Gentoo Archives: gentoo-user

From: thegeezer <thegeezer@×××××××××.net>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] new linux router
Date: Sat, 07 Mar 2015 09:40:08
Message-Id: 54FAC6ED.9070004@thegeezer.net
In Reply to: [gentoo-user] new linux router by James
On 04/03/15 15:10, James wrote:
> Hello,
>
> It's time to build a new router. Surely, I would just like to
> purchase hardware and run a minimized or embedded gentoo on it
> along with iptables and a few other packages. But, I got to reading
> and well it seems much has changed. Dansguardian is deprecated?
> If I add protection above layer 3, what is the best route (pun intended)
> to protect some winblows systems? And I need the ability to dynamically
> block some gaming sites (kids playing too many hours of video).....
>
> Then I read about NFtables....... [1]
> And there is more. So, being a bit busy what would folks recommend
> for purchase (I really do not need another project at this time)?
> I've used routers with ebtables in the past too.
>
>
> I'd like to be able to download some open source linux to the router
> hardware if updates and patches are not maintained by the vendor?
> That way I do not purchase something that is to be abandoned in
> a few years by the vendor.
>
> It's just a small home/office so 3x100Mb E would be fine, but GigE
> ports would be better. I'm flexible on the CPU/arch of the hardware,
> so all discussion and suggestions are welcome. In an idealized world
> I'd pay extra for a gentoo_derivative based router; but all I find
> is the WRT, devil_linux and such, nothing really cool and interesting.
>
> Anyone used lilblue or pentoo as the basis for a firewalled_router?
>
> A purchase is what I really want, but some hacking, if absolutely
> necessary, would be ok too. Ideas?
>
> curiously,
> James
>
> [1] http://netfilter.org/projects/nftables/
>

howdy
to get you started i'd really look at something dd-wrt. there are a lot
of features in there that are quite amazing.
for a lot of features like site blocking etc you might even consider a
sonicwall - at around €300 you can get something that will do what you
want including the site blocking.
however, i believe gentoo is the way forward for internet facing devices
because you can fully control every aspect of it and i am regularly
deploying gentoo routers.
you can go for something arm based, but i tend to favour jetway mini-atx
motherboards - they have daughter cards that clip into the main board
and are screwed down.
the main board will give you 2x gigabit nic, and the daughter card will
give you an additional 3.
all in, 4GB memory, extra nics and a small disk, case and power you can
get for ~€400
it's intel atom and reasonably quick - you can compile on it for example
and not have to wait a week for even small packages

nftables is going to be a beasty, but the netfilter crowd have already
released an iptables to nftables munger. i can see their point of
changing things - evolution just got too clunky

really consider going the gentoo-hardened route especially if you are
having ports open on the internet facing side

regarding software to install:

0. fail2ban for any internet facing ports
1. squid + squidGuard + downloaded lists + username/password allows you
to filter a great deal. really with kids though you want to consider
having whitelist access only. i.e. you put in duolingo, wikipedia etc, it's
a pain to begin but then after you have all the requirements you know
they aren't accessing anything else. also consider distributing
wpad.dat for autoconfiguration of devices.
2. consider putting in freeradiusd as you can then go WPA2 enterprise -
sounds like overkill but lets you do great things like limit kids _wifi_
access to an hour a day
3. munin + vnstat + sarg/awstats + other fun for graphing
4. you can even then use the device as a NAS and put snaps on there, let
the kids have read-only access to stuff and adults can make changes
5. can then start looking at vpn-like services

for other things you might like to look at synology apps for DSM - they
have a NAS that is essentially a linux server with drop in apps --
mariadb, drupal all kinds of fun stuff and all (relatively) easy to do
in gentoo
happy hacking!
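An added example, not part of the thread and not code from the Squid or squidGuard projects, of the wpad.dat autoconfiguration file mentioned in point 1 of the reply above: a proxy auto-config (PAC) file that sends every request for a non-LAN host to the whitelist proxy and deliberately has no DIRECT fallback. The proxy address 192.168.1.1:3128, the 192.168.1.0/24 LAN and the ".lan" internal suffix are assumptions chosen for the example; the subnet check is written out by hand instead of using the PAC built-in isInNet() so the file also runs as plain JavaScript outside a browser.

```javascript
// wpad.dat: PAC file for a LAN behind a Squid whitelist proxy.
// Everything that is not on the LAN goes to the proxy, with no
// DIRECT fallback, so a proxy outage cannot become a filter bypass.
//
// Assumed values (not from the thread): Squid on the router at
// 192.168.1.1:3128, LAN is 192.168.1.0/24, internal names end in ".lan".
var PROXY = "PROXY 192.168.1.1:3128";
var LAN_NET = "192.168.1.0";
var LAN_PREFIX = 24;
var LOCAL_SUFFIX = ".lan";

// Parse a dotted-quad IPv4 literal into a non-negative integer, or return
// null if the string is not an IPv4 literal (e.g. a hostname or an octet
// above 255).  Kept local so no DNS lookup happens inside the PAC.
function ipv4ToInt(s) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// True if ip (an IPv4 literal) lies inside net/prefix.  Uses division
// instead of bit shifts so 32-bit sign problems cannot creep in.
function inSubnet(ip, net, prefix) {
  var a = ipv4ToInt(ip), b = ipv4ToInt(net);
  if (a === null || b === null) return false;
  var block = Math.pow(2, 32 - prefix);
  return Math.floor(a / block) === Math.floor(b / block);
}

// Entry point the browser calls for every URL.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Plain hostnames (no dot) only resolve on the LAN: go direct.
  if (host.indexOf(".") === -1) return "DIRECT";
  // Internal names under the assumed .lan suffix: go direct.
  if (host.length > LOCAL_SUFFIX.length &&
      host.slice(-LOCAL_SUFFIX.length) === LOCAL_SUFFIX) return "DIRECT";
  // IP literals inside the LAN subnet (including the router): go direct.
  if (inSubnet(host, LAN_NET, LAN_PREFIX)) return "DIRECT";
  // Everything else, including other RFC 1918 ranges and every Internet
  // host, goes through Squid.  No "; DIRECT" appended on purpose: a
  // fail-open PAC lets clients skip the whitelist whenever Squid is down.
  return PROXY;
}
```

Serve the file as http://wpad.<your-domain>/wpad.dat with Content-Type application/x-ns-proxy-autoconfig (clients discover it through the wpad DNS name or DHCP option 252). The PAC is convenience, not enforcement: a machine that ignores it talks to the Internet directly, so the whitelist only holds if the router's firewall also drops outbound 80/443 (and other outbound ports) from the LAN unless the traffic comes from Squid itself.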