EEVblog Electronics Community Forum
Products => Other Equipment & Products => Topic started by: GreyWoolfe on November 30, 2014, 09:59:58 pm
-
My Linksys WRT54G is getting long in the tooth and suddenly I am regularly rebooting the router to bring the network back up. I am favoring the Linksys EA6350 or the EA6100. Does anyone have experience with either of these? What is everyone using? The one thing I am interested in is having a USB port on it to connect a 1TB hard drive to so I can share data across several computers. I am trying to keep the budget under 150USD if I can. SWIMBO doesn't want me to spend a fortune but wants her Internet when she wants it. |O
-
$150 is quite a lot. I'd probably go for the cheapest that is Gigabit and can run 3rd party firmware. Maybe a TPLink WR1043 v2 for about $50. You shouldn't expect great USB performance, but I think that would be the norm with routers.
http://www.amazon.com/dp/B002YLAUU8/ (http://www.amazon.com/dp/B002YLAUU8/)
If you want 802.11ac, maybe a TPLink AC1750 for $80 is a good option: http://www.amazon.com/gp/product/B00BUSDVBQ/ (http://www.amazon.com/gp/product/B00BUSDVBQ/)
Haven't checked about 3rd party firmware for this one.
Edit: Found now a simpler 802.11ac option: TPLink AC750 for about $40. Haven't read up on it, maybe it's better than the 1043.
http://www.newegg.com/Product/Product.aspx?Item=N82E16833704206 (http://www.newegg.com/Product/Product.aspx?Item=N82E16833704206)
-
Check out smallnetbuilder.com for detailed reviews including storage performance.
-
I use pfSense (https://www.pfsense.org (https://www.pfsense.org)) which is a free and powerful open source router/firewall. I run it as a standalone appliance on an older Dell 1RU server, although it will run on just about anything with a Pentium II processor or better.
At one stage I had it running quite successfully on an old Watchguard FireBox II appliance (I think it had a 266MHz CPU).
So if you have an old computer kicking around, throw a few NICs in it and give it a go. It won't cost you anything.
-
I have a TP-Link TL-WR1043ND, the old white model. USB performance is poor, not really useful if you're dealing with large files. Maybe a few megabytes per second at most.
It can do about 120 mbit wan<->lan, not sure what happens when you open many connections. I never really used it's routing features, I just use it as an access point.
Minor annoyance is that I have to reset it maybe once in 2-3 months, for some reason the wifi stops working. The SSID is visible but none of my wifi devices can connect to it.
I actually use a mini-ITX system running M0n0wall as a router, but I don't think that will fit your budget.
-
My Linksys WRT54G is getting long in the tooth and suddenly I am regularly rebooting the router to bring the network back up.
Take it apart. You might have bloated capacitors? If yes, easy fix. If no bad capacitors there, try another AC adapter as it might have bad caps in it as well.
http://www.dd-wrt.com/phpBB2/files/img_0027_660.jpg (http://www.dd-wrt.com/phpBB2/files/img_0027_660.jpg)
http://www.dd-wrt.com/phpBB2/files/img_0029_179.jpg (http://www.dd-wrt.com/phpBB2/files/img_0029_179.jpg)
-
3hp variable speed Bosch Plunge router with 1/2" collet capacity :-+ :-DD
-
I wasn't allowed to install one in one of our racks even as a joke - no sense of humour :-// .
-
3hp variable speed Bosch Plunge router with 1/2" collet capacity :-+ :-DD
That'll work but where is the USB port for the HD? :-DD
-
sophos home utm on an i3 3220 based system.
-
You ask what router I use, but it sounds like you want recommendations for what you should use.
I second a TL-WR1043ND or TL-WDR4300 with OpenWRT; have hundreds deployed with only one failure, and that was a random bit flip in flash.
I use a custom Gentoo-based router, running on a fanless J1900 (quadcore 2GHz) :)
rollatorwieltje, which firmware on your 1043ND? there was a problem for a while with Atheros-based routers and OpenWRT that caused wireless issues including non-communication but SSID still being broadcast. You shouldn't have to reboot anymore with 14.07 final.
-
Snapgear / Cyberguard / Secure Computing / McAfee.... SG-580
(They changed names a few times over the life!)_
Also have an unused SG-300 laying around somewhere.
Kinda neat for hackers that want to breach your firewall - telling them your WAN facing hardware.
- unless you have additional strategies in place...
-
I second a TL-WR1043ND or TL-WDR4300 with OpenWRT; have hundreds deployed with only one failure, and that was a random bit flip in flash.
The TL-WR1043ND is a great device if you only need 2.4GHz coverage. However, 2.4GHz is so heavily used that most of us REALLY need 5GHz coverage too. I think it won't be too long before 5GHz is just as crowded and troublesome as 2.4GHz is today, but at least a dual band router will work well for most people right now.
If you live far from the madding crowd, and you don't need huge throughput, I guess the TL-WR1043ND is still a great value for money choice.
-
I use a: http://lifehacker.com/turn-a-raspberry-pi-into-a-wireless-router-1582672426 (http://lifehacker.com/turn-a-raspberry-pi-into-a-wireless-router-1582672426) ^-^
-
TL-WDR4300
I have one of these w. original fw , but was thinking about changing to dd-wrt , as i used that on the old wrt54G.
Any experinces with dd-wrt and a TL-WDR4300 ?
/Bingo
-
I have a Netgear WNDR-4000, and I'm not happy since it cannot publish DNS settings to clients. It always tell clients he is the DNS, and he slows stuff down. (100/100 fiber)
But, when DNS servers are setup locally the thing does its job without issues.
-
I got ticked off at Linksys and all the other popular consumer routers and got a Mikrotik RB951:
http://routerboard.com/RB951-2n (http://routerboard.com/RB951-2n)
You can spend more and get MORE POWER but this one is good for a home router. The management interface is super geeky but if you're on this board, you should be able to handle it. Way more capability than I need but it's been really reliable, zero reboots needed.
-
I'm running pfSense on a Watchguard Firebox x1250 with a CPU and RAM upgrade to the highest the board supports to boost VPN speeds. I'd highly recommend a setup like this. Admittedly there's a few tweaks to get the LCD and front panel LEDs working which also needs repeating if you update BSD, but it's all documented and easy to follow.
I run a set of PoE AP's for wireless.
-
rollatorwieltje, which firmware on your 1043ND? there was a problem for a while with Atheros-based routers and OpenWRT that caused wireless issues including non-communication but SSID still being broadcast. You shouldn't have to reboot anymore with 14.07 final.
The stock TP-Link firmware
Firmware Version:
3.13.15 Build 140319 Rel.41339n
Hardware Version:
WR1043ND v1 00000000
-
Ubiquiti Edgerouters and associated wireless bridges and airstations. So far, I feel these are the best in the business.
-
I run PFsense as well.
I've been very happy with it. Running on a supermicro Atom server mobo with two integrated NICs, and a $40 ssd (60 GB). It's low power, and very reliable.
-
I'm using a netgear WNDR3800 with OpenWRT.
I've been debating whether to upgrade for a while. If I do, there are a few ways to go:
Router only, no Wifi: Ubiquiti EdgeRouter
Router + WiFi: TP-Link Archer C7 running OpenWRT or, something from MikroTik, once theyir 802.11ac stuff rolls out.
-
When I was in the business there was an adage that 'you never got sacked for specifying Cisco'. I don't necessarily agree with that adage but what is your context; personal, small, medium or corporate business? It does make a difference.
-
I second a TL-WR1043ND or TL-WDR4300 with OpenWRT; have hundreds deployed with only one failure, and that was a random bit flip in flash.
The TL-WR1043ND is a great device if you only need 2.4GHz coverage. However, 2.4GHz is so heavily used that most of us REALLY need 5GHz coverage too.
Which is why I mentioned TL-WDR4300, a dual-band 802.11n router.
Most of our installs are 1043nd as most customers have no idea how their WiFi works much less how to grunt a greeting properly and have so much money they don't have neighbors.
Any experinces with dd-wrt and a TL-WDR4300 ?
DD-WRT is garbage. Additionally, I don't think it works on this device - if it does, great, who cares? You can use OpenWRT on this device.
rollatorwieltje, yes, I see this with stock firmware, anywhere from a week to a couple months. OpenWRT was worse for a while, but 14.07 final is better. If you are using it only as a wireless router and not using USB or care about WPS (or AOSS, something I recommend disabling anyway), try that.
Ubiquiti Edgerouters and associated wireless bridges and airstations. So far, I feel these are the best in the business.
Been meaning to try one, but I don't like closed equipment, and also Ubiquiti loves to overpromise and underdeliver. We use a lot of UniFi and airmax gear though.
eas, no sense upgrading now if it works, you probably wouldn't notice a difference unless you have >100mbit WAN speeds. Wait.
-
Most of our installs are 1043nd as most customers have no idea how their WiFi works much less how to grunt a greeting properly and have so much money they don't have neighbors.
If they are that rich don't they need the extra capacity at 5GHz for their own use? :)
-
Linksys has gone to crap since the WRT54G, Cisco ruined them. Had a E4200 v1 that lasted a year before it just up and died. Avoid Linksys.
Replaced it with a Netgear WNDR4300, running OpenWRT compiled straight out of the dev tree. Works nice, it has taken over file serving duty and everything.
-
I first had a Belkin lasted 6 mo before started dropping out. Everyone i know says Belkin routers are bad news. :palm:
I replaced with refurb Netgear lasted 3 yrs, then started deciding to block sites for no apparent reason.
I replaced it with an ASUS RTN65U. Has an annoying UI wizard on setup, but that's just because i know that i'm doing and would rather do myself. I got my router from newegg on special like a $130 router i got with rebate, and 128GB usb 3.0 stick to use with it for about $80.
One really nice thing is that unlike every other router i have had if the modem decides to be stupid and lock up and need reboot i can just do it without having to reboot the router too. I understand why most need that, but this one seems to have no issue with it. Good job ASUS I think it runs something called ASUS wrt which is i guess a custom ASUS version of DDWRT. What I've seen many gamer types with the new 802.11AC ASUS routers see to be one of the more popular.
-
If you're going to spend $150 you might as well got for an AC router. With both channels running with Spacial Division Multiple Access, and a client that supports dual channels you can get around 1.3Gb/s throughput.
At work we just upgraded to Cisco N WAPs (a generation behind Wireless AC) and wow the difference between that and G was amazing.
-
When I was in the business there was an adage that 'you never got sacked for specifying Cisco'. I don't necessarily agree with that adage but what is your context; personal, small, medium or corporate business? It does make a difference.
It is for personal use. Not a big network here. I have 2 networked printers, 2 wired computers, 4 laptops, 3 cell phones and 4 tablets.
I replaced it with an ASUS RTN65U. Has an annoying UI wizard on setup, but that's just because i know that i'm doing and would rather do myself. I got my router from newegg on special like a $130 router i got with rebate, and 128GB usb 3.0 stick to use with it for about $80.
One really nice thing is that unlike every other router i have had if the modem decides to be stupid and lock up and need reboot i can just do it without having to reboot the router too. I understand why most need that, but this one seems to have no issue with it. Good job ASUS I think it runs something called ASUS wrt which is i guess a custom ASUS version of DDWRT. What I've seen many gamer types with the new 802.11AC ASUS routers see to be one of the more popular.
I am actually contemplating the ASUS RTN66U. I like the external antennas. My office is in the back corner of an 1800 ft2 ranch style house and I want to make sure that there is pretty good coverage. There is nothing here running 802.11AC, 3 of the 4 laptops are wireless N. I am not sure about the tablets. It is a shame to hear that Cisco has mucked up Linksys. I have had Linksys for years. I like the extra features the new routers have like guest accounts and the USB ports for some basic file sharing-no videos just documents and maybe some photos. I will also look at the RTN65U. After looking around, I think ASUS is the way for me to go. As long as the network stays up and SWMBO has her internet then I am happy.
-
GreyWoolfe - understood.
For home use I just use the British Telecom supplied router/switch combination. It's sufficient for my usage.
-
I use pfSense as well. I would NEVER go back to some consumer grade garbage!
-
I replaced the glorious WRT54G with the asus rt-n66u running Shibby FW.
It has a mini SD card has a Easter egg inside, and 2 USB port for your HD (BTW build a NAS PC with FreeNAS, as suggested).
I am very happy, rock solid and good FW support/Community.
EDIT: blown away by pfSense! Thanks eev forum!
-
What do people use when they have say, 350 Mbps broadband?
Most of the routers I looked at don't support that kind of WAN->LAN speed above some 50 Mbps with anything firewall or NAT running. Firewalls and routers get _really_ expensive at that point (400 EUR and above for example ZyXEL ZyWall 110)
-
What do people use when they have say, 350 Mbps broadband?
Most of the routers I looked at don't support that kind of WAN->LAN speed above some 50 Mbps with anything firewall or NAT running. Firewalls and routers get _really_ expensive at that point (400 EUR and above for example ZyXEL ZyWall 110)
We have had 1Gbps up and down broadband at home for about 3 years. When it was first installed it was really hard to find consumer routers which could keep it busy. If you want to send lots of small packets, like VoIP, that's still true. For most people's usage a lot of recent routers, especially the 802.11ac ones, can keep a 1Gbps connection pretty much fully loaded with large packets while firewalling.
I put together a small Linux machine with one of the low power variants of the i3 (I think its the Sandy Bridge generation). I used an Intel motherboard, which generally use several watts less than most other makes. I guess they use efficient VRMs, rather than ones which are overclocking friendly. That machine can keep the link busy with small or large packets, without consuming unreasonable amounts of power.
-
What do people use when they have say, 350 Mbps broadband?
You'll lose at least €100 ($150) for a router for fiber.
But if you can afford fiber you should be able to afford a router, or get one "for free" from the isp.
Our ISP (dutch KPN) forcibly leases you a router worth approx €200 if bought "new". Unfortunately, they screwed it up to a worth and performance of a potato. (it doesn't support WAN-UDP and lan-multicast properly)
It's an investment of a few years, say it'll work for three years, you'll pay 70 per year for your (hopefully) trouble-free superspeed internet router. :)
-
I use a Supermicro X7SPA-HF ITX board, it has an Atom D510 and 2x Intel Gigabit NICs (on PCIe, be aware that a conventional PCI bus is too slow for 2x gigabit).
In a test setup I could do torrents at 400 mbit. I don't recall it maxing out the CPU, but I didn't bother looking into it further as I only have a 120 mbit connection anyway. 400 mbit smells like a maxed out harddrive of one of the test computers.
It has been running 24/7 since Feb 2011, no problems with it at all. Only reason for reboot is a software update which has been 500+ days ago, don't tell anybody.
-
What do people use when they have say, 350 Mbps broadband?
Most of the routers I looked at don't support that kind of WAN->LAN speed above some 50 Mbps with anything firewall or NAT running. Firewalls and routers get _really_ expensive at that point (400 EUR and above for example ZyXEL ZyWall 110)
Even a fairly basic pfSense setup is good for 1Gbps.
-
I could have in my hands for 75$ a Dual 64 bit Xeon 3.6 Ghz CPUs with 16GB RAM.
mmmmm.... Let´s add a used Intel quad NIC PCI-X and a used SSD I will be around max 150$ total.
Stupid overkill for pfSense? I am thinking for that amount of money it could make sense (forgive me for this nosense... probably), yes it will be more than an 11W mini ATX PC and the electric bill will go up.
Since it must be a 24/7 machine the dilemma is always go old, power consumption inefficient and cheap but tons of horse power (no worrires about installing packages, load traffic and so on or faster future ISP connection or whatever) or go in the other direction with a new/lightly used machine. (Praying the old machine will last for at least 5 years?)
Sorry I have some experience with FreeBDS but none with pfSense... so it is difficoult for me to judge.
Ah, it is for my home and yes when I design something I love to overkill if it is cheap.
-
Linksys and some Cisco equipment are notorious for the elec. caps. I can't remember what brand they were, but if you get a product that has those, don't expect it to work for more than a year. I've changed bulged up caps on 3-4 linksys products so far. Last one was one of the EA series (can't remember the exact model).
Get an Asus router, Dark Knight. Very stable, very good range and fast. If you're on a budget TP-link.
-
I could have in my hands for 75$ a Dual 64 bit Xeon 3.6 Ghz CPUs with 16GB RAM.
mmmmm.... Let´s add a used Intel quad NIC PCI-X and a used SSD I will be around max 150$ total.
Stupid overkill for pfSense? I am thinking for that amount of money it could make sense (forgive me for this nosense... probably), yes it will be more than an 11W mini ATX PC and the electric bill will go up.
Since it must be a 24/7 machine the dilemma is always go old, power consumption inefficient and cheap but tons of horse power (no worrires about installing packages, load traffic and so on or faster future ISP connection or whatever) or go in the other direction with a new/lightly used machine. (Praying the old machine will last for at least 5 years?)
Sorry I have some experience with FreeBDS but none with pfSense... so it is difficoult for me to judge.
Ah, it is for my home and yes when I design something I love to overkill if it is cheap.
Personally I'd buy a small atom based mini-ITX board and an Intel dual NIC for a pfSense setup. You should be able to set something up for that money that is cheap to run but still fast enough. I'm running a server with two quad core Xeons which on it's own is drawing over 300W continuously :(
-
Any experinces with dd-wrt and a TL-WDR4300 ?
The TL-WDR4300 runs great with openwrt.
-
Most of our installs are 1043nd as most customers have no idea how their WiFi works much less how to grunt a greeting properly and have so much money they don't have neighbors.
If they are that rich don't they need the extra capacity at 5GHz for their own use? :)
Again. They have no idea how WiFi works. Should be taken then that they have no idea how their electronics and computers work, they just cry about it not working at every edge of their property. Sending emails and watching Netflix is super important! (obviously no, no capacity issues)
Any experinces with dd-wrt and a TL-WDR4300 ?
The TL-WDR4300 runs great with openwrt.
Early models had issues with overheating.
Any model you find now shouldn't have this problem.
-
I'm running a server with two quad core Xeons which on it's own is drawing over 300W continuously :(
That seems excessive. My entire server rack pulls about 400 watts which includes 1x 1RU Xeon server, 2x Dual Xeon servers (one has 8 hard disks), 2x switches and some other small bits. My desktop PC uses about 85 watts which is a single Xeon machine with a 30" Dell UltraSharp monitor (this is all at 240v line voltage mind you).
-
Personally I'd buy a small atom based mini-ITX board and an Intel dual NIC for a pfSense setup.
The Atom ITX boards are good choices because a number of them have multiple NICs on the board, and they are typically the better NICs for some reason (Low end Atoms have the high end NICs. High end I7s have the cheap NICs. Why?). Non-Atom choices usually require adding a NIC card, which can increase the height, and stop you using a very compact case.
-
I'll add my support to the PfSense crowd, I'm running that here too.
Its running on a HP-t5740 Intel Atom N280 thin client re-tasked, easily achieves +500Mbs throughput.
Previously was using a PCengines ALIX 2D2 which was fine until I started running dual stack IPv4/IPv6 and then it started to run out of memory on some tasks.
Do a search on pfsense on ebay and you'll find many prebuilt units over various power.
regards
Tim
-
Sorry I have some experience with FreeBDS but none with pfSense... so it is difficoult for me to judge.
Ah, it is for my home and yes when I design something I love to overkill if it is cheap.
Project stopped due to noisy fan: 65dB after the booting phase is too much in a home enviroment. Tempted to buy it and then monkey around with mineral oil in order to keep it quiet but cool. I already know it whould be another project start with no end, so I pass thanks.
-
Any experinces with dd-wrt and a TL-WDR4300 ?
The TL-WDR4300 runs great with openwrt.
I have no experience with openwrt , only used dd-wrt on WRT54G's
I need openvpn client support , as it's going to open a VPN tunnel towards my linux server.
Any quick start guides for openwrt ?
I could start out on my wrt54g , just to get the feeling of it.
/Bingo
-
Actually any OS with support for pf will do just fine for this purpose. I used to run an old PC with OpenBSD as a router for years. Won't consider it now cause of practical constraints. Right now I'm using a MikroTik RouterBoard, it's not the most intuitive thing to configure, but small/low power and relatively inexpensive, yet it allows for very advanced configurations, it's practically a router with a managed switch built in. I use an Asus dark knight as a wireless access point and switch. If you decide to use a homegrown solution anything with pf is much more robust than linux with iptables for this purpose. The rules are much more intuitive to set up in pf than iptables.
-
I have no experience with openwrt , only used dd-wrt on WRT54G's
I need openvpn client support , as it's going to open a VPN tunnel towards my linux server.
Any quick start guides for openwrt ?
I could start out on my wrt54g , just to get the feeling of it.
Openvpn is no problem. BTW, you should update your openvpn server (major vulnerability found). A good starting point would be http://wiki.openwrt.org/doc/start (http://wiki.openwrt.org/doc/start) for the basics. Download and flash firmware (Barrier Breaker), telnet 192.168.1.1, change root password with "passwd" and logout. After that you'll use ssh for shell access or the web-UI which is pretty straight forward. For special stuff you should read the references/tutorials and check out "uci".
PS: openwrt has full IPv6 support.
-
Sorry I have some experience with FreeBDS but none with pfSense... so it is difficoult for me to judge.
Ah, it is for my home and yes when I design something I love to overkill if it is cheap.
Project stopped due to noisy fan: 65dB after the booting phase is too much in a home enviroment. Tempted to buy it and then monkey around with mineral oil in order to keep it quiet but cool. I already know it whould be another project start with no end, so I pass thanks.
There's really no point in using such a heavy machine. Look at the Vyatta 3500 series, they used a mid-range Xeon with 3GB ram to run a device that can handle a small company. That's already gross overkill for home use. I think they claimed 20 Gbps throughput.
-
What is everyone using?
Currently I use a FortiNet FWF-80CM which is under full support. Not only is the hardware rock-solid, it's fast enough for most high-speed lines, and it gives me much better protection with sophisticated Intrusion Detection, anti-malware scanning and such. It's also a modern NGW firewall which works at the application level and not one of the old stupid SPI firewalls (which is what consumer routers and firewall distros such as pfSense and IPFire are).
Someone said that all consumer routers are more or less shit. I can nothing but agree. Some of these routers may be better, but at the end of the day they are all very poor. And installing something like OpenWRT/DD-WRT doesn't help much when the low-performance hardware is made for the lowest price point possible. And no matter what you put on top of such a POS it's still a plain old stupid SPI firewall.
Depending on how much comfort you want (i.e. router acting as media server, NAS or other gimmicks) and how important security is for you there are various options:
1. Roll Your Own
Get some decent(!) reliable low-power hardware and install one of the free firewall distros on it for example:
- pfSense: reliable, doesn't need much ressources. Negatives are that even in the current 2.2 beta the support for 11n WiFi sucks donkey balls. It's also an SPI Firewall and the IDS and anti-malware options are very basic and pretty poor
- IPFire: simple router distro which does other things as well. No WiFi AP support as far as I know, 32bit only, and like all the other firewall distros a simple SPI firewall.
- Untangle: free version of the commercial UTM firewall variant, bit awkward GUI, and the free UTM apps are overall pretty basic.
- Sophos UTM: former Astaro ASG, this is a professional UTM firewall that is free for home use. One of the best products on the market which provides very good IDS and antimalware protection. If you roll your own then I'd strongly recommmend Sophos over the alternatives.
2. Get a real Firewall
These days you can get decent second hand firewalls (i.e. Watchguard XTM2 Series) for little money on ebay. With Watchguard you can create a free account and have the device ownership transferred to that account, and you can download firmware updates even without support contract (although they can only be installed with a little trick). You can get some cheap FortiGate/FortiWifis as well, firmware for those is also available.
Whatever you do however, don't buy anything where you can't get regular firmware updates. "Just works" isn't enough, there's a lot of stuff going on even on consumer routers, and without good firmware support you make yourself vulnerable. If you buy a "real" firewall then make sure that the device is still supported through updates.
-
1. Roll Your Own
Get some decent(!) reliable low-power hardware and install one of the free firewall distros on it for example:
- pfSense: reliable, doesn't need much ressources. Negatives are that even in the current 2.2 beta the support for 11n WiFi sucks donkey balls. It's also an SPI Firewall and the IDS and anti-malware options are very basic and pretty poor
- IPFire: simple router distro which does other things as well. No WiFi AP support as far as I know, 32bit only, and like all the other firewall distros a simple SPI firewall.
- Untangle: free version of the commercial UTM firewall variant, bit awkward GUI, and the free UTM apps are overall pretty basic.
- Sophos UTM: former Astaro ASG, this is a professional UTM firewall that is free for home use. One of the best products on the market which provides very good IDS and antimalware protection. If you roll your own then I'd strongly recommmend Sophos over the alternatives.
You missed off ClearOS which is also a great solution.
-
You missed off ClearOS which is also a great solution.
ClearOS isn't really a router/firewall distro, it's meant as a server distro. It can do routing and firewalling (as any Linux distro can) but it's a bit oversized for that, and still only offers a plain old SPI firewall and snort IDS.
ClearOS nice if you need a file/mail/groupware server but none of these servers should really run on the firewall hardware.
-
Maybe overkill but I have a 1U server I put pfsense on and use as my router/firewall. It does vlans too. I have a Unifi AP for the wireless and a few wireless networks that are on different vlans. Works great and it has tons of configuration options compared to the crappy consumer grade ones.
-
I wouldn't go so far as to say SPI firewalls are old and stupid. Snort is a perfectly good IDS but you need to pay money to get the latest definitions, and for web browsing at least you can set up squid with ClamAV and then you can even use caching which can be nice on some connections.
-
Router Name dd-wrt v24
Router Model Linksys E4200
It's got USB, 2.4GHz and 5GHz.
Get great coverage all over our (large, brick, concrete floor) house.
I paid about $50 for it and it took about 20 minutes to reflash and configure with DD-WRT.
-
... routers get _really_ expensive at that point (400 EUR and above for example ZyXEL ZyWall 110)
At my old office (last year), I was using Extreme Networks switches, routers and access points... but just the switches were north of $25K each. Sigh.
-
You missed off ClearOS which is also a great solution.
ClearOS isn't really a router/firewall distro, it's meant as a server distro. It can do routing and firewalling (as any Linux distro can) but it's a bit oversized for that, and still only offers a plain old SPI firewall and snort IDS.
ClearOS nice if you need a file/mail/groupware server but none of these servers should really run on the firewall hardware.
Maybe on the old versions, but from 6 onwards it can be set up for whatever you want. File server, web server, mail/printer server, firewall or a router or any combo of the above. The virus and firewall subscriptions make it no worse than any other device on the market.
-
Whatever you choose, make sure it has a proper IPv6 support. Not just routing and filtering, but also address assignment and prefix delegation.
-
ClearOS isn't really a router/firewall distro, it's meant as a server distro. It can do routing and firewalling (as any Linux distro can) but it's a bit oversized for that, and still only offers a plain old SPI firewall and snort IDS.
ClearOS nice if you need a file/mail/groupware server but none of these servers should really run on the firewall hardware.
Maybe on the old versions, but from 6 onwards it can be set up for whatever you want. File server, web server, mail/printer server, firewall or a router or any combo of the above.
It's all fine and great that all these functions can be set up on one box, this doesn't mean it's a good idea. Server services should never ever run on the firewall.
The virus and firewall subscriptions make it no worse than any other device on the market.
Only if you don't know what else is on the market. ClearOS is certainly a great all-in-one package but even the paid-for options are nowhere near the protection you can expect from a NGFW like a WatchGuard, Fortinet, SonicWall or Sophos UTM. The latter also runs on PC hardware and is free for home use.
As a simple SPI firewall it's overladen, something like pfSense is a much better option for such a case, which I would also trust much more to address safety issues promptly than ClearOS.
-
I wouldn't go so far as to say SPI firewalls are old and stupid.
They *are* stupid. SPI firewalls are application agnostic, which means they can't see what application is going to communicate. SPI firewalls act by communication states, but that's about it.
Oh, and they are definitely old, SPI firewalls exist since the 90's.
Snort is a perfectly good IDS but you need to pay money to get the latest definitions
Exactly, but then the question arises why not invest in something which offers a bit more sophisticated IDS. Or if it's for home use why not use something like Sophos UTM which is free for home use and does a much better job as a firewall?
and for web browsing at least you can set up squid with ClamAV and then you can even use caching which can be nice on some connections.
Yuck, ClamAV. You know that this is by far the worst and most useless antivirus scanner ever invented? It's effectiveness against malware is roughly the same as Holy Water.
-
Just because SPI firewalls have been around since the 90's doesn't mean they aren't effective. Protocol-inspecting firewalls can have some advantages, but it takes significantly more horsepower to run one of those at high throughput, and not everyone likes to have all of your packets messed with that much. Coming out so blatantly against something that is perfectly fine for 100% of home users, kind of makes you look a bit arrogant, ya know?
-
I'm surprised about the barking on about SPI firewalls when , fundamentally , SOFOS UTM is an SPI with other things stuck on top.
After all its just the Astaro linux distro firewall with commercial support and nicer antivirus like McAffee rather than ClamAV.
Fundamentally the end user needs to ask ...
"Am I happy with the TrendMicro|McAfee|Avaste|etc protecting my PC ?"
if the answer is yes then an SPI firewall is all that's needed plus whatever additional features you might require like IPv6 support, OpenVPN, logging etc - which 99% of top ten distro's provide.
If you're trying to protect an number of desktops, or small business, where you might not have direct control over the configuration of those desktops or end hosts, then yes a UTM firewall is probably what you need.
Any security is a layered approach, how many, what they are, and where you want to implement those layers should be an output of your risk assessment.
regards
Tim
-
ClearOS isn't really a router/firewall distro, it's meant as a server distro. It can do routing and firewalling (as any Linux distro can) but it's a bit oversized for that, and still only offers a plain old SPI firewall and snort IDS.
ClearOS nice if you need a file/mail/groupware server but none of these servers should really run on the firewall hardware.
Maybe on the old versions, but from 6 onwards it can be set up for whatever you want. File server, web server, mail/printer server, firewall or a router or any combo of the above.
It's all fine and great that all these functions can be set up on one box, this doesn't mean it's a good idea. Server services should never ever run on the firewall.
You're missing the point. You can use it as a plain firewall, or a firewall and router. Nothing says you have to use the web or file servers :palm:
The firewall subscriptions are as good as any other offering. I had a Watchguard firewall before I turned it into a pfSense box, but the differences as minimal.
-
https://blog.pfsense.org/?p=1546 (https://blog.pfsense.org/?p=1546)
pfSense 2.2-RELEASE Now Available!
January 23rd, 2015 by Chris Buechler
I’m happy to announce the release of pfSense® software version 2.2! This release brings improvements in performance and hardware support from the FreeBSD 10.1 base, as well as enhancements we’ve added such as AES-GCM with AES-NI acceleration, among a number of other new features and bug fixes. Jim Thompson posted an overview of the significant changes previously.
In the process of reaching release, we’ve closed out 392 total tickets (this number includes 55 features or tasks), fixed 135 bugs affecting 2.1.5 and prior versions, fixed another 202 bugs introduced in 2.2 by advancing the base OS version from FreeBSD 8.3 to 10.1, changing IPsec keying daemons from racoon to strongSwan, upgrading the PHP backend to version 5.5 and switching it from FastCGI to PHP-FPM, and adding the Unbound DNS Resolver, and many smaller changes.
-
I'm surprised about the barking on about SPI firewalls when , fundamentally , SOFOS UTM is an SPI with other things stuck on top.
I think he wants an ALG. But that's going to be too expensive for SOHO users.