DIY Firewall Router

From Info Wiki
Revision as of 12:52, 20 February 2016 by Rpeters (talk | contribs) (Developer Boards)


Getting Technical

DIY routers overcome the limited support that is provided for commercial units. With careful hardware selection they do not require much additional space or wattage.

A superseded PC provides a suitable "trial-horse" for anyone wanting to explore a DIY hardware firewall. Any PC having a minimum of a 500 MHz CPU plus 512 MB RAM is adequate. The web sites for the software below provide lists of newer, compact hardware that could be deployed longer-term.

Software

Although many Linux and BSD distributions can be configured as a gateway-router, it is generally simpler and more watt-efficient to use a specialised firewall/gateway distribution. Better known ones are listed in Linux_Distribution_Recommendations. Although BSD-based distributions such as Monowall are quite functional, their use would involve an additional learning curve for most people.

Detailed hardware and configuration guidelines are provided on the relevant web sites. The notes below cover some additional issues.

Hardware

  • PCs having an x86 CPU are the most reliable for the above software
    • only some "development boards" having an ARM CPU are now viable in lieu of x86 - see "Strictly for Geeks" below
    • optional functions, particularly download caching, require extra CPU power, RAM & storage
  • 10 Mb/s network interfaces suffice - unless running an ADSL 2 or faster link
    • NB - the speed of other devices on the LAN is irrelevant; LAN performance depends on the ethernet switch deployed

New low-wattage main-boards supporting x86-compatible CPUs are now available, although not widely stocked.

  • an issue now with older mainboards is that they might not be compatible with the Grub 2 bootloader now used by the software, and it is not feasible to replace the bootloader in these packaged distributions.

Zoning

Software for DIY routers implements network zoning similar to that in up-market commercial routers. One aspect that differs is the colour coding of zones:

  • RED for untrusted/unfiltered Internet
  • GREEN for most trusted, wired LAN connections
  • BLUE for less trusted WiFi connections
  • PURPLE for additional LAN zone
  • ORANGE for Demilitarized Zone, (DMZ)
    • not required by most home users
    • typically used for stand-alone servers, to which access from the Internet is permitted
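The zone model above boils down to a small forwarding policy: trusted zones may open connections outward, less trusted zones may only reach the Internet, and the Internet may only reach published services in the DMZ. The following is an added example, not code from the wiki page or from any of the distributions it mentions; the interface names, the exact inter-zone policy and the DMZ service ports are assumptions chosen for illustration (the PURPLE zone is left out). It decides whether a new flow between two zones is permitted and renders the same policy as a default-deny nftables forward chain.

```python
"""Zone-based forwarding policy for a DIY router (added example, not from the page).

Assumptions: interface names, the inter-zone policy and the published DMZ
ports below are illustrative choices, not anything the wiki specifies.
"""
from typing import Optional

# Constructed zone-to-interface map (assumed interface names).
ZONES = {
    "RED": "eth0",     # untrusted/unfiltered Internet uplink
    "GREEN": "eth1",   # most trusted, wired LAN
    "BLUE": "wlan0",   # less trusted WiFi
    "ORANGE": "eth2",  # DMZ for stand-alone servers
}

# Which zones may *initiate* connections to which zones (assumed policy).
# Anything not listed is dropped; replies ride on connection tracking.
INITIATE = {
    "GREEN": {"RED", "BLUE", "ORANGE"},  # wired LAN may reach everything
    "BLUE": {"RED"},                     # WiFi clients get Internet only
    "ORANGE": {"RED"},                   # a compromised DMZ host cannot reach the LAN
    "RED": set(),                        # Internet never initiates, except published services
}

# DMZ services the Internet may reach (assumed): (protocol, port).
PUBLISHED = {("tcp", 80), ("tcp", 443)}


def allowed(src: str, dst: str, proto: str = "tcp", port: Optional[int] = None) -> bool:
    """Return True if a *new* flow from zone src to zone dst is permitted."""
    if src == dst:
        return True  # intra-zone traffic is switched, never routed through the firewall
    if dst in INITIATE.get(src, set()):
        return True
    # The only inbound exception: Internet -> DMZ on explicitly published ports.
    if src == "RED" and dst == "ORANGE" and (proto, port) in PUBLISHED:
        return True
    return False


def render_nft() -> str:
    """Render the policy as an nftables 'inet filter' table with a default-deny forward chain."""
    lines = [
        "table inet filter {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        "    ct state invalid drop",
    ]
    for src, dsts in INITIATE.items():
        for dst in sorted(dsts):
            lines.append(f'    iifname "{ZONES[src]}" oifname "{ZONES[dst]}" accept')
    for proto, port in sorted(PUBLISHED):
        # If DMZ hosts use private addresses, a matching dnat rule in a nat
        # prerouting chain is also needed; it is omitted here for brevity.
        lines.append(
            f'    iifname "{ZONES["RED"]}" oifname "{ZONES["ORANGE"]}" '
            f"{proto} dport {port} ct state new accept"
        )
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_nft())
```

The point worth checking in any ruleset of this shape is the direction of the exceptions: BLUE and ORANGE each get a single outbound path to RED and nothing toward GREEN, so a compromised WiFi client or DMZ server has no route into the wired LAN, while everything not listed falls through to `policy drop`.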

Strictly for Geeks

Be aware that the following techniques can render commercial routers unusable and perhaps unrecoverable, if applied unsuccessfully.

openWRT

openWRT (http://wiki.openwrt.org) is a long-standing project aimed initially at running improved software on commercial routers. More recently it has morphed into:

  • a more general embedded Linux distribution for compact devices
  • covering a much wider range of off-the-shelf devices

One of the more popular devices to which openWRT is currently applied is the TP-Link TL-703N

  • not sold on the Australian market
  • must be sourced from China
  • nearest equivalent on the Australian market appears to be the TP-Link TL-MR3020

Developer Boards

Boards utilising an ARM CPU can now be used for DIY routers.

  • IPFire is the only well-known firewall/router that has reached release level for these
    • and only for specific boards - see the IPFire site
  • ARM compilations are not robust to "unclean" shutdowns
    • advisable to retain a reserve copy on SD card
    • advisable to select hardware having an ARM CPU series matching the compilation
  • the Raspberry Pi is the best known hardware example - see Raspberry Pi
    • alternatively, Raspbian could be adapted as a firewall/router for it

Deploying IPFire on these boards does require more technical knowledge and equipment, but has the potential to match commercial routers in wattage and size

  • whilst maintaining the advantage of frequent software updates

Developer boards typically have more RAM & CPU resources than openWRT devices, thus making print servers and caching routers more practical.


--Rod 12:48, 20 February 2016 (AEDT)