Slashdot Mirror
Replace NAT Box with Commercial Broadband Router?
hjf asks: "Three years ago, when I got DSL, I set up a 486 box, with 8 megs and a floppy drive to run FloppyFW. It has been through a couple hardware upgrades: 16Mb RAM for running the 2.4 kernel and a 100MBit PCI NIC for the internal network. It has a little UPS which lasts for over 60 minutes. The only downtime it has is when there's a thunderstorm and I unplug it. Besides that, it has been running flawlessly since I set it up.
Lately I have been kind of seduced with this product from 3Com, and other similar to it. I know it says it can handle 253 simultaneous users and all that. My home network has 4 users, but most of us run eMule and other P2P, and as many of you know, those P2P programs can beat the crap out of your router."
"For example, the default NAT table of my box wasn't enough (syslog reported TABLE FULL - DROPPING PACKET), so I made it 32768 entries and that message doesn't appear anymore. Now, what I'd like to know is, how big is that router's (or any other which does that kind of job) NAT table? Will it handle that many concurrent connections? I know I'll lose most of Linux's flexibility but I think I can live with that, but I'd surely win lots of room in the closet. So Slashdot, what's your opinion about all this?"
Whoa, you want to replace a simple, working firewall, which is open-source, understood by you, and which costs next to nothing, with a closed-source, commercial, EULA-encumbered device with arbitrary limits, unknown functionality, guaranteed to work only with Windows, but in a shiny branded box?
Damn, if you're not a manager now, you're in the wrong line of work!
I mean, you're seduced by this kind of crap?
IP functions such as PPTP/PPPoE, NAT, and DHCP enhance addressing privacy and economy
Wow! Enhanced addressing privacy! And Economy! Both in one sleek white box!
Hacker pattern detection firewall feature automatically detects and blocks denial-of-service attacks and other common intrusions
I can just imagine that sophisticated technology.. if packets/second exceed X, start dropping packets randomly....
I think that says it all. The box you have now works just fine, so why ditch it for a less flexable consumer-grade router?
Do any of those Linksys boxes have ssh? Nope. Stick with the PC.
Your loss, if you make the transition, is mostly
the loss of flexibility in customizing firewall rules and adding edge services.
Your gain is a reduction in maintenance, size,
energy consumption, noise production, and portability.
-I like my women like I like my tea: green-
A few years ago I gave up using a dedicated machine as a firewall on my DSL line in favor of a hardware router. You lose a bit in flexability, but the space savings, the lower power requirements, and the lower heat output immediately make up for it. And I've decided I like my home office looking a little neater, more like an office and less like a low-rent data center.
At first I used one of those crappy Linksys things. I don't remember what model it was, but the thing was a heap of shit. I had to hard reset it once a month or so and it would regularly stop routing packets for a minute or two for no readily apparent reason. I finally had enough and replaced it with a Cisco SOHO 91 and I've never been happier (well, with a hardware purchase, anyway). It runs IOS and so can be configured via SSH, does stateful packet filtering and pretty much everything you'd expect from a real router (except VLANs, dammit). It costs a little more than your typical home router, but not by too much. Mine was around $250 new and I'm sure you can find used one cheaper.
I like my women like my coffee... pale and bitter.
You should never rely on these small black boxes! Yes, they do basic NAT fine (for me). Yes, they have no moving parts. But they are stupid when it comes to packet filtering or security problems.
When you have problems with *BSD or Linux, you search through forums and maillists. You read manuals. You can upgrade kernel and userland.
When you have problems with these broadband routers, the best you can do is firmware upgrade. Will they provide security and bug fixes after year or two? I guess no.
The price of black box is comparable to an old but still strong computer. The value is much less. Commercial routers with value comparable to *nix box are more expensive than new computer.
Broadband router is quick and easy solution, but never use them for yourself! Go and buy old Pentium or Celeron without HDD and use *nix on it.
I put my 3-NIC-486/100Mhz-FreeBSD-Box into trash and moved on to the new shiny world of routers, that is a 1-NIC, WLAN-enabled German Telekom router.
/. and read this article.
Configuring the network is easy and straightforward, you can even configure for things like VoIP/p2p and it works pretty well. But the configuration procedure is HTML-only and does not allow any special setup (like using 192.168.1.2 instead of 192.168.1.1 because you have a stupid Windows Box with another LAN on your LAN; or putting through connection from 192.168.2.2 which is on a LAN behind your LAN but not masqueraded, so you can play StarCraft everywhere...).
And obviously, I cannot run any servers on this box (I used to run httpd).
And then I experienced connection problems. These happen mainly when asking the router to resolve a domain name. That is why I installed my old dnsd on my main computer, just before I was able to find
In one word: If your system is small enough (buy a laptop), and has all NICs you need (buy a wifi-card), DO NOT REPLACE IT!
Humph. You have something that works for you and you
want to replace it with something that might not?
Why. Go take up pornogami or something more fruitful...
Seriously - be thankful your router complained and told you what was happening. A closed box from Cisco,
LinkSys et al would sit there silently and let you
burn half your brain power for the next milennium.
We use an intracom (local greek company) DSL router with no problems - but on the other hand
you won't have the same flexibility that a PC + linux will give you - for instance, imagine that
you want to make one machine internally an intranet web server (I collaborate with two other
very mobile business people on lot's of things both software and food related).
Right now, I'm stuck because DHCP + DNS + NAT mix
like oil and water.
If it was a linux box I *KNOW* I'd find a solution
(anyone else who has one discuss this, I bet a lot
of us would like to know...).
About three years ago, the fan failed on my (almost entirely silent) Linux-based NAT box. I didn't find this out until the cascading failures took down the whole box.
I replaced it with a Linksys router. I've been happy ever since.
Set it up and forget about it.
I'm a coder. I've also done enough sysadmin that it pisses me off when I have to do it at work, and more so when I have to do it at home. Plug-it-and-forget-it is awfully nice.
Spending $50 on a router, is also more economical than working on one for several hours. My time is not free.
how often to poll for device interrupts.
What's the point of interrupts if you have to poll for them...?
Lemme see: 2 hours with G/F or building a firewall that really doesn't turn my crank????
For people who like playing with firewall rules, the DIY solution is (or should be, until MS makes it illegal) always going to be available.
For anybody else who judges the off-the-shelf product adequate and isn't up to building something better, then I'd say 'go for it'.
Time spent is time spent -- whether it's building a router, necking with your SO, sweping the floor, posting to slashdot or playing with 'the kid'. Choose and spend.
No refunds allowed.
Which reminds me: I've got other things to do now.
Sometimes boldness is in fashion. Sometimes only the brave will be bold.