Tony0945 Watchman
Joined: 25 Jul 2006 Posts: 5127 Location: Illinois, USA
Posted: Sun Jan 26, 2020 11:27 am Post subject:
erm67 wrote: "There is nothing to route in his setup; he already has a bridging Comcast modem. All he needs is a firewall, maybe in a VM, like Neddy: he only has a switch + a VDSL modem configured for PPPoE relay and uses a VM on the home server as firewall. There is no physical 'SOHO all-in-one router'."
Who is "he" that you are referring to? If it is I, I have a Motorola SB6141. It has an RG-6 input connection and an Ethernet output connection. It modulates and demodulates. No firewall.
There is a firewall in the DIR-655 router. You can enable DMZ, block pings, block addresses in or out and such. They don't call it a firewall but it is.
I started this thread because on-line reviews are all about the built-in AP, not the true NAT function or features of the interface. When I looked at wired routers they were intended for business use. Lots of features like connecting multiple networks and such. Nice, but not worth the money to me. The Ubiquiti EdgeRouter looked nice, but I didn't really understand the features. All I want is firewall and NAT. I emerged shorewall on my file server and am studying how to set it up. iptables almost looks easier. If I go that (very tempting) route I have much to learn about the internet.
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54737 Location: 56N 3W
Posted: Sun Jan 26, 2020 12:04 pm Post subject:
Tony0945,
Shorewall looks worse than it is. I tested it with a collection of VMs.
My rules drop everything incoming and deny everything outgoing, then individual rules permit things.
The bit I struggled with is that the firewall itself is its own zone.
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
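The policy NeddySeagoon describes above (drop everything from the Internet, deny everything else, then permit individual services, with the firewall host as its own zone) laid out as concrete Shorewall files. This is an added example, not NeddySeagoon's or Tony0945's configuration. It assumes a Gentoo host with two NICs, the WAN interface getting its address by DHCP from the cable modem, a private LAN network behind the second NIC, and Shorewall 5.2 or later (where NAT is configured in the `snat` file; older releases use `masq` with the columns reversed). The script only writes the files into the directory given as its first argument so you can review them before copying to /etc/shorewall.

```sh
#!/bin/sh
# Added example (not NeddySeagoon's files): generate a two-interface
# Shorewall 5 configuration with the policy described above: DROP everything
# from the Internet, REJECT everything else by default (including traffic
# from the firewall host itself, which is its own zone, $FW), then permit
# individual services with rules.
# Assumptions: WAN = $2 (DHCP from the cable modem), LAN = $3 with the
# network in $4, Shorewall >= 5.2 (NAT lives in the 'snat' file).
# Usage: write_shorewall_config /tmp/shorewall-draft eth0 eth1 192.168.1.0/24
set -eu

write_shorewall_config() {
    dir=$1 wan=$2 lan=$3 lan_net=$4
    mkdir -p "$dir"

    # Three zones: Internet, LAN, and the firewall host itself.
    cat > "$dir/zones" <<EOF
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
EOF

    # Zone-to-interface mapping with anti-spoofing options on both sides.
    # 'dhcp' lets the WAN side get a lease and a LAN-side DHCP server work.
    cat > "$dir/interfaces" <<EOF
?FORMAT 2
#ZONE   INTERFACE   OPTIONS
net     $wan        dhcp,tcpflags,nosmurfs,routefilter,logmartians
loc     $lan        dhcp,tcpflags,nosmurfs,routefilter,logmartians
EOF

    # Default-deny in every direction; the first matching policy wins.
    cat > "$dir/policy" <<EOF
#SOURCE DEST    POLICY  LOGLEVEL
net     all     DROP    info
\$FW     all     REJECT  info
loc     all     REJECT  info
all     all     REJECT  info
EOF

    # Explicit permits. Macros such as SSH(ACCEPT) expand to proto/port
    # matches; the rsync line shows the raw form (tcp 873 for emerge --sync).
    cat > "$dir/rules" <<EOF
?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW
#ACTION         SOURCE  DEST    PROTO   DPORT
# services the firewall host offers to the LAN only
SSH(ACCEPT)     loc     \$FW
DNS(ACCEPT)     loc     \$FW
Ping(ACCEPT)    loc     \$FW
# what LAN clients may reach on the Internet
DNS(ACCEPT)     loc     net
HTTP(ACCEPT)    loc     net
HTTPS(ACCEPT)   loc     net
NTP(ACCEPT)     loc     net
# the host is its own zone: without these, emerge and ntp on it fail
DNS(ACCEPT)     \$FW     net
HTTP(ACCEPT)    \$FW     net
HTTPS(ACCEPT)   \$FW     net
NTP(ACCEPT)     \$FW     net
ACCEPT          \$FW     net     tcp     873
# drop (without logging) pings from the Internet
Ping(DROP)      net     \$FW
EOF

    # NAT: rewrite LAN source addresses to the WAN interface's address.
    cat > "$dir/snat" <<EOF
#ACTION         SOURCE          DEST
MASQUERADE      $lan_net        $wan
EOF
}
```

Two checks before this goes live: set `IP_FORWARDING=On` in shorewall.conf (otherwise the loc-to-net rules compile but nothing is forwarded), and run `shorewall check`, which compiles the configuration without touching the running ruleset, before `shorewall start`. The `$FW all REJECT` policy is what makes "the firewall is its own zone" bite: anything the host needs for itself (DNS, rsync, NTP) has to be permitted explicitly, which is also what keeps a compromised daemon on the host from talking out freely.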
erm67 l33t
Joined: 01 Nov 2005 Posts: 653 Location: EU
Posted: Mon Jan 27, 2020 1:13 pm Post subject:
Tony0945 wrote: "All I want is firewall and NAT. I emerged shorewall on my file server and am studying how to set it up. iptables almost looks easier. If I go that (very tempting) route I have much to learn about the internet."
If you want to learn how it works, the virtualized firewall/router is an excellent solution; you can also install OpenWrt in a VM. Ideally all you need are 2 eth ports on a home server, but you can also do with only one. There is no risk; it is probably safer than the obsolete software that comes with most routers. If your switch is managed, use a VLAN to isolate the WAN link.
OpenWrt is pre-configured as a router/firewall and has an excellent GUI. You know, learn by example; you can then do the same on your Gentoo.
A decent all-in-one with >256MB (better 512MB) RAM, multiple CPUs and decent AC2400 (standard) wireless probably costs at least $100-$150; cheaper routers are just good for a couple browsing the internet with their phones. Or for ISPs that force us to buy them.
_________________
Ok boomer
True ignorance is not the absence of knowledge, but the refusal to acquire it.
Ab esse ad posse valet, a posse ad esse non valet consequentia
My fediverse account: @erm67@erm67.dynu.net
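erm67's "only one NIC, use a VLAN to isolate the WAN link" suggestion above, as an added example in netifrc syntax (this is not erm67's configuration). The assumed layout: the home server has a single NIC, eth0; on the managed switch the modem's port is an untagged (access) member of VLAN 10 only, and the server's port is a trunk carrying VLAN 10 tagged plus the LAN VLAN untagged. The interface name wan0, the VLAN id 10 and the LAN address are all assumptions.

```sh
# /etc/conf.d/net (netifrc); an added example, not erm67's configuration.
# Assumed switch layout: modem port = untagged member of VLAN 10 only;
# server port = trunk with VLAN 10 tagged and the LAN VLAN untagged.
# No other port is a member of VLAN 10, so the raw WAN segment is only
# ever visible to the firewall, never to LAN hosts.

# LAN side: untagged frames on the physical NIC, static address
config_eth0="192.168.1.1/24"

# WAN side: 802.1Q tag 10 on the same NIC. Naming it wan0 keeps firewall
# rules readable (a Shorewall 'interfaces' file would map net -> wan0).
vlans_eth0="10"
vlan10_name="wan0"
config_wan0="dhcp"
```

If the firewall is a VM rather than the host, as in erm67's setup, give wan0 no address (`config_wan0="null"`) and attach it to a bridge that only the VM's WAN NIC joins (`bridge_brwan="wan0"`, `config_brwan="null"`), so the host itself never holds an address on the WAN segment. After bringing it up, confirm with `ip -d link show wan0` that the interface really carries tag 10: if the switch trunk port's untagged (PVID) VLAN is set to 10 by mistake, modem traffic arrives untagged on eth0 and the modem is silently on the LAN.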
mvaterlaus Apprentice
Joined: 01 Oct 2010 Posts: 237 Location: Switzerland
Posted: Tue Jan 28, 2020 3:48 pm Post subject:
Hi Tony0945,
I personally use a MikroTik [1] router and am very pleased with its features and performance. You can do all the things which are possible with a Linux kernel. The MikroTik RouterOS works for many archs, including ARM and x86. The OS is open source, you only buy the hardware. I personally have two RB2011UiAS-2HnD-IN [2] in use. For all the features the hardware and OS provide, the price is not too expensive.
[1] https://mikrotik.com/
[2] https://mikrotik.com/product/RB2011UiAS-2HnD-IN
[edit] Correction: amd64 is not listed: https://mikrotik.com/download [/edit]
_________________
For calming down your eyes or clearing your mind: www.patrickwehli.ch
erm67 l33t
Joined: 01 Nov 2005 Posts: 653 Location: EU
Posted: Tue Jan 28, 2020 7:43 pm Post subject:
Join one of the largest botnets in the world:
https://securityboulevard.com/2018/03/the-mikrotik-routeros-based-botnet/
_________________
Ok boomer
True ignorance is not the absence of knowledge, but the refusal to acquire it.
Ab esse ad posse valet, a posse ad esse non valet consequentia
My fediverse account: @erm67@erm67.dynu.net
mvaterlaus Apprentice
Joined: 01 Oct 2010 Posts: 237 Location: Switzerland
Posted: Thu Jan 30, 2020 10:13 am Post subject:
@erm67
Yes, if you do not follow the MikroTik security guide, you will have the Winbox port open and be a happy part of this botnet. As always, one who has followed the security guidelines of the vendor and turns off all other things which are not needed is not a member of this botnet.
_________________
For calming down your eyes or clearing your mind: www.patrickwehli.ch
pa4wdh l33t
Joined: 16 Dec 2005 Posts: 903
Posted: Thu Jan 30, 2020 10:23 am Post subject:
I'm also looking for router hardware and found the PC Engines APU4d4: https://pcengines.ch/apu4d4.htm
Does anyone have any experience with them?
The MikroTik hardware looks nice too; can they run Gentoo or are they tied to MikroTik's OS?
_________________
The gentoo way of bringing peace to the world:
USE="-war" emerge --newuse @world
My shared code repository: https://code.pa4wdh.nl.eu.org
Music, Free as in Freedom: https://www.jamendo.com
erm67 l33t
Joined: 01 Nov 2005 Posts: 653 Location: EU
Posted: Thu Jan 30, 2020 11:37 am Post subject:
Since the OP already has a wifi AP and a good eth switch, what about this as gateway/firewall:
http://wiki.friendlyarm.com/wiki/index.php/NanoPi_R2S
1G is too little for native Gentoo but good for cross-compiling.
_________________
Ok boomer
True ignorance is not the absence of knowledge, but the refusal to acquire it.
Ab esse ad posse valet, a posse ad esse non valet consequentia
My fediverse account: @erm67@erm67.dynu.net
mvaterlaus Apprentice
Joined: 01 Oct 2010 Posts: 237 Location: Switzerland
Posted: Mon Feb 03, 2020 10:39 am Post subject:
@pa4wdh
I don't know if the hardware is flashable with an OS other than their own RouterOS. I never tried that, since I'm satisfied with their RouterOS.
_________________
For calming down your eyes or clearing your mind: www.patrickwehli.ch
pa4wdh l33t
Joined: 16 Dec 2005 Posts: 903
Posted: Tue Feb 04, 2020 1:53 pm Post subject:
Thanks for the info.
Since I can't find any reports of regular distros running on MikroTik hardware, I assume it can't be done, which means it doesn't fit my use case.
_________________
The gentoo way of bringing peace to the world:
USE="-war" emerge --newuse @world
My shared code repository: https://code.pa4wdh.nl.eu.org
Music, Free as in Freedom: https://www.jamendo.com
dvNuLL n00b
Joined: 17 Apr 2002 Posts: 56 Location: Seattle
Posted: Mon Feb 10, 2020 6:27 am Post subject:
I recommend the Ubiquiti EdgeRouter (https://www.ui.com/edgemax/edgerouter-4/). They have a 3-port with PoE. Their UniFi switches are good, and you can run the management controller on a VM. The controller has an ebuild, though it's masked.
pa4wdh mentioned the PC Engines board; they run VyOS well (which is what is used by the EdgeRouter). You might be able to install Gentoo on it.
I like MikroTik/RouterOS as well, but some of the hardware, especially the low end, may not be reliable. Their RB2011 is a workhorse though.
Tony0945 Watchman
Joined: 25 Jul 2006 Posts: 5127 Location: Illinois, USA
Posted: Mon Feb 10, 2020 3:28 pm Post subject:
I've looked at the EdgeRouter and it looks promising. I did get lost in the documentation as most of the terminology is unfamiliar.
dvNuLL n00b
Joined: 17 Apr 2002 Posts: 56 Location: Seattle
Posted: Mon Feb 10, 2020 5:37 pm Post subject:
Since the EdgeRouters use a fork of VyOS (with their own GUI on top of it), you can reference the VyOS documentation available at https://docs.vyos.io/en/latest/. VyOS itself is the open source fork of Vyatta before it was bought by Brocade.
You can install and run VyOS on any x86/x86_64 hardware you want. I use the ISO in VMs (kvm/qemu) to test out network configs before deploying to production hardware.
The EdgeRouter GUI has wizards to get you set up and running. I recommend learning the CLI as it will make your life much easier. If you end up using or deploying their USG variant elsewhere (uses the UniFi controller), understanding the CLI will allow you to override settings and set up custom configurations for your specific use cases.
If you end up getting the MikroTik, their Winbox tool is good, but the CLI always gets things done faster.
If you have any questions on configuring VyOS or RouterOS, post here and I will try to help as much as I can.
pjp Administrator
Joined: 16 Apr 2002 Posts: 20581
Posted: Mon Feb 10, 2020 8:26 pm Post subject:
dvNuLL wrote: "Their UniFi switches are good, and you can run the management controller on a VM. The controller has an ebuild, though it's masked."
Can devices be managed without the management controller? I prefer local CLI as the default and anything extra as a "nice to have but not required" bonus.
_________________
Quis separabit? Quo animo?
dvNuLL n00b
Joined: 17 Apr 2002 Posts: 56 Location: Seattle
Posted: Mon Feb 10, 2020 8:58 pm Post subject:
Not for the UniFi series, but they do have the Edge series switches, which can be configured via CLI or web UI.
If you want to have a web way of managing all your devices, Ubiquiti has a UNMS controller (free download) which can manage Edge series devices.
Basically,
UniFi series hardware requires the controller.
Edge series does not, and can be configured via CLI or local web UI.
dvNuLL n00b
Joined: 17 Apr 2002 Posts: 56 Location: Seattle
Posted: Mon Feb 10, 2020 9:16 pm Post subject:
Also, did the both of us join these forums on the same date, or is it the date of a previous forum move?
pjp Administrator
Joined: 16 Apr 2002 Posts: 20581
Posted: Tue Feb 11, 2020 1:13 am Post subject:
Thanks. They seem to have unclear documentation on stuff like that, so I've not purchased anything from Ubiquiti yet.
I prefer CLI on the device. Anything else that makes it easier is nice, but I don't want to have to run a VM to configure something. I'm not a fan of web-only interfaces (another reason I've delayed making a purchase).
As far as I know, that's the day we both joined. I don't recall the exact date, but that month seems reasonable, and I don't recall any moves from around then (it wasn't until later that I became a moderator).
_________________
Quis separabit? Quo animo?
dvNuLL n00b
Joined: 17 Apr 2002 Posts: 56 Location: Seattle
Posted: Tue Feb 11, 2020 2:19 am Post subject:
The CLI tools work great. It is basically Vyatta/VyOS. So if you don't find something specific on the Ubiquiti documentation site or forums, you should be able to look up docs on the VyOS site, which are a bit more extensive. In the past I have played around with various routers/switches, and these devices supporting both CLI and web UI made me happy. I could do the simple stuff in the web UI and do the more complex configurations in the CLI. This helps when setting up IPsec, as the Ubiquiti UI names IKE/ESP groups as FOOX where X is a number. With one tunnel it's not a problem; with multiple, FOO0 and FOO1 make no sense.
When you make a change in the CLI and commit it, you get a notification on the web UI, and vice versa. This is a nice touch so that people don't commit on both and overwrite each other.
I have the EdgeRouter Lite (3-port) that I purchased back in 2014 and it's still running today. I run the Pro 8-port one in my rack at the data center.
pjp Administrator
Joined: 16 Apr 2002 Posts: 20581
Posted: Tue Feb 11, 2020 5:33 am Post subject:
I've considered one of the Edge routers. But that necessitates buying a separate switch and wireless device (I'm presuming an AP). And if I segment the wireless to be in a DMZ, it gets more complicated and requires more planning. Then there's the mounting/placement of the AP. Plus, those 3 devices seem to be more costly than I'd hoped. Which led me back to consumer-based all-in-one wifi/router/switches. And then I get tired of looking at the options.
_________________
Quis separabit? Quo animo?
dvNuLL n00b
Joined: 17 Apr 2002 Posts: 56 Location: Seattle
Posted: Tue Feb 11, 2020 6:17 am Post subject:
I work a lot more from home these days, so IPsec was something that was needed. The ER Lite was at the right price point and had all the features. I think in total, between the router, switch and AP, I paid around $350. I bought each of the components over the course of a year. The fact that I can access a log file to troubleshoot each item sealed the deal.
I did segment the network into an internal wireless and a guest wireless; all the devices support VLANs, and freeradius+samba ensures I have one set of credentials for the internal wifi. I have a VM running pi-hole which takes care of ad blocking.
pjp Administrator
Joined: 16 Apr 2002 Posts: 20581
Posted: Tue Feb 11, 2020 8:36 pm Post subject:
I had originally hoped to find a solution for not more than $200. I suppose I could find a switch and AP and add the router later.
_________________
Quis separabit? Quo animo?
erm67 l33t
Joined: 01 Nov 2005 Posts: 653 Location: EU
Posted: Wed Feb 12, 2020 3:02 pm Post subject:
pjp wrote: "I had originally hoped to find a solution for not more than $200. I suppose I could find a switch and AP and add the router later."
You probably already have an all-in-one, so you can just buy the other components one by one. I still use an old all-in-one I got from my ISP as AP. The modem is bridged and relays DHCP so the ARM firewall gets its own external IP. It is not ideal since it adds an unnecessary hop (between router/firewall/DHCP server and modem/gateway) and a bit of latency, but it works.
_________________
Ok boomer
True ignorance is not the absence of knowledge, but the refusal to acquire it.
Ab esse ad posse valet, a posse ad esse non valet consequentia
My fediverse account: @erm67@erm67.dynu.net
pjp Administrator
Joined: 16 Apr 2002 Posts: 20581
Posted: Wed Feb 12, 2020 5:21 pm Post subject:
erm67 wrote:
    pjp wrote: "I had originally hoped to find a solution for not more than $200. I suppose I could find a switch and AP and add the router later."
    "You probably already have an all-in-one, so you can just buy the other components one by one. I still use an old all-in-one I got from my ISP as AP. The modem is bridged and relays DHCP so the ARM firewall gets its own external IP. It is not ideal since it adds an unnecessary hop (between router/firewall/DHCP server and modem/gateway) and a bit of latency, but it works."
Correct. And it is overdue for replacement. But as I use both wireless and wired, I have to replace those two. The router isn't necessary.
I really have two all-in-one devices. One is from the ISP, and I treat it as a demarcation point. I prefer to not bother with the details of connecting to their network or otherwise use it except as an uplink. And now that I'm thinking about it, I really ought to put the guest wireless on that device.
_________________
Quis separabit? Quo animo?
dvNuLL n00b
Joined: 17 Apr 2002 Posts: 56 Location: Seattle
Posted: Wed Feb 12, 2020 6:34 pm Post subject:
There is an EdgeRouter X which is in the $60 range. So that's around $40-$50 cheaper than the 4-port. Same software and configuration options.
And a 10X, with 10 managed switch ports, so that should leave just an AP for you to purchase.
erm67 l33t
Joined: 01 Nov 2005 Posts: 653 Location: EU
Posted: Thu Feb 13, 2020 1:37 am Post subject:
pjp wrote: "I really have two all-in-one devices. One is from the ISP, and I treat it as a demarcation point. I prefer to not bother with the details of connecting to their network or otherwise use it except as an uplink. And now that I'm thinking about it, I really ought to put the guest wireless on that device."
An all-in-one might have some advantages; for example, if you buy a shiny new AC3000 (it's a standard) access point capable in theory of 3 Gbit/s, you should in theory aggregate 3 1 Gbit/s cables on the Ethernet switch or use a 10 Gbit/s link between the AP and the Ethernet switch ....
In practice it is unlikely that you will use all that Wi-Fi bandwidth ... and now there is also the new 2.5 Gbit/s standard for Ethernet that should soon replace the 1 Gbit/s devices.
_________________
Ok boomer
True ignorance is not the absence of knowledge, but the refusal to acquire it.
Ab esse ad posse valet, a posse ad esse non valet consequentia
My fediverse account: @erm67@erm67.dynu.net