Ask Slashdot: Advice On Building a Firewall With VPN Capabilities?
An anonymous reader writes "I currently connect to the internet via a standard router, but I'm looking at bulking up security. Could people provide their experiences with setting up a dedicated firewall machine with VPN capabilities? I am a novice at Linux/BSD, so would appreciate pointers at solutions that require relatively little tweaking. Hardware-wise, I have built PCs, so I'm comfortable with sourcing components and assembling into a case. The setup would reside in my living room, so a quiet solution is required. The firewall would handle home browsing and torrenting traffic. Some of the questions knocking around in my head:
1. Pros and cons of buying an off-the-shelf solution versus building a quiet PC-based solution?
2. Software- versus hardware-based encryption — pros and cons?
3. What are minimum requirements to run a VPN?
4. Which OS to go for?
5. What other security software should I include for maximum protection? I am thinking of anti-virus solutions."
This will let you connect to vpns and such http://www.buffalotech.com/products/wireless
or for a more geek solution https://www.pfsense.org/
Do you regularly remote in to your home network? Do you connect out to a server somewhere? If not, then setting up a VPN isn’t going to give you much (well technically it won’t give you anything). If so, your specific use case (which was not provided) matters.
As for software, one of:
- Throw your linux on there (I like Gentoo hardened) and roll your own with OpenVPN and other assorted tools (I like shorewall as an iptables frontend).
- pfSense if you’ve got a decent box and want bells and/or whistles
- m0n0wall if you want something light but functional
You might also want to consider routerboard, it’s cool shit and reasonably priced.
That was easy.
Get a router compatible with OpenWRT (Netgear WNDR3800 is a good choice) and install OpenVPN.
A VPN? To connect to where, from where? Are you doing this for something to do, or because you want to implement the best solution? Do you just want better router software?
Install Tomato or DD or OpenWRT or any one of their variants on your existing router.
Building your own in the name of security isn't going to work unless you really know what you're doing, which you said you don't in your summary. That sounds like a dick thing to say, but it's not. Security is difficult for people that know what they're doing, when people who don't try to DIY it, it's almost universally bad.
Buy a Ubiquiti EdgeRouter Lite.
You will not find a more dedicated firewall system than IPFire (http://www.ipfire.org). Requires a PC with at least two network interface cards to route traffic, an easy to configure web based front end, back end through the command line, with firewall rules that include VPN. Give it a go.
I build these critters all the time. Our entire multioffice infrastructure is based on Debian-based routers with OpenVPN. OpenVPN is pretty simple to get running, and I use Webmin to build my iptables rules.
I love me some pfSense. We use it at the office and it handles everything we can throw at it (including VPN/IPSec between offices to backfeed high bandwidth security video). It is also light weight enough to work in a home environment on minimal hardware.
Their hardware is both overpriced and well-made. For our small branch offices their embedded devices (such as https://store.pfsense.org/VK-T...) are better than what we could create on our own in low volume and a lot less work. For larger branch offices we will stick pfSense in virtual machine with whatever else they have running. It does well as a VM, too.
raspbian on raspberry pi works very well as a firewall/router. Software I use: dnsmasq (just for dns), openvpn (for administration), openvpn (trusted clients use vpn as gateway, thus avoiding unencrypted packets on wifi), dhcpd (serving 3 networks) and of course finally: iptables.
I can easily max out both upload and download speed (35/35 uplink) without the rpi choking.
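The post above runs OpenVPN both for administration and as the default gateway for trusted clients. Before a listener like that faces the WAN, the server config deserves a once-over for the hardening directives it should carry. The following lint is an added example and not code from that post or from anywhere else in this thread; the directive names are real OpenVPN 2.4+ options, while the two sample configs and their file paths are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: lint an OpenVPN *server* config for the
# hardening directives a home VPN box should have before its listener faces
# the internet. Directive names are real OpenVPN 2.4+ options; the two sample
# configs written by write_sample_configs are constructed for this example.

# has_directive FILE NAME : true if NAME is an active (uncommented) directive
has_directive() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# directive_value FILE NAME : first argument of NAME, empty if absent
directive_value() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# check_ovpn_server_conf FILE : prints one finding per line;
# return value is the number of findings (0 = every check passed)
check_ovpn_server_conf() {
    conf=$1
    n=0
    finding() { echo "$conf: $1"; n=$((n + 1)); }

    # An HMAC key on the control channel discards unauthenticated packets
    # before they reach the TLS stack, so port scans see nothing.
    if ! has_directive "$conf" tls-crypt && ! has_directive "$conf" tls-auth; then
        finding "no tls-crypt/tls-auth: control channel open to anyone on the port"
    fi
    # Only certs with the client EKU may connect (a leaked server cert must
    # not double as a client cert), and no TLS below 1.2.
    has_directive "$conf" remote-cert-tls || finding "missing 'remote-cert-tls client'"
    has_directive "$conf" tls-version-min || finding "missing 'tls-version-min 1.2'"
    # Data channel: require an explicit AES cipher unless data-ciphers is set.
    cipher=$(directive_value "$conf" cipher)
    if ! has_directive "$conf" data-ciphers; then
        case "$cipher" in
            AES-256-GCM|AES-128-GCM|AES-256-CBC|AES-128-CBC) ;;
            "") finding "no cipher/data-ciphers: older servers default to BF-CBC" ;;
            *)  finding "weak or legacy cipher '$cipher'" ;;
        esac
    fi
    # Compressing attacker-influenced plaintext leaks data (VORACLE).
    if has_directive "$conf" comp-lzo || has_directive "$conf" compress; then
        finding "compression enabled: remove comp-lzo/compress"
    fi
    # Drop root once the tun device and keys are set up.
    has_directive "$conf" user  || finding "daemon keeps root: add 'user nobody'"
    has_directive "$conf" group || finding "daemon keeps root group: add 'group nogroup'"
    # One compromised laptop should not reach every other remote client.
    if has_directive "$conf" client-to-client; then
        finding "client-to-client: remote clients can talk to each other directly"
    fi
    return "$n"
}

# write_sample_configs : writes a weak and a hardened server.conf (constructed
# samples, not real deployments) into a temp dir and prints the dir name
write_sample_configs() {
    dir=$(mktemp -d)
    cat >"$dir/weak.conf" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
cipher BF-CBC
comp-lzo
client-to-client
EOF
    cat >"$dir/hardened.conf" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-crypt ta.key
remote-cert-tls client
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"
user nobody
group nogroup
EOF
    echo "$dir"
}

# Usage: check_ovpn_server_conf /etc/openvpn/server.conf ; demo on the samples:
d=$(write_sample_configs)
check_ovpn_server_conf "$d/weak.conf" || echo "weak.conf: $? finding(s)"
check_ovpn_server_conf "$d/hardened.conf" && echo "hardened.conf: clean"
```

The exit status is the finding count, so the check drops straight into a deploy script (`check_ovpn_server_conf server.conf || exit`). The weak sample is roughly what older GUI generators and copy-pasted tutorials produce: it fails all eight checks, the hardened one passes clean. The lint does not parse the certificates themselves; a server cert without the server EKU, or a CA without a CRL, still needs a separate look.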
Look at www.untangle.com to get a good idea of what other options there are. Runs on a variety of hardware and they give some scoping info to figure out how much power you need.
The last time I built a dedicated firewall computer for my home network was for DSL in the late 1990's. I had a Cyrix MediaGX CPU/motherboard (freebie from work), a pair of network cards, and SuSE Linux for the firewall. Most DSL modems back then didn't support sharing multiple computers. Tech support wouldn't speak to you if you didn't have a "abby-normal" computer (i.e., Windows) connected directly to the modem.
I picked up an Asus ac66u last year (there are later models and I suspect cheaper ones in the range that are similar) - and it supports VPN (amongst all manner of other stuff).
Just have an extra page on the GUI to allow you to generate an openVPN cert and account privs. Pretty useful as means when I'm travelling I can just seamlessly add my phone to the home network.
I'd thought about buying something dedicated (well was more a NAS project, I thought I could add this to) - but unless you've got some complex needs or high volume - I strongly suspect I'd make more of a mess (both function and security) trying to set it up myself.
Grab a cheap Mikrotik RB750 or similar and you'll find you have an out-of-the-box solution that's feature-rich, supported, and easy to use.
I've been very happy with m0n0wall running on Soekris hardware.
The hardware is easy:
Either get a router that you can add DD-WRT/tomato to or build your own PC.
Software answer:
OS = OpenBSD
VPN = OpenVPN
BUT you are not asking the right questions.
VPNs only work when 2 ends connect. So what VPN server/client will the other end of your connection use? What are you actually trying to do? Does your work have a fat-connection that they will let you use? Are you planning on paying for VPN service from a 3rd party? Do you want to create a VPN between your home and your laptop while you travel?
If you want to build yourself a solid, dependable, 'solution' follow this guide:
http://www.bsdnow.tv/tutorials...
I just ordered one of these kits: http://store.netgate.com/kit-A... to use with PFSense. I haven't set it up yet, but many people seem happy with a similar bits. PFSense seems well-respected and relatively easy-to-use. Since it is FreeBSD under the hood, I should also be able to run my AP/Wifi management services on it (outside of the home, I'd probably insist on a separate VM for this).
Save a bunch of time. Buy a netgear FVS type VPN router. You can get 4 port, 8 port and/or wifi.
I second pfSense - easy to use, and great out of the box, and available add on features, GUI interface, OpenVPN and PPTP. Covers all the bases.
pfsense is rock solid.
even on shitty hardware, you can do a LOT with pfsense.
the turnkey boxes from their store are pretty neat too.
Buy a good switch and a low power PC with some ram. Virtualize it all.
Smoothwall is a good choice, there are lots out there.
Makes it easy to do other things like IDS as well later.
I love pfSense, it is superb, but that hardware is very overpriced. I guess it includes a support contract, but still, you could build out one of those appliances for less than half the cost.
Or a checkpoint UTM-1 or a Juniper SSG...
Get a small premade solution and skip the DIY thing. It's minimal power and unless you happen to like pain and suffering, a simple SSL VPN with a decent Web UI is much nicer than spending half your life building one.
I absolutely love Endian firewall. Put it on an old box, a virtual machine or whatever you want. It has all the firewall features you could want, and has VPN support out of the box.
http://www.endian.com/us/
The classic router for this purpose was the Linksys WRT54G, but that is getting very long in the tooth and does not support 802.11n or 802.11ac.
The current reasonably priced (about $100) pick that supports everything and is a *working* 2.4ghz and 5ghz 802.11ac router with OpenWRT or DD-WRT is:
TP-Link Archer C7 V2 AC1750
Manufacturer Info is here -> http://www.tp-link.com/en/prod...
It can be re-flashed with either OpenWRT or DD-WRT to provide firewall and a variety of VPN types. It also has enough flash to add other features and given that it includes 2 USB 2.0 ports can also used as a low power (compared to a full hardware PC) internet server.
The disadvantage on this router is that it only supports 1750AC and not 1900AC and that the USB ports are only 2.0. There are routers that cost a lot more that provide both 1900AC and USB 3.0, but they also do not currently FULLY support OpenWRT and DD-WRT.
My personal experience is that OpenWRT is more modular than DD-WRT. This makes it easier to pick and choose "packages" in any configuration you'd like. For instance, I added the stunnel package to protect an IP video camera that did not provide HTTPS for remote home monitoring. Now the router provides the necessary HTTPS for that use case.
If you are looking to use either DD-WRT or OpenWRT check their home pages BEFORE purchasing a router so you know that it is fully supported by each.
The router to AVOID at the moment appears to be the Linksys 1900AC, which the manufacturer FALSELY claimed in their sales literature at launch was supported. It still is not.
You can view info on the OpenWRT project here -> https://openwrt.org/
And the DD-WRT project here -> http://www.dd-wrt.com/site/ind...
I really like pfsense. It is FreeBSD based and very easy to setup. See http://www.pfsense.org/
I just went through this and here's the short summary of my research.
DIY - go with a PC Engines Alix board or a Soekris board if Intel NICs matter to you. You can buy them here (link below). Install PFSense. Done. Easy. Or if you want a more command line approach install VyOS.
https://soekris.com/
http://www.mini-box.com/ALIX-b...
https://www.pfsense.org/
http://vyos.net/wiki/Main_Page
If you want an off the shelf solution the best product I've found for the money is by Ubiquiti Networks called Edge Router lite. http://www.ubnt.com/edgemax/ed...
As far as VPN acceleration. With the Alix or the Soekris you can have a dedicated Crypto Accelerator. I haven't gotten to the VPN portion of my build yet. It only really matters if you need fast sustained throughput on a point to point IPSEC. If you are just connecting from remote software decoding will probably be fine. PFsense has OpenVPN included and makes this easy. VyOS or another route will require more hands on.
AskSlashdot is a joke. I mean all you get are jokes, or whatever comes up first in a basic Google search.
We are the Google algorithm...
Since your question was not clear as to whether you wanted to connect to a vpn for outgoing traffic encryption, or to provide secure access to your home network, I will assume that you want both. I've got a zyxel usg50 at home and a usg100 at my office and they have been able to handle everything I have thrown at them. http://www.amazon.com/dp/B0042.... I was also pleased that when the whole Heartbleed fiasco appeared, the zywall firmware was not vulnerable at all. Dual WAN connections are supported which lets me use both my AT&T Uverse and Charter Cable internet access with load balancing. The only negative that I can note are the several features on the zywall that require monthly subscriptions. But, since I don't use those, there is no loss to me.
In the past, I have built my own firewalls either on dedicated hardware, or as a vm on an esxi hypervisor, from Linux ipchains to netfilter to BSD pfSense. While I love to roll my own, having such a critical piece of infrastructure as dedicated hardware has made life much easier.
Isn't it a little questionable to be suggesting a solution that has essentially been taken closed source? Vyatta is great, but unless the vyos community gains some strength it could end up as a dead end in a couple years. That aside, vyatta is a solid solution, so I'm only bringing up the potential negatives here since the vyos maintainers don't seem to have a lot of development/maintenance resources.
Get a web developer
I have pfSense running on a Soekris net6501 for my home network firewall. I have set up OpenVPN - configuration took only a few minutes and it has worked perfectly.
The Soekris Net6501 is more than sufficient for my needs but pfSense scales well and will run on many types of hardware. When I was testing it I ran pfSense as a VM without any problems - in retrospect I should have left it that way permanently.
I bought an ASA-5505 on Amazon for around $500. For that price you get a firewall that is used by many big companies. You can get your feet wet in the Cisco world - which could help if you ever need to look for a job, and it handles VPN nicely.
If you've never worked with Cisco before, it will take you some time to get up to speed on the cisco way though.
The only drawback with this box is that the interfaces are 100 Mbps only.
There are a few affordable solutions out there. Here are 3 options with support for IPSec, OpenVPN and PPTP.
1. Ubiquiti Edge Router, The Lite model retails around $99. The gui is intuitive and easy to use. The latest update makes setting up site to site IPSec tunnels pretty simple. Don't like the GUI? No problem, It has ssh and serial support and is based on the excellent vyatta fork VyOS.
2. Mikrotik, I recommend the RB2011 series as they have 10 ports ( 5GigE and 5 FastE ), plus the $129 model has wifi and an SFP port as well. Quite easy to set up.
3. pfSense. The hardware is pricey but the software is excellent and works well in a VM. You can pick up a low end fanless micro ATX board , pick up an extra NIC and have a quiet firewall sitting in your living room.
Check out PFSense, has a snort plug in and the vpn capabilities you're looking for.
Just download and install VyOS (fork of Vyatta) if you're building your own firewall.
http://vyos.net/wiki/Main_Page
Yup, pfSense is Good Stuff. On the hardware side it'll run on damn near anything. I run mine on an old Celeron machine with traffic shaping, no issues. I don't know that I'd want more than one or two simultaneous VPN users with that compute capacity, though.
somehow i think he is just trying to hide behind a VPN to do some "torrenting"
Hands down the most reliable and easy to use dual wan, VPN enabled Router for quick deployments, silent, low power consumption, handles PPTP, ipsec, etc...
I am no fan of their QuickVPN software (a third VPN option included with this router), but it works as well if you don't like PPTP or if you find IPSEC too much of a pain to set up.
Plus it has DUAL WAN connections, so you can use a hotspot or DSL, or the neighbor's connection as a failover (or you can load balance them, or bind stuff, etc...).
I'm blown away no one has mentioned this router as I see it everywhere.
http://www.newegg.com/Product/...
Pfsense is a huge winner as well, though you'll need to buy silent low cost hardware to run it (and it's a good deal more involved - though considerably more powerful).
We use these two for all of our client locations with offices of up to 100 or so people, for at least 7-8 years or more.
or smoothwall or moonwall.
I agree. If you don't mind tinkering, pfSense is the way to go
I agree that pfSense is a great solution but I disagree about the tinkering . pfSense fits well in the mantra of "simple things can be done simply but complex things are possible". It needs little tinkering if you have a reasonably standard setup - say an internet connection plus a local network. It has decent defaults.
If you have a more complex setup (I have a LAN interface, a DMZ, a guest network, and a VPN interface as well as several additional software packages) then some tinkering will be needed.
It's what I use and clients can use openvpn. Works fine for me.
I think the question is do you want to constantly be fixing your firewall and routing rules and also troubleshooting problems that might cause you to tear your hair out? Or do you want to do this in a weekend or a few hours and have something that is pretty solid and stable? I see already that everyone is recommending their favorite firewalls. What you want to get is an enterprise grade firewall. For this reason you should look at the Cisco ASA line (You can get one eBay for about $300), or a Dell Sonicwall. Note that you need to spec all of these to your needs. And remember there is no such thing as total security whether you have spent $100 or $100,000 on your firewalls.
http://www.smoothwall.org/
Given a choice between "do a Google search" and "ask an expert (Slashdot?)", any reasonable person would choose...both. Is that really so bad?
By far the best solution I've come across. It's an enterprise class product you can use at home for free. All you need is a PC with a couple NICs. I use a cheap fanless Dual Core 2GHZ Atom machine with a couple gig of RAM. It's a turn key solution with a lot of options.
It has all the whiz bang VPN and firewall features you'd want. Plus a bunch of intrusion detection, malware and virus features. Really the feature list is huge. The only limit is the home edition is limited to 50 active devices.
Actually i would recommend m0n0wall. This is what pfsense is built upon - but without the kitchen sink its even lighter. And m0n0 does everything he asks excellently.
The netgate solution is a bit less: http://store.netgate.com/NetgateAPU2.aspx
I guess OpenVPN would be out of the question. I'm installing mine on a Raspberry Pi running Raspbian.
This. I have one at home, and install them for clients who need to replace SonicWalls and the like. Very hackable, very stable, very fast.
I've been using since it was a German Company called Astaro. Good stuff.
pfSense works well but Untangle is also worth mentioning (http://www.untangle.com/). It has all sorts of pluggable modules like VPN client/server, ad blocking, intrusion detection, etc. I've been using it for a few years on modest hardware (Intel Atom with 4G of RAM and a 1TB green disk) and it's always worked flawlessly.
Sophos software utm with a home license. the license is free. you will have free ssl clients and web filtering.
I have a pc in my living room that is on 24/7 and serves as my media server (xbmc) and storage (hardware raid + lvm + nfs). It's also my compile machine so I invested two years ago in a i7 3930k with 64GB ram and loads of disk space. I'm running the community edition of Astaro Firewall (nowadays called Sophos UTM http://www.sophos.com/en-us/pr...) under kvm. I purchased on ebay a quad port intel 1GB NIC which is reserved for my firewall VM. I have one port connected to my ISP, one to my internal network via a real hardware switch, one to a dmz VM, and one to my wireless AP. The system is rock solid, Sophos UTM is being updated on a regular basis, has a long list of nice features, including OpenVPN and iOS/Android friendly VPN solutions, with clients for linux/mac/windows/ios/android. The interface is super nice. And since a few versions ago it supports google authenticator for a two factor authentication, both to the admin console and the user portal, as well as the VPN. Very very nice feature. Works with iOS and Android, NetworkManager, etc.
In the past I was using netbsd on an old powerpc machine, then ipcop on the same powerpc machine (I was the guy who ported ipcop to ppc and sparc), then ipcop on x86 under vmware server, then ipcop under virtualbox, then astaro firewall under virtualbox. I switched to kvm+qemu because I was not happy with the virtualbox network performance. I even played with PCI passthrough to have complete control over the network card. Finally I settled on libvirt + kvm with astaro firewall. I'm running all this under LFS (linux from scratch), but this setup can be easily replicated on any modern distro: Fedora, CentOS, Debian, Ubuntu, you name it.
Or you can try and roll something yourself, based on iptables, whatever. But if you're not into monitoring security mailing lists for the latest vulnerabilities, you're better of with an off-the-shelf commercial product with a free community offering.
well played sir!
I like embedded boards, but most of them are just horrible value. If space/power/etc isn't an issue, grabbing a PC from a junk pile and throwing a couple NICs in it will be far more cost effective. Pretty much the only network-centric embedded board I've seen with truly good value was the Ubiquiti Routerstation Pro but sadly it's discontinued.
What do you think about Untangle? (untangle.com) You can buy appliance version of it too.
as the subject line indicates, i use the rt-ac56r (~100usd at walmart) as my primary router and with the asuswrt-merlin fork i have dual simultaneous openvpn servers configurable from the webui. awesome router. and true to asus' renown for keeping old devices updated, the 'adaptive qos' based on trendmicro's DPI based system is on its way to this venerable device, which premiered in the latest model, the rt-ac87u
Unless you have a computer laying around, I strongly recommend getting an off the shelf solution using a router with capabilities built in. One good example I can point out is the Cisco Small Business RV215W Router. For $100-ish off Newegg, you get a full router with ACLs, QOS, VPN, VLAN, and more. If you like your current router, set up your current router to forward VPN traffic to this device. Best part is that it is small, quiet, and energy efficient when compared to a full computer.
There is nothing wrong with using a custom computer and throwing Linux on there with a software package to handle VPN, but based on your description, I think this would be a better fit unless you really want to go in depth on learning VPN technologies. By the sound of it, you just want something easy to set up and manage with little maintenance.
Dare I raise the suspicion, that the underlying Linux is to blame? pfSense, on contrast, is based on FreeBSD and is — as mentioned by numerous people here — quite usable even on old celerons...
I have pfSense running on a dual-core mini-itx Atom board with on-board Intel GB NIC, a Intel PCI-E GB NIC, 2GB RAM, and a CompactFlash to SATA adapter for storage: this setup has gotten me enterprise level performance and reliability, no matter what I throw at it - IPSEC VPN, off-site video monitoring, a Plex server serving up to six WAN side clients at once, etc. It has never frozen/locked up, it controls my commercial grade UPS which all networking gear in my riser closet is connected to, and it consumes about 13 watts under full load.
This indeed. I have pfSense running on one of these with a 60 Gig SSD drive. If it wasn't for the cat trying to hide behind it I wouldn't even know it was there and running.
++1
Seriously. I've used Mikrotik (hostile Latvians [check], and buggy firmware [super check] - really the rant list is too long to enumerate here!) and am moving lots of stuff to UBNT.
The edge-router line is frankly totally incredible.
And speaking of VPN - they have an OpenVPN that actually supports the full spec, rather than the totally neutered one 'Tik does.
Real IPSec firewall interfaces! [L2TP where IPSec can get bypassed? Another 'Tik exclusive!]
(Do I sound kind of bitter about 'Tik? :) Yeah, I've got quite a number of people on 'Tik stuff, but given their hostility [it's legendary] and crap firmware [firmware russian roulette anyone!?] and a host of other issues - I'll be glad to have all my clients off onto Ubiquiti's stuff. )
Learning curve is steep, but no more than equivalent products - for example 'Tik, Cisco etc. It's a Vyatta based platform. UBNT's forum is incredible, as are UBNT staff themselves.
Virtually any UBNT product I'd not hesitate to buy. It's *incredible* value.
---
As for a router on a PC or some other idea...
It's way less power than a franken-PC.
Solid-state disks. [less mechanical failure possibilities]
Massive packet throughput. [1M pps for the $100 ER Lite, 2Mpps for the 8 port versions!] Based on Debian. Rocks.
Damn cheap!
Quiet!
And best of all. Really pretty easy, quick.
Basic stuff won't require a lot of work/time. If you want more, pretty much the sky's the limit. But more fancy stuff will take more time.
But basic functionality - probably a couple of hours start to finish.
Good luck!
Try http://www.gargoyle-router.com... It is a nice front-end for OpenWrt and has an OpenVPN plug-in.
Get The Book of PF
The above is a rather nice little box. At half this price I would buy two.
I was going to reply to the original poster that if he had to ask he could not get there from here. The above system has the critical two Gig-E network ports. He would have to install and learn how to administer a linux system or install a pile of odd things on top of an IMO fragile WindowZ OS. Full blown Win-Server software that can get the job done costs more than the hardware.
The best bet is to run the router that the ISP gives you and then use that as the basic firewall and allow one port access inside to a machine that runs VPN software. That machine could be the above or it could be anything else.
The obvious other place to start is to Google for "gig-e router vpn".
When shopping VPN solutions make sure all three bits are working.... Client, server, firewall...
VPNs are interesting... they punch a hole in a firewall that once inside other security must be in place. Badly structured VPN solutions increase the footprint and enable many worms, viruses and other cruft to run free. Well structured good things happen.
Full blown Win-Server software that can get the job done costs more than the hardware.
No, not really. Windows has the easiest internet-sharing and vpn configuration wizard you'll find. And it's not half bad, but...
The above is a rather nice little box. At half this price I would buy two.
I have an equivalent box. Instead of pfSense (which, besides the gui and the easy VLAN setup, is a crappy system for everything else), I run FreeBSD 9.2. And I use it everyday to tunnel into my windows machines with RDP via SSH :)
I would highly recommend ZeroShell, it's easy to configure as the name implies no shell required, and it's full of advanced features such as turning your wireless card into a WiFi router and multi-wan fail over, for redundant internet connectivity. This could be useful if you want to use your cell phone's internet for a backup to your main net connection. I just deployed it at my job to replace a Cisco router and access point and I'm not even considering going back to the old hardware. As for security, let's just say after I deployed the firewall rules our PCI compliance auditor couldn't even detect any open ports (even though there are many services running). This distro supports 3 different kinds of VPN access (OpenVPN, IPSec, & PPTP) depending on your preference. It also has easy to install add-ons such as integrated Anti-Virus for all incoming traffic, along with bandwidth monitoring, proxy caching, and content filtering. Check it out at www.ZeroShell.org
Or you can get a used Watchguard Firebox XCore or XCore-e series for around $50-100 on ebay. Drop in a 2 or 4GB Compact Flash and you're in business. Looks professional with working LCD display with a few modifications. I'm not sure about throughput over VPN so that could be a dealbreaker for some. The XCore-e series has gigabit NICs if you need the extra bandwidth. https://doc.pfsense.org/index....
I'd go off with the DIY solution. Inside expensive branded solutions you are bound to find usual PC components anyway - Pentium 4 but with ddr3 ram. And known Cisco issues like revert 10- firmwares backwards and install each firmware update one after each other, else it does not work... also make me steer away from branded pre-made solutions.
Quite helpfully if you want to have a look, at what it supports, they've put the UI online:
http://event.asus.com/2012/nw/...
There is more than one way to do it.
1. Raspberry Pi (not practical)
RPi + linux + iptables + openvpn
pros: cheap, low power (5W), no noise, low heat
cons: 1 100Mbps port only, usb-ethernet/usb-wifi + additional switch needed, usb performance not good. Not recommended unless your outer ethernet side is very slow.
2. DD-WRT + supported hardware (ap/router)
AP/router (typically arm based) + linux + iptables + openvpn
pros: relatively cheap (depends on hardware model), low power (typically 10W), no noise, low heat, integrated WIFI/wired ports, small, clean looking.
cons: limited internal storage/memory. May brick your hardware if you are not careful enough (and void your warranty). Useful for dedicated role (firewall, vpn) only;
may use for printer/file server or other role if your hardware has usb port, but (typically) slower than full pc.
3. Mini ITX based PC
Low-end bay-trail based Mini ITX motherboard (j1800 recommended) + dc-dc power + 12V power brick + small case + storage + linux/bsd(?) + iptables/pf(?) + openvpn
pros: versatile (file/full printer (cups)/application (ex. minecraft) server capable depending on configuration, up to 8/16GB ram + TBs of storage),
still can be made fanless & no noise if you've planned well,
relatively low heat (warm) if you leave it on open space
cons: most power hungry (~15W, depends on configuration), additional usb-ethernet adapter/switch/wifi needed, biggest of all above (20cm*20cm*5cm + brick)
tips:
- for cheap 12V power brick, look for power brick for LCD monitors (12V 3.5A/5A SMPS - depends on your system's power usage - widely manufactured)
- about iptables, read iptables tutorial on frozentux.net
- p910nd - light, spoolless (no file operation) print server daemon. turn your cheap usb only printer to always-on networked printer even on limited storage platform.
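All three builds above end at iptables, the Raspberry Pi post earlier in the thread has trusted clients use the VPN as their gateway, and one reply warns that a VPN punches a hole in the firewall behind which other controls must exist. The ruleset below is an added example and not code from any of those posts: a default-deny policy for a two-NIC box with an OpenVPN tun interface, written as a function that emits commands through $IPT so the whole set can be reviewed with IPT=echo before it is applied with IPT=iptables. The interface names (eth0/eth1/tun0), subnets, VPN port and the single LAN file server reachable from the VPN are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the thread: a default-deny ruleset for a box with
# a WAN NIC, a LAN NIC and an OpenVPN tun interface. Interface names, subnets,
# the VPN port and the one file server reachable from the VPN are assumptions.
# Set IPT=echo to print the rules instead of applying them.
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
VPN=${VPN:-tun0}
LAN_NET=${LAN_NET:-192.168.1.0/24}
VPN_NET=${VPN_NET:-10.8.0.0/24}
VPN_PORT=${VPN_PORT:-1194}
FILESERVER=${FILESERVER:-192.168.1.10}
IPT=${IPT:-iptables}

firewall_rules() {
    # Start from empty tables with a deny-by-default policy on INPUT and
    # FORWARD; anything not explicitly accepted below is dropped.
    $IPT -F; $IPT -X; $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP

    # Anti-spoofing: inside addresses must never arrive on the WAN side.
    $IPT -A INPUT -i "$WAN" -s "$LAN_NET" -j DROP
    $IPT -A INPUT -i "$WAN" -s "$VPN_NET" -j DROP
    $IPT -A FORWARD -i "$WAN" -s "$LAN_NET" -j DROP

    # The VPN listener is the only service exposed to the internet.
    $IPT -A INPUT -i "$WAN" -p udp --dport "$VPN_PORT" -j ACCEPT

    # LAN hosts get DNS, DHCP and SSH from the router itself.
    $IPT -A INPUT -i "$LAN" -p udp -m multiport --dports 53,67 -j ACCEPT
    $IPT -A INPUT -i "$LAN" -p tcp -m multiport --dports 22,53 -j ACCEPT
    # Remote VPN clients get DNS and admin SSH on the router, nothing else.
    $IPT -A INPUT -i "$VPN" -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -i "$VPN" -p tcp -m multiport --dports 22,53 -j ACCEPT

    # Forwarding out to the internet: the LAN, and VPN clients that were
    # pushed redirect-gateway so their traffic leaves through the home uplink.
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
    $IPT -A FORWARD -i "$VPN" -o "$WAN" -j ACCEPT
    # The VPN is its own zone, not an extension of the LAN: a remote client
    # reaches only the hosts and ports listed here, so one stolen laptop does
    # not get the run of the house. Any other VPN->LAN packet hits the
    # FORWARD DROP policy.
    $IPT -A FORWARD -i "$VPN" -o "$LAN" -d "$FILESERVER" -p tcp --dport 445 -j ACCEPT

    # Masquerade both inside networks behind the WAN address.
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN" -j MASQUERADE
    $IPT -t nat -A POSTROUTING -s "$VPN_NET" -o "$WAN" -j MASQUERADE
}

# show_rules : print the ruleset without touching the kernel (review step);
# the subshell keeps IPT=echo from leaking into the caller's environment
show_rules() {
    ( IPT=echo; firewall_rules )
}

# Usage: show_rules to review; then, as root with net.ipv4.ip_forward=1,
# run firewall_rules and persist the result with iptables-save.
show_rules
```

The point of the review step is the two lines that are deliberately missing: there is no blanket `-i tun0 -o eth1 -j ACCEPT`, and no INPUT rule on the WAN other than the VPN port. A client that needs a second internal service gets another explicit FORWARD line, which is the "other security must be in place" the reply above is asking for. Running this against a live box also needs rp_filter and IPv6 handled separately; an ip6tables policy of ACCEPT would undo everything here for anyone with a v6 route to the WAN.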
I would rather see you utilize one of the newer Single Board Computer routers from a vendor like Mikrotik rather than spend far too much money for a Cisco ASA or SoHo solution.
As an enthusiast I would recommend the Routerboard CRS series for price and punch. It will provide the OP with all of the features he requested and a ton more that CISCO would charge a licensing fee for. The base cost will be around $149.00 for a CRS with 8 1Gbps Ethernet Ports, a Gbit SFP cage, and integrated 802.11N MIMO interfaces. http://routerboard.com/CRS109-...
Wanna build your own, you can add 802.11AC to any of their base boards and chuck it in an enclosure for rock bottom prices. -- http://routerboard.com/R11e-5H...
It supports Client and Server modes for IPSEC, OVPN, PPTP, L2TP, VPLS,GRE,SSTP and those are off the top of my head.
I'm not a salesman, just a nerd.
Casey Annis
P.S. If you go with Mikrotik, I'd be happy to do a TeamViewer session with you and get you started.
Cons:
I forgot to mention the stateful firewall with connection tracking and QoS systems with packet inspection rulesets. Casey
The RouterStation Pro was merely Ok.. for the value point. We sold a lot of them when I used to work for a WISP hardware provider but they had a ridiculously high 10% return rate compared to the less than 1% return rate on a comparable Routerboard.
I don't work there anymore but I still use Mikrotik RouterOS and Routerboard in my home and office. While comparable in price to Ubiquiti, they both beat the blue router pricing by a hundred country miles, and pound for pound the configuration interfaces are superior to blue router's old and busted command line. It just makes sense when you look at it.
The Mikrotik console commands actually resemble English.
I just set up a couple of sonic walls with site-to-site VPN enabled
Full blown Win-Server
software that can get the job done costs more than the hardware.
No, not really. Windows has the easiest internet-sharing and VPN configuration wizard you'll find. And it's not half bad, but...
The above is a rather nice little box. At half this price I would buy two.
I have an equivalent box, Instead of pfSense (which, besides the gui and the easy VLAN setup, is a crappy system for everything else), I run FreeBSD 9.2. And I use it everyday to tunnel into my windows machines with RDP via SSH :)
One caution is that Windows is not as secure an OS, perhaps because there is a rich set of stuff that is darn hard to replace or eliminate. A FreeBSD or Linux based firewall+VPN system can be pruned to an astoundingly short list of services and binaries. I say this but most Linux system owners do not do this, but it is better facilitated if you want to do it.
You open up a good context to make the point that a user should use what they know best. If the poster knows how to manage one system and not the other then the best answer for that user is obvious.
Opinionated discussions like this are really homework check lists for others. At some point consensus identifies a winner to learn first. Along the way issues, tools and options surface as alternatives worthy of research and may cause the consensus answer to change.
I am not a fan of consensus science but it does have its place.
Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn't. Mark Twain.
One caution is that Windows is not as secure an OS perhaps because there is a rich set of stuff that is darn hard to replace or eliminate.
I haven't seen one single landline direct-connection to the internet since the dialup/adsl days. Most consumers will have a router. The only exception is 3G/4G adapters, but the topic is about firewalling. And unless you're running a DPI appliance to check for binary malware, you're getting those in your windows machines anyway.
A FreeBSD or Linux based firewall+VPN system can be pruned to an astoundingly short list of services and binaries
As can Windows. And you can also take the easy approach of just closing any external port besides the VPN, leaving only potential attacks on the TCP stack and the VPN layer. I actually find it funny when people use firewalls on unix systems "as a checklist item"; most systems don't even require a firewall if properly configured. But yeah, let's badmouth Windows and forget the ton of distros that allow remote root login via ssh *by default*.
You open up a good context to make the point that a user should use what they know best. If the poster knows how to manage one system and not the other then the best answer for that user is obvious.
No. If the user knew what was best - or at least the options available - he wouldn't be asking this. Having guys following tutorials on the internet to configure stuff is not my idea of "secure", and he'd probably be better off buying a dedicated appliance with a nice GUI interface. While realizing that you exposed something from the internal system or used a weak password for root after your whole network was compromised does have its educational value, it is a dreadful experience for a non-unix nerd.
Just as a heads up, I measured 18Mbps (that is 1.8MB/s) with my OpenWRT TP-Link WDR4300 (with AR9344 @ 560MHz). I don't think off-the-shelf routers have any OpenVPN support, so no HW encryption engines.
If you need higher speeds, forget off-the-shelf routers (at least for the VPN end-points).
Why not get just a router (I've been contemplating a Netgear WNDR-4300) and load it with OpenWRT or even DD-WRT?
If OP wanted to do video transcoding/HTPC duties I could see the use for a full PC, but otherwise it is just a nuisance compared to a small, efficient, embedded system.
The main advantage of OpenWRT over $OTHER is its packaging system and ability to install updates without reflashing. It has good documentation and a great community too.
I'm pretty sure that I never mentioned anything about how old / new DD-WRT's software is. That said, the current version I'm running was released in June of this year.
You were saying?
bork bork bork!