
Why I built my own homebrew Linux router - alxsanchez
https://opensource.com/life/16/6/why-i-built-my-own-linux-router
======
gcommer
I went through building a home network recently. I went into the project
planning to build my own pfsense box, but after researching it I decided that
I couldn't piece together a custom solution that would both fit my needs and
beat an off-the-shelf Ubiquiti EdgeRouter in more than one of: price,
performance, reliability, power usage, and form factor.

As to the "reliability" point: I love messing with my own networking stuff,
but I've learnt the hard way that if I build my infrastructure from scratch,
I'll inevitably play around with it too much and it'll break as soon as I
desperately need it to just work.

------
mark-r
Is Linux the best choice for a router, or would one of the BSDs work better?
Obviously the author chose Linux because he was most familiar with it, and
that's an excellent reason, but I'm curious what the choice would be if you
were starting with a clean slate.

~~~
mhurron
I found pf's syntax to be much clearer and easier to write, so I chose OpenBSD
for my home router.

~~~
vbezhenar
CentOS 7 (and probably some other distributions) contains firewalld, which is
much easier to configure than iptables. You can easily set up NAT and open and
forward ports, so most typical router tasks are very easy. Though if you
encounter an atypical task, you have to learn iptables, of course.

~~~
Spivak
For reference, it's at least RHEL 7, CentOS 7, Fedora 21+, Debian, Ubuntu,
Arch, and Gentoo.

Source:
[http://www.firewalld.org/documentation/](http://www.firewalld.org/documentation/)

------
widea
Smallwall ([http://smallwall.org](http://smallwall.org)), the successor of
M0n0wall: not many 'moving parts', rock-solid. Saves a lot of time compared
to building it yourself (software-wise).

~~~
VLM
How can it be faster than two lines:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

iptables -A FORWARD -i eth1 -j ACCEPT

and how does it get security patches more often than Debian or FreeBSD or
OpenBSD?

As an answer to the second, I checked the site and the last release was 51
weeks ago and the last beta was 3 weeks ago. Compare that to Debian, whose
archive runs a couple of times a day, and which has a couple hundred devs, a
couple of mirrors, and full security teams.

Here's a list of security-related bugs that Debian has patched since the last
beta of Smallwall.

[https://www.debian.org/security/](https://www.debian.org/security/)

There have been 27 Debian security patches since the most recent Smallwall
beta, not all related to a firewall installation, of course.
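
For comparison with the two lines above, an added example (not VLM's code, nor any project's) of the stateful form of that router a defender would run, plus a check over an iptables-save dump; eth0 as WAN and eth1 as LAN are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: a stateful equivalent of the
# two-line NAT router, plus a check over an iptables-save dump.
# Interface names are assumptions: eth0 = WAN, eth1 = LAN.

# Print the rules rather than applying them, so they can be reviewed
# first (pipe the output to sh as root to apply).
router_rules() {
    wan="$1"; lan="$2"
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $lan -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $lan -o $wan -j ACCEPT
iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE
EOF
}

# Read an iptables-save dump on stdin; succeed only if the filter table's
# FORWARD chain defaults to DROP, so nothing is forwarded from the WAN
# side unless a rule explicitly allows it.
forward_is_default_drop() {
    awk '/^\*filter/ { t = 1 } /^COMMIT/ { t = 0 }
         t && $1 == ":FORWARD" && $2 == "DROP" { ok = 1 }
         END { if (ok) exit 0; exit 1 }'
}

# Constructed sample dumps. The bare two-line setup leaves FORWARD at
# ACCEPT, so nothing in the filter table stops forwarding from the WAN side.
TWO_LINE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth1 -j ACCEPT
COMMIT'

STATEFUL_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT'
```

Run `iptables-save | forward_is_default_drop` on a live box to check the same property there.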

~~~
lowtolerance
You're comparing the number of patches for a distro that's an 11 MB download
to one whose total archive weighs in at about 1.5 TB.

~~~
VLM
Latency vs bandwidth.

One has large formal teams and procedures and FAST updates.

The other ... doesn't.

If there's a problem found and released today, the first will have a patch in
hours. The second will have a new beta every couple weeks, or maybe a stable
release every couple years. That's a long time to wait.

~~~
lowtolerance
Specialization vs. generalization.

One aims to do one thing and do it well (in this case, to provide a means to
use an embedded PC as a secure firewall), while the other aims to provide a
complete solution to make use of a vast repository of free software for many
platforms.

The developer of SmallWall follows the same philosophy put in place by the
developer of m0n0wall, which preceded it:

> SmallWall is a firewall, and the purpose of a firewall is to provide
> security. The more functionality is added, the greater the chance that a
> vulnerability in that additional functionality will compromise the security
> of the firewall.

SmallWall is barebones FreeBSD with about 10 utilities strung together to
provide the functionality one would expect of a commercial-grade firewall.
That's not to say that SmallWall is impenetrable, of course, but it does mean
that its attack surface is a few orders of magnitude smaller than Debian's,
which attempts to make possible virtually anything that can be done today with
free software, on multiple architectures.

You don't have to rush to patch the latest vulnerability in a piece of
software if you've made a conscious decision to avoid using that software in
the first place. For instance, while people on Debian's security team
scrambled to patch Shellshock, m0n0wall was unaffected because it doesn't
provide shell access.

------
cnvogel
For years I was running a Linux “router” for a DSL line on an old Pentium 3.
It was running [http://grml.org/](http://grml.org/) off a CompactFlash card in
an IDE adapter, mounted read-only.

It worked very, very stably. And the machine came for free from a dumpster.

Running services were pppd, dnsmasq, NTP, misc cron jobs and an IPv6 tunnel.

~~~
khedoros
My college roommates and I used to run m0n0wall (which pfSense was forked
from) on a Pentium 3, running from a 400MB hard drive from a stack of very old
computers in my parents' garage.

I turned it on, assigned the network interfaces, and left it alone for about 9
months at a time. Security wasn't really the point. One device per student was
allowed on the dorm network. We had three computer science students living in
that room, so obviously that wouldn't fly for long.

------
sofaofthedamned
I did my own, too. There's more to it than you think.

Firstly, my internet provider BT also provides premium-rate TV channels via
multicast, so that was fun. igmpproxy isn't in the latest couple of Ubuntu
releases; I'm currently rewriting it in Golang to spare others the pain.

Secondly, there are other things you take for granted: UPnP, for example,
which is not great for security by default, but my son would kill me if he
didn't get decent Xbox Live online play.

Then you've got the usual suspects: DNS, DHCP, traffic shaping per device, a
DMZ for friends' devices without access to my LAN, the UniFi controller, the
generally shitty quality of Ubuntu packages, etc. etc.

It's a useful exercise for learning and I'm glad I did it, but it is
definitely more work than sticking an Ubuntu install on and enabling
ip_forward in sysctl.

------
pixl97
I use VyOS (www.vyos.net) for my home router. It's Linux-based, but has a
command-line interface like what you would expect in a dedicated router
platform. Your entire configuration is easily backed up to a text config file,
which makes setting up the same configuration on new hardware easy.

~~~
widea
Still, I wish they had an HTML interface wrapped around it, for convenience.

~~~
btgeekboy
Ubiquiti maintains a fork of Vyatta (which is related to VyOS in ways I'm
admittedly not quite clear on) that also has a web interface. It's for their
hardware, but the EdgeRouter series is quite decent in terms of both
performance and cost. (The Lite platform will do gigabit line speed for about
$100.)

~~~
throwaway1979
I've used VyOS and was generally impressed. The part where we used VyOS was
not exercised to capacity. One thing that confused me was how most (all?)
networking hardware of today makes use of custom ASICs (e.g. chips from
Broadcom) to get line speed in routing etc. How does VyOS/Vyatta compare? If
you had your VMs on the same host as the software router, I understand it is
going to be really fast. But if you have a separate box, don't you see a
significant slowdown?

~~~
pixl97
That depends on whether your network card supports TOE. If your network card
supports full TCP offload then your routing latency can be as low as 0.6-1.4
µs. If you have to go through the entire TCP software stack it's around
20-40 µs, on 10Gb hardware. Full TCP offload puts it in the same ballpark as
a hardware router.

------
dang
Originally discussed at
[https://news.ycombinator.com/item?id=11514221](https://news.ycombinator.com/item?id=11514221).

------
castratikron
I would do something like this, but I can't seem to find any cheap VDSL2 cards
that would work with Centurylink's DSL.

~~~
mindslight
Even if you could, you'd want to keep that blobby PoS away from your PCIe bus.
AFAIK, DSL chipsets suffer from the same insecurities as cellphone basebands,
from similar desires for secrecy.

You're better off just getting a modem that speaks ethernet or using your
current router in bridge mode. Consider the ethernet your demarc point. This
will get you some additional galvanic isolation as well.

------
ausjke
Nice, and that's what I do; the C1037U is a bit out of date as far as the CPU
goes, though.

~~~
ausjke
Why the downvote? You can find better CPUs these days for the same purposes,
be it Gen8 or J1900.

