8 gigs of RAM? SSD disk? 2.4GHz (incorrectly stated as MHz)? factory image is 4 GB in size? All this for a router? I'm no expert by any metric, but that's one hell of an overkill IMHO. Shit, dude, my home PC is weaker in almost all aspects and I play video games and HD content on that, in addition to network stuff.
In my day, a router was an Intel Pentium @90MHz with 4M of RAM. No HDD, only a FDD with Linux. Granted, it probably would have problems today with speeds we're all used to and WLAN, but, man, strip it down, strip it all down to Megs. You don't need X running on that. You don't need all these services. Fonts. Libraries. Default pictures. That's all bloat. Throw out the SSD. A 1G usb thumb drive is enough. I/O speed concerns? You got 8 gigs of ram, dude, you could fit your whole "factory" image in it and have enough space for the second one. Ramdisk the shit out of the system. Dude...
And, just out of curiosity, how does using iptables make that not a real firewall (even if you're using iptables in an indirect manner)?
> Throw out the SSD. A 1G usb thumb drive is enough.
Agreed, though if you do, you have to be careful with writes. I literally had to reflash my drive every time the power went out (I don't have a UPS). My solution was to move every writable directory to a tmpfs, then mount the root fs as read-only. Logs get shipped by a cron job over ssh. It's been rock-solid ever since.
If you want to upgrade or reconfigure without reflashing, you can still remount with rw, do your thing and then remount with ro again.
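The read-only root layout described above, as an added example that is not the commenter's own setup: an audit of a /proc/mounts listing that reports whether / is read-only and which writable directories still sit on the flash, plus the matching fstab and the remount helper. The directory list and the sample mount table are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: audit a /proc/mounts listing for the
# "read-only root, writable dirs on tmpfs" layout described above, and emit
# the matching fstab. The directory list and the sample table are constructed.

# Directories a small router writes to at runtime (assumed list).
WRITABLE_DIRS="/var/log /var/tmp /tmp /var/lib/dhcp /var/run"

# fstab lines: root read-only, each writable dir on a small tmpfs.
# nosuid/nodev keep a scratch area from becoming a place to plant binaries.
emit_fstab() {
    printf '%s\n' 'LABEL=root / ext4 ro,noatime,errors=remount-ro 0 1'
    for d in $WRITABLE_DIRS; do
        printf 'tmpfs %s tmpfs size=64m,nosuid,nodev 0 0\n' "$d"
    done
}

# Read a /proc/mounts-style table on stdin; print whether / is ro and which
# writable dirs are NOT on tmpfs (those writes would still hit the flash).
audit_mounts() {
    mounts=$(cat)
    root_ro=$(printf '%s\n' "$mounts" | awk '
        $2 == "/" { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "ro") ro = 1 }
        END { print (ro ? "yes" : "no") }')
    not_tmpfs=""
    for d in $WRITABLE_DIRS; do
        if ! printf '%s\n' "$mounts" |
            awk -v d="$d" '$2 == d && $3 == "tmpfs" { ok = 1 } END { exit !ok }'; then
            not_tmpfs="$not_tmpfs $d"
        fi
    done
    printf 'root_ro=%s not_tmpfs=%s\n' "$root_ro" "${not_tmpfs# }"
}

# The "remount rw, do your thing, remount ro" step from the comment above.
with_rw() {
    mount -o remount,rw / && "$@"
    mount -o remount,ro /
}

# Constructed sample: root is ro, but /var/tmp is still on the flash and two
# dirs are missing from the table entirely.
SAMPLE_MOUNTS='/dev/sda1 / ext4 ro,noatime,errors=remount-ro 0 0
tmpfs /var/log tmpfs rw,nosuid,nodev,size=65536k 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,size=65536k 0 0
/dev/sda1 /var/tmp ext4 rw,noatime 0 0'

printf '%s\n' "$SAMPLE_MOUNTS" | audit_mounts
```

On a real box, feed it `cat /proc/mounts` instead of the sample; any directory it lists is a write that will land on the thumb drive on the next power cut.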
Or, rather than going through all that rigmarole, just use an SSD. If you want to save money, get a really cheap one. You can easily get a 60 GB SSD for $30.
Well, it's not like filesystems in SSDs never get corrupt when power goes off. And the USB stick is helpful if you need to mount it on a laptop, for example if you fucked up the firewall rules and you're now unable to SSH in :)
In my day, it was thought PCs would never need more than 640KB...
No, seriously... Usually these kinds of devices end up doing a lot more, like file serving, backups, code repository duties, music playing services, SMTP relay or even build machine tasks. If it's accessible by a technical person, it will get some serious use and abuse.
...and none of these tasks that you mentioned are that resource-intensive, with a possible exception of build machine. What I'm saying is that we _waste_ those resources on trivial tasks very casually. Besides, the article talks about building a "router", not a "home server" or a "multipurpose hack box with routing capabilities". It's like taking $10 mil to make a bicycle "to commute".
I've got pretty much the same hardware but it's got 2xSSDs for iscsi storage.
It didn't cost too much and it's flexible - running Ubuntu server I can stick some Docker containers on it, run a/v for the network, Nagios, anything really. It's a good learning exercise too when you consider anything that impacts my son accessing XBox Live is essentially mission-critical in this house.
When I replaced my ISP supplied router with it (BT Home Hub 5) I immediately saw better performance and less latency. Unfortunately I forgot they deliver their premium sport channels over IPTV/Multicast so it was a couple of days learning that, but I've acquired a new skill for my CV, so hey-ho.
BTW if the processor is like mine the 2.4GHz thing is the burst clock, it normally idles at 800MHz, which is important as the box is fanless.
> It didn't cost too much and it's flexible - running Ubuntu server I can stick some Docker containers on it, run a/v for the network, Nagios, anything really.
If it's imperative infrastructure, sure. But this is a home setup, no need to run 5 different machines on redundant power supplies. Be prepared to reconfigure if the machine releases the magic smoke, which virtual machines will make extremely easy, and call it a day.
Yup. It's especially nice to have when I get a problem I can actually check the logs, restart services, run tcpdump on the WAN interface etc. Couldn't do this with the ISP supplied box.
How is your home network not a production system? If your router crashes, won't the other inhabitants of your home be annoyed they can't use the internet or watch TV?
To me a non-production system is one I can turn off for indeterminate periods of time without loss of any service I actually need to use in daily life.
By that definition, there are almost no production systems in real life. Because what you really, really need is air, warmth and water. Anything else is disposable, a convenience. So what if the internet access breaks - just plug in an old router that's been gathering dust as a temporary measure while you fix the "project" one.
Well that's one way of making your own life difficult. To each his own I suppose. I have no qualms about running multiple services on the same machine as long as it's firewalled sufficiently. That's why we have multi-process and multi-user operating systems after all.
The OS on my gateway only goes down on kernel updates, and I can crontab them (unlike with the ISP supplied box).
My son and his mates can put any old malware infested phone on his SSID, but they can't get to my LAN. I can run my gitlab etc without affecting him, apart from QoS - and the latter is something the ISP gateway doesn't even offer.
Anybody sufficiently experienced can segregate services on a single box without any worry.
The wifi my partner's and child's kit is connected to is VLAN'd off, goes straight out through a DMZ via its own interface.
The stuff I'm testing doesn't touch this and I can do what I like through those interfaces without affecting their stuff. Unlike the ISP supplied router, if something crashes I can restart the service rather than pull the power. It doesn't crash anyway, unlike the ISP kit which is temperamental at best.
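The segregation described in the two comments above (guest SSID on its own VLAN that cannot reach the LAN, test kit on a separate interface), as an added nftables example that is not the commenter's own config. Interface names and VLAN ids are assumptions; NAT towards the WAN is left out.

```shell
#!/bin/sh
# Added example, not the commenter's own config: an nftables ruleset for the
# layout described above: the family/guest Wi-Fi on its own VLAN can reach the
# internet but not the trusted LAN or the lab kit. Interface names are assumed;
# NAT for $WAN is left out.
WAN=eth0         # upstream
LAN=eth1         # trusted wired LAN (management lives here)
GUEST=eth2.20    # VLAN 20: partner's and kids' Wi-Fi
LAB=eth2.30      # VLAN 30: the test boxes

# Print the ruleset; apply with:  emit_guest_ruleset | nft -f -
emit_guest_ruleset() {
cat <<EOF
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop
        icmp type echo-request accept
        # the router offers the guest VLAN only DHCP and DNS; SSH stays LAN-side
        iifname "$GUEST" udp dport { 53, 67 } accept
        iifname "$LAN" udp dport { 53, 67 } accept
        iifname "$LAN" tcp dport 22 accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "$LAN" accept
        iifname "$GUEST" oifname "$WAN" accept
        iifname "$LAB" oifname "$WAN" accept
        # lateral moves get logged and counted, so a compromised phone shows up
        iifname "$GUEST" oifname { "$LAN", "$LAB" } log prefix "guest-lateral: " counter drop
        iifname "$LAB" oifname { "$LAN", "$GUEST" } log prefix "lab-lateral: " counter drop
    }
}
EOF
}

# Self-check: a typo in the interface variables must not quietly yield a
# ruleset without the isolation rule.
check_isolation() {
    rules=$(emit_guest_ruleset)
    printf '%s\n' "$rules" | grep -qF "iifname \"$GUEST\" oifname { \"$LAN\", \"$LAB\" } log" || return 1
    printf '%s\n' "$rules" | grep -qF "iifname \"$GUEST\" udp dport { 53, 67 } accept" || return 1
    echo ok
}
```

The `counter` on the two drop rules means `nft list ruleset` shows at a glance whether anything on the guest VLAN has been probing the LAN, and the `log prefix` makes those hits easy to pick out of the kernel log.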
ISP routers already have wifi. Shouldn't the wifi be separate, as rebooting the router will bring it down otherwise? Where do you draw the line?
> The stuff i'm testing doesn't touch this and I can do what I like through those interfaces without affecting their stuff.
Can you pull the power on your testing machine without affecting the wifi? The point is not that you can usually do it without affecting any other services, the point is that even if you fuck up in the most spectacular way possible and literally fry all the hardware in that box it should not affect any other service than the one you were tinkering with. (Note that in a corporate setting that would not be acceptable either and you'd want failover and no single points of failure).
> unlike the ISP supplied router if something crashes, I can restart the service rather than pull the power. It doesn't crash anyway, unlike the ISP kit which is temperamental at best.
I'm not saying you should use the ISP-provided router, on the contrary, you should definitely build your own. But build a second machine for your experiments, and third for your fileserver, and a fourth for your torrents, and a fifth for.. etc. etc.
> ISP routers already have wifi. Shouldn't the wifi be separate, as rebooting the router will bring it down otherwise?
Yes it should certainly be separate. And it is, at least in my house. Router is a simple server-grade machine (IPMI, ECC, etc.) that ONLY does network routing. I use Ubiquiti access points for the WiFi.
No complaints yet, except pfSense is not that great with Wifi. It's probably best to do wifi separately if you want to run a BSD flavour on it. I haven't tried installing Linux on it yet, since WiFi is functioning well enough, albeit sub-optimally.
It's efficient because the fast path is a very closed-source binary blob running on the hardware. Anything the binary blob doesn't support is going to be "software switched", as it is commonly called.
It'll outperform a low-end PC on really simple and dumb benchmarks. But in the real world, routers should usually be doing active queue management and often traffic shaping. Good luck getting the hardware offloads to do any intelligent packet processing like that.
Nope, EdgeOS is a fork of VyOS, based on Debian. There is a GUI, but there's also a CLI which exposes a lot more functionality. You can even install standard Debian packages via Apt.
Confusing "router" with "router + WiFi access point" is a pet peeve a mine. To me a router has absolutely nothing to do with WiFi, yet almost every discussion of routers presumes WiFi.
I don't use WiFi much, but when I do, I use a separate box. Separation of function.
Having said that, the Qotom is absolutely perfect for 1000Base-T to 1000Base-T routing. It's got plenty of CPU (unlike the commercial crap, which is hopelessly lacking), and plenty of RAM so it won't overflow its NAT tables.
> almost every discussion of routers presumes WiFi
That would be because numerically, the majority of routers are tiny boxes sold for home use with three NICs: external ethernet, internal ethernet (often connected directly to a mini-switch), and internal WiFi. They also serve as firewalls, DHCP servers, NTP servers, and DNS relays, none of which are technically routing.
This is neat. I'm curious if the author has gotten to test it with a Gigabit internet connection yet?
I initially intended to build my own router when I got Gigabit internet. After some research, I settled on a SOHO solution that seemed hard to beat in bang-for-buck: Ubiquiti EdgeRouter LITE-3. It does roughly 933Mbps for WAN->LAN, which means I don't lose much speed in that transition. For prebuilt solutions, the only way to one-up that is to move to 10Gbps hardware which is cost prohibitive.
All that said, the Ubiquiti router runs a custom version of Debian and I'd prefer to work with something that could work with Ansible or the like and is a little more open.
For a router, I'd pick some BSD-based OS. pf is much more efficient than iptables, although I only know this anecdotally.
I'm a huge fan of pfSense which wraps a nice UI and some great tools (proxy, AV, analysis, etc.) into one big package. Worth a look. I used to run my home router on a little Qotom computer, but virtualized it to get rid of wires and boxes; works great. I'm running three pfSense boxes in various environments and can't say enough good things about 'em.
I do enjoy these sorts of projects but ... My router needs were recently fulfilled by a TP-Link MR3020, an old mobile phone and ROOter/GoldenOrb, an OpenWRT variant.
£25 and two minutes to flash it, and away. It amazes me what OpenWRT and ROOter have crammed into 4MB. 4MB!