Using an old pc for dedicated router/firewall

Modelworks

Lifer
Feb 22, 2007
16,240
7
76
Just wanted to let others know, if they didn't already, that you can use that old junk pc you have for a very good dedicated router/firewall.

There's several good ones out there.
ipcop
pfsense
smoothwall

The software is easy to install, just download the image, burn the cd and boot from it on the target pc.


I'm currently using pfsense.
It's running on an old compaq deskpro, p2-400, 128mb ram, 20gb hard drive, 2 nics, connected to a switch. The pc only has one case fan, cpu has just a large heatsink, no fan.

Even with 400+ open connections, p2p, etc it never even flinches.
I had trouble with some hardware routers needing to be reset often, etc.

This box has been up almost 2 weeks without a hiccup.
Only uses about 50% of cpu at max, and about half the ram.
It powers down the hard drive when it's not needed so power draw is really low.
You can also replace the hard drive with a compact flash card making it even better.

Web site admin and more features than hardware routers costing tons more.

 

nweaver

Diamond Member
Jan 21, 2001
6,813
1
0
I have a smoothwall box with 70+ people behind it (small ISP I help with) and it's at about 100 days uptime (we rebooted trying to clear an issue with the web server) with no issues. It really is great.

To add to that list, you CAN manually hack IPTables on your favorite distro (but that's an advanced user's scenario)

also, there is Monowall, which is Unix based, but works great, and clark connect (I've never used that one)
 

BZeto

Platinum Member
Apr 28, 2002
2,428
0
76
I've always wanted to try this but considered power consumption and noise an issue.
 

nweaver

Diamond Member
Jan 21, 2001
6,813
1
0
it's not really much of an issue. An older computer shouldn't consume much power (sure, it's more than a small router, but it's not even $5 over a month, I would guess). And noise is the same way, don't use an older athlon that requires a small turbine to keep it cool, instead look at the older (and very stable) P2's on Intel mobo's with passive CPU cooling. We have the PSU fan, and that's all in our little smoothwall box.
 

Modelworks

Lifer
Feb 22, 2007
16,240
7
76
I was curious so I hooked up the pc I use through an amp meter.
It's using 700 milliamps right now.
At 120 volts that's 84 watts. Not as much as a 100watt lightbulb :)

Once the hard drive spins down, there isn't anything left to draw power except the motherboard/cpu and one fan.


Noise, it's way way quieter than my pc is.
go with the older hardware, like the p2-400's and the noise/power is no problem.
PC's like these are often found in the trash.

 

Brazen

Diamond Member
Jul 14, 2000
4,259
0
0
I have a CentOS box used as a router at work. Here is the uptime from it:

[brazen@myboxen01 ~]$ uptime
09:01:33 up 592 days, 23:10, 1 user, load average: 0.10, 0.03, 0.01

That is over a year and a half of continuous operation with no downtime. The cpu is "Intel(R) Pentium(R) 4 CPU 1.60GHz". It's not going to win any awards, but that's pretty darn good.
 

nweaver

Diamond Member
Jan 21, 2001
6,813
1
0
592 is pretty darn good....

although a P4 is a waste, since we sit at under 10% with a P2 400 :D
 

jlazzaro

Golden Member
May 6, 2004
1,743
0
0
Originally posted by: nweaver
592 is pretty darn good....

although a P4 is a waste, since we sit at under 10% with a P2 400 :D
same boat...i hate to waste a 2.4ghz p4 but it's the slowest i have ;x
 

nweaver

Diamond Member
Jan 21, 2001
6,813
1
0
Originally posted by: jlazzaro
Originally posted by: nweaver
592 is pretty darn good....

although a P4 is a waste, since we sit at under 10% with a P2 400 :D
same boat...i hate to waste a 2.4ghz p4 but it's the slowest i have ;x

hah...I only just finally got rid of my sub 500Mhz machines. I have 400+ Dell Optiplex GX machines (they are 600 Mhz) sitting here, and I have to fire them up/image them about 3 times a year. What a freaking circus. I'm HOPING to eliminate those this year, and then the only sub 2Ghz machines should be some servers that I don't care to part with (come on, a quad 700 is pretty decent machine for the menial tasks I throw at it). Ah, the dreams smashed by the accounting dept year after year.
 

p0lar

Senior member
Nov 16, 2002
634
0
76
Originally posted by: nweaver
Originally posted by: jlazzaro
Originally posted by: nweaver
592 is pretty darn good....

although a P4 is a waste, since we sit at under 10% with a P2 400 :D
same boat...i hate to waste a 2.4ghz p4 but it's the slowest i have ;x

hah...I only just finally got rid of my sub 500Mhz machines. I have 400+ Dell Optiplex GX machines (they are 600 Mhz) sitting here, and I have to fire them up/image them about 3 times a year. What a freaking circus. I'm HOPING to eliminate those this year, and then the only sub 2Ghz machines should be some servers that I don't care to part with (come on, a quad 700 is pretty decent machine for the menial tasks I throw at it). Ah, the dreams smashed by the accounting dept year after year.

Hmnn.. I use a Nokia IP120 where I displaced Checkpoint's FW1 with OpenBSD at home. I'm certain it draws less than 20 watts, though it could probably draw less if I replaced the laptop drive in it with a 44-pin IDE -> CF adapter. It is silent, aside from occasional chatter on the laptop drive, and it runs a full version. PM me for a dmesg if you're interested -- it has a 266MHz i686 CPU, 128MB RAM, 10GB 2.5" drive, 3x Intel 8255x (fxp) 10/100 interfaces, and 2x16550 serials (one for console, the other goes to the console of.. I believe a Cisco 2940G that switches for basic access.)
 

bob4432

Lifer
Sep 6, 2003
11,726
45
91
been wanting to do this when my linksys wrt54g v2 dies - running HyperWRT 2.1b1 +tofu13c -
uptime - 441 days, 04:58:10 :D

not many connections but not bad for a "home" router :) no issues w/ connected and wifi connections
 

RebateMonger

Elite Member
Dec 24, 2005
11,586
0
0
Originally posted by: nweaver
although a P4 is a waste, since we sit at under 10% with a P2 400 :D

I tried to go REALLY old a while back, hoping to set up an ultra-low-power fileserver with a 486 or something like that. Windows told me, rather harshly, that it wanted a math coprocessor or it wasn't going to run. I think I sold all my original Pentium and P2 and P3 processors and motherboards. Oh well.....

But I'm a big fan of PC-based routers. In the "good old days", you could count on a $100 metal-cased Netgear router. I think my first one went three years without a reboot. But it seems like today's home routers suck for reliability.
 

p0lar

Senior member
Nov 16, 2002
634
0
76
Originally posted by: RebateMonger
I tried to go REALLY old a while back, hoping to set up an ultra-low-power fileserver with a 486 or something like that. Windows told me, rather harshly, that it wanted a math coprocessor or it wasn't going to run. I think I sold all my original Pentium and P2 and P3 processors and motherboards. Oh well.....

But I'm a big fan of PC-based routers. In the "good old days", you could count on a $100 metal-cased Netgear router. I think my first one went three years without a reboot. But it seems like today's home routers suck for reliability.

I have a few Nortel Contivity routers that I uh.. upgraded. :D

Original specs: 266MHz, 12MB RAM, 8MB CF, 1 10/100 WAN, 7 10/100 LAN (bridged)
Upgraded specs: 550MHz, 268MB RAM, 8GB CF, + HiFN 7955 :D

If it weren't so loud (3 fans), I would consider it as a primary firewall though the dumb switch that attaches to the LAN interface isn't my cup of tea. One of these days I'm going to take a spare AMD K6-2 400 MHz CPU, lap it and its Socket7 HSF to see if I can get it to the point where it will stay cool enough to operate fanlessly or at a significantly reduced RPM -- the positive side to it is that OpenBSD detects all the sensors so it's a no-brainer to figure out what works and what doesn't.

P.S. 20 mbit/s is no sweat for this animal but I bet it chews up at least 50 watts. :p
 

Kelemvor

Lifer
May 23, 2002
16,928
8
81
I think it's a neat project but is there really any benefit to doing it this way over a standard router? I'm guessing not really for most people's "Home" networks but maybe in a more advanced setting?

Unless any of them come with free web filtering to filter out porn and things like that, then I'd definitely be interested.
 

tomt4535

Golden Member
Jan 4, 2004
1,758
0
76
I have a m0n0wall running on a PIII 550mhz, 256mb ram, 32mb cf card, and a 165w psu I got at work. It's pretty sweet. Quiet as hell and it just sits in a box next to my pc.
 

HannibalX

Diamond Member
May 12, 2000
9,359
2
0
Alternately you could buy an old Enterprise Cisco router on eBay for $100.00.
 

amdskip

Lifer
Jan 6, 2001
22,530
13
81
I have a smoothwall box that is a P4 and 128mb of rdram :(. I'm planning on finding something that has more memory in it. I have it loaded up with anti virus filtering and content filtering (it is set up at an elementary school) so it sucks up the memory. It also has a password bypass for the content filtering.
 

p0lar

Senior member
Nov 16, 2002
634
0
76
Originally posted by: Kelemvor
I think it's a neat project but is there really any benefit to doing it this way over a standard router? I'm guessing not really for most people's "Home" networks but maybe in a more advanced setting?

Unless any of them come with free web filtering to filter out porn and things like that, then I'd definitely be interested.

For most people, not really. It's a roll-your-own, like any O/S based installation, but I'm keen on about anything I can shoehorn OpenBSD onto, mainly because of PF I suppose.
 

RebateMonger

Elite Member
Dec 24, 2005
11,586
0
0
Originally posted by: Pale Rider
Alternately you could buy an old Enterprise Cisco router on eBay for $100.00.
But won't that likely be 10Mbps, too? And, of course, you have to learn IOS to make it work.
 

RebateMonger

Elite Member
Dec 24, 2005
11,586
0
0
Originally posted by: Kelemvor
Unless any of them come with free web filtering to filter out porn and things like that, then I'd definitely be interested.

Well, there's definitely freeware add-ons for many software firewalls. I know that some folks maintain a file that works with ISA Server to filter out "bad" web sites. I'm sure you can get the same for other software firewalls. If you want such a list for a hardware firewall, you are likely to be paying for it.

Edit: Wow! Looks like the "quotation posting bug" is gone!
 

nweaver

Diamond Member
Jan 21, 2001
6,813
1
0
Originally posted by: Kelemvor
I think it's a neat project but is there really any benefit to doing it this way over a standard router? I'm guessing not really for most people's "Home" networks but maybe in a more advanced setting?

Unless any of them come with free web filtering to filter out porn and things like that, then I'd definitely be interested.

smoothwall offers squid proxy right out of box, and there are probably tons of lists for blacklisting "bad" sites.

IMHO, this DOES and doesn't offer advantages to small homes. The advantage is that most SOHO routers are crap. They are shoddily built, lock up, need rebooted, etc. These boxes will run for literally years without a reboot. These also offer much more flexibility in port forwarding, blocking, etc. Because they are running *nix, you can also script things, such as turning off internet access to kids at 8:00 PM, turning it back on at 8:00 AM, emailing you when they try and bypass the proxy, feeding the cat, petting the dog, etc.

The downside is it's a bit more to set up than a traditional SOHO router, which the average joe already sucks at.
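
The scheduled cut-off described in the post above (internet off at 8:00 PM, back on at 8:00 AM) can be driven from cron with iptables. This is an added example, not part of any poster's message; the device addresses, the script path and the assumption of a Linux router forwarding LAN traffic through the FORWARD chain are illustrative.

```shell
#!/bin/sh
# Added example: cron-driven curfew on a Linux router using iptables.
# Assumptions (not from the thread): the kids' devices have fixed LAN IPs
# listed in KIDS, and their traffic is routed through the FORWARD chain.
KIDS="192.168.1.50 192.168.1.51"   # constructed sample addresses
START=20                           # block from 20:00 ...
END=8                              # ... until 08:00

# Succeeds (exit 0) when hour $1 (0-23, as printed by `date +%H`) is inside
# the curfew. The window wraps past midnight, so START > END needs an OR.
in_curfew() {
    h=${1#0}; h=${h:-0}            # "08" -> 8, "00" -> 0 (avoid octal parsing)
    if [ "$START" -gt "$END" ]; then
        [ "$h" -ge "$START" ] || [ "$h" -lt "$END" ]
    else
        [ "$h" -ge "$START" ] && [ "$h" -lt "$END" ]
    fi
}

# Print (do not run) the iptables commands needed for hour $1.
# -C checks whether the rule already exists, so hourly runs stay idempotent.
# -I inserts at the top of FORWARD, ahead of any ESTABLISHED accept rule,
# so connections that are already open are cut off as well.
plan() {
    for ip in $KIDS; do
        rule="FORWARD -s $ip -j REJECT"
        if in_curfew "$1"; then
            echo "iptables -C $rule 2>/dev/null || iptables -I $rule"
        else
            echo "iptables -C $rule 2>/dev/null && iptables -D $rule"
        fi
    done
}

# Dry run by default. As root from cron, once an hour (path is hypothetical):
#   0 * * * * /usr/local/sbin/curfew.sh apply
if [ "${1:-}" = "apply" ]; then
    plan "$(date +%H)" | sh
fi
```

Matching on source IP only holds while the devices keep those addresses, so pair it with static DHCP leases on the router.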
 

nightowl

Golden Member
Oct 12, 2000
1,935
0
0
I still have a ClarkConnect box running that I set up, but at home I am sticking with my Cisco set up. I know IOS better than *nix so it is easier for me.
 

skyking

Lifer
Nov 21, 2001
22,714
5,842
146
My first router and my intro to unix still sits in the shed. It was a gift from the friend who got me started in unix and I can't part with it yet:)
It is a horizontal 486 that is strong enough to use as a jackstand for the car, with an evergreen technologies overdrive 133 chip, woohoo. It has some stripped down 4.x freebsd install with IPFW on a 330mhz hard drive. It was about a 40 watter, IIRC.
Good times:)
 

BZeto

Platinum Member
Apr 28, 2002
2,428
0
76
Bringing this thread back from the depths because I just set up a Smoothwall box at home. The hardware I'm using is a bit overqualified (celeron 1ghz, 384MB ram) but it's all I could find. I tried leaving the cpu fan off and just having the PSU fan, but the temps got a bit too high so I stuck a low rpm 80mm fan on it. If only I could underclock it..

So far I'm loving it though, been running 3 days with no problems. My previous Buffalo DD-WRT flashed router made it impossible to browse the net while downloading anything via p2p. I have no problems at all now. Anyone thinking about building one, I'd recommend it.

 

cleverhandle

Diamond Member
Dec 17, 2001
3,566
3
81
Originally posted by: Kelemvor
Unless any of them come with free web filtering to filter out porn and things like that, then I'd definitely be interested.
That would be Dan's Guardian, which runs along with squid on a proxy server. It's been several years since I played with it, but at the time I was extremely impressed with its accuracy compared to very expensive commercial alternatives. Setting it up well (i.e. so that it can't be easily bypassed) does require some technical savvy, though.

And, as others have mentioned, OpenBSD's PF absolutely rocks. Besides the fact that it's got a bunch of neat features, it's really simple to write rulesets for. I hate having to set up firewalls using anything else, even for fairly simple situations.

Originally posted by: nweaver
These also offer much more flexibility in port forwarding, blocking, etc. Because they are running *nix, you can also script things, such as turning off internet access to kids at 8:00 PM, turning it back on at 8:00 AM, emailing you when they try and bypass the proxy, feeding the cat, petting the dog, etc.
I have babies (plural!) on the way Real Soon Now. We'll see whether they're as geeky as I am, but in the event that they are I plan to have 802.1x switch port authentication in place by the time I have to worry about shutting off the Internet and getting them working on their homework.