
Open source router/firewall software which are you using and why

mc866

Golden Member
I have an old P3 1Ghz with 192MB of memory that I'm toying with the idea of installing one of these open source packages on. Which do you guys use and why, have you tried more than one version or just picked one and stuck with it?


Also I have a Dlink DGL-4300 as my main router right now with an Asus WL-520gU with DD-WRT in wireless bridge mode. If I set this box up to work as my router I can just disable DHCP on the 4300 and use it for my wireless correct? Can I also use the 4 gig ports on the router as a switch?
 
Originally posted by: mc866
I have an old P3 1Ghz with 192MB of memory that I'm toying with the idea of installing one of these open source packages on. Which do you guys use and why, have you tried more than one version or just picked one and stuck with it?


Also I have a Dlink DGL-4300 as my main router right now with an Asus WL-520gU with DD-WRT in wireless bridge mode. If I set this box up to work as my router I can just disable DHCP on the 4300 and use it for my wireless correct? Can I also use the 4 gig ports on the router as a switch?

Can't answer the first part (although I'm curious) but the last two questions (bolded) are yes.
 
I was recently introduced to Untangle which looks pretty good so far, although I think you'd need more memory.
 
Originally posted by: Nothinman
I was recently introduced to Untangle which looks pretty good so far, although I think you'd need more memory.

Looks good but you are right, minimum requirement is 1GB and I'm maxed out at 192MB.
 
Looks good but you are right, minimum requirement is 1GB and I'm maxed out at 192MB.

No, I've got it running in a VM with 512M here and it's fine. Although if you're stuck at 192M you're pretty limited in your choices.

I did the OpenBSD thing for a while but got fed up with upgrades and lack of packages and just went back to Debian. And now I've got an old PIX setup.
 
Originally posted by: mc866
I have an old P3 1Ghz with 192MB of memory that I'm toying with the idea of installing one of these open source packages on. Which do you guys use and why, have you tried more than one version or just picked one and stuck with it?


Also I have a Dlink DGL-4300 as my main router right now with an Asus WL-520gU with DD-WRT in wireless bridge mode. If I set this box up to work as my router I can just disable DHCP on the 4300 and use it for my wireless correct? Can I also use the 4 gig ports on the router as a switch?

I use smoothwall express 3.0 SP1. I have it running on an old AMD athlon 3000XP CPU, Asus A7N8X motherboard with 512MB of ram. I haven't tried any of the other open source firewalls out there. But I like using smoothwall express because of the different modules I can add in to my install. I added in openvpn, an updated version of snort, and a guardian active response module which I really like, since it blocks aggressive malicious IP addresses from IDS (snort) alerts.

I started using smoothwall after one of my college teachers was telling us about it. I was curious about it, so I downloaded it and tried it out.
 
I used Smoothwall maybe 10 years ago, the first time I got DSL. It was interesting, but really brought nothing to the table as far as extra features. At this point, I see no compelling reason whatsoever to use something like that. The extra electricity costs and cooling costs from running an extra PC will be more over the life of a product than it would have been to just invest in a commercial grade appliance. And using the logic of "just buy an Atom board, they're cheap!" doesn't really fly, because I'm not going to spend a couple hundred dollars and STILL be less efficient. No, if I'm going to need to spend a couple hundred dollars to build a router that runs LINUX of all things, I'm just going to buy an ASA or a NetVanta and save money in the long run.
 
Originally posted by: drebo
I used Smoothwall maybe 10 years ago, the first time I got DSL. It was interesting, but really brought nothing to the table as far as extra features. At this point, I see no compelling reason whatsoever to use something like that. The extra electricity costs and cooling costs from running an extra PC will be more over the life of a product than it would have been to just invest in a commercial grade appliance. And using the logic of "just buy an Atom board, they're cheap!" doesn't really fly, because I'm not going to spend a couple hundred dollars and STILL be less efficient. No, if I'm going to need to spend a couple hundred dollars to build a router that runs LINUX of all things, I'm just going to buy an ASA or a NetVanta and save money in the long run.

This is my point, running a dedicated computer for a router is simply too inefficient with power costs and extra hardware costs. My RV042 works great for me, never a single issue and I run A LOT of devices on my network.
 
Originally posted by: kevnich2
Originally posted by: drebo
I used Smoothwall maybe 10 years ago, the first time I got DSL. It was interesting, but really brought nothing to the table as far as extra features. At this point, I see no compelling reason whatsoever to use something like that. The extra electricity costs and cooling costs from running an extra PC will be more over the life of a product than it would have been to just invest in a commercial grade appliance. And using the logic of "just buy an Atom board, they're cheap!" doesn't really fly, because I'm not going to spend a couple hundred dollars and STILL be less efficient. No, if I'm going to need to spend a couple hundred dollars to build a router that runs LINUX of all things, I'm just going to buy an ASA or a NetVanta and save money in the long run.

This is my point, running a dedicated computer for a router is simply too inefficient with power costs and extra hardware costs. My RV042 works great for me, never a single issue and I run A LOT of devices on my network.

I run PFSense at several locations on Alix boards which are low power appliances. I use OpenVPN for VPNs but IPSec is also available along with pptp. I think the RV42 only has the last two. The difference is I can upgrade it when needed, not just when Linksys gets around to it. I can also extend its functionality, something that you can't get with the majority of the commercial products out there. I used to use WRV54G's several years ago and got fed up with Linksys's lack of responses to issues they deemed unimportant. One thing to consider is the level of technical ability required to set up some of the more sophisticated PFSense features is somewhat higher than low end business routers so be prepared to do a lot of research and spend time getting it going.
 
Originally posted by: mc866
Nobody? Where's Modelworks, I thought he/she had something setup like this?



I have tried several of the software based firewalls/routers. My experience is:

Pfsense - very easy to set up, firewall/router uses little resources. I run it off a 4GB compact flash in an ide > flash adapter. P3-933 with 384MB ram, two nics and a switch. Never had an issue with uptime over a year.

Smoothwall - also easy to set up. Firewall/router uses more resources than pfsense. Ran it for about a month, before going back to pfsense because pfsense allowed me to tweak it more and used less resources.

Clark Connect - easy to set up. Firewall/router/server uses lots of resources but provides a lot more features. It can filter content, do antivirus filtering, run squid for caching, run snort for intrusion detection. You just need a beefier machine than I had to dedicate to it.


The way that most of these programs work is you get to pick 3 interface options. RED - your internet connection to modem, GREEN - your internal networked computer, ORANGE - wireless.

Pfsense has another feature that allows it to use multiple GREEN or ORANGE NIC. So if you wanted to fill up a pc with cards and not use a switch you could.

For your situation I would go with pfsense since it uses little resources.
It would need 3 network connections, so if it has one onboard then add two nic cards. You would also need a switch, using the one in the wifi router could be problematic if you want pfsense to work as firewall and supply the ip for the network. Set the router you have now to just act as an interface, leave dhcp enabled if you want pfsense to provide the ip to it.

So you would have, RED ----> modem, Orange NIC >-----Wifi, Green>----Switch. Then from the switch all the other pc. A lot of people just buy a wifi pci card and use that in place of an external wifi based router.

If you decide to buy a pci wifi card it needs to be supported on this list:
http://www.freebsd.org/releases/7.0R/hardware.html#WLAN

It takes a little time to set up but the features you gain are really worth the effort.
Features like being able to look back at any day last month and see every ip involved or how much bandwidth you used at various times of day. Other features like blocking ads or websites, virus scanning, without having to run any software on other pc.
 
Originally posted by: kevnich2
This is my point, running a dedicated computer for a router is simply too inefficient with power costs and extra hardware costs. My RV042 works great for me, never a single issue and I run A LOT of devices on my network.

It is all about the features and the ability to decide what the router will do. If I want a feature that isn't included in an off the shelf router my only hope is something like DDWRT. With BSD based firewalls chances are anything you can dream of has already been created and just needs to be installed.

Hardware is usually free. People toss it in the trash. Power usage I don't even think about. The most my router box can use is 55Watts, and that is right before the PSU blows. It only hits 40% usage on average, mostly idles. It probably uses 30 watts. An amount I am not even remotely worried about.
 
Originally posted by: drebo
I used Smoothwall maybe 10 years ago, the first time I got DSL. It was interesting, but really brought nothing to the table as far as extra features. At this point, I see no compelling reason whatsoever to use something like that. The extra electricity costs and cooling costs from running an extra PC will be more over the life of a product than it would have been to just invest in a commercial grade appliance. And using the logic of "just buy an Atom board, they're cheap!" doesn't really fly, because I'm not going to spend a couple hundred dollars and STILL be less efficient. No, if I'm going to need to spend a couple hundred dollars to build a router that runs LINUX of all things, I'm just going to buy an ASA or a NetVanta and save money in the long run.

I see those reasons brought up a lot. And for the average home user off the shelf routers are fine. Some like more features. Things like power usage don't even figure into it for most people. We worry about things like home insulation and better appliances more than the watts a router pc uses. Software routers like pfsense run FreeBSD, not Linux. As for 'pro' routers and firewalls, crack open the box and see what is inside, you might just find an Intel processor and ram along with BSD or unix as the OS.

 
OP, is there any reason besides doing it for the experience? Is the current hardware with DD-WRT working OK?
30 watts versus 1~5 watts for an appliance, I go with the appliance unless I have a compelling reason to need the feature set. I have set up several dansguardian/squid proxy servers for homes and private schools and my first FreeBSD computer was a router, but for personal use I employ a hardware device.

 
I have set up several dansguardian/squid proxy servers for homes and private schools and my first FreeBSD computer was a router, but for personal use I employ a hardware device.

Depending on funds I tend to go the opposite way, if they've got the money for a firewall I'd recommend an ASA before I built them a custom one for support reasons.
 
Thanks for all the info guys


The main reason for trying this out is both for the experience and also to try and use this old box for something since it's just sitting in the corner. I'm not concerned with power use, though maybe I should be, but I'm also looking for something that's a bit more robust and configurable and also possibly better performing than the router I have now. I just figured I had nothing to lose trying this out because I have all the parts I need.

I have DD-WRT on my secondary router as a wireless bridge but don't have DD-WRT on my main router as it doesn't support it.
 
I'd use OpenBSD or pfsense.

I got to see a presentation about pfsense at DCBSD2009, and I was pretty impressed. Definitely want to take a look at it in the near future. It's nothing I can't really do with OpenBSD, but it has a web gui and may be easier for some people.
 
Originally posted by: Modelworks
Originally posted by: mc866
Nobody? Where's Modelworks, I thought he/she had something setup like this?

So you would have, RED ----> modem, Orange NIC >-----Wifi, Green>----Switch. Then from the switch all the other pc. A lot of people just buy a wifi pci card and use that in place of an external wifi based router.

So based on this layout I had a quick question, do I need to be able to reach all of my wired devices with the switch described here: the Green----->Switch? Or can I have other switches further downstream, like in my living room for instance where I need to hook up my HTPC, my 360, and possibly other devices?
 
Originally posted by: mc866
Originally posted by: Modelworks
Originally posted by: mc866
Nobody? Where's Modelworks, I thought he/she had something setup like this?

So you would have, RED ----> modem, Orange NIC >-----Wifi, Green>----Switch. Then from the switch all the other pc. A lot of people just buy a wifi pci card and use that in place of an external wifi based router.

So based on this layout I had a quick question, do I need to be able to reach all of my wired devices with the switch described here: the Green----->Switch? Or can I have other switches further downstream, like in my living room for instance where I need to hook up my HTPC, my 360, and possibly other devices?

You can run an Ethernet cable from one switch to another switch. So for example, if you have a switch in a bedroom and want to hook up a switch in the living room, you can run an Ethernet cable between both of those switches.
 
That won't create a situation with loopback to have multiple switches branched off the one switch connected to the pfsense box? Just want to be sure before I go looking for a few more switches.
 
Originally posted by: mc866
That won't create a situation with loopback to have multiple switches branched off the one switch connected to the pfsense box? Just want to be sure before I go looking for a few more switches.

No problem there. In the old days with hubs, you could cascade up to 4 times before the "shouting" on the network got too loud. Switches are much more civilized. Cascading a switch off another will not be a problem.
 