Build Your Own Router/Firewall Discussion Thread - Canadian TV, Computing and Home Theatre Forums

post #1 of 26 (permalink) Old 2016-05-09, 10:33 PM Thread Starter
Veteran
 
Join Date: Jun 2011
Location: 43° N, 81.2° W
Posts: 8,191
Build Your Own Router/Firewall Discussion Thread

This thread is to discuss building your own internet router/firewall/VPN/etc. That includes discussion of suitable hardware, software, configuration, personal projects or experiences and advantages/disadvantages to building vs buying a commercial product.

Hardware - What could be used and what have people had success using? That could include mini-PCs with multiple network ports, building a custom PC or an unused PC gathering dust in the basement.

Software - This includes using Linux or FreeBSD and prebuilt router/firewall distros such as pfSense, IPFire, Smoothwall, ClearOS and OPNsense.
ExDilbert is offline  
post #2 of 26 (permalink) Old 2016-05-09, 10:48 PM Thread Starter
Veteran
 
Join Date: Jun 2011
Location: 43° N, 81.2° W
Posts: 8,191
Why Build Your Own Router/Firewall

Speed: It's needed for gigabit internet and VPNs. This is where a lot of consumer products fall short. There are routers out there that can handle this but they tend to cost close to $200 or more. A good business grade router can cost $500 and up.

Cost: That shiny new internet router that costs $200 today may need to be replaced in 2-3 years. Meanwhile, rolling your own with a low end PC can cost very little. Sometimes, a couple of network cards is all that is needed.

Security: A lot of consumer grade internet routers do not get updates after a year or two, sometimes never. Meanwhile, hackers are uncovering new router exploits on a regular basis. Internet routers based on open source projects like Linux get regular security updates. In addition, it's possible to install virus scanning on a home built router.

Features: Lots of them are left off of consumer grade internet routers but they are available in Linux and open source router distros.
ExDilbert is offline  
post #3 of 26 (permalink) Old 2016-05-10, 07:02 AM
Veteran
 
Join Date: May 2009
Location: Mississauga
Posts: 7,959
I've been running a computer running openSUSE Linux for several years. The current computer used is a refurb HP 64 bit. I just use the firewall software built in with openSUSE. One thing I have been using it for is a 6in4 tunnel, to get IPv6. I've been doing that for about 6 years, but will be shutting it down soon, now that Rogers offers native IPv6. I also run a caching DNS server.

I haven't lost my mind. It's around here...somewhere...
JamesK is online now  
 
post #4 of 26 (permalink) Old 2016-05-10, 09:20 AM
Veteran
 
Join Date: Nov 2003
Location: Kincardine ON.
Posts: 4,453
I played with my old Netbook (Atom N250, 2GB RAM), with pfSense, its built-in network, and a spare USB network adapter. I never used its wireless, just my routers set up as a WAP.

That experiment was not unsuccessful, but ultimately I stuck with a conventional router for simplicity.
classicsat is offline  
post #5 of 26 (permalink) Old 2016-05-10, 10:08 AM
 
Join Date: Nov 2005
Location: Calgary
Posts: 731
Simplicity - dedicated router wins 10 out of 10. Flexibility, for home use, I doubt anything can beat pfSense with a few inexpensive Wi-Fi access points spread throughout the house.

A year and a half ago, I built a dedicated server based on an Asrock E3C226D2I mini-ITX motherboard. And, while it comes with 2+1 Intel LAN ports, I couldn't resist getting a cheap Intel i350 based quad port, half-height card off of eBay. Installed free Microsoft Hyper-V 2012 R2 Server, pfSense as one VM, Blue Iris security camera server on another, and 2-3 more VMs covering other tasks (web server, offloading recorded shows from Telus Optik TV PVR via Hauppauge HD PVR 2, etc.)

Took some planning, but I wouldn't go back. Now getting into IPv6 since Telus activated it earlier this year. The OpenVPN server alone on pfSense is worth a lot. I had OpenVPN previously running on an Asus RT-AC68U, but there was always one issue or the other, even with Merlin's firmware. Much smoother now, and utilizing the full speed of the 50/10 Internet connection, since Xeons do AES-NI acceleration in hardware.

I realize it's not for everyone, but if you are technically inclined it can be done relatively fast. Cost effectiveness of my setup is questionable, but I didn't do it for cost. If you are looking for a cost effective(er) solution maybe one of the prebuilt pfSense boxes makes more sense. Still offer 2-6 LAN ports, just can't run VMs on it. Check the product page on the pfSense web site.
The_Penguin likes this.
753951 is online now  
post #6 of 26 (permalink) Old 2016-05-10, 03:33 PM Thread Starter
Veteran
 
Join Date: Jun 2011
Location: 43° N, 81.2° W
Posts: 8,191
I became interested due to this article. It makes a pretty good case for building a DIY router.

I looked at the Mini-PC dual LAN box described in the article. Two things occurred to me. One is that they are probably a bit overpriced and I could do a little better at that price point. The other is that I wanted 4 LAN ports or at least the option to expand to more ports. I found an Intel J1900 Fanless Firewall Barebone Mini Box PC with Multi Intel Nic 4 LAN on eBay and Amazon. Landed cost for a fully configured unit would be close to $300. The one drawback is that the LAN ports are Realtek. That's a major strike against it.

Then I realized that I had a mostly idle media server (formerly HTPC) that could be re-purposed. It consisted of the following components:
  • IN WIN BK623 Case
  • Silverstone SFX Series 300W PSU
  • GA-MA785GM-US2H
  • AMD Athlon 64 X2 5050E Dual Core Processor
  • 8GB RAM
  • 60GB SSD Drive

It's a bit of overkill for an internet firewall/router and the motherboard only has 2 PCIe slots but that's enough for now. The addition of 2 Intel PRO/1000 CT Gigabit network adapters completed the system. Building a similar system from scratch would cost close to $400 but, with a little scrounging and borrowing parts from other systems, the cost was nothing.

Up next was deciding on the software. It was pretty much a given that it would be Linux or BSD based. Distrowatch lists 16 dedicated firewall distros and any stable distro would work, plus I ran into a few others. After tracing down a few dead ends and reading lots of specs I decided on pfSense. It's based on FreeBSD which is very stable, very secure and very small. Add to that the relatively easy setup and that I have some experience with FreeBSD.
ExDilbert is offline  
post #7 of 26 (permalink) Old 2016-05-10, 03:49 PM Thread Starter
Veteran
 
Join Date: Jun 2011
Location: 43° N, 81.2° W
Posts: 8,191
@753951
I also have a server based on a dual NIC ITX board. It's Atom based so I doubt the CPU would handle that much load. I also want to keep it behind a firewall, not act as one. Nice work though. That Intel i350 based quad port NIC is an especially nice find. It has the potential to save some money and space on a router/firewall build.

Another motivation for me is being able to specify DNS servers on the router. There are fields for that on the current router (D-Link DIR-827) but it gets overridden by DHCP. The primary DNS server that Rogers points to is a real dog. The secondary server is much better but the router doesn't allow reordering or overriding the Rogers defaults.
ExDilbert is offline  
post #8 of 26 (permalink) Old 2016-05-29, 07:45 AM
Veteran
 
Join Date: May 2009
Location: Mississauga
Posts: 7,959
Last week, I switched my firewall/router computer from openSUSE Linux to pfSense, due to support for dhcpv6-pd. It appears to work well. The computer I use is a refurb HP 64 bit computer I picked up from Factory Direct a couple of years ago. Since Rogers now provides IPv6, I no longer use the 6in4 tunnel that I had running for 6 years.

I haven't lost my mind. It's around here...somewhere...
JamesK is online now  
post #9 of 26 (permalink) Old 2016-05-29, 04:25 PM
 
Join Date: Nov 2003
Location: Toronto, ON
Posts: 626
Here is something else you may want to consider.

OpenBSD PF: User's Guide

More info

https://en.wikipedia.org/wiki/PF_(firewall)
Gino Cerullo is offline  
post #10 of 26 (permalink) Old 2016-10-30, 03:32 PM
Rookie
 
Join Date: Oct 2016
Posts: 11
Another hearty recommendation for the free NetBSD-based pfSense here. Mine is an old P4 2.8GHz with 4GB of RAM (overkill I'm sure). It has everything you'd want as it scales up to relatively large business sizes. Great support forums too. I used to use IPCop, and the single floppy based Linux Router Project - LRP before that :-), but support died off and I'd heard great things about pfSense. I've always used my own router/firewall for some reason. Probably due to the greater feature set. For wifi I simply turn off the router portion of the wifi unit and have the pfSense box dish out IPs to wireless hosts also.

Ironically a capacitor in my firewall's Antec power supply blew this week which scared the hell out of me as it's real close under my desk. So I had to call Shaw to get them to change my modem from bridge mode (no routing/firewall) to normal until I can find a new power supply for cheap.
Rimsky is offline  
post #11 of 26 (permalink) Old 2016-10-30, 03:58 PM
Veteran
 
Join Date: May 2009
Location: Mississauga
Posts: 7,959
^^^^
I recently came across a pfSense box from Netgate. They also have other models.

I haven't lost my mind. It's around here...somewhere...
JamesK is online now  
post #12 of 26 (permalink) Old 2016-10-31, 11:21 AM Thread Starter
Veteran
 
Join Date: Jun 2011
Location: 43° N, 81.2° W
Posts: 8,191
I've switched to OPNsense. It's based on the same open source code as pfSense but it's more stable and fixes a couple of bugs in pfSense that were causing problems. OPNsense is also more secure and does not charge for documentation. The OPNsense documentation can be found here.

pfSense and OPNsense sell their own hardware but they tend to be a little overpriced. The best small form factor solution I've seen is using a 'j1900 mini pc' that are widely available from sites like eBay and Amazon. They are available in two port and four port models and feature integrated Intel NICs which makes them ideal for pfSense and OPNsense firewall router use.

Quote:
I recently came across a pfSense box from Netgate.
That looks like it may work but it doesn't exactly represent building your own firewall/router. It also appears to be under-powered for use with very high speed internet connections such as gigabit internet. It falls short on other specs such as the recommended minimum 1.6GHz dual core CPU, 4GB of RAM and 4GB of virtual disk space.
ExDilbert is offline  
post #13 of 26 (permalink) Old 2016-10-31, 11:47 AM Thread Starter
Veteran
 
Join Date: Jun 2011
Location: 43° N, 81.2° W
Posts: 8,191
I decided to update my original configuration with a lower power motherboard and CPU. It now consists of the following components:

  • IN WIN BK623 Case
  • Silverstone SFX Series 300W PSU
  • GIGABYTE AM1M-S2H AM1 FS1B
  • AMD Athlon 5350 Quad Core APU
  • 8GB RAM
  • 60GB SSD Drive
  • OPNsense Open Source firewall/router software

The updates are in bold. The new components cost about $100 combined which makes it a low cost solution. The AM1 APU is very low power, saving on electrical costs, while providing more than enough computing power to run a firewall/router. The GIGABYTE AM1M-S2H was chosen because it has 3 PCIe slots for network cards. If I was building from scratch, I might have used the Intel i350 based quad port NIC mentioned above and a mini-ITX board and case.
ExDilbert is offline  
post #14 of 26 (permalink) Old 2017-07-30, 11:09 AM
Rookie
 
Join Date: Jul 2017
Posts: 5
Hi;
I have a 4 gig pfSense box set up; the next one will be like yours, I hope LOL.
Right now I split from the Optik modem to a switch, pfSense on my PC only, as I need to not filter with Snort and Squid another user (gf/she hates not being able to go to spots/work site lol) + IPTV on the 3200 router.

Dual core amd 350d onboard
4gig ram
small hard disk
mini-itx build
1 pci nic+onboard

I have an idea as I could just pass IPTV and users PC through Snort and Squid I think.
But it's the not blocking bogon networks on both interfaces I'm worried about.
Any thoughts would be great.
I may go IPFire though, but I'm happy with pfSense for now. After this update I'm screwed though, as the hardware does not do AES-NI and it is needed.
modd is offline  
post #15 of 26 (permalink) Old 2017-07-30, 03:47 PM Thread Starter
Veteran
 
Join Date: Jun 2011
Location: 43° N, 81.2° W
Posts: 8,191
The AM1 mentioned above is no longer available. There seems to be a general lack of options for low power CPUs and embedded motherboards with mobile chips. I'm guessing there is not much of a market for them due to ARM (and cheap Android boxes) taking over much of the low power CPU market. Unfortunately, Android boxes are not suitable for use as a router. AMD is rumored to be developing a Ryzen based replacement for the AM1 but I haven't seen it.

These days, I would consider one of the Intel J1900 barebones PCs with 4 ethernet ports that are sold for use with pfSense. Make sure the ethernet ports are Intel based since they have better performance and support. These barebones boxes are not cheap. The end cost would be close to that of a high end router but it is an elegant solution and is more powerful than most routers. They don't include wifi. I would stick with OPNsense which seems to be a bit more stable.

Another option would be an Intel Mini-ITX build using a motherboard with dual Intel ethernet ports. The Z270 boards often also have very good AC wifi. That would be a considerable overbuild due to the nature of the chipset. (These boards are usually designed for gamers.) Cheaper Pentium or i3 CPUs are available but they are not low power and the combined cost is fairly high. I would also get a much smaller case. An AMD motherboard could be used but then a 2 to 4 Intel NIC and larger case would be required.
ExDilbert is offline  