DIY Firewall Router
Getting Technical
DIY routers overcome the limited support that is provided for commercial units. With careful hardware selection they do not require much additional space or wattage.
A superseded PC provides a suitable "trial-horse" for anyone wanting to explore a DIY hardware firewall. Any PC having a minimum of a 500 MHz CPU plus 512 MB RAM is adequate. Web sites for the software below provide lists of newer, compact hardware that could be deployed longer-term.
Software
Although many Linux and BSD distributions can be configured as a gateway-router, it is generally simpler and more watt-efficient to use a specialised firewall/gateway distribution. Better known ones are listed in Linux_Distribution_Recommendations. Although BSD-based distributions such as Monowall are quite functional, their use would involve an additional learning curve for most people.
Detailed hardware and configuration guidelines are provided on the relevant web sites. The notes below cover some additional issues.
Hardware
- PCs having an x86 CPU are the most reliable for the above software
- only some "development boards" having an ARM CPU are now viable in lieu of x86 - see "Strictly for Geeks" below
- optional functions, particularly download caching, require extra CPU power, RAM & storage
- 10 Mb/s network interfaces suffice - unless running an ADSL 2 or faster link
- NB - the speed of other devices on the LAN is irrelevant; LAN performance depends on the ethernet switch deployed
New low wattage main-boards supporting x86 compatible CPU are now available, although not widely stocked.
- an issue now with older mainboards is that they might not be compatible with the Grub 2 bootloader now used by the software, and it is not feasible to replace the bootloader in these packaged distributions
Zoning
Software for DIY routers implements similar network zoning to that in up-market commercial routers. An aspect that is different is the colour coding of zones:
- RED for untrusted/unfiltered Internet
- GREEN for most trusted, wired LAN connections
- BLUE for less trusted WiFi connections
- PURPLE for an additional LAN zone
- ORANGE for Demilitarized Zone (DMZ)
  - not required by most home users
  - typically used for stand-alone servers, to which access from the Internet is permitted
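The zone model above, as an added example that is not part of the original page: how the colour-coded zones might translate into an nftables ruleset on a plain Linux gateway (the packaged distributions generate this for you). The interface names, the DMZ host address 10.0.3.10 and the published port 443 are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the original page. Interface names, the DMZ host
# address and the published port are assumptions; adjust to your hardware.
flush ruleset

define RED     = eth0         # untrusted WAN (modem in Bridged Mode)
define GREEN   = eth1         # trusted wired LAN
define BLUE    = wlan0        # less trusted WiFi
define ORANGE  = eth2         # DMZ
define DMZ_WEB = 10.0.3.10    # assumed stand-alone server living in ORANGE

table inet zones {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        # GREEN may administer the router; BLUE/ORANGE only get DNS and DHCP
        iifname $GREEN accept
        iifname { $BLUE, $ORANGE } udp dport { 53, 67 } accept
        iifname { $BLUE, $ORANGE } tcp dport 53 accept
        # RED: rate-limited ping only; nothing else reaches the router itself
        iifname $RED icmp type echo-request limit rate 5/second accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # GREEN is the most trusted zone and may reach every other zone
        iifname $GREEN accept
        # BLUE and ORANGE may only go out to the Internet, never into
        # GREEN or into each other, so a compromised DMZ host stays contained
        iifname { $BLUE, $ORANGE } oifname $RED accept
        # RED may only reach the one published DMZ service (after DNAT)
        iifname $RED oifname $ORANGE ip daddr $DMZ_WEB tcp dport 443 accept
    }
}

table ip zones_nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        iifname $RED tcp dport 443 dnat to $DMZ_WEB
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname $RED masquerade
    }
}
```

Load it with `nft -f zones.nft` and confirm the intended isolation from a BLUE or ORANGE host before trusting it: a connection attempt into GREEN should time out, while outbound Internet access still works.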
Routed Modems
The software is most simply configured for use with a modem that has been put into Bridged Mode. Some newer models, including some USB Mobile Broadband devices, are permanently in Routing Mode. Different settings are required for these and are detailed at Wireless Broadband. Although written for wireless broadband devices, the settings also work with wired modems in Routing Mode.
Fail-Over
This feature is often provided in commercial routers, to quickly switch the Internet connection between wired and wireless WAN as a contingency. It is more complicated to set up in DIY Firewall Routers because the latter hold the settings for their WAN interface in the low-level menu. The simplest approach is to use an SD card for the system, then cold-swap SD cards & reboot when the other WAN is required.
Strictly for Geeks
Be aware that the following techniques can render commercial routers unusable and perhaps unrecoverable, if applied unsuccessfully.
openWRT
openWRT http://wiki.openwrt.org is a long-standing project aimed initially at utilising improved software on commercial routers. More recently it has morphed to:
- a more general embedded Linux distribution for compact devices
- covering a much wider range of off-the-shelf devices
One of the more popular devices to which openWRT is currently applied is the TP-Link TL-703N
- not sold on the Australian market
- must be sourced from China
- nearest equivalent on the Australian market appears to be the TP-Link TL-MR3020
Developer Boards
Boards utilising an ARM CPU can now be used for DIY routers
- IPFire is the only well-known firewall/router that has reached release level for these
  - and only for specific boards - see the IPFire site
  - it is essential to select the exact hardware specified
- ARM compilations are not robust to "unclean" shutdowns
  - it is advisable to retain a reserve copy on SD card
- ssh to these installations is not robust
  - a USB-to-(low-voltage)-UART cable is desirable - see Serial_Console
- Raspberry Pi is the best known hardware example - see Raspberry Pi
  - alternatively, Raspbian could be adapted as a firewall/router for it
Deploying IPFire on these boards does require more technical knowledge and equipment, but has the potential to match commercial routers in wattage and size
- whilst maintaining the advantage of frequent software updates
- BananaPi boards additionally require a 3.3V UART-USB cable during installation
Developer boards typically have more RAM & CPU resources than openWRT devices thus making print servers and caching routers more practical.
--Rod 12:48, 20 February 2016 (AEDT)