apartment) but I wonder about the ability to do both NAT and static at the same time.

  105. freesco by child_of_mercy · · Score: 2
    well last night i got totally shafted because freesco doesn't do PPPoE

    --
    'There is a Light that never goes out.'
  106. Best deal - most features - lowest price by jbridges · · Score: 3, Insightful

    TigerDirect has the 3COM 3c510 NAT Router for $49, no rebates, that's the real price!

    It includes:

    1 port WAN (DSL/Cable Modem)
    4 port 10/100 Switch
    Parallel port with Print server
    Serial port with FAX and dialout sharing support.

    Why so cheap? It's a discontinued model.

    BUT... the insides are exactly the same as models sold by SMC, D-LINK and others, and you can use the drivers and firmware upgrade from the original maker (AMIT) in Taiwan which you can find here:

    http://www.amit.com.tw/download/firmware/

    The printer server works with standard LPD support in Linux.

  107. Re:Priceless -- not quite by Electrum · · Score: 3, Informative

    If the monitor isn't running, a computer shouldn't use more than about 10-20W. A hefty power supply is only necessary for an AGP graphics card that uses a lot of power, or when spinning up the disk drives.

  108. do it the hard way by BroadbandBradley · · Score: 2

    get an old PC and set up a router with help from the Linux Router Project then you can get fancy and have all the features you'd ever want, throw a disk in it and it doubles as a file server, cache dns lookups and web content.

    somehow it's more fun that way....or is it just me that thinks this Linux stuff is fun?

  109. Electricity Costs by billstewart · · Score: 3, Insightful

    Your old PC probably burns 100 watts. At a nice round but too low number of 10 cents/kwh, that's a penny an hour. So that's $1.68/week, or about $7.20/month, or $87.60/year. By contrast, most Cheap Little Routers cost under $100, so they're in the same price range. The real cost differences are your time installing the thing - if you view it as entertainment, along with the enjoyment of laughing at hax0rs, you win. If you view it as 15 minutes of your time at $200/hour, you lose, unless it saves you half an hour of hauling the antique to the Computer Recycling Center, in which case you also win.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  110. DSL/Cable Modem Built-In Capabilities; PC NAT by billstewart · · Score: 2
    Chances are your cable modem or DSL router has some firewall capabilities already. If your service provider lets you configure the box yourself (or makes you configure it, or you hack in), you can often get the box to do simple things like DHCP and NAT and maybe block some ports. So you don't even need an extra Cheap Little Router Box or Antique PC.

    Also, rather than use your old PC as a firewall, sometimes it makes sense to use your main PC as both the active machine and the firewall and the NAT server for your other machines. This obviously only applies if your main PC runs a Real Operating System (e.g. Linux, *BSD), but it can front-end your Mac or Windoze boxes or that Beowulf cluster of game machines your kid's building.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  111. Re:Red light the Linksys router by Col.+Panic · · Score: 2
    My BEFSR41 (router/4 port switch) works just spiffy. A cinch to set up and no problems with online games, DHCP, port forwarding, MAC address cloning, or any other feature I have tried.

    There is an exploit in which the admin password is in clear text within the html config screen, but that is only accessible *after* entering the password - so if the default p/w is changed, WTF?

    It is not a suitable replacement for a Linux firewall, which can do *so* much more, but it is a nice, relatively low-cost ($160), stable solution for SOHO (small/home office) networks.

  112. Re:Red light the Linksys router by Fjord · · Score: 2

    The admin password is sent in clear text on each request anyways. All Challenge/Response usernames and passwords use Basic authentication which is the username:password base64'd

    --
    -no broken link
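
The Basic scheme described in the comment above, as an added example that is not part of the thread: decoding the header needs no key, so anyone who can read a plaintext request to the router's admin page recovers the password. The function names are illustrative, the request path and host are constructed, and the credential pair is the one used as the example in RFC 2617.

```python
import base64
import binascii

# Constructed sample request; the token is the RFC 2617 example pair.
SAMPLE_REQUEST = (
    "GET /index.htm HTTP/1.0\r\n"
    "Host: 192.168.1.1\r\n"
    "Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==\r\n"
    "\r\n"
)


def parse_basic_authorization(header_value):
    """Return (username, password) from an Authorization value, else None."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None  # other scheme (e.g. Digest) or empty token
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None  # not valid base64
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        text = raw.decode("latin-1")  # older clients sent ISO-8859-1
    # Only the first colon separates the fields; passwords may contain ':'.
    username, sep, password = text.partition(":")
    return (username, password) if sep else None


def build_basic_authorization(username, password):
    """Build the header value a browser sends with every request."""
    if ":" in username:
        raise ValueError("username must not contain ':'")
    pair = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(pair).decode("ascii")


def credentials_exposed_on_wire(request_text):
    """Return credentials readable from a raw plaintext HTTP request."""
    for line in request_text.split("\r\n")[1:]:
        if not line:
            break  # blank line ends the header section
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "authorization":
            return parse_basic_authorization(value)
    return None


if __name__ == "__main__":
    print(credentials_exposed_on_wire(SAMPLE_REQUEST))
```

Because the encoding is reversible by design, only transport encryption or a different authentication scheme keeps the admin password off the wire.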
  113. Re:Priceless -- not quite by The+Mayor · · Score: 2

    You're way off. If this were the case, fans would not be required or used. Don't forget the inefficiencies (heat) of the power supply. Each device in an old machine, from the network cards to the video card to the hard drive, as well as everything on the motherboard, all generate heat. The total draw of the components and CPU will likely exceed 50W. I think when you throw in fans and the power supply, you're going to find it is very close to, if not well above 100W.

    --
    --Be human.
  114. People are guessing about how much power is used!! by Futurepower(tm) · · Score: 2


    People are guessing about how much power is used!!!!

    It is better to measure it. When I have measured power use, it has been much lower than the rating of the power supply.

    --
    Bush's education improvements were
  115. Re:But get the current firmware and set the passwo by Animats · · Score: 2
    Correction: "but firmware from the first half of 2001 crashes frequently."

    In particular, early BEFW11S4 units, the ones with the 802.11b WAP built in, shipped with flakey firmware. The unit crashes and sits there with the red "DIAG" light blinking. Upgrade via the Linksys web site.