If you insist on building your own router, you can get helluva router using a raspberry pi.
There’s no need for x86 computers and whatnot, if you’re not afraid to get your hands a bit dirty, and enjoy some bash.
Basically all your router does is allow a gateway (iptables, and allow ip4 forwarding, check iptables).
Have a DHCP service, check something like isc-dhcp.
WiFi: just set up a hostapd session, it is well easy.
Unless you’re using it for something very commercial, I’d go with the low power solution, since having an x86 running 24/7 is expensive power-wise, compared to let’s say a Raspberry Pi (any ARM system really).
Basically ask yourself the question: do you need more than a gateway to the interwebz? If yes, go for a router distro, else grab the $35 hardware, and spend 3 hours doing googling and setup.
A router is something which is on preferably 24/7-365, and it doesn’t require 100’s of watts of power.
In fact my Raspberry Pi barely reaches 40% utilization on full network load, meaning it’ll be like bringing a mortar to a rifle duel with something like those heavy fully loaded distros for x86.
None of the software actually needed to make a router requires a supercomputer.
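The iptables-plus-forwarding gateway described in the post above, written out as an added example (not the poster's own configuration): a function that prints a default-deny NAT ruleset in `iptables-restore` format, and a check that a saved ruleset does not leave the filter table's INPUT or FORWARD policy at ACCEPT. The interface names `eth0` (WAN) and `eth1` (LAN) and both function names are assumptions.

```shell
#!/bin/sh
# Added example: print an iptables-restore ruleset for a two-port NAT gateway.
# Interface names are assumptions (eth0 = WAN/ISP side, eth1 = LAN side).

gen_ruleset() {  # usage: gen_ruleset WAN_IF LAN_IF
    wan=$1 lan=$2
    # Refuse anything that is not a plain interface name.
    for ifc in "$wan" "$lan"; do
        case $ifc in ''|*[!A-Za-z0-9_.-]*) echo "bad interface: $ifc" >&2; return 1;; esac
    done
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Rewrite LAN source addresses to the WAN address on the way out.
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
*filter
# Default-deny: anything not matched below is dropped.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# LAN hosts may talk to the router itself (DHCP, DNS, SSH).
-A INPUT -i $lan -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Only LAN-initiated connections may cross to the WAN.
-A FORWARD -i $lan -o $wan -j ACCEPT
COMMIT
EOF
}

# Audit an iptables-save dump on stdin: succeed only if the filter table's
# INPUT and FORWARD chains do not default to ACCEPT.
policy_is_default_deny() {
    awk '/^\*/ { tbl = $1 }
         tbl == "*filter" && /^:(INPUT|FORWARD) ACCEPT/ { bad = 1 }
         END { exit bad + 0 }'
}
```

On the router itself, as root, `sysctl -w net.ipv4.ip_forward=1` turns on forwarding and `gen_ruleset eth0 eth1 | iptables-restore` loads the rules. `iptables-save | policy_is_default_deny` then checks the live policy.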
If you insist on building your own router, you can get helluva router using a raspberry pi.
I build my home router with this ITX MB.
It is true RPI will have much less power consumption, it will use much less space and it would be good for a router…
But as my starting point I have set pfsense and I want to try out as much as it can offer … Maybe I will change that along the way, and use some other distro, I don’t know…
But at first I would like to explore it, reconfigure it, most certainly break it, fix it…
When I find the best configuration that fits me I can find more optimized hardware, maybe I will deploy that on RPI or something similar, and use it as router…
But for testing and playing around something like J1800/A4-5000 will be great, it doesn’t use that much power…
One more thing RPI has only one 100Mbit ethernet so I would probably need to use some USB network interfaces?
And would it be possible to have Gigabit LAN connections between workstations over switch if router supports only 100Mbit?
A pi can do a lot of things. Personally I would not run it as a router. Not even for home use. It surely doesn’t have to get as overkill as my build but fiddling with USB-power, additional USB NICs (at least one) and being restricted to stuff that exists for ARM… Nah, would not recommend that.
These little PC-engines machines are pretty nice, a kit with a drive and a case and you are good to go. Also AM1 stuff is still an option, does everything you need (even AES-NI) and is also pretty cheap.
This is what I am running. Like I said, I know it is overkill.
- Intel Xeon E3 1220L v3 CPU (2c/4t, 13W TDP)
- Asus P9D-M M-ATX mainboard
- 6GB (3x2) of DDR3 1066 ECC memory
- Corsair Force GT 60GB SATA SSD
- Draytek VigorNIC132 PCIe DSL modem/router
- Intel Pro 1000 PT dual port gigabit NIC
- Seasonic SS-350 ES PSU with Noctua NF-A8 ULN mod
- Noctua NH-L9i low profile CPU cooler
- 2x Noctua NF-A6 60mm PWM fans
- Inter-Tech 2U 2098-SK rack case
- 5.25" hot-swap bay for one 3.5" drive
- Icy Dock EZConvert Pro 3.5" cage for one 2.5" drive
RPi isn’t powerful enough to route a connection over 400Mb or so without hardware offloading. Also it only has a single ethernet port, which is only 100 megabit. So you’d need to use two USB3 ethernet adapters. You’d end up with something worse than a $60 linksys. Truly, a terrible solution all around.
I don’t think so. The arguments go something like this:
- There are additional interfaces between a guest and a host besides the network interface, so there is a larger attack surface between your server and router than there would be if they were separate physical machines. However, this problem is not specific to a pfSense VM. You have to live with this reality anyway if you want to make any services in your VMs Internet-accessible.
- If you are not using PCIe passthrough to attach a NIC to your router VM, then you are exposing part of the host’s network stack (a bridge) to “the Internet” (your ISP’s equipment). I don’t think this is much of a risk.
If you get a managed (or “smart”) switch (with configurable VLANs), you can set up the RPi as a “router on a stick” with just the one Ethernet port.
Yes, you would only be limited to 100Mb/s for traffic which goes through the router.
If you like the idea of a small, low-powered ARM router, I should point out that Netgate offers an official model for pfSense. It has dual gigabit Ethernet.
It’s even worse than that. The RPi doesn’t have any USB 3.0 ports, and all of its USB 2.0 ports and the 100 Mb Ethernet port are all connected through the same hub.
You could get a used WRT54G from eBay shipped to you for less than the cost of an RPi, install an open source firmware on it, and it would be faster.
wrt54G wouldn’t be faster, ffs, it doesn’t even have enough ram to store a cut down modern kernel; stop buying/selling these, just recycle them.
As a reference point: N3150/J3160 does 350Mbps full duplex (700Mbps) with OpenVPN (the CPU has AES-NI).
It can probably do more with IPsec (hazy recollection of 800Mbps full duplex?)
Probably the cheapest overall setup is to go with some kind of B350/B450? and ryzen 3/5 … one with gpu built in, put internet on a separate nic… put everything in one box.
Downside is, if you misconfigure stuff, you’re sitting butt naked on the internet.
You could get a hap ac^2 for your raw internet access. It uses QCA4018, for $70 you even get some wifi you can use.
Yeah, ok, I have to retract that claim after looking up some reviews. I had somehow forgotten that there were ever devices which could not handle Fast Ethernet at line rate.
Oddly enough, DD-WRT released a firmware for it as recently as September 2017, so perhaps some people are still using them.
I just replaced one at my mom’s house. It is still fully functional and I plan to use it as a visitor’s access point at my place now. So it only gets a simple password and its own network on my router to provide basic internet. And my proper wifi can be locked down to known devices and give me access to everything.
Wow, not even USB3. Yeah, it’s even worse than I thought!
RPi makes a great Kodi box, and is fine for specific uses like Pi-Hole. Routing, not so much.
It is a very nice machine
Yes I would like to have that option,
and this one,
basically what I had in mind is to have switch-AP (maybe all in one), and one more AP for guests the same as noenken described…
and here are two ideas that I have to configure them:
- directly to PFSense box, WAN, LAN (for switch and AP combo) and opt1 for guest AP
- or by using PFSense box, WAN, LAN for switch and VLANs to configure my APs from the switch …
with this kind of setup I’d like to restrict visitor on my network (I will have my home-server there), and I’d like to isolate my server from the internet with few more layers, maybe I allow some specific services or none at all …
I’m not sure that anyone answered this, would it be overhead to have DoS, IDS, SPI, one more firewall on switch/AP with those set in PFSense router as well ???
I would stick with separate switches and APs. It will be easier to find devices which support all the features you want, and to do drop-in replacements later.
Option 2) relaxes your hardware requirements a bit, since you will only need two Ethernet ports on the box. Otherwise these options are essentially equivalent.
- Do you mean QoS? That would be fine.
- pfSense’s firewall is stateful (SPI) by default.
- IDS is in a different league than the other two. It’s a much heavier service both in terms of CPU and memory and also it tends to require you to disable offloading features of your NIC in order to work correctly. It’s also only useful if you regularly review the logs, and tends to get a ton of false positives. That being said, it shouldn’t be a problem for an x86 box and a home Internet connection.
- I wouldn’t bother with two firewalls. It doesn’t add any security and it creates a headache of having to configure all of your rules in two places.
Most decent access points will let you configure multiple SSIDs so you can use a single AP for multiple wireless networks.
This is true, however if you don’t run it inline (which you shouldn’t anyway) then the performance doesn’t affect the network speed. It isn’t worth spending money on this as you will not see a meaningful difference on your network.
At no point does the OP say it is for a 400Mb connection.
Yes, of course if you’re running 20Gbit dual fiber connections, a Raspberry Pi ain’t going to cut it.
And like I wrote, for everyday usage the RPi is beyond capable of serving internet for a full household, but if you wanna wire up Trump towers with gigabit connections, you may wanna aim higher.
Pretty much everybody has AC wifi and gigabit ethernet, both of which are over the 400Mb (wifi) and 100Mb (ethernet) the RPi can handle.
So I’ve bought few used things for the router:
- Dell Optiplex 790 SFF case with 240W PSU 80+Gold, it is in decent condition, I like the size and design of that case (one fan, dvd, all mounting mechanisms and cables were included) and I will mod it a little bit to fit everything but that will be fun … On the bookshelf it won’t be even noticeable… And it can be reused for a mini-ITX build if I decide to use anything else for the router…
- MB/APU combo looks like this one, only it has AMD A4-5000, APU has TDP of 15w, [email protected] and AES
- HP NC360T dual Gigabit Intel based PCIe x4 low-profile card
All in total was like ~$70 shipped in good working condition… I’ll probably reuse some DDR3 ram that I have and get some cheap SSD/HDD
When I get the time to build it and clean it properly, I will post some pictures… For now this will be the hardware for the router…
I meant denial of service (DoS, DDoS) attack prevention, some routers have those built in …
Kind of on a tangent, but how do you like those case fans? I was looking into upgrading my NAS’s fans to those.
The board is controlling them and they are basically inaudible, like the whole system.
If I find a way to switch standard fans, they become noctua’d. Even on PSUs.
I don’t have much time atm, so just a small update, in order to fit the motherboard into the case I needed to modify the case I/O shield…
before the cut:
after cut and some paint:
I tried to reuse old sticker from the case, but I’m annoyed about green part around the blue audio in…
It fits nicely into the case now:
I’ve tested it a bit with ubuntu, live from the usb, it is working ok…
this MB has two pcie slots which is cool, quad core @1.5GHz, AES support…
orientation of the ram sticks will be good for the airflow, that’s cool…
Next I’ll need to extend the psu 24pin connector and rewire power button, 80mm pwm fan, these have proprietary dell connectors… I won’t do rewiring of the front panel I/O because I’m probably not going to use it anyway…
I’ll try to take some better pictures, at least when it’s finished …