Building a home firewall router is a right of passage for any geek. We all start out with a retail device from one of the major vendors like Linksys or Netgear but soon outgrow the limited capabilities.
For many geeks the next level is flashing their router with a custom firmware such as the popular DD-WRT. This unlocks the full potential of the router's hardware but still don't offer the features and flexibility of an enterprise class firewall.
Nobody wants to pay enterprise prices for a home firewall and thankfully there are many free alternatives. One option is to turn an old desktop PC into a firewall. All Linux or BSD distros include IPtables or PF which can be configured to route and filter your traffic but setup can be time consuming to setup and desktop PCs aren't energy efficient so here's my wishlist.
Requirements
- Rule based stateful packet filtering
- Multiple subnet support with filtering between networks
- Mobile VPN
- Dynamic DNS client
- Wake on LAN
- Traffic shaping for torrent... I mean VoIP
- Intrusion detection (snort)
- Radius
- 802.11n with WPA2
- 4x Gigabit Ethernet ports (LAN)
- 1x 100M Ethernet port (WAN)
- Energy efficient
Software
M0n0wall meets most requirements above. PFsense extends M0n0wall's features by adding openVPN, optional Snort IDS and FreeRadius. I've used both distros for quite some time and I can say that both are exceptional.
The only feature missing in PFsense are wireless 802.11n. Both M0n0wall and PFsense are BSD based and it doesn't look like 802.11n BSD drivers will be available anytime soon so I'm willing to let this requirement slip down to 802.11g then upgrade once drivers are developed.
Hardware
Hardware is a bit more tricky because there just doesn't seem to be many hardware platforms that meet my requirements. Router boards such as the ALIX or NET are energy efficient but they lack the gigabit Ethernet and may not be able to handle snort's CPU load. Then there's this Lex Neo box which sports 4x gigabit, two expansion slots mPCI and PCMCIA either of which could be used for wireless device, and a 1GHz C7 chip. That should be enough power for SOHO routing, traffic shaping, IDS and VPN. Other than the $550 barebone price tag it's ideal.
An ITX or miniITX PC would be cheaper but those consume significantly more power than a fanless, AC adapter-powered single board computer.
Future hardware
- Fanless - noise and power reduction
- Intel Atom or VIA Isaiah CPU
- 2 memory slots
Update 2008/8/28 - I just found two more boards that fit the bill. The first is the VIA NAB 7500 and the other is the VIA NAB 7410. Still looking for retail sellers of these boards. So far it looks as if they are only available for OEM bulk orders.
Post new comment