# Thought Experiment in Software Routers



## hat (Jan 10, 2016)

My mind got to wondering about these again...

1. Security - How much safer can I be with a router like this compared to a standard consumer unit? I'm not worried about hackers, terrorists, or the NSA, just typical everyday threats. I understand it's possible to install antivirus software on such a router, I imagine that could come in handy...

2. Speed - How much faster can it be? I don't have ultra fast internet, and I have no problems hitting the speeds I am paying for, but could I possibly have less latency, faster web page load times etc with such a router?

3. Features - What else can I do? Possibly run a media server? RAID NAS? Any other interesting features?


----------



## FireFox (Jan 10, 2016)

hat said:


> 1. Security -


You're as paranoid as me ( in a good way) about security.


----------



## hat (Jan 10, 2016)

Well, not really (I don't know how 'paranoid' you are, but it's not that big of a concern to me). I'm mostly interested in running an AV on the router, that way it crushes anything before it even gets to the PC behind it, without using system resources on the PCs and annoying people with silly prompts and whatnot.


----------



## Ferrum Master (Jan 10, 2016)

You are trying to do what I did in 2004... a PC slapped with network cards?

Use slackware... there are guides over the net... pretty much nothing is changed. Starting with IP routes and kicking DHCP to run.

Yes you can do pretty much anything... web server, file server, torrent, traffic filtering... the only downside... it eats a lot of power.


----------



## Mussels (Jan 10, 2016)

hat said:


> My mind got to wondering about these again...
> 
> 1. Security - How much safer can I be with a router like this compared to a standard consumer unit? I'm not worried about hackers, terrorists, or the NSA, just typical everyday threats. I understand it's possible to install antivirus software on such a router, I imagine that could come in handy...
> 
> ...




1. Can be safer, can be worse. Comes down to the group/company that makes the software, really. Most secure would be both, I guess?

2. Without, say, 100Mb+ internet or someone running torrents on 30 million peers at once, it won't really be faster.

3. Depending on the OS, choices are limitless. You could run game servers, a transcoding media server, print server, FTP file server, torrent clients, etc. etc. Then again, high end consumer routers can do almost all of those too.


----------



## silentbogo (Jan 10, 2016)

1) It all depends on your skills and imagination. There are many features you can implement/deploy which a regular consumer router won't allow due to resource limitation and lack of flexibility (if you are using stock firmware).
2) For a very small network (5-10 clients) it's not going to make any difference in terms of network latency and overall performance.
The only reason you should consider this for a small home network is if you want to deploy NAS, Intranet, DLNA or some other network sharing feature, given that your router cannot do any of it.
3) Anything.

If antivirus is not critical, you may actually benefit more from a decent router + DD-WRT.

Another thing to think about is wireless connectivity. Running a wireless AP off a regular wifi card is two steps short of stupid - trust me, I've been there on several occasions.
This means that you'll either need a wireless AP, or your retired router to share internet over the air with all of your smartphones, tablets, laptops etc... Too many complications followed by reduced performance will make you wish you'd never started this project.


----------



## Ferrum Master (Jan 10, 2016)

Mussels said:


> 3. depending on the OS, choices are limitless. You could run game servers, a transcoding media server, print server, FTP file server, torrent clients, etc etc. Then again, high end consumer routers can do almost all of those too.



I do that mostly for file servers. Price wise you have to spend a lot to be capable of sharing files at 128MB/s to multiple clients running from RAID 5... you can make an el cheapo AMD machine as they provide good SATA performance also. Whatever most cheap AMD FM2+ APU works fine too, and you have some sort of backup. For Intel you will have to pay a premium to get RAID 5. To get comparable numbers from a NAS, especially rebuilding the array, you have to spend a lot.



silentbogo said:


> Another thing to think about is wireless connectivity. Running a wireless AP off a regular wifi card is two steps short of stupid - trust me, I've been there on several occasions
> This means that you'll either need a wireless AP, or your retired router to share internet over the air with all of your smartphones, tablets, laptops etc... Too many complications followed by reduced performance will make you wish you'd never started this project.



Tried it once... wanted to burn down Realtek and Intel together because of their crappy half-arsed Linux driver performance. I wonder if something has changed. Last time I checked my X79 Intel GbE LAN is still bugged. If I download a Steam game, it just stops in the middle, a known bug; at first I thought it was a distro bug... but nada, everyone had it. The Windows driver is patched not to do so... Linux... well, who cares. I took a $2 Broadcom PCIe crap card, and it worked... and Intel didn't... lolz


----------



## hat (Jan 10, 2016)

I already have an RT-N66R (same thing as the RT-N66U, just sold at Best Buy). Not sure what DD-WRT could do for me that the stock firmware can't...


----------



## silentbogo (Jan 10, 2016)

Another option to consider, if you decide to go this way, is Celeron J1900-based solution. Most of those boards retail for ~$60-$70, include SATA-II and USB 3.0 support, have much smaller TDP (10W max) and are passively cooled. 

http://www.newegg.com/Product/Product.aspx?Item=N82E16813138416

... or go AMD side and use this:
http://www.newegg.com/Product/Product.aspx?Item=N82E16813138412

25W max power, 2xSATA 6Gb/s ports, USB 3.0, etc. etc.


$90 will get you a nice dual NIC board with a quad-core J1900 and 4xUSB 3.0 ports:
http://www.newegg.com/Product/Product.aspx?Item=9SIA24G3RH4544


----------



## silentbogo (Jan 10, 2016)

hat said:


> I already have an RT-N66R (same thing as the RT-N66U, just sold at Best Buy). Not sure what DD-WRT could do for me that the stock firmware can't...


I have RT-N66U and so far had no need for DD-WRT. You can try Merlin, but most of the merlin features were already included in official ASUS firmware.


----------



## Ferrum Master (Jan 10, 2016)

silentbogo said:


> 2xSATA 6Gb/s ports



That's the only downside... the power numbers are superb!


----------



## Aquinus (Jan 10, 2016)

hat said:


> 1. Security - How much safer can I be with a router like this compared to a standard consumer unit? I'm not worried about hackers, terrorists, or the NSA, just typical everyday threats. I understand it's possible to install antivirus software on such a router, I imagine that could come in handy...


A Linux gateway server should just be locked up tight from a firewall perspective, otherwise something like AV is completely unnecessary for such a machine.


hat said:


> 2. Speed - How much faster can it be? I don't have ultra fast internet, and I have no problems hitting the speeds I am paying for, but could I possibly have less latency, faster web page load times etc with such a router?


For your internet, you'll only be wanting >100Mbit if your internet is that fast, or if you're copying files over your network from a NAS or such; however, that's only if you want good performance. I tolerate 300Mbit wireless for such tasks (in reality 150Mbit each direction).


hat said:


> 3. Features - What else can I do? Possibly run a media server? RAID NAS? Any other interesting features?


Whatever you want it to do.
My gateway server is additionally a NAS, DLNA server and VM host on top of regular gateway server services (bind (DNS), DHCP, and iptables (firewall)).
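The "locked up tight from a firewall perspective" gateway that Aquinus describes, written out as an added example (this is not a ruleset from anyone in the thread). It emits an iptables-restore file for review before loading, with default DROP on INPUT and FORWARD, replies and related traffic allowed, the gateway's own DNS/DHCP/SSH reachable only from the LAN side, LAN-to-WAN forwarding with masquerade, and an anti-spoofing drop for LAN-sourced packets arriving on WAN. The interface names, LAN prefix and log prefix are assumptions; change them to match the box.

```shell
#!/bin/sh
# Added example, not code from the thread: minimal locked-down ruleset for a
# Linux gateway, in iptables-restore format. Assumed layout: $wan faces the
# ISP, $lan faces the switch/AP, $lan_net is the LAN prefix.
# Policy: INPUT and FORWARD default DROP; OUTPUT ACCEPT (the gateway itself
# may talk out); WAN receives nothing it did not ask for.

gen_gateway_rules() {
    wan="$1"      # e.g. eth0
    lan="$2"      # e.g. eth1
    lan_net="$3"  # e.g. 192.168.1.0/24
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback, plus replies to connections the gateway started
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Gateway services, reachable only via the LAN interface from the LAN prefix
-A INPUT -i $lan -s $lan_net -p udp --dport 53 -j ACCEPT
-A INPUT -i $lan -s $lan_net -p tcp --dport 53 -j ACCEPT
# DHCP DISCOVER arrives from 0.0.0.0, so no source-prefix match here
-A INPUT -i $lan -p udp --sport 68 --dport 67 -j ACCEPT
-A INPUT -i $lan -s $lan_net -p tcp --dport 22 -j ACCEPT
-A INPUT -i $lan -p icmp -j ACCEPT
# Rate-limited log of whatever is about to hit the INPUT DROP policy
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "GW-INPUT-DROP: "
# Anti-spoofing: a LAN source address must never show up on the WAN side
-A FORWARD -i $wan -s $lan_net -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -o $wan -s $lan_net -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $wan -s $lan_net -j MASQUERADE
COMMIT
EOF
}

# Run as: sh gateway-rules.sh eth0 eth1 192.168.1.0/24 > /etc/iptables/rules.v4
if [ "$#" -eq 3 ]; then
    gen_gateway_rules "$@"
fi
```

Load it with `iptables-restore < /etc/iptables/rules.v4` after enabling forwarding (`sysctl -w net.ipv4.ip_forward=1`), and note that nothing here touches IPv6: if the ISP hands out IPv6, an equivalent ip6tables set with default DROP on INPUT and FORWARD is needed, or every LAN host is directly reachable from the internet.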


----------



## Ferrum Master (Jan 10, 2016)

Aquinus said:


> AV is completely unnecessary for such a machine.



Only when having a public file server on it... then yes...


----------



## SnakeDoctor (Jan 10, 2016)

*PF Sense* - Awesome Firewall / Router
Many packages to install within the pfSense OS: monitor client bandwidth, VPN, proxy server, DHCP server, web cache server, intrusion protection, antivirus, ad blockers... list below
Very easy to set up and configure via web GUI
Does not require heavy hardware or even an HDD
Configure to your needs, Home or Business.

Best of all, it's open source

https://www.pfsense.org/

*Packages*
Packages can be installed with one click. Some are in beta stage.
Security

  arpwatch - Arpwatch monitors Ethernet to IP address pairings and logs changes to syslog.
  Ipguard-dev - Attempts to maintain IP:MAC pairs by force.
  nmap - A utility for network exploration or security auditing.
  OpenVPN Client Export Utility - Allows a pre-configured OpenVPN Windows Client or Mac OSX's Viscosity configuration bundle to be exported directly from pfSense.
  snort - An open source network intrusion prevention and detection system (IDS/IPS).
  SSHDCond - Defines SSH overrides for users,groups,hosts and addresses using Match in a convenient way.
  stunnel - An SSL encryption wrapper between remote client and local or remote servers.
  sudo - Allows delegation of privileges to users in the shell so commands can be run as other users, such as root.
  suricata - High Performance Network IDS, IPS and Security Monitoring engine by OISF.
  tinc - tinc is a Virtual Private Network (VPN) daemon that uses tunnelling and encryption to create a secure private mesh network between hosts on the Internet.

Network Management

  Apache with mod_security - ModSecurity is a web application firewall that can work either embedded or as a reverse proxy.
  Avahi - Avahi is a system which facilitates service discovery on a local network.
  HAVP antivirus - HTTP Antivirus Proxy with a ClamAV anti-virus scanner.
  LADVD - Send and decode link layer advertisements. Support for LLDP (Link Layer Discovery Protocol), CDP (Cisco Discovery Protocol), EDP (Extreme Discovery Protocol) and NDP (Nortel Discovery Protocol).
  Lightsquid - High performance web proxy report (LightSquid). Proxy realtime stat (SQStat). Requires squid HTTP proxy.
  mtr-nox11 - Enhanced traceroute replacement
  netio - Network benchmark tool.
  nut - Network UPS Tools
  Proxy Server with mod_security - Web application firewall that can work either embedded or as a reverse proxy.
  siproxd - Proxy for handling NAT of multiple SIP devices to a single public IP.
  squid - High performance web proxy cache.
  squidGuard - High performance web proxy URL filter.
  Zabbix-2 Agent - Monitoring agent.
  Zabbix-2 Proxy - Monitoring agent proxy.

Monitoring

  bandwidthd - Tracks usage of TCP/IP network subnets and builds html files with graphs to display utilization.
  darkstat - darkstat is a network statistics gatherer.
  iftop - Realtime interface monitor (console/shell only)
  pfflowd - Converts OpenBSD PF status messages (sent via the pfsync interface) to Cisco NetFlow datagrams.
  mailreport - Periodic e-mail reports containing command output, log file contents, and RRD graphs.
  ntopng - A network probe that shows network usage in a way similar to what top does for processes.
  softflowd - Softflowd is flow-based network traffic analyser capable of Cisco NetFlow data export.
  urlsnarf - HTTP URL Sniffer (console/shell only)
  vnstat2 - Vnstat is a console-based network traffic monitor. The vnstat PHP frontend and vnstati adds a more user friendly way of displaying traffic usage.

Services

  Apcupsd - Set of programs for controlling APC UPS.
  arping - Broadcasts a who-has ARP packet on the network and prints answers.
  AutoConfigBackup - Automatically backs up the pfSense configuration file. All contents are encrypted before being sent to the server. Requires Gold Subscription
  bacula-client - Bacula is a set of Open Source, computer programs that manage backup, recovery, and verification of computer data across a network of computers of different kinds.
  bind - The most widely used name server software
  Check_mk agent - The basic idea of check_mk is to fetch "all" information about a target host at once. For each host to be monitored check_mk is called by Nagios only once per time period.
  Cron - The cron utility is used to manage commands on a schedule.
  Dansguardian - An award winning Open Source web content filter.
  dns-server - pfSense version of TinyDNS which features failover host support
  freeradius2 - A free implementation of the RADIUS protocol.
  git - GIT Source Code Management (console/shell only)
  haproxy-devel - The Reliable, High Performance TCP/HTTP(S) Load Balancer.
  imspector - An Instant Messenger transparent proxy with logging capabilities. Currently it supports MSN, AIM, ICQ, Yahoo and IRC to different degrees.
  iperf - A tool for testing network throughput, loss, and jitter.
  mailscanner - An e-mail security and anti-spam package for e-mail gateway systems.
  NRPE v2 - An addon for Nagios that allows plugins to be executed on remote Linux/Unix hosts.
  Open-VM-Tools - VMware Tools (open source)
  PHPService - PHP run as a service it can do anything PHP can do including but not limited to monitoring files, CPU, RAM, and send alerts to the syslog.
  Postfix Forwarder - Postfix mail forwarder acts as a relay server for a domain.
  Service Watchdog - Monitors for stopped services and restarts them.
  Shellcmd - The shellcmd utility is used to manage commands on system startup.
  spamd - Graylisting SMTP connection forwarder.
  syslog-ng - Syslog-ng independent syslog server.
  TFTP - Trivial File Transport Protocol is a very simple file transfer protocol.
  Varnish3 - Varnish is a state-of-the-art, high-performance HTTP accelerator.
  vHosts - It is a web server package that can host HTML, Javascript, CSS, and PHP.
  widentd - RFC1413 auth/identd daemon with fixed fake reply

System

  Backup - Tool to Backup and Restore files and directories.
  blinkled - Allows system LEDs to be used for network activity on supported platforms (ALIX, WRAP, Soekris, etc)
  gwled - Allows system LEDs to be used for gateway status on supported platforms (ALIX, WRAP, Soekris, etc)
  RRD Summary - Gives a total amount of traffic passed In/Out during this and the previous month.
  System Patches - A package to apply and maintain custom system patches.

Routing

  olsrd - The olsr.org OLSR daemon is an implementation of the Optimized Link State Routing protocol.
  OpenBGPD - OpenBGPD is a FREE implementation of the Border Gateway Protocol, Version 4.
  Quagga OSPF - OSPF routing protocol using Quagga
  routed - RIP v1 and v2 daemon.

Misc

  File Manager - PHP File Manager
  Filer - Allows files to be created and overwritten from the GUI.
  LCDproc - LCD display driver
  Notes - Track things to note for this system.
  pfBlocker - Introduces Enhanced Aliastable Feature to pfsense.
  Sarg - Squid Analysis Report Generator.


----------



## Frick (Jan 10, 2016)

If you have a router like this, how necessary is it to have a dedicated firewall before it?


----------



## Kursah (Jan 10, 2016)

hat said:


> I already have an RT-N66R (same thing as the RT-N66U, just sold at Best Buy). Not sure what DD-WRT could do for me that the stock firmware can't...



Funny... My AC66R is for Refurbished. I assumed the N66R was the same.

I use my AC66R as an AP and upstairs 5-port switch. These routers have AP mode and I'm also using Merlin which provides extra settings and better stability.

You could always run a VM router too... I know quite a few folks that do this with failover prep being easier. Dedicate two NICs to the VMs and don't share with the host OS. PF Sense works amazingly well in the Hyper-V virtual environment and I'm sure it works well in VirtualBox, Xen, etc. I use one on my home server as an OpenVPN server and it works pretty damn well.

But to avoid complication it would be easier to host it directly on the system instead of virtually. If doing this...I'd go PF Sense or Debian or another flavor of Linux...as the OSes work great for server and server role platforms and need less resources than Windows Server.

PFSense + the plugins stated above would have you set. It'll be time to setup...but any of these projects will be. Pick your poison.

You could always try out a Ubiquiti EdgeRouter Lite, use your Asus as an AP, and fix up your system as a file server/VM setup. ERLs are pretty easy to config and have a lot of advanced CLI goodness once you're ready to take that step.


----------



## Solaris17 (Jan 10, 2016)

I use OPNsense, and while you can't put "anti virus" on it, anti virus only really works with files, not packets, so in this case firewall/IDS/IPS are all things it provides.


----------



## remixedcat (Jan 11, 2016)

Untangle can do a lot of what you need as well. They even sell low powered units as well


----------



## xvi (Jan 11, 2016)

remixedcat said:


> Untangle


+1 for worth considering/trying out
I ran a box with Untangle on it a while ago. Once I set up some QoS rules, it made my 768/128Kbps DSL line feel pretty snappy even though we had three people on it. Untangle also did some ad and malware filtering. Ran pretty nice on a little P4 box.


----------



## Kursah (Jan 11, 2016)

Another thing to consider is OpenDNS instead of your ISP's (or even Google's as many use) DNS. Set your router/gateway to use it, and set your DHCP server to give it out. You don't even need an account to take advantage of the anti-malware/adblock that they utilize. There's a free home account you can use, so you can filter how you'd like. It works extremely well.

https://www.opendns.com/

I do recommend using the free home account, it's pretty nice to have an extra filter that helps outside of your network. If not just use these: 208.67.222.222 · 208.67.220.220
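Kursah's advice is to point the gateway at OpenDNS and hand that out over DHCP. The part a practitioner also wants is enforcement: a client with a hard-coded resolver (8.8.8.8 in its adapter settings, say) bypasses the filter entirely unless the gateway intercepts port 53. The following is an added example, not configuration from anyone in the thread, for a Linux gateway running dnsmasq as both DHCP server and DNS forwarder. The interface name, gateway address and drop-in path are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: make the gateway the only resolver the
# LAN can reach, with OpenDNS as the only upstream. Assumed: dnsmasq serves
# DHCP and DNS on $lan, the gateway's LAN address is $gw_ip, and the drop-in
# directory /etc/dnsmasq.d/ is read by dnsmasq (conf-dir in dnsmasq.conf).

OPENDNS1=208.67.222.222   # from the post above
OPENDNS2=208.67.220.220

# dnsmasq drop-in: forward only to OpenDNS, ignore /etc/resolv.conf, and
# advertise the gateway (not OpenDNS directly) as the DHCP-supplied resolver
# so every lookup passes through the box and shows up in its logs.
gen_dnsmasq_conf() {
    lan="$1"; gw_ip="$2"
    cat <<EOF
# /etc/dnsmasq.d/opendns.conf (assumed path)
interface=$lan
bind-interfaces
no-resolv
server=$OPENDNS1
server=$OPENDNS2
dhcp-option=option:dns-server,$gw_ip
log-queries
EOF
}

# Enforcement: any LAN-originated DNS packet not already addressed to the
# gateway is DNATed back to the gateway's own resolver. Emitted as plain
# iptables commands so they append to an existing nat table instead of
# replacing it (iptables-restore without -n would flush the table).
gen_dns_redirect_rules() {
    lan="$1"; gw_ip="$2"
    for proto in udp tcp; do
        echo "iptables -t nat -A PREROUTING -i $lan ! -d $gw_ip -p $proto --dport 53 -j DNAT --to-destination $gw_ip:53"
    done
}

# Run as: sh opendns-enforce.sh eth1 192.168.1.1
if [ "$#" -eq 2 ]; then
    gen_dnsmasq_conf "$@"
    echo
    gen_dns_redirect_rules "$@"
fi
```

Two caveats go with this. The redirect only catches classic port-53 DNS; a browser or OS doing DNS over HTTPS to a public resolver talks on port 443 and never sees it, so the filter covers what the DHCP-configured resolver is asked, not everything a host resolves. And the gateway's INPUT chain must accept port 53 from the LAN for the redirected queries to be answered rather than silently dropped.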


----------



## taz420nj (Jan 11, 2016)

Frick said:


> If you have a router like this, how necessary is it to have a dedicated firewall before it?



Completely unnecessary.  It becomes your firewall.  I have pfSense running on a Watchguard Firebox x550e.  Cost me $45 on ebay, plus maybe $15 for a processor and RAM upgrade.  Swapped the ATX power supply for a PicoPSU, and I have it running off a 12V battery backed power supply.  It draws less than 30 watts.  The only gotcha is that unless you buy one preinstalled with pfSense (MUCH more expensive) you'll have to do a 'blind' BIOS flash and the initial setup must be done through the serial console (requires an actual hardware serial port, USB-serial adapters have issues).  But once it's set up it's configured through the WebGUI.


----------



## Kursah (Jan 11, 2016)

taz420nj said:


> Completely unnecessary.  It becomes your firewall.  I have pfSense running on a Watchguard Firebox x550e.  Cost me $45 on ebay, plus maybe $15 for a processor and RAM upgrade.  Swapped the ATX power supply for a PicoPSU, and I have it running off a 12V battery backed power supply.  It draws less than 30 watts.



I wanted to do one of those builds...never did get around to it. How long ago did you get that up and running?


----------



## taz420nj (Jan 11, 2016)

Kursah said:


> I wanted to do one of those builds...never did get around to it. How long ago did you get that up and running?



Almost 2 years ago and still running strong. Last time it was offline was when I put the PicoPSU into it over 4 months ago. I do eventually have to get off my ass and upgrade it to 2.2, but that means I have to pull it out of the rack and hook it up to the console again, because there's something that changes in FreeBSD 10 (a DMA setting) that causes it to hang when you upgrade it from the WebGUI.

My favorite feature is that it has an OpenVPN server built in. It was a lot easier to set up than the one in DD-WRT (once the server is set up, you can download its preconfigured files for Windows/Mac, iOS, and Android devices), plus there's a lot more CPU horsepower available to handle the crypto than there is in a consumer router, so it doesn't bog down local traffic when a VPN is connected.


----------

