Choosing a Router/Firewall for the Home LAN

Dr. Zowie asks: "How should one choose a router for a home LAN? We just added a few hosts on our home ethernet, which is connected via DSL. There are an amazing number of new entries into the market for routers and even stand-alone firewalls. NetGear, Linksys, SMC, and even Panasonic all have boxen in the $99-$300 range, each of which will do some combination of NAT, routing, source-IP filtering, port filtering, and content filtering."

"It's not at all obvious from the packaging, the web sites, or the drool-proof pamphlets in the boxes which routers will do what. For example, we'd like to pass through packets for our two server machines, and use NAT/DHCP on a third address for the rest of the LAN. Nearly all the boxes advertise that they can do NAT routing, but many don't support NAT and static-IP routing simultaneously.

Die-hards will insist that one should run a standalone box with dual ethernet cards and the appropriate routing goodies -- but these standalone boxes, at 5-15 watts and a couple hundred bucks, seem like comparatively hassle-free solution. Which one do you use?"

A Good Source of Info

[rcatarella]

Practically Networked
All kinds of good information and reviews on exactly what you're looking for.

Re:Old PC

[JamesOfTheDesert]

Perahps, but compared to a dedicated device from D-link or linksys:

• How much more electricity does this use?
• How much more heat does this give off?
• How much more noise does this make?
• How much more space does this require?

Take a look at Smoothwall, perhaps?

[King_TJ]

http://www.smoothwall.com should get you to the main product page. It's a freeware GPL firewall running Linux, but designed for ease of installation and administration via a web browser afterwards. The new version 0.99 is due for release any day now, and the beta of 0.99 works quite well for me.

Since most people have an old 486 or Pentium lying around, the cost to set this up is next to nothing - and it has features the hardware firewall/router boxes don't include. (EG. Ability to auto-update your dynamic IP with the dyndns.org service and "snort" to log hack attempts with details on what was attempted.)

Re:Take a look at Smoothwall, perhaps?

[Telecommando]

I think you mean http://www.smoothwall.org

www.smoothwall.com is a real estate site.

I got the Linksys

[Delirium+Tremens]

I chose the Linksys (3 RJ45 + 1 USB connections) over a custom PC running Linux/*BSD because:

• For $160, I couldn't have built a cheap computer(I don't own enough spare parts yet).
  
• Its power consumption is so much lower than any custom computer I (=limited skills) could build.
  
• It is completely silent.
  
• If a friend visits me with his/her laptop, we can connect it without any extra hardware to the net via the USB connection (albeit, the laptop must run Windoze 2000 ... last time I tried, none of the Linux USB network drivers worked)
  
• 
  I love the IP forwarding of the linksys. All connections to port 80, 443, 21 and 22 are reditected to my Linux box, and all other ports that involve games and *apster clones are redirected to my Game box. Remaining ports are blocked.
  
• And then I choose Linksys over other brands because ... well ... it's Linksys, after all!
  

Harddriveless

[dasunt]

You don't need a hard drive for a firewall/router made from an old machine. Check out the LRP for a solution that fits on a single 1.44 mbyte floppy that can be write-protected and just needs to be power-cycled to be reboot.

Priceless

[DigiBoi]

Compaq 486/66: Free
2 old NICs sitting on shelf: Free
OpenBSD: Free

Laughing at hax0rs trying to hack your Bridge Firewall: Priceless.

SMC 7004ABR

[saider]

I do not have any servers, but this works well and has the following features...

- DHCP server
- NAT
- RJ-45 for connection to Cable/DSL and a DB-9 for connection to a modem.

I particularly like the fact that it can do Cable/DSL and Dial-up. Since I am moving a lot, I never know what is going to be available. You can even use the dial-up as a backup, should the Cable/DSL fail. Web based administration is straightforward. But I can't comment on that beyond the basics.

Power consumption is low (22W I think) and it is a lot quieter and much smaller than a PC.

It is good for my simple needs, but you may need more for your servers.

Here is a link to the product page. You can download the product brochure and check it out for yourself.

A bevy of information on configuring your routers

[Typingsux]

Here!

I have a netgear router myself, and have locked it down pretty well with the advice I found.

Re:Old PC

[aozilla]

But with a D-link or linksys:

• Does it support IPv6?
  
• Can you run a dynamic DNS client on it?
  
• Can you create a VPN between it and your parents' house?
  
• Can you call it with a modem for access from anywhere?
  
• Can it act as an answering machine?
  
• Can you run a mail server on it?
  

Other than IPv6, all the rest can be done with a separate 24/7 machine behind a linksys, but IPv6 tunnels do not work through a linksys on a dynamic IP, at least not with freenet6 or any other IPv6 tunnel service I know. Because of this I've personally been forced to stop using my linksys completely. What we need is an open-source linksys with a bios that can be programmed by the end user. I'd pay $100-200 for such a device.

The Linksys is nice

[rho]

I have the BEFSR41, which is the router plus a 4-port 10/100 switch. It was about $100 from CompUSA.

Dislikes: the web-based interface is a bit wonky with Netscape 4.7 on *nix. It works, but has some weird errors on occasion.

Likes: it works as advertised. I fought with PPPoE on an OpenBSD box for several hours -- I could not figure out why it wasn't working, and none of the so-called "How-tos" helped.

HOW-TO -- a definition
A cruel on-going joke between free unix-alike "documentation" writers that is mostly filled with "it worked for me, maybe you're stupid" insinuations and "this important part of the configuration is terribly, terribly important, but it's beyond the scope of this shitty How-To. Perhaps you are stupid?" notes.

So, I went and bought the Linksys, and within one hour (including the time it took to buy the thing), I was passing bits around the Internet.

The web-based interface does work somewhat with Lynx, but is very cantankerous when used so. I have ssh'ed into my server and then used Lynx to reconfigure the router.

You can forward ports to particular internal IPs, i.e. "all requests for port 80 goes to the computer at 192.168.1.100", and can even put one computer (one IP address) in a "DMZ", where it is completely open (all ports are available to answer).

If you want to do complex filtering or firewalling, it doesn't do such. If your needs aren't really complicated, it will work for you.

Which "home router" do I choose?

[ogreinside]

Well, doing consulting and having setup a lot of NAT environments across many platforms, I would say that these "all-in-one" solutions are a great idea. That is, however, if you get the right one.

Certainly the first suggestion I have when I see a home business paying for extra ips, is to take an old machine and setup ip masqurading on a linux box. However, I have found that many people are "scared" of linux, and some don't have dedicated machines. Others want a firewall, public servers, and of course the full web/email site setup. While some businesses look at this as opportunities for recuring fees to unknowledgeable users, I try to lay it all out for the customer. Advantages and disadvantages, ease of administration, power consumption, maintenance. In most cases, customers LOVE the all-in-one solution devices.

For power users that want to control all aspects of filtering, routing, port forwarding, and hosting, this is not the best option. However, it can be a *good* solution. I have up until recently been a Linksys advocate. It is actually a great product, and can perform NAT, DHCP (may toggle off and use an internal DHCP server), "DMZ" port forwarding, and flashable firmware. However, don't be fooled by the claim that it is a "switch". I spent many hours trying to find out directly from Linksys what some specifications were on the advertised "switch". First of all, it does not have a backplane. Anyone that knows what to look for in a switch, will first want to know how much data can be shared. When there is no backplane in any specs, and the "engineers" at Linksys don't seem to know what you are talking about, one tends to rethink their purchase. There is no mac table, nor is there anyway I have seen to find any specifics about how it "switches". Does anybody know what these devices really are? They have to be some sort of "smart" hub. What i have ended up doing, is purchasing NAT/router devices, and separate switches that perform like switches. I have found some D-link and Addtron switches with backplanes and viewable mac tables.

Also, the only way to configure any options on a Linksys device, is through a web browser. I have been able to use lynx before, but this one particular 8-port switch/router had broken tags in the config. I flashed the firmware, and tried just about every browser, but each time I would get java erros and broken tags. When I called tech support, they told me to take it back to my retailer. What they don't know, is that I had just replaced it, because the firmware flash died halfway through, and fried the device. This is not very reliable IMHO.

Netgear, however, allows you to telnet in and configure via command-line, which IMHO, is the most important feature of a configurable network device. JetAdmin or telnet for managing HP printers? Are you kidding me? I'll take command-line anyday. We need a low-end cisco device is what we need.

Are there any other command-line configurable NAT/routers that have actual backplanes for the switching component and has flashable firmware (other than a cisco switch) aimed at this market?

For $51, just get a router!

[briansmith]

Sure, you can build one out of an old computer and spare parts. But, think about the physical size, noise of the fans, and electrical consumption. Plus, you could use that old computer for something else. I got a D-Link DI-804 for $51 from Amazon.com this week. $80.00 - $30.00 rebate - $10.00 online coupon + 11.00 S/H. It seems to have all the features you want. It has a simple web interface for basic stuff but it also has a telnet interface for more advanced features. Look at the D-Link site for the product (http://www.dlink.com/products/broadband/di804/).

Note: The picture on the D-Link and Amazon.com websites is of an older design where the four switch ports are on the front, and the WAN port is on the back. On the one I received yesterday, all ports are on the back (much less messy). I emailed them telling them that the picture didn't look anything like the actual product and so they apparently pulled the webpage for the product temporarily.

The setup was painless (basically, just plugged it in, attached network cables, renewed my IP leases, and changed the admin password). I even upgraded the firmware in less than a minute. It is also silent (no fan) and it is about the size of the area of a keyboard between the [ESC] and the right-alt key. It is working great.

It has four ports in the built-in switch. Port one can be used either as a normal switch port or as an uplink. It also has a serial port that you can attach an external modem to share as a backup for then your cable/dsl connect goes out.

For $51, it is basically the same price as the 486 solution that someone else cited as $45, and it even comes with a one-year warrenty (apparently, D-Link used to have a lifetime warrenty but I guess they don't do that for the consumer stuff any more).

CPU 32bits ARM RISC CPU
Memory 512 Kbytes Flash Memory
4 Mbytes SDRAM
Standards IEEE 802.3 10Base-T Ethernet
IEEE 802.3u 100Base-TX Fast Ethernet
IEEE 802.3x Flow Control
ANSI/IEEE 802.3 NWay Auto-Negotiation
Protocols Supported
TCP/IP
NAT
DHCP
UPD
PAP
CHAP
MSCHAP
RIP1/RIP2
PPPoE
Virtual Server

VPN Pass Through Function*
PPTP
L2TP
IPSec

Firewall Protection: Built in NAT firewall using stateful packet inspection

Management: Web-Based - requires a PC, Mac, or Linux based computer with a Web Browser capable of running Java script.

Firmware Upgrade: Web-Based - requires a PC, Mac, or Linux based computer with a Web Browser capable of running Java script.

Ports:
4 x NWay 10BASE-T/100BASE-TX Fast Ethernet LAN
Port 1 has Uplink/Normal switch
1 x 10Base-T WAN
1 x RS-232 (230 Kbps, male DB-9) - for back-up analog modem connection

LED's
Power
WAN
Console
Link/Act. (Link / Activity)
10/100 Mbps

Power DC 5V 2A
Operating Temperature 0 C ~ 40 C
Storing Temperature -20 C ~ 70 C
Humidity Max 95% Non-condensing
EMI Certification FCC part 15 Class B in US

Re:Old Laptop

[mfarver]

I found old Pentium laptops to make excellent firewalls. They are a little more pricey than the old PC but they have a few advantages:

Built in battery backup
Low power consumption
Few (if any) noisy fans
Small, and fit nicely in a rack shelf
Built in collapsible console

Look around and you can find one for about the same price as the small NAT routers. The only real shame is they only have typically two PCMCIA slots, so you can't have a DMZ or wireless net interface seperate from the internal and external interfaces.

Re:Old PC

[IronChef]

But you also need to know OpenBSD. People who are not interested in being sysadmins have a right to NAT too!

There are also people who do not want to, or do not know HOW to assemble a cheap PC from parts. There is no shame in a "black box" solution.

Re:Old PC

[Manitcor]

I think you are missing the point. Yes it may be the best solution to set up a PC. The person asking the question however wants to know which out of the box solution is best. Not what do-it-yourself solution is best.

How is it so many smart people have so much trouble reading?

But get the current firmware and set the password

[Animats]

The Linksys home-sized routers aren't bad if you have current firmware, but firmware from the first half of 2000 crashes frequently.

Also, and I cannot overemphasize this, set the password. Not only are Linksys routers administered via a web interface, and attackable that way, they accept firmware downloads via TFTP, and will accept a firmware download from the WAN side. So an attacker can patch the thing remotely if it's not secured.