DIY Firewall Router

From Info Wiki
Revision as of 02:58, 20 February 2016 by Rpeters (talk | contribs) (→‎Developer Boards)

Getting Technical

DIY routers overcome the limited support that is provided for commercial units. With careful hardware selection the former do not require much additional space or wattage.

A superseded PC provides a suitable "trial-horse" for anyone wanting to explore a DIY hardware firewall. Any PC having a minimum of a 500 MHz CPU plus 512 MB RAM is adequate. Web sites for the software below provide lists of newer, compact hardware that could be deployed longer-term.

Software

Although many Linux and BSD distributions can be configured as a gateway-router, it is generally simpler and more watt-efficient to use a specialised firewall/gateway distribution. Better known ones are listed in Linux_Distribution_Recommendations. Although BSD based distributions such as Monowall are quite functional, their use would involve an additional learning curve for most people.

Detailed hardware and configuration guidelines are provided on the relevant web sites. The notes below cover some additional issues.

Hardware

  • PCs having an x86 CPU are the most reliable for the above software
    • only some "development boards" having an ARM CPU are now viable in lieu of x86 - see "Strictly for Geeks" below
    • optional functions, particularly download caching, require extra CPU power, RAM & storage
  • 10 Mb/s network interfaces suffice - unless running an ADSL 2 or faster link
    • NB - the speed of other devices on the LAN is irrelevant; LAN performance depends on the ethernet switch deployed

New low wattage main-boards supporting x86 compatible CPU are now available, although not widely stocked.

  • an issue now with older mainboards is that these might not be compatible with the Grub 2 bootloader now being used by the software, and it is not feasible to replace the bootloader in these packaged distributions.

Zoning

Software for DIY routers implements similar network zoning to that in up-market commercial routers. An aspect that is different is the colour coding of zones:

  • RED for untrusted/unfiltered Internet
  • GREEN for most trusted, wired LAN connections
  • BLUE for less trusted WiFi connections
  • PURPLE for additional LAN zone
  • ORANGE for Demilitarized Zone, (DMZ)
    • not required by most home users
    • typically used for stand-alone servers, to which access from the Internet is permitted
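As an added illustration (not part of the original wiki page), a small Python model of the zone scheme above: a trust ordering between the colour-coded zones plus explicit "pinholes", rendered as default-deny iptables FORWARD rules. The interface names, the trust order and the DMZ ports are constructed assumptions, not settings taken from any distribution.

```python
# Zone-based policy modelled on the RED/GREEN/BLUE/ORANGE colour scheme.
# Interface names, trust order and pinhole ports below are constructed assumptions.
from itertools import permutations

ZONES = {            # assumed zone -> interface mapping
    "RED": "eth0",   # untrusted/unfiltered Internet
    "GREEN": "eth1", # most trusted, wired LAN
    "BLUE": "wlan0", # less trusted WiFi
    "ORANGE": "eth2" # DMZ for Internet-reachable servers
}

# Higher number = more trusted. New connections may flow from a more trusted
# zone to a less trusted one; the reverse direction is denied unless pinholed.
TRUST = {"GREEN": 3, "BLUE": 2, "ORANGE": 1, "RED": 0}

# Explicit exceptions: (src, dst) -> TCP ports permitted against the trust rule.
# Constructed example: a DMZ web server reachable from the Internet on 80/443.
PINHOLES = {("RED", "ORANGE"): [80, 443]}


def allowed(src, dst, port=None):
    """Return True if a new connection from zone src to zone dst is permitted."""
    if src == dst:
        return True
    if TRUST[src] > TRUST[dst]:
        return True
    return port is not None and port in PINHOLES.get((src, dst), [])


def iptables_rules():
    """Render the policy as stateful, default-deny iptables FORWARD rules."""
    rules = [
        "iptables -P FORWARD DROP",
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for src, dst in permutations(ZONES, 2):
        i, o = ZONES[src], ZONES[dst]
        if TRUST[src] > TRUST[dst]:
            rules.append(f"iptables -A FORWARD -i {i} -o {o} "
                         "-m conntrack --ctstate NEW -j ACCEPT")
        for port in PINHOLES.get((src, dst), []):
            rules.append(f"iptables -A FORWARD -i {i} -o {o} -p tcp --dport {port} "
                         "-m conntrack --ctstate NEW -j ACCEPT")
    return rules


if __name__ == "__main__":
    print("\n".join(iptables_rules()))
```

Because the policy is default-deny, anything not produced by a trust relationship or a listed pinhole (for example RED to GREEN on any port) is dropped by the FORWARD chain policy rather than by an explicit rule.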

Routed Modems

The software is most simply configured for use with a modem that has been put into Bridged Mode. Some newer models, including some USB Mobile Broadband devices, are permanently in Routing Mode. Different settings are required for these and are detailed at Wireless Broadband. Although written for wireless broadband devices, the settings also work with wired modems in Routing Mode.

Fail-Over

This feature is often provided in commercial routers, to quickly switch the Internet connection between wired and wireless WAN as a contingency. It is more complicated to set up in DIY Firewall Routers because the latter have the settings for their WAN interface in the low-level menu. The simplest approach is to use an SD card for the system, then cold-swap SD cards & reboot when the other WAN is required.

Strictly for Geeks

Be aware that the following techniques can render commercial routers unusable and perhaps unrecoverable, if applied unsuccessfully.

openWRT

openWRT http://wiki.openwrt.org is a long standing project aimed initially at utilising improved software on commercial routers. More recently it has morphed to:

  • a more general embedded Linux distribution for compact devices
  • covering a much wider range of off-the-shelf devices

One of the more popular devices to which openWRT is currently applied is the TP-Link TL-703N

  • not sold on the Australian market
  • must be sourced from China
  • nearest equivalent on the Australian market appears to be the TP-Link TL-MR3020

Developer Boards

Boards utilising an ARM CPU can now be used for DIY routers.

  • IPFire is the only well-known firewall/router that has reached release level for these
    • and only for specific boards - see the IPFire site
    • essential to select the exact hardware specified
  • ARM compilations are not robust to "unclean" shutdowns
    • advisable to retain a reserve copy on SD card
  • ssh to these installations is not robust
  • the Raspberry Pi is the best known hardware example - see Raspberry Pi
    • alternatively, Raspbian could be adapted as a firewall/router for it

Deploying IPFire on these boards does require more technical knowledge and equipment, but has the potential to match commercial routers in wattage and size

  • whilst maintaining the advantage of frequent software updates
  • BananaPi boards additionally require a 3.3V UART-USB cable during installation

Developer boards typically have more RAM & CPU resources than openWRT devices, thus making print servers and caching routers more practical.

--Rod 12:48, 20 February 2016 (AEDT)