It's a shell script that allows you to turn any ol' Linux computer into a WiFi router in one quick command-line:
By default, it will set up your WiFi card as an access point (WPA2/3, MAC filtering, etc.), set up packet forwarding and routing, and run a DHCP and DNS server. It will generally pick sensible defaults, but it's also highly customizable. If your WiFi card supports simultaneous AP and client mode, it will allow that.
Its requirements are extremely minimal: basically just Linux, a compatible wireless card, and a few common configuration packages (hostapd, iw, iproute2, iptables, dnsmasq). No NetworkManager needed.
I used it as my own home Internet gateway for many years, running on an ancient fanless Atom mini-PC.
Because it can quickly set up and tear down WiFi networks on the fly, it's also a valuable tool for setting up test networks when reverse-engineering IoT devices. I use it frequently for this purpose (see https://snowpatch.org/posts/i-can-completely-control-your-sm...).
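An added example, in the spirit of the script described above but not code from create_ap or from this thread: a POSIX shell fragment that generates the hostapd and dnsmasq configuration for a WPA2-only access point and lints a hostapd.conf for the settings that weaken it (WPA1 mixed mode, TKIP, a too-short passphrase, WPS). The function names, the interface name wlan0, the SSID, passphrase and subnet are assumptions, and WEAK_CONF is a constructed sample.

```shell
#!/bin/sh
# Added example, not code from create_ap or the thread. Assumed names:
# gen_hostapd_conf, gen_dnsmasq_conf, conf_get, check_hostapd_conf. The
# interface (wlan0), SSID, passphrase and subnet are placeholders.

# Emit a hostapd.conf for a WPA2-only (RSN + CCMP) 2.4 GHz access point.
# $1 interface, $2 SSID, $3 passphrase, $4 channel (default 6)
gen_hostapd_conf() {
  printf '%s\n' \
    "interface=$1" \
    "driver=nl80211" \
    "ssid=$2" \
    "hw_mode=g" \
    "channel=${4:-6}" \
    "wpa=2" \
    "wpa_key_mgmt=WPA-PSK" \
    "rsn_pairwise=CCMP" \
    "wpa_passphrase=$3" \
    "ieee80211w=1" \
    "ignore_broadcast_ssid=0"
}

# Emit a dnsmasq.conf that serves DHCP and DNS only on the AP interface.
# $1 interface, $2 the AP's own address (gateway and resolver), e.g. 192.168.12.1
gen_dnsmasq_conf() {
  net=${2%.*}   # strip the host octet to get the /24 prefix
  printf '%s\n' \
    "interface=$1" \
    "bind-interfaces" \
    "dhcp-range=$net.10,$net.250,12h" \
    "dhcp-option=option:router,$2" \
    "dhcp-option=option:dns-server,$2"
}

# Print the value of key=... in a config text ($1 text, $2 key); empty if absent.
conf_get() {
  printf '%s\n' "$1" | sed -n "s/^$2=//p" | tail -n 1
}

# Read a hostapd.conf on stdin and print one finding per line (no output = clean).
check_hostapd_conf() {
  conf=$(cat)
  wpa=$(conf_get "$conf" wpa)
  [ "$wpa" = "2" ] || echo "wpa=$wpa: enable RSN only (wpa=2); wpa=1 and wpa=3 admit WPA1 clients"
  case "$(conf_get "$conf" wpa_pairwise) $(conf_get "$conf" rsn_pairwise)" in
    *TKIP*) echo "TKIP pairwise cipher allowed; restrict to CCMP" ;;
  esac
  pass=$(conf_get "$conf" wpa_passphrase)
  [ "${#pass}" -ge 8 ] || echo "wpa_passphrase is ${#pass} chars; hostapd requires 8 to 63"
  [ "$(conf_get "$conf" wps_state)" != "2" ] || echo "WPS enabled (wps_state=2); disable unless required"
  return 0
}

# Constructed sample of a legacy configuration that trips all four checks.
WEAK_CONF='interface=wlan0
ssid=OldAP
wpa=3
wpa_pairwise=TKIP CCMP
rsn_pairwise=CCMP
wpa_passphrase=short
wps_state=2'

# Usage: gen_hostapd_conf wlan0 MyNet 'a long passphrase' > /etc/hostapd/hostapd.conf
#        gen_dnsmasq_conf wlan0 192.168.12.1 > /etc/dnsmasq.d/ap.conf
# Lint an existing file with: check_hostapd_conf < /etc/hostapd/hostapd.conf
printf '%s\n' "$WEAK_CONF" | check_hostapd_conf
```

The generated hostapd.conf enables only RSN (wpa=2) with CCMP, which is what the "WPA2" in the description above means in hostapd terms; the linter reads whatever file you already have and only reports, it never edits.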
Any ath10k card is great. They support up to 802.11ac, cost about $10 (e.g. amazon.com/dp/B07HDXP9R4), and can run AP in either the 2.4 GHz or 5 GHz bands.
The firmware and driver are very stable, and in terms of regulatory constraints they defer entirely to the Linux kernel (which means you can use https://github.com/singe/wifi-frequency-hacker or similar for frequency hacking).
I don't have much personal experience with ath11k (802.11ax) or ath12k (802.11be), but I've heard good things about them generally.
For use in a real, practical access point, you want to avoid Intel cards. Intel's firmware completely locks down the ability to run a 5 GHz AP. For whatever reason, Intel takes a maddeningly conservative view of regulatory restrictions. They clearly don't want their cards to be used in APs. On the other hand, Intel's cards have a nice feature that they support dual-channel operation with a single radio (e.g. `iw list` shows `channels <= 2`), which is extremely handy for running a quick-and-dirty 2.4 GHz access point while staying connected to a WiFi network.
mt7996 is good for WiFi 7. You can also check the suggested hardware list on the Kismet project for good recommendations for older bands and protocol versions.
Also, if you have ever used docker or virtual machines with NAT routing (often the default), you've done exactly the same things.
If you have ever enabled the wifi hotspot on an android phone also, you've done pretty much what the article describes on your phone.
All of these use the same Linux kernel features under the hood. In fact there is a good chance this message traversed more than one Linux soft router to get to your screen.
Windows PCs had (have?) that Internet connection sharing feature for a long time. It was really just a checkbox to enable NAT too.
Sometimes I think combining a firewall/router/switch/AP/file server/etc into a device called a "router" really confuses people. Even people who should know better.
The perfect machine back then was a 100MHz Pentium, in a slimline desktop case. At the time, the Pentium III was the current desktop chip, so you'd have a pile of early Pentium-class machines to use. And even a 10mb ISA network card (3Com if possible) would have plenty of power for the internet connections of the day. But 100mb PCI cards were still fairly cheap.
Install two NICs, load your favorite Linux distro, and then follow the IP-Masquerading HOWTO and you've got internet access for the whole apartment building, office, or LAN party.
Eventually I moved on to Linux Firewalls by Robert Ziegler for a base to build on.
After that I started piling other services on, like a spam filter, Squid cache, it was amazing to get so much use out of hardware that was going to just get thrown out.
That snowballed into “we want a website do you know how to do that?” and. Well, no, but it had Apache available and I … figured things out enough to take the skills elsewhere.
Repeated the same trick with a place in Wisconsin, who initially shared a 56k dialup connection with all their dispatchers and were impressed the thing had stayed up for 900 days without even redialing. 90% of their work was done in an on-prem wyse terminal anyway, dialup used to do the job for email or googling an address.
27, 28 years later I’m still dragged in front of them once in a while to ask how they can accomplish something cheaply with Linux, bubble gum, paper clips, or whatever. The times and technology have changed, but not how cheap they are!
Eventually I got all the devices marked from origin to their patch cables in the server room, and I started looking into the Squid cache. It turns out that they were caching everything, as well as blocking websites. I figured out what websites they needed to do their job, and turned off caching, while also learning the ACLs for blocking websites. Anything else was allowed, but the Squid cache would hold a copy for some set amount of time (I think it was 24 hours, so if it was legitimate they only had to wait a day, but it also saved on bandwidth by quite a bit - although I think this was used more to monitor user activity).
It was frustrating as someone new to large LANs, as well as to in-house caching, but had been using Linux since an early version of Slackware in the later 1990's. Even to this day, as someone that writes software and does DevOps, that knowledge has helped my debugging skills tremendously. Dealing with caching is a skill I feel you need to be burned by in order to finally understand it, and recognize when it's occurring. I cut my teeth on Linux through a teacher that set up a web server in 1997, and not only gave students access to upload their web files, but also a terminal to message each other and see who was online.
I was doing the same. Router and firewall on old Pentium CPUs. I don't have these machines anymore but I still have HDDs from back then with post-it notes on them saying stuff like: "Linux firewall / HDD 120 GB". For whatever reason my HDD adapter that can read just about everything doesn't have the correct pinout for those HDDs. Would be a blast if they were to still boot: at some point I'll just buy a compatible adapter and see what I can find on those HDDs. I was very likely also saving some backups there.
But really my best memory was years (I think) before 120 GB HDDs became an affordable thing, in the super early Slackware days, on a dial-up connection: I had a 486 desktop computer and I'd share the Internet connection to a very old laptop (!) using... PLIP. A printer cable and the Parallel Line Internet Protocol. Amazing hack: my brother and I could then both use Netscape at the same time and to us this felt like a glimpse into the future.
The old one is getting really old now, nearly 25 years ago [2].
[1] Book Review: Linux Routers - A Primer for Network Administrators, 2nd Ed:
It just wouldn't die.
The suspicion was that because the electricity going to it was cleaner than average, in a datacenter, the normal wear and tear on electronics may have been reduced.
Respect was paid at its decommissioning to convert it into a VM; knowing its luck, chances are it would still boot up and keep on running.
IIRC, there were some Macs that were confused if there was a bridge in the network, so had to change the segmentation and run masquerade, but that was still better than not having internet. And no need to allocate those precious public IPs, though you could still get them.
Masq was one of the first killer features for Linux.
I did routing duties for my LAN with my primary desktop for about a decade, variously with Linux, OS/2 (anyone remember InJoy?), and FreeBSD -- starting with 486 hardware. Most of that decade was with dial-up.
The first iteration involved keying in ipfwadm commands from, IIRC, Matt Welsh's very fine Running Linux book.
WAN speeds were low; doing routing with my desktop box wasn't a burden for it at all. And household LANs weren't stuffed full of always-on connected devices as they are today; if the Internet dipped out for a few minutes for a reboot, that wasn't a big deal at all.
I stayed away from dedicated hardware until two things happened: I started getting more devices on the LAN, and I saw that Linksys WRT54G boxes were getting properly, maturely hackable.
So around 2004 I bought a WRT54GS (for the extra RAM and flash) and immediately put OpenWRT on it. This led to a long rabbit hole of hacks (just find some GPIO lines and an edge connector for a floppy drive, and zang! ye olde Linksys box now has an SD card slot for some crazy-expensive local storage!).
I goofed around with different consumer router-boxes and custom firmware for a long number of years, and it all worked great. Bufferbloat was a solved problem in my world before the term entered the vernacular.
And I was happy with that kind of thing at home, with old Linksys or Asus boxes doing routing+wifi or sometimes acting as extra access points... until the grade of cheap routers I was playing with started getting relatively slower (because my internet was getting relatively faster) and newer ones were becoming less-hackable (thanks, binary blob wifi drivers).
---
I decided to solve that problem early in 2020. Part of the roadmap involved divorcing the routing from the wifi completely -- to treat the steering of packets and the wireless transmission of data as two completely distinct problems.
I used a cheap Raspberry Pi 4 kit to get this done. The Pi4 just does router/DNS/NTP/etc duties like it's 1996 again. Dedicated access points (currently inexpensive Mikrotik devices) handle all wifi duties.
That still works very well. Pi4 is fast enough for me with the WAN connections available here (which top out at 400Mbps) even while using SQM CAKE for managing buffers, and power consumption of the whole kit is too low to care about.
The whole OpenWRT stack just plods along using right around 64MB of RAM. VLANs are used to multiply the Ethernet interface into more physical ports (VLANs were used to do this inside the OG WRT54G, too).
It's sleepy, reliable, and performant.
---
And it'll keep being fine until I get a substantially-faster WAN connection. For that, maybe one of the China-sourced N150 boxes, with 10gb SFP+ ports, will be appropriate -- after all, OpenWRT runs on almost anything including AMD64 and the UI is friendly-enough.
But there's no need to upgrade the router hardware until that time. Right now, all of my routing problems are still completely solved.
This is the move. Lets you upgrade the different parts of the network separately. I have 3 components: an N150 router/fw/DNS/VPN box with 2.5GB NICs running OPNSense, a cheap but surprisingly good 2.5GB managed switch, and a cheap WiFi 6 VLAN-tag-capable WiFi access point.
When I am doing network management on my weekends, I’m so glad I’m not stuck in the Linux terminal learning about networking internals and can instead just go to a webui and configure my router.
I was recently introduced to a Barracuda router, and bashed my head against the wall long enough to discover it had an ssh interface, and linux userland, and was able to solve my immediate problem by directly entering the commands to get it to [temporarily] do what I needed. (Of course, using the GUI to reapply settings wiped my manual configuration...)
I've used pfsense, OpenWRT, Barracuda, Verizon's OEM router (Actiontec) and they all represent the same functionality wildly differently.
Worth noting that pfSense (and OPNsense) are not Linux-based, they're based on BSD, specifically FreeBSD. While it's possible to have standard router OS web UIs that are cross platform, the underlying technology is different, so it's not really a surprise that there will be differences in how the devices running these OSes are configured.
At this point I rather doubt the sanity of people still sticking to iptables tbh.
So there is approximately one concept of "packet filter done right". UI madness is on UI authors.
I will concede that the OpnSense UI is far from perfect. I would really like to see a device-centric view that lets me set all the things related to that device from one screen (or possibly one screen with multiple tabs). For example, if I add a Roku device to my network, I want to enter in the MAC address and then be taken to a screen where it will let me set the hostname, pick a static IP address, hand it a specific DNS resolver IP, see all of the traffic going to/from the device, only allow it access to the Internet during certain hours, etc. All of this currently requires jumping around between multiple disconnected parts of the OpnSense UI.
I used a low-power Intel Atom mini PC with an additional NIC as a router for years. I tested it and found it could route around 300Mb/s, which was plenty.
But then I got gigabit internet. So I bought an Intel 4 port GigE card from eBay and now run OPNSense as a VM. If you get the right Intel card you can pass through ports to VM individually, which is nice for playing (don't know the exact details but look for cards with virtualisation support, mine is an 82575GB I think).
To be fair, my setup still probably has too much to go wrong, due to the VM thing, but I just haven't got round to getting dedicated hardware, and it's worked fine for a couple of years now.
Is there something like that?
Caveat: I have only used OpenWRT on a high end consumer router (GL.inet MT6000) out of those. That works well, anything else is based on reading about people using those options.
For all of those, once you set it up you don't really need to do much except install updates a couple of times per year, or if you want to forward a new port or such.
Some recent changes are driving me up the wall though - their new UIs for configuring VPNs (IPSEC and OpenVPN) are far less intuitive than what they've termed the 'legacy' UI and I note that recent versions have introduced a firewall rule migration feature that I'm not touching with a 9-ft barge pole.
These changes are making me wary about using opnSense in future, which is a pity because other than pfSense there isn't really a fully-featured, open-source firewall OS that comes close to matching it (and pfSense has its own issues). Linux is great and all - and I do use it for routing/firewall/VPN in places on our network - but there doesn't seem to be a dedicated network appliance distro that bundles in a comprehensive Web UI. Apart from OpenWRT and its ilk, but I'm not convinced that that's suitable for enterprise deployment.
Anyone actually measured this? I see a lot of bandwidth/etc style tests but few that can show the actual impact of enabling/disabling deep packet inspection and a few of the other metrics that I actually care about. ServeTheHome seems to have gotten some fancy test HW but they don't seem to be running these kinds of tests yet.
Mikrotik sells the CCR2004-1G-2XS-PCIe, which is a fascinating device:
https://mikrotik.com/product/ccr2004_1g_2xs_pcie
It is a full Mikrotik router stripped down to just a board and hung off a PCIe interface. Iirc by default it exposes a virtual gigabit interface to the host and otherwise acts exactly like a CCR2004 running RouterOS.
Doesn't really buy you anything vs a RB5009 unless you can use the pair of 25Gbps ports, but it sure is neat.
I've got a 10G fiber connection, and I swapped out a Fortigate 100F for a server running VyOS. I had performance problems, because the 10G to 1G transition caused dropped packets at the switch. I was able to solve it by shaping the traffic to the 1G devices to handle queuing in the router, which is something this particular Fortigate can't do. (High end routers have algorithms like WRED designed to get TCP to behave nicely on 10G to 1G drops, but I don't want the noise of a Cisco in my basement.)
My home router was an old Thinkpad for a while, but then I switched over to a slightly newer Dell Optiplex that my work was throwing out. The plus side of that is that the i7 is total overkill for routing so I can also have my "router" run some VMs for network services and cut down on the number of boxen in my homelab rack.
Alpine is a great distro for this.
I am not really sure about it. My ISP provided AP can do a gigabit over wifi.
I need to change it because the ISP hardcodes the dns for spying reasons.
But sadly to match that performance I need to spend like $180 to get an AP with that performance
Is the concern mainly things like botnets and DDoS activity, weak default credentials on network equipment, or compromised business networks where poorly secured routers or attached NAS devices could expose sensitive or proprietary data? In other words, is the concern less about decrypting traffic and more about using the router as a foothold for surveillance, disruption, or access to poorly secured internal systems?
Imagine everyone had their routers disabled simultaneously. I don't know if the cell networks could function with the surge in standard traffic that would happen, and then you've effectively plunged all or part of the country into a communication blackout.
I think "turn it off permanently by bricking it" is almost as bad as "leverage for DDoS".
I worked on Bot Mitigation at Amazon, and we once saw a ton of traffic that was heavily distributed amongst consumer devices world-wide, but surprisingly in the US too. We suspected compromised routers that were using the home page as a health check. There was a lot of investigation I did, and the short realization after talking with the network engineers is that the amount of traffic, and distribution of sources, would be impossible to stop. There merely isn't enough bandwidth in the world to stop so many residential devices if they hit a specific target. To be clear, this was coming from less than half of active Amazon customers, not everyone in the US.
Anyway, it wasn't routers, but it was a consumer device, and it wasn't nefarious, it was incompetence (in code), as usual.
IME cell networks definitely can't cope with a loss of all routers in an area, given how mobile data becomes basically unusable when there's a power outage. That said, "everyone had their routers disabled" is probably not realistic, given that there are plenty of non-chinese router vendors.
These are networks of controlled devices. They're hard to eradicate, as shown by the fact that they haven't been eradicated: they're still active and being used to compromise systems, including defense and intelligence systems, power systems, financial systems, identity systems, etc.
Is banning foreign gear going to fix this? No. Security isn't a product. It is, however, a process, and in a process you take steps. I think this: we (individuals and institutions) enjoy tremendous liberty in the use of communications equipment in the US and most of the West. Taking that for granted is a mistake. If part of keeping this means the US has to spin up a domestic supply of network gear, or carefully modulate where such gear comes from, then lets do that. Otherwise, The Powers That Be will leverage its concerns into far worse steps.
If this were really about computer security they would follow California’s example of requiring unique passwords. Maybe make manufacturers liable for not patching known remote exploitable security vulnerabilities. It doesn’t matter if the source of a DDoS is a Huawei box or a Netgear box.
- Access to data (dns/ips, domain names (if not using ESNI), amount of traffic, etc) of sites you are visiting
- Access to the inside of your network where it can attack machines that may not be secure
- DDoS
- The ability to shut down your internet
I'm sure there are more.
That should probably be the technical concern. Even if you have traffic protected by TLS, you still typically have enough metadata to cause some problems for users individually, but the assumption that foreign equipment is back-doored by some security service or other is probably safe.
In addition, compared to PF/OPNsense or OpenWRT (Linux based), you have more control and exposure to the underlying network concepts with VyOS. You're not configuring the kernel manually, but you still learn quite a bit.
net.ipv4.ip_early_demux = 0
net.ipv4.tcp_early_demux = 0
net.ipv4.udp_early_demux = 0
in /etc/sysctl.d/10_router.conf to slightly reduce overhead when being used primarily as a router. There are many other router-related knobs, but those I would always set, especially if trying to reduce overhead for VoIP/gaming setups. There are many other knobs I tune such as gro_flush_timeout and napi_defer_hard_irqs, sch_cake tuning, lowat and output limits and hundreds more, but those rabbit holes would require a large write-up. My overall goal is to give family members latency, jitter and throughput numbers that improve their quality of life and gaming scores, of course. Such things do not preclude additional tuning on the client and server sides as well, but those are even bigger topics.
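An added example, not the commenter's own tooling: a POSIX shell fragment that renders the sysctl.d file with the three early_demux settings above (plus the forwarding knobs a router needs, which are my addition) and then reports drift between the desired values and what the running kernel actually has, so a setting that a later package or sysctl.d file overrides is noticed rather than assumed. The function names are assumptions and SAMPLE_SYSCTL_A is a constructed stand-in for `sysctl -a` output.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: render_sysctl_conf,
# sysctl_value, sysctl_drift. SAMPLE_SYSCTL_A is constructed, not captured.

# Desired router settings. The three early_demux lines are the ones from the
# comment above; the two forwarding lines are added here because a router
# needs them and they are worth checking for drift too.
ROUTER_SYSCTL='net.ipv4.ip_early_demux = 0
net.ipv4.tcp_early_demux = 0
net.ipv4.udp_early_demux = 0
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1'

# Render the file to install as /etc/sysctl.d/10_router.conf.
render_sysctl_conf() {
  printf '# router tuning, applied by sysctl --system\n%s\n' "$ROUTER_SYSCTL"
}

# Look up one key in "key = value" text ($1 text, $2 key); prints the value or nothing.
# Exact key match via awk, so net.ipv4.ip_forward never matches a longer sibling key.
sysctl_value() {
  printf '%s\n' "$1" | awk -v k="$2" -F' = ' '$1 == k { v = $2 } END { print v }'
}

# Compare desired settings ($1) against sysctl -a style output ($2).
# Prints one line per key that is missing or differs; prints nothing when all match.
sysctl_drift() {
  printf '%s\n' "$1" | while IFS= read -r line; do
    case "$line" in ''|'#'*) continue ;; esac
    key=${line%% =*}
    want=${line#*= }
    have=$(sysctl_value "$2" "$key")
    if [ -z "$have" ]; then
      echo "$key: not present"
    elif [ "$have" != "$want" ]; then
      echo "$key: want $want, have $have"
    fi
  done
  return 0
}

# Constructed sample of `sysctl -a` output from a box where two of the
# early_demux settings were overridden and IPv6 forwarding was never enabled.
SAMPLE_SYSCTL_A='net.ipv4.ip_early_demux = 1
net.ipv4.ip_forward = 1
net.ipv4.tcp_early_demux = 0
net.ipv4.udp_early_demux = 1
net.ipv6.conf.all.forwarding = 0'

# Usage on a real router (as root):
#   render_sysctl_conf > /etc/sysctl.d/10_router.conf && sysctl --system
#   sysctl_drift "$ROUTER_SYSCTL" "$(sysctl -a 2>/dev/null)"
sysctl_drift "$ROUTER_SYSCTL" "$SAMPLE_SYSCTL_A"
```

Run against the constructed sample it reports three lines (ip_early_demux, udp_early_demux and the IPv6 forwarding key); on a live box, an empty report after `sysctl --system` is the confirmation that nothing in a later-sorted sysctl.d file clobbered these values.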
I've always found fq_codel to be good enough for gaming through my router. But I have a 10gbps uplink.
It depends on what kind of packet rate one is pushing through the device, what type of hardware is being used as the router and how sensitive one's applications are to such things, but if you want a better scientific answer, run as many load tests as you can that measure packet rates, lag and jitter, then disable them and run your tests again. I should add this is just one tunable related to routing. If bored, dig into this a lot deeper and one will find there are many things that can be adjusted at the NIC, in the OS network stack and so much more.
Some people like defaults because it is less cognitive load and some like to tweak things until they can't get better results. I believe that everyone should be able to choose their own path to satisfaction. If the defaults and fq_codel work for you then that is probably the right answer.
I've been very interested in some of Radxa's boards in the ~$30-70 range, like the E52C [0] and the E20C [1], but they don't have many distributors and seem to have stocking issues [2].
[0] https://radxa.com/products/network-computer/e52c/
[1] https://radxa.com/products/network-computer/e20c/
[2] https://shop.allnetchina.cn/products/radxa-e52c?variant=5034...
I ended up with an Opnsense box. It's an m920q (i5-8500), with riser card and a dual SFP+ NIC in it. All in, it was less than 200 bucks (now it would be closer to three). I ended up with a cheap, Chinese "media converter" (from AliExpress because the same thing on Amazon is 3x the price) that just had two SFP+ ports on it. That let me go from an SFP+ copper Ethernet module to a DAC and not dump a bunch of heat into the 1L PC.
I have to say that the functionality made it a worthwhile investment: traffic shaping, WireGuard and the like have been mostly a joy. And the documentation for Opnsense made the setup and use (mostly) easy.
But I've never even tried to set up my own access point, I just pay Unifi for that [1]. The software part is doable but I don't want to learn to handle the signal issues.
[1] Switched to Unifi in anger after my first consumer level 5 Ghz wifi needed reboots weekly because it was overheating. Do yourself a favour and get the semi pro stuff, Unifi or others.
I kind of feel like that's cheating though; I've outsourced the hardest part of the project to someone else. Maybe one of these days I'll take an old NUC or something and buy a decent wifi antenna for it and try and do it properly.
[1] Initially pfsense, then OpnSense, then ClearOS, and now some custom firewall rules in NixOS.
What’s the simplest way to spin up a simple "cattle, not pet" routing VM? I don’t want to mess with any state, I just want version-controllable config files. Ideally, if applying a version fails, it would automatically roll back to the previous state.
OpenWRT seems like it fits my description most closely, but maybe someone here is a fan of something more flashy/modern.
This made me chuckle, I'm definitely going to quote this the next time our K8S cluster has issues
After I upgraded to a 10GbE ethernet card in my previous router, my card didn't work correctly with FreeBSD-based stuff anymore. I changed to ClearOS and that was actually comparably easy to Pfsense...maybe even easier? I recommend checking that one out.
Beyond getting support for devices completely absent on freebsd, quality of drivers, bugs much more rapidly squashed, and general misc features absent on the bsd side like NBASE-T.
Version control is in the GUI, you can adapt for your needs the number of changes you need. automatic config.xml backup also possible.
There are steps in the middle :)
I'm running OpenWRT on the recent WRT3200ACM and it's going beautifully.
https://openwrt.org/docs/guide-user/installation/openwrt_x86
As much as I love hostapd... the performance using commodity hardware has always sucked for me. I can get 150MB/s over wifi with my proprietary AP!
Edit: And ofc best cheap device imo is OrangePI R1 LTS and a whatever usb wifi dongle. Came in clutch a few times, such a nice little device.
Any computer with a single network interface, maybe even an (old) laptop, can be used. Anything x86 from at least the last 10 years is energy efficient and fast enough to route at gigabit speed. If you don't care about energy usage, any x86-based computer from the last 20 years is fast enough.
The magic trick is to use VLANs, which require switches that support VLANs, which can be had for cheap. VLANs also allow you to create separate isolated networks for IoT or other 'less secure' or untrusted devices.
I’ve always made my own routers by using low-power devices running Linux (Debian) with iptables and now nftables.
No special router OS or software required.
Highly recommend.
P.S. that single network interface is very likely never a bottleneck because network interfaces are full-duplex. Only when your router is also your file server (not recommended), internet traffic and file server traffic could start to compete with each other.
The "router on a stick" paradigm using VLANs to share a single physical port is perfectly valid. You're creating a "now you have two problems" scenario in which you need a VLAN-capable switch and have VLAN configuration to make.
I typically like the ISP router on a dedicated router port to make monitoring the physical link and/or cycling the physical link easier.
Unless your ISP is >1Gbps adding a second port to most devices is as easy as adding a USB NIC.
There are 2.5 Gbps, 5, and even 10 Gbps USB NICs these days, although 10 Gbps ones are pretty expensive and require really recent USB ports.
I agree I want my local network and my WAN port separate, if for no other reasons than so I can use ssh to get into the router from my LAN with the WAN port disabled.
But you might want VLANs anyway, so it's an interesting thing to consider.
VLAN hopping is only possible due to misconfiguration. I'd like to be proven otherwise if that's not the case. VLANs are used EVERYWHERE where it matters. And no, the single port is absolutely not a bottleneck because the port is full-duplex.
Ideally the Pi also should do what the extra DSL modem does… but I guess that's where the dream must stop. :D
This of course means you need a VLAN-aware switch that this single ethernet port can plug into, configured as a VLAN trunk (in Cisco terms) port. You would then want to configure one of the other switch ports as a VLAN access port assigned to VLAN 100 (untagged). This is the port you would plug your cable modem into. Then (in the simplest example) you could assign all the rest of the switch ports to VLAN 200 (untagged), and you would plug all your LAN devices into them.
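An added example, not code from this thread, that carries the router-on-a-stick layout above into the configuration a Linux box would actually need: the `ip link` commands that create the tagged sub-interfaces on the single trunk port, and an nftables ruleset with default-deny input and forward chains, masquerading on the WAN VLAN, and a third, isolated IoT VLAN (my addition, following the earlier remark about VLANs for untrusted devices). The trunk name eth0, the VLAN IDs 100/200/300 and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Router-on-a-stick: one trunk NIC carries the
# WAN, LAN and IoT VLANs; nftables does the forwarding policy and NAT. Assumed
# names: vlan_link_cmds, render_nft_ruleset, forward_allowed. eth0 and the VLAN
# IDs 100 (WAN), 200 (LAN), 300 (IoT) are placeholders.

# Print the ip(8) commands that create and bring up one tagged sub-interface.
# $1 trunk interface, $2 VLAN id  (sub-interface is named trunk.vid)
vlan_link_cmds() {
  printf '%s\n' \
    "ip link add link $1 name $1.$2 type vlan id $2" \
    "ip link set $1.$2 up"
}

# Print an nftables ruleset for the three VLAN interfaces:
#  - input: default drop; LAN may reach the router; IoT only for DHCP/DNS;
#    WAN only rate-limited ping (replies to established flows are always allowed)
#  - forward: default drop; LAN and IoT may go out to the WAN; nothing may be
#    initiated from WAN or from IoT towards LAN (no such accept rule exists)
#  - nat: masquerade everything leaving on the WAN VLAN
# Loading the file with `nft -f` replaces the previous ruleset in one transaction.
# $1 WAN iface, $2 LAN iface, $3 IoT iface
render_nft_ruleset() {
  cat <<EOF
flush ruleset
table inet router {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    iif lo accept
    iifname "$2" accept
    iifname "$3" udp dport { 53, 67 } accept
    iifname "$3" tcp dport 53 accept
    iifname "$1" icmp type echo-request limit rate 5/second accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    iifname "$2" oifname "$1" accept
    iifname "$3" oifname "$1" accept
  }
}
table ip nat {
  chain postrouting {
    type nat hook postrouting priority 100; policy accept;
    oifname "$1" masquerade
  }
}
EOF
}

# Answer "yes"/"no": does ruleset text $1 contain an accept rule for new
# connections from interface $2 to interface $3?
forward_allowed() {
  if printf '%s\n' "$1" | grep -q "iifname \"$2\" oifname \"$3\" accept"; then
    echo yes
  else
    echo no
  fi
}

TRUNK=eth0
WAN=$TRUNK.100; LAN=$TRUNK.200; IOT=$TRUNK.300

# Usage on the router (as root): run the printed ip commands, then
#   render_nft_ruleset "$WAN" "$LAN" "$IOT" > /etc/nftables.conf
#   nft -c -f /etc/nftables.conf && nft -f /etc/nftables.conf
for vid in 100 200 300; do vlan_link_cmds "$TRUNK" "$vid"; done
render_nft_ruleset "$WAN" "$LAN" "$IOT"
```

The switch side is exactly as described above: the router port is a trunk carrying all three tags, the cable modem sits on an untagged access port in VLAN 100, LAN devices in VLAN 200, and IoT devices in VLAN 300. `nft -c -f` syntax-checks the file without touching the live ruleset, and because `nft -f` commits the whole file at once there is no window where the old chains are gone and the new ones are not yet in place.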
I've no deep knowledge of the field, but my understanding is a lot of router/switch hardware uses dedicated hardware designs to ensure they deliver the bandwidth and ultra-low latency even if the device is absolutely slammed with traffic.
I've read before routing/switching in software like pfsense or similar can potentially struggle under some workloads dedicated hardware does not, but I've never seen a good analysis of the trade offs with actual benchmarks.
I'm sure most recent modern CPUs can probably handle a lot, but people often repurpose old SBCs they have like Raspberry Pis etc for projects like this.
The first two versions of 225 have packet drop issues and it’s unclear to me whether v3 third time lucky fixed it. And getting the stepping info out of aliexpress supplier is hard so 226 is safer
Would you have a picture of the ExpressCard laptop connector?
Before Thunderbolt was common, people attempted to use external GPUs with this sort of expander, but it worked really poorly.
Ran openbsd for a few years like that, the base OS included everything needed. I recall it used 24MB of ram and closer to 30MB if ssh'd in. It was very handy to have a local login when playing with firewall rules.
As an added bonus, you get atomic updates of all chains for free.
Granted, for simple usecases, ufw or firewalld may be simpler though.
I have an Orbi AX system which works reliably, but now I want to upgrade the radio to WiFi 7 and that means I need to upgrade all the hardware.
Hoping to move to using off the shelf parts so in the future I can just change the radio (ideally bunch of USB sticks).
I understand this is not strictly just the router. I can (and used to) have a router as a separate device, but any mesh WiFi right now that I can find needs a pricey router that acts as the coordinator, which essentially negates the economic benefits.
Then there's the roaming issue. This is largely what the commercial "mesh" systems try to solve: deciding / helping inform when clients should switch APs. There are many solutions and none of them are without issues, including the commercial ones. Here's a starting point: https://openwrt.org/docs/guide-user/network/wifi/roaming
I encourage everyone to run a hardware router. A cheap dedicated wired router can be had for $50. Run pfSense or the vendor firmware. It’s very rewarding. Also a long-term investment, since routers tend to last for many years while WiFi standards are revised every year or so.
I recommend the free home version of Sophos for the least painful way to do it. Buy a Palo Alto with a full subscription if you are really serious.
Like, is the "free" laptop going to cost you more in the long run than a nice little power-sipping ARM like a Pi5? Or do you need those extra operations-per-second that the more power-hungry x86 CPU gets you?
10W running 24/7 means about 7.3 kWh/month. In my area the average kWh costs about $0.13 CAD.
So a good rule of thumb is that every 10W 24/7 is about $1CAD/mo.
So assuming 30W for a laptop and 6W for a pi4, that means a difference of $29/yr. Which isn't a lot but isn't a rounding error either.
What a dumb timeline.
If you could show all the wiring and label it (according to the table below), I think it would add a lot of value for someone less familiar with these kinds of setups (like me).
* WAN connection comes in by coax, into my cheapo cable modem (off screen), and then by Ethernet into the franken-NIC sitting on top of the laptop.
* The NIC on top is a normal PCIe card, but with the bracket missing. The ExpressCard riser [1] is connected by a mini-HDMI cable, the flat black cable, which curves up, around, and back in from the left side into the laptop.
* Then, the blue cable on the side of the laptop is a VLAN trunk going into the Cisco switch on port 23/24, outside the picture.
* From there, another port on the switch is set up as an access/untagged port going into one of the LAN ports on the D-Link acting as the access switch.
I don't think it was set up here, but at one point I also had a dock under the ThinkPad, with the serial adapter wired up to the switch's console port so I could manage everything by ssh'ing into the router.
[1] https://www.ebay.com/itm/115721630079
Also note that all the cables were hand-crimped because I was too cheap to buy new patch cables at the time.
I was in college, and truly had more time than money back then. It's the kind of doohickey made by only somebody very young, very crazy, or a bit of both. ;)
I've been running various homebrew routers for close to 20 years now; OPNsense is fantastic. Bonus, run it as a VM on your Proxmox host and eliminate a few wires!
Why not? I use an old gaming PC as a "router" (machine exposed to the WAN), and run dozens of services on it besides the firewall/NAT (iptables). Among others: email, Web server, multiple game servers, and many internal services (DNS, hostapd, loads of Docker containers).
E.g. is your pf-based load balancer running its rules before or after the global filtering rules? And if they're running first are they SNATing incoming traffic so the LAN rules allow the traffic through or does it need explicit exceptions for external IPs to traverse to a LAN endpoint?
If you're comfortable with more advanced networking then it's fine to run it all on one box. If you just want to open ports for internal LAN services then that is a very canned and well-supported feature for a gateway firewall.
E.g. see AirSnitch which resulted in large part from mixing too many complex networking rules in single devices.
It seems like you weren't really asking, but I'll answer anyway.
It's bad security practice and opens up your network to attack and/or compromise: you're massively increasing the attack surface, and a compromise of one of those components leaves the attacker sat on your edge router, at which point your entire network is fair game.
Generally speaking you shouldn't expose anything on your edge router / firewall, it's a safety barrier.
You can sit things behind it in a "DMZ", and port-forward and isolate them, etc., so that there are no packets terminating on the actual edge device itself; that lowers the risk of a full network-level compromise.
Chances are you might be fine and never have a problem, but it's still recommended against.
I don't believe physical separation really buys you much here. At most, it may reduce downtime if you do indeed get pwned, but I think that you can achieve the same objective through a combination of containers, VMs, and UNIX users. And running multiple, somewhat redundant machines also has obvious downsides such as increased power consumption, increased maintenance burden, additional space and cabling, etc.
- Soekris net4501 (x86, 486-class CPU) (discontinued)
- PCEngines alix2d3 (x86, AMD Geode LX800) (discontinued)
- PCEngines APU (x86, AMD T40E) (my current router/firewall) (discontinued)
I'm also currently using an APU2 as one of my wireless access points (with hostapd).
All of these have been solid machines that have given me zero problems.
The next system I plan to use is going to be a Banana Pi R4 (ARM Cortex A73), it's a solid choice for a simple router/firewall/DNS/DHCP box. It has a built-in 4-port gigabit switch where each interface can be used as normal Linux interfaces, as well as 2 SFP+ ports that are capable of supporting up to 10 gig ethernet.
It's also one of the few systems that offers true hardware offloading for connection tracking, so things like netfilter flowtables don't have to use any main CPU processing.
I'm currently experimenting with a Banana Pi R4 as a WiFi 7 access point (running Debian with hostapd); however, the current state of the WiFi 7 module for it (BPI-R4-NIC-BE14) and Linux driver (mt7996e) is still pretty young and a bit buggy (i.e., limiting transmit power to 6 dBm without patching the driver to override it, and there's apparently a lack of RF shielding which can contribute to low SNR on the receiving end). With the proper patches in place it makes a decent WiFi 6 access point. I'm hoping these issues get ironed out in the future and I can use it as a true WiFi 7 AP. frank-w is doing outstanding work to help support the open source community with this new hardware.
A year or two back, I was able to get a brand-new fanless Intel N150 with 4x2.5G ports with 16 GB memory for about $150 from AliExpress. I run Proxmox on it, with OpnSense and a couple other things in virtual machines. These days, due to tariffs and the memory shortage, that is more like $440 now, unfortunately. I am kicking myself for not buying two, not so much because of the price increase, but because it would have come in handy multiple times to have a second one on-hand for random experiments.
Given that CPU performance does _not_ tend to be critical for firewall/NAS use cases, if I had to replace it tomorrow, I would go onto eBay and get the highest-spec'd used Dell or HP mini workstation I could find for $120 and plug in a USB3 1gig ethernet dongle for the WAN side.
If you want maximum speed a Lenovo Thinkcentre m720q has a desktop Intel CPU and a PCIe slot. You can add a 2x SFP+ NIC and PCIe riser to get 10G.
:-)
Let me guess, ".*@.*\..*"?
Configuring FreeBSD is extremely straightforward.
Run it in what miniupnpd calls "secure mode" (which prevents clients from adding rules for IPs they can't talk from), put the daemon's rules after your manually-managed ones, and (because of today's world of NAT hole-punching and "just tunnel it over HTTPS, it's the universal firewall bypass protocol" techniques) you're exactly as secure as if you had it off.
Anyone with translate.kagi can find it and translate
Some more idiocy from the FCC chair.
Sure, follow the article and you will get things ... working, but it will also turn you into a sysadmin.
Homelab is my hobby; the CLI, aka command line interface, is where I spend most of the time playing with my Linux containers, BUT you do want a GUI to manage network stuff.
Do you want to do this right, and once? And truly open source, meaning you will never have to pay to use it?
1. OpenWRT: It supports many WiFi 6/7 wireless routers; it provides routing, wireless, a basic firewall, and plugins. Set it once and forget. My dumb OpenWRT wireless-only access point has been running for years. It used to be my main router, same device.
2. OPNsense: This is like going from an EV to a V12 bi-turbo: it will work out of the box, and you change things ONLY if you want to mess around. Provide your ISP login when installing it and everything works out of the box.
My OPNsense bare-metal box has dozens of firewall rules and whatnot, but from an everyday-life point of view I do not touch it other than to check for updates, and neither should you.
Good luck troubleshooting network problems via CLI only if you have no idea what is going on and just followed some article online.
The ready-mades are brutally under-powered, have snowflake UIs that have to be re-learned on each revision, and have very short firmware update windows, so have to be replaced (and the UI re-learned) every few years. While with my OpenBSD thing, it's just `sysupgrade` then `pkg_add -u` -- for almost a decade now.
But yeah, if you're just copy-pasting without understanding, OPNsense is far better.
I get by without it, but I can imagine some won't be able to.
I'd be willing to bet, though, that the overwhelming majority of people who use consumer routers aren't doing anything remotely advanced. A how-to that covers the majority of use cases is valuable even when it excludes advanced use cases.
Perhaps someone else will (or did) write up a how-to for supporting mesh networking in your homebrew router.
About 20 or 25 years ago I used whatever old hardware I could find in someone's cellar or a junkyard, together with 2 NICs and a floppy-disk-drive (FDD) based Linux distribution ...
It outgrew its original media (FDD) and is still active, as a router-focused distribution:
just my 0.02€
# enable IPv4 forwarding between interfaces (non-persistent; use sysctl.conf to keep it across reboots)
echo 1 > /proc/sys/net/ipv4/ip_forward
# source-NAT everything leaving the upstream interface (eth0) to its address
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
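The two lines above are the whole "router" in its minimal form: forwarding plus masquerade, with no filtering at all. Several comments in this thread ask for more than that: keeping services off the edge box and only port-forwarding into a DMZ host, placing a daemon's (e.g. miniupnpd's) rules after the manually managed ones, and, on hardware like the Banana Pi R4, letting connection tracking use a flowtable fast path. The ruleset below is an added example written for this page, not code from any commenter or from the script discussed at the top of the thread; it uses nftables rather than the iptables of the comment above. Everything concrete in it is an assumption: the interface names `wan0` and `lan0`, the LAN prefix 192.168.1.0/24, a DMZ host at 192.168.1.10 serving TCP 443, and the name `miniupnpd` for the chain the UPnP daemon populates (that name must match your miniupnpd.conf). IP forwarding is still a sysctl (`net.ipv4.ip_forward=1`), not part of the ruleset.

```nftables
#!/usr/sbin/nft -f
# Added example for a two-NIC Linux router (not from the thread).
# Assumptions: wan0 = upstream, lan0 = inside (192.168.1.0/24),
# DMZ host 192.168.1.10 serves TCP 443, chain "miniupnpd" is the one
# configured in miniupnpd.conf. Forwarding itself is enabled separately:
#   sysctl -w net.ipv4.ip_forward=1

flush ruleset

define lan_net  = 192.168.1.0/24
define dmz_host = 192.168.1.10

table inet filter {
    # Fast path for already-established TCP/UDP flows. "offload" is only
    # honoured by NICs whose driver supports it; otherwise this is a
    # software fast path that still skips most of the classic forward path.
    flowtable ft {
        hook ingress priority 0;
        devices = { wan0, lan0 };
        flags offload;
    }

    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # Nothing on the edge box is reachable from the WAN. Only LAN
        # clients may use the router's own services (ssh, DNS, DHCP).
        iifname lan0 ip saddr $lan_net tcp dport { 22, 53 } accept
        iifname lan0 ip saddr $lan_net udp dport { 53, 67 } accept
        icmp type { echo-request, destination-unreachable, time-exceeded } accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, packet-too-big, time-exceeded, destination-unreachable, parameter-problem } accept
    }

    # Chain the UPnP daemon appends to. Empty here; the daemon fills it in.
    chain miniupnpd {
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        # Hand established TCP/UDP flows to the flowtable, then accept them.
        ct state established,related meta l4proto { tcp, udp } flow add @ft
        ct state established,related accept
        ct state invalid drop
        # LAN -> Internet
        iifname lan0 oifname wan0 ip saddr $lan_net accept
        # Internet -> DMZ host, only for the port DNAT'ed below. The filter
        # hook runs after prerouting NAT, so match the inside address and
        # require that the packet actually went through DNAT.
        iifname wan0 oifname lan0 ip daddr $dmz_host tcp dport 443 ct status dnat accept
        # Daemon-managed exceptions are evaluated last, after the manual rules.
        jump miniupnpd
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        # Port-forward: inbound 443 on the WAN goes to the DMZ host.
        iifname wan0 tcp dport 443 dnat to $dmz_host
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        # Same effect as the iptables MASQUERADE line in the comment above.
        oifname wan0 masquerade
    }
}
```

Load it with `nft -f` and check the flowtable with `nft list flowtables`; if the driver does not support offload, nft either rejects the `offload` flag at load time or the flowtable silently stays in software mode, depending on the kernel version, so verify rather than assume. The ordering point from the miniupnpd comment is the `jump miniupnpd` at the end of `forward`: the daemon can only ever widen what the manual rules already allow, never pre-empt a drop placed earlier in the chain.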
So if anything can be turned into a router will importing anything be banned as well?