On 04/03/15 15:10, James wrote:
> Hello,
>
> It's time to build a new router. Surely, I would just like to
> purchase hardware and run a minimized or embedded gentoo on it
> along with iptables and a few other packages. But, I got to reading
> and well it seems much has changed. Dansguardian is deprecated?
> If I add protection above layer 3, what is the best route (pun intended)
> to protect some winblows systems? And I need the ability to dynamically
> block some gaming sites (kids playing too many hours of video).....
>
> Then I read about NFtables....... [1]
> And there is more. So, being a bit busy what would folks recommend
> for purchase (I really do not need another project at this time)?
> I've used routers with ebtables in the past too.
>
>
> I'd like to be able to download some open source linux to the router
> hardware if updates and patches are not maintained by the vendor?
> That way I do not purchase something that is to be abandoned in
> a few years by the vendor.
>
> It's just a small home/office so 3x100Mb E would be fine, but GigE
> ports would be better. I'm flexible on the CPU/arch of the hardware,
> so all discussion and suggestions are welcome. In an idealized world
> I'd pay extra for a gentoo_derivative based router; but all I find
> is the WRT, devil_linux and such, nothing really cool and interesting.
>
> Anyone used lilblue or pentoo as the basis for a firewalled_router?
>
> A purchase is what I really want, but some hacking, if absolutely
> necessary, would be ok too. Ideas?
>
> curiously,
> James
>
> [1] http://netfilter.org/projects/nftables/
>
>

howdy
to get you started i'd really look at something dd-wrt. there are a lot
of features in there that are quite amazing.
for a lot of features like site blocking etc you might even consider a
sonicwall - at around €300 you can get something that will do what you
want including the site blocking.
however, i believe gentoo is the way forward for internet facing devices
because you can fully control every aspect of it and i am regularly
deploying gentoo routers.
you can go for something arm based, but i tend to favour jetway mini-atx
motherboards - they have daughter cards that clip into the main board
and are screwed down.
the main board will give you 2x gigabit nic, and the daughtercard will
give you an additional 3.
all in, 4GB memory, extra nics and a small disk, case and power you can
get for ~€400
it's intel atom and reasonably quick - you can compile on it for example
and not have to wait a week for even small packages

nftables is going to be a beasty, but the netfilter crowd have already
released an iptables to nftables munger. i can see their point of
changing things - evolution just got too clunky

really consider going the gentoo-hardened route especially if you are
having ports open on the internet facing side

regarding software to install:

0. fail2ban for any internet facing ports
1. squid + squidGuard + downloaded lists + username/password allows you
to filter a great deal. really with kids though you want to consider
having whitelist access only. i.e. you put in duolingo, wikipedia etc, it's
a pain to begin but then after you have all the requirements you know
they aren't accessing anything else. also consider distributing
wpad.dat for autoconfiguration of devices.
2. consider putting in freeradiusd as you can then go WPA2 enterprise -
sounds like overkill but lets you do great things like limit kids _wifi_
access to an hour a day
3. munin + vnstat + sarg/awstats + other fun for graphing
4. you can even then use the device as a NAS and put snaps on there, let
the kids have readonly access to stuff and adults can make changes
5. can then start looking at vpn like services

for other things you might like to look at synology apps for DSM - they
have a NAS that is essentially a linux server with drop in apps --
mariadb, drupal all kinds of fun stuff and all (relatively) easy to do
in gentoo
happy hacking!
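A worked squid.conf fragment for the whitelist-only setup described in item 1 of the reply above, added here as an example and not taken from the thread; the kids' subnet, the proxy port and the whitelist file path are assumed values.

```conf
# squid.conf fragment: whitelist-only web access for the kids' devices.
# Assumed values (not from the thread): kids' devices are in 192.168.10.0/24,
# the rest of the LAN is in 192.168.0.0/16, squid listens on 3128, and the
# allowed domains live one per line in /etc/squid/kids_whitelist.txt
# (a leading dot, e.g. ".wikipedia.org", also matches every subdomain).
http_port 3128

acl localnet      src 192.168.0.0/16
acl kids          src 192.168.10.0/24
acl kids_whitelist dstdomain "/etc/squid/kids_whitelist.txt"
acl SSL_ports     port 443
acl Safe_ports    port 80 443
acl CONNECT       method CONNECT

# Squid stops at the first http_access line that matches, so order matters.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Kids: allow only whitelisted destinations, then deny everything else
# from that subnet. Without the explicit deny they would fall through to
# the localnet allow below.
http_access allow kids kids_whitelist
http_access deny kids

# Everyone else on the LAN is unrestricted here; squidGuard lists can be
# layered on for them via url_rewrite_program.
http_access allow localnet
http_access deny all
```

The whitelist only holds if the kids' subnet cannot reach the internet without the proxy, so the router's iptables rules must also drop outbound 80/443 from 192.168.10.0/24 that does not go via squid; wpad.dat then just saves configuring each device by hand.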