Benefits of a Homebrew Router (arstechnica.com)
An anonymous reader writes: Jim Salter has posted an article explaining why it can be a good idea to build your own router, and how he put his together. Quoting: "In the consumer world, routers mostly have itty-bitty little MIPS CPUs under the hood without a whole lot of RAM (to put it mildly). These routers largely differentiate themselves from one another based on the interface: How shiny is it? ... I wanted to go a different route. A lot of interesting and reasonably inexpensive little x86-64 fanless machines have started showing up on the market lately. The trick for building a router is finding one with multiple NICs." Once assembled, the homebrew router blows away even high-end SOHO routers for throughput and performance. "Given that nobody's offering any Internet connections over 200mbps in my area yet, that makes my inner crypto nerd dance with glee. I could literally encrypt every single byte of my Internet traffic, in either direction, without a performance penalty." Of course, it won't do wireless, but you can get separate wireless access points to handle that.
Raspberry Pi, USB Ethernet dongle, power supply... about $40. Does 30 Mbps with full iptables, NAT, dual stack IPv4 and IPv6; speed test is 30 Mbps flat out. My ISP rate is 30 Mbps ... If you have access to > 100 Mbps, great, but outside of Google cities isn't that kind of rare? Don't see the point of a $300 homebrew router.
Been using a Pi for years. Have two spares. No moving parts, no fan, low power consumption...
Homebrew used to be about doing better than what you could get off-the-shelf.
In this case it sounds like it's better in some small, useless way, while being far worse in so many others. Now he's got throughput he can't actually use, but is missing critical functionality like wireless support.
I think this decline in the quality of homebrew reflects what has happened to the Linux community as a whole lately. The quality has dropped like a rock. So much Linux software has gotten worse. GNOME 3 looks awful. Systemd and PulseAudio still have caused me nothing but trouble. Firefox gets worse with each release. Wayland is nowhere to be found.
We need to restore the glory of homebrew projects. We need our homebrew projects to be better than the commercial off-the-shelf offerings. We need to not build something that's slightly better, but also far worse. We need to build something that's better in every way.
We need to restore the glory of homebrew projects!
More memory doesn't necessarily make things faster if you have multiple streams and limited bandwidth. You can wind up with a situation where you have a lot of data queued in the buffer, and this botches TCP congestion control so that you wind up getting really poor throughput. Google "bufferbloat" for details. Using a crappy external wireless AP makes this worse. You really do want the wireless card to be treated as a first-class network interface on your router. Unfortunately, wireless drivers are usually closed-source, often have internal bufferbloat problems and other bugs, and can't be updated.
The article's main point, that a faster CPU in the router is wicked awesome, is completely true, of course. You just want to make sure you're running a recent Linux kernel that does a good job of queuing in the presence of a congested link. :)
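The two comments above boil down to a check and a fix: find out which queueing discipline the router's WAN interface is actually running, and if it is still the kernel's default FIFO, install an AQM (fq_codel or CAKE) shaped to just under the ISP rate so the queue forms where the router can manage it. The script below is an added example, not code from the article or from either commenter; the interface name, the ISP rate and the two samples of `tc -s qdisc show` output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not the poster's code): inspect the queueing discipline a
# Linux router is actually using and plan a CAKE shaper on the WAN side.
# Assumptions: iproute2 'tc' is present when applying; interface names and
# the sample 'tc -s qdisc' output below are constructed for illustration.

# Constructed sample of 'tc -s qdisc show dev eth0' (kernel default pfifo_fast root).
SAMPLE_DEFAULT='qdisc pfifo_fast 0: root refcnt 2 bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
 Sent 123456 bytes 789 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0'

# Constructed sample after fq_codel was installed and the link was congested.
SAMPLE_FQ='qdisc fq_codel 8001: root refcnt 2 limit 10240p flows 1024 quantum 1514 target 5ms interval 100ms memory_limit 32Mb ecn drop_batch 64
 Sent 1234567 bytes 9876 pkt (dropped 12, overlimits 0 requeues 3)
 backlog 45000b 30p requeues 3'

# root_qdisc <tc output>: print the name of the root queueing discipline.
root_qdisc() {
    printf '%s\n' "$1" | awk '$1 == "qdisc" && $4 == "root" { print $2; exit }'
}

# qdisc_drops <tc output>: packets the root qdisc has dropped (AQM doing its job).
qdisc_drops() {
    printf '%s\n' "$1" | awk '
        /dropped/ { sub(/.*dropped /, ""); sub(/,.*/, ""); print; exit }'
}

# qdisc_verdict <tc output>: "ok" when an AQM (fq_codel or cake) is the root
# qdisc, "bloated" when the kernel default FIFO is still in place.
qdisc_verdict() {
    case "$(root_qdisc "$1")" in
        fq_codel|cake) echo ok ;;
        *) echo bloated ;;
    esac
}

# shaper_rate_kbit <isp_rate_kbit>: shape to 95% of the ISP rate so the queue
# builds in the router (where CAKE can manage it) rather than in the modem.
shaper_rate_kbit() {
    case "$1" in
        ''|*[!0-9]*) echo "rate must be an integer in kbit/s" >&2; return 1 ;;
    esac
    echo $(( $1 * 95 / 100 ))
}

# plan_cake <wan_if> <isp_rate_kbit>: print the tc command that installs CAKE.
# 'replace' is idempotent, so re-running it from a boot script is safe.
plan_cake() {
    rate=$(shaper_rate_kbit "$2") || return 1
    printf 'tc qdisc replace dev %s root cake bandwidth %skbit\n' "$1" "$rate"
}

# Run as: sh this.sh apply eth0 30000   (needs root; default mode only prints)
if [ "${1:-}" = "apply" ]; then
    cmd=$(plan_cake "$2" "$3") || exit 1
    echo "applying: $cmd"; $cmd && tc -s qdisc show dev "$2"
else
    echo "default qdisc: $(root_qdisc "$SAMPLE_DEFAULT") -> $(qdisc_verdict "$SAMPLE_DEFAULT")"
    echo "fq_codel qdisc: drops=$(qdisc_drops "$SAMPLE_FQ") -> $(qdisc_verdict "$SAMPLE_FQ")"
    plan_cake eth0 30000
fi
```

Run it without arguments to see the verdict on the two sample outputs and the planned command; feed it the real `tc -s qdisc show dev <wan>` output to check a live box. A non-zero `dropped` count on an fq_codel or cake root is healthy: those are the early drops that keep TCP from filling the buffer. CAKE needs a kernel of 4.19 or newer; on older kernels substitute `fq_codel` under an HTB class at the same rate.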
I have been using a PC with 2 Ethernet cards running a Linux distro specifically for this kind of thing for years. It has antivirus and ad blocking at the router level and handles some other important things. Would never go back to before.
Around 2001 I bought an Alpha PC164 board and it ran NetBSD for nearly a decade as my home router/firewall/server. Never once had a freeze up or other hardware issue. As a bonus feature I picked out the correct NIC/video/SCSI cards so it could run OpenVMS and Tru64.
Only the State obtains its revenue by coercion. - Murray Rothbard
I have a managed switch, and an Intel NUC with one network interface. Luckily, the NIC supports VLAN. I installed the free VMware ESXi on the NUC, and attached it to the managed switch (port configured as "trunk"). I created two VLANs: one for the incoming internet connection, and one for the local network. Then, I created a virtual machine with two virtual NICs, one for each VLAN. Then I installed the VyOS router on it. The ESXi software is installed on a cheap USB stick which is plugged into the Intel NUC, and I use my Synology NAS for storage for the virtual machines (using NFS). So, no internal hard disk required for the NUC.
:-) This was just for testing purposes, but it worked quite nicely. I'm sure you can also plug a USB Wi-Fi dongle into the NUC, and assign it to one of the VMs you want to act as a Wi-Fi hotspot.
So now, I have a single machine with only one NIC, acting as a router.
...You are over-qualified and under-paid. If we give you a raise, we will break the cosmic balance of the universe.
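The same "one trunk port, two VLANs" router can be built directly on a Linux box without ESXi or VyOS, and the firewall it needs is the same one the Raspberry Pi post further up describes (stateful filtering, IPv4 NAT, working IPv6). The script below is an added example, not the setup of either poster: it uses iproute2 VLAN subinterfaces and an nftables ruleset instead of a virtual switch and VyOS, and the trunk interface name, VLAN IDs and LAN prefix are constructed assumptions.

```shell
#!/bin/sh
# Added example, not the poster's setup: the "one NIC, two VLANs" router built
# directly on Linux with iproute2 VLAN subinterfaces and an nftables dual-stack
# ruleset. Assumptions (constructed for illustration): trunk NIC eth0,
# VLAN 10 carries the WAN, VLAN 20 carries the LAN.

TRUNK=${TRUNK:-eth0}
WAN_VID=${WAN_VID:-10}
LAN_VID=${LAN_VID:-20}

# vlan_cmds: the ip(8) commands that create the two 802.1Q subinterfaces on the
# trunk port. Printed rather than run so the plan can be reviewed first.
vlan_cmds() {
    printf 'ip link add link %s name %s.%s type vlan id %s\n' "$TRUNK" "$TRUNK" "$WAN_VID" "$WAN_VID"
    printf 'ip link add link %s name %s.%s type vlan id %s\n' "$TRUNK" "$TRUNK" "$LAN_VID" "$LAN_VID"
    printf 'ip link set %s.%s up\nip link set %s.%s up\n' "$TRUNK" "$WAN_VID" "$TRUNK" "$LAN_VID"
}

# ruleset: dual-stack nftables rules. Default-drop on input and forward,
# stateful return traffic, IPv4 masquerade toward the WAN only, and the ICMPv6
# types without which IPv6 (neighbour discovery, PMTU) silently breaks.
ruleset() {
    wan="$TRUNK.$WAN_VID"; lan="$TRUNK.$LAN_VID"
    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        iifname "$lan" accept
        icmp type echo-request limit rate 10/second accept
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, echo-request, packet-too-big } accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "$lan" oifname "$wan" accept
        icmpv6 type { packet-too-big, time-exceeded, destination-unreachable } accept
    }
}
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "$wan" masquerade
    }
}
EOF
}

# check_ruleset: static sanity checks to run before loading: both filter chains
# default-drop, NAT lives in an IPv4-only table, and masquerade binds to the WAN.
check_ruleset() {
    rs=$(ruleset)
    n=$(printf '%s\n' "$rs" | grep -c 'policy drop;')
    [ "$n" -eq 2 ] || { echo "expected two default-drop chains, found $n"; return 1; }
    printf '%s\n' "$rs" | grep -q '^table ip nat' || { echo "NAT table must be ip (IPv4) only"; return 1; }
    printf '%s\n' "$rs" | grep -q "oifname \"$TRUNK.$WAN_VID\" masquerade" || { echo "masquerade not bound to WAN"; return 1; }
    echo ok
}

# Usage: sh this.sh          -> print the plan and run the checks
#        sh this.sh apply    -> create VLANs, enable forwarding, load rules (root)
if [ "${1:-}" = "apply" ]; then
    check_ruleset >/dev/null || exit 1
    vlan_cmds | sh -e
    sysctl -w net.ipv4.ip_forward=1 net.ipv6.conf.all.forwarding=1
    ruleset | nft -f -
else
    vlan_cmds; ruleset; check_ruleset
fi
```

Two points a reviewer would look for are built into `check_ruleset`: the NAT table is `ip`, not `inet`, so nothing ever masquerades IPv6, and the forward chain only opens LAN-to-WAN, so a host on the WAN VLAN cannot reach the LAN except through established connections. Addresses and DHCP/RA for the LAN side are left to whatever the box already runs.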
Ubiquiti EdgeRouter is exactly this: dual core MIPS64 @ 1 GHz, 512 MB memory and a removable USB flash stick for storage.
https://www.ubnt.com/edgemax/e...
This is ample for my needs. I bought the 3 port version about a year ago for £80.
https://blog.netbsd.org/tnf/en...
As of today, NetBSD-current has an uptime of about 6 months - which is when I made the last kernel modifications to support the NPF firewall.
This is more uptime than any other SOHO gear I have and the performance of the unit is exceptional.
These guys sell a tiny "travel router" (or just the board if you like) that goes for $25 on Amazon. Crucially it has 2 ethernet ports (albeit only 100Mbits), along with Wifi. It ships with their modified version of OpenWRT but takes only a couple minutes to flash to the latest fully open-source version. From there, going further into homebrew is trivially easy. I find it a better starting point than a raw Linux distro, and the low power consumption just cannot be beat. If you want to go Linux and don't have a fat pipe, I recommend it.
Yes, that has higher power consumption than buying something brand spanking new. However, it was $50 with 4GB RAM and a 500GB disk. I have a separate AP, currently a WRT54G running OpenWRT. It was $10 or less, yard sale. I have a Phobos quad-intel card, I think I paid $5 for that. The savings cover the power budget delta for some time nicely, and eventually I'll get something else when it's cheap. The problem was, I couldn't find a cheap SFF with both dual Ethernet and a PCI slot for my quad-ether card. They all cost a hell of a lot more than just buying a cheap used machine. This machine has enough horsepower and RAM left over to run servers as well, so I installed webvirtmgr on it and I have KVM-based VMs.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Overall I've had a positive experience with Soekris devices. However, let me tell you why I won't be buying any more of them:
1. Cases badly designed for cooling. Unless you add a fan, you will have to put the case vertically in summer.
2. Disregard for OS support/integration. These things are supposed to work on Linux and BSD, but when something goes wrong (i.e. the device hangs) or the hardware doesn't work as well as it should, they just blame the OS and don't even investigate. They might offer an RMA if it's under warranty, but the issues will continue for sure.
3. As soon as their latest device comes out, support for the older ones stops. For example, they promised to add USB boot support for the net5501, but as soon as the net6501 came out, they just forgot about it.
Other minor ones: closed BIOS and the price is not great.
For those of us who want quality, but don't want the hassle of complicated configs, the Unifi USG is pretty nice as well - and it's cheap.
https://www.ubnt.com/unifi-swi...
So far, I'm a big fan of what Ubiquiti is doing these days.
Mini ITX motherboard, case and power supply. All done if you buy one with two Ethernet ports, or just add an Ethernet adapter for the second.
I use a Gigabyte H77N-WIFI; it has dual Ethernet and absolutely rocks with a small SSD and only 2 GB of RAM. Blows out of the water absolutely every bit of "router" hardware, even with a very low-price processor.
Run IPCop, m0n0wall, pfSense or Smoothwall and you are done in less than a couple of hours with a device that makes Cisco enterprise stuff look like a toy.
Do not look at laser with remaining good eye.
Ubiquiti EdgeRouter Lite does 1 Gbps w/ NAT, DPI, OSPF, BFD, MPLS, GRE, etc. Around $99 at most retailers. Oh yeah, IPsec hardware offloading as well.
His reference to "home grown" as substandard pipe filler is to marijuana.
Calm yourself. Homebrew is alive and well, you just have to bust out of whatever caused that outburst and read up on your topic of choice. I mean, homebrew aviation is dead? Have you missed how we can build a 30 minute airtime drone with $300 of parts from Amazon? With an HD camera on board?
I've been using this PC Engines board for over a year now and it's been the best router I've ever owned. Has 3 Gigabit interfaces, SD card, USB, RS232, mSATA, Mini PCIe, SATA, and GPIO. Packs a 1 GHz dual core and 4 or 2 GB of RAM. Its case is also designed to mount antennas for the WiFi card so it looks sleek while doing it.
www.clearfoundation.com It's a super nice piece of software.
I've never really understood why firewalls with just one interface are an issue; I've been running that in different ways since 2000.
Ok so you're going to fiddle with making your own firewall.
You use a dedicated bit of hardware, $240 for a useless fixed config box. I can get a more powerful laptop that is also silent and can run multiple VMs for the same or less. It also has a built-in UPS and Wi-Fi that may be able to be used as an AP; a USB 3 to gigabit dongle takes care of the second port.
You install Ubuntu and throw a few iptables rules in, because obviously years of getting to a sane default with pfSense etc. means nothing.
You still need a Wi-Fi AP, and generally the standalone APs cost more than a router.
If you're doing this I would assume you already have a VM host in the house that you could just run pfSense on. I did this for a decade. You can get 40+ Mbps of VPN traffic out of a high end Wi-Fi router. Mind you, routers used to come with bits like the BCM5365P that could do 75 Mbps in hardware (and that is an ancient 2005-ish chip).
No sir, I don't like it.
No, I will not calm myself. I will fight to the end in order to restore the glory of homebrew projects!
It is not homebrew when you buy an assemble-it-yourself drone kit. All that does is convert the assembly effort from some Chinese peasant toiling in a factory to you. You did not craft the product yourself. And your end product is no different than that of anyone else who used the same kit.
By its very nature, each homebrew project will inherently be unique. It will have been built with what the builder has at hand. Some of the parts will be fabricated from others. They won't just be bought from Amazon and glued or screwed together, for crying out loud!
What you're talking about is a purified and refined misunderstanding of homebrew. I don't even want to call it homebrew, it's so far from the idea of homebrew. You're talking about self-assembly. We're talking about homebrew.
We need to restore the glory of homebrew projects!
I run pfSense in a VM on ESXi and can do snapshots before upgrades or before I want to tinker with my config. I have 3 separate VPN configs (site to site, remote access for others to a DMZ on my network which also lives in the ESXi virtual network switch, and a path for my mail to flow in from a VPS hosting my inbound SMTP gateway) and there are many interesting plugins available to do things like live graphical traffic monitoring if you are curious what is using your bandwidth. pfSense is also regularly patched. The idea of my router staying up for years at a time in this day and age makes me question how you are getting security updates on that device. Or perhaps people are just referring to the hardware staying up for that long. At one point I even had pfSense load balancing two internet connections but that idea died when budget cuts were mandated by the household council.
Jesus Murphy, the term "homebrew" came from people who used to brew their own beer at home. We rarely see this done these days, and even those who do it make a shitty lager or a pissy ale.
That's almost certainly because most mash tuns run systemd now. The best systemd can do is a shitty lager or a pissy ale.
A proper IPA can only be done with Sys V init.
Bought a dual NIC fanless MITXPC and never looked back. I love the machine; it's quiet, reliable and small.
You can get them with more than 2 NICs as well (I suggest you do, for versatility reasons). There are a few builds you can run on these things: pfSense, Smoothwall, etc.
http://www.mitxpc.com/
http://www.smoothwall.org/
https://www.pfsense.org/
http://suricata-ids.org/downlo...
"If any question why we died, Tell them because our fathers lied."
I just solved this problem with MikroTik's boards (mikrotik.com; routerboard.com). They are extremely cheap and the software, RouterOS, is far more approachable than dealing with iptables. Includes a GUI tool as well, called WinBox.
I have a small nettop with AMD E-350, and it works fine as:
* ADSL/Wifi Router. Does IPv6 like a champ as well.
* File server
* Media box- it's connected to the TV & speakers.
* Backup device
* 2nd machine for some software experiments.
* Whatever else I want it to be.
I tried looking into getting some ARM SOC or off-the-shelf router, but decided it's not worth the hassle. The only thing I would gain is lower power usage, for much weaker CPU/GPU/memory/storage, and much more problems dealing with exotic hardware.
--Coder
The last router I'd need would be an actual enterprise grade equivalent gigabit layer 3 switch that is fanless and doesn't cost more than about $200. Because of those last two requirements, I don't think I'll ever find one.
The summary said something about pitiful CPU and memory configurations in router hardware. I just went to the Soekris website... For that kind of money one builds passable gaming rigs not 1.6 GHz with 2 gigs of RAM.
I don't pay any attention to fanless, but refurb Cisco and other high-end gear can often be had for a song.
Liquid-8 Technology has some deals. http://stores.ebay.com/Liquid-...
Are you sure you're not thinking of commercial microbrewing?
He's thinking of home brewing:
https://www.brewersassociation...
If you're the GGP, then in addition to being a completely insane person, you definitely haven't tasted what homebrewers are making.
Okay. http://www.fit-pc.com/web/prod...
I have been running my own router/firewall for years, and I will never go back. Mainly I run it on an old Dell desktop I picked up online for $75. I used Untangle as the OS for a couple of years, but they don't offer many features in the free version, and their paid version is way too expensive. Then I found Sophos UTM, and in their free version they offer everything, just limited to 50 devices. So far I have had no problem with that limit. I am really happy with the performance even on my old desktop. I will probably upgrade it to use newer, more power conserving hardware, but that is not a huge priority because power is cheap where I am.
For wireless I run a couple of access points around the house and I have never had any problems.
Most (if not all) PC BIOSes have a "Power State on AC" option, with the choices typically being "Off", "On", or "Last State". Switch this to "On" and the PC will automatically start up when the power comes back.
It's likely not beer sales, but the equipment and ingredients to make beer. I've only been brewing for two years, but I've noticed a large uptick of people in my local home brew store every time I'm there.
Either use it as a bridge/modem, or run Ethernet to the ONT (box outside). If you do the latter, you have to call Verizon to let them enable that port.
Because it's negligible past a certain point. Who cares if it uses 25 W instead of 5 W, that's a whole $2 a month for me.
Home brewing beer is most definitely growing, as evidenced by the much larger variety of gear and vendors to choose from today vs when I started 10 years ago.
I brew in 5 or 10 gallon batches. Most definitely not a commercial operation. And I would never waste time brewing "a shitty lager or a pissy ale". If I want that stuff, I can buy it off the shelf for less money than what I typically spend on ingredients for a batch. (not to mention time and effort.)
http://www.pcengines.ch/apu.htm These things are great. More expansion options and more purpose-built than the little boxes you might find on Amazon or similar in the same category. Really just more capable in general. Passive cooling, runs anything you want to put on it, dedicated serial port, GPIO, mPCIe expansion. It's perfect for this 'homebrew' stuff, especially a firewall/network appliance.
I dug into building my own when I wanted more control over DNS servers but didn't want to run that in a VM or have a large dedicated machine. I eventually had it take over DHCP services too.
http://www.pcengines.ch/apu.ht...
US Vendor
http://www.mini-box.com/
Works real well with BSD and it even has WiFi in the box I built.
Uh, can I use this as a sig?
Ubnt edgerouter
I'm a fan of their stuff so I recently picked one up to play with and use as a backup to my Juniper.
While the features are there, actually configuring and using them is a PITA that is fraught with frustration if you have any experience with real enterprise level gear.
The biggest frustration for me was its inability to load full structured (e.g. not a list of set commands) config files from a default configuration. The problem is that rather than wipe the existing config and apply the new one, it does it sequentially and not in a transaction. This causes problems when it realizes that you've deleted the default firewall, but it fails to remove it because an existing interface is still referencing it, even though later in your config you change the settings for the interface and remove said reference. In such cases it also leaves the configuration in an odd state, as some things get applied and others (even unrelated to the errors) aren't.
After 2 months of fighting with it and still not being able to replicate my Juniper config I ended up dropping another $400 on a new Juniper to be my backup/dev router.
I like the idea of the Edgerouters, but they just aren't there yet. At least I'm only out $50 for it though. It certainly has a lot for $50!
USB Ethernet limits network and any disk is also on the same bus.
Most cable systems are pushing 50-100+ for most. XDSL2 45-75 (some areas 100).
gigapower 300/300 or 1G / 1G
Have you missed how we can build a 30 minute airtime drone with 300$ of parts from Amazon? With an HD camera on board?
I must have missed it. As a beginner quad aviator, do you have any more information on this $300 super drone?
And that USB bus limits you to about 35-40 MB max; the hard disk also eats into that on the Pi.
No really why?
Performance? I have a 200/40 connection at home. The cheap nasty ISP provided piece of shit all in one modem, wifi router, gigabit switch in a sexy looking package has absolutely no issue with performance.
I also have a nice server with multiple gigabit NICs in them. All unused. I wouldn't think of using it as a router. There is just really no point.
The last PC that I converted for firewall use required someone to push a button to start it.
5 volt cap across the power button leads. Or so I have read. Value of the cap and... Vth? of the transistor the power button is connected to collectively determine the on-delay. Google for more. My problem with PC hardware is what happens when the CMOS battery dies. Guess what? We have time sync support in our operating systems these days. If the RTC is wrong, I don't care.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Net6501 is crap. I have a 5501 and it was already crap. And here is why: it is largely overpriced. It has only 1 core and low frequency, and no special functions compared to a good i5 or i7. RAM is always low for an x86. Every Ethernet port is its own device, so VLAN and bridging happens on the kernel side, AKA the CPU. You can easily buy 2 or 3 ARM-based custom routers for its price, all 4 cores and all with a switch chip with VLAN support.
I already had a server, so when I got gigabit fiber Internet and my old router would only give me ~300 mbps with NAT, I fired up a VM, gave that a couple network ports, and installed the free-for-home-use Sophos UTM. I then repurposed my old router to be simply a wifi AP. The Sophos is giving me high 800s, low 900s throughput just doing NAT and firewall, and dips down to 300 mbps or so if I enable IPS (Intrusion Prevention System.) The interface and documentation aren't the best, but work well enough I suppose. The main issue I've found going the VM route is that kicking off a server backup was causing the VM to snapshot which paused its processing for a few moments, dropping some network connections.
My home router is a NetGear R7000 NightHawk Router with TomatoUSB firmware by Shibby. Tomato firmware is notoriously stable on most of the platforms it supports and it's feature loaded with VPN and a huge number of other features. It also features an extremely nice front end GUI interface and is more than powerful enough for fast Internet applications. I originally ran my router as a piece of software on my VM server but eventually found it much nicer to have a dedicated piece of hardware handling it. Besides, if you're not a fan of Tomato then there's also OpenWRT and DD-WRT. Though I've found DD-WRT to be unstable on some hardware. Regardless, this is probably the cheaper and simpler way of doing it.
We aren't just talking about homebrew routers here, fuckface.
I nominate that sentence for consideration as the Most Slashdot Thing Anyone Has Ever Said.
For home use??
Linksys has updated its WRT54 and it does do a lot for $200. I have emulators for training myself for a home lab which by 2016 are very decent with pfSense and GNS3 in a VM.
http://saveie6.com/
I was reading the article earlier, and I used to do this with a Mandrake distribution on an old PC via iptables. I'd do it again, but I don't see any of these mini PCs that have 3 or more gigabit LAN ports so that I can preserve the load balancing setup I have with the Cisco RV320 I currently have.
Anyone seen any of the low cost boxes with 3 or 4 gigabit ports? I realize that potentially a USB ethernet dongle might be possible, but I doubt any USB-based solution would be robust enough.
-a.e.mossberg
Just grab a cheap piece of hardware compatible with an OpenWRT firmware and flash it. All the customization you'll need. And you get wireless support.
So what stops you from putting your own OS in then, as it seems that is where your beef is?
EdgeRouter uses a removable USB flash stick for storage.
I put NetBSD on mine and updating the config is just like any other NetBSD machine. The NPF firewall is also quick to configure and works well enough for my needs.
Built a system using an Intel D2500CCE board in an Antec ISK case. It's been running pfSense for about 9 months now with no hiccups. Paired that with a Ubiquiti wireless access point and it's been smooth sailing. Much better than the Comcast router modem they gave me to start with.
They didn't at least use VLANs or something to logically separate the two networks? If the one legged firewall is simply network configuration it is not worth a lot...
But therein lies an inherent problem, when the border device doesn't even support VLANs. You can put your LAN traffic in a VLAN all day, but if a host on the network gets owned then it can sniff all traffic, incoming and outgoing, doing a little switch spoofing if necessary. VLANs are not a security measure. They are only for convenience.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
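The point made above, that a VLAN tag is a convenience rather than a security boundary, is something a border device can at least watch for: a frame carrying two stacked 802.1Q tags, or a tag for a VLAN an access port should never carry, is exactly the traffic that should not appear if the switch were enforcing the separation. The script below is an added example, not part of the thread or of any product mentioned in it; it classifies hex-dumped Ethernet frames that are constructed by hand (one byte per token), and the "allowed VLAN" it checks against is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: report the 802.1Q tags carried by
# hex-dumped Ethernet frames. Frames below are constructed by hand, one byte
# per token: 6-byte destination MAC, 6-byte source MAC, then EtherType(s).
# Stacked tags on an access port mean the VLAN boundary is not being enforced.

UNTAGGED='ff ff ff ff ff ff 00 11 22 33 44 55 08 00 45 00 00 54'
TAGGED_10='ff ff ff ff ff ff 00 11 22 33 44 55 81 00 00 0a 08 00 45 00'
DOUBLE_10_20='ff ff ff ff ff ff 00 11 22 33 44 55 81 00 00 0a 81 00 00 14 08 00 45 00'
QINQ_88A8='ff ff ff ff ff ff 00 11 22 33 44 55 88 a8 00 64 81 00 00 14 08 00'

# frame_tags <hex>: print the VLAN IDs of the tags, outermost first, joined
# by '/', or "none". Starts at the EtherType field (offset 12) and consumes
# 4-byte tags while the EtherType is 0x8100 (802.1Q) or 0x88a8 (802.1ad S-tag).
frame_tags() {
    set -- $1          # split the hex bytes into positional parameters
    shift 12           # skip destination and source MAC
    tags=""
    while [ $# -ge 4 ]; do
        case "$1$2" in
            8100|88a8)
                vid=$(( 0x$3$4 & 0x0fff ))   # VLAN ID is the low 12 bits of the TCI
                tags="${tags:+$tags/}$vid"
                shift 4 ;;
            *) break ;;
        esac
    done
    echo "${tags:-none}"
}

# tag_depth <hex>: number of stacked tags (0 for an untagged frame).
tag_depth() {
    t=$(frame_tags "$1")
    [ "$t" = "none" ] && { echo 0; return; }
    printf '%s\n' "$t" | tr '/' '\n' | wc -l | tr -d ' '
}

# verdict <hex> <allowed_vid>: what a border device on an access port should
# conclude. 'alert' on stacked tags or on a tag for a VLAN the port must not carry.
verdict() {
    depth=$(tag_depth "$1")
    tags=$(frame_tags "$1")
    if [ "$depth" -ge 2 ]; then echo "alert: stacked tags $tags"
    elif [ "$depth" -eq 1 ] && [ "$tags" != "$2" ]; then echo "alert: unexpected vlan $tags"
    else echo "ok: tags=$tags"
    fi
}

# Classify the constructed frames against an access port that should only see VLAN 10.
for f in "$UNTAGGED" "$TAGGED_10" "$DOUBLE_10_20" "$QINQ_88A8"; do
    verdict "$f" 10
done
```

On a real switch the mitigation is the one the comment implies: put the border device on a port that enforces the VLAN (no trunking to untrusted hosts, native VLAN not shared with user traffic) and treat any stacked-tag frame from a client port as a misconfiguration to fix, not traffic to forward. The script only reads tag headers; it does not inspect payloads.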
I think the ProCurve 1920-16G meets your needs. I see it on Amazon for less than $200, slightly more on Newegg.
Cheap storage VM.
I have been using a repurposed Celeron 300A as my main router running FreeBSD for years without problems. It has ECC memory, boots from Compact Flash attached to an IDE port, and I can alter the number of ethernet ports as needed.
If I were to do this today, I would use one of the cheap AM1 motherboards which support ECC memory and PCI or PCIe network cards as needed. If that does not allow enough Ethernet ports, then a VLAN switch can be used as a port expander. The AM1 CPUs are much faster than necessary for this kind of application so they can be forced to operate at a lower clock speed and core voltage to reduce power. With some cleverness, passive cooling can be used except perhaps for the power supply fan.
I wanted better control of my home network. Mostly filtering the internet for the kids and later scheduled blocking of their devices overnight, plus some playing on the side. I got a refurb Core2 desktop, snagged a leftover dual port NIC from work, and ran ethernet from the basement to the first floor to an AP. First I used pfsense and then Ipfire. It worked great. After a couple of years I started to think of the power usage of a full desktop running at 3%-5% utilization. So I went looking for an alternative. The RouterOS in the MikroTik boards had everything I needed as a drop in replacement for the PC. I got the model in the link below for ~$50. It doesn't have wifi but I already have the AP setup. It uses so little power the power adapter is similar to what you use to charge your phone. It can even run on PoE. I've been using it for about a month with no problems. Now I'm considering adding in one of their 802.11ac APs for $45 because the RouterOS is the same on both devices and the router can manage the AP. Assuming I'm understanding the manual correctly.
http://www.balticnetworks.com/...