I'm extremely interested in building a low powered firewall as well. I eventually settled on micro ATX format, Intel Atom chip with 2GB RAM (fanless). It's about twice the size of a Linksys router and I was able to get a multi ethernet board (5 ports). I have multiple networks at home. I settled for pfSense for the firewall application.

I haven't done extensive research, but as far as I can tell, you can't add more than 2 RJ45 ports on Raspberry Pi (would love to use that format).

The best low powered solution I could find that still had enough meat and potatoes under the hood is from these guys http://soekris.com/products/net5501.html but they are a bit pricey.

Jeff Green
Email: mail [ at ] forjeff [ dot ] com
Blog/Photography/Bio: http://forjeff.com
Cell/Text: 613.552.2704

> -------- Original Message --------
> Subject: Linux Digest, Vol 121, Issue 6
> From: linux-request [ at ] lists [ dot ] oclug [ dot ] on [ dot ] ca
> Date: Mon, January 05, 2015 10:00 pm
> To: linux [ at ] lists [ dot ] oclug [ dot ] on [ dot ] ca
>
>
> Send Linux mailing list submissions to
>     linux [ at ] lists [ dot ] oclug [ dot ] on [ dot ] ca
>
> To subscribe or unsubscribe via the World Wide Web, visit
>     http://oclug.on.ca/mailman/listinfo/linux
> or, via email, send a message with subject or body 'help' to
>     linux-request [ at ] lists [ dot ] oclug [ dot ] on [ dot ] ca
>
> You can reach the person managing the list at
>     linux-owner [ at ] lists [ dot ] oclug [ dot ] on [ dot ] ca
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Linux digest..."
>
>
> Today's Topics:
>
>    1. Re: Opinions requested: LF Good low powered multi-port
>       gateway/wireless router (Alex Pilon)
>    2. Re: Opinions requested: LF Good low powered multi-port
>       gateway/wireless router (Paul Belanger)
>    3. Re: Opinions requested: LF Good low powered multi-port
>       gateway/wireless router (Peter Meyer)
>    4. Re: Opinions requested: LF Good low powered multi-port
>       gateway/wireless router (Singer Wang)
>    5. Re: Opinions requested: LF Good low powered multi-port
>       gateway/wireless router (Alex Pilon)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 5 Jan 2015 12:00:52 -0500
> From: Alex Pilon <alp [ at ] alexpilon [ dot ] ca>
> To: Peter Meyer <petermeyer69 [ at ] gmail [ dot ] com>
> Cc: linux [ at ] lists [ dot ] oclug [ dot ] on [ dot ] ca
> Subject: Re: [OCLUG-Tech] Opinions requested: LF Good low powered
>     multi-port gateway/wireless router
> Message-ID: <20150105170052 [ dot ] GA800 [ at ] alexpilon [ dot ] ca>
> Content-Type: text/plain; charset="utf-8"
>
> On Sun, Jan 04, 2015 at 01:52:23PM -0500, Peter Meyer wrote:
> > Opinions please. I am looking to build/buy something that replaces my
> > existing router/gateway box.
> >
> > My thinking is taking me in two directions. One is to replace my existing
> > WRT54GL running Tomato with another embedded system running openWRT
>
> Why not just stock Linux? What are you doing that requires those
> firmwares? Just stock linux, sysctl net.ipv4.ip_forward=1, a bit of
> iptables or nftables, dnsmasq or ISC DHCPd and your favourite caching
> and recursing nameserver, some static addressing and routes, and you're
> done, not to mention have far more control than you could hope for.
>
> But first, what are your speed requirements?
>
> > or build a multi-port router
>
> How is being multi-port exclusive?
>
> > (raspberry pi???)
>
> The Raspberry Pi *isn't* multi-port. You'll have to use tagged VLANs and
> a managed switch, like a Netgear GS-10[58]T to get around that.
>
> > with:
> > [?]
> > 2. unique zones and policies that separate the wifi (wlan) from the
> > local network (lan) and firewall both from the internet.
>
> iptables or nftables. Zones are an abstraction built by the *WRTs, that
> produce very messy rulesets, no more. Did that with my router at home
> for my two ISPs and two subnets, and it works.
>
> > 3. QOS controls - This has become less of an issue as my DSL pipe is
> > 10/1, however I would like to add VOIP onto this network and
> > prioritize its traffic above all other.
>
> If you want to *strictly prioritize*, and aren't worried about
> starvation, you'd use the prio qdisc. The simplest would be two bands,
> one for VoIP traffic, and the other for the remainder.
>
> Use tc (from iproute2) and a few iptables targets used to manage Linux
> QoS. But before even looking at that, is your link even appropriate for
> VoIP? What's the latency on it like? Low and predictable enough? Have
> you tested it?
>
> Mind you, if you can find good tc filter documentation, you'll be in
> luck. tc itself isn't very helpful when you enter incorrect rules. And
> I'm sorely tempted to run Linux under a debugger just to figure out
> where it's failing.
>
> > I've started prototyping this idea using a raspberry PI running Shorewall,
>
> Why Shorewall?
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: not available
> Type: application/pgp-signature
> Size: 819 bytes
> Desc: not available
> URL: <http://oclug.on.ca/pipermail/linux/attachments/20150105/55f024d3/attachment-0001.sig>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 5 Jan 2015 12:16:47 -0500
> From: Paul Belanger <paul [ dot ] belanger [ at ] polybeacon [ dot ] com>
> To: Alex Pilon <alp [ at ] alexpilon [ dot ] ca>
> Cc: Peter Meyer <petermeyer69 [ at ] gmail [ dot ] com>, linux
>     <linux [ at ] lists [ dot ] oclug [ dot ] on [ dot ] ca>
> Subject: Re: [OCLUG-Tech] Opinions requested: LF Good low powered
>     multi-port gateway/wireless router
> Message-ID:
>     <CALLKq0QFF9ZFFfSyoQMHurZk8yUU+EOwuanWzv0qBwcVT=TuWw [ at ] mail [ dot ] gmail [ dot ] com>
> Content-Type: text/plain; charset=UTF-8
>
> On Mon, Jan 5, 2015 at 12:00 PM, Alex Pilon <alp [ at ] alexpilon [ dot ] ca> wrote:
> > On Sun, Jan 04, 2015 at 01:52:23PM -0500, Peter Meyer wrote:
> >> Opinions please. I am looking to build/buy something that replaces my
> >> existing router/gateway box.
> >>
> >> My thinking is taking me in two directions. One is to replace my existing
> >> WRT54GL running Tomato with another embedded system running openWRT
> >
> > Why not just stock Linux? What are you doing that requires those
> > firmwares? Just stock linux, sysctl net.ipv4.ip_forward=1, a bit of
> > iptables or nftables, dnsmasq or ISC DHCPd and your favourite caching
> > and recursing nameserver, some static addressing and routes, and you're
> > done, not to mention have far more control than you could hope for.
> >
> > But first, what are your speed requirements?
> >
> >> or build a multi-port router
> >
> > How is being multi-port exclusive?
> >
> >> (raspberry pi???)
> >
> > The Raspberry Pi *isn't* multi-port. You'll have to use tagged VLANs and
> > a managed switch, like a Netgear GS-10[58]T to get around that.
> >
> >> with:
> >> [?]
> >> 2. unique zones and policies that separate the wifi (wlan) from the
> >> local network (lan) and firewall both from the internet.
> >
> > iptables or nftables. Zones are an abstraction built by the *WRTs, that
> > produce very messy rulesets, no more. Did that with my router at home
> > for my two ISPs and two subnets, and it works.
> >
> >> 3. QOS controls - This has become less of an issue as my DSL pipe is
> >> 10/1, however I would like to add VOIP onto this network and
> >> prioritize its traffic above all other.
> >
> > If you want to *strictly prioritize*, and aren't worried about
> > starvation, you'd use the prio qdisc. The simplest would be two bands,
> > one for VoIP traffic, and the other for the remainder.
> >
> > Use tc (from iproute2) and a few iptables targets used to manage Linux
> > QoS. But before even looking at that, is your link even appropriate for
> > VoIP? What's the latency on it like? Low and predictable enough? Have
> > you tested it?
> >
> > Mind you, if you can find good tc filter documentation, you'll be in
> > luck. tc itself isn't very helpful when you enter incorrect rules. And
> > I'm sorely tempted to run Linux under a debugger just to figure out
> > where it's failing.
> >
> >> I've started prototyping this idea using a raspberry PI running Shorewall,
> >
> > Why Shorewall?
> >
> Some feedback on another product.
>
> I'm in the process of pulling the trigger on getting a RouterBoard
> RB2011iL-IN[1]. However, this version does not have wireless support
> so you'd have to drop a wireless AP or move to the RB2011UiAS-2HnD-IN
> [2]. It should offer everything listed in your original email.
>
> [1] http://routerboard.com/RB2011iL-IN
> [2] http://routerboard.com/RB2011UiAS-2HnD-IN
>
> --
> Paul Belanger | PolyBeacon, Inc.
> Jabber: paul [ dot ] belanger [ at ] polybeacon [ dot ] com | IRC: pabelanger (Freenode)
> Github: https://github.com/pabelanger | Twitter: https://twitter.com/pabelanger
>
>
> ------------------------------
>
> Message: 3
> Date: Mon, 05 Jan 2015 18:33:35 +0000
> From: Peter Meyer <petermeyer69 [ at ] gmail [ dot ] com>
> To: Alex Pilon <alp [ at ] alexpilon [ dot ] ca>
> Cc: linux [ at ] lists [ dot ] oclug [ dot ] on [ dot ] ca
> Subject: Re: [OCLUG-Tech] Opinions requested: LF Good low powered
>     multi-port gateway/wireless router
> Message-ID:
>     <CAPuTOo1WRO5XaswoSpC5kwTw+VXeXTLO5DWOpLM1QzFP+Xgnfw [ at ] mail [ dot ] gmail [ dot ] com>
> Content-Type: text/plain; charset=UTF-8
>
> Hi Alex:
>
> Stock Linux would be my first choice, but I do want a system that has a
> power budget of less than 10 Watts. (This is for home use).
>
> My end goal is to create a separate guest account for the wireless (with
> access blocked to the local lan). I know a number of Linksys (and I hear
> OpenWRT) configuration will support this.
>
> The Utilite (http://www.compulab.co.il/utilite-computer/web/utilite-overview)
> would be my best bet in terms of power and has separate GMII ports.
>
> As for speed, I can't foresee data ever exceeding 30Mb/s (the anticipated
> limitation of DSL in my area).
>
> The QOS is a nice to have. I've been spoiled by the simple interface
> offered by Tomato. I don't know what it does with my QOS classes in the
> background.
>
> This might make a solution with the PI possible. Again, I need to see if
> the USB hub can handle a push of traffic without dropping packets.
>
> I mention Shorewall, as it's a firewall configuration script/tools I became
> familiar with some years ago to bridge/firewall a modem to my home network.
>
> Alex: Thanks for replying!!
>
> Peter
>
>
> On Mon Jan 05 2015 at 12:01:11 Alex Pilon <alp [ at ] alexpilon [ dot ] ca> wrote:
>
> > On Sun, Jan 04, 2015 at 01:52:23PM -0500, Peter Meyer wrote:
> > > Opinions please. I am looking to build/buy something that replaces my
> > > existing router/gateway box.
> > >
> > > My thinking is taking me in two directions. One is to replace my existing
> > > WRT54GL running Tomato with another embedded system running openWRT
> >
> > Why not just stock Linux? What are you doing that requires those
> > firmwares? Just stock linux, sysctl net.ipv4.ip_forward=1, a bit of
> > iptables or nftables, dnsmasq or ISC DHCPd and your favourite caching
> > and recursing nameserver, some static addressing and routes, and you're
> > done, not to mention have far more control than you could hope for.
> >
> > But first, what are your speed requirements?
> >
> > > or build a multi-port router
> >
> > How is being multi-port exclusive?
> >
> > > (raspberry pi???)
> >
> > The Raspberry Pi *isn't* multi-port. You'll have to use tagged VLANs and
> > a managed switch, like a Netgear GS-10[58]T to get around that.
> >
> > > with:
> > > [?]
> > > 2. unique zones and policies that separate the wifi (wlan) from the
> > > local network (lan) and firewall both from the internet.
> >
> > iptables or nftables. Zones are an abstraction built by the *WRTs, that
> > produce very messy rulesets, no more. Did that with my router at home
> > for my two ISPs and two subnets, and it works.
> >
> > > 3. QOS controls - This has become less of an issue as my DSL pipe is
> > > 10/1, however I would like to add VOIP onto this network and
> > > prioritize its traffic above all other.
> >
> > If you want to *strictly prioritize*, and aren't worried about
> > starvation, you'd use the prio qdisc. The simplest would be two bands,
> > one for VoIP traffic, and the other for the remainder.
> >
> > Use tc (from iproute2) and a few iptables targets used to manage Linux
> > QoS. But before even looking at that, is your link even appropriate for
> > VoIP? What's the latency on it like? Low and predictable enough? Have
> > you tested it?
> >
> > Mind you, if you can find good tc filter documentation, you'll be in
> > luck. tc itself isn't very helpful when you enter incorrect rules. And
> > I'm sorely tempted to run Linux under a debugger just to figure out
> > where it's failing.
> >
> > > I've started prototyping this idea using a raspberry PI running Shorewall,
> >
> > Why Shorewall?
> >
>
>
> ------------------------------
>
> Message: 4
> Date: Mon, 5 Jan 2015 14:12:52 -0500
> From: Singer Wang <wang [ at ] singerwang [ dot ] com>
> To: petermeyer69 [ at ] gmail [ dot ] com
> Cc: linux [ at ] lists [ dot ] oclug [ dot ] on [ dot ] ca
> Subject: Re: [OCLUG-Tech] Opinions requested: LF Good low powered
>     multi-port gateway/wireless router
> Message-ID:
>     <CAGaPp0ygCyWnTBhjAiWRaD146-_TymRgDDbEe8z-LkJZ-exKRA [ at ] mail [ dot ] gmail [ dot ] com>
> Content-Type: text/plain; charset=UTF-8
>
> I tried the ThinkPenguin solution and I found it rather lacking. We do a
> fair bit of transfers on the local LAN between computers plugged in and
> those on Wifi. The two main limitations for us were:
> 1) only 100Mb ethernet ports
> 2) the wireless-N is only on the 2.4GHz band, not 5GHz and is really slow..
> I have never been able to hit more than 80Mb/s from it even right next to
> it..
>
> S
>
> On Sun, Jan 4, 2015 at 1:52 PM, Peter Meyer <petermeyer69 [ at ] gmail [ dot ] com> wrote:
>
> > Forum:
> >
> > Opinions please. I am looking to build/buy something that replaces my
> > existing router/gateway box.
> >
> > My thinking is taking me in two directions. One is to replace my existing
> > WRT54GL running Tomato with another embedded system running openWRT or
> > build a multi-port router (raspberry pi???) with:
> >
> > 1. wireless N
> > 2. unique zones and policies that separate the wifi (wlan) from the
> > local network (lan) and firewall both from the internet.
> > 3. QOS controls - This has become less of an issue as my DSL pipe is
> > 10/1, however I would like to add VOIP onto this network and
> > prioritize its traffic above all other.
> >
> >
> > I've started prototyping this idea using a raspberry PI running Shorewall,
> > but read discussion groups that mention that the USB hub can't handle the
> > multiple USB<->Ethernet ports and will start dropping packets. I'll know
> > more once I've got this set up and start pushing serious traffic through it.
> >
> > The one box that might serve this firewall function well is a utilite
> > <http://www.compulab.co.il/utilite-computer/web/utilite-overview> box that
> > has two GIGE ports connected right to the ARM processor.
> >
> > Can you make any further comments on the thinkpenguin solution
> > <https://www.thinkpenguin.com/gnu-linux/free-software-wireless-n-broadband-router-gnu-linux-tpe-nwifirouter2>
> > mentioned or other router boxes that with OpenWRT would meet the above
> > mentioned requirements.
> >
> > Thanks!!
> >
> > Peter
> > _______________________________________________
> > Linux mailing list
> > Linux [ at ] lists [ dot ] oclug [ dot ] on [ dot ] ca
> > http://oclug.on.ca/mailman/listinfo/linux
> >
>
>
> ------------------------------
>
> Message: 5
> Date: Mon, 5 Jan 2015 22:00:38 -0500
> From: Alex Pilon <alp [ at ] alexpilon [ dot ] ca>
> To: Peter Meyer <petermeyer69 [ at ] gmail [ dot ] com>
> Cc: linux [ at ] lists [ dot ] oclug [ dot ] on [ dot ] ca
> Subject: Re: [OCLUG-Tech] Opinions requested: LF Good low powered
>     multi-port gateway/wireless router
> Message-ID: <20150106030038 [ dot ] GB4444 [ at ] alexpilon [ dot ] ca>
> Content-Type: text/plain; charset="us-ascii"
>
> > > > On Sun, Jan 04, 2015 at 01:52:23PM -0500, Peter Meyer wrote:
> > > > Opinions please. I am looking to build/buy something that replaces my
> > > > existing router/gateway box.
> > >
> > On Mon Jan 05 2015 at 12:01:11 Alex Pilon <alp [ at ] alexpilon [ dot ] ca> wrote:
> > > Why not just stock Linux?
>
> On Mon, Jan 05, 2015 at 06:33:35PM +0000, Peter Meyer wrote:
> > Stock Linux would be my first choice, but I do want a system that has a
> > power budget of less than 10 Watts. (This is for home use).
>
> Pardon me, I meant software; not disputing the choice of hardware.
>
> > The Utilite (http://www.compulab.co.il/utilite-computer/web/utilite-overview)
> > would be my best bet in terms of power and has separate GMII ports.
>
> I've been looking for a solid-cased 2-4 port SBC, *without video*, or
> any extraneous components. Too bad the Utilite is just one more such
> board.
>
> > I can't foresee data ever exceeding 30Mb/s (the anticipated limitation
> > of DSL in my area).
>
> No intra-WLAN, or WLAN-LAN traffic? There was another post that
> complained about that too. Sure, 802.11 is half-duplex, so you're not
> losing any more throughput, but LAN-WLAN traffic will take more of a hit
> than it ought, being both over the same USB bus.
>
> > > Use tc (from iproute2) and a few iptables targets used to manage Linux
> > > QoS.
> >
> > The QOS is a nice to have. I've been spoiled by the simple interface
> > offered by Tomato. I don't know what it does with my QOS classes in the
> > background.
>
> LARTC was written a while back, and isn't too bad of an *introduction*
> still, as outdated and occasionally faulty as it is. There's also this:
>
> http://wiki.linuxwall.info/doku.php/en:ressources:dossiers:networking:traffic_control
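
An added example, not part of any message in this thread: the separation discussed above (wireless kept off the wired LAN, both firewalled from the internet) written for stock Linux with nftables. The interface names (eth0, eth1, wlan0), the table name `gw`, and the services allowed to reach the router itself (DNS and DHCP from both networks, SSH from the LAN only) are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed roles: WAN = uplink to the
# modem, LAN = wired hosts, WLAN = wireless/guest clients.

# Accept only plain interface names (kernel limit: 15 characters) so that
# nothing else can be pasted into the generated ruleset.
valid_if() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# Print an nftables ruleset: default drop, LAN and WLAN may reach the
# internet, WLAN may never reach LAN, nothing unsolicited enters from WAN.
gen_ruleset() {
    wan=$1 lan=$2 wlan=$3
    for i in "$wan" "$lan" "$wlan"; do
        valid_if "$i" || { echo "bad interface name: $i" >&2; return 1; }
    done
    cat <<EOF
flush ruleset
table inet gw {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iifname "lo" accept
    iifname { "$lan", "$wlan" } udp dport { 53, 67 } accept
    iifname { "$lan", "$wlan" } tcp dport 53 accept
    iifname "$lan" tcp dport 22 accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    iifname "$wlan" oifname "$lan" drop
    iifname { "$lan", "$wlan" } oifname "$wan" accept
  }
}
table ip nat {
  chain postrouting {
    type nat hook postrouting priority 100; policy accept;
    oifname "$wan" masquerade
  }
}
EOF
}

# Usage, as root (note that "flush ruleset" replaces any existing rules):
#   sysctl -w net.ipv4.ip_forward=1
#   gen_ruleset eth0 eth1 wlan0 | nft -c -f -    # syntax check only
#   gen_ruleset eth0 eth1 wlan0 | nft -f -       # load
```

The explicit wlan-to-lan drop is redundant with the drop policy, but it states the intent and stays in effect if a broader accept rule is later appended below it.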