Slashdot Mirror


Ask Slashdot: Advice On Building a Firewall With VPN Capabilities?

An anonymous reader writes "I currently connect to the internet via a standard router, but I'm looking at bulking up security. Could people provide their experiences with setting up a dedicated firewall machine with VPN capabilities? I am a novice at Linux/BSD, so would appreciate pointers at solutions that require relatively little tweaking. Hardware-wise, I have built PC's, so I'm comfortable with sourcing components and assembling into a case. The setup would reside in my living room, so a quiet solution is required. The firewall would handle home browsing and torrenting traffic. Some of the questions knocking around in my head: 1. Pros and cons of buying an off-the-shelf solution versus building a quiet PC-based solution? 2. Software- versus hardware-based encryption — pros and cons? 3. What are minimum requirements to run a VPN? 4. Which OS to go for? 5. What other security software should I include for maximum protection? I am thinking of anti-virus solutions."

238 comments

  1. geek or not by Anonymous Coward · · Score: 5, Informative

    This will let you connect to VPNs and such: http://www.buffalotech.com/products/wireless
    or for a more geek solution https://www.pfsense.org/

    1. Re:geek or not by Anonymous Coward · · Score: 0

      https://www.youtube.com/watch?...

      For $50 a Raspberry Pi with a USB ethernet connector can do it if you don't push too much data.

    2. Re:geek or not by bsdasym · · Score: 1

      Another +1. I use it at home between my cablemodem and the rest of my network. I use it at work to protect the corporate network. Can get access to the work VPN remotely via both pfsense/pfsense VPN that's always on, and VPN client into pfsense from elsewhere. Runs like a champ in VMWare too, with a small footprint.

    3. Re:geek or not by aaarrrgggh · · Score: 1

      I've had miserable experience with Buffalotech reliability, and would recommend Asus and the RT-AC-66U in a heartbeat. The custom firmware adds a lot of nice functionality including OpenVPN with GUI.

      For non-paranoid, non-geeks, avoid OpenVPN in my book.

    4. Re:geek or not by static0verdrive · · Score: 1

      I love my Asus RT-AC66U with Merlin's custom firmware. I use OpenVPN with it (and Tunnelblick etc on my clients). That being said, if you want the best, pfSense is where it's at. You just need any cheap motherboard and a total of 2 network connections (usually that's one on-board and one add-in card, and they're cheap). I'd use a mobo that had on-board video so you have less generating heat in the case (and also less to buy and supply power to).

      --
      ========
      77 77 77 2e 6d 65 6c 76 69 6e 73 2e 63 6f 6d
    5. Re:geek or not by MR2Dave · · Score: 1

      I agree. If you don't mind tinkering, pfSense is the way to go, but it isn't for the sort of people who want something to just work right out of the box.
      I run it on a compact Intel Atom box: http://www.newegg.com/Product/...
      Round off that setup with 4GB of RAM and a small SSD for a quiet, power-sipping network appliance for around $200.
      That setup firewalls/NATs a 50Mb internet connection, runs a VPN server, runs a Snort IDS/IPS, and runs a transparent proxy that captures all http traffic and runs it through a virus scanner.
      Add a managed switch that can handle VLANs (Mikrotik sells a 5-port for around $40), and you've got a router on a stick. Now you can run a separate access point to provide free wifi to the neighborhood without compromising your own network, etc.
      It's a really flexible setup, and I can't recommend it enough.

    6. Re:geek or not by Anonymous Coward · · Score: 0

      My OpenVPN/Raspberry Pi proxy was a miserable failure... it pegged the CPU and the console was barely responsive even with normal web browsing. There's better hardware available to do this.

    7. Re:geek or not by ottawanker · · Score: 1

      I'm fairly certain my pfSense box has no video card in it at all to generate heat. It also has 6 ethernet interfaces, all in a nice mini-itx package.

    8. Re:geek or not by houstonbofh · · Score: 1

      Also look at the father of pfSense, m0n0wall. Leaner, so it can run on lighter hardware.

    9. Re:geek or not by Anonymous Coward · · Score: 0

      I made the mistake of buying a Buffalo router.

      To quote Neil Young, it was a piece of shit, forever dropping wireless connections - which, as I stream my music and video wirelessly was a serious pain in the arse.

      Go with DD-WRT but NOT Buffalo's own version; they seem to have taken a fairly rock-solid piece of software and broken it.

      The Buffalo HDD I had also failed after a year.

      The only piece of Buffalo kit I have that actually still works is an 8-port switch. That I would recommend.

    10. Re:geek or not by viperidaenz · · Score: 1

      An old CPU that has to manage two usb ethernet devices on a single usb port? That'll be great performance. It will totally handle VPN and torrenting.

    11. Re:geek or not by Anonymous Coward · · Score: 0

      Cisco ASA appliances are not that expensive, and they provide the industry standard of security. If I didn't go with pfsense or roll my own BSD router, I'd probably just go with Cisco's offering.

    12. Re:geek or not by Dishevel · · Score: 1

      100% Agree. If you have the ability to read and understand words then pfSense will work for you.

      --
      Why is it so hard to only have politicians for a few years, then have them go away?
    13. Re: geek or not by Anonymous Coward · · Score: 0

      Do you mind sharing details -- what brand/model board is that?

    14. Re:geek or not by WuphonsReach · · Score: 1

      For DIY, the choice really does boil down to either pfSense or IPFire depending on whether you want BSD or Linux underneath.

      Personally, I went with a full blown CentOS with Shorewall / OpenVPN on top, but it was definitely not the easiest thing to set up. Next time around I'm strongly considering a firewall distro.

      --
      Wolde you bothe eate your cake, and have your cake?
  2. Why VPN? by Anonymous Coward · · Score: 1

    Do you regularly remote in to your home network? Do you connect out to a server somewhere? If not, then setting up a VPN isn’t going to give you much (well technically it won’t give you anything). If so, your specific use case (which was not provided) matters.

    As for software, one of:

    - Throw your linux on there (I like Gentoo hardened) and roll your own with OpenVPN and other assorted tools (I like shorewall as an iptables frontend).
    - pfSense if you’ve got a decent box and want bells and/or whistles
    - m0n0wall if you want something light but functional

    You might also want to consider routerboard, it’s cool shit and reasonably priced.

    1. Re:Why VPN? by aaarrrgggh · · Score: 1

      One big reason is to avoid all the "cloudy" ways to allow remote access to things like cameras, storage, security. Another incentive might be to route all (say) netflix traffic to a VPN so that it doesn't get throttled by your ISP.

    2. Re:Why VPN? by twistedcubic · · Score: 1

      > Do you regularly remote in to your home network? Do you connect out to a server somewhere?

      Have you ever met anyone considering a VPN who does neither? But anyway, there are many other good reasons for using a VPN.

    3. Re:Why VPN? by Anrego · · Score: 1

      > Have you ever met anyone considering a VPN who does neither?

      Honestly, some people will hear these kind of terms referenced a lot in relation to security and decide they should have them without any understanding of what they actually provide (beyond security of course, which is what they want!).

    4. Re:Why VPN? by NotSanguine · · Score: 1

      > Do you regularly remote in to your home network? Do you connect out to a server somewhere? If not, then setting up a VPN isn’t going to give you much (well technically it won’t give you anything). If so, your specific use case (which was not provided) matters.
      >
      > As for software, one of:
      >
      > - Throw your linux on there (I like Gentoo hardened) and roll your own with OpenVPN and other assorted tools (I like shorewall as an iptables frontend).
      > - pfSense if you’ve got a decent box and want bells and/or whistles
      > - m0n0wall if you want something light but functional
      >
      > You might also want to consider routerboard, it’s cool shit and reasonably priced.

      I agree. I've been running a similar setup on a PIII-100 (remember those?) with 96MB RAM and a 200MB disk for almost twenty years. The most important part is hardening the kernel, stripping out unneeded software and having a sane set of IPTables rules. Works like a champ!

      --
      No, no, you're not thinking; you're just being logical. --Niels Bohr
    5. Re:Why VPN? by Huckleberry_Hell_Raz · · Score: 1

      Except a PIII-100 did not exist. At 100MHz you would have been talking about a 486DX4 or a Pentium 100MHz machine. PIII ran from 450MHz-1.4GHz IIRC. However, if you are talking about bus speed, then yes, P3 did use a 100MHz-133MHz bus speed. However, when talking about a P3 (or even Pentium 1), a 200MB hard drive would have been tiny. When I bought my Pentium 166MHz machine it came with a (pricey) 4.3GB SCSI drive. I believe I even had a 500MB drive hooked up to my 386. And I sure did not have 96MB of RAM, more like 4MB. Those were the days, just not quite like how you remember them...

    6. Re:Why VPN? by NotSanguine · · Score: 1

      > Except a PIII-100 did not exist. At 100MHz you would have been talking about a 486DX4 or a Pentium 100MHz machine. PIII ran from 450MHz-1.4GHz IIRC. However, if you are talking about bus speed, then yes, P3 did use a 100MHz-133MHz bus speed. However, when talking about a P3 (or even Pentium 1), a 200MB hard drive would have been tiny. When I bought my Pentium 166MHz machine it came with a (pricey) 4.3GB SCSI drive. I believe I even had a 500MB drive hooked up to my 386. And I sure did not have 96MB of RAM, more like 4MB. Those were the days, just not quite like how you remember them...

      You're right. I was incorrect. It's a Pentium Pro-200, not a PIII-100. And it's not about *remembering*. It's right here, under my desk. Purchased new (Dell Dimension XPS) in 1995, IIRC.
      $ cat cpuinfo
      processor : 0
      vendor_id : GenuineIntel
      cpu family : 6
      model : 1
      model name : Pentium Pro
      stepping : 9
      cpu MHz : 199.434

      $ cat /proc/meminfo
      total: used: free: shared: buffers: cached:
      Mem: 96964608 94928896 2035712 0 3387392 13291520

      Is there anything else I'm not "remembering" from way back then, Huck?

      --
      No, no, you're not thinking; you're just being logical. --Niels Bohr
    7. Re:Why VPN? by Huckleberry_Hell_Raz · · Score: 1

      That's awesome! I think my 386 came with a really large 40MB drive and I wanted so badly to get a CD-ROM until I found out you still needed drive space to run the games on them. I only remember because that was really when I started to get into computers on my own. I was quite a hardware geek back in those days. I bought that P166 back in 1996 I think, and it was a really expensive rig looking at hardware nowadays.

    8. Re:Why VPN? by NotSanguine · · Score: 1

      > That's awesome! I think my 386 came with a really large 40MB drive and I wanted so badly to get a CD-ROM until I found out you still needed drive space to run the games on them. I only remember because that was really when I started to get into computers on my own. I was quite a hardware geek back in those days. I bought that P166 back in 1996 I think, and it was a really expensive rig looking at hardware nowadays.

      Yeah. The leaps in performance and capacity have been so huge. I remember back in the late 80s (before IDE/ATA) how awesome it was to get an 80MB (RLL format vs 40MB MFM) disk for my PC XT. Ahh, the joys of INT13 calls under DOS 3.3 :)

      --
      No, no, you're not thinking; you're just being logical. --Niels Bohr
    9. Re:Why VPN? by Anonymous Coward · · Score: 0

      Yes, you've forgotten your fucking manners. No reason to be a doooooooosh.

    10. Re:Why VPN? by NotSanguine · · Score: 1

      > Yes, you've forgotten your fucking manners. No reason to be a doooooooosh.

      I assume that's meant to be humor. If not, I'm guessing you didn't take your medication today. Oh, and it's spelled 'douche'. Have a wonderful day, my rude, spelling-challenged friend.

      --
      No, no, you're not thinking; you're just being logical. --Niels Bohr
    11. Re:Why VPN? by DarwinSurvivor · · Score: 1

      > Another incentive might be to route all (say) netflix traffic to a VPN so that it doesn't get throttled by your ISP.

      Or routes out through a country that doesn't have shit for selection.

    12. Re:Why VPN? by Wolfrider · · Score: 1

      > I agree. I've been running a similar set up on a PIII-100 (remember those?) with 96MB RAM and a 200MB disk for almost twenty years.

      --Dude, how high is your electric bill? o_O

      --If you hook up a kill-a-watt to that beast, you might want to consider replacing that ancient machine with something like a Raspberry Pi / Cubietruck / Atom box - it will likely pay for itself within a year due to the power savings...

      TS-836A Plug Power Meter = ~$16 on Amazon

      --
      .
      == WolfriderV6 == I'm willing to admit that *I just might* be wrong... Are you??
    13. Re:Why VPN? by NotSanguine · · Score: 1

      > > I agree. I've been running a similar set up on a PIII-100 (remember those?) with 96MB RAM and a 200MB disk for almost twenty years.
      >
      > --Dude, how high is your electric bill? o_O
      >
      > --If you hook up a kill-a-watt to that beast, you might want to consider replacing that ancient machine with something like a Raspberry Pi / Cubietruck / Atom box - it will likely pay for itself within a year due to the power savings...
      >
      > TS-836A Plug Power Meter = ~$16 on Amazon

      Just to clarify, it's actually a Pentium Pro-200, not a PIII-100.

      My electric bill is between me and the electric company. Thanks for your concern, though.

      That said, I appreciate the suggestion, but my bill is already a bit lower since I got rid of the Dell PowerEdge 6400 I was running for many years. What is more, when it's hot in the summer, my AC unit uses more power than all the other electric devices in my house. If I was really concerned, I'd sweat more. :)

      Compared to the AC and the other systems I run, my firewall's power usage is negligible. I guess it's just a matter of perspective, eh?

      --
      No, no, you're not thinking; you're just being logical. --Niels Bohr
  3. DD-wrt by everett · · Score: 5, Insightful

    That was easy.

    --
    Sig withheld to protect the innocent.
    1. Re:DD-wrt by michrech · · Score: 4, Informative

      You realize that DD-WRT runs on far more hardware than the WRT-54x series of routers, right? In fact, I'm running it on a Netgear WNDR3700 V4 (a *far* more capable router than the WRT-54G). I'm barely using any of its features; however, its interface is far more responsive than the Netgear "genie" interface, and it no longer randomly resets its network connections.

      In this case, I'd say a little *research* into a particular topic, before you comment, goes a long way... ;)

      --
      bork bork bork!
  4. OpenWRT by Anonymous Coward · · Score: 1

    Get a router compatible with OpenWRT (Netgear WNDR3800 is a good choice) and install OpenVPN.

    1. Re: OpenWRT by Anonymous Coward · · Score: 0

      +1 for OpenWRT! I haven't found anything I can't do with it. Regardless of whether I'm using an older DLink DIR-825 or DIR-615, or a TP-Link WND3600 the interface and management is the same. And you can't beat the silence; no fans and no drives make it very quiet. The VPN was a bit of a bear to get going but it's quite capable. For the cost of a cheap home router and OpenWRT you have a nice platform.

  5. EdgeRouter Lite by Anonymous Coward · · Score: 0

    www.amazon.com/gp/product/B00CPRVF5K

    With US internet speed growth as it is, that router will last you for a decade.

    1. Re:EdgeRouter Lite by DittoBox · · Score: 1

      This. I have one at home, and install them for clients who need to replace SonicWalls and the like. Very hackable, very stable, very fast.

      --
      Good. Cheap. Fast. Pick Two.
    2. Re:EdgeRouter Lite by GSloop · · Score: 1

      ++1

      Seriously. I've used Mikrotik (hostile Latvians [check], and buggy firmware [super check] - really the rant list is too long to enumerate here!) and am moving lots of stuff to UBNT.

      The edge-router line is frankly totally incredible.
      And speaking of VPN - they have an OpenVPN that actually supports the full spec, rather than the totally neutered one 'Tik does.
      Real IPSec firewall interfaces! [L2TP where IPSec can get bypassed? Another 'Tik exclusive!]

      (Do I sound kind of bitter about 'Tik? :) Yeah, I've got quite a number of people on 'Tik stuff, but given their hostility [it's legendary] and crap firmware [firmware russian roulette anyone!?] and a host of other issues - I'll be glad to have all my clients off onto Ubiquiti's stuff. )

      Learning curve is steep, but no more than equivalent products - for example 'Tik, Cisco etc. It's a Vyatta based platform. UBNT's forum is incredible, as are UBNT staff themselves.

      Virtually any UBNT product I'd not hesitate to buy. It's *incredible* value.

      ---
      As for a router on a PC or some other idea...
      It's way less power than a franken-PC.
      Solid-state disks. [less mechanical failure possibilities]
      Massive packet throughput. [1M pps for the $100 ER Lite, 2Mpps for the 8 port versions!] Based on Debian. Rocks.
      Damn cheap!
      Quiet!
      And best of all. Really pretty easy, quick.

      Basic stuff won't require a lot of work/time. If you want more, pretty much the sky's the limit. But more fancy stuff will take more time.
      But basic functionality - probably a couple of hours start to finish.

      Good luck!

      -Greg

    3. Re:EdgeRouter Lite by Anonymous Coward · · Score: 0

      So long as you never want any documentation, Ubiquiti is great. Who needs that documentation stuff anyway?

    4. Re:EdgeRouter Lite by Anonymous Coward · · Score: 0

      What documentation were you unable to find?

    5. Re:EdgeRouter Lite by Anonymous Coward · · Score: 0

      Ones I've encountered:
      EdgeRouter Lite, advanced QoS and queue configuration.
      Something other than datasheet and quick-start guide for: EdgeSwitch, UniFi Video, UniFi VoIP and UniFi Security Gateway etc.
      Even their existing UniFi stuff is just community wiki content. I remember upgrading to UniFi 3 and the problems with the captive portal pages. Thanks for telling us the form variables changed!

      Good hardware, but software and documentation leave a lot to be desired. Don't even get me started on the choice of Java and MongoDB for UniFi, stupid installation directories and the begging we had to do to get UniFi to run as a Windows service. All this said, their AirFiber product is fantastic; I've always assumed it was made by a completely separate team.

    6. Re:EdgeRouter Lite by Anonymous Coward · · Score: 0

      And let's not forget mFi. Lots of community content but not a lot of actual documentation. I've nearly listed their entire product range beyond their AirOS and PTP wireless gear!

  6. What are you trying to do? by RobbieCrash · · Score: 5, Interesting

    A VPN? To connect to where, from where? Are you doing this for something to do, or because you want to implement the best solution? Do you just want better router software?

    Install Tomato or DD or OpenWRT or any one of their variants on your existing router.

    Building your own in the name of security isn't going to work unless you really know what you're doing, which you said you don't in your summary. That sounds like a dick thing to say, but it's not. Security is difficult for people that know what they're doing; when people who don't try to DIY it, it's almost universally bad.

    --
    Keep on knockin'
    https://robbiecrash.me
    1. Re:What are you trying to do? by mpthompson · · Score: 1

      I can second going the Tomato route. I've used this for nearly 10 years now and have been very happy with the results. Heard good things about DD and OpenWRT, but haven't tried them myself.

      New hardware capable of running Tomato can be had on Amazon for less than $50 and is very low in power consumption. Tomato is a small enough sandbox that you're less likely to screw up security, but has enough options and add-ons to do whatever you are likely to want to do with it. There is also an active community that can lend help with questions when needed.

      Prior to Tomato I tried running my own BSD system as a firewall/VPN, but I never could sleep well not knowing whether I actually had it properly configured with regards to security. I'm fairly knowledgeable in such things, but don't have the time to stay on top of everything. Particularly for a home network where I don't want to spend more than a few hours each year on system maintenance and updates.

    2. Re:What are you trying to do? by Nimey · · Score: 1

      I've got an Asus RT-N16 with Shibby's mod of Tomato Firmware. OpenVPN is available in certain builds thereof and I've used it successfully, though it takes a bit of setting up (and trial & error in my case).

      --
      Hail Eris, full of mischief...

      E pluribus sanguinem
    3. Re:What are you trying to do? by Necroman · · Score: 2

      Exactly. "Firewall" is somewhat of an overused word at this point that can mean so many different things. And the capabilities of said firewall will vary highly from product to product.

      A stateful firewall will keep track of all connections going through it. A good one can help detect malformed packets and drop those. It can also detect some fun attacks people use to fake initiating a TCP connection.

      Beyond the basics of looking at port/IP/protocol data, you can start getting into more packet analysis to filter out sites. But a lot of the application detection that can be done isn't as useful nowadays due to SSL becoming the standard for so many sites. So to do real good packet analysis you need an SSL model to decode traffic (MITM your own house).

      Going the next level is to use an IPS to detect bad traffic. The popular solution here is Snort or Suricata. If you want a linux distro with IPS tech built in, security-onion seems ok.

      --
      Its not what it is, its something else.
    4. Re:What are you trying to do? by Anonymous Coward · · Score: 0

      I'll second that. Have exactly the same setup and VPN worked pretty much immediately without too much trouble. The Asus RT-N16 has been fantastically stable with Shibby's full Tomato build.

    5. Re:What are you trying to do? by Anonymous Coward · · Score: 0

      > A VPN? To connect to where, from where? Are you doing this for something to do, or because you want to implement the best solution? Do you just want better router software?
      >
      > Install Tomato or DD or OpenWRT or any one of their variants on your existing router.
      >
      > Building your own in the name of security isn't going to work unless you really know what you're doing, which you said you don't in your summary. That sounds like a dick thing to say, but it's not. Security is difficult for people that know what they're doing; when people who don't try to DIY it, it's almost universally bad.

      I will add to that and say that the pros that do know what they are doing still use the easiest solution whenever they can, not some convoluted mess. If you're doing it to learn that's one thing, if you're doing this as a noob to protect yourself somehow, stop!

    6. Re: What are you trying to do? by Anonymous Coward · · Score: 0

      THIS is the attitude of the great security wizards that brought us Heartbleed.

    7. Re:What are you trying to do? by Anonymous Coward · · Score: 0

      Read the goddamned summary for one fucking minute before you post please. He says it is torrenting. If you torrent, you pretty much have to have a VPN or the 6 strikes DMCA lawsuit shit kicks in. That's also why he wants the ad blocking/antivirus features as well. He is pretty much wanting to make a pc that runs his torrents through a vpn while filtering them with Peerblock and scanning the final DL for viruses. Somehow TOR needs to be in there too cause sekoority. He probably wants a one device solution because his kids keep turning on bit torrent without turning on the VPN and he's on his 3rd or 4th letter from Comcrap. Ask me how I know all of this?

    8. Re:What are you trying to do? by Anonymous Coward · · Score: 0

      +1 for Shibby's TomatoUSB build. The Tomato UI is so well done, and the recent feature additions by Shibby, Toastman et al fit right in. Just make sure you get the right build for your hardware.

    9. Re:What are you trying to do? by Anonymous Coward · · Score: 0

      I used to use Tomato, then I tried DD when I bought a new router and Tomato wasn't supported on it. About 2 months later TomatoUSB added support and I switched back. So. Much. Better.

    10. Re:What are you trying to do? by Anonymous Coward · · Score: 0

      You don't know all of that. You are making a lot of assumptions and guesses.

  7. http://www.ipcop.org/ by Anonymous Coward · · Score: 0

    Try
    http://www.ipcop.org/

  8. Try pfSense by Anonymous Coward · · Score: 0

    I have used pfSense running on a PC Engines Alix board for a few years now. There is a good community behind pfSense, along with a commercial entity if you want to pay for support. It supports both IPSec and OpenVPN.

    pfSense has minimal requirements for hardware. I'm using an Alix 2D13, which has a 500MHz AMD CPU with 256MB of RAM. I went with the Soekris VPN Accelerator card to offload the VPN. The newer version of the Alix board, the APU1C, no longer needs the VPN accelerator.

  9. pfSense by Anonymous Coward · · Score: 0

    freebsd network engine, openbsd packet filter

    can't lose

  10. Try pfSense by Anonymous Coward · · Score: 0

    https://www.pfsense.org/

    The price is right, and you can install it on just about anything including ALIX boards https://blog.pfsense.org/?p=155 , which is what I happen to use.

  11. Buy a Ubiquiti EdgeRouter Lite. by FictionPimp · · Score: 3, Informative

    Buy a Ubiquiti EdgeRouter Lite.

    1. Re:Buy a Ubiquiti EdgeRouter Lite. by SwingMonkey · · Score: 1

      Second this. Big fan of Ubiquiti tech. Steeper learning curve, but great bang for the buck.

    2. Re:Buy a Ubiquiti EdgeRouter Lite. by Anonymous Coward · · Score: 0

      Third this!

      I purchased the $99 unit several months ago and am loving it!

      It is Vyatta based so the CLI is easy to learn for those that are familiar with Vyatta.

    3. Re:Buy a Ubiquiti EdgeRouter Lite. by Anonymous Coward · · Score: 0

      Third this, it's basically the best of both worlds. Fast enough to do gigabit routing, flexible enough to basically run enterprise networking and cheap enough that you'll probably feel silly building basically a server to handle what that little 100-ish dollar box can.

      Setup isn't exactly super easy if you want to do advanced things with it but there's a good community that makes it reasonable to figure out how to get it to do what you want it to if you can google at all.

    4. Re:Buy a Ubiquiti EdgeRouter Lite. by Anonymous Coward · · Score: 0

      Edgerouter lite for the win. I've installed these at nearly all my clients' sites. Excellent value.

    5. Re:Buy a Ubiquiti EdgeRouter Lite. by loki_2525 · · Score: 1

      Been running the EdgeRouter Lite for a few months, great hardware. Only outstanding issue on the device is with DDNS VPN endpoints. Seems the router doesn't update the VPN SA information when the IP changes.

      Used the following command to check the SA:
      show vpn ipsec sa

      Used the following command to clear/update the SA:
      clear vpn ipsec-peer host.dydns.com
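      A watcher for exactly this failure mode, as an added example (not the poster's or Ubiquiti's code): it resolves the peer's DDNS name, keeps the last-seen address in a state file, and issues the clear command quoted above only when the address has actually changed. The wrapper path is an assumption about how EdgeOS exposes operational-mode commands to scripts; the peer name, state file and cron cadence are placeholders.

```shell
#!/bin/sh
# Added example: clear an IPsec peer whose DDNS address has moved, and nothing else.
# Intended to run from cron on the router (say every 5 minutes).
# Assumptions, none of them from the post:
#   PEER      the DDNS hostname configured as the remote IPsec peer
#   STATEFILE where the last address seen is kept between runs
#   OPWRAP    wrapper that lets scripts run EdgeOS/Vyatta operational-mode commands
PEER=${PEER:-host.dydns.com}
STATEFILE=${STATEFILE:-/var/tmp/ipsec-peer-$PEER.ip}
OPWRAP=/opt/vyatta/bin/vyatta-op-cmd-wrapper

# Resolve a hostname to its first IPv4 address; prints nothing on failure.
resolve_peer() {
    getent ahostsv4 "$1" 2>/dev/null | awk 'NR==1 {print $1}'
}

# Compare an address against the recorded one. Returns 0 (changed) and records
# the new value when it differs or nothing was recorded yet; returns 1 otherwise.
# An empty address means DNS failed: never tear down a working SA on that basis.
peer_changed() {
    addr=$1; state=$2
    [ -n "$addr" ] || return 1
    old=$(cat "$state" 2>/dev/null || true)
    [ "$old" != "$addr" ] || return 1
    printf '%s\n' "$addr" > "$state"
    return 0
}

# Only touch the SA when the address moved; the clear command is the one from
# the post, run through the operational-command wrapper so it works from cron.
refresh_peer() {
    addr=$(resolve_peer "$PEER")
    if peer_changed "$addr" "$STATEFILE"; then
        logger -t ipsec-ddns "$PEER now $addr, clearing IPsec peer"
        "$OPWRAP" clear vpn ipsec-peer "$PEER"
    fi
}

if [ "${1:-}" = "--run" ]; then
    refresh_peer
fi
```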

  12. IPFire by BarneyRabble · · Score: 1

    You will not find a more dedicated firewall system than IPFire (http://www.ipfire.org). Requires a PC with at least two network interface cards to route traffic, an easy to configure web based front end, back end through the command line, with firewall rules that include VPN. Give it a go.

    1. Re:IPFire by junkgoof · · Score: 1

      I've found openwrt to be a little more flexible than dd-wrt for VPNs. I used openvpn with good results a few years back.

      A straight linux server running openswan can connect to almost anything but it takes a bit of doing. I haven't used it in the last few years but it worked last time I tried. Multiple NICs are helpful and considering negligible cost (if you don't have a pile, I have a drawerful around somewhere) easy to justify.

      --
      You got me into this! You were the ideologue! I'm only a poor assassin! - Twenty evocations, Bruce Sterling
    2. Re:IPFire by krammit · · Score: 1

      Another vote for IPFire. Excellent little distro.

      --
      "Watch your cornhole, bud."
  13. IPTables and OpenVPN by MightyMartian · · Score: 2

    I build these critters all the time. Our entire multioffice infrastructure is based on Debian-based routers with OpenVPN. OpenVPN is pretty simple to get running, and I use Webmin to build my iptables rules.

    --
    The world's burning. Moped Jesus spotted on I50. Details at 11.
    1. Re:IPTables and OpenVPN by aaarrrgggh · · Score: 1

      Do you use OpenVPN from iPhone/iPads in your environment? Can't stand the client I have from OpenVPN.com.

    2. Re:IPTables and OpenVPN by MightyMartian · · Score: 1

      The client isn't great, but it does work. We have a few Android and iOS devices that use the apps, and it works once you get it configured.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    3. Re:IPTables and OpenVPN by Anonymous Coward · · Score: 0

      The Android client is easy-peasy and doesn't require root.

      For idevices you'll want to jailbreak and get a copy of GuizmoOVPN.

    4. Re:IPTables and OpenVPN by Anonymous Coward · · Score: 0

      This sounds like a typical freetard excuse to dismiss the incompetence of open source programmers.

    5. Re:IPTables and OpenVPN by aaarrrgggh · · Score: 1

      Ironically, it is the licensing of openvpn (not that open) that makes the problem.

  14. Re:geek or not ~ pfSense by InitZero · · Score: 4, Informative

    I love me some pfSense. We use it at the office and it handles everything we can throw at it (including VPN/IPSec between offices to backfeed high bandwidth security video). It is also light weight enough to work in a home environment on minimal hardware.

    Their hardware is both overpriced and well-made. For our small branch offices their embedded devices (such as https://store.pfsense.org/VK-T...) are better than what we could create on our own in low volume and a lot less work. For larger branch offices we will stick pfSense in virtual machine with whatever else they have running. It does well as a VM, too.

    Cheers,
    Matt

  15. Raspberry pi by Anonymous Coward · · Score: 1

    Raspbian on Raspberry Pi works very well as a firewall/router. Software I use: dnsmasq (just for DNS), openvpn (for administration), openvpn (trusted clients use the VPN as gateway, thus avoiding unencrypted packets on wifi), dhcpd (serving 3 networks) and of course finally: iptables.
    I can easily max out both upload and download speed (35/35 uplink) without the RPi choking.
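    As an added illustration (not the poster's own configuration), here is an iptables policy for the layout this post describes: wired LAN, a wifi segment whose clients only get out through the gateway VPN, a separate administration VPN, and dnsmasq/dhcpd on the router. Interface names, subnets and ports are assumptions. The script prints the rules so they can be reviewed and checked without root; piped into sh as root on the Pi, it applies them.

```shell
#!/bin/sh
# Added example, not the poster's configuration. Assumed layout (not from the post):
#   eth0  = WAN (modem side)
#   eth1  = wired LAN 192.168.1.0/24, served DHCP and DNS by the router
#   wlan0 = wifi 192.168.2.0/24; clients get DHCP here but reach anything else
#           only through the gateway VPN, so nothing useful crosses the air in clear
#   tun0  = administration OpenVPN instance (UDP 1194, accepted on the WAN side)
#   tun1  = gateway OpenVPN instance for trusted wifi clients (UDP 1195, wifi side)
WAN=eth0; LAN=eth1; WIFI=wlan0; VPN_ADMIN=tun0; VPN_GW=tun1
LAN_NET=192.168.1.0/24; WIFI_NET=192.168.2.0/24
ADMIN_PORT=1194; GW_PORT=1195

# Emit the ruleset as plain iptables commands: default deny, then explicit allows.
fw_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# loopback, return traffic, and early drop of invalid (malformed/spoofed) packets
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
# wired LAN may use the router for DNS (dnsmasq) and DHCP
iptables -A INPUT -i $LAN -s $LAN_NET -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i $LAN -s $LAN_NET -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -i $LAN -p udp --dport 67 -j ACCEPT
# wifi may only get a lease and open the gateway tunnel; all else arrives inside it
iptables -A INPUT -i $WIFI -p udp --dport 67 -j ACCEPT
iptables -A INPUT -i $WIFI -s $WIFI_NET -p udp --dport $GW_PORT -j ACCEPT
# administration tunnel from the internet; SSH is reachable only through it
iptables -A INPUT -i $WAN -p udp --dport $ADMIN_PORT -j ACCEPT
iptables -A INPUT -i $VPN_ADMIN -p tcp --dport 22 -j ACCEPT
# DNS for clients inside the gateway tunnel
iptables -A INPUT -i $VPN_GW -p udp --dport 53 -j ACCEPT
# forwarding: wired LAN and tunnelled wifi go out the WAN; the raw wifi segment does not
iptables -A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $VPN_GW -o $WAN -j ACCEPT
iptables -A FORWARD -i $VPN_ADMIN -o $LAN -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
EOF
}

# Checks worth running before applying: default-deny policies present, nothing
# forwarded straight off the raw wifi interface, SSH only on the admin tunnel.
check_rules() {
    rules=$(fw_rules)
    echo "$rules" | grep -q -- '-P INPUT DROP' || return 1
    echo "$rules" | grep -q -- '-P FORWARD DROP' || return 1
    if echo "$rules" | grep -q -- "-A FORWARD -i $WIFI "; then return 1; fi
    [ "$(echo "$rules" | grep -c -- '--dport 22 ')" -eq 1 ] || return 1
    echo "$rules" | grep -q -- "-i $VPN_ADMIN -p tcp --dport 22 " || return 1
    return 0
}

case "${1:-}" in
    --apply) fw_rules | sh ;;                              # run as root on the Pi
    --show)  fw_rules ;;
    --check) check_rules && echo "policy checks passed" ;;
esac
```

    Run with --check before --apply; persisting the rules across reboots (iptables-save to a file restored at boot) is left to the distribution's usual mechanism.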

    1. Re: Raspberry pi by Anonymous Coward · · Score: 0

      I'd like to know in depth/detail on how you did this, very interesting and I'd try it out for my setup

    2. Re:Raspberry pi by Anonymous Coward · · Score: 0

      This is a short-sighted solution at best, since you're probably nearly at the limits of the RPi's I/O abilities.

      Most broadband in my area is much faster than 100 Mbps.

      RPi is the solution if:
      - you want a router that's going to be a bottleneck in the near future
      - you like things with a perceived low price, then lots of small extra expenses as you go
      - good choices aren't as important as popular or trendy choices
      - your time is worth nothing to you, and rebooting your router every few weeks because they have shitty power handling sounds fun

      Stop advocating for an RPi. It's not a good solution; you CAN make it work, but it's a waste of time and money.

    3. Re:Raspberry pi by Anonymous Coward · · Score: 0

      I think you are being a bit harsh.
      My reasoning for using the RPi is:
      1. Price (around $45 with case and USB ethernet stick)
      2. No noise
      3. Linux and iptables offer incredible flexibility in routing, filtering and traffic prioritizing

      Of course CPU, ethernet and USB will be a bottleneck for me in the future when I get >100 Mbit internet, but I'm sure by then I will have moved on to another cheap ARM platform running pretty much the same setup.

      I did a simple 15-minute bandwidth test on my USB ethernet stick by sending and receiving zeros to/from a different computer:
      ps reports 88% CPU utilization, and here is the load average:
        23:33:34 up 62 days, 21:41, 2 users, load average: 1.40, 1.27, 0.96
      Traffic on ethernet measured with ifstat remained stable at 4600/4700 kb/s in/out concurrently (100 Mbit USB stick).

      Oh, and about stability: I haven't had a single crash since I played with overclocking settings (arm=1000, core=500, sdram=600, voltage=6 is what I ended up with).
      Another nice thing with it is that even if it does crash it can reboot and be fully operational in 20 seconds automatically, without requiring a manual reset.

      To sum up: I disagree that it's a waste of time and money.

  16. yo by Anonymous Coward · · Score: 0

    Cheap - ddwrt router
    more involved - pfsense or kubuntu (not joking)

    Cheap silent fan - brand called BeQuiet! - very surprised how quiet and gives about 90% efficiency, no messing with water cooling etc

  17. Untangle by Smoky+D.+Bear · · Score: 1

    Look at www.untangle.com to get a good idea of what other options there are. Runs on a variety of hardware and they give some scoping info to figure out how much power you need.

    1. Re:Untangle by BabaChazz · · Score: 1

      Second Untangle. On a little Atom-based machine it will do home service quite well, and I even have two Atom-based industrial locations.

    2. Re:Untangle by wonkey_monkey · · Score: 1

      I too liked the look of Untangle, but I couldn't bring myself to use it after I discovered a probably-never-happens-in-real-life bug that causes emails to be dropped without a trace. I'd always be wondering...

      --
      systemd is Roko's Basilisk.
    3. Re:Untangle by trentfoley · · Score: 1

      Probably not an issue for 99.99% of the population, but last time I checked, Untangle does not support IPv6 and has no plans on doing so. Also, most of the interesting modules require a monthly subscription. I ran Untangle as a VM on a vSphere 5 hypervisor for a couple of years and it did the job OK. However, it is a CPU and memory hog, which is surprising for a firewall/security appliance. And probably the most annoying is the horrible user interface. They tried to make it look like a rack, which is just silly. You'd be better off getting a Zyxel ZyWALL USG and mounting it in a real rack.

    4. Re:Untangle by Anonymous Coward · · Score: 0

      > Probably not an issue for 99.99% of the population...

      Comcast provides internet service to at least 20% of the households in the US. Comcast provides IPv6 service through DHCPv6-PD to 100% of the people that it serves.

      </nit-pick-mode>

  18. That's old school... by __aaclcg7560 · · Score: 1

    The last time I built a dedicated firewall computer for my home network was for DSL in the late 1990's. I had a Cyrix MediaGX CPU/motherboard (freebie from work), a pair of network cards, and SuSE Linux for the firewall. Most DSL modems back then didn't support sharing multiple computers. Tech support wouldn't speak to you if you didn't have a "abby-normal" computer (i.e., Windows) connected directly to the modem.

  19. Get a better router? by goldcd · · Score: 3, Informative

    I picked up an Asus ac66u last year (there are later models and I suspect cheaper ones in the range that are similar) and it supports VPN (amongst all manner of other stuff).
    It just has an extra page on the GUI to allow you to generate an OpenVPN cert and account privs. Pretty useful, as it means when I'm travelling I can just seamlessly add my phone to the home network.
    I'd thought about buying something dedicated (well, it was more a NAS project I thought I could add this to), but unless you've got some complex needs or high volume, I strongly suspect I'd make more of a mess (both function and security) trying to set it up myself.

    1. Re:Get a better router? by Anonymous Coward · · Score: 0

      I know that router can create multiple wireless networks. Do you know if you can set different proxies on them? I'm in Canada and have a subscription to a VPN service which has exit nodes in the US and UK. It'd be cool to tunnel into these countries just by switching networks, for Netflix, BBC, etc.

  20. Mikrotik by PsychoSlashDot · · Score: 3, Informative

    Grab a cheap Mikrotik RB750 or similar and you'll find you have an out-of-the-box solution that's feature-rich, supported, and easy to use.

    --
    "Oh no... he found the .sig setting."
    1. Re:Mikrotik by SledgeHammerSeb · · Score: 1

      Dude's got it right. An RB750 or equivalent provides lowest TCO. Others aren't even close.

    2. Re:Mikrotik by jeffstar · · Score: 2

      I have deployed about 30 mikrotiks and I disagree with "feature rich, supported and easy to use"

      feature-rich: so many features are half-baked. Like OpenVPN only supports TCP for transport, so you end up running TCP on TCP, which is bad.
      supported: the documentation is poor (although getting better now that they have a wiki), working examples are hard to come by since there are so many versions of RouterOS and each introduces different bugs and breaks different bits of functionality. The Mikrotik people on the forum are at best surly.
      easy to use: I have had to do so much trial and error only to find out the specific piece of functionality I am trying to use is half-baked.

      I've had good experiences with WatchGuard VPN products, which use OpenVPN under the hood, so any decent OpenVPN-based product is probably what you want.
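
Since the complaint above is about transport, here is a minimal OpenVPN server and client configuration pair that uses UDP, as an added example rather than anything from Mikrotik, WatchGuard or the poster. Running OpenVPN over TCP nests TCP inside TCP, so both layers retransmit on loss and throughput collapses; over UDP only the inner stream reacts to loss. The hostname, subnets, certificate paths and port are assumptions, and the directives assume OpenVPN 2.4 or newer (tls-crypt, dh none). A small audit function flags the two things most often wrong in home configs: TCP transport and a missing remote-cert-tls line.

```shell
#!/bin/sh
# Added example, not jeffstar's or any vendor's config: an OpenVPN 2.4+
# server/client pair on UDP. Hostname, subnets, paths and port are assumptions.
VPN_HOST=vpn.example.net   # assumed public name of the home router
VPN_PORT=1194
VPN_NET="10.8.0.0 255.255.255.0"
LAN_NET="192.168.10.0 255.255.255.0"

gen_server_conf() {
  cat <<EOF
# /etc/openvpn/server.conf (added example)
port $VPN_PORT
proto udp
dev tun
topology subnet
server $VPN_NET
# Identity: CA, server cert/key; "dh none" selects ECDHE (OpenVPN 2.4+).
ca ca.crt
cert server.crt
key server.key
dh none
# tls-crypt authenticates and encrypts the control channel with a pre-shared
# key, so unauthenticated packets are dropped before the TLS handshake.
tls-crypt ta.key
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256
# Each client must present a cert signed by our CA with the clientAuth EKU.
remote-cert-tls client
# Push the home LAN route and the router's DNS to connected clients.
push "route $LAN_NET"
push "dhcp-option DNS 10.8.0.1"
keepalive 10 60
explicit-exit-notify 1
# Drop privileges after binding; keep key and tun across restarts.
user nobody
group nogroup
persist-key
persist-tun
verb 3
EOF
}

gen_client_conf() {
  cat <<EOF
# client.ovpn (added example)
client
dev tun
proto udp
remote $VPN_HOST $VPN_PORT
nobind
resolv-retry infinite
# Refuse to connect to anything but a cert with the serverAuth EKU signed by
# our CA; this is what stops a stolen client cert posing as the server.
remote-cert-tls server
ca ca.crt
cert client.crt
key client.key
tls-crypt ta.key
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256
persist-key
persist-tun
verb 3
EOF
}

# Sanity check for any existing .conf/.ovpn: refuse TCP transport and an
# unpinned peer role. Returns non-zero and lists findings on stderr.
audit_conf() {
  f=$1; bad=0
  if grep -qE '^proto[[:space:]]+tcp' "$f"; then
    echo "$f: uses TCP transport (TCP-over-TCP)" >&2; bad=1
  fi
  if ! grep -qE '^remote-cert-tls[[:space:]]+(server|client)' "$f"; then
    echo "$f: no remote-cert-tls, peer role is not verified" >&2; bad=1
  fi
  return $bad
}

case "${1:-}" in
  --server) gen_server_conf ;;
  --client) gen_client_conf ;;
  --audit)  audit_conf "$2" ;;
esac
```

Generate the two files with --server and --client, then run --audit against a config you already have; ta.key is produced with openvpn --genkey on the server and copied to every client alongside the CA certificate.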

    3. Re:Mikrotik by Fencepost · · Score: 1

      We've started putting Mikrotik routers in some small offices as replacements for older Linksys/Cisco VPN routers, and while they're powerful I'd definitely dispute the "easy to use" for anyone not a networking pro.

      Some of the issue is that there are so many things you can change, unless you're very knowledgeable you're not going to know what to do (or refrain from doing) in a bunch of areas. You can go down the path of "I have a recipe and I will follow it exactly!" and basically copy/paste commands while changing passwords, but there are how-to articles that go back 6+ years and multiple versions, and many of them no longer apply. Setting up remote user VPN connections is also kind of a pain, in that you have to go to a half dozen different areas to configure different bits and pieces. Much of that setup is one-time even if you're setting up a bunch of remote users, but if you're only setting up one, then you still have to do all of it.

      For someone wanting a home router that he can OpenVPN into (for road warrior use from coffee shops), I'd recommend getting something you can run OpenWRT on and just using that (get plenty of flash); I'm sure Tomato and DD-WRT are also decent choices, I just moved away from DD-WRT because I felt like there was a little too much "magic" going into it. I don't want to have to worry about whether I'm running the Brainslayer or EKO branch or whether I'm running build 12345 or have to roll back to 12332 because it's more stable/doesn't brick routers/whatever any more than I want to water-cool a Celeron and put a fart-can tailpipe on it.

      --
      fencepost
      just a little off
    4. Re:Mikrotik by GSloop · · Score: 1

      Danger Will Robinson!

      Do yourself a favor; avoid the hostile Latvians at Mikrotik and use UBNT's Edge Router! [And hey, I've got nothing against Latvians - a colleague is Latvian and the nicest guy ever. Dunno, perhaps it's something in the water, but wow Normis is out there - as are most of the other 'Tik guys.]

      Seriously! The feature set of EdgeRouters is pretty full and there's nothing I can't do on ER that I could [and used] on 'Tik.

      Plus you get a real Linux underbelly - if you can't do it in the CLI, you can probably find a way to do it in Debian.

      -Greg

  21. m0n0wall & soekris by dru · · Score: 1

    I've been very happy with m0n0wall running on Soekris hardware.

    1. Re:m0n0wall & soekris by Barny · · Score: 1

      The only reason my 15-year-old m0n0wall setup was replaced recently was how hard it became to find modern DSL PPPoE modems in retail outlets, and the hard drive just stopped spinning. Still, 15 years out of one router (it was a VIA integrated CPU + MB with a few gigs of RAM) is fairly good.

      One downside I noticed recently is the silly change that makes the WAN (in my case DSL) password blank out once entered. I really don't see a point in that.

      --
      ...
      /me sighs
  22. pfsense by Anonymous Coward · · Score: 0

    Runs on cheap/free hardware and loaded with features. Plus it's not tied to pathetic wifi router hardware.

  23. Router of my own by Anonymous Coward · · Score: 0

    I have an ADSL connection and I connect to it through an RPi / Draytek Vigor 120 setup with an LFS distro (yes, it takes shitloads of time to compile).

    It also works as a WiFi hotspot with an Edimax USB wifi dongle (and a high-gain antenna).

    Though this is OT, as it's not easy to set up for a novice.

    1. Re:Router of my own by Anonymous Coward · · Score: 0

      > I have an ADSL connection and I connect to it through an RPi / Draytek Vigor 120 setup with an LFS distro (yes, it takes shitloads of time to compile).
      >
      > It also works as a WiFi hotspot with an Edimax USB wifi dongle (and a high-gain antenna).
      >
      > Though this is OT, as it's not easy to set up for a novice.

      just lol

      1. Compiling Linux from source is usually a waste of time, and if I get your implication you compiled it using your RPi? Which, well, is hilarious; cross compilers FTW.
      2. The RPi is grossly inadequate for any kind of router; most modern broadband where I come from can easily exceed the network performance of the 100 Mbit USB NIC on the RPi.
      3. This could be an easy setup if he'd just used one of the already optimized distros, but it's a bad setup and really not something anyone should try to emulate.
      4. This would basically underperform any $30 junk router from the store, and it costs at least 3x as much.

    2. Re:Router of my own by Anonymous Coward · · Score: 0

      JUST LOL!

      1. I had the time.
      2. You are probably right. On the other hand, it's quite capable of handling the slow connection we get here.
      3. Of course it would be easy to do with the existing distros. What was your point?
      4. You sir are an idiot.

  24. NetGear FVS336 by Anonymous Coward · · Score: 0

    I'm running a NetGear FVS336 in a similar situation. Working very well for me (static IP, wanted to use VPN to connect to my home network, wanted security between the open internet and my network).

    Setup was quick; I was able to assign static local IPs to devices that needed them very quickly. Was able to forward specific ports to specific endpoint machines (e.g. port 80 hits the Raspberry Pi) without leaking any config on my local network externally. VPN setup was fairly quick, so I can connect securely to my home network when I need to (I run a Squid instance on my Mac Mini to allow me to bounce web traffic to my home network. YMMV.)

  25. Software answer by B5_geek · · Score: 3, Insightful

    The hardware is easy:
    Either get a router that you can add DD-WRT/tomato to or build your own PC.

    Software answer:
    OS = OpenBSD
    VPN = OpenVPN

    BUT you are not asking the right questions.
    VPNs only work when two ends connect. So what VPN server/client will the other end of your connection use? What are you actually trying to do? Does your work have a fat connection that they will let you use? Are you planning on paying for VPN service from a 3rd party? Do you want to create a VPN between your home and your laptop while you travel?

    If you want to build yourself a solid, dependable, 'solution' follow this guide:

    http://www.bsdnow.tv/tutorials...

    --
    "The price good men pay for indifference to public affairs is to be ruled by evil men." ~Plato (427-347 BC)
    1. Re:Software answer by Anonymous Coward · · Score: 0

      On a PC... definitely start with FreeBSD; your systems administration life and learning curve will be much easier than with Linux. This is primarily because the BSDs write everything in one house and ship it to you... kernel, userland, packages, ports, everything... all done by one house of authors under one flag. And because Linux distros (assemblages of many disparately authored components/flags) love to pack in layers upon layers of abstraction away from the actual system tools and kernel in a vain attempt to make things 'easier to use', when in fact it just mucks up the works.
      Go with FreeBSD (ipfw) and OpenVPN. No need to install a bunch of stuff... everything you want is there.

      If you want to use a 'hardware' 'router', use OpenWRT.

      That's all you need to know for 'personal' use at home.

  26. I'm trying PFSense and an APU kit by captrb · · Score: 1

    I just ordered one of these kits: http://store.netgate.com/kit-A... to use with PFSense. I haven't set it up yet, but many people seem happy with similar bits. PFSense seems well-respected and relatively easy to use. Since it is FreeBSD under the hood, I should also be able to run my AP/Wifi management services on it (outside of the home, I'd probably insist on a separate VM for this).

  27. Netgear VPN router by clay_shooter · · Score: 1

    Save a bunch of time. Buy a netgear FVS type VPN router. You can get 4 port, 8 port and/or wifi.

  28. Re:geek or not ~ pfSense by Anonymous Coward · · Score: 1

    I second pfSense: easy to use, great out of the box, with available add-on features, a GUI interface, OpenVPN and PPTP. Covers all the bases.

  29. +1 pfsense by gandhi_2 · · Score: 1

    pfsense is rock solid.
    even on shitty hardware, you can do a LOT with pfsense.
    the turnkey boxes from their store are pretty neat too.

  30. Consumer routers suck by xtal · · Score: 1

    Buy a good switch and a low power PC with some ram. Virtualize it all.

    Smoothwall is a good choice, there are lots out there.

    Makes it easy to do other things like IDS as well later.

    --
    ..don't panic
  31. Vyatta by Anonymous Coward · · Score: 0

    I've used Vyatta for exactly this for a small business LAN that needed a mobile VPN. It supports MS-style PPTP and others. It's configured using Cisco-style routing commands, but there are configs you can use pretty much out of the box. I ran it happily on a 5-year-old Dell PC for years.

    1. Re:Vyatta by datapharmer · · Score: 1

      Isn't it a little questionable to be suggesting a solution that has essentially been taken closed source? Vyatta is great, but unless the VyOS community gains some strength it could end up as a dead end in a couple of years. That aside, Vyatta is a solid solution, so I'm only bringing up the potential negatives here since the VyOS maintainers don't seem to have a lot of development/maintenance resources.

      --
      Get a web developer
  32. Re:geek or not ~ pfSense by bluec · · Score: 1

    I love pfSense, it is superb, but that hardware is very overpriced. I guess it includes a support contract, but still, you could build out one of those appliances for less than half the cost.

  33. Re:geek or not ~ pfSense by Anonymous Coward · · Score: 0

    Just throw a Soekris 5501 at it: http://soekris.com/products/net5501.html

    anything else is a waste.

  34. I'm a little sick of stupid questions like this by Anonymous Coward · · Score: 0

    This is a question by an admitted new nerd, that could easily be answered by a few Google searches. There must be countless sites where people have related how they solved this problem.

    Think about it on the other hand: what if today's story was "User X made his own firewall with VPN! It was his first time using Linux." We would maybe congratulate the newbie, but 99% YAWN...

    1. Re:I'm a little sick of stupid questions like this by twistedcubic · · Score: 1

      Given a choice between "do a Google search" and "ask an expert (Slashdot?)", any reasonable person would choose...both. Is that really so bad?

  35. eBay a Cisco ASA 5505 by LostMyBeaver · · Score: 1

    Or a checkpoint UTM-1 or a Juniper SSG...

    Get a small premade solution and skip the DIY thing. It's minimal power and unless you happen to like pain and suffering, a simple SSL VPN with a decent Web UI is much nicer than spending half your life building one.

    1. Re:eBay a Cisco ASA 5505 by aaarrrgggh · · Score: 1

      I love our work ASA5505, but it is a bear to configure properly unless you know what you are doing. High point with me is the ease of connecting on the client end.

    2. Re:eBay a Cisco ASA 5505 by labnet · · Score: 1

      Got to agree. We use a cyberoam appliance and ssl VPN. Does all firewall and av duties as well as VPN.

      --
      46137
  36. Endian Firewall by thechemic · · Score: 1

    I absolutely love Endian firewall. Put it on an old box, a virtual machine or whatever you want. It has all the firewall features you could want, and has VPN support out of the box.
    http://www.endian.com/us/

    --
    Let's make like a bird... and get the flock outta here.
    1. Re:Endian Firewall by datapharmer · · Score: 1

      I love (and use) Endian, but I can't recommend it to a newbie. Once built it is solid as a rock, but Endian always seems to have some bugs out of the box that can be really frustrating, and the VPN setup is not very user friendly in my experience (but as simple as anything else if you are familiar with OpenVPN). It has gotten better lately with some long-existing bugs being fixed, but it can still be painful out of the box and moving between versions can be hazardous (prepare to install from scratch as a backup plan). That said, I do appreciate that most of Endian's bugs are frustrating in a "x doesn't work, y doesn't display properly, z doesn't configure as expected" way, but the security-related bugs seem to be much less common than in many other open source and commercial firewall/UTM solutions.

      --
      Get a web developer
  37. A WiFi router re-flashed with OpenWRT or DD-WRT by atrimtab · · Score: 1

    The classic router for this purpose was the Linksys WRT54G, but that is getting very long in the tooth and does not support 802.11n or 802.11ac.

    The current reasonably priced (about $100) pick that supports everything and is a *working* 2.4ghz and 5ghz 802.11ac router with OpenWRT or DD-WRT is:

    TP-Link Archer C7 V2 AC1750

    Manufacturer Info is here -> http://www.tp-link.com/en/prod...

    It can be re-flashed with either OpenWRT or DD-WRT to provide a firewall and a variety of VPN types. It also has enough flash to add other features and, given that it includes 2 USB 2.0 ports, can also be used as a low-power (compared to a full hardware PC) internet server.

    The disadvantage of this router is that it only supports 1750AC and not 1900AC, and that the USB ports are only 2.0. There are routers that cost a lot more that provide both 1900AC and USB 3.0, but they also do not currently FULLY support OpenWRT and DD-WRT.

    My personal experience is that OpenWRT is more modular than DD-WRT. This makes it easier to pick and choose "packages" in any configuration you'd like. For instance, I added the stunnel package to protect an IP video camera that did not provide HTTPS for remote home monitoring. Now the router provides the necessary HTTPS for that use case.

    If you are looking to use either DD-WRT or OpenWRT, check their home pages BEFORE purchasing a router so you know that it is fully supported by each.

    The router to AVOID at the moment appears to be the Linksys 1900AC, which the manufacturer FALSELY claimed in their sales literature at launch was supported. It still is not.

    You can view info on the OpenWRT project here -> https://openwrt.org/

    And the DD-WRT project here -> http://www.dd-wrt.com/site/ind...

    --
    Facebook is billions of individual "Skinner Boxes." And if you use it you are the pigeon!
    1. Re:A WiFi router re-flashed with OpenWRT or DD-WRT by c0d3g33k · · Score: 1

      I'll second this - currently running OpenWRT flashed on to a TP-Link WDR-4300. It replaced a very old beige-box PC running IPCop and has been doing very well for the past year.

  38. Checkout IPFire by Anonymous Coward · · Score: 0

    I'm not a fan of pfSense but I do recommend you check out IPFire http://www.ipfire.org/

    If you have the time and interest, there's no substitute for learning about setting up these things via command line. Learning about iptables / DHCP / DNS / OpenVPN / SQUID are invaluable skills.

  39. alix APU with pfsense.org by Anonymous Coward · · Score: 0

    Those boxes:

    http://www.pcengines.ch/apu.htm

    with

    https://www.pfsense.org/

    as software. Very small, low power usage, no noise, sufficient for most cases.

  40. PFSense and OpenVPN by Anonymous Coward · · Score: 0

    pfsense plus openvpn does a decent job. Building your certs with XCA takes some time, but it is very easy to manage after it is up. Plus, it is BSD under the hood.

    There are tons of options available to you.
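
The certificate work the post above does with XCA, scripted with plain openssl instead; an added example for this page, not pfSense's or XCA's own tooling. Names, lifetimes, the P-256 curve and the output directory are choices made for the example, and it assumes OpenSSL 1.1.1 or newer (for -addext). The part worth copying is the extendedKeyUsage on each leaf certificate: a client cert carries only clientAuth, so a client configured with remote-cert-tls server will reject a stolen client certificate presented as the server, and the server can reject anything but a clientAuth cert in return.

```shell
#!/bin/sh
# Added example, not pfSense's or XCA's output: build the PKI an OpenVPN
# deployment needs with plain openssl (1.1.1 or newer assumed). Names,
# lifetimes and the output directory are assumptions.
set -e

# Minimal req config so the script does not depend on the system openssl.cnf.
write_req_cnf() {
  cat > "$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
EOF
}

# new_key DIR NAME: P-256 private key, readable by its owner only.
new_key() {
  umask 077
  openssl ecparam -name prime256v1 -genkey -noout -out "$1/$2.key"
}

# make_ca DIR: self-signed CA that may sign certs and CRLs, nothing else.
make_ca() {
  d=$1; write_req_cnf "$d/req.cnf"; new_key "$d" ca
  openssl req -x509 -new -key "$d/ca.key" -config "$d/req.cnf" \
    -subj "/CN=Home VPN CA" -days 3650 -out "$d/ca.crt" \
    -addext "basicConstraints=critical,CA:TRUE" \
    -addext "keyUsage=critical,keyCertSign,cRLSign"
}

# issue DIR NAME ROLE: leaf cert signed by the CA. ROLE is server or client
# and selects the EKU; the server also gets a SAN so hostname checks work.
issue() {
  d=$1; name=$2; role=$3; write_req_cnf "$d/req.cnf"; new_key "$d" "$name"
  openssl req -new -key "$d/$name.key" -config "$d/req.cnf" \
    -subj "/CN=$name" -out "$d/$name.csr"
  {
    echo "basicConstraints=CA:FALSE"
    echo "keyUsage=critical,digitalSignature"
    if [ "$role" = server ]; then
      echo "extendedKeyUsage=serverAuth"
      echo "subjectAltName=DNS:$name"
    else
      echo "extendedKeyUsage=clientAuth"
    fi
  } > "$d/$name.ext"
  openssl x509 -req -in "$d/$name.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 825 -extfile "$d/$name.ext" -out "$d/$name.crt"
  rm -f "$d/$name.csr" "$d/$name.ext"
}

# build_pki DIR SERVER_NAME CLIENT_NAME...: CA, one server cert, N client certs.
build_pki() {
  d=$1; server=$2; shift 2
  mkdir -p "$d"
  make_ca "$d"
  issue "$d" "$server" server
  for c in "$@"; do issue "$d" "$c" client; done
  # Confirm the chain verifies before anything is copied to a router.
  openssl verify -CAfile "$d/ca.crt" "$d/$server.crt" >/dev/null
}

# has_eku CERT TEXT: true if the cert's extendedKeyUsage lists TEXT,
# e.g. "TLS Web Server Authentication" or "TLS Web Client Authentication".
has_eku() {
  openssl x509 -in "$1" -noout -text | grep -q "$2"
}

case "${1:-}" in
  --build) shift; build_pki "$@" ;;
esac
```

Usage: sh make-pki.sh --build ./pki vpn.example.net laptop phone. Copy ca.crt, the server pair and (from openvpn --genkey) ta.key to the router, and each client gets ca.crt, its own pair and ta.key; the CA key stays off the router entirely. Revocation needs a CRL, which this script does not produce.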

  41. Try the internet by Anonymous Coward · · Score: 0

    I would try this new web page: google.com it can find things for you.

  42. pfSense by DaMattster · · Score: 1

    I really like pfsense. It is FreeBSD based and very easy to setup. See http://www.pfsense.org/

    1. Re:pfSense by Anonymous Coward · · Score: 0

      Yes! pfsense rules.

  43. Re:geek or not ~ pfSense by buswolley · · Score: 0

    AskSlashdot is a joke. I mean all you get are jokes, or whatever comes up first in a basic Google search.

    --

    A Good Troll is better than a Bad Human.

  44. pfSense and mini ITX by Anonymous Coward · · Score: 0

    I use pfSense with this box... small, quiet, and rock solid

    Intel Celeron 1007U Dual LAN, Dual COM Mini-ITX PC, 2GB, Morex 557, GA-C1007UN-D
    by MITXPC

    I added a 60gb ssd to this myself but you can buy it already installed.

    Can be found here for about $200
    http://www.mitxpc.com/proddetail.asp?prod=EKGBC1007DLT3410

    1. Re:pfSense and mini ITX by Anonymous Coward · · Score: 0

      My PFSense build

      Intel Core i5-4570 Haswell Quad-Core 3.2GHz
      G.SKILL Ripjaws X Series 8GB (2 x 4GB) DDR3 SDRAM DDR3 1600 Timing 8-8-8-24
      GEOM Raid1 - SAMSUNG 840 EVO 120GB
      MSI B85I LGA 1150 Intel B85
      Intel Ethernet Server Adapter I350-T2
      Case: http://www.newegg.com/Product/...

      About 5% CPU when moving 3 Gb/s. Downclocks to 200-400 MHz during normal operation, even when maxing my 50/50 connection with 20k+ connections.

  45. The summary of my research by thehunted99 · · Score: 1

    I just went through this and here's the short summary of my research.

    DIY: go with a PC Engines Alix board, or a Soekris board if Intel NICs matter to you. You can buy them here (links below). Install pfSense. Done. Easy. Or if you want a more command-line approach, install VyOS.
    https://soekris.com/
    http://www.mini-box.com/ALIX-b...
    https://www.pfsense.org/
    http://vyos.net/wiki/Main_Page

    If you want an off-the-shelf solution, the best product I've found for the money is by Ubiquiti Networks, called the EdgeRouter Lite. http://www.ubnt.com/edgemax/ed...

    As far as VPN acceleration: with the Alix or the Soekris you can have a dedicated crypto accelerator. I haven't gotten to the VPN portion of my build yet. It only really matters if you need fast sustained throughput on a point-to-point IPsec link. If you are just connecting from remote, software decoding will probably be fine. pfSense has OpenVPN included and makes this easy. VyOS or another route will require more hands-on work.

    1. Re:The summary of my research by rcw-home · · Score: 1

      I've used Soekris hardware extensively with Strongswan IPSec at work. I love the boards, but a large number of our Internet circuits are now faster than the net5501 and net6501 can soak with AES IPSec. The net5501 is good for about 8Mbit/sec and the net6501 is good for about 25Mbit/sec with our firewall ruleset and some dynamic routing thrown into the mix. I'm looking forward to the net6801 when it comes out, but in the meantime for those circuits I've been building whitebox 1U routers that have CPUs with AES-NI support (which can easily soak several gigabit/sec). These can be low-power solid state too - recently we've been ordering the Supermicro A1SRi-2758F boards, which have the new Rangeley Atom CPUs, 4 gigabit ethernet ports, and no fans. Just add an SO-DIMM and a USB stick to boot off of, and stick in a 1U short-depth mini-ITX case (I like the Supermicro CSE-505-203B, which puts everything but the power socket in the front).

  46. Sophos UTM by Anonymous Coward · · Score: 0

    Enterprise product, free (as in beer) for home use.
    Encryption, VPNs (IPsec and SSL), mail scanning, anti-virus, etc. etc. etc.
    Easy to use!
    No, I have no association with them apart from being a user and a customer.

    http://www.sophos.com/en-us/products/unified-threat-management/tech-specs.aspx

    http://www.sophos.com/en-us/products/free-tools/sophos-utm-home-edition.aspx

    1. Re:Sophos UTM by Kagato · · Score: 1

      I've been using since it was a German Company called Astaro. Good stuff.

    2. Re:Sophos UTM by Anonymous Coward · · Score: 0

      Free for up to 50 users on the home use and IIRC comes with 10 licenses for antivirus software (Sophos) for the endpoints. I am glad someone mentioned it because I really like mine.

  47. Re:geek or not ~ pfSense by FatdogHaiku · · Score: 5, Funny

    > AskSlashdot is a joke. I mean all you get are jokes, or whatever comes up first in a basic Google search.

    We are the Google algorithm...

    --
    You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
  48. Cisco Small business by Anonymous Coward · · Score: 0

    http://www.ebay.com/sch/i.html?_from=R40&_trksid=p2050601.m570.l1313.TR2.TRC1.A0.H0.Xcisco+rvs4000&_nkw=cisco+rvs4000&_sacat=0

    Incredibly cheap. It runs my home network.

  49. PfSense by Anonymous Coward · · Score: 0

    Yea, may be the best; build yourself, actually not that hard, it's a rock solid solution!!!

  50. Zyxel Zywall USG line by trentfoley · · Score: 1

    Since your question was not clear as to whether you wanted to connect to a VPN for outgoing traffic encryption, or to provide secure access to your home network, I will assume that you want both. I've got a Zyxel USG50 at home and a USG100 at my office, and they have been able to handle everything I have thrown at them. http://www.amazon.com/dp/B0042.... I was also pleased that when the whole Heartbleed fiasco appeared, the ZyWALL firmware was not vulnerable at all. Dual WAN connections are supported, which lets me use both my AT&T U-verse and Charter Cable internet access with load balancing. The only negative that I can note is the several features on the ZyWALL that require monthly subscriptions. But, since I don't use those, there is no loss to me.

    In the past, I have built my own firewalls either on dedicated hardware, or as a vm on an esxi hypervisor, from Linux ipchains to netfilter to BSD pfSense. While I love to roll my own, having such a critical piece of infrastructure as dedicated hardware has made life much easier.

  51. Re:geek or not ~ pfSense by Anonymous Coward · · Score: 0

    They seem to be reselling http://pcengines.ch/

  52. My mobile VPN setup by Anonymous Coward · · Score: 0

    I recently did this very thing, but my setup is for mobile use specifically and is tied to my cell phone data connection.

    I used an older laptop that has WiFi and a LAN port, coupled that with a WiFi enabled router (all routing functions to the WAN port are disabled) and DHCP is served by the laptop. Wifi is served by the router and forwards all DHCP requests to the laptop, so I can have wired and wireless connections.

    For the OS, I used Ubuntu Server LTS and loaded the GUI on top of it for ease of use (with a 500gb drive, why not?) as well as the build-essential and a number of other packages. I also loaded up Apache, Webmin, Shorewall, DHCP Server, Squid and a number of other services I felt I had a need or use for. I then set up the WiFi connection to my mobile phone, plugged the LAN into the Wifi router and turned on DHCP.

    I then created the VPN connection and then set the WiFi connection to auto-start the VPN connection, configured the firewall to not allow forwarded/masq'd traffic over the unprotected interface and allow it only via the tunnel and deny any inbound traffic that wasn't related/established on both the VPN tunnel and Wifi interfaces. The effect is that if the VPN tunnel goes down for some reason, internet access goes down with it and I know something went boom and I'm not left unprotected inadvertently and not know it.

    This works very well for me since I live a mobile life, but I've used the same setup with wired cable/DSL connections in the past too. The fact my mobile carrier can't pick and choose what data it wants to transmit (or throttle) is, of course, a HUGE bonus. All they see is binary data flowing. Unlimited data also helps. :)
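
The fail-closed behaviour described above, as an added example rather than the poster's Shorewall configuration: a plain iptables-restore ruleset for a laptop router whose only uplink is a phone hotspot, where the only egress permitted on the hotspot interface is the VPN session itself (plus the DHCP lease), so a dropped tunnel takes internet access down with it instead of leaking. It is paired with a text audit that rejects a ruleset containing a leak path before it is loaded. Interface names, the LAN subnet and the VPN endpoint are assumptions; the endpoint is given as an IP so no DNS lookup has to leave the uplink before the tunnel exists.

```shell
#!/bin/sh
# Added example, not the poster's config: fail-closed policy for a laptop
# router on an untrusted uplink, plus an audit for the classic leak paths.
# Interface names, subnets and the VPN endpoint are assumptions.
UPLINK=wlan0                 # untrusted uplink (phone hotspot)
LAN=eth0                     # wired side, feeds the wifi router's LAN ports
TUN=tun0                     # OpenVPN client interface
LAN_NET=192.168.50.0/24
VPN_SERVER=203.0.113.10      # an IP, so no DNS is needed before the tunnel
VPN_PORT=1194

gen_killswitch() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Clients are NATed into the tunnel only; there is no MASQUERADE on the uplink.
-A POSTROUTING -s $LAN_NET -o $TUN -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Services offered to the LAN side: DHCP, DNS, SSH. Nothing is accepted
# from the uplink or the tunnel unless it is a reply to something we sent.
-A INPUT -i $LAN -p udp --dport 67 -j ACCEPT
-A INPUT -i $LAN -p udp --dport 53 -j ACCEPT
-A INPUT -i $LAN -p tcp --dport 53 -j ACCEPT
-A INPUT -i $LAN -p tcp --dport 22 -j ACCEPT
# Forwarding exists only between the LAN and the tunnel. If the tunnel is
# down the rule matches nothing and clients simply lose internet access.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $LAN -o $TUN -j ACCEPT
# The router's own traffic: the uplink may carry a DHCP lease request and
# the OpenVPN session itself, nothing else. Everything else goes via the tunnel.
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o $UPLINK -p udp --sport 68 --dport 67 -j ACCEPT
-A OUTPUT -o $UPLINK -p udp -d $VPN_SERVER --dport $VPN_PORT -j ACCEPT
-A OUTPUT -o $TUN -j ACCEPT
-A OUTPUT -o $LAN -j ACCEPT
COMMIT
EOF
}

# audit_rules: read a ruleset on stdin and fail if it can leak around the
# tunnel. Pure text checks on iptables-restore syntax, so it can also be run
# on a workstation against "iptables-save" output from the router.
audit_rules() {
  rs=$(grep -v '^#' || true); bad=0
  for chain in INPUT FORWARD OUTPUT; do
    printf '%s\n' "$rs" | grep -q "^:$chain DROP" ||
      { echo "audit: $chain policy is not DROP" >&2; bad=1; }
  done
  if printf '%s\n' "$rs" | grep -q -- "-o $UPLINK .*MASQUERADE"; then
    echo "audit: MASQUERADE on $UPLINK leaks client traffic" >&2; bad=1
  fi
  # Any ACCEPT leaving the uplink must be the VPN endpoint or the DHCP lease.
  leaks=$(printf '%s\n' "$rs" | grep -F -- "-o $UPLINK " | grep -F -- "-j ACCEPT" \
    | grep -vF -- "-d $VPN_SERVER " | grep -vF -- "--dport 67 " || true)
  if [ -n "$leaks" ]; then
    echo "audit: egress on $UPLINK not limited to the VPN endpoint:" >&2
    printf '%s\n' "$leaks" >&2; bad=1
  fi
  return $bad
}

case "${1:-}" in
  --print) gen_killswitch ;;
  --audit) audit_rules ;;
  --apply) gen_killswitch | audit_rules && gen_killswitch | iptables-restore \
             && sysctl -w net.ipv4.ip_forward=1 >/dev/null ;;
esac
```

The --apply path refuses to load anything the audit rejects. Two things the ruleset does not cover and that need the same treatment on a real box: an ip6tables policy of DROP on FORWARD and OUTPUT (a hotspot that hands out an IPv6 address otherwise bypasses all of this), and the OpenVPN client's own route for the endpoint so its packets actually leave via the uplink rather than being looped into the tunnel.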

  53. Off the shelf by Anonymous Coward · · Score: 0

    It is going to be hard to beat something like a Ubiquiti EdgeRouter Lite by building your own, unless you have specific non-normal requirements.

    If you want to learn more about network gear, then a Juniper SRX210 on eBay would be interesting.

  54. pfSense is a winner by Calibax · · Score: 1

    I have pfSense running on a Soekris net6501 for my home network firewall. I have set up OpenVPN - configuration took only a few minutes and it has worked perfectly.

    The Soekris Net6501 is more than sufficient for my needs but pfSense scales well and will run on many types of hardware. When I was testing it I ran pfSense as a VM without any problems - in retrospect I should have left it that way permanently.

    1. Re:pfSense is a winner by Ecks · · Score: 1

      Another vote for pfSense on Soekris here. I'll admit that I prefer straight-up OpenBSD, but for quick and dirty, pfSense is the way to go. Which Soekris is the real question.

      If you don't mind the spend, the Net6501 is best. It's got well-supported gigabit NICs, so it will handle full-speed traffic from Verizon FiOS, Google Fiber, or the top speed of a DOCSIS 3 modem. Net5501s show up on eBay irregularly in the $150.00 range. It doesn't make sense to buy them new as they are not much cheaper than the big brother Net6501. You can put a multi-port Intel gigabit card in a Net5501, but it will run hot, so you probably want to spring for the larger rack-mount case or just get the Net6501. Both the 6501 and the 5501 have more grunt than you need for a firewall/VPN box, provided that you don't need to run 5 or more concurrent VPN connections terminating on the Soekris' CPU. The last advantage of the Net5501 is the presence of a USB 2.0 connection on the front panel.

      The Net4801 is actually a workable solution for pfSense as a firewall/VPN termination box. They commonly show up on eBay in the $60 ~ $100 range. I wouldn't bid more than $80.00. If you find that the lack of CPU horsepower is getting in your way, search for a Soekris VPN1411 card, again on eBay. These are typically very cheap, $25.00, and do hardware crypto offload, allowing a Net4801 to handle multiple VPN streams if that's your fancy.

  55. If you don't want to build your own - Cisco by zerofoo · · Score: 1

    I bought an ASA-5505 on Amazon for around $500. For that price you get a firewall that is used by many big companies. You can get your feet wet in the Cisco world - which could help if you ever need to look for a job, and it handles VPN nicely.

    If you've never worked with Cisco before, it will take you some time to get up to speed on the cisco way though.

    The only drawback with this box is that the interfaces are 100 Mbps only.

    1. Re:If you don't want to build your own - Cisco by Anonymous Coward · · Score: 0

      But you'll not be able to pay for support to get the upgrades to make it secure.

      Either go open source or get a cheaper commercial appliance such as a WatchGuard.

  56. A few options by dvNull · · Score: 1

    There are a few affordable solutions out there. Here are 3 options with support for IPSec, OpenVPN and PPTP.

    1. Ubiquiti EdgeRouter. The Lite model retails around $99. The GUI is intuitive and easy to use. The latest update makes setting up site-to-site IPSec tunnels pretty simple. Don't like the GUI? No problem; it has SSH and serial support and is based on the excellent Vyatta fork VyOS.
    2. Mikrotik. I recommend the RB2011 series as they have 10 ports (5 GigE and 5 FastE), plus the $129 model has WiFi and an SFP port as well. Quite easy to set up.
    3. pfSense. The hardware is pricey but the software is excellent and works well in a VM. You can pick up a low end fanless micro ATX board, add an extra NIC and have a quiet firewall sitting in your living room.

    1. Re:A few options by Anonymous Coward · · Score: 0

      > 1. Ubiquiti Edge Router,

      I second this. $99 and it is significantly faster than anything even close to the $99 price range. I use it for my 1gbps fiber (yay EPB) and get full speed out of it which is better, way better, than practically all of the "residential" routers out there.

      As dvNull said, it is a Vyatta fork, which means embedded Linux.

      Here is a review: http://www.smallnetbuilder.com/lanwan/lanwan-reviews/32012-first-look-ubiquiti-edgerouter-lite

  57. PFsense plus Snort by koan · · Score: 1

    Check out pfSense; it has a Snort plug-in and the VPN capabilities you're looking for.

    --
    "If any question why we died, Tell them because our fathers lied."

  58. Cisco 1800 series from eBay? by Anonymous Coward · · Score: 0

    There seem to be quite a lot of 1801s and also some 1811/1812s on eBay. They have hardware crypto and are designed to support VPNs. The 1801 has ADSL2+ but the others have 2 WAN ports to connect to a cable or ADSL modem.

  59. Vyatta by brunes69 · · Score: 2

    Just download and install VyOS (fork of Vyatta) if you're building your own firewall.

    http://vyos.net/wiki/Main_Page

  60. Re:geek or not ~ pfSense by Anonymous+Psychopath · · Score: 1

    Yup, pfSense is Good Stuff. On the hardware side it'll run on damn near anything. I run mine on an old Celeron machine with traffic shaping, no issues. I don't know that I'd want more than one or two simultaneous VPN users with that compute capacity, though.

    --

    Eagles may soar, but weasels don't get sucked into jet engines.

  61. hmmm by Espectr0 · · Score: 1

    Somehow I think he is just trying to hide behind a VPN to do some "torrenting".

    1. Re:hmmm by SeaFox · · Score: 1

      > somehow i think he is just trying to hide behind a VPN to do some "torrenting"

      So... what's he really doing behind the VPN if he's not torrenting?

      *cough*

  62. Cisco Rv042 by visionsofmcskill · · Score: 1

    Hands down the most reliable and easy to use dual wan, VPN enabled Router for quick deployments, silent, low power consumption, handles PPTP, ipsec, etc...

    I am no fan of their QuickVPN software (a third VPN option included with this router), but it works as well if you don't like PPTP or if you find IPSEC too much of a pain to set up.

    Plus it has DUAL WAN connections, so you can use a hotspot or DSL, or the neighbor's connection as a failover (or you can load balance them, or bind stuff, etc...).

    I'm blown away no one has mentioned this router as I see it everywhere.
    http://www.newegg.com/Product/...

    pfSense is a huge winner as well, though you'll need to buy silent low cost hardware to run it (and it's a good deal more involved - though considerably more powerful).

    We use these two for all of our client locations with offices of up to 100 or so people, for at least 7-8 years or more.

    --
    --Idiots, Every single one of YOU, A flaming mass of conglomerated morons, hey wait a second, isnt that how RAID works?

    1. Re:Cisco Rv042 by Anonymous Coward · · Score: 0

      We have two RV042s and they are awful. They have interoperability issues with Juniper and even other Cisco equipment (especially VPN related issues). I would recommend a pfSense box. For the inexperienced, however, I would have to say one of the WRTs is easier to get configured than a PC with multiple NICs.

  63. Re:geek or not ~ pfSense by LWATCDR · · Score: 1

    Or Smoothwall or m0n0wall.

    --
    See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.

  64. Smoothwall by Anonymous Coward · · Score: 0

    No mention has been made of Smoothwall yet, so I will. It has OpenVPN and IPsec capabilities.

  65. Tinkering not required for simple cases by Calibax · · Score: 1

    > I agree. If you don't mind tinkering, pfSense is the way to go

    I agree that pfSense is a great solution but I disagree about the tinkering. pfSense fits well in the mantra of "simple things can be done simply but complex things are possible". It needs little tinkering if you have a reasonably standard setup - say an internet connection plus a local network. It has decent defaults.

    If you have a more complex setup (I have a LAN interface, a DMZ, a guest network, and a VPN interface as well as several additional software packages) then some tinkering will be needed.

  66. Raspberry Pi and SoftEther by NCG_Mike · · Score: 1

    It's what I use, and clients can use OpenVPN. Works fine for me.

  67. Cisco ASA by paysonwelch · · Score: 1

    I think the question is: do you want to constantly be fixing your firewall and routing rules and also troubleshooting problems that might cause you to tear your hair out? Or do you want to do this in a weekend or a few hours and have something that is pretty solid and stable? I see already that everyone is recommending their favorite firewalls. What you want to get is an enterprise grade firewall. For this reason you should look at the Cisco ASA line (you can get one on eBay for about $300), or a Dell SonicWall. Note that you need to spec all of these to your needs. And remember there is no such thing as total security whether you have spent $100 or $100,000 on your firewalls.

  68. Distrowatch search by Anonymous Coward · · Score: 0

    Run a quick Google search for Linux or BSD firewalls.
    Or Distrowatch's distribution search form is helpful.
    http://distrowatch.com/search.php?ostype=All&category=Firewall&origin=All&basedon=All&notbasedon=None&desktop=All&architecture=All&status=Active

    Depending on your level (you said newbie) and willingness to get your hands dirty, you have a whole lot of options:
    - pfSense (as others mentioned)
    - Vyatta
    - IPFire
    - IPCop
    ...and more.

    And as far as VPN software goes you have a few software options, some of which can inter-operate and others that cannot:
    - OpenVPN
    - LibreSWAN
    - OpenSWAN (succeeded by LibreSWAN)
    - StrongSWAN

  69. pfSense by Anonymous Coward · · Score: 0

    Try pfSense. https://www.pfsense.org/

  70. m0n0wall FTW by Anonymous Coward · · Score: 0

    I've been using m0n0wall on Soekris boards for years. Recently switched to using it in the free version of ESXi. I have not only IPSEC site-to-site VPNs to the parents' and sister's houses, but mobile VPN as well.

  71. +1 for parent Re:Vyatta by Fubari · · Score: 1

    +1 for parent; I'm just learning about Vyatta. If you want to build your own as a research project, cool. Otherwise read up on this: Vyatta, and see if it might do what you want.

    > Just download and install VyOS (fork of Vyatta) if you're building your own firewall.
    >
    > http://vyos.net/wiki/Main_Page

    1. Re:+1 for parent Re:Vyatta by kobaz · · Score: 1

      Or, buy a box that already runs Vyatta: the Ubiquiti EdgeRouter.

      http://www.ubnt.com/edgemax/ed...

      At less than $100, with built-in switching, embedded Linux and apt-get support, you can't go wrong.

      http://www.newegg.com/Product/...

      Oh, and it's quiet. (No fans)

      And wait, there's more! Their $175 version, the EdgeMax Pro, has 5 ports and 24/48V PoE. (You'll need to buy a third party power brick for 48V PoE, but it's worth it.)

      --

      The goal of computer science is to build something that will last at least until we've finished building it.

  72. Sophos UTM - Turn Key - Free for Home Use by Kagato · · Score: 1

    By far the best solution I've come across. It's an enterprise class product you can use at home for free. All you need is a PC with a couple of NICs. I use a cheap fanless dual core 2 GHz Atom machine with a couple of gigs of RAM. It's a turn key solution with a lot of options.

    It has all the whiz bang VPN and firewall features you'd want. Plus a bunch of intrusion detection, malware and virus features. Really, the feature list is huge. The only limit is that the home edition is limited to 50 active devices.

    1. Re:Sophos UTM - Turn Key - Free for Home Use by Anonymous Coward · · Score: 0

      I will +1 the same. I use a VM for mine and love it. By using it at my house, I've got a friend who paid for a license and uses it in his office now.

      All free for under 50 devices.

  73. Re: geek or not ~ pfSense by shitzu · · Score: 1

    Actually I would recommend m0n0wall. This is what pfSense is built upon - but without the kitchen sink it's even lighter. And m0n0 does everything he asks excellently.

  74. pcengines + openbsd by Anonymous Coward · · Score: 0

    Check out the pcengines apu1d4 (http://www.pcengines.ch/apu1d4.htm)

    And of course, OpenBSD is the way to go.

  75. Another vote for PFsense by Anonymous Coward · · Score: 0

    As a network consultant I deal with a myriad of FWs. PFSense is definitely my favorite for an open-source solution. It's free, powerful, easy to install, and has very basic hardware requirements. I've run it both on standard hardware and in a VM.

  76. Re:geek or not ~ pfSense by Anonymous Coward · · Score: 1

    The netgate solution is a bit less: http://store.netgate.com/NetgateAPU2.aspx

  77. Buy an off the shelf product like Ubiquiti ERL by Anonymous Coward · · Score: 0

    If you feel the need to build something, build a commodity PC and put Vyatta on it. If you want something inexpensive that works and doesn't require too much effort on your part, get something like the Ubiquiti EdgeRouter Lite. Three Ethernet ports, Linux-based OS with a fork of Vyatta on it. Less than $100, and it's a three-port IPv4/IPv6 router, customizable firewall, IPsec/PPTP/L2TP/OpenVPN VPN gateway, and more. Small physical package, seems to have good reliability, has enough performance for typical USA ISP speeds (15-50 Mbps).

    I don't have any relationship with Ubiquiti other than as a satisfied customer. I have two family locations separated by 3000 miles. I put an ERL in each, with a site-to-site VPN between the two locations and L2TP VPN remote access to each location. I can manage all the family IT stuff from my house as if we had our own private network (we do - VPN). There is a bit of a learning curve, but if you are willing to build your own in the first place, you shouldn't have much trouble learning what you need to know to work with the ERL in all three configuration modes: GUI, command line interface, or (for efficiency with certain types of changes) editing the config.boot or other configuration files directly. It's not perfect, but I found it a lot more acceptable than laying out $250-$500 apiece for used Cisco ASA 5505 hardware, then dealing with the hassle of getting software upgrades and such out of Cisco.

  78. This, but also multi-factor? by Anonymous Coward · · Score: 0

    My question is basically the OP's question, but with the added requirement of multi-factor authentication.

    Anything out of the box that supports low-cost hardware tokens, e.g. yubikey/yubicloud support?

    Thanks.

  79. Out of the question by CosaNostra+Pizza+Inc · · Score: 1

    I guess OpenVPN would be out of the question. I'm installing mine on a Raspberry Pi running Raspbian.

  80. Re:geek or not ~ pfSense by somenickname · · Score: 1

    pfSense works well but Untangle is also worth mentioning (http://www.untangle.com/). It has all sorts of pluggable modules like VPN client/server, ad blocking, intrusion detection, etc. I've been using it for a few years on modest hardware (Intel Atom with 4 GB of RAM and a 1 TB green disk) and it's always worked flawlessly.

  81. vpn router by Anonymous Coward · · Score: 0

    I use the Kong mod of DD-WRT on NetGear WNR3500L V1 routers at two locations.

    I connect remotely from an iPad using the OpenVPN client for iOS.

    NetGear hosts a site called MyOpenRouter that is less confusing than the DD-WRT site. It's a good place to start.

  82. ClearOS by Anonymous Coward · · Score: 0

    ClearOS installed on an Atom based dual NIC piece of hardware with an SSD. I've run this for years with no issues. PPTP, OpenVPN, whatever VPN you want! Acts as a firewall and newer versions can handle a WiFi dongle too, I believe.

  83. sophos utm by crakbone · · Score: 1

    Sophos software UTM with a home license. The license is free. You will have free SSL clients and web filtering.

  84. This is what I did by chepati · · Score: 1

    I have a PC in my living room that is on 24/7 and serves as my media server (XBMC) and storage (hardware RAID + LVM + NFS). It's also my compile machine so I invested two years ago in an i7 3930k with 64GB RAM and loads of disk space. I'm running the community edition of Astaro Firewall (nowadays called Sophos UTM http://www.sophos.com/en-us/pr...) under KVM. I purchased on eBay a quad port Intel 1 GB NIC which is reserved for my firewall VM. I have one port connected to my ISP, one to my internal network via a real hardware switch, one to a DMZ VM, and one to my wireless AP. The system is rock solid, Sophos UTM is being updated on a regular basis, has a long list of nice features, including OpenVPN and iOS/Android friendly VPN solutions, with clients for Linux/Mac/Windows/iOS/Android. The interface is super nice. And since a few versions ago it supports Google Authenticator for two factor authentication, both to the admin console and the user portal, as well as the VPN. Very very nice feature. Works with iOS and Android, NetworkManager, etc.

    In the past I was using NetBSD on an old PowerPC machine, then IPCop on the same PowerPC machine (I was the guy who ported IPCop to ppc and sparc), then IPCop on x86 under VMware Server, then IPCop under VirtualBox, then Astaro Firewall under VirtualBox. I switched to KVM+QEMU because I was not happy with the VirtualBox network performance. I even played with PCI passthrough to have complete control over the network card. Finally I settled on libvirt + KVM with Astaro Firewall. I'm running all this under LFS (Linux From Scratch), but this setup can be easily replicated on any modern distro: Fedora, CentOS, Debian, Ubuntu, you name it.

    Or you can try and roll something yourself, based on iptables, whatever. But if you're not into monitoring security mailing lists for the latest vulnerabilities, you're better off with an off-the-shelf commercial product with a free community offering.

  85. IPCop by Anonymous Coward · · Score: 0

    I have used IPCop at work for years; it'll run on any old PC, or a small Atom machine these days is ideal. Fairly easy install, excellent web GUI, IPSec & OpenVPN support.
    I'm sure that all these other suggestions will be good too; IPCop is just what I know.

  86. Re:geek or not ~ pfSense by buswolley · · Score: 1

    well played sir!

    --

    A Good Troll is better than a Bad Human.

  87. DNS? by Anonymous Coward · · Score: 0

    The problem is finding your public routable IP address needle in the big internet haystack if you're using "dial-up" with an ever-changing address.
    Once you know which IP address to send your VPN packets to, then it becomes trivial: OpenVPN and port forwarding.
    To find your ephemeral IP address without ever using the domain name system (DNS servers):
    1: IRC client: connect to IRC server static.ip from your home IP address and leave it running (set to auto-reconnect on IP change).
    To find your dynamic.ip address from abroad, connect to IRC server static.ip and do a whois on the user logged in and get the home IP address.
    2: Run a Tor relay and give it a name. Use some Tor relay tracker to look up your Tor relay's name to find the IP address.
    3: Seed a secret torrent and be sure you're the only seeder. Download this torrent from abroad and find the IP address of the seeder.
    4: ...
    5: $$$

  88. Re:geek or not ~ pfSense by mattventura · · Score: 1

    I like embedded boards, but most of them are just horrible value. If space/power/etc isn't an issue, grabbing a PC from a junk pile and throwing a couple of NICs in it will be far more cost effective. Pretty much the only network-centric embedded board I've seen with truly good value was the Ubiquiti RouterStation Pro but sadly it's discontinued.

  89. Untangle? by dickens · · Score: 1

    What do you think about Untangle? (untangle.com) You can buy an appliance version of it too.

  90. cheap dualcore asus ac56u with asuswrt-merlin by SinShiva · · Score: 1

    As the subject line indicates, I use the RT-AC56R (~100 USD at Walmart) as my primary router and with the asuswrt-merlin fork I have dual simultaneous OpenVPN servers configurable from the web UI. Awesome router. And true to Asus' renown for keeping old devices updated, the 'adaptive QoS' based on Trend Micro's DPI based system is on its way to this venerable device; it premiered in the latest model, the RT-AC87U.

  91. geek or not by Anonymous Coward · · Score: 0

    Firewalls are not easy to do right. pfSense makes it easy enough, but you can still shoot yourself in the foot. The nice thing is pfSense is ROCK solid. Make all the filter or rules changes you want in production, during the day!!

  92. Use a Pre-Built Network Appliance by TMYates · · Score: 1

    Unless you have a computer lying around, I strongly recommend getting an off the shelf solution using a router with the capabilities built in. One good example I can point out is the Cisco Small Business RV215W Router. For $100-ish off Newegg, you get a full router with ACLs, QoS, VPN, VLAN, and more. If you like your current router, set up your current router to forward VPN traffic to this device. The best part is that it is small, quiet, and energy efficient when compared to a full computer.

    There is nothing wrong with using a custom computer and throwing Linux on there with a software package to handle VPN, but based on your description, I think this would be a better fit unless you really want to go in depth on learning VPN technologies. By the sound of it, you just want something easy to set up and manage with little maintenance.

    1. Re:Use a Pre-Built Network Appliance by dickens · · Score: 1

      A "Full Computer" isn't what it used to be. We like this kind of thing.

    2. Re:Use a Pre-Built Network Appliance by TMYates · · Score: 1

      While that is an awesome option (no complaints about the product), it still sits above the price point of the Cisco router I mentioned. I was under the assumption that the author of the article was looking for reasons to go one way or another. In this case, based on his intended usage, I gathered that the device would most likely be set and forgotten. While there is a lot you can do with a pre-built pfSense firewall that you cannot do with the Cisco model, most of the functionality the author is looking for is also in a device built for small businesses at a quarter of the price.

  93. Might be overkill by Anonymous Coward · · Score: 0

    Might be overkill but why not......zentyal has been good for my needs.

  94. Linux or not (Re:geek or not) by mi · · Score: 1

    My OpenVPN/Raspberry Pi proxy was a miserable failure...

    Dare I raise the suspicion that the underlying Linux is to blame? pfSense, in contrast, is based on FreeBSD and is — as mentioned by numerous people here — quite usable even on old Celerons...

    --
    In Soviet Washington the swamp drains you.

    1. Re:Linux or not (Re:geek or not) by viperidaenz · · Score: 1

      It's probably more to do with the CPU in the Raspberry Pi being a very old ARM architecture and only a single USB port that needs to handle multiple Ethernet devices, with the underpowered CPU running both Ethernet -> USB drivers.

    2. Re:Linux or not (Re:geek or not) by mi · · Score: 1

      So underpowered, the responsiveness of the console was affected by light web-browsing? Well, maybe...

      --
      In Soviet Washington the swamp drains you.

    3. Re:Linux or not (Re:geek or not) by Anonymous Coward · · Score: 0

      Same AC here... I had the Pi running a SOCKS proxy and routing all outbound traffic over the OpenVPN tunnel, with plans of terminating another inbound tunnel later. OpenVPN had the CPU completely pegged as soon as I started testing. I don't know if the Pi has any kind of crypto acceleration or if the distro or OpenVPN can use it if it does, but it was pathetic. I ran out of fun time that weekend and chucked the Pi back in the Hardware of Questionable Utility box. Now I use the SD card from the Pi for ReadyBoost on my Windows laptop and terminate the tunnel there instead. My wife is a little miffed that she can't use certain services from her own PC, but it works. It's kinda like the old regex joke: you have a problem and think "I'll solve this with my Raspberry Pi." Now you have two problems.

    4. Re:Linux or not (Re:geek or not) by viperidaenz · · Score: 1

      Apparently it does work well as a media player running XBMC. It actually has a half decent GPU with hardware 1080p H.264 decoding. Doesn't really do much else well though.

  95. Re:geek or not ~ pfSense by Anonymous Coward · · Score: 0

    You don't need to buy their hardware; you can install pfSense on whatever you want. I have it running on a VM with 256 MB RAM.

  96. All you need.... by Anonymous Coward · · Score: 0

    pfsense.org Period.

  97. pfSense by BurgEnder · · Score: 1

    I have pfSense running on a dual-core mini-ITX Atom board with an on-board Intel GB NIC, an Intel PCI-E GB NIC, 2 GB RAM, and a CompactFlash to SATA adapter for storage: this setup has gotten me enterprise level performance and reliability, no matter what I throw at it - IPSEC VPN, off-site video monitoring, a Plex server serving up to six WAN side clients at once, etc. It has never frozen/locked up, it controls my commercial grade UPS which all networking gear in my riser closet is connected to, and it consumes about 13 watts under full load.

  98. Options by pak9rabid · · Score: 1

    Oh man, this is totally my area of expertise.

    Hardware:
    • APU 1C
    • APU 1C4 (same as above but with 4 GB of RAM instead of 2)

    Software:

    • Voyage Linux: This is a Debian-based Linux distribution that's tweaked to run on x86-based embedded systems (like one of the APU systems above). This is a good option if you're a Linux power user and prefer to set things up yourself manually.
    • pfSense: You can flash this onto an SD or mSATA card and boot straight into it. This is good for those that want a more turn-key solution. pfSense is based on m0n0wall.

  99. Re:geek or not ~ pfSense by Anonymous Coward · · Score: 0

    Agreed, pfSense is a great solution. I've run it at home on an old Pentium 3 and a first-generation Fit-PC embedded box, and at work on everything from a first-generation Athlon to a pair of Dell R200s (overkill, but they were cheap and we wanted identical machines for the failover pair).

  100. the best FW by Anonymous Coward · · Score: 0

    The best way to bulk up security is to turn it off.

    You might miss it for a little bit but the increase in your life will make up for it.

  101. Re:geek or not ~ pfSense by avgjoe62 · · Score: 1

    This indeed. I have pfSense running on one of these with a 60 Gig SSD drive. If it wasn't for the cat trying to hide behind it I wouldn't even know it was there and running.

    --

    How come Slashdot never gets Slashdotted?

  102. IPFire + PC Engines APU by Anonymous Coward · · Score: 0

    As others stated, pfSense is excellent and *WRT runs on cheap MIPS/ARM hardware.

    However, pfSense is more difficult than IPFire and the MIPS/ARM SOHO routers struggle with VPN (underpowered). The PC Engines APU uses about ~7 watts and IPFire is developing nicely with grsecurity + PaX and they recently added Active Directory.

    It results in a nice low powered reasonably priced router and a user friendly UTM.

    PC Engines APU

    IPFire

  103. ipcop.org by Anonymous Coward · · Score: 0

    I would have to most definitely suggest you get a second NIC and install IPCop on any old box. Very easy to get a VPN set up. Or if you want to go really hard core, try out RouterOS at http://www.mikrotik.com/software.html

  104. Try Gargoyle by I+will+be+back · · Score: 1

    Try http://www.gargoyle-router.com... It is a nice front-end for OpenWrt and has an OpenVPN plug-in.

  105. Build? by Anonymous Coward · · Score: 0

    Buy an RV042, deploy in 20 mins and go to the bar.

  106. vyos is firewall software numba 1 by Anonymous Coward · · Score: 0

    VyOS.

    That is all.

    http://vyos.net/wiki/Main_Page

  107. O'Reilly to the Rescue by shking · · Score: 1
    --
    -- "At Microsoft, quality is job 1.1" -- PC Magazine, Nov. 1994

  108. Re:geek or not ~ pfSense by niftymitch · · Score: 1

    > This indeed. I have pfSense running on one of these with a 60 Gig SSD drive. If it wasn't for the cat trying to hide behind it I wouldn't even know it was there and running.

    The above is a rather nice little box. At half this price I would buy two.

    I was going to reply to the original poster that if he had to ask he could not get there from here. The above system has the critical two Gig-E network ports. He would have to install and learn how to administer a Linux system or install a pile of odd things on top of an IMO fragile WindowZ OS. Full blown Win-Server software that can get the job done costs more than the hardware.

    The best bet is to run the router that the ISP gives you and then use that as the basic firewall and allow one port access inside to a machine that runs VPN software. That machine could be the above or it could be anything else.

    The obvious other place to start is to Google for "gig-e router vpn". When shopping VPN solutions make sure all three bits are working.... Client, server, firewall...

    VPNs are interesting... they punch a hole in a firewall that once inside other security must be in place. Badly structured VPN solutions increase the footprint and enable many worms, viruses and other cruft to run free.

    Well structured, good things happen.

    --
    Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn't. Mark Twain.

  109. Is this Apple forum? by Anonymous Coward · · Score: 0
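
    An added illustration of the "one hole in the firewall, then other security inside" point niftymitch makes above; this is example configuration written for this page, not any poster's own. It is an OpenBSD-style pf.conf (the syntax pfSense's FreeBSD pf uses differs slightly, notably for NAT) in which the only service reachable from the WAN is the OpenVPN listener, and remote clients arriving through the tunnel are confined to one file server instead of the whole LAN. Interface names, addresses, the port and the server address are all assumptions.

```pf
# Example pf.conf for a small OpenVPN-terminating firewall (OpenBSD pf syntax).
# All interface names, networks and ports below are assumptions for this example.
ext_if  = "em0"             # WAN side, addressed by the ISP's router
int_if  = "em1"             # LAN side
vpn_if  = "tun0"            # OpenVPN tunnel device
lan_net = "192.168.1.0/24"
vpn_net = "10.8.0.0/24"     # pool OpenVPN assigns to remote clients
vpn_port = "1194"
lan_srv = "192.168.1.10"    # the one LAN host VPN users are allowed to reach

set skip on lo
set block-policy drop       # silently drop instead of sending RSTs/unreachables

# Default deny in every direction; each rule below is an explicit exception.
# 'log' sends hits to pflog0, so dropped traffic can be reviewed with tcpdump.
block log all

# Packets arriving from the WAN with a private source address cannot be
# legitimate (and a reply to them would never leave the LAN); drop them early.
block in quick on $ext_if inet from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } to any

# LAN hosts may go out; their traffic is NATed behind the WAN address.
# (FreeBSD pf, as in pfSense, expresses this as a separate 'nat on' rule.)
pass in  on $int_if inet from $lan_net
pass out on $ext_if inet from $lan_net nat-to ($ext_if)
pass out on $ext_if inet proto { tcp, udp, icmp } from ($ext_if)

# The single hole from the Internet: the OpenVPN listener, UDP only, nothing else.
# pf keeps state by default, so return traffic to clients is matched automatically.
pass in on $ext_if inet proto udp from any to ($ext_if) port $vpn_port

# Inside the tunnel, clients are confined: SMB on the file server and DNS on this
# box. They get no route to the rest of the LAN and no Internet access via this box.
pass in  on $vpn_if inet proto tcp         from $vpn_net to $lan_srv  port 445
pass in  on $vpn_if inet proto { tcp, udp } from $vpn_net to ($vpn_if) port 53
pass out on $int_if inet                   from $vpn_net to $lan_srv

# Nothing passes from the LAN into the tunnel unsolicited; the default block covers it.
```

    Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it, and watch `tcpdump -n -e -ttt -i pflog0` to confirm that anything other than UDP 1194 from the WAN is being dropped.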

    "It's hard so don't do it."

    Fuck off.

  110. Maybe a bit overkill by Anonymous Coward · · Score: 0

    I've been using Zentyal, it does everything I need it to.

  111. firewall with VPN by Anonymous Coward · · Score: 0

    IPCop or IPFire are both good for your purpose: free, stable, easy to set up. Try it and you'll love it.

  112. Try Zeroshell! by Anonymous Coward · · Score: 0

    I would highly recommend ZeroShell. It's easy to configure, as the name implies, and it's full of advanced features such as turning your wireless card into a WiFi router and multi-WAN failover for redundant internet connectivity.

    I just deployed it at my job to replace a Cisco router and access point and I'm not even considering going back to the old hardware. As for security, let's just say after I deployed the firewall rules our PCI compliance auditor couldn't even detect any open ports (even though there are many services running). This distro supports 3 different kinds of VPN access (OpenVPN, IPSec, & PP2P) depending on your preference. Check it out at www.ZeroShell.org

  113. Re:geek or not ~ pfSense by rev0lt · · Score: 1

    > Full blown Win-Server software that can get the job done costs more than the hardware.

    No, not really. Windows has the easiest internet-sharing and VPN configuration wizard you'll find. And it's not half bad, but...

    > The above is a rather nice little box. At half this price I would buy two.

    I have an equivalent box. Instead of pfSense (which, besides the GUI and the easy VLAN setup, is a crappy system for everything else), I run FreeBSD 9.2. And I use it every day to tunnel into my Windows machines with RDP via SSH :)

  114. ZeroShell is a good distro... by samssvt · · Score: 1

    I would highly recommend ZeroShell. It's easy to configure (as the name implies, no shell required), and it's full of advanced features such as turning your wireless card into a WiFi router and multi-WAN failover for redundant internet connectivity. This could be useful if you want to use your cell phone's internet as a backup to your main net connection. I just deployed it at my job to replace a Cisco router and access point and I'm not even considering going back to the old hardware. As for security, let's just say after I deployed the firewall rules our PCI compliance auditor couldn't even detect any open ports (even though there are many services running). This distro supports 3 different kinds of VPN access (OpenVPN, IPSec, & PP2P) depending on your preference. It also has easy to install add-ons such as integrated anti-virus for all incoming traffic, along with bandwidth monitoring, proxy caching, and content filtering. Check it out at www.ZeroShell.org

  115. DD-wrt is old TOO by Anonymous Coward · · Score: 0

    The current stable (v24 SP1) is dated July 2008 (Link).

    In fact, if you check the official site's downloads area, you will find that the "obsolete" folder is newer than v24-sp1! (Link)

    I'd say you should do a little research too.

    1. Re:DD-wrt is old TOO by michrech · · Score: 1

      I'm pretty sure that I never mentioned anything about how old / new DD-WRT's software is. That said, the current version I'm running was released in June of this year.

      You were saying?

      --
      bork bork bork!

  116. Re:geek or not ~ pfSense by ping.kwong · · Score: 1

    Or you can get a used WatchGuard Firebox X Core or X Core-e series for around $50-100 on eBay. Drop in a 2 or 4 GB CompactFlash and you're in business. Looks professional with a working LCD display with a few modifications. I'm not sure about throughput over VPN so that could be a dealbreaker for some. The X Core-e series has gigabit NICs if you need the extra bandwidth. https://doc.pfsense.org/index....

  117. Buy a Ubiquiti EdgeRouter Lite. by Anonymous Coward · · Score: 0

    Yeah. The ERL looks super-sexy, and (at 99 USD is reasonably priced.) Its VPN throughput looks very good, and it can route and firewall traffic at or near gigabit speeds.

    It uses a lightly-customized version of Vyatta (which runs on top of Linux), so if you're a Linux novice, you'll need to do a little bit of more reading to work with the CLI. However, the Ubiquiti wiki has a squillion examples of config files that should cover most every need.

    Also, the device does have GUIs for configuration of many common things (like, for instance, a NATting firewall, VPNs, and QoS). The beta firmwares add even more GUIs and appear to be developed by a couple of guys in the company who really know their stuff.

  118. I use D2700MUD by Anonymous Coward · · Score: 0

    I stuck the following mobo - http://www.intel.com/content/w... - into an old casing, put in an old PSU and an ethernet card in its slot, with an SSD card, and that's all there is to it.

    And it has been running for the past 3 years, 24/7, without giving me any problems.

  119. IPCop by Anonymous Coward · · Score: 0

    I use IPCop. We have it running on our utility internet connections in our offices connected to our labs in each of our 10 offices. We use them for typical lab purposes and to provide raw internet access to guests and for testing in the office. All of them are connected together using IPsec.

    They are mainly running on old HP desktops we had laying around with a dual port NIC, or the internal NIC and a second cheap NIC from old servers we retired. Some are a virtual instance on VMWare. I have some that have been running with no KB, mouse, or monitor sitting in the corner of the datacenter for over 900 days untouched. The others are only not at 900 days because power in the building went down for whatever reason. Yes, they are behind on patches, but nothing is being offered from the outside that I am worried about getting in. Quite a few of them pass over 500GB of traffic a month to and from the internet. Rock fkng solid.

    One of them is running on ESX on one of those HP desktops; the IPCop instance has 512MB RAM and it easily passes 100mbit/sec of traffic in from the outside to physical machines in our lab.

  120. 3000+ usd Cisco.. has a pentium 4 inside... by D,Petkow · · Score: 1

    I'd go with the DIY solution. Inside expensive branded solutions you are bound to find usual PC components anyway - a Pentium 4, but with DDR3 RAM. And known Cisco issues like having to revert 10 firmwares backwards and install each firmware update one after the other, else it does not work... also make me steer away from branded pre-made solutions.

  121. I don't think so - although never tried by goldcd · · Score: 1

    Quite helpfully, if you want to have a look at what it supports, they've put the UI online:
    http://event.asus.com/2012/nw/...

  122. Recipes by csoh · · Score: 1

    There is more than one way to do it.

    1. Raspberry Pi (not practical)
    RPi + Linux + iptables + OpenVPN
    pros: cheap, low power (5W), no noise, low heat
    cons: only one 100Mbps port; USB-ethernet/USB-wifi plus an additional switch needed; USB performance not good. Not recommended unless your outer ethernet side is very slow.

    2. DD-WRT + supported hardware (AP/router)
    AP/router (typically ARM based) + Linux + iptables + OpenVPN
    pros: relatively cheap (depends on hardware model), low power (typically 10W), no noise, low heat, integrated WiFi/wired ports, small, clean looking.
    cons: limited internal storage/memory. May brick your hardware if you are not careful enough (and void your warranty). Useful for a dedicated role (firewall, VPN) only; may be used for printer/file server or other roles if your hardware has a USB port, but (typically) slower than a full PC.

    3. Mini ITX based PC
    Low-end Bay Trail based Mini ITX motherboard (J1800 recommended) + DC-DC power + 12V power brick + small case + storage + Linux/BSD(?) + iptables/pf(?) + OpenVPN
    pros: versatile (file/full printer (CUPS)/application (e.g. Minecraft) server capable depending on configuration, up to 8/16GB RAM + TBs of storage); can still be made fanless and noiseless if you've planned well; relatively low heat (warm) if you leave it in open space
    cons: most power hungry (~15W, depending on configuration), additional USB-ethernet adapter/switch/wifi needed, biggest of all the above (20cm*20cm*5cm + brick)

    tips
    - for a cheap 12V power brick, look for power bricks for LCD monitors (12V 3.5A/5A SMPS, depending on your system's power usage; widely manufactured)
    - about iptables, read the iptables tutorial on frozentux.net
    - p910nd: a light, spoolless (no file operation) print server daemon. Turns your cheap USB-only printer into an always-on networked printer even on a limited-storage platform.

  123. Why Re-Invent the wheel while you increase CapEx by raleigh.dst · · Score: 1

    I would rather see you utilize one of the newer Single Board Computer routers from a vendor like Mikrotik rather than spend far too much money for a Cisco ASA or SoHo solution.

    As an enthusiast I would recommend the Routerboard CRS series for price and punch. It will provide the OP with all of the features he requested and a ton more that Cisco would charge a licensing fee for. The base cost will be around $149.00 for a CRS with 8 1Gbps Ethernet ports, a Gbit SFP cage, and integrated 802.11N MIMO interfaces. http://routerboard.com/CRS109-...

    Wanna build your own? You can add 802.11AC to any of their base boards and chuck it in an enclosure for rock bottom prices. -- http://routerboard.com/R11e-5H... .

    It supports client and server modes for IPsec, OVPN, PPTP, L2TP, VPLS, GRE, SSTP, and those are off the top of my head.

    I'm not a salesman, just a nerd.

    Casey Annis

    P.S. If you go with Mikrotik, I'd be happy to do a TeamViewer session with you and get you started.

  124. Re:Why Re-Invent the wheel while you increase CapE by raleigh.dst · · Score: 1

    Pros:
    • The OP gets what he asked for in a single package with great software development and durable hardware platforms
    • Developed on open standards and utilizes a Linux Kernel 3.3.8 package on ARM and Tilera cores (also runs on x86 hardware)
    • You get to annoy some pushy Tier 1 Blue router salesperson and get something useful at a reasonable price while they sputter incoherently about TAC availability and premium service contracts. This has happened to me.

    Cons:

    • There can be a bit of a learning curve if you are only used to COTS routers like Linksys and D-Link - but I will volunteer to help you get started.
    • The price-to-feature-set ratio is so low you may have a hard time convincing yourself that it is a quality device. Trust me, it is. If you don't trust me, just Google around.
    • The annoyed blue router salesperson might stop taking your calls when you really do need a large blue router/switching package. This has happened to me. I just called up and got a new one. They were much nicer.

  125. IPcop by Anonymous Coward · · Score: 0

    I recommend IPcop. It's a dedicated firewall Linux distro with an easy to configure GUI for VPNs and DMZ. Runs on any old hardware.

  126. Re:Why Re-Invent the wheel while you increase CapE by raleigh.dst · · Score: 1

    I forgot to mention the stateful firewall with connection tracking and QoS systems with packet inspection rulesets. Casey

  127. I want my stuff to work and get support when it do by Anonymous Coward · · Score: 0

    Juniper SRX100H2... $500, which includes 3 years of HW replacement and SW support. Plus this stuff actually works.

  128. Re:geek or not ~ pfSense by raleigh.dst · · Score: 1

    The RouterStation Pro was merely OK for the value point. We sold a lot of them when I used to work for a WISP hardware provider, but they had a ridiculously high 10% return rate compared to the less than 1% return rate on a comparable Routerboard.

    I don't work there anymore, but I still use Mikrotik RouterOS and Routerboard in my home and office. While comparable in price to Ubiquiti, they both beat the blue router pricing by a hundred country miles, and pound for pound the configuration interfaces are superior to blue router's old and busted command line. It just makes sense when you look at it.
    The Mikrotik console commands actually resemble English.

  129. VPN by dhjdhj · · Score: 1

    I just set up a couple of SonicWalls with site-to-site VPN enabled.

  130. Re:geek or not ~ pfSense by niftymitch · · Score: 1

    Full blown Win-Server software that can get the job done costs more than the hardware.

    No, not really. Windows has the easiest internet-sharing and VPN configuration wizard you'll find. And it's not half bad, but...

    The above is a rather nice little box. At half this price I would buy two.

    I have an equivalent box. Instead of pfSense (which, besides the GUI and the easy VLAN setup, is a crappy system for everything else), I run FreeBSD 9.2. And I use it every day to tunnel into my Windows machines with RDP via SSH :)

    One caution is that Windows is not as secure an OS, perhaps because there is a rich set of stuff that is darn hard to replace or eliminate.

    A FreeBSD or Linux based firewall+VPN system can be pruned to an astoundingly short list of services and binaries. I say this, but most Linux system owners do not do this... but it is better facilitated if you want to do it.

    You open up a good context to make the point that a user should use what they know best. If the poster knows how to manage one system and not the other, then the best answer for that user is obvious.

    Opinionated discussions like this are really homework check lists for others. At some point consensus identifies a winner to learn first. Along the way issues, tools and options surface as alternatives worthy of research and may cause the consensus answer to change.

    I am not a fan of consensus science, but it does have its place.

    --
    Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn't. Mark Twain.

  131. Re:geek or not ~ pfSense by rev0lt · · Score: 1

    One caution is that Windows is not as secure an OS perhaps because there is a rich set of stuff that is darn hard to replace or eliminate.

    I haven't seen one single landline direct-connection to the internet since the dialup/adsl days. Most consumers will have a router. The only exception is 3G/4G adapters, but the topic is about firewalling. And unless you're running a DPI appliance to check for binary malware, you're getting those in your windows machines anyway.

    A FreeBSD or Linux based firewall+VPN system can be pruned to an astoundingly short list of services and binaries

    As can Windows. And you can also take the easy approach of just closing any external port besides the VPN, leaving only potential attacks on the TCP stack and the VPN layer. I actually find it funny that people use firewalls on unix systems "as a checklist item"; most systems don't even require a firewall if properly configured. But yeah, let's badmouth Windows and forget the ton of distros that allow remote root login via ssh *by default*.

    You open up a good context to make the point that a user should use what they know best. If the poster knows how to manage one system and not the other then the best answer for that user is obvious.

    No. If the user knew what was best - or at least the options available - he wouldn't be asking this. Having guys following tutorials on the internet to configure stuff is not my idea of "secure", and he'd probably be better off buying a dedicated appliance with a nice GUI interface. While realizing that you exposed something from the internal system or used a weak password for root after your whole network was compromised does have its educational value, it is a dreadful experience for a non-unix nerd.
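
    A concrete form of two ideas in this thread, the iptables+OpenVPN recipes in comment 122 and the "close every external port besides the VPN" approach in this reply, as an added example that is not code from any poster: a shell script that generates a default-deny iptables ruleset (iptables-restore format) for a two-NIC box whose only internet-facing service is OpenVPN, plus a check that lists what the WAN side actually exposes. Interface names, the tunnel device and the port are assumptions set through environment variables.

```shell
#!/bin/sh
# Added example, not from any poster: emit a default-deny iptables ruleset
# for a two-NIC home firewall that exposes only OpenVPN to the internet.
# Interface names and the port below are assumptions; override via env vars.
WAN="${WAN:-eth0}"            # assumed: NIC facing the cable/DSL modem
LAN="${LAN:-eth1}"            # assumed: NIC facing the home switch
TUN="${TUN:-tun0}"            # assumed: OpenVPN tunnel device
VPN_PORT="${VPN_PORT:-1194}"  # OpenVPN's default UDP port

gen_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Trusted sides: the LAN and authenticated VPN clients may reach the box
# itself (DNS, DHCP, SSH); nothing on the WAN side gets that.
-A INPUT -i $LAN -j ACCEPT
-A INPUT -i $TUN -j ACCEPT
# The single hole from the internet: the OpenVPN listener.
-A INPUT -i $WAN -p udp --dport $VPN_PORT -j ACCEPT
# Forwarding: LAN and VPN clients out, replies back; new WAN->LAN flows
# hit the FORWARD DROP policy.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN -o $WAN -j ACCEPT
-A FORWARD -i $TUN -o $LAN -j ACCEPT
-A FORWARD -i $TUN -o $WAN -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $WAN -j MASQUERADE
COMMIT
EOF
}

# Review step before applying: list every port an INPUT rule opens on the
# WAN interface. The expected answer is the VPN port and nothing else.
wan_open_ports() {
    gen_rules | grep -- "^-A INPUT -i $WAN " \
              | grep -o -- '--dport [0-9]*' | awk '{print $2}'
}

# Apply as root: sysctl -w net.ipv4.ip_forward=1 && gen_rules | iptables-restore
```

    Loading the output with `iptables-restore` replaces the whole table atomically, so a typo does not leave the box half-configured; run `wan_open_ports` first and look for any port you did not intend to expose.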

  132. OpenWRT by mathew7 · · Score: 1

    Just as a heads up, I measured 18Mbps (that is 1.8MB/s) with my OpenWRT TP-Link WDR4300 (with AR9344 @ 560MHz). I don't think off-the-shelf routers have any OpenVPN support, so no HW encryption engines.
    If you need higher speeds, forget off-the-shelf routers (at least for the VPN end-points).

  133. Plenty of choice by Anonymous Coward · · Score: 0

    We use it at work and I'm planning to move it to home too. It will give you the options of all the VPNs you could think of.

    Other open source firewalls are pretty good out there too. I'd download the firewall software as an ISO and fire it up in a vm. That way you can see which you find the best for you.

    Dedicated pre-installed boxes are good; we have one at work. But you could just as easily buy some second hand machine, throw another NIC in, and build your own with whatever you choose.

    But yes these seem good choices:

    pfsense
    Untangle
    Smoothwall

    See previous posts and http://en.wikipedia.org/wiki/List_of_router_and_firewall_distributions for help choosing one too :)

  134. CeroWrt (or OpenWrt) by Anonymous Coward · · Score: 0

    Another alternate firmware for home routers is CeroWrt. Although its goal was as a research platform for studying Bufferbloat (which has been solved!), the current 3.10.50-1 build has been extremely solid for over a month. You will need a Netgear WNDR3800 router to run CeroWrt. See details at: http://www.bufferbloat.net/projects/cerowrt/wiki/CeroWrt_310_Release_Notes

    If you prefer another router, the OpenWrt project has virtually all the updates for Bufferbloat (especially fq_codel queue discipline). The Barrier Breaker builds are nearing final release, and are quite stable. https://openwrt.org/

  135. Why a full PC? by thatkid_2002 · · Score: 1

    Why not get just a router (I've been contemplating a Netgear WNDR-4300) and load it with OpenWRT or even DD-WRT?

    If OP wanted to do video transcoding/HTPC duties I could see the use for a full PC, but otherwise it is just a nuisance compared to a small, efficient, embedded system.

    The main advantage of OpenWRT over $OTHER is its packaging system and ability to install updates without reflashing. It has good documentation and a great community too.

  136. A PC with Windows? by Anonymous Coward · · Score: 0

    A PC running Windows 7 with firewall enabled should do, no?