Purpose built firewall - how powerful?

Status: Not open for further replies.

danomac (IS-IT--Management), Aug 2, 2002
I'm getting a 15/1 connection in the next day or so from my ISP. I currently have a WRT54GL flashed with DD-WRT.

The WRT is struggling with 3/1 and wireless. Say for example I have a torrent running with a download cap *and* an upload cap (set at less than half of what the connection is capable), I still get very bad lag remoting in or even just browsing locally.

I was thinking about a purpose-built firewall. The problem is I don't know what type of CPU to put in it. The Broadcom CPUs are way underpowered; I know that. I'd like it to be a small form factor of some sort and low power consumption.

I was thinking about perhaps using a flash drive to boot and running a preconfigured firewall within system RAM. Keeps noise low and shouldn't require a disk to spin all the time.

I was looking at AMD's Geode CPUs, but I'm not really sure if they're going to be powerful enough. Anyone have other suggestions?
 
Do you have a set of requirements specs that you are using to determine that particular processors aren't powerful enough?

Do you have the engineering skill set necessary to develop and build such a device, both hardware and software? Do you have access to the tools that will be required to assemble it? Do you know enough about the intricacies of firewall operation and security to ensure that the device operates reliably? If the answer to the above is yes, do you still think that you can build one cost and time effectively?

Have you considered using a more professionally designed router?
 
I used to have an old 486 computer with Linux installed as the firewall; it worked without a problem (this was several years ago)...

Now, as was mentioned, another router should suffice, but make sure that it can handle the traffic (if it has the modem built in)...

Ben
"If it works don't fix it! If it doesn't use a sledgehammer..."
How to ask a question when posting to a professional forum.
Only ask questions with yes/no answers if you want "yes" or "no".
 
Noway2,

There are a number of software products that you can use (Smoothwall being one of them) that include routing and firewall functionality. All you need besides the software is an x86 PC with two or more supported network cards and you're off to the races. There's no real technical design or engineering involved, the firewall software (usually based on Linux) runs directly on the hardware in place of the OS.

________________________________________
CompTIA A+, Network+, Server+, Security+
MCTS:Windows 7
MCTS:Hyper-V
MCTS:System Center Virtual Machine Manager
MCSE:Security 2003
MCITP:Enterprise Administrator
 
Yes, it'll be running either smoothwall, pfsense, or something similar. I'm not too worried about how to get the firewall running. I am concerned about having a similar problem with the new build as I do with my existing router and its Broadcom CPU.

I've read several reports now of consumer grade routers failing over 15/20M. They just can't handle the volume of packets that can go through the device.

The problem I'm having is finding a benchmark of the Broadcom CPU so I can make sure I get something a little more powerful.

I used to have an old Pentium-50 that did this, but it gave up the ghost years ago - back then my connection was only 1.5 Mbit, so a consumer router did the job.

I figured on using something a little more recent for the time being. I've found some good boards and chipsets that are even fanless. The only thing I can't seem to locate is a comparison of the CPUs (Geode, Nano, Atom.) The Atom (esp. the 1.6 dual core) is probably a little overkill, which is why I was trying to find something on the Geode.
 
My personal suggestion?

Go buy a D-Link DIR-655 router. The price has dropped A LITTLE of late, and even if it was the original price, it'd be cheaper than building an all new machine just for this... Also it uses FAR less power. I can guarantee you that the DIR-655 will handle anything you want to throw at it. I've got one, which I've had for I guess about 2 or 3 years now, and by far it's the best router I've EVER owned. Back when it came out, Tom's Networking - now called SmallNetBuilder - did an article reviewing this router. And in the review, they stated the router had higher throughput (I believe it was... or maybe it was total # of connections) than any they had tested to date, including enterprise level stuff. Well, I'm not quoting, and I'm just going off very old memory. [smile]

Here's the article if you want to take a look.

And I believe the latest firmware updates supposedly increase its effectiveness, but I've not tried any - I've been happy all along, and I figure it isn't worth the risk of bricking the router... my opinion... b/c as soon as I started it, the power could go out or something, and I really don't want to have to mess with that.

Anyhow, I've tried all sorts of things on it, over web, between LAN PCs, wireless and wired... all sorts of things, no issues at all. I also suggested it to a friend whose family all plays online gaming. They never looked back... the guy was actually in tears - a grown man in tears, b/c he was so happy with a router's performance - he had no clue it could make that much difference... that was probably a year ago.

There are faster ones now, but they cost usually 1.5 to 2x as much as a minimum.

The benefit?
*Over time, probably cheaper, b/c less electricity.
*MUCH easier - then again, you may be wanting the challenge/experience
*All gigabit connections, supports 4 wired, practically unlimited wireless, out of the box.

Anyhow, that's my thoughts on the matter. [smile] Though, I have thought about building my own router, just to do it.. but I don't have enough time for all the just to do it things I want to do. [wink]

--

"If to err is human, then I must be some kind of human!" -Me
 
I've been running Smoothwall since the very beginning; currently it is running on a Dell Dimension 700 MHz PIII Celeron with 256 MB of RAM. I used Intel Gig NICs and I would pit it against any corporate firewall. Basically, I used parts lying around so it didn't cost me anything out of pocket.

Cheers
Rob

The answer is always "PEBKAC!"
 
AG,

How about power usage? Does that system not use more power than a typical router - not enterprise level router, but home router?

--

"If to err is human, then I must be some kind of human!" -Me
 
Same as a regular, older PC; it has a 150-watt power supply. I have it running on a 6 gig hard drive; I actually bought a dozen 6 gig drives a few years ago for like $20 on eBay.

So I would say it would be more than a regular router but I have more control over it.

This is actually my fourth PC running Smoothwall; when one dies I just find another. My first was a PII 233 MHz with 32 MB of RAM. When the power supply finally gave out I went to another PII, a 450 MHz, and the CPU finally died; then I went to a PIII 500 MHz and the power supply died on that one, and finally went to my PIII 700 Celeron. It has been running about 4 years now. I've had a few hard drives give out - I do live in Arizona, and I have three big dogs, so my house is pretty dusty. Which is why I bought the 6 gig hard drives. But I make sure to save my config to a floppy any time I make changes, so if I have to reload I can do it in about 15 minutes.

Cheers
Rob

The answer is always "PEBKAC!"
 
Well, if anyone wants to build a router from a PC, I know at least a year or so ago, I saw a handful of motherboards which had loads of LAN connections onboard, so no extra cards necessary... I suppose that's what they were built for. I haven't looked since, b/c I don't really need a ton of them on one PC, but they may still have some... if not, surely someone does. I did think it'd be pretty cool to set up a router like THAT. [smile]

--

"If to err is human, then I must be some kind of human!" -Me
 
I actually found a motherboard for ~$120 CAD that is mini-itx, 2 LAN, and an embedded atom CPU. All I'd need is a small case for it. Now I can't remember if it was passive cooled or not.

I guess I'll keep looking.
 
I built my own firewalls (with routing and VPN services) at work for production and testing, going on 6 years. Right now the production unit is a Dell OptiPlex GX150 (1.2 GHz PIII, 512 MB RAM, 20 GB HDD, two 3Com 3c90x NICs, plus the onboard 3c92x that is disabled). At its peak it serviced approximately 200 PCs over a 45 Mbit DS3 link.

Using iptables to filter packets barely made a dent in processor usage. OpenVPN used much more processing to encrypt/decrypt packets. I've never experienced any lag while using the VPN. Although I wish I could add more memory which would help out with iptables' connection tables.

The real difference is whether or not the NICs share IRQs. Make sure they don't or they will step all over each other and you will not see the bandwidth you seek.

BTW, my firewall runs Gentoo, but any *NIX will do. I started out with Red Hat, but I like the small footprint and malleability of Gentoo.

[pipe]
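The IRQ-sharing advice in the post above, as an added example that is not part of the original post or of any distribution's tooling: a POSIX shell function that parses a file in /proc/interrupts layout and lists every IRQ line on which a network interface shares the vector with another device (another NIC or anything else). The interface-name pattern (eth, em, eno/enp/ens, wlan, wlp) is an assumption, and the sample table is constructed for the demo rather than captured from a real machine.

```shell
#!/bin/sh
# Added example, not code from the thread. Finds IRQ lines where a NIC shares
# the interrupt with another device, the situation the post above warns about.

# shared_nic_irqs FILE
# Prints "<irq> <dev1>, <dev2>, ..." for each IRQ whose device list holds at
# least one network interface and at least two devices in total.
# /proc/interrupts separates device names on one IRQ with ", ", so each
# comma-delimited chunk ends in one device name; the chunk before the first
# comma also carries the counters and chip name, which the last-word rule skips.
shared_nic_irqs() {
    awk '
        $1 ~ /^[0-9]+:$/ {
            irq = $1
            sub(/:$/, "", irq)
            n = split($0, chunk, ",")
            nics = 0
            devs = ""
            for (i = 1; i <= n; i++) {
                m = split(chunk[i], w, " ")      # " " => split on runs of blanks
                dev = w[m]                       # last word of the chunk = device
                # Assumed NIC naming: eth0, em1, eno1/enp2s0/ens3, wlan0, wlp3s0
                if (dev ~ /^(eth|em|en[ops]|wlan|wlp)[0-9]/) nics++
                devs = (devs == "") ? dev : (devs ", " dev)
            }
            if (nics >= 1 && n >= 2) print irq " " devs
        }
    ' "$1"
}

# write_sample_interrupts FILE
# Constructed sample in /proc/interrupts layout (not from a real machine):
# IRQ 10 has two NICs on it, IRQ 11 has a NIC next to a USB controller,
# IRQ 24 is an MSI vector owned by eth3 alone.
write_sample_interrupts() {
    cat > "$1" <<'EOF'
           CPU0       CPU1
  0:       1234          0   IO-APIC   2-edge      timer
  9:          0          0   IO-APIC   9-fasteoi   acpi
 10:      98765      12345   IO-APIC  10-fasteoi   eth0, eth1
 11:       5432        100   IO-APIC  11-fasteoi   uhci_hcd:usb1, eth2
 16:       7777        888   IO-APIC  16-fasteoi   ehci_hcd:usb1
 24:      11111          0   PCI-MSI 524288-edge   eth3
NMI:          0          0   Non-maskable interrupts
LOC:     999999     888888   Local timer interrupts
EOF
}

# Stand-alone demo: check the constructed sample, then this machine if possible.
demo() {
    tmp=$(mktemp)
    write_sample_interrupts "$tmp"
    echo "constructed sample:"
    shared_nic_irqs "$tmp"
    rm -f "$tmp"
    if [ -r /proc/interrupts ]; then
        echo "this machine:"
        shared_nic_irqs /proc/interrupts
    fi
}

demo
```

On the constructed sample this reports IRQ 10 (eth0 with eth1) and IRQ 11 (eth2 with a USB controller) and stays silent on eth3's private MSI vector. On the PIII/Celeron-era boards in this thread, where line-based PCI interrupts are routed by the chipset, a hit means moving the card to another slot or changing the IRQ assignment in the BIOS; on a NIC using MSI or MSI-X each vector is private, the check finds nothing, and the remaining knob is IRQ affinity rather than sharing.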
 
A little off-topic, but if you're cranking some major downloads, don't be surprised to hear from your ISP if A) they can sniff out that you're downloading movies/music or B) you go over their magic "enough is enough" download limit.

Comcast is famous for their "stop the downloading like crazy" letter.
 
Hmm, maybe a Geode will do then. I'll have to look into it more. There doesn't seem to be a whole heck of a lot on them. Searching a few sites yield no prices.

Another Gentoo'er here - been using it since 2002 and it's basically on all my computers at home (file server, web server, desktop, laptop, htpc.) I generally don't use Windows at all at home unless I want to play a game. Messing with wine is too time-consuming. The package manager is what drew me to the distribution... it's SO damn flexible.

goombawaho: My ISP has a cap on paper of 100 GB or so (actually, that was for my old 3M/512K connection, might be different for Turbo.) I do know if you go over 200 GB they'll call/email. Most of the time I'm around 100 anyway.

I just updated my laptop... 750MB of source files to compile. Fun. I haven't updated my desktop since March, that'll probably require a few GB of source files to compile.
 
I hear ya. I just finished updating my laptop to KDE 4.3.4 & Qt 4.6.0. It was an overnight compile but pretty painless. All that is left is updating the kernel to 2.6.31.

Getting off track, my gaming rig dual-boots gentoo & windows 7. Compiling on it is a dream - AMD64 Dual core 3.2GHz with 8GB RAM, nVidia 9800 GTX and HDD space to spare. I really want to build a new one with a Phenom x4 but that will have to wait until the new year and a new job.
[pipe]
 
Yeah, my laptop is a slow-arse thing when it comes to compiling. My desktop I just built last year is sweet - QX9650 OC'ed to 3.8 GHz, 4 GB DDR3, RAID 1+0... I can compile the OpenOffice source in <45 minutes; my old PC took like 6.5 hours (no joke.) Heh.
 