Ideally the PI also should to what the extra DSL Modem does… but I guess that's where the dram must stop. :D

I'd be willing to bet, though, that the overwhelming majority of people who use consumer routers aren't doing anything remotely advanced. A how-to that covers the majority of use cases is valuable even when it excludes advanced use cases.

VLAN hopping is only possible due to misconfiguration. I'd like to be proven otherwise if that's not the case. VLANs are used EVERYWHERE where it matters. And no, the single port is absolutely not a bottleneck because the port is full-duplex.

Both get 500Mbit.

Bottleneck.

My point isn't that there isn't anybody that could use information for how to support mesh networking in a homebrew router, it's that this article wasn't intending to address that segment of users.

Windows PCs had (have?) that Internet connection sharing feature for a long time. It was really just a checkbox to enable NAT too.

Sometimes I think combining a firewall/router/switch/AP/file server/etc into a device called a "router" really confuses people. Even people who should know better.

A year or two back, I was able to get a brand-new fanless Intel N150 with 4x2.5G ports with 16 GB memory for about $150 from AliExpress. I run Proxmox on it, with OpnSense and a couple other things in virtual machines. These days, due to tariffs and the memory shortage, that is more like $440 now, unfortunately. I am kicking myself for not buying two, not so much because of the price increase, but because it would have come in handy multiple times to have a second one on-hand for random experiments.

Given that CPU performance does _not_ tend to be critical for firewall/NAS use cases, if I had to replace it tomorrow, I would go onto eBay and get the highest-spec'd used Dell or HP mini workstation I could find for $120 and plug in a USB3 1gig ethernet dongle for the WAN side.

If you want maximum speed a Lenovo Thinkcentre m720q has a desktop Intel CPU and a PCIe slot. You can add a 2x SFP+ NIC and PCIe riser to get 10G.

I am not really sure about it. My ISP provided AP can do a gigabit over wifi.

I need to change it because the ISP hardcodes the dns for spying reasons.

But sadly to match that performance I need to spend like $180 to get an AP with that performance

- Soekris net4501 (x86, 486-class CPU) (discontinued)

- PCEngines alix2d3 (x86, AMD Geode LX800) (discontinued)

- PCEngines APU (x86, AMD T40E) (my current router/firewall) (discontinued)

I'm also currently using an APU2 as one of my wireless access points (with hostapd).

All of these have been solid machines that have given me zero problems.

The next system I plan to use is going to be a Banana Pi R4 (ARM Cortex A73), it's a solid choice for a simple router/firewall/DNS/DHCP box. It has a built-in 4-port gigabit switch where each interface can be used as normal Linux interfaces, as well as 2 SFP+ ports that are capable of supporting up to 10 gig ethernet.

It's also one of the few systems that offers true hardware offloading for connection tracking, so things like netfilter flowtables don't have to use any main CPU processing.

I'm currently experimenting with a Banana Pi R4 as a Wifi7 access point (running Debian with hostapd), however the current state of the wifi7 module for it (BPI-R4-NIC-BE14) and Linux driver (mt7996e) is still pretty young and a bit buggy (i.e., limiting transmit power to 6 dBm without patching the driver to override it, and there's apparently a lack of RF shielding which can contribute to low SNR on the receiving end). With the proper patches in place it makes a decent Wifi 6 access point. I'm hoping these issues get ironed out in the future and I can use it as a true Wifi7 AP. frank-w is doing outstanding work to help support the open source community with this new hardware.

That snowballed into “we want a website do you know how to do that?” and. Well, no, but it had Apache available and I … figured things out enough to take the skills elsewhere.

Repeated the same trick with a place in Wisconsin, who initially shared a 56k dialup connection with all their dispatchers and were impressed the thing had stayed up for 900 days without even redialing. 90% of their work was done in an on-prem wyse terminal anyway, dialup used to do the job for email or googling an address.

27, 28 years later I’m still dragged in front of them once in a while to ask how they can accomplish something cheaply with Linux, bubble gum, paper clips, or whatever . The times and technology have changed, but not how cheap they are!

I've always found fq_codel to be good enough for gaming through my router. But I have a 10gbps uplink.

I was doing the same. Router and firewall on old Pentium CPUs. I don't have these machines anymore but I still have HDDs from back then with post-it notes on them saying stuff like: "Linux firewall / HDD 120 GB". For whatever reason my HDDs adapter that can read just about everything doesn't have the correct pin out for those HDDs. Would be a blast if they were to still boot: at some point I'll just buy a compatible adapter and see what I can find on those HDDs. I was very likely also saving some backups there.

But really my best memory was years (I think) before 120 GB HDDs became an affordable thing, in the super early Slackware days, on a dial-up connection: I had a 486 desktop computer and I'd share the Internet connection to a very old laptop (!) using... PLIP. A printer cable and the Parallel Line Internet Protocol. Amazing hack: my brother and I could then both use Netscape at the same time and to us this felt like a glimpse into the future.

The old one is getting really old now, nearly 25 years ago [2].

[1] Book Review: Linux Routers - A Primer for Network Administrators, 2nd Ed:

https://www.linuxjournal.com/article/6314

These are networks of controlled devices. They're hard to eradicate, as shown by the fact that they haven't been eradicated: they're still active and being used to compromise systems, including defense and intelligence systems, power systems, financial systems, identity systems, etc.

Is banning foreign gear going to fix this? No. Security isn't a product. It is, however, a process, and in a process you take steps. I think this: we (individuals and institutions) enjoy tremendous liberty in the use of communications equipment in the US and most of the West. Taking that for granted is a mistake. If part of keeping this means the US has to spin up a domestic supply of network gear, or carefully modulate where such gear comes from, then lets do that. Otherwise, The Powers That Be will leverage its concerns into far worse steps.

Before Thunderbolt was common, people attempted to use external GPUs with this sort of expander, but it worked really poorly.

* WAN connection comes in by coax, into my cheapo cable modem (off screen), and then by Ethernet into the franken-NIC sitting on top of the laptop.

* The NIC on top is a normal PCIe card, but with the bracket missing. The ExpressCard riser [1] is connected by a mini-HDMI cable, the flat black cable, which curves up, around, and back in from the left side into the laptop

* Then, the blue cable on the side of the laptop is a VLAN trunk going into the Cisco switch on port 23/24, outside the picture.

* From there, another port on the switch is setup as an access/untagged port going into one of the LAN ports on the D-Link acting as the access switch

I don't think it was set up here, but at one point I also had a dock under the ThinkPad, with the serial adapter wired up to the switch's console port so I could manage everything by ssh'ing into the router.

[1] https://www.ebay.com/itm/115721630079

Also note that all the cables were hand-crimped because I was too cheap to buy new patch cables at the time.

I was in college, and truly had more time than money back then. it's the kind of doohickey made by only somebody very young, very crazy, or a bit of both. ;)

I kind of feel like that's cheating though; I've outsourced the hardest part of the project to someone else. Maybe one of these days I'll take an old NUC or something and buy a decent wifi antenna for it and try and do it properly.

[1] Initially pfsense, then OpnSense, then ClearOS, and now some custom firewall rules in NixOS.

E.g. is your pf-based load balancer running its rules before or after the global filtering rules? And if they're running first are they SNATing incoming traffic so the LAN rules allow the traffic through or does it need explicit exceptions for external IPs to traverse to a LAN endpoint?

If you're comfortable with more advanced networking then it's fine to run it all on one box. If you just want to open ports for internal LAN services then that is a very canned and well-supported feature for a gateway firewall.

E.g. see AirSnitch which resulted in large part from mixing too many complex networking rules in single devices.

Version control is in the GUI, you can adapt for your needs the number of changes you need. automatic config.xml backup also possible.

Ran openbsd for a few years like that, the base OS included everything needed. I recall it used 24MB of ram and closer to 30MB if ssh'd in. It was very handy to have a local login when playing with firewall rules.

If this were really about computer security they would follow California’s example of requiring unique passwords. Maybe make manufacturers liable for not patching known remote exploitable security vulnerabilities. It doesn’t matter if the source of a DDoS is a Huawei box or a Netgear box.

That should probably be the technical concern. Even if you have traffic protected by TLS, you still typically have enough metadata to cause some problems for users individually, but the assumption that foreign equipment is back-doored by some security service or other is probably safe.

- Access to data (dns/ips, domain names (if not using ESNI), amount of traffic, etc) of sites you are visiting

- Access to the inside of your network where it can attack machines that may not be secure

- DDoS

- The ability to shut down your internet

I'm sure there are more.

https://docs.docker.com/engine/network/#published-ports

After I upgraded to a 10GbE ethernet card in my previous router, my card didn't work correctly with FreeBSD-based stuff anymore. I changed to ClearOS and that was actually comparably easy to Pfsense...maybe even easier? I recommend checking that one out.

It seems like you weren't really asking, but I'll answer anyway.

It's bad security practice, and opens up your network to attack and/or compromise, you're massively increasing the attack surface, and a compromise of one of those components leaves the attacker sat on your edge router, at which point your entire network is fair game.

Generally speaking you shouldn't expose anything on your edge router / firewall, it's a safety barrier.

You can sit things behind it in a "DMZ" and port-forward and isolate them etc so that there's no packets terminating on the actual edge device itself.m, that lowers the risk of a full network level compromise.

Chances are you might be fine and never have a problem, but it's still recommended against.

Imagine everyone had their routers disabled simultaneously. I don't know if the cell networks could function with the surge in standard traffic that would happen, and then you've effectively plunged all or part of the country into a communication blackout.

I think "turn it off permanently by bricking it" is almost as bad as "leverage for DDoS".

I worked on Bot Mitigation at Amazon, and we once saw a ton of traffic that was heavily distributed amongst consumer devices world-wide, but surprisingly in the US too. We suspected compromised routers that were using the home page as a health check. There was a lot of investigation I did, and the short realization after talking with the network engineers is that the amount of traffic, and distribution of sources, would be impossible to stop. There merely isn't enough bandwidth in the world to stop so many residential device if it hits a specific target. To be clear, this was coming from less than half of active Amazon customers, not everyone in the US.

Anyway, it wasn't routers, but it was a consumer device, and it wasn't nefarious, it was incompetence (in code), as usual.

Then there's the roaming issue. This is largely what the commercial "mesh" systems try to solve: deciding / helping inform when clients should switch APs. There are many solutions and none of them are without issues, including the commercial ones. Here's a starting point: https://openwrt.org/docs/guide-user/network/wifi/roaming

There are steps in the middle :)

I'm running OpenWRT on the recent WRT3200ACM and it's going beautifully.

It depends on what kind of packet rate one is pushing through the device, what type of hardware is being used as the router and how sensitive ones applications are to such things but if you want a better scientific answer run as many load tests as you can that measure packet rates, lag and jitter then disable them and run your tests again. I should add this is just one tunable related to routing. If bored dig into this a lot deeper and one will find there are many things that can be adjusted at the NIC, in the OS network stack and so much more.

Some people like defaults because it is less cognitive load and some like to tweak things until they can't get better results. I believe that everyone should be able to choose their own path to satisfaction. If the defaults and fq_codel work for you then that is probably the right answer.

It just wouldn't die.

The suspicion was because the electricity going to it cleaner than average, in a datacenter, the normal wear and tear on electronics may have been reduced.

Respect was paid at it's decommissioning to convert it into a vm, knowing it's luck, chances are it would still boot up and keep on running.

This made me chuckle, I'm definitely going to quote this the next time our K8S cluster has issues

Beyond getting support for devices completely absent on freebsd, quality of drivers, bugs much more rapidly squashed, and general misc features absent on the bsd side like NBASE-T.

I don't believe physical separation really buys you much here. At most, if may reduce downtime if you do indeed get pwned, but I think that you can achieve the same objective through a combination of containers, VMs, and UNIX users. And running multiple, somewhat redundant machines also has obvious downsides such as increased power consumption, increased maintenance burden, additional space and cabling, etc.

IME cell networks definitely can't cope with a loss of all routers in an area, given how mobile data becomes basically unusable when there's a power outage. That said, "everyone had their routers disabled" is probably not realistic, given that there are plenty of non-chinese router vendors.

Though you'd still need a switch or two. And a fiber modem which already has a router and a switch built-it. Oops.

You can do a lot of routing on a $70 Mikrotik, although they might not be "easy".

Virtualization means you now have multiple layers of drivers and privileged code in the mix to add and amplify bugs, it can and should work but if you are doing this in the name of stability that is a bit curious.

The reason Netflix can do what they do is they have good relationship with their HW vendors, NVIDIA(Mellanox) and Chelsio. If they were on Linux, they'd need the same level of support.

I use Linux for my router now because my server is NixOS, so I was able to consolidate my router into my server and turn off a machine (and thus save a little power), and I have so thoroughly drunk the Kool-aid for NixOS that I kind of want to put it everywhere. I run the latest kernel and I update daily, so I think most bugfixes (and hopefully security updates) will manifest quick enough.

Everyone has a starting point, starting with soemone has lying around is one thing.. the quicker they can get going the more they can get to leveraging the real power in most devices.

I predict some day this will be one of many things that will get adjusted by the "tuned" daemon if they add a profile for routers.