Slashdot Mirror


Powerful Linux ISP Router Distribution?

fibrewire writes "I'm building a Wireless ISP using commercial grade, low cost equipment. My main stumbling block is that I cannot find a decent open source ISP class routing distribution. Closest thing to even a decent tool is Ubiquiti's AIRControl — but even it doesn't play well with other network monitoring software. I've used Mikrotik's RouterOS for five years, but it just isn't built for what I need. I don't mind paying licensing fees, but $300K for a Cisco Universal Broadband Router is out of my budget. Has anyone seen any good open-source/cheap hardware/software systems that will scale to several thousand users?"

23 of 268 comments

  1. Just use any Linux distro by ls671 · · Score: 5, Interesting

    Just pick up your favorite Linux distribution and get back to me with your requirements. I think Linux can easily do what you need almost out of the box. It is only a matter of configuring it. I bet some would recommend looking at OpenBSD or FreeBSD as well.

    Either way, you would definitely have a more flexible solution than any canned product will provide you with.

    --
    Everything I write is lies, read between the lines.
    1. Re:Just use any Linux distro by grub · · Score: 5, Informative


      Does it have to be Linux?

      Why not try OpenBSD and its excellent BGP implementation OpenBGPD! It powers some pretty hefty businesses and ISPs.

      --
      Trolling is a art,
  2. Vyatta by Anonymous Coward · · Score: 3, Informative

    http://www.vyatta.com/about/press_releases.php?id=75

    try the beta v6

  3. Are you serious, or just killing time? by jeffmeden · · Score: 4, Insightful

    So Cisco makes billions of dollars a year selling some ungodly expensive, ungodly powerful head-end router-like devices (not even routers in the IP sense) and somehow you suspect a Linux distribution with the same features is going to unpack itself and be everything you want it to be? You need to tell us what the rest of your platform looks like if you expect any answers that go beyond 'any linux distribution can act like a router!'. What subscriber equipment is in use? How much user control do you need (access on/off vs. bandwidth filtering, etc.)? Details, details, details.

    1. Re:Are you serious, or just killing time? by dave562 · · Score: 4, Insightful

      And beyond that, just because a Linux box might support all of the protocols and implementations that Cisco has leveraged in their own products, it does not mean that the Linux box is going to configure itself. A lot of the reason that Cisco makes money is because they provide solutions. The solutions themselves leverage established technologies in many cases (RFCs are in the public domain), but Cisco makes them work together. It's the old discussion about Open Source vendors. They aren't making money selling people Linux because Linux is free. They are making money selling people Linux configured to perform specific tasks, and then selling support to keep the solution functioning and up to date.

    2. Re:Are you serious, or just killing time? by b1t+r0t · · Score: 3, Insightful

      The "same features"? You mean like ASICs that forward the data with low latency once the route is established? Yep, Linux is going to somehow magically add those to your computer, and that's one of the reasons people pay the extra money for Cisco over some old P3 tower PC and a CD-ROM with a penguin on it. Another is that they fit nicely in a rack.

      The submitter apparently has his own unique idea of what "ISP class" means. Admittedly, this is for a wireless network, so there is already a bit of latency expected and maybe not as much total bandwidth as a wired ISP, but you can never remove latency, only add less. And as you have pointed out, "ISP class" should include things like metrics and controls for users.

      --
      "Open source is good." - Steve Jobs
      "Open source is evil." - Microsoft
    3. Re:Are you serious, or just killing time? by rantingkitten · · Score: 4, Insightful

      Do you need a Cisco Catalyst to handle 3 desks on a fairly slow DSL line, who aren't doing outrageous sharing between each other? No.

      Sheesh. I wish someone would tell that to our clients. My company provides service to (mostly) small businesses, and half of these little five-man operations have some totally over-engineered Cisco gear acting as their network edge because some smartass, self-styled "IT Guy" told them it was the best. Surprise, he vanishes after plugging it in and collecting his fee, and now the client has all these problems with our SIP service and of course they have no idea how to manage their own equipment, and WE end up looking like jerks because our stuff won't work out of the box with whatever equipment the client has.

      Could you do the 3 desk operation with a Linux machine and 4 network cards? Sure. In this example, it's cheaper to pick up a cheap hub, than to take even a salvage machine and put 4 network cards in it.

      Here, though, I disagree. At the same company I mentioned, when I joined, we were a three-person operation, and we used a Linux machine with two network cards and a switch as our router. It worked great as we scaled up in staff numbers, particularly when tools like ntop and tcpdump existed to let me see when some joker was ruining it for everyone by torrenting the entire internet. If you never plan to expand, then sure, some cheap little router toy from Dlink or Linksys will do fine, but if you intend to grow, may as well do things right the first time than have to re-engineer your network down the road.

      Also, a hub? Who the hell uses hubs anymore? I can't even think of a use for them these days other than packet sniffing, and an inexpensive managed switch will let you do that.

      --
      mirrorshades radio -- darkwave, industrial, futurepop, ebm.
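The check rantingkitten describes (spotting the one subscriber who is torrenting the whole link) can be done with nothing but tcpdump and awk when ntop is not around. The script below is an added example, not code from the thread; it sums payload bytes per subscriber address from `tcpdump -nnq` style lines. The capture lines and the 10.20.0.0/24 subscriber prefix are constructed for the example, and the parsing assumes the `-q` output shape (`tcp N` for TCP, `UDP, length N` for UDP).

```shell
#!/bin/sh
# Added example (not from the thread): find the subscriber eating the link from a packet
# capture. Works on text from `tcpdump -nnq -i <subscriber iface>`; the sample below is
# constructed, not a real capture.

sample_capture() {
cat <<'EOF'
12:00:01.000001 IP 10.20.0.12.51234 > 93.184.216.34.6881: tcp 1448
12:00:01.000450 IP 93.184.216.34.6881 > 10.20.0.12.51234: tcp 0
12:00:01.001200 IP 10.20.0.12.51235 > 198.51.100.7.6881: tcp 1448
12:00:01.002000 IP 10.20.0.11.49152 > 203.0.113.5.443: tcp 120
12:00:01.002500 IP 203.0.113.5.443 > 10.20.0.11.49152: tcp 1448
12:00:01.003000 IP 10.20.0.12.51236 > 198.51.100.9.6881: UDP, length 1200
12:00:01.004000 IP 10.20.0.13.5353 > 224.0.0.251.5353: UDP, length 90
EOF
}

# top_talkers <capture file> <subscriber prefix, e.g. 10.20.>
# Sums payload bytes per subscriber address in both directions and prints
# "bytes address", biggest first.
top_talkers() {
  awk -v pfx="$2" '
  # strip the trailing ":" tcpdump puts after the destination, then the port
  function host(a) { sub(/:$/, "", a); sub(/\.[0-9]+$/, "", a); return a }
  $2 == "IP" {
    src = host($3); dst = host($5)
    bytes = ($6 == "tcp") ? $7 : $NF        # "tcp N" or "UDP, length N"
    if (index(src, pfx) == 1) seen[src] += bytes
    if (index(dst, pfx) == 1) seen[dst] += bytes
  }
  END { for (h in seen) printf "%d %s\n", seen[h], h }' "$1" | sort -rn
}

# busiest_subscriber <capture file> <prefix>: only the top line, handy for alerting
busiest_subscriber() { top_talkers "$1" "$2" | head -n 1; }

case "${1:-}" in
  demo) t=$(mktemp); sample_capture > "$t"; top_talkers "$t" 10.20.; rm -f "$t" ;;
esac
```

Run `sh top-talkers.sh demo` to see the constructed result; against a live box, `timeout 60 tcpdump -nnq -i eth1 > /tmp/cap.txt` followed by `top_talkers /tmp/cap.txt 10.20.` gives a one-minute snapshot. Counting both directions matters: a seeder shows up on the upload side, which a downstream-only view misses.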
    4. Re:Are you serious, or just killing time? by JWSmythe · · Score: 3, Interesting

      I don't believe in overselling customers. I believe customers appreciate the fact that I'm looking to milk them for extra money. Really, I can score one big sale, or I can build a relationship and continue with them as needed. I've had customers not call for years because they didn't need anything, but the minute they do, I'm there for them.

      Growth is a funny thing. A lot of places I've seen have had 4 desks with the intention of growing, and years later they still have exactly 4 desks. One place had a dozen or so servers with high hopes for the future. Those high hopes were a serious understatement. Their partial T3 became multiple GigE circuits, and their dozen servers became over 100. Even the first big growth spurt overgrew the agreed upon server naming convention and it had to be changed after two years.

      One place I worked at, which was growing rapidly, they were set up with a bunch of hubs (I'll explain the hubs thing in a moment), and terrible links between the suites (multiple suites in a complex). It was terrible. Literally, it was normal to have >100ms pings between suites on a good day. I got 6 Cisco Catalyst 2924XL-EN's with 4 port 100baseFX cards, deployed one switch per suite, and ran fiber between all the suites. Total expense was about $600. Then the economy took a dump. They started downsizing, and I believe they were down to something like 5 desks and 3 servers (don't ask).

      Ok, now the hubs thing. I say "hubs" for any low end consumer grade unmanaged "switch". For some manufacturers, it was a marketing ploy to say "switch", which just meant "auto speed switching", where it would handle 10baseT/100baseT/100baseTX, but was still a hub (you could see all traffic on all ports). Some really are switches, but usually not at the level of a real managed switch. If you can get 5 ports for $20, it's a hub. :) I have seen some recently that act like a hub, which is really sad. Well, not just act. They'll even have a single collision light on the front. Oh, there's a big hint. :)

      --
      Serious? Seriousness is well above my pay grade.
    5. Re:Are you serious, or just killing time? by mysidia · · Score: 3, Informative

      Show me the Franken' Catalyst 2950/6500 Sup720 3BXL, Franken Cisco 12006, or Franken Juniper M7i/M320, and then I'll be impressed. Your desktop PC will not contain TCAM or other components required for a minimal level of forwarding performance needed by an ISP.

      After all these years, a desktop PC still cannot perform the task of a simple 8 port switch, at nearly the same packet rates as the switch. The packet rates that can occur on an Ethernet network easily overwhelm the desktop PC's limited interrupt capacity and memory I/O bus bottlenecks.

      For an Enterprise branch office edge a desktop router is fine. Because Enterprises only buy a limited amount of capacity from an ISP. Also, Enterprise branch offices have only clients, not servers, so they aren't really subject to a DoS (rejecting unwanted packets is half as expensive as fully forwarding normal packets).

      Of course, Enterprise server farms never use a firewall at the edge on the path into the servers, unless the periodic unavailability due to DoS attack taking out the firewall is not an issue.

      But for an ISP, if you are planning on being a serious ISP, your core business is providing a professional service. Use a well-designed solution, not something you've cobbled together from off-the-shelf parts. You get real value buying gear that performs forwarding in hardware.

      In the long run, one 24 hour outage or service degradation, can cost more than engineering the network properly, and using good managed pieces.

      The fact of the matter is the FrankenPIX was based on the original PIX platform, an Enterprise firewall, that used to be just a PC with some fancy packaging and a proprietary flash card. That platform has been obsolete for many years, and is not suitable for an ISP, anyways.

      In case you didn't know, Firewalls like the original PIX can't handle that much traffic, and they are easily DoSed into oblivion by a simple flood.

      Anyways, decent gear for service providers these days offloads work to hardware. And runs on a real-time OS that can provide something closer to a service level guarantee than a commodity OS can.

      In case you didn't know... Linux is not a real-time OS, and cannot provide timing guarantees a RTOS can.

      Generic Linux running on commodity hardware cannot provide proper separation between control plane and forwarding plane.

      For certain very important functions, a commodity PC simply can't match the performance of a dedicated ASIC.

      You can talk BGP all you want, but you can't reliably forward 30,000 pps through a commodity PC, or push speeds higher than approximately 200megs, due to interrupt contention.

      There is also the matter of reliability of the hardware...

      Commodity desktop parts are not designed to run 24x7, and they fail frequently. Physical failure in routers is rarer, unless there are environmental issues, or the equipment is old.
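mysidia's interrupt-contention point is measurable on any Linux box before you find out the hard way: if every interrupt from a NIC lands on one core, that core's saturation is the packet-rate ceiling no matter how many cores the box has. The script below is an added example, not part of the thread; it parses `/proc/interrupts` and reports NIC queues whose busiest CPU takes more than a threshold share. The embedded interrupt table is constructed for a 4-core box and is not from a real host.

```shell
#!/bin/sh
# Added example (not from the thread): detect a NIC whose interrupts all land on one core,
# the contention that caps pps on a PC router. Parses /proc/interrupts; the sample below
# is constructed for a 4-core box, not taken from a real host.

sample_interrupts() {
cat <<'EOF'
           CPU0       CPU1       CPU2       CPU3
  24:    1200000          0          0          0   PCI-MSI-edge      eth0-rx-0
  25:     300000     310000     290000     305000   PCI-MSI-edge      eth1-TxRx-0
  26:       1234       1100       1300       1250   PCI-MSI-edge      eth1-TxRx-1
 NMI:          0          0          0          0   Non-maskable interrupts
 LOC:      50000      50000      50000      50000   Local timer interrupts
EOF
}

# irq_hotspots <interrupts file> <threshold %>
# Prints "irq name CPUn share%" for each NIC queue whose busiest CPU handles >= threshold
# of that queue's interrupts. Well-spread queues (RSS + affinity) print nothing.
irq_hotspots() {
  awk -v thr="$2" '
  NR == 1 { ncpu = NF; next }                    # header row: one column per CPU
  {
    name = $NF
    if (name !~ /^(eth|en[ops]|wl)/) next         # NIC queues only (skip NMI, LOC, ...)
    irq = $1; sub(/:$/, "", irq)
    sum = 0; max = 0; hot = 0
    for (i = 2; i <= ncpu + 1; i++) {             # per-CPU counters follow the irq number
      sum += $i
      if ($i > max) { max = $i; hot = i - 2 }
    }
    if (sum == 0) next
    share = 100 * max / sum
    if (share >= thr) printf "%s %s CPU%d %.0f%%\n", irq, name, hot, share
  }' "$1"
}

# affinity_fix <interrupts file> <threshold %> <cpu to move to>
# Emits the command that would re-pin each hot IRQ (review it, then run it as root).
affinity_fix() {
  irq_hotspots "$1" "$2" | while read -r irq name cpu share; do
    echo "echo $3 > /proc/irq/$irq/smp_affinity_list   # $name was on $cpu ($share)"
  done
}

case "${1:-}" in
  live) irq_hotspots /proc/interrupts "${2:-80}" ;;
esac
```

On the constructed table the eth0 receive queue is 100% on CPU0 while eth1's two queues are evenly spread, so only eth0-rx-0 is reported. Against a real box run `sh irq-hotspots.sh live 80`; the fix is usually multi-queue RSS plus `smp_affinity_list` pinning (or irqbalance), which is the closest a commodity PC gets to the plane separation mysidia describes, and it is worth re-checking after every NIC driver update since queue counts and defaults change.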

    6. Re:Are you serious, or just killing time? by atamido · · Score: 3, Insightful

      The "same features"? You mean like ASICs that forward the data with low latency once the route is established? Yep, Linux is going to somehow magically add those to your computer, and that's one of the reasons people pay the extra money for Cisco over some old P3 tower PC and a CD-ROM with a penguin on it. Another is that they fit nicely in a rack.

      A lot of router equipment is essentially an x86 PC. Add on cards are often just PCI or PCIe cards. You'd be surprised how commodity a lot of that equipment is. At least, for a big part of the mid range stuff.

      Granted it's all specially chosen hardware and custom firmwared, plus Cisco IOS is a heavily developed and mature OS specifically written for routing, so you're not going to see anywhere near the same performance with some random Linux whitebox system.

    7. Re:Are you serious, or just killing time? by shaitand · · Score: 3, Funny

      'Ok, now the hubs thing. I say "hubs" for any low end consumer grade unmanaged "switch". For some manufacturers, it was a marketing ploy to say "switch", which just meant "auto speed switching", where it would handle 10baseT/100baseT/100baseTX, but was still a hub (you could see all traffic on all ports).'

      You're showing your age here my friend. This hasn't been true for many years.

  4. What on earth are you trying to actually do? by sirket · · Score: 4, Insightful

    Routing and ISPs are huge topics- what are you trying to do?

    The main problem with routing isn't bandwidth- anyone can pump enough 1500 or 9000 byte frames per second to fill a gigabit pipe. The problem is when you have lots of small packets. At that point, dedicated routing hardware with a high-speed TCAM becomes really important.

    What kind of line cards do you need? ADSL? Ethernet? OC12?

    What kind of services do you need to run? BGP? OSPF?

    What kind of bandwidth are you going to be pushing?

  5. Ebay is your friend. by jjeffries · · Score: 4, Insightful

    Start off small. Pick up some used Cisco stuff off Ebay at 1% list. Maybe a 6500 with a couple of SUP2s for your core switch, a couple or four 7200s for the upstreams/customer facing bits. Make lots of money, upgrade to newer stuff as needed.

  6. Re:Hire someone who knows what they are doing. by lymond01 · · Score: 5, Insightful

    The fact that you are asking on slashdot shows that you are not qualified, and what you're going to get back is a bunch of others, who aren't qualified, suggesting all sorts of half assed hacks to do it which will just result in an utterly shitty service overall.

    I disagree. The Open Source community has a thousand hidden gems that a person might not have heard about. Proxmox VE for one: virtualization, with a GUI, with live migration, and if 2.0 turns out, with heartbeat and failover (high availability). Most people have never heard of this where I work even though half the place is virtualized with KVM, VMWare, Hyper-V, etc. I would think the Slashdot, with its plethora of experiences, might come up with a little-known or workable solution in an already developed product that you haven't heard of yet.

  7. Re:m0n0wall is a great BSD distro by clarkn0va · · Score: 3, Interesting

    I have to agree, although I registered a vote for PFSense above. PFS is based on m0n0wall and both are excellent routers filling slightly different niches. I currently use PFS at home for its packages (freeswitch, squid), but I recently worked for a growing WISP and got them onto m0n0wall, now serving something in the neighbourhood of a thousand customers.

    If you want pure simplicity, go m0n0wall. Otherwise, I strongly recommend looking at PFSense for the squid caching and adjust-on-the-fly connection table size.

    --
    I am literally 3000 tokens away from the chaotic crossbow --Stephen
  8. Re:Hire someone who knows what they are doing. by Jeng · · Score: 4, Funny

    Wait, isn't shitting on topics a well-known slashdot tradition?

    --
    Don't know something? Look it up. Still don't know? Then ask.
  9. As others have said... by KiwiGod · · Score: 4, Insightful

    What's your interface to the net, line cards, bandwidth expectations, etc.? I spent 5 years building a fairly heavy duty wISP network on a stupid low budget from my boss. You can obtain used cisco stuff for cheap. For instance, you can get your hands on a 7206vxr with a NPE-G1 for $10k or less nowadays... If you need something with high redundancy to do less intensive switching, you can pick up a 6509 with a pair of SUP2-MFSC2 cards for less than $2k. As far as support contracts go, I can't imagine that you need the latest and greatest IOS, let alone a support contract that costs more than the replacement of a piece of hardware. On a side note... why are you asking about the uBR series? Are you not running an ethernet network? Last I checked, there's no such thing as "low cost commercial grade." Depending on where you are, unlicensed stuff may not cut it, dealing with interference etc. And licensed hardware is certainly not cheap. With wireless, as well as so many other areas, you get what you pay for.

    --
    Macs, Linux, Windows... who cares, they all suck at something.
  10. Re:Hire someone who knows what they are doing. by nine-times · · Score: 3, Informative

    I think you have a good point, but I don't necessarily agree. First, we don't know what market the submitter plans on operating in or who his clientele are. We don't know what his experience is, how much resources he has, or exactly what level of service he intends to offer. Like the guy who criticized the submitter for refusing to buy a $300k Cisco router, I think you committed a common mistake in thinking that IT is just a series of 1-size-fits-all solutions, and that if you're going to use the "right" solution to each problem, you shouldn't bother.

    The era of entrepreneurship and hacking things together isn't over, and it probably never will be. Our tools and hacks may become more advanced, but hopefully there will always be people trying out new techniques and business models, testing new start-up technology, and finding different ways of accomplishing the same goals. The answer isn't always to pay an expensive expert or to use established tech.

    As for this:

    You could get by with this in the late 90s, but when you're going to compete with cell phone companies, cable companies and standard POTS companies, you probably need to have a bit of a clue.

    That's true, but neither my phone company nor my cable company provide wireless access where I live. Cell phone companies provide wireless, but it's pretty spotty and slow, and I live in NYC. There are plenty of areas in the US where no service is available except through dialup. Obviously these large companies aren't interested in competing in all markets, so if you come up with a business model and think you can make it work, then I say go for it.

  11. Re:Hire someone who knows what they are doing. by GooberToo · · Score: 4, Interesting

    The proper question is: How do I find someone qualified to do this for me?

    You mean because he's humble enough to realize he doesn't know every thing, you believe he's unqualified anything. I suggest you look hard in the mirror and read what you just wrote to yourself.

  12. Re:Mutually exclusive by Fez · · Score: 5, Informative

    You can have low-cost commercial grade services run using off-the-shelf hardware.

    pfSense includes support for CARP, which lets you build high-availability failover clusters. You can have two (or three or four...) cheap systems and if one dies, just fix/replace it as needed. The backup system(s) automatically take over and nobody would likely even notice the changeover.

    When it's cheap, that is much easier to consider.

    If you want no moving parts, you can use an ALIX box, Soekris, or perhaps even some Atom-based boards. If you want to use server-grade boxes to make yourself feel warm and fuzzy, you can do that too. Supermicro even has a server-class Atom board in a 1U rack which runs pfSense very well for us.

  13. Re:DD WRT by pak9rabid · · Score: 4, Insightful

    http://www.dd-wrt.com/site/index

    It's Linux on low cost wireless routers.

    Yeah, that's just what I'd want my ISP to run as a core router.

  14. been there done that bought the tee shirt by Anonymous Coward · · Score: 5, Interesting

    I founded and operate a wireless ISP serving about 1000 wireless subscribers, and have my own embedded linux distro inside just about everything. It would be a fair statement to say that linux literally saved our business on more than one occasion, by giving us the tools to overcome manufacturer software bugs, by establishing 'known good' systems of various types, by enabling read-only compact flash based systems running on solar power, by bringing a high level of utility and reliability into the critical parts of the network, by allowing us to make it anything it needed to be.

    As a CPE, my linux distro never lets me down and never puts customers at risk of 'stone dead - lights on but nobody home', like linksys/netgear/etc always seem to. Never having to tell someone 'just pull the power and plug it back in' for their connectivity is a real saving grace. And when in a business situation, I can equip these customers with connectivity devices that _do not fail_ and make us look stupid, while at the same time giving them useful feature sets unavailable in higher end router manufacturer gear (cisco 2621 - excellent hardware with great stability, just weak on features I get with dnsmasq, openvpn, tcpdump and others.. trying to diagnose network connectivity issues without tcpdump is just dumb.). It's also never choked and zeroed out its own flash config for no goddam reason, unlike the previously mentioned low-end consumer devices frequently do. Basically, that consumer stuff puts you at risk and is suicide.

    As a network appliance, linux flings packets just fine and gives you great tools to filter, mangle and generally control how and what it does. The ebtables code is awesome, the iptables stuff is killer, openvpn rocks asses, dnsmasq kills, there's just too many useful and cool things that just go right. I have a pppoe server running rp-pppoe + my patches and userspace tools, running for years now and hit with every kind of client side bug and malfunction imaginable, and it just keeps trucking along. Freeradius backed up with mysql is sweet as can be, and quagga for distributing my routes internally is just a dream. I have it all on read-only compact flash, so they never write and basically will run until there is a show stopper hardware problem, at which point I will more than likely be able to remove the flash and put it into another machine and away I go.

    There is a lack of management interface, and there is a learning curve to this route, but the upside is very low dollar cost and an attainable level of flexibility, reliability and stability you are unlikely to find in any commercial solution anywhere. Cisco IOS is awesome, but you won't power anything that runs it off a 12v battery and solar panel on the side of a mountain and flinging/filtering 20mbps of traffic.

    Good luck.
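The "linux flings packets just fine" setup above rests on a few pieces the comment names but does not show: the netfilter policy that keeps a subscriber from spoofing a neighbour's address, the sysctls that stop the box from being redirected or used as a source-routed relay, and the shaping that stops one customer from starving the rest. The script below is an added example written for this thread, not the commenter's code or any distribution's. It assumes subscribers sit behind one Ethernet or bridge interface (eth1), the uplink is eth0, addressing is IPv4, and each subscriber has a fixed IP/MAC pair and downstream rate in a small table; all of those names, the table contents and the rate numbers are constructed. It emits text for `iptables-restore`, `sysctl`, and `tc`, so the policy can be reviewed and tested without root and without touching a live router.

```shell
#!/bin/sh
# Added example (not from the thread): generate a Linux WISP edge policy from a subscriber table.
# Everything is emitted as text (iptables-restore / sysctl / tc) so it can be reviewed and
# unit-tested without root. Interface names and subscriber data are constructed.

sample_subscribers() {            # constructed table: ip,mac,down_kbit
cat <<'EOF'
# ip,mac,down_kbit
10.20.0.11,00:11:22:33:44:11,4096
10.20.0.12,00:11:22:33:44:12,2048
EOF
}

# each_subscriber <table> <callback>: calls "<callback> ip mac rate" per data row
each_subscriber() {
  while IFS=, read -r ip mac rate; do
    case "$ip" in ''|\#*) continue ;; esac        # skip blank and comment lines
    "$2" "$ip" "$mac" "$rate"
  done < "$1"
}

gen_sysctl() {                    # forward packets, but refuse to be spoofed or redirected
cat <<'EOF'
net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
EOF
}

# gen_filter <table> <subscriber iface> <uplink iface>: iptables-restore text.
# Control plane (INPUT) is default-deny and rate-limited; forwarding is default-deny and only
# a subscriber's own IP/MAC pair may send upstream, so one customer cannot borrow another's address.
gen_filter() {
  lan=$2
  wan=$3
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SUBSCRIBERS - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $lan -p udp -m multiport --dports 53,67 -j ACCEPT
-A INPUT -i $lan -p icmp --icmp-type echo-request -m limit --limit 20/s -j ACCEPT
-A INPUT -p tcp --dport 22 -m hashlimit --hashlimit-name ssh --hashlimit-above 5/min --hashlimit-mode srcip -j DROP
-A INPUT -p tcp --dport 22 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $lan -o $wan -j SUBSCRIBERS
-A FORWARD -i $lan -o $lan -j DROP
EOF
  each_subscriber "$1" _accept_rule
  echo '-A SUBSCRIBERS -m limit --limit 10/min -j LOG --log-prefix "spoof-drop: "'
  echo '-A SUBSCRIBERS -j DROP'
  echo 'COMMIT'
}
_accept_rule() { echo "-A SUBSCRIBERS -s $1/32 -m mac --mac-source $2 -j ACCEPT"; }

# gen_tc <table> <subscriber iface> <total downstream kbit>: one HTB class per subscriber on the
# subscriber-facing interface, so a torrenting customer is capped at their own rate.
gen_tc() {
  lan=$2
  echo "tc qdisc add dev $lan root handle 1: htb default 9999"
  echo "tc class add dev $lan parent 1: classid 1:1 htb rate ${3}kbit"
  echo "tc class add dev $lan parent 1:1 classid 1:9999 htb rate 64kbit ceil 256kbit"   # unknown hosts
  n=16
  each_subscriber "$1" _tc_rule
}
_tc_rule() {
  n=$((n + 1))
  cls=$(printf '1:%x' "$n")
  echo "tc class add dev $lan parent 1:1 classid $cls htb rate ${3}kbit ceil ${3}kbit"
  echo "tc filter add dev $lan protocol ip parent 1: prio 1 u32 match ip dst $1/32 flowid $cls"
}

case "${1:-}" in
  demo) t=$(mktemp); sample_subscribers > "$t"
        gen_sysctl; gen_filter "$t" eth1 eth0; gen_tc "$t" eth1 20000; rm -f "$t" ;;
esac
```

`sh wisp-edge.sh demo` prints the three artifacts; on a router the pattern is `gen_filter subs.csv eth1 eth0 | iptables-restore`, `gen_sysctl > /etc/sysctl.d/router.conf && sysctl --system`, and `gen_tc subs.csv eth1 20000 | sh`, with the table kept alongside the read-only flash image so a rebuilt box regenerates the same policy. Not shown, and needed before this goes in front of real customers: bogon and own-prefix ingress filtering on the uplink, per-subscriber upstream shaping on eth0, and the same treatment for IPv6, since a default-deny v4 policy does nothing for v6 traffic.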

  15. Re:no DD WRT by bartwol · · Score: 3, Informative

    In my experience, I think there's something to what you say. The DD-WRT software is quite capable, but the CPUs in consumer routers are relatively slow and get bogged down when you fire up a bunch of chatty sessions, a good load of firewall rules, and try to pound data through too. Add monitoring of the router (which DD-WRT doesn't do much to support) and it doesn't take much to make the router start lagging and gasping for air. I've experienced such limitations in an office environment.