Any computer with a single network interface, maybe even an (old) laptop, can be used. Anything x86 from at least the last 10 years is energy efficient and fast enough to route at gigabit speed. If you don't care about energy usage, any x86-based computer from the last 20 years is fast enough.
The magic trick is to use VLANs, which require switches that support VLANs, which can be had for cheap. VLANS also allows you to create separate isolated networks for IoT or other 'less secure' or untrusted devices.
I’ve always made my own routers by using low-power devices running Linux (Debian) with IPtables and now NFtables.
No special router OS or software required.
Highly recommend.
P.S. that single network interface is very likely never a bottleneck because network interfaces are full-duplex. Only when your router is also your file server (not recommended), internet traffic and file server traffic could start to compete with each other.
What’s the cheapest (new) computer that can drive a 1Gb port with NAT? With a busy encrypted (wireguard?) connection?
[I don’t think qos has a lot of use in the domestic environment; sure, someone here does it but I think it’s much less mainstream than the features I already mentioned. ]
Such a device could drive my home. But in a couple of years I suspect I’ll want 2Gb or 10.
In the past I’ve tended to use a device until its crappy power supply failed. So I guess I’m hoping for a >5 year life span/upgrade capacity.
For all I know the answer to my question is one of those passively cooled four port n100 bricks from AliExpress. Anecdata happily accepted.
About any n100 will do. Question is in their reliability which mostly comes down to power regulation components quality. Not performance.
One of my installs runs on a repurposed old android phone. Which has about 100 times CPU capacity of the router I write this through, and that one being cheap tplink shit still terminates wireguard at link speed which is 100Mbps. You don't need fancy gear for routing. And you don't usually need gigabit uplink because speed is limited way upstream.
But if you want "the right gear and damn the price" go get a Microtik. They are very good.
That's how you can have multi-Gbps on a router with a 200MHz MIPS CPU. Or Tbps on a router with a quad-core Xeon.
VLAN hopping is only possible due to misconfiguration. I'd like to be proven otherwise if that's not the case. VLANs are used EVERYWHERE where it matters. And no, the single port is absolutely not a bottleneck because the port is full-duplex.
Both get 500Mbit.
Bottleneck.
If you're trying to push close to a gigabit up and down simultaneously that single port will become a bottleneck. I agree for most typical use cases it is not a concern.
Ideally the PI also should to what the extra DSL Modem does… but I guess that's where the dram must stop. :D
But you might want VLANs anyway, so it's an interesting thing to consider.
The "router on a stick" paradigm using VLANs to a share a single physical port is perfectly valid. You're creating a "now you have two problems" scenario in which you need a VLAN-capable switch and have VLAN configuration to make.
I typically like the ISP router on a dedicated router port to make monitoring the physical link and/or cycling the physical link easier.
Unless your ISP is >1Gbps adding a second port to most devices is as easy as adding a USB NIC.
I get by without it, but I can imagine some won't be able to.
I'd be willing to bet, though, that the overwhelming majority of people who use consumer routers aren't doing anything remotely advanced. A how-to that covers the majority of use cases is valuable even when it excludes advanced use cases.
Perhaps someone else will (or did) write up a how-to for support mesh networking in your homebrew router.
As an added bonus, you get atomic updates of all chains for free.
Granted, for simple usecases, ufw or firewalld may be simpler though.
When I am doing network management on my weekends, I’m so glad I’m not stuck in the Linux terminal learning about networking internals and can instead just go to a webui and configure my router.
I used a lower power Intel Atom mini PC with an additional NIC as a router for years. I tested it and found it could route around 300Mb/s which was plenty.
But then I got gigabit internet. So I bought an Intel 4 port GigE card from eBay and now run OPNSense as a VM. If you get the right Intel card you can pass through ports to VM individually, which is nice for playing (don't know the exact details but look for cards with virtualisation support, mine is an 82575GB I think).
To be fair, my setup still probably has too much to go wrong, due to the VM thing, but I just haven't got round to getting dedicated hardware, and it's worked fine for a couple of years now.
I was recently introduced to a Barracuda router, and bashed my head against the wall long enough to discover it had an ssh interface, and linux userland, and was able to solve my immediate problem by directly entering the commands to get it to [temporarily] do what I needed. (Of course, using the GUI to reapply settings wiped my manual configuration...)
I've used pfsense, OpenWRT, Barracuda, Verizon's OEM router (Actiontec) and they all represent the same functionality wildly differently.
Worth noting that pfSense (and OPNsense) are not Linux-based, they're based on BSD, specifically FreeBSD. While it's possible to have standard router OS web UIs that are cross platform, the underlying technology is different, so it's not really a surprise that there will be differences in how the devices running these OSes are configured.
At this point I rather doubt the sanity of people still sticking to iptables tbh.
So there is approximately one concept of "packet filter done right". UI madness is on UI authors.
Is there something like that?
Caveat: I have only used OpenWRT on a high end consumer router (GL.inet MT6000) out of those. That works well, anything else is based on reading about people using those options.
For all of those, once you set it up you don't really need to do much except install updates a couple of times per year, or if you want to forward a new port or such.
Also, if you have ever used docker or virtual machines with NAT routing (often the default), you've done exactly the same things.
If you have ever enabled the wifi hotspot on an android phone also, you've done pretty much what the article describes on your phone.
All of these use the same Linux kernel features under the hood. In fact there is a good chance this message traversed more than one Linux soft router to get to your screen.
Edit: And ofc best cheap device imo is OrangePI R1 LTS and a whatever usb wifi dongle. Came in clutch a few times, such a nice little device.
Would you have a picture of the ExpressCard laptop connector?
So if anything can be turned into a router will importing anything be banned as well?
The perfect machine back then was a 100MHz Pentium, in a slimline desktop case. At the time, the Pentium III was the current desktop chip, so you'd have a pile of early Pentium-class machines to use. And even a 10mb ISA network card (3Com if possible) would have plenty of power for the internet connections of the day. But 100mb PCI cards were still fairly cheap.
Install two NICs, load your favorite Linux distro, and then follow the IP-Masquerading HOWTO and you've got internet access for the whole apartment building, office, or LAN party.
Eventually I moved on to Linux Firewalls by Robert Ziegler for a base to build on.
After that I started piling other services on, like a spam filter, Squid cache, it was amazing to get so much use out of hardware that was going to just get thrown out.
if you could show all the wiring and label it (according to the table below) i think it would add a lot of value for someone less familiar with these kinds of setups (like me)
I recommend the free home version of Sophos for the least painful way to do it. Buy a Palo Alto with a full subscription if you are really serious.
What’s the simplest way to spin up a simple „cattle, not pet“ routing VM? I don’t want to mess with any state, I just want version controllable config files. Ideally, if applying a version fails, it would automatically roll back to the previous state.
OpenWRT seems like it fits my description most closely, but maybe someone here is a fan of something more flashy/modern.
Version control is in the GUI, you can adapt for your needs the number of changes you need. automatic config.xml backup also possible.
But I've never even tried to set up my own access point, I just pay Unifi for that [1]. The software part is doable but I don't want to learn to handle the signal issues.
[1] Switched to Unifi in anger after my first consumer level 5 Ghz wifi needed reboots weekly because it was overheating. Do yourself a favour and get the semi pro stuff, Unifi or others.
omani•1h ago