Soho Router (NAT), IPCop or Smoothwall?


phr0ze
02-26-2007, 11:32 PM
I have always used a simple router at home which NATs everything and seemingly provides protection. Why use IPCop or Smoothwall? I'm currently running WRT54G with DD-WRT. What gains are there over my cheap router?

Not trying to be flame bait. Just trying to learn something so I can improve my network at home.

Riddlinkidstoner
02-26-2007, 11:34 PM
bump because i want to know also.

I'm using a WRT54GS w/ Tomato firmware. I'd like to see why I should slave my old P3 into a m0n0wall or smoothwall.

Cheetoz
02-27-2007, 12:07 AM
I want to know too.

I have endian, and it has like 1000 less features than dd-wrt.

Malk-a-mite
02-27-2007, 12:41 AM
The reason I have run linux/bsd based routers in the past is the ability to do things that the SOHO routers can't (add-ons) and because very few SOHO routers can handle large amounts of connections (torrents) without falling down.

ThreeDee
02-27-2007, 12:46 AM
I am not sure what all a WRT54G with DD-WRT can do .. but with Smoothwall, IPCop, and Endian you have features like

- DansGuardian content filtering
- URL filtering
- Spam filtering
- virus scanning with ClamAV
- QoS
- additional Orange and Blue interfaces provided you have a nic installed for it
- IPSec/VPN
- easy web gui interface
- Guardian Reactive Firewall (smoothwall only i think)
- you can run F@H on your Smoothwall/IPCop/Endian box! :p

I have used Smoothwall for years and there are countless mods for it to suit your needs/wants, and the forums are very active for quick help should you need it.

I played around with IPCop for a smidge and there seem to be quite a few mods for it too.

I am currently using Endian, and straight out of the box, it's the most complete package ...but there are no mods for it .. no updating it .. what you see is it... but it is a good complete package..

I don't know what kind of a load a WRT54G with DD-WRT can take .. but we run 100+ comps behind a smoothie box at work with no problems ..


brom42
02-27-2007, 02:15 AM
The reason I have run linux/bsd based routers in the past is the ability to do things that the SOHO routers can't (add-ons) and because very few SOHO routers can handle large amounts of connections (torrents) without falling down.

QFT.

I have NEVER found a Soho router that didn't lock up on me. I basically run my connection maxed out on torrents most of the time. I also host my email and a few websites on my own server. This means that my connection must stay up when I leave for vacation and such. Every Soho router I have owned, including the WRT54G, has not been up to that task.

Second, Copfilter. Until I can get trainable Bayesian spam filtering and virus scanning on a Soho box, I am sticking to IPCop. As I said, I run my own email so I have to do all of the spam and virus filtering on my end. Copfilter is the only thing I have used so far that has gotten me to zero spam messages. It also hasn't had a single false positive in nearly 2 years.

So to answer the OP's question. If you are an average internet user then there is no advantage to using a Linux firewall. However if you really beat on your internet connection, then there are many advantages for going with something like Endian.

YeOldeStonecat
02-27-2007, 05:20 AM
I've run a lot of them....still have a wrt54gv1 router running DD-WRT. Also usually have around a dozen various routers at any time, from home grade to RV082 to PIX501 to Sonicwall SOHO3, and a small form factor P4 rig that has a few hard drives with various *nix distros in it such as Endian, IPCop, PFSense, etc.

First...yeah DD-WRT is a good project to breathe a little more life into the old wrt54g series. It's good..yeah, but c'mon...those things aren't all that. It's still an old..OLD design on its last gasp of breath...barely over 200MHz in processing power. With some of today's higher speed broadband connections...they are becoming a bottleneck. I don't care what's running on it for firmware...throughput is throughput...based on processor power.

Good to see them finally porting it over to some MIMO routers though.

Most people with the average home network can barely push them..but to compare them in performance..to what a good business grade router can handle..or a *nix distro on a P4 box with 512 megs....LOL. Sorry...that beloved wrt with DD will crumble soon as you start hitting it with double digit boxes.

And some of the better *nix distros..such as IPCop with the Copfilter add-on, or my favorite...Endian...here is where, in my opinion, some *nix distros can stand up above the crowd......Unified Threat Management features. Transparent proxy features that scan traffic for viruses, worms, malware, SPAM, etc. And SNORT intrusion detection. And multiple zones such as red/green/orange/blue.

How can someone even possibly say Endian has a 1000 less features than DD-WRT?

phr0ze
02-27-2007, 06:56 AM
Thanks. It seems processing power is what I would get the most out of it. Linksys routers are notorious for locking up. I've owned at least a dozen different linksys routers in my life. However, once you get the linksys firmware off the router that problem goes away. I never have to reboot.

For now it seems the linksys is going to do just fine for me. I have double digit machines but I hardly actively use all of them at the same time. It's just me and the wife. I use QoS to control bandwidth so I can run torrent and still surf and make phone calls at the same time. Sometimes this doesn't behave as nicely as I'd like so better QoS might push me toward a dedicated machine.

Thanks All.

YeOldeStonecat
02-27-2007, 07:18 AM
As long as you realize what your needs are...and if the wrt will provide the power that you need...you're good. Long as you don't need..what is it....24 megs throughput that most of the wrt54g series does...

I disagree with the statement "Linksys routers are notorious for locking up" though...I have at least several hundred of them out in the field. Granted I'm a bit pickier with the models that I use, and the firmware version..never the befsr series..most of them the befsx and RV0 series...and a few of the MIMO products.


QwertyJuan
02-27-2007, 08:57 AM
One of my internet connections here at work is on an IPCop.... the other is on a DI-604.... the 604 has NEVER locked up in over a year.... I definitely like my IPCop better, but to say that ALL consumer routers lock up is simply not true....

Frobozz
02-27-2007, 09:51 AM
I built a dedicated (m0n0wall) box to replace my wrt54g when everything started to grind to a halt when torrenting. Night and day difference. Now with a CF -> IDE adapter & card, the box has no moving parts other than a cpu & powersupply fan.

Wolf-R1
02-27-2007, 11:46 AM
I think some of the responses here are grade A+, but they've forgotten the base argument that NAT is not a firewall, and iptables, which is used as the firewalling software on these *NIX distros, is a stateful, connection-based firewall.

Sure, most unauthorized traffic is harmless, and NAT will handle it by virtue of not having a connection state to match incoming packets, but for someone who really wants to break in, NAT will not stop them. If they notice that you're running services out of your IP address and get the itch to break into something...

phr0ze
02-27-2007, 12:08 PM
I disagree with the statement "Linksys routers are notorious for locking up" though...I have at least several hundred of them out in the field. Granted I'm a bit pickier with the models that I use, and the firmware version..never the befsr series..most of them the befsx and RV0 series...and a few of the MIMO products.

I have only used a dozen or so Linksys. All of them had problems using Linksys firmware no matter what version of firmware. Seemed to happen more when I used them pretty hard. The WRT54G has never locked up on me, even with the stock firmware. But I didn't run the stock firmware long enough to let it give me trouble. That being said, maybe I was having bad luck with my router selection. One was a befsx and that one had the same problems. I still have a few of them in a closet I can pull out and tinker with.

Thanks again. I'm getting a managed switch which I am thinking I will run red and green on in vlans making it easier in the future to swap the router for an IPCop box or something.

YeOldeStonecat
02-27-2007, 12:42 PM
One was a befsx and that one had the same problems. I still have a few of them in a closet I can pull out and tinker with.

Those SX models were great IMO....hardware wise....however..there were a few bum firmware releases. The old 1.45.7 was rock solid, the 1.50 and 1.51 versions were HORRIBLE...slowly got better with the later (but not early) 1.52.x series...1.52.9 and 1.52.10 (the current ones) are good.

trmentry
02-27-2007, 08:04 PM
I'm running IPCop and love it. I won't go back to the little Linksys type routers.

The reason I switched is at the time I couldn't set up my port forwards like I wanted. I wanted to be able to forward SSH traffic to my server from only certain hosts on the internet... with Linksys type routers it was either permit all or deny all, no granularity to go permit this and this and deny the rest.

I also really like the proxy with DansGuardian. It's mostly for my son's benefit so that he can't get to questionable sites. Me on the other hand... *cough*... The Zerina addon for OpenVPN is great and was a snap to configure and get running. Makes it nice to get into my boxes from the road.

I've had a nice big uptime with the IPCop box and it's kept my same IP for me for a long time, but the DynDNS updater takes care of that if it changes.

You can't go wrong putting a couple nics in a really old machine and turning it into a firewall. However I don't recommend DansGuardian on a really old machine. I tried DG on a PF/OpenBSD box on a really old Sun Ultra 5 and it crushed the CPU with DG running. My current box is an old P4 and is running it fine.
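As an added example (not from any poster in this thread), this is what Wolf-R1's point about a stateful iptables firewall and trmentry's granular SSH port forward look like as an iptables-restore ruleset of the kind IPCop/Smoothwall drive from their web GUI. Interface names (eth0 = red, eth1 = green), the internal SSH server 192.168.1.20 and the two permitted external hosts (RFC 5737 documentation addresses) are assumptions.

```conf
# Assumptions: eth0 = RED (internet side), eth1 = GREEN (LAN 192.168.1.0/24)
# Load with: iptables-restore < rules.v4
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Stateful core: only packets belonging to a connection the LAN (or the box) initiated come back in.
# This is the part NAT alone does not give you; NAT merely lacks a translation entry to match.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# The green side may reach the firewall itself (web GUI, DNS, DHCP); red hits the INPUT DROP policy.
-A INPUT -i eth1 -s 192.168.1.0/24 -j ACCEPT

-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# Green may initiate anything outbound.
-A FORWARD -i eth1 -o eth0 -s 192.168.1.0/24 -m conntrack --ctstate NEW -j ACCEPT

# Granular port forward: the DNAT below rewrites every inbound :22 to the server, but only
# NEW connections from these two named hosts are allowed to pass. A SOHO "permit all" forward
# would stop at the DNAT rule and let anyone through.
-A FORWARD -i eth0 -o eth1 -p tcp -d 192.168.1.20 --dport 22 -s 203.0.113.10 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -d 192.168.1.20 --dport 22 -s 198.51.100.7 -m conntrack --ctstate NEW -j ACCEPT
# Anything else aimed at the forwarded port is logged, then falls through to the FORWARD DROP policy.
-A FORWARD -i eth0 -o eth1 -p tcp -d 192.168.1.20 --dport 22 -j LOG --log-prefix "ssh-fwd-denied: "
COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Port forward (DNAT) for SSH; the source restriction lives in the filter table above.
-A PREROUTING -i eth0 -p tcp --dport 22 -j DNAT --to-destination 192.168.1.20:22
# Masquerade green behind the red address: this is the "NAT" a SOHO router does.
-A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE
COMMIT
```

The `ssh-fwd-denied:` log lines are what you would expect to see from the scanners MooCow mentions later in the thread hitting the forwarded port.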

pookguy88
02-27-2007, 09:00 PM
the only reason, and it is a big one, why I run a *nix router now (PFSense) over DD-WRT is QoS. Frankly, QoS does not work on dd-wrt/wrt54g, torrents will bring the whole thing down to its knees. Now, I seamlessly run torrents all day and browsing doesn't take a hit at all. It's really something :cool:

Riddlinkidstoner
02-27-2007, 09:03 PM
Tomato firmware supports QoS.

br0k3nman
02-27-2007, 09:38 PM
I've recently moved my wrt54g v2 over to tomato from dd-wrt. It seems to be a pretty good amount faster IMHO. I am still tweaking the QoS but the QoS on DD-WRT brought it to its knees.

I run a network for 6 individual machines, a media center (very little traffic), a file server (most traffic is simply on a switch between the other machines), and an average of three wireless users. On average I'd say that there are 3 or 4 out of 9 people torrenting.

Would I benefit from moving to a full machine? I can build something lower power like a P2.

If I did, what would be the best distro? pfsense? ipcop? m0n0wall?

Keep in mind that I really want to avoid doing too much shit in bash. I like a shiny web interface to do my configuration in.

Robstar
02-27-2007, 09:55 PM
A vote for OpenBSD pf + carp + altq :)

Rob

pookguy88
02-27-2007, 10:23 PM
If I did, what would be the best distro? pfsense? ipcop? m0n0wall?

Keep in mind that I really want to avoid doing too much shit in bash. I like a shiny web interface to do my configuration in.

With these distros, you pretty much don't have to do anything in bash besides the initial setup, which is easy anyways.

YeOldeStonecat
02-28-2007, 05:38 AM
Would I benefit from moving to a full machine? I can build something lower power like a P2.

If I did, what would be the best distro? pfsense? ipcop? m0n0wall?

Keep in mind that I really want to avoid doing too much shit in bash. I like a shiny web interface to do my configuration in.

The *nix distro routers are managed via web admin...just like the little Linksys and Dlink routers out there.

Lower power? Yeah..the basic distros will run OK on P2's...but the more inclusive ones..where you have transparent proxy scanning features...you want to stick with at least some midrange hardware (P3's or higher)

QwertyJuan
02-28-2007, 06:24 AM
The *nix distro routers are managed via web admin...just like the little Linksys and Dlink routers out there.

Lower power? Yeah..the basic distros will run OK on P2's...but the more inclusive ones..where you have transparent proxy scanning features...you want to stick with at least some midrange hardware (P3's or higher)

My P3 550 has never had a problem.... it AVERAGES about 2% CPU usage.....

YeOldeStonecat
02-28-2007, 07:16 AM
My P3 550 has never had a problem.... it AVERAGES about 2% CPU usage.....

I have noticed differences myself in experimenting with different physical boxes. Big difference noted in IPCop w/Copfilter and adblock feature...going from my P3 733 or 833 box...to my 2.4 P4 box.

QwertyJuan
02-28-2007, 08:09 AM
I am not running any extra add-ons... that is probably why...

Teecee
02-28-2007, 03:14 PM
I went from linksys ddwrt to ipcop and will never go back.

Wolf-R1
02-28-2007, 04:13 PM
My P3 550 has never had a problem.... it AVERAGES about 2% CPU usage.....

What are you running on it?
I'm considering putting an IPCop based FW with Copfilter in place between the 'Net and our email server. At the moment there is basic firewalling but the email server itself does all the spam and AV filtering.

MooCow
02-28-2007, 04:56 PM
The reason I have run linux/bsd based routers in the past is the ability to do things that the SOHO routers can't (add-ons) and because very few SOHO routers can handle large amounts of connections (torrents) without falling down.
Yeah, that's what I was gonna say. TORRENTS.
I have been running IPCop for a couple of years and my WRT-54G is now just an access point. If you torrent a lot, you may eventually cause your router to hang, reboot, etc. while kicking everyone else in the house offline. Also the traffic graphs are a nice touch, I don't know if the other SOHO router firmware hacks have them but I'm sure they do. The only complaint I have with IPCop is that the traffic graphs are not real time, I'd like to see current upstream/downstream speeds as well as easy to read monthly throughput usage. I see maximal, min, all that crap but I want plain English. I saw a screenshot of pfsense and it seems to have something like that, so I may check into it later.

QwertyJuan
02-28-2007, 06:34 PM
What are you running on it?
I'm considering putting an IPCop based FW with Copfilter in place between the 'Net and our email server. At the moment there is basic firewalling but the email server itself does all the spam and AV filtering.

Just a basic IPCop install, no add-ons.... only 6 machines on it, BUT I have about 30 machines coming into the network from outside.... they 'sync' their program with our database.... work on whatever they synced, and then 'sync' it back.... not a lot of traffic, but with 2% average CPU usage, I am sure I could triple the amount of clients before I would notice any slow-down..... actually.... I am entirely sure I would max out my internet connection before I would max out the machine. It's only 1.5Mbps down and 768 up....

256MB ram
P3 550
6GB HDD
2 Realtek 10/100 nics.....

MooCow
02-28-2007, 07:14 PM
Do the firmware hacks include any sort of Snort intrusion detection? I found this feature of IPCop to be pretty interesting. I'm only using the free basic subscription to snort updates, but the IDS logs show a lot of pesky assholes from other countries trying to probe my ISP's entire subnet. If you click on an event in the logs it will bring up useful info from the attempted perpetrator like whois, etc.

I get a lot of MS-SQL Worm propagation attempts, but most of the time it's logging ignored ping replies caused by bittorrent itself :p

MooCow
03-02-2007, 04:14 AM
I know somebody has the answer.

YeOldeStonecat
03-02-2007, 06:18 AM
What do you mean "Firmware hacks"? You mean 3rd party firmware like DD-WRT?

Firewall logs..depending on level of detail, can get FULL of junk. The internet is very "noisy"..you'll see kajillions of port scans, pings, and yes..the SQL exploits. Just think about how many people in the entire world have their home PCs sitting on public IPs without firewalls...it's safe to assume most of those are compromised..and are the source of many of these attacks of the rest of the internet. It's a lot of "bot" PCs to add up.

genesis[OFT]
03-02-2007, 07:45 PM
I've set up my own 'roll-your-own' Firewall System here at home. It's running on an Intel Celeron 450 MHz with 256MB RAM and like a 4GB Hard Disk Drive. Running Ubuntu Linux 6.06 LTS with an uptime of 1 and a half years.

It runs Shorewall for NATing and Firewalling as well as OpenVPN for VPN Connections, a RADIUS server for Wireless authentication, DHCP and DNS servers (DNS server caches) and has the capability to connect to my AD domain as well when I get around to setting up NAGIOS to integrate into my AD domain.

For what it has (hardware and software wise) - it tops ANY consumer grade Firewall\Router with EASE.