Covecube Inc.
  • 0
Christopher (Drashna)

High End "Custom" Routers

Question

For those that are not as familiar with this topic or ... why you'd want to do this, let me quickly sum it up:

Control, speed, reliability. And Control.

I've been running pfSense for a while as a custom router, instead of a normal consumer router such as a Linksys, Asus or Belkin. I've been happy because it gives me more options and more control over the network.

But between some performance issues with pfSense, and then it not booting back up... I've had to replace my router. I have a Linksys WRT610N v2.... but it's been less than stable. Wireless dies on it, and if I even try to enable QoS (Quality of Service, aka Traffic Shaping) or WMM (wireless QoS basically), it crashes my router. Hard. Every 10 minutes or so.

So I did some looking and shopping. I found a very nice little box that has an Atom CPU, is low powered, and supports 2 NICs. And I got a license from Sophos for Home/Free use. Installed it and set it up. Absolutely love it.

http://www.newegg.com/Product/Product.aspx?Item=N82E16856205007

This is the box I got. It doesn't come with RAM or drive, but I had both.

And it idles at around 5-10% CPU usage.

If you're inclined to build your own router, then I highly recommend Sophos. It's a bit "draconian", but it has a great firewall built in. It also uses Squid, I believe, to filter the traffic (and block things if needed), as well as to virus scan content as you browse. Much like Untangle or pfSense. But it's all free, and requires a little more than a couple of clicks to set up.

For anyone interested, I've been writing about it here:

https://drashna.net/blog/2014/02/adventures-with-sophos/

Recommended Posts

  • 0

Drashna, this is perfect timing for me.... I've been wanting to put in a custom router for several years, and am now at the point where I'm ready to do it. My Netgear routers have the same problem as your Linksys; they can't handle much beyond standard settings. I also have kids getting to the age where they will be on the internet, and I need this thing locked down, besides the great routing features that are gained.

I've been all over the forums reading about the different solutions. So far I've been skeptical of pfSense for the reasons you mentioned, mostly because, from what I can see, it is not bad software, but it's more of a true geek's solution if you have time to play, which I don't.... So far I have been undecided between Untangle and Sophos. I like the simplicity of UT, but am drawn more towards Sophos. I've played with it a few times on an old PC. I will read your blog posts about this. This is great timing for me; also thanks for the link to the mini system, since low power draw is a big item for me.

You had pfSense running on a FireBox right? How do you like the new mini box by now?

  • 0

Well, glad that I could help out then!

And yes, I was running on a Firebox (X Peak e-Series). And as for the new box, yeah, I definitely saw a definite improvement in speed, whereas with pfSense I didn't really. And the box apparently idles at about 15W (according to Newegg reviews). So I'm very happy with the new box. Also, it has a VGA port, which makes installation and maintenance on it much easier.

But it runs at less than 20% CPU, and at about 1.5GB of RAM used (out of 2). It's been great.

Untangle is a pretty good solution as well, but Sophos comes with the firewall, web filtering, and antivirus for 50 devices for free (for home use). IIRC, most of that is trial or rather expensive on Untangle.

  • 0

Yes, Sophos has more features than Untangle, more IPs, and especially more in the area of internet filtering and firewall, two of my main concerns with young children in the house.

Will you be detailing more about your thoughts on the Sophos build on your blog? I would like to hear more about some of the features, if they happen to be features that you are using, such as the internet filtering, and I am very interested in the VPN functionality. Also wondering about the built-in wireless access point management. Although I should know soon enough when I get mine running; that will be several weeks yet.

Would you mind giving a topology of your network, how the Sophos appliance fits in? I would like to see this to compare it to how I am planning mine, to make sure I get the best speed possible.

Are you using a standard hard drive with this? Is there any advantage that you would know of for using an SSD?

  • 0

Yes, I will be detailing more on my blog.

Specifically, I plan on covering how to configure the firewall (both on a per-service basis, and how to "make it super simple"), and then onto NAT (simple). And then the web filtering (this may take several parts, because there is a HECK OF A LOT to cover).

As for the VPN, I'll have to look into it because I don't actively use it. Specifically, I use Server 2012 (R2) Essentials, which has its own VPN (PPTP, SSTP, L2TP, and DirectAccess). But it should be simple enough.

As for topology, it's rather simple. Cable modem -> Sophos -> 16-port gigabit switch (ZyXEL?), and then most everything connects directly to that (patch board mounted to the wall, with cables from all over the house). Though a couple of locations also have gigabit switches (HTPC area). And I have a Linksys wireless router, flashed with DD-WRT, set to be just an AP. I can do a chart/graphic, but it's a rather simple setup for the most part.

And yes, I'm using a "spinner" for this. As for advantages of an SSD? Less power consumed. Would probably be better with caching files, but otherwise, I don't think it would make any performance boost here. It's a lightweight Linux OS.

  • 0

Thanks Drashna. I will keep an eye on this thread, and on your blog. I really appreciate that you are taking the time to document this; it is helping me decide to go with Sophos. I need to rebuild the drive config on my desktop computer (as discussed in the other thread about the feeder disk), then will turn my attention to building the Sophos unit with the items you linked to in the first post. Hopefully by then you will have had time to review some of these subjects and write about them!!

I have WHS 2011 so will need to use the VPN of the firewall.

My network topology is the same as yours actually, so should be fine there.

Thanks again

PS... really off topic. Will this forum be Tapatalk enabled??

  • 0

Well, I'm documenting it for myself, as well as anyone else. I've got a couple of guys very interested in it over at the Home Server Show forums as well.

And I've always enjoyed spreading my knowledge.

As for the Sophos box, feel free to use whatever you want. I just like that one because it's got two NICs already, and is very small and power efficient.

Also, I just added a section about using the firewall on Sophos to allow services through it (it's rather long).

As for the VPN, well, you have WHS 2011; you could install the Routing and Remote Access role on the server, and set up VPN on that (it supports PPTP, SSTP (preferred), L2TP, and IPSec, IIRC).

As for Tapatalk.... I'll inquire of Alex. Shouldn't be an issue.

  • 0

As for the VPN, well, you have WHS 2011; you could install the Routing and Remote Access role on the server, and set up VPN on that (it supports PPTP, SSTP (preferred), L2TP, and IPSec, IIRC).

As for Tapatalk.... I'll inquire of Alex. Shouldn't be an issue.

Instructions somewhere for enabling the Routing and Remote Access role on WHS 2011? This might fix part of my problem; I can't access the remote web login, tried everything I can find.

Thanks for checking on the Tapatalk; it is much easier for me to use in the house when I have time for the forum.

I left a msg. on your blog, what happened to the donate button? Was going to tip you something for all your help.

I'm getting off topic here, maybe should continue this convo elsewhere?

  • 0

http://www.mswhs.com/2012/03/setup-a-vpn-for-whs-2011/

As for the remote web login, have you tried "https://servername/remote/"? If that works fine locally, then the issue is with local DNS lookup.
Personally, I use "proxy.org" to make sure everything is working properly, as it looks from outside the network.

As for the donate button, oops, I forgot to add that back as I was diagnosing an HTTPS issue. Fixed.

As for Tapatalk, in the meanwhile, it should have a mobile skin that works better on mobile devices. But I've let Alex know, and I'll let him install it at his discretion.

As for "off-topic", well, this is the section for off topic. :)

  • 0

Ah, didn't see the mobile theme for the forum, much better.

Thanks for the link for the VPN setup. I will check it out.

Sent you a little something for your blog via PayPal.

Other than that, I should be good for now. I have some PC maintenance and upgrading to do that will keep me busy for a while.

Later....

  • 0

Odd. Normally, it should auto-detect the mobile device and use the mobile skin. Since it's a tablet, it may not be doing so. Odd though.

But we will still pursue Tapatalk, as it is pretty much the de facto standard.

And you are very welcome. If you want/need more non-StableBit related help, the Home Server Show forums are a fantastic place (and I frequent there as well).

And thank you for the donation. I assure you, it goes to "feeding my tech habits". And bills. :)

And hopefully that upgrading and maintenance is painless for you. I know how it can turn out....

  • 0

I don't have a tablet; I do all my browsing on my phone, an HTC One.... so yes, Tapatalk integration would be nice. Upgrading the PC, ya well, it has to be done. It will be fine, just takes time...

So, back on topic finally..... Sophos

I'm more interested in the pretty cool VPN features of Sophos vs. the WHS VPN, and I do believe it would be more secure, with true SSL/SSH, which from what I can gather from the postings out there, is more hit and miss with WHS?

I have a friend who uses Untangle, and he thinks the VPN with Untangle is better than using his SBS 2011 server? I'm also thinking that the Sophos VPN will play better with non-MS devices, AKA Android??

What do you think?

Cool new HTML5 VPN with Sophos:

http://www.sophos.com/en-us/support/knowledgebase/117470.aspx

http://www.sophos.com/de-de/support/knowledgebase/2450/2500/3450/115157.aspx

  • 0

Tapatalk enabled. As for the HTC One, that's the phone I have and tested on. Should have automatically detected that it was mobile though.

As for VPN, PPTP is not completely secure, IIRC. But SSTP is. As is L2TP. Those are both methods supported by Server. But SSTP isn't supported by Android.

And it plays fine with Android. I've been using PPTP for a while, and I've never had any issues. But it does require that your server be on to connect. So being able to connect to your router is a better solution, as it will always be on.

As for the HTML5 VPN, I haven't had a chance to look into it yet. But I am aware of it.

  • 0

Sweet [emoji108] Thanks!

I agree with having the VPN in the router; can access anything on the LAN at any time as long as it's powered on. I'll keep an eye on your Sophos posts, this will be interesting.

Sent from my HTC One using Tapatalk

  • 0

Well, just to let you know, the "to do" list for Sophos is NAT, web filtering (which will make 2-3 posts, as there is a LOT there), Active Directory authentication, and then VPN.

I am really enjoying it. Though I'm having one issue with it.. but I suspect that is because the RAM I'm using may be damaged (reused, not new).

The issue is that when the web filter is on, it's occasionally dropping the WAN connection, which is pretty bad. But as I said, I reused RAM from a system that wasn't entirely stable... so now I know what the issue was.....

  • 0

Your to-do list is actually perfect, that's the order I will be implementing myself, minus AD because I don't use it.

Glad you figured out the problem with the bad RAM.

Sent from my HTC One using Tapatalk

  • 0

That would definitely work. I was using a P4 for pfSense, and it worked okay.

If you plan on using the web filtering and antivirus, then this may be on the low side for specs.

http://www.sophos.com/en-us/products/unified-threat-management/tech-specs.aspx?utm_source=Non-campaign&utm_medium=PDF-link&utm_campaign=PDF-DS-UTM

Sophos recommends a dual- or quad-core CPU, and 2GB of RAM. And I second that.

And that's why I went with the box I did. It's dual core w/ hyper threading (4 cores) and supports up to 8GB of RAM. Has 2 NICs, and is very low powered.

http://www.newegg.com/Product/Product.aspx?Item=N82E16856205007

  • 0

Ok, yes, I will definitely be using the web filtering and antivirus. It will be hard to find a used box with those specs for the price of the Newegg item, don't you think? I'll just have to get one of those.

I haven't seen these come through on special, have you? Did you pay full price?

Sent from my HTC One using Tapatalk

  • 0

You can definitely find similar for cheap. Or buy a larger box (microATX) and add a second (or third) network adapter.

There are downsides to that box though. You can't add any more cards to it, no room. Also, it's very finicky about the RAM, and only takes SO-DIMMs (laptop).

Aside from that, I'm loving it, and it idles at about 10% usage.

And yes, I paid full price. $129 for the box, and ~$50 for a WD Scorpio Black (laptop drive, 2.5", 7200 RPM). I had the RAM, but ... yeah, I'm pretty sure that is why the system was dropping connection periodically. Once I disabled the web filter (and the memory usage dropped to like 30%, instead of like 70%), the issues stopped. So it definitely looks like damaged RAM.

But look at it this way: that's about $200-250 for a high end consumer, or low end commercial, router, which you'd pay $200-300 for anyways. And may not get half of the features. It's a worthwhile investment.

  • 0

This is good information. The issue with the web filter concerns me........ I am going to wait a bit for you to fully test out the web filter, since that is the main reason for me to put together a Sophos box. I have been reading on the forums about the need for more RAM, and also there have been some issues with Atom processors when a lot of features are being used.

It seems that a lot of people report really good performance with a Core i3, although I don't know how much it would cost to put something together with that.

I will have a pretty heavy duty firewall and web filter in Sophos, with a very large blacklist/whitelist, so I need more research before I get that unit from Newegg. I need to know it will work well.

I see you've been chatting with someone over at the HSS forum; he is talking about lag times. Others have talked about extended ping times with the web filter enabled. So far I haven't found good answers for this. Some have suggested a setting that pulls the web filter database to the local machine instead of going out to the Sophos server with each request. Maybe you'll figure it out!

I'm really thinking of going with Untangle in the meantime because I have a friend who uses it full-time. Once I'm familiar with this type of setup, then I can migrate to the more powerful Sophos.

Unless you can convince me it will work [emoji56]. I have a high-latency rural DSL connection, so this issue with the web filter making it any slower is a big deal for me....

Keep me posted, I really appreciate it!

  • 0

Yeah, if you're using a lot of features.... then a Core i3 with 4-8GB of RAM would be a much better idea.

In fact, I just upgraded mine from 2GB to 4GB and it's definitely running better.

As for cost... check Newegg's Shell Shocker deals. Sometimes they have some nice systems for cheap. Spending ~$200 on a computer to use as a router/UTM, well, considering a lot of higher end consumer routers will cost you that much .... and you'll get a lot more out of it (well, except for Wi-Fi, maybe)...

I've added a couple of additional posts, but I'm just getting started on the web filtering stuff. There is a LOT there, and I don't want to skimp on details.

  • 0

Yup, that's why I want to wait until you and a few others have tested it out a bit more; then I will know more precisely what my needs for the box to run Sophos are, especially with a fully enabled web filter. So far I see people just turning it off to lighten the load on the router, and that's just what I don't want to do. I need the web filter working well. I'll stay tuned to your posts. Thanks

  • 0

Well, with that RAM upgrade (to 4GB), I'm no longer seeing the drop out I was before. Occasional lag, but that's very minor and only once in a while. I think if I had to redo the router, I'd go with a Haswell Pentium or low end Core i3.

But otherwise, it's been running strong for a week, with no real issues. And I'm very happy about that. Very.

Also, just FYI, you get 10+2 licenses of Sophos AV for your client computers, and can manage them on the router! :)

  • 0

What's a Haswell Pentium? Would I have to build something to get that? Last time I used a Pentium was a P4.

I'm pretty convinced about the need for a better-spec'd machine, because a friend of mine tried running Sophos on an older dual core computer, and it locked up when the web filter was enabled. Just couldn't handle it.

For the Sophos AV, can it be used on a client that's not always on the LAN, like a laptop? Or does it always have to be connected to the Sophos management?

  • 0

Haswell is the architecture codename. They're the newest CPUs from Intel.

http://www.newegg.com/Product/Product.aspx?Item=N82E16819116950

They're supposed to be a lot more power efficient than the previous series, without sacrificing CPU power.

And note that it has built-in Intel HD graphics? That means you don't need to add a video card either. It's on-die (on the CPU). Great for an "embedded" system like a router!

And yeah, the web filter can eat up a lot of resources. Especially if you're enabling HTTPS scanning as well. Though, I think the 9.2 beta fixes part of that.

As for the antivirus, I believe so, but I'd have to test that out. But I'm pretty sure it would work "remotely" as well. If not... Sophos has a bunch of VPN options ;)
