
Building My Own Home Router - akerl_
http://nickpegg.com/2014/8/building_my_own_home_router,_part_1.html
======
blueking
These are the best SBC routers on the market. It used to be between Soekris
and pcengines, but Soekris dropped the ball.

And the enclosures are also very nice.

[http://pcengines.ch/apu.htm](http://pcengines.ch/apu.htm)
[http://pcengines.ch/case1d2u.htm](http://pcengines.ch/case1d2u.htm)

It uses coreboot, which you can recompile from source to be reasonably sure there are
no BIOS backdoors, and it also has a hard firmware flash write jumper (thanks to
me)... to make sure your recompiled BIOS doesn't get overwritten remotely when
a vulnerability is found in your OS (easy with coreboot if you leave the
.config in the firmware image, which is the default). I suggest you run the
latest OpenBSD, and add the NEUG USB RNG. This is a dream machine. 64-bit 1GHz
dual core... up to 4 gigs of RAM, low power, great great design, two PCIe card
slots, gig eth. The best. And I have tried everything.

Building your own PC tower as a firewall, well, been there. It's not the way.
Fun project, sure, but wasteful and inefficient.

There are a few really good cheap routers that can run OpenWRT amazingly fast,
i.e.

[http://www.amazon.com/TP-LINK-TL-WR841N-Wireless-Router-300M...](http://www.amazon.com/TP-LINK-TL-WR841N-Wireless-Router-300Mpbs/dp/B001FWYGJS/)

If you

1\. add the packet shaping module and fill in your modem's speed,

2\. replace the router's /etc/hosts file to block all internet advertising, including
YouTube ads, with this:

[http://winhelp2002.mvps.org/hosts.htm](http://winhelp2002.mvps.org/hosts.htm)

and 3\. change the DNS to Google's 8.8.8.8 and 8.8.4.4,

Then you have the ultimate home router setup. But if you want secure / VPN /
Tor bridge etc., then you need to go to the above-mentioned with OpenBSD and be
careful to buy a compatible WiFi PCIe card.

~~~
q3k
The main problem I have with the PCEngines APU is that it has Realtek
8111/8169 NICs, while the Soekris net6501 has e1000 Intels... Realtek NICs
tend, from my experience, to behave erratically under high load on Linux, and
sometimes simply not work on FreeBSD and OpenBSD.

The full-sized PCIe slot is also a nice touch.

(disclaimer: possible bias, am running an OpenBSD/net6501 as an edge router for
a hackerspace)

~~~
sounds
I tracked down the r8169 problem to a problem when multiple descriptors are
fetched in one IRQ. Kernel 3.12 includes a fix that only fetches one at a
time. Have you tried a kernel with that fix in it?

~~~
q3k
Not yet - I'm really more interested in getting FreeBSD working with it :).

------
brooksbp
Highly recommend Mikrotik for those interested in something beyond your
average household router. Their Tilera-based CCR series routers are quite nice
and affordable. More L2-L7 features than you could wish to nerd out with for
your home network.

Also agree with the statement that rolling your own is generally a bad idea.

~~~
watt
Yeah, Mikrotik routers are insanely feature-rich. I got RB2011UiAS-2HnD-IN
(Level5 licence). I would recommend RB951G-2HnD (Level4) actually, because I
have no use for SFP optical cage or 5 extra 100mbit ports (both have 1+4
gigabit ports). Both run on Atheros AR9344 600MHz CPU.

------
vonskippy
Rolling your own firewall is almost always a bad idea. Hardening a full blown
distro is a terrible place to start, and no place for a novice to "guess" that
they have it locked down "enough".

There are numerous open source firewall distros that have the advantage of
being authored by people well practiced in security coding, pen testing, etc.,
and are continually crowd tested for loopholes and shortcomings.

It's your edge device for security - not exactly a place you want to take
risks with.

~~~
jfindley
While I sympathise with the sentiment, there are a couple of things to point out
here.

Firstly, none of the firewall distros I've seen have really prioritised
security all that much - they tend to prioritise fancy interfaces and rolling
lots (often far too many) features into one box. I'm not aware of a single one
of the commonly used firewall distros that enables selinux, for example
(although I've not looked at all of them - I could have missed one).

Secondly, this is clearly a home product - not a device that's likely to be
the focus of a large amount of determined attacks. As long as you don't allow
password-based logins, and regularly apply security patches, the likelihood of
being compromised is very small. Modern mainstream Linux distributions aren't
as horrendously insecure by default as you imply - the job of locking them
down isn't a massively complex black art.

~~~
VLM
"I'm not aware of a single one of the commonly used firewall distros that
enables selinux"

The commonly used "for firewalls" distro is Debian, and selinux "works" on vanilla
Debian. It's a labor hog, making it less efficient to enable selinux than to
look for / fix other problems, but it can be done if you insist and are
willing to spend less time securing more important areas (pretty much
everything, unfortunately).

On the other hand I am also unable to find a "firewall distro" solely for FW
work that does selinux as of last time I looked. Hard to prove a negative, but
it is possible to prove that if it exists, it's well hidden. The marketplace
for FW distros is focused on ease of use, security theater, and
authoritarianism and credentialism, so actual security related features are
going to be a pretty low priority in the market, which is humorous / ironic.

~~~
blueking
Ah selinux, the NSA's contribution to the Linux kernel.

------
rstephenson2
Does anyone know of anything a bit larger? There are a lot of great little
devices for running WRT for your home, but are there any open distributions
for, say, a 50-person startup? At that level, things like maximum connection
count and QoS play more of a role. Is it possible to just scale up the
hardware and run openWRT, or are there other concerns?

~~~
walterbell
Ubiquiti has a $100 device that will route 1 million packets/sec, distro is
Vyatta based on FreeBSD, [http://www.ubnt.com/edgemax/edgerouter-lite/](http://www.ubnt.com/edgemax/edgerouter-lite/)

~~~
m-app
I was intrigued at first, especially after reading the comparison with Cisco
and Juniper gear and seeing that the Ubiquiti was outperforming them. But
when I read up on the forums I noticed that as soon as you enable any
interesting advanced features the performance will drop because hardware
offloading is disabled. A couple of examples: a modify firewall rule,
load-balancing, netflow, QoS and probably many more.

For a couple of end user benchmarks:
[http://community.ubnt.com/t5/EdgeMAX/kernel-compilation/td-p...](http://community.ubnt.com/t5/EdgeMAX/kernel-compilation/td-p/466677/page/3)

~~~
walterbell
This thread claims that additional offload support is planned, but there are
no recent progress reports,
[http://community.ubnt.com/t5/forums/forumtopicprintpage/boar...](http://community.ubnt.com/t5/forums/forumtopicprintpage/board-id/EdgeMAX/message-id/4750/print-single-message/false/page/1)

Is this a limitation of VyOS or the closed-source offload/acceleration driver?

For Intel hardware, DPDK improves performance even in virtualized
environments, [http://rishidot.com/blog/cloudcomputing/intel-dpdk-and-cloud...](http://rishidot.com/blog/cloudcomputing/intel-dpdk-and-cloud/) &
[http://events.linuxfoundation.org/sites/events/files/slides/...](http://events.linuxfoundation.org/sites/events/files/slides/DPDK_RCU_0MQ.pdf)

~~~
gonzo
It's a limitation of the offload that the (closed source) driver enables.

------
akerl_
The second post
([http://nickpegg.com/2014/8/building_my_own_home_router,_part...](http://nickpegg.com/2014/8/building_my_own_home_router,_part_2_-_802.11.html#disqus-thread))
mentions issues with getting the 7260-ac to do 5GHz.

Does anybody have suggestions for another card that would allow that without
having to do kernel-level hijinks?

~~~
sounds
Have a look at TP-Link cards with an Atheros chipset. They're cheap and work
quite well out of the box.

------
rsync
An older laptop with two xircom realports[1][2] is a great platform for a
router.

First, you never, ever have to futz around with monitors, monitor cables,
serial cables, terminals, etc., because _the kvm is built in_. I don't care
how slick your tools are, when things aren't working, you don't want to spend
the first 15 minutes dicking around with tip and ring and your null modem
cable, etc.

Second, with two xircom realports, you have a laptop with up to three full
size rj45 ports, which is very handy. No dongles.

Bonus: it has a built in UPS!

[1] xircom realports were these really slick full-height pcmcia cards that
were modular and you could mix and match them ... and they had real, full size
rj11 or rj45 ports in them.

[2] xircom realports work in FreeBSD 8.3-RELEASE, but neither 8.2 nor 8.4. So
you need to choose a pfsense build based on 8.3 ...

~~~
callesgg
I used to say the same stuff about the built-in UPS in my laptop server.

Until I almost burned down my house. Apparently laptop battery charge
controllers do not work as intended when plugged in for long periods.

Otherwise laptops are perfect as cheap low power servers.

~~~
mnw21cam
Sounds like you had a duff charger circuit.

However, yes, a LiIon battery is not meant to be left continuously on charge.
A lead-acid battery (typically used in UPSes) _is_ meant to be left
continuously on charge.

~~~
simoncion
Shouldn't the charging controller in the laptop stop charging the battery once
the battery is at full charge?

It seems to me that a great many folks leave their laptops plugged in for
weeks or months at a time, and that this would be something that a laptop
designer would account for.

(Anecdata: The six-ish year old battery in my primary laptop still holds ~60%
of its original maximum charge. This laptop spends the vast majority of its
time on, with the battery installed, and plugged in to an AC outlet.)

~~~
callesgg
It definitely SHOULD turn off when full. No doubt about it.

------
chrissnell
I undertook a similar project last year to replace my outdated Soekris router:

[http://output.chrissnell.com/post/39550480075/the-jack-of-al...](http://output.chrissnell.com/post/39550480075/the-jack-of-all-trades-home-server)

I built a mid-tier server-grade machine with Intel NICs and I run ESXi on it.
My firewall (pfSense/FreeBSD) runs virtualized in an instance. It's very
flexible, stable, and the performance is outstanding. I used VMware's
vSwitches to connect the pfSense VM with dedicated NIC ports for each network
segment.

------
windexh8er
Beyond the coreboot argument I don't see a whole lot of value in the SBC
router arena anymore. I used to be "that guy" as well, but since purpose-built
hardware exists that does routing better there's no point.

AMD and Intel CPUs are pointless in this space - you can get far more packet
performance, accelerated in hardware, with CPUs like Cavium (MIPS). I happen
to work for a company that uses a lot of Cavium processors in its products,
and they are the de facto standard in networking gear that is accelerated
today. There is a little company called Ubiquiti (not who I'm employed by) that has
one of the best values in this space for the money. You can buy a $99 router
that has a dual-core 500MHz Cavium which will do 1M PPS, oh - and I forgot to
mention it runs Vyatta, so hack away.

[http://www.ubnt.com/edgemax/edgerouter-lite/](http://www.ubnt.com/edgemax/edgerouter-lite/)

I get it - there are people who want to run soup-to-nuts on a SBC, and there
are legitimate use cases. The reality is that WiFi in those platforms is flat
out horrible (again, go buy Ubiquiti UniFi for $80 and get real RF
performance - [http://www.ubnt.com/unifi/unifi-ap/](http://www.ubnt.com/unifi/unifi-ap/)).
Putting an underpowered mPCI card that's sitting around all kinds of other RF
noise, and likely deployed in the wrong location compared to where your users
are anyway, isn't ever ideal.

But if you have a hypervisor laying around your house (and 9 times out of 10
on HN that's probably the case) throw your voice at a small instance - or a
Raspberry Pi if you're worried about your carbon footprint / electrical bill.
There's no shame in that - and at the end of the day you're going to have a
far better network in terms of performance and reliability. SBCs are at that
weird middle ground of being not worth the money when there's much better
hardware targeted at what you're trying to accomplish. They feel, still, very
2005ish to me as they haven't really changed or added value - but the cost is
still outrageous for what you get.

At the end of the day don't get caught up in MHz at your router - it's about
accelerated packet performance. The Ciscos and Junipers of the world have
known this for, well, ever. I have no relation to Ubiquiti whatsoever other
than having purchased a lot of their products over the years for personal use
- and the brand is nothing short of undervalued IMO. I'm enthralled that
they've branched out from a great line of cheap and reliable RF products to
switching, routing, voice, video and even a small nugget of security (although
- the L3/L4 firewall of days gone by is nothing more than useless in today's
landscape).

~~~
gonzo
"AMD and Intel CPUs are pointless in this space"

You could not be more wrong. Citing the Ubiquiti ER-lite 'Tolly' results just
shows that you don't understand what they did to get their cited
"performance".

Disclosure: We sell a ton of Ubiquiti. Hell, I nearly bought the company in
its formative days, when Robert's original two partners quit to get "real
jobs".

~~~
windexh8er
Please share.

I work for a company that uses Cavium in almost all of our products. To
accomplish the performance per watt on Intel or AMD would be 1) ridiculously
expensive 2) still not scale to what we can do with Cavium. We do ~20Gb of DPI
in Cavium today in a construct of roughly 24 processors on a dataplane.

Intel can't touch that - and I've seen a lot of attempts. I don't agree with
Miercom / Tolly or, hell, even NSS - they're all paid for results. But the
Cavium truly can do the offload and it does in a $99 device, some of what
people have said around QoS and other aspects is true, it's writing your
software to take advantage of that.

Not to be a detractor but your sentiment seems bitter - but I'd be interested
in real perspective if you have one.

~~~
windexh8er
And, just to clarify. I've done extensive testing for large organizations
using most test tools under the sun testing a lot of 10-100Gb platforms. Ixia
BreakingPoint, Spirent, etc. I can also say that I've tested the EdgeRouter
Lite and know that, in terms of pure packet processing, it will beat an APU1C
in packets per dollar every day of the week.

I also understand your perspective now - coming from Netgate. I'm sure I'd be
kicking myself as well, but - then again Ubiquiti probably wouldn't be what
they are today.

------
bcl
Instead of reinventing (and unexpectedly exposing your whole network) you
should use something like shorewall to set up your firewall.
[http://shorewall.net/](http://shorewall.net/)

------
nullc
Now if only there were a PCI ADSL2+ modem that was a real network interface
and not another crappy, exploitable, buffer bloat infested, traffic
intercepting cesspool (but embedded on a PCI card)...

~~~
mindslight
Any DSL modem is going to be a proprietary cesspool of who knows what -
putting that on a trusted PCI bus seems like the exact wrong thing to do.

I was just looking into ADSL2+ routers supported by OpenWRT and concluded it
wasn't worth the bother. Just get any old proprietary ADSL2+ modem, set it to
bridge mode, and treat its ethernet as the actual demarc point. Better
galvanic isolation, too.

~~~
nullc
One problem there is that you lose all queue management and it seems they all
do awful things. Many of them also randomly intercept and tamper with tcp
connections even while not natting.

~~~
mindslight
Yes, it's less than ideal. But I don't think you're ever going to find a nice,
proper, trustable device. Communications gear is basically just complex
software (DSP and the like). The parts count will be minimized to keep costs
down, so the necessarily-proprietary parts get mingled with the needlessly-
proprietary ones. Redeveloping those blobs as free software is certainly
possible, but it will always lag behind the proprietary version. IMHO, that
effort is better spent on working around the brokenness of such devices -
maintain your own txqueue at a slightly slower rate than the modem, etc.

(My thinking on the "ideal cellphone" is the same - physically separate the
baseband from the personal computer, with an IP-only interface (eg Wifi)
between them.)

FWIW, I haven't noticed any packet mangling from my ADSL2+ modem in bridge
mode, but I haven't looked very hard either.

~~~
walterbell
> physically separate the baseband from the personal computer, with an IP-only
> interface (eg Wifi) between them

Are there any options on the market besides iPod Touch and Samsung Galaxy S
WiFi?

~~~
mindslight
Eh? Any laptop or wifi-only tablet would do, so I don't see why you're
implying there's a shortage?

I've been meaning to enumerate the possibilities of things with long battery
life that will ideally run normal GNU/Linux with a chorded keyboard for input.
If that works out successfully, then a smart watch for notifications would be
the logical next step.

~~~
walterbell
Since you mentioned "ideal cellphone", I was thinking of pocketable devices (<
5"), not many of those around which are baseband-free.

~~~
mindslight
Ah sorry, good point. I had other requirements in mind that made me think I
would end up with a larger device (battery life, un-tablety to hopefully run
GNU as a base), and forgot about those when writing my comment.

Not that I _really_ want something that won't fit in my pocket, so thanks for
your suggestions of things to look into :>

Although a device with a baseband (but antenna removed) could even be a decent
starting point. Lacking a network channel, it would be basically equivalent
security to a desktop CPU (that's an uncomfortable truth).

~~~
walterbell
Thanks for the pointer on antenna removal, will search for teardown examples of
successful removal. Could be added to a future version of guides similar to
[https://blog.torproject.org/blog/mission-impossible-hardenin...](https://blog.torproject.org/blog/mission-impossible-hardening-android-security-and-privacy)

~~~
mindslight
Well, I'll add a disclaimer that my comment was from a rough theoretical
perspective. To successfully "remove the antenna", you're going to have to
make sure communications don't continue to function on any remaining parasitic
antenna - I wouldn't be surprised if removing just the obvious antenna still
left you with a phone that worked in 80% of places. I don't know enough about
cellphone chipsets to know if the mixer/external amp are integrated, or are
still discrete things that can be removed. But you'd have to investigate these
details on a specific model of phone and then measure its actual emissions
before you could have something even approaching a "guide".

------
dtaht3
This thread has been pretty good.

Disclaimer: I run the cerowrt project as part of bufferbloat.net's efforts to
reduce latency across the internet. The hardware it runs on is getting long in
the tooth (netgear wndr3800), and we've been trying to find new hardware as a
base for a while.

I LIKE ubnt's gear, however their default firmware for their APs did not do
ipv6 when last I looked, which makes it a non-starter. Most of their gear
takes a load of openwrt barrier breaker quite well (or dd-wrt), and that's
what I do to most of it.

Openwrt has excellent features, gui, firewalling and security, and runs on a
huge variety of platforms so if you can find an off-the-shelf platform you
like that it runs on, goferit.

The edgerouter lite (vyatta based) is ok (does do ipv6), but the hardware
forwarding engine is not featureful enough on the edge gateway side to do
everything I need it to do, and when disabled to use software rate limiting,
we are only getting forwarding rates in the 70-90Mbit range. The edgerouter
pro is better...

Work is in progress on that front, see the ubnt edgerouter beta forums for
more details. I keep hoping cavium will put more effort into their forwarding
engine firmware...

Nearly no platform out there today is terribly good at doing forwarding rates
> 100mbits with QoS/AQM/packet scheduling enabled, certainly nothing in the
below 150 dollar range that I know of.

The APU box mentioned here barely forwards at greater than 500mbit without
qos. You CAN do pretty well with e1000e based boxes today, but the ivy
bridge/rangeley stuff is WAY better than the atom is for packet processing. In
either case you are getting well above the 200 dollar range and into potential
heat and cooling issues.

Lastly, most of the first and second generations of 802.11ac gear are pretty
terrible at getting anywhere close to the peak rates of the medium, partially
due to hardware limitations, and partially due to terrible queue management.

Obviously I'm pretty focused on delivering a low latency network experience
using the algorithms developed by the bufferbloat.net project... YMMV.

At the moment what I'm leaning towards at the > 100mbit level is dedicated
hardware for each of the gateway and wifi functions, and that steers towards
rangeley gateway (running openwrt) and ubiquiti (or at least atheros based)
wifi (also running openwrt).

------
yCloser
I don't like this that much. It's expensive.

My netgear router takes 11W.

I have a mini-itx amd c60, takes 25W without wifi.

------
socceroos
Still trying to find a great home router that I can slap something like
pfSense on.

~~~
noonespecial
I use these little guys. A bit overpriced and only 100mb but they work well,
run pfsense, openWRT etc and generally do what I want for years in a closet
with no further intervention.

[http://www.pcengines.ch/](http://www.pcengines.ch/)

~~~
anderiv
That, and the ~6 watt current draw at full tilt (at least that's what it was
when I was load testing a couple of 2d3 boards) is very nice on the utility
bill. Their newly-released APU boards are very nice, with GigE interfaces,
increased RAM, and _much_ faster CPUs.

~~~
socceroos
Yeah, fanless/low power draw is a must for me. I'm willing to pay a bit more
for it too. But since I also want to run a transparent proxy it needs a bit of
beef.

------
WizzleKake
If you want to switch the device that gets assigned an IP address by Comcast's
DHCP servers, all you need to do is reset the cable modem. At least that is
how it always was for me.

I have a gigabit ethernet connection now, so I quit using a router. All the
ones that I have couldn't manage more than 500 megabits/sec through the WAN
port, even though they were supposedly gigabit.

I did some research at www.smallnetbuilder.com and I found that generally
speaking, "gigabit router" actually means "router with a gigabit switch"
unless you are buying something that isn't marketed to consumers.

------
alexnewman
Totally want to build an NSA-proof WiFi router. The problem is the wireless
cards themselves are a big gaping threat.

------
Alupis
PFsense and some old hardware with 2 nics... instant DIY home router.

~~~
gonzo
Or even pfSense with new hardware.

