Date: Mon, 3 Mar 2008 20:39:22 -0500 (EST)
From: Bob Keyes <bob@sinister.com>
To: Aaron Siegel <aj@siegel-tech.net>
Cc: freebsd-embedded@freebsd.org
Subject: Re: Building my first gateway firewall with wireless support
Message-ID: <Pine.LNX.4.58L0.0803032023430.28241@dark.sinister.com>
In-Reply-To: <200803031807.53588.aj@siegel-tech.net>
References: <200803031807.53588.aj@siegel-tech.net>
On Mon, 3 Mar 2008, Aaron Siegel wrote:

> Hello
>
> My almost ten year old PC that has been running 24/7 as a firewall gateway is
> about to die. (Of course it is running FreeBSD.) I would like to build an
> embedded gateway, DNS server, with DDNS client, wireless access point,
> IPSEC, and firewall.
>
> I would appreciate some guidance, some helpful links, or maybe you could share
> some of your experiences. I am a hobbyist, not a developer. I do not expect
> this to be easy.

You may want to consider some QoS as well.

> My dream access point would have two interfaces, one protected by an IPSEC VPN
> and an unsecured one (just a cheap Linksys device connected to the LAN). The
> big question is how much processor power will I need to support one to ten
> clients?

It depends on how much you want to look into the packets in order to do things
like QoS, firewalling, etc. Once you start sharing out your bandwidth to unknown
parties, you have to be much more concerned with people who would hog all the
bandwidth for P2P sessions.

One other thing I've found is that if you use wifi, connections can get a bit
flaky. High bandwidth connections will drop packets, and the delivery queue
waiting for a retransmit can get very, very large. Various 802.11
implementations can't handle this. Well, actually, I haven't found one that
handles it completely satisfactorily.

I'd separate out your wifi from your core router / firewall, just so any crashes
due to wifi flakiness won't take out your wired network. I imagine I am going to
get some responses to the effect of "FreeBSD is rock solid!" Well, it may be.
But you're dealing with proprietary "blobs" for drivers, or hacks made by
reverse engineering them. There's no way you can be 100% sure. So go get a
WRT54G or similar and put OpenWRT on it (so far there's no good BSD solution for
such embedded devices, as far as I know), and have it offload as much as
possible to something running FreeBSD: something with a good amount of RAM,
that you know is reliable, etc., and something that doesn't use a huge amount of
power.

I have a system using an AMD K6-2 at 500 MHz with 256 MB of RAM that works
pretty well. Priorities should be reliability, noise, RAM, speed, power
consumption. Yes, if you are using something in your house, that Pentium 4
running all the time may generate too much noise and suck down too much power.

> The LAN will support a couple of desktops, and maybe a toy server
> (backup mail server).
>
> I am looking at Soekris 48xx and, if needed, the VPN board. As of now I would
> like to stick with the x86 platform. Any other suggestions?

I believe that Soekris stuff is coming to end-of-life. You may want to check out
alternatives. PC Engines made something called WRAP, and there's a replacement
board for it that's supposed to be pretty good. I used Soekris boards quite a
bit and have mixed feelings about them. Don't stress them too hard, and don't
try to do PoE.

-Bob
i miss my shift key
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.LNX.4.58L0.0803032023430.28241>