On Sun, Jan 04, 2015 at 01:52:23PM -0500, Peter Meyer wrote:
> Opinions please. I am looking to build/buy something that replaces my
> existing router/gateway box.
>
> My thinking is taking me in two directions. One is to replace my existing
> WRT54GL running Tomato with another embedded system running openWRT

Why not just stock Linux? What are you doing that requires those firmwares?

Just stock Linux, sysctl net.ipv4.ip_forward=1, a bit of iptables or
nftables, dnsmasq or ISC DHCPd and your favourite caching and recursing
nameserver, some static addressing and routes, and you're done, not to
mention have far more control than you could hope for.

But first, what are your speed requirements?

> or build a multi-port router

How is being multi-port exclusive?

> (raspberry pi???)

The Raspberry Pi *isn't* multi-port. You'll have to use tagged VLANs and a
managed switch, like a Netgear GS-10[58]T, to get around that.

> with:
> […]
> 2. unique zones and policies that separate the wifi (wlan) from the
> local network (lan) and firewall both from the internet.

iptables or nftables. Zones are an abstraction built by the *WRTs that
produce very messy rulesets, no more. Did that with my router at home for my
two ISPs and two subnets, and it works.

> 3. QOS controls - This has become less of an issue as my DSL pipe is
> 10/1, however I would like to add VOIP onto this network and
> prioritize its traffic above all other.

If you want to *strictly prioritize*, and aren't worried about starvation,
you'd use the prio qdisc. The simplest would be two bands, one for VoIP
traffic, and the other for the remainder. Use tc (from iproute2) and a few
iptables targets used to manage Linux QoS.

But before even looking at that, is your link even appropriate for VoIP?
What's the latency on it like? Low and predictable enough? Have you tested
it?

Mind you, if you can find good tc filter documentation, you'll be in luck.
tc itself isn't very helpful when you enter incorrect rules. And I'm sorely
tempted to run Linux under a debugger just to figure out where it's failing.

> I've started prototyping this idea using a raspberry PI running Shorewall,

Why Shorewall?
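As an added example (not code from the original mail, nor from any project it mentions), the pieces of the "stock Linux" approach above collected into one script: forwarding switched on, a two-zone FORWARD policy with masquerading that keeps wlan off lan, and a two-band prio qdisc on the WAN egress fed by a fwmark filter. The interface names (eth0, eth1, wlan0), the subnets, and the SIP/RTP port ranges are assumptions for illustration; the DRY_RUN switch prints the commands instead of executing them so the rule set can be reviewed without root.

```shell
#!/bin/sh
# Added example, not from the original mail: a stock-Linux router skeleton
# with separate LAN/WLAN zones and strict VoIP prioritisation through a
# two-band prio qdisc. Interface names, subnets and port ranges below are
# assumptions; adjust them to the real box.
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
WLAN=${WLAN:-wlan0}
LAN_NET=${LAN_NET:-192.168.1.0/24}
WLAN_NET=${WLAN_NET:-192.168.2.0/24}
SIP_PORTS=5060:5061     # SIP signalling (assumed)
RTP_PORTS=10000:20000   # RTP media range (assumed; depends on the PBX/phones)
VOIP_MARK=1             # fwmark that selects the VoIP band

# With DRY_RUN set, print each command instead of executing it, so the
# rule set can be reviewed (or tested) without root or real interfaces.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
}

# Zone policy: LAN and WLAN each reach the Internet via masquerading, WLAN
# may not reach LAN, and anything unsolicited is dropped by the FORWARD
# policy. VoIP packets leaving on WAN get a fwmark for tc to classify on.
firewall_rules() {
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    run iptables -A FORWARD -i "$WLAN" -o "$WAN" -s "$WLAN_NET" -j ACCEPT
    run iptables -A FORWARD -i "$WLAN" -o "$LAN" -j DROP
    run iptables -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
    run iptables -t nat -A POSTROUTING -o "$WAN" -s "$WLAN_NET" -j MASQUERADE
    run iptables -t mangle -A POSTROUTING -o "$WAN" -p udp --dport "$SIP_PORTS" \
        -j MARK --set-mark "$VOIP_MARK"
    run iptables -t mangle -A POSTROUTING -o "$WAN" -p udp --dport "$RTP_PORTS" \
        -j MARK --set-mark "$VOIP_MARK"
}

# QoS: two-band prio qdisc on the WAN egress. Band 0 (class 1:1) is always
# dequeued before band 1 (class 1:2): strict priority, so band 1 starves if
# band 0 saturates the uplink. The 16-entry priomap sends every TOS/priority
# value to band 1; only the fw filter lifts marked VoIP traffic into band 0.
qos_rules() {
    run tc qdisc del dev "$WAN" root 2>/dev/null
    run tc qdisc add dev "$WAN" root handle 1: prio bands 2 \
        priomap 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
    run tc filter add dev "$WAN" parent 1: protocol ip prio 1 \
        handle "$VOIP_MARK" fw flowid 1:1
}

# Apply only when invoked as "sh router.sh apply" (set DRY_RUN=1 to preview).
if [ "${1:-}" = apply ]; then
    enable_forwarding
    firewall_rules
    qos_rules
fi
```

Preview with `DRY_RUN=1 sh router.sh apply` (file name assumed), then run it as root without DRY_RUN to load the rules. Two caveats beyond what the mail says: the prio qdisc only orders packets the kernel is holding, so on a 1 Mbit/s upstream it is usually paired with a rate limiter (tbf or htb) slightly below the line rate so the DSL modem's own buffer does not become the queue; and the prio filter only sees marks set in the mangle table before the packet reaches the egress qdisc, which is why the MARK rules sit in POSTROUTING.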