Slashdot Mirror


Replace NAT Box with Commercial Broadband Router?

hjf asks: "Three years ago, when I got DSL, I set up a 486 box, with 8 megs and a floppy drive to run FloppyFW. It has been through a couple hardware upgrades: 16Mb RAM for running the 2.4 kernel and a 100MBit PCI NIC for the internal network. It has a little UPS which lasts for over 60 minutes. The only downtime it has is when there's a thunderstorm and I unplug it. Besides that, it has been running flawlessly since I set it up. Lately I have been kind of seduced with this product from 3Com, and other similar to it. I know it says it can handle 253 simultaneous users and all that. My home network has 4 users, but most of us run eMule and other P2P, and as many of you know, those P2P programs can beat the crap out of your router." "For example, the default NAT table of my box wasn't enough (syslog reported TABLE FULL - DROPPING PACKET), so I made it 32768 entries and that message doesn't appear anymore. Now, what I'd like to know is, how big is that router's (or any other which does that kind of job) NAT table? Will it handle that many concurrent connections? I know I'll lose most of Linux's flexibility but I think I can live with that, but I'd surely win lots of room in the closet. So Slashdot, what's your opinion about all this?"

34 of 118 comments

  1. stick with what you've got by Anonymous Coward · · Score: 5, Insightful

    Whoa, you want to replace a simple, working firewall, which is open-source, understood by you, and which costs next to nothing, with a closed-source, commercial, EULA-encumbered device with arbitrary limits, unknown functionality, guaranteed to work only with Windows, but in a shiny branded box?

    Damn, if you're not a manager now, you're in the wrong line of work!

    I mean, you're seduced by this kind of crap?

    IP functions such as PPTP/PPPoE, NAT, and DHCP enhance addressing privacy and economy

    Wow! Enhanced addressing privacy! And Economy! Both in one sleek white box!

    Hacker pattern detection firewall feature automatically detects and blocks denial-of-service attacks and other common intrusions

    I can just imagine that sophisticated technology... if packets/second exceed X, start dropping packets randomly....

  2. Upgrade to a Pentium Laptop by Anonymous Coward · · Score: 4, Interesting

    Get a Pentium laptop, and you will still get the flexibility of Linux, and you will save room.

  3. These things are designed for home use by mind21_98 · · Score: 4, Informative

    Routers such as above are designed for home use, not for anything that's user-intensive. If you're planning on beating the crap out of it, you should probably purchase a product designed for that purpose (or keep your Linux box). The general rule applies when considering buying an electronic item: read reviews and ask around.

  4. Absolutely not. by Inominate · · Score: 2, Informative

    Consumer grade broadband routers are notorious for causing problems, and are almost always badly underpowered. Using a PC based router to handle nat generally works much better, provided you have the know-how to set it up.

    1. Re:Absolutely not. by Wonko · · Score: 5, Informative

      Consumer grade broadband routers are notorious for causing problems, and are almost always badly underpowered. Using a PC based router to handle nat generally works much better, provided you have the know-how to set it up.

      A few months ago I replaced an aging P133, an ancient 3com 12 port 10 megabit switch (with 2 100 megabit uplink ports, woo hoo!), and an 802.11b access point with a Linksys WRT54G.

      I replaced the firmware with this. I've been very happy with it so far. I think the 200 mhz mips processor is probably a decent replacement for the P133. It takes up much less space, makes much less noise, and it's in much better condition than the old hardware it replaced. I can still ssh into it, and according to /proc/version it is running a 2.4.20 kernel.

      I think it was approximately 70 dollars well spent.

    2. Re:Absolutely not. by Wonko · · Score: 2, Informative

      the cheap hw routers are notorious for choking up on even "moderate" use, even when they have 100mbit ports(so they'll choke at natting something like 10-20mbit/s).

      The only issue that I had with mine at all so far was that the default value of 1024 for ip_conntrack_max was too low. That caused problems with bittorrent and whatnot.

      I don't have a 100 megabit link to the internet, and I don't think my p133 could nat much better than this box if that were the case. One of these days I need to install top on my WRT54G and see how much load it is under. My guess is not very much.

      and yes usually even ~150mhz pc with decent network cards can kick the crap out of them when needing high speeds.

      What does a 150 mhz pc have over this box exactly? They've both got a 33mhz pci bus and they both have capable processors.

      (this may have changed, but i doubt it. and with most home connection speeds it of course doesn't matter because not everyone has 100mbit connection to home. it does for me though.)

      Well, most of us only have a 3 megabit connection. Therefore for 99.999% of us a WRT54G is more than enough. I would bet that if all you need is NAT at 100 megabit, it is still probably good enough. If I had more gumption I would do some testing... But if I ever need to put hardware on the end of a 100 megabit WAN link it will be a piece of enterprise class hardware. And it certainly wouldn't be the fastest WAN link I've ever had :p.
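The submission's "TABLE FULL - DROPPING PACKET" syslog message and Wonko's note about the default `ip_conntrack_max` of 1024 both come down to the same check: how full is the connection-tracking table, and is the kernel already dropping new flows? The script below is an added example, not code from the thread or from any of the projects mentioned; the `/proc` paths and the exact kernel message wording are assumptions based on the 2.4 `ip_conntrack` and later `nf_conntrack` modules, and the syslog lines are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks how full a Linux NAT box's
# connection-tracking table is and counts "table full" drops in syslog text.
# The /proc paths and the kernel message wording are assumptions based on the
# 2.4 ip_conntrack and later nf_conntrack modules.

# Print the conntrack table limit, trying the 2.4 path then the newer one.
conntrack_limit() {
  for f in /proc/sys/net/ipv4/ip_conntrack_max \
           /proc/sys/net/netfilter/nf_conntrack_max; do
    [ -r "$f" ] && { cat "$f"; return 0; }
  done
  return 1
}

# Print the number of entries currently tracked, same fallback order.
conntrack_count() {
  for f in /proc/sys/net/ipv4/netfilter/ip_conntrack_count \
           /proc/sys/net/netfilter/nf_conntrack_count; do
    [ -r "$f" ] && { cat "$f"; return 0; }
  done
  return 1
}

# fill_percent COUNT LIMIT -> integer percentage of the table in use.
fill_percent() {
  echo $(( $1 * 100 / $2 ))
}

# suggest_limit PEAK_COUNT -> smallest power of two (at least 1024) that
# leaves 2x headroom over the observed peak, so a P2P burst does not turn
# into new flows being silently dropped at the edge.
suggest_limit() {
  want=$(( $1 * 2 ))
  n=1024
  while [ "$n" -lt "$want" ]; do n=$(( n * 2 )); done
  echo "$n"
}

# count_table_full <syslog text on stdin> -> number of drop messages.
# Matches the ip_conntrack/nf_conntrack wording "table full, dropping packet"
# (assumed wording; adjust the pattern to what your kernel actually logs).
count_table_full() {
  grep -ci 'conntrack: table full, dropping packet' || true
}

# Constructed sample syslog lines (not from the page) for an offline run.
LOG_SAMPLE='Jan 12 03:14:07 fw kernel: ip_conntrack: table full, dropping packet.
Jan 12 03:14:07 fw kernel: ip_conntrack: table full, dropping packet.
Jan 12 03:14:09 fw kernel: eth0: link up, 100Mbps, full-duplex'

# report: live numbers if this box exposes them, otherwise the sample only.
report() {
  drops=$(printf '%s\n' "$LOG_SAMPLE" | count_table_full)
  echo "table-full drops in sample log: $drops"
  if limit=$(conntrack_limit) && count=$(conntrack_count); then
    echo "conntrack: $count of $limit entries ($(fill_percent "$count" "$limit")% used)"
    echo "suggested limit for this peak: $(suggest_limit "$count")"
  else
    echo "no conntrack sysctl readable here (not a NAT box, or not root)"
  fi
}

report
```

Run it on the NAT box itself, or feed `count_table_full` a copy of the syslog from a box you cannot log into. Two caveats when you do raise the limit: every tracked entry costs kernel memory that a 16 MB 486 cannot spare freely, and the table's hash bucket count (the `hashsize` module parameter on `ip_conntrack`/`nf_conntrack`) does not grow with the limit, so a much larger table on the same hash size means longer chains and slower lookups per packet. A fill level that sits above roughly 80% at peak, or any non-zero drop count, is the signal that the table needs more room, not that the hardware is too slow.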

  5. What I use by Judg3 · · Score: 4, Informative

    I use SmoothWall on a P200 with 384mb ram and a 10gb hdd.

    There's been upwards of 20 PCs on the network and there's been a few times when 1 of us will be on the phone (VoIP), 2 of us are downloading a lot of files via p2p and another downloading ISO after ISO off of MSDN - all at the same time.

    The little smoothwall box handled it all wonderfully, plus there's a fairly large community out there writing custom modules and addins for it.

    The best part? Well, besides the transparent web proxy, I really like how you can have an internal-only network and a separate DMZ network to hang your web services off of.

    It's not as small or sexy as that 3com, but for me it's a perfect fit - handles a lot, plenty of ways to monitor it, and the price is right. Give it a shot, see what you think.

    --
    Looking for hardware (Currently need: Large Etch-a-Sketch) Have one? See my journal!
    1. Re:What I use by ManxStef · · Score: 4, Informative

      I've used Smoothwall too, and it's great. I'll add another suggestion, though: IPCop, a free GPLed fork of Smoothwall which adds many features not available in the basic Smoothwall distro; great for home and small network use (though I'd highly recommend SW if you need any commercial support). The latest version - on release candidate 4 now, watch out for 1.4 stable any day now! - includes traffic shaping using Wondershaper, so will solve your P2P problems quite nicely. See the unofficial support forums for the latest news and plenty of help.

      Of course, if you just want a standalone device, like others have said your best bet is to get a LinkSys WRT54G/WAP54G plus alternative firmware, such as the Sveasoft one. See more info here:
      http://www.seattlewireless.net/index.cgi/LinksysWrt54g

    2. Re:What I use by f()rK()_Bomb · · Score: 2, Interesting

      I really have to add a vote for smoothwall. Where I used to work (government office), me and the rest of the IS section used to regularly beat the hell out of the SOHO firewall. My sysadmin wanted to "upgrade" to a big, better, faster sonicwall product (the previous sonicwall product liked to download firmware upgrades and crash itself. Nice). I just said give me 2 hours and I will have a new firewall running. He laughed and said that's something I'd love to see. 2 hours later, after hunting in the basement for a P166 and downloading smoothwall, there is very little we can throw at it that it can't handle. Sysadmin is now a manager. Great }:-) Where am I? Pretty much quit at that stage. Recently nmapped their network; ports open now include such gems as 135, 137, 21, 25, 1433 & 6669. WTF

      --
      "The space elevator will be built about 50 years after everyone stops laughing." - Arthur C. Clarke ~1980
  6. Huh? by jazman_777 · · Score: 5, Funny

    and as many of you know, those P2P programs can beat the crap out of your router.

    Do you mean your NICs get hot? Or does the machine start vibrating under the load?

    --
    Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
  7. Linksys WRT54G by brunes69 · · Score: 4, Informative

    Get one. They're dirt cheap, have plenty of CPU power, and they run Linux. Combine one with an open source OS image and you have one powerful router - you can do VPN with it, firewall, anything you want - and you can adjust the NAT table to your liking if the default isn't sufficient, and it does wireless to boot.

    It'll save you plenty on your home power bill too. Seriously, a 486 or similar running 24x7 can cost you 5-10 bucks a month, or even more in some areas. Home routers use significantly less power.

    1. Re:Linksys WRT54G by eludias · · Score: 3, Interesting

      Or even better, an ASUS wl500g (~$90) -- it even contains a USB connector to connect any USB device Linux can use.

      It has the same Broadcom chipset as the Linksys, btw. (...which is closed source, so you're bound to run 2.4 forever).

      http://forum.chupa.nl/ has a forum about it for background information (custom firmware for ssh, samba, ...).

  8. Why? by josh3736 · · Score: 4, Insightful
    from the if-it-ain't-broke dept.

    I think that says it all. The box you have now works just fine, so why ditch it for a less flexible consumer-grade router?

    Do any of those Linksys boxes have ssh? Nope. Stick with the PC.

    1. Re:Why? by fwc · · Score: 2, Insightful

      Do any of those Linksys boxes have ssh? Well.... Actually... Yes, the WRT54G(S) sure can have ssh with the appropriate third party firmware.

    2. Re:Why? by Anonymous Coward · · Score: 3, Insightful

      Just an FYI, the Linksys WRT54g is just about the most hackable $60 box you can buy. I'm contemplating throwing out my sparc5 w/ 4pt ethernet and replacing it with this smaller, quieter, and cooler (temp) box.

      https://sourceforge.net/projects/wifi-box/

      http://openwrt.org/

      There's lots more out there, I'm sure.

      You can even add a serial port to it! Hack the voltage and get 200mw (or something) out of it!

      Four years ago when I set up this sparc, it was the easiest solution available for a wireless router and firewall. But now it sits on my shelf and is by far the loudest box I own. Meanwhile my girlfriend has a *silent* firewall and access point for roughly half of what I paid for my sparc. Maybe I'll make the thing diskless so it's not so noisy, but it might be time to retire it...

  9. I used to play that game by Pengo · · Score: 3, Informative

    Now I save my time and money from electricity and noise and use a little netgear router with 50mbit wireless. I do all the things that you described and never have had an outage, and it's silent.

    Why use a 130-watt power supply when you can use a 12, and 0 noise. Only router I have owned that routinely craps out is a linksys, I wouldn't touch it with a 10' pole. My 2 netgear routers have worked flawlessly.

  10. Your loss by aminorex · · Score: 3, Insightful

    Your loss, if you make the transition, is mostly the loss of flexibility in customizing firewall rules and adding edge services.

    Your gain is a reduction in maintenance, size, energy consumption, noise production, and portability.

    --
    -I like my women like I like my tea: green-
  11. If you haven't already... by dhaines · · Score: 4, Informative

    You might check out DSLReports for some opinions on that router. One guy seemed to have trouble with P2P on it. In my experience a lot of these home-networking boxlets seem to choke on P2P.

  12. I have one by Sklivvz · · Score: 2, Informative

    I have an OfficeConnect (but the one with 55Mb/s wifi). It works very well. My home setup is:
    - 2 Mbit connection to internet
    - 1 computer connected via 100Mb eth
    - 1 computer connected via WiFi
    - 1 pocket pc via WiFi
    - 1 Kiss DVD connected via 100Mb eth

    I never had any problems, even using eMule (PC), shoutcast (DVD), Skype (PPC) and browsing (notebook) at the same time.
    The little critter even supports a VPN so I can remotely control it from work.

    Very recommended!

  13. In MN area? by kcb93x · · Score: 2, Informative

    If so, I've got about 20 Pentium Laptops sitting behind me, no HDs, otherwise most of 'em boot. I'll give them to anyone in the Twin Cities area...just speak up....
    - Various brands
    - Power supplies for most
    - No hard drives

    --
    There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  14. Buy a router by elemental23 · · Score: 2, Insightful

    A few years ago I gave up using a dedicated machine as a firewall on my DSL line in favor of a hardware router. You lose a bit in flexibility, but the space savings, the lower power requirements, and the lower heat output immediately make up for it. And I've decided I like my home office looking a little neater, more like an office and less like a low-rent data center.

    At first I used one of those crappy Linksys things. I don't remember what model it was, but the thing was a heap of shit. I had to hard reset it once a month or so and it would regularly stop routing packets for a minute or two for no readily apparent reason. I finally had enough and replaced it with a Cisco SOHO 91 and I've never been happier (well, with a hardware purchase, anyway). It runs IOS and so can be configured via SSH, does stateful packet filtering and pretty much everything you'd expect from a real router (except VLANs, dammit). It costs a little more than your typical home router, but not by too much. Mine was around $250 new and I'm sure you can find a used one cheaper.

    --
    I like my women like my coffee... pale and bitter.
  15. Never rely on them! by dimss · · Score: 2, Insightful

    You should never rely on these small black boxes! Yes, they do basic NAT fine (for me). Yes, they have no moving parts. But they are stupid when it comes to packet filtering or security problems.

    When you have problems with *BSD or Linux, you search through forums and maillists. You read manuals. You can upgrade kernel and userland.

    When you have problems with these broadband routers, the best you can do is a firmware upgrade. Will they provide security and bug fixes after a year or two? I guess not.

    The price of a black box is comparable to an old but still strong computer. The value is much less. Commercial routers with value comparable to a *nix box are more expensive than a new computer.

    A broadband router is a quick and easy solution, but never use them for yourself! Go and buy an old Pentium or Celeron without HDD and use *nix on it.

  16. did it, regret it by kwench · · Score: 2, Insightful

    I put my 3-NIC-486/100Mhz-FreeBSD-Box into trash and moved on to the new shiny world of routers, that is a 1-NIC, WLAN-enabled German Telekom router.

    Configuring the network is easy and straightforward, you can even configure for things like VoIP/p2p and it works pretty well. But the configuration procedure is HTML-only and does not allow any special setup (like using 192.168.1.2 instead of 192.168.1.1 because you have a stupid Windows Box with another LAN on your LAN; or putting through connection from 192.168.2.2 which is on a LAN behind your LAN but not masqueraded, so you can play StarCraft everywhere...).
    And obviously, I cannot run any servers on this box (I used to run httpd).

    And then I experienced connection problems. These happen mainly when asking the router to resolve a domain name. That is why I installed my old dnsd on my main computer, just before I was able to find /. and read this article.

    In one word: If your system is small enough (buy a laptop), and has all NICs you need (buy a wifi-card), DO NOT REPLACE IT!

  17. Re:FloppyFW or FreeSCO (free cisco) by innosent · · Score: 3, Informative

    The low ping is most likely due to network polling clock rate. Not sure how to adjust in Linux, but FreeBSD has a kernel option HZ that determines how often to poll for device interrupts. By default, HZ=100 for FreeBSD, which hurts pings significantly (adding 10-20ms) for things run through NAT or any type of pipe/queue. Bump this number up to 1000-2000Hz+, and you're probably processing packets through NAT faster than any off-the-shelf router. Commercial NAT routers are made for small businesses with limited use and no IT department. Beyond that, or for heavy home use, they become a bottleneck. Just on a ballpark guess from my experience with them, Linksys/Netgear/DLink routers seem to poll at about 1000Hz. (adding 1-2ms to pings) Personally, I like HZ=2000, which seems a fair trade-off for machines that do more than just route packets, and adds 1ms worst-case to pings. If you strictly want a router, you could probably increase that quite a bit, until you reach the point that polling takes up too many cycles. Unfortunately, FreeBSD requires a kernel compile to change the HZ value.

    --
    --That's the point of being root, you can do anything you want, even if it's stupid.
  18. How about a lower-power box? by smoon · · Score: 2, Informative

    There's a thread just recently on undeadly.org that offers suggestions on low-power (under 30 watt) boxes to run OpenBSD.

    Chances are if they run OpenBSD they will run Linux as well (although why you'd prefer the linux firewall features over the OpenBSD pf firewall escapes me).

    If your main goal is lower electrical cost, that might be a good option anyway. If you are willing and technically competent enough to maintain your own box, you should. Otherwise you give up a _lot_ of flexibility (ability to run snort, dsniff, caching proxy, dns, honeypot, etc.).

    --
    "But actually trying to use m4 as a general-purpose language would be deeply perverse" --ESR
  19. fan failure - no network by jkujawa · · Score: 4, Insightful

    About three years ago, the fan failed on my (almost entirely silent) Linux-based NAT box. I didn't find this out until the cascading failures took down the whole box.

    I replaced it with a Linksys router. I've been happy ever since.
    Set it up and forget about it.

    I'm a coder. I've also done enough sysadmin that it pisses me off when I have to do it at work, and more so when I have to do it at home. Plug-it-and-forget-it is awfully nice.

    Spending $50 on a router is also more economical than working on one for several hours. My time is not free.

  20. I did this recently by Drakino · · Score: 3, Informative

    One big reason I did this. I now have two ISPs coming into the house, and my attempts to get my Linux router to use both in a stable way were not met with success. After several hours of poring over documentation scraps from one site and another, hacking the kernel, and rebooting, I gave up.

    In the end I spent $200 on a nice Xincom Twin Wan Router XC-DPG502. With all its options and configuration, I got both ISPs working very quickly and got my server set up behind it with no problem.

    Anything advanced for networking under Linux becomes very hard to implement, and even harder due to the fact that there are very few good documentation sites for such things. Most of your research will be from scraps of info off listserves from people attempting this before you.

  21. Re:FloppyFW or FreeSCO (free cisco) by Anonymous Coward · · Score: 3, Insightful

    how often to poll for device interrupts.

    What's the point of interrupts if you have to poll for them...?

  22. linksys wrt-54g by aderusha · · Score: 4, Informative

    for roughly $65, you can buy a linksys wrt-54g which runs linux out of the box. add to this some free third-party replacement firmware and you get full control over the unit and loads of features - VPN, packet shaping, advanced packet filtering, captive portals, and all sorts of other stuff. the unit is very flexible, reliable, cheap, and most of all it is supremely hackable - especially if you know your way around linux.

    if you do go down this route be sure to avoid sveasoft's firmware, for reasons illustrated here. basically, the guy writing it is a total cockbite. last time i questioned his (ab)use of the GPL here on slashdot he banned me from his forums, so if you do intend to send him $20 you'd better be nice.

    1. Re:linksys wrt-54g by aderusha · · Score: 2, Informative

      forgot one link - to learn more about sveasoft, read this guy's journal on the topic.

  23. Bullshit by Quattro+Vezina · · Score: 3, Informative

    guaranteed to work only with Windows

    You, sir, are lying. My D-Link DI-604 router works perfectly with Linux. In fact, I don't think I've ever even touched the configuration interface under Windows.

    It works beautifully, and I'd recommend one to anyone who needs a NAT. It's a tiny (5.5" wide, 4" long, 1" tall) silver box that sits in the corner of my desk, surrounded by whatever junk I have. I don't have a second machine to use as a router, and if I were to buy one, I'd be spending far more money--I bought this thing for $20. Not to mention the fact that another machine would take up far more space.

    And you know what? It just works. I plug it in between my machine and my cable modem, and assuming my machine is set up to use DHCP, it's working. If I want to open some ports to my machine so I can have my servers publicly accessible, it takes me about 10 seconds to do so. It's also never dropped me. Ever.

    Of course, it depends on what kind of router you own. For example, I would never touch a Linksys product with a 10-foot pole. I have a friend with one...that piece of crap frequently stops working, and won't come back up for a couple of hours, even after it's unplugged and re-plugged into the wall multiple times (it's not the connection--plugging the machine into the cable modem works fine..it's just the piece of crap router that's a piece of crap). Of course, she's refused to listen to me when I constantly told her to get a D-Link router, so I've refused to ever help her on anything network-related until she does.

    And I'd also say that if you do have a dedicated NAT machine, and it works, then there's no need to replace it. If it's not broken...

    --
    I support the Center for Consumer Freedom
    1. Re:Bullshit by harlows_monkeys · · Score: 3, Informative
      Of course, it depends on what kind of router you own. For example, I would never touch a Linksys product with a 10-foot pole. I have a friend with one...that piece of crap frequently stops working, and won't come back up for a couple of hours, even after it's unplugged and re-plugged into the wall multiple times (it's not the connection--plugging the machine into the cable modem works fine..it's just the piece of crap router that's a piece of crap). Of course, she's refused to listen to me when I constantly told her to get a D-Link router, so I've refused to ever help her on anything network-related until she does

      Check the environmental specs on that Linksys and your DLink, and I bet you'll find that there is a difference. I had a Linksys that consistently lost packets, and then a Netgear that consistently lost packets. I then noticed that if I blew into the vents on them while they were losing packets, they would stop losing packets for a bit. If I arranged a fan to blow over them, they were fine. Reading their specs, they are rated to 40C. I pointed an IR thermometer inside one of the vents...and it said 45C. Aha!

      I then bought a DLink that is rated to 55C, and the packet loss went away. I gave the Linksys to a friend whose computers are placed where the airflow is better, and it worked great for him.

      BTW, the DLink not only was rated 15C higher than the other two, it runs cooler.

  24. Re:Umm... actually it is by darkonc · · Score: 2, Insightful

    While it's a popular thing to say on Slashdot, when the one using your time is ...you, I have a difficult time seeing how it is not free.

    Lemme see: 2 hours with G/F or building a firewall that really doesn't turn my crank????

    For people who like playing with firewall rules, the DIY solution is (or should be, until MS makes it illegal) always going to be available.

    For anybody else who judges the off-the-shelf product adequate and isn't up to building something better, then I'd say 'go for it'.

    Time spent is time spent -- whether it's building a router, necking with your SO, sweeping the floor, posting to slashdot or playing with 'the kid'. Choose and spend.
    No refunds allowed.

    Which reminds me: I've got other things to do now.

    --
    Sometimes boldness is in fashion. Sometimes only the brave will be bold.
  25. try an old notebook by mqx · · Score: 3, Informative

    This is the biggest secret out there, you can pick up old notebooks of decent speed (sub 200mhz, 586, 64-96mb ram, etc) and use it as a gateway, the benefit is:

    - low power, low noise, low cost, small form factor;
    - cheap, get them for sub $50 or free - nobody wants them;
    - built in UPS (i.e. the notebook battery);
    - simply install good firewall OS (OpenBSD);
    - plug pcmcia wireless in the side (take your pick: 802.11b, b+, g ...);
    - use spare pcmcia slot for modem card to provide backup connectivity, or use it for fax server and even for voice mail / phone system (i.e. asterisk)
    - use the USB slot for cheap-o USB DSL modem (e.g. accessrunner, etc)

    The real benefit is that you can just upgrade parts of it as necessary (e.g. all the suckers on 802.11b DSL gateways are hosed while you just buy a new 802.11g card, install it, and throw the old one away), and of course, you get the confidence in a bullet proof system (e.g. OpenBSD).

    Seriously, you'll get years of mileage out of it -- much more than a "closed" DSL gateway, you'll get better performance and functionality, all at a cheaper price.