Using old second computer as a dedicated firewall/router

Discussion in 'all things UNIX' started by chrome_sturmen, Oct 5, 2014.

  1. chrome_sturmen

    chrome_sturmen Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    785
    Location:
    Sverige
    Hey gents, well I've read some about using an older spare computer as a firewall/router using Linux. I've read that this type of setup would have capabilities that the little consumer routers do not.
    I have a spare box and so was thinking of trying it, though I have only rudimentary experience with Linux. I read though that the setup is fairly easy with programs like pfSense, Smoothwall, IPCop, etc.
    So then a couple questions:
    -Thoughts on dedicated firewall vs a desktop distro install running a firewall (is this even done)?
    -Is it fairly simple to set up/configure?
    -Overkill for a simple home network?
    -Connecting a consumer linksys router for wifi capabilities, is it fairly straightforward?
    -Benefits of this setup?
    -Drawbacks of this setup?
    -Other thoughts?
    -Links?


    My first thoughts on this were that the firewall would filter the internet/provide security, while the machines on the network would have that much freer resources for it. Still, though, it'd seem you'd need a firewall on each local machine if you wanted to control in/outbound, as well as antivirus for the obvious reasons.

    Thoughts appreciated
     
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    Easier would be running a dedicated router/firewall distribution, because by default it would just work. And typically you get a GUI interface that's not much harder to use than most consumer routers. I like pfSense, which is based on FreeBSD, and it's what I know best. The benefit is getting enterprise-level features and capabilities for free, plus hardware cost. You can add all sorts of security etc. packages from its repository. I know that it can handle WiFi, but I have no experience with that.

    The PC version runs on just about any hardware. You want 1 GB RAM, but it will work on 512 MB, and it needs less than 2 GB disk space. What it does want is Intel or Broadcom network cards. Do a test install, to make sure that it recognizes your onboard network adapter. Then buy a one- or two-port Intel server gigabit card. If your machine has an old PCIe 1.0 bus, you can use old PCIe 1.0 network cards, which are available (perhaps used/refurbished) at low prices. But they often won't work in machines with PCIe 2.0 bus. And new Intel PCIe 2.0 server gigabit cards are rather pricey.

    With the default setup, everything from LAN is allowed out on WAN, and only established incoming connections are allowed. But you can easily tweak that.
     
  3. Veeshush

    Veeshush Registered Member

    Joined:
    Mar 16, 2014
    Posts:
    643
    If you just want Linux on a router go OpenWRT: http://wiki.openwrt.org/toh/start I have a NETGEAR WNDR3800 I just got this year and I love it. It's also the router the EFF are using to work on their own CeroWRT based firmware: https://openwireless.org/router/download

    Turning an old computer into a Linux firewall/router seems to be the old go-to project people always want to try. But the end result is something that's 10x larger than a regular old router, chews up more power (unless you're selecting all hardware beforehand, but in most cases it's just an old computer) and since it runs 24/7, sucks up all the dust in its fans. All in all, it's a lot of messing around. That said, I'd only do it for the learning experience or if you have some end goal in mind (like setting up a VPN or something). Or if you need it to do something that any of the open router firmwares can't do, or want your custom router to have faster overkill hardware than a store-bought one.

    Also worth a mention is OpenBSD. http://www.bsdnow.tv/tutorials/openbsd-router I can't find it, but a while back I swear there was a thread here about someone making a secure, private router that ran OpenBSD and had VPN type stuff setup.
     
  4. ChristineBCW

    ChristineBCW Registered Member

    Joined:
    Sep 27, 2014
    Posts:
    38
    Good advice from these replies... Miri states "it's what I know best" and all of these platforms have this caveat. It's going to be like Baptists vs Methodists - what is learned is what is often considered "best" and there will always be some learning. Dive in, make that commitment.

    Veesh points out the power-consumption practicality, too, and some consumer routers open up different firmware possibilities as well, which can exploit the router's electronics in different, non-mass market ways, all consuming less utilities than an old dedicated PC.

    But the "old PC" gives a larger learning ability, too, with more logging, more options.

    "Try both" is probably the best learning method to deciding what's your favorite ultimate option. I hate having my old dust-collectors sit in a closet.

    (By the way, "Overkill for home use" might be a correct value, but the learning of these options has career impact values, too.)
     
  5. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,594
    If you read around, and not just in this forum, you will see some strong validation that running "old PC hardware" is more expensive. By going to pfSense's site and ordering ready-to-go hardware with amazing "kick butt" speeds, you will have power capabilities your older hardware couldn't even make you dream about. Quiet, powerful, multiple LANs and all ready to simply program to your specs. And NO, I don't have associations there!

    I frankly am not running pfSense at this time. I have had to WIRE (Ethernet) my hobby box to the router because the frickin consumer grade router wireless processor just doesn't do the job for what I need. It's adequate if you are a one hop guy, but I am a 5 hopper and I need processing power to run wireless without getting jammed up in the pipe. So, I bypass that bottleneck, but in a perfect world I'll scrape up some hobby $$ to get a nice piece of hardware some day soon.
     
  6. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    PCs do use more power, take up more space, make more noise, etc. But they're easy to work with for most of us. Working with routers (except enterprise ones that are basically PCs) requires new skills, such as flashing ROM. There is a middle ground, using embedded one-board PCs.
     
  7. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,331
    Location:
    West Yorkshire, UK
    I wonder if it's better for the environment to keep using an old PC, rather than throwing it in a landfill (how much is recyclable nowadays?)
     
  8. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    With the vulnerabilities being found in routers, some of which border on being backdoors, I'd choose to convert a PC over using a consumer grade router. I've been running a very old PC converted with Smoothwall for many years. It has worked flawlessly.
     
  9. chrome_sturmen

    chrome_sturmen Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    785
    Location:
    Sverige
    Thanks all for the informative/interesting replies.
    I'm wondering how a consumer router (for wifi) would fit into that scenario. Would it be old computer/firewall's 2nd ethernet port > wifi router's WAN port > wired computer/wireless clients?
    You'd disable the firewall in the router, I'd reason - the computer/firewall would do the processing/filtering, passing the router the clean signal; the router then is for wifi/DHCP?
    I've never tried this stuff, I'm only guessing here.
     
  10. ChristineBCW

    ChristineBCW Registered Member

    Joined:
    Sep 27, 2014
    Posts:
    38
    NGR's point about landfill is my concern for dust-collectors. I still think the learning process is a worthy side-effect - along with an anti-landfill factor - for a dust-collecting old PC to be experimented on. Of course, maybe that's why God invented Win10 Tech Previews, too! "Thou shalt dust off and load Tech Previews on..."

    The PC's learning curve will be steeper, but also more fruitful because of the larger number of options and the greater chance a 'student' has to log the effects of options and results. Once I saw what a PC-based firewall offered, going 'down' to consumer routers or dedicated firewall boxes was good for the comparison value - "best for each situation" became apparent.

    (One note about 'second router' concepts - many consumer routers have different presets: "(1) I'm your full-time WiFi Router; (2) I'm your Access Point; (3) I'm your Bridge..." and these are basically profiles of options to alter that software/firmware to make all the correct settings for the User. A website like SmallNetBuilder can be a great open-door for this 'universe'.)
     
  11. Veeshush

    Veeshush Registered Member

    Joined:
    Mar 16, 2014
    Posts:
    643
    Just to talk more about the power difference. It's not really a concern unless you're living off solar panels or something. It's the equivalent, though, of using a 100 watt incandescent light bulb compared to a 10 watt LED bulb.

    A typical store-bought router: chews around 7 or so watts.
    PC router build: chews up anywhere from 80 watts or so, all depending on hardware used.
    Mini-ITX board build: chews up under 50 watts depending. ( https://en.wikipedia.org/wiki/Mini-ITX )

    You can always test it out yourself using https://en.wikipedia.org/wiki/Kill_A_Watt Again, it's just more about the fans sucking up dust in systems that run 24/7. No one is going to go broke from running an old PC as a router.

    There are a lot of e-waste recyclers out there these days. They usually take a look over the hardware and if it's still in good shape they put it up on eBay for collectors or whoever else would want to get use out of it. If it's in bad shape, then they just disassemble them, putting all the separate parts sorted into bins (wires, boards, plastics, etc). Surprising amount of copper and gold.
     
  12. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    Love the idea of (fanless) mitx boards, but you'd have to get a second network interface.

    Is people's view that it's better to physically decouple the routing function from the wireless hub? I know some wireless routers also offer Guest facilities, but I've never trusted those!

    One economic factor apart from power consumption to consider is the cost of floorspace - depending on where you live, that can be very sobering, and is the technique I try to use to dejunk....
     
  13. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Regarding the power consumption difference, the power used becomes heat. That heat is only an issue if you don't want it. During the heating season, which is most of the year in this area, the energy it uses translates into energy that your heating system didn't use.
     
  14. chrome_sturmen

    chrome_sturmen Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    785
    Location:
    Sverige
    Those of you who have this setup, what do you have in place for security/privacy on the firewall box? I've read that a computer dedicated as a firewall can use hosts files, IP blockers etc, which the consumer routers cannot, for instance.
    Still, I reckon there's a need for a software firewall and antimalware on the client boxes.
     
  15. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I don't run any type of IP blocker, AV, or filter on Smoothwall. It's used strictly as a network firewall with a separate LAN and DMZ. It has an IDS but I don't use it.
     
  16. chrome_sturmen

    chrome_sturmen Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    785
    Location:
    Sverige
    Well I'm gonna finally give this a go - I have 2 spare boxes that I could use for the purpose - which would you guys recommend I use?
    - a single core Athlon 64 1.8 GHz with 2 GB RAM, or
    - a dual Xeon 2.8 GHz dual core with about 1 GB or maybe 1.5 GB RAM (can't remember just now) (this is an older Tyan server motherboard btw)

    I'm planning to install pfSense and run the box as a standalone firewall, and I do want to install some of the add-on packages such as an IP blocker, maybe an IDS as well.
    In any case, which of the aforementioned would be better to go with for this? (if either)
    Thanks
     
  17. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    I'd say try the Athlon first. It probably draws a lot less power, right?

    It's important to use Intel Gigabit server NICs.
     
  18. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    @chrome_sturmen The biggest factor I've seen from the pfsense recommended hardware list relates to:

    a) are you intending to do LAN-LAN protection which needs >100M? Or is it just LAN-WAN?
    b) do you intend to run plugins such as Snort (more memory, more processing), VPNs etc.

    I found the DIY hardware selection a very frustrating exercise for pfsense. My ideal would be something like a dual Intel nic fanless J1900 mitx box, but these are not to be had yet, with good track record. It would be possible to do LAN-LAN using VLAN in that case. VLAN could give you a way of adding LAN-LAN afterwards if you don't have the expansion options.

    My personal feeling is that LAN/WLAN-LAN segregation will become increasingly important, with BYOD and grotty tablets and mobile phones proliferating, and worse with the IoT, all with extremely dodgy security IMO. So keeping my valuable desktops separate from the great unwashed is important to me.

    So I've used an old Q6600 quad core and an Intel quad NIC PCIe 2 I350-T4, which have come down in price some (about $150). In my opinion these are much more future-proof than the nasty old PCIe 1 Intel cards. So if the box fails, I can pop the LAN card in any modern mobo. I happen to have 8 GB RAM anyway, but I did read that with some plugins, reliability was improved with more RAM sometimes (say up to 4 GB).

    I would like to have used some old Xeon 5504s, but the motherboards for these are few and far between at sensible prices. I'd choose one with PCI-X because the quad NIC cards for that are good and very cheap.
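    An illustration added to this thread (not from any poster, and not pfSense's own generated ruleset): a minimal FreeBSD pf.conf expressing the default policy mirimir describes in post 2 (LAN allowed out, nothing unsolicited in from WAN, replies matched by state) together with the LAN/WLAN segregation deBoetie argues for in post 18, done with a VLAN. Interface names, the VLAN id and the address ranges are assumptions chosen for the example.

```pf
# Assumed interfaces: em0 faces the ISP, em1 the trusted wired LAN,
# vlan20 (tagged on em1) carries the consumer router used as an access point.
wan  = "em0"
lan  = "em1"
wlan = "vlan20"
lan_net  = "192.168.1.0/24"     # constructed example ranges
wlan_net = "192.168.20.0/24"

set skip on lo0
scrub in all

# Translation rules must precede filter rules in pf: NAT both segments out WAN.
nat on $wan from { $lan_net, $wlan_net } to any -> ($wan)

# Default deny, logged, so anything not explicitly passed below is visible in pflog.
block log all

# Drop packets arriving on an interface that should not hold their source address.
antispoof quick for { $lan, $wlan }

# WAN: no unsolicited inbound traffic. Replies to outbound connections are
# matched by the state table created by the pass rules below, so there is
# no separate "established" rule to write.
block in quick on $wan

# Trusted LAN: allowed out anywhere, stateful (the pfSense default behaviour).
pass in on $lan from $lan_net to any keep state

# Wireless/guest segment: DHCP and DNS to the firewall itself, Internet access,
# but explicitly no path into the trusted LAN.
pass in quick on $wlan proto udp from any port 68 to any port 67
pass in quick on $wlan proto { tcp udp } from $wlan_net to ($wlan) port 53
block in quick on $wlan from $wlan_net to $lan_net
pass in on $wlan from $wlan_net to any keep state
```

    Checking the file with `pfctl -nf /etc/pf.conf` parses it without loading, which is the safe way to validate an edit on a box you reach over the network it filters.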
     