Building my first gateway firewall with wireless support

Bob Keyes bob at sinister.com
Tue Mar 4 02:08:12 UTC 2008



On Mon, 3 Mar 2008, Aaron Siegel wrote:

> Hello
>
> My almost ten-year-old PC that has been running 24/7 as a firewall gateway is
> about to die. (Of course it is running FreeBSD.) I would like to build an
> embedded gateway, DNS server with DDNS client, wireless access point,
> IPsec, and firewall.
>
> I would appreciate some guidance, some helpful links, or maybe share some of your
> experiences. I am a hobbyist, not a developer. I do not expect this to be easy.

You may want to consider some QoS as well.

> My dream access point would have two interfaces, one protected by an IPsec VPN and
> an unsecured one (just a cheap Linksys device connected to the LAN). The big
> question is how much processor power will I need to support one to ten clients?

It depends on how much you want to look into the packets in order to do
things like QoS, firewalling, etc. Once you start sharing out your
bandwidth to unknown parties, you have to be much more concerned with
people who would hog all the bandwidth for P2P sessions.

One other thing I've found is that if you use wifi, connections can get a
bit flaky. High-bandwidth connections will drop packets, and the
delivery queue waiting for a retransmit can get very, very large.
Various 802.11 implementations can't handle this. Well, actually, I
haven't found one that handles it completely satisfactorily. I'd separate
out your wifi from your core router / firewall, just so any crashes due to
wifi flakiness won't take out your wired network.

I imagine I am going to get some responses to the effect 'FreeBSD is rock
solid!'. Well, it may be. But you're dealing with proprietary 'blobs' for
drivers or hacks made by reverse engineering them. There's no way you
can be 100% sure. So go get a WRT54G or similar and put OpenWRT on it (so
far there's no good BSD solution for such embedded devices, as far as I
know), and have it offload as much as possible to something running
FreeBSD: something with a good amount of RAM, that you know is reliable,
etc., something that doesn't use a huge amount of power. I have a system
using an AMD K6-2 at 500 MHz with 256 MB of RAM that works pretty well.
Priorities should be reliability, noise, RAM, speed, power consumption.
Yes, if you are using something in your house, that Pentium 4 running all the
time may generate too much noise and suck down too much power.

> The LAN will support a couple of desktops, and maybe a toy server
> (backup mail server).
>
> I am looking at Soekris 48xx and, if needed, the VPN board. As of now I'd
> like to stick with the x86 platform. Any other suggestions?

I believe that Soekris stuff is coming to end-of-life. You may want to
check out alternatives. PC Engines made something called WRAP, and there's
a replacement board for it that's supposed to be pretty good. I used
Soekris boards quite a bit and have mixed feelings about them. Don't
stress them too hard, and don't try to do PoE.

-Bob

i miss my shift key
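As an added example, not part of this thread: a pf.conf skeleton for the FreeBSD box Bob describes, with the wifi segment (behind a separate OpenWRT access point) kept off the wired LAN and given a bounded share of the uplink so one bandwidth hog on wireless cannot starve the wired network. Interface names, subnets, and the 1500Kb uplink rate are assumptions; ALTQ needs a kernel built with options ALTQ and ALTQ_CBQ.

```pf
# Added example, not from the thread. Interface names, subnets and the
# uplink rate are assumptions; adjust them for the real hardware.
ext_if   = "sis0"            # uplink to the ISP
lan_if   = "sis1"            # wired LAN
wifi_if  = "sis2"            # link to the separate OpenWRT access point
lan_net  = "192.168.1.0/24"
wifi_net = "192.168.2.0/24"

set skip on lo0
scrub in all

# Share the uplink: wifi gets at most 30% unless the LAN queue is idle,
# so a single P2P session on wireless cannot starve the wired clients.
altq on $ext_if cbq bandwidth 1500Kb queue { q_lan, q_wifi }
queue q_lan  bandwidth 70% cbq(default borrow)
queue q_wifi bandwidth 30% cbq

nat on $ext_if from { $lan_net, $wifi_net } to any -> ($ext_if)

# Default deny; everything below is an explicit exception.
block log all

# Wired LAN: unrestricted outbound, accounted in the LAN queue.
pass in on $lan_if from $lan_net to any keep state queue q_lan

# Wifi segment: DHCP and DNS from the gateway, Internet access, but
# never the wired LAN. The queue chosen on the inbound rule is stored
# in the state and applied when the packet leaves on $ext_if, which is
# what makes this work even though NAT rewrites the source address.
pass in on $wifi_if inet proto udp from any port bootpc to any port bootps keep state
pass in on $wifi_if proto { tcp, udp } from $wifi_net to ($wifi_if) port domain keep state
pass in on $wifi_if from $wifi_net to ! $lan_net keep state queue q_wifi

# The gateway itself (DHCP offers, DNS replies, its own updates) may talk out.
pass out all keep state
```

Check the result with `pfctl -nf /etc/pf.conf` before loading it, and `pfctl -vsq` to confirm the two queues are being fed.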


More information about the freebsd-embedded mailing list