A list of do-it-yourself *nix router distros

YeOldeStonecat

Over at Speedguide I have a stickied thread listing all the *nix router distros, firewalls, all in one servers, etc. I thought it might be helpful to have one here...and have people contribute to it so the list keeps growing and growing. Fun resource for us here who like to fiddle with these.

Here's what I have so far...worthy of being stickied?

************************************************
Tired of overwhelming your home grade broadband router with heavy traffic?
Need better quality of service features?
Want something you don't have to reboot often?
Better performance for some of those faster internet connections these days...such as those past 10 or 20 megs that many home grade routers can't keep up with
Add some business/enterprise grade features like VPN, DMZ zones, UTM features such as antivirus scanning and spam removal, web/content filtering, some have blocking of protocols for IM and peer to peer traffic.

You don't need to know Linux to build these routers, or manage them..they are all managed through web interfaces just like your typical Linksys/Netgear/DLink router. Download an ISO..burn to CD...take a computer that has 2x network cards...boot from the CD..and they have an install wizard that holds your hand through the whole process. If you're somewhat comfortable setting up and managing your home grade router..you can build and manage one of these.

There are many of them out there...some stronger in certain areas than others, and a growing number that bring full UTM features (Unified Threat Management). These UTM features are the ones I'm really interested in..and using at a few clients with good success. The UTM distros add antivirus scanning of all web, mail, and ftp traffic, as well as spam removal of web traffic. Some add ad/spyware blocking of browser traffic as well. And beefier intrusion detection via Snort.

Some of the basic *nix router distros....

IPCop...one of the more popular ones, has a big development/support community with lots of add-on packages.
http://www.ipcop.org/
You can add UTM functionality to it with the add-on called Copfilter
http://www.copfilter.org/

m0n0wall
http://m0n0.ch/wall/

Smoothwall
http://www.smoothwall.org/

pfSense...originally built on m0n0wall...with stronger QoS features
http://www.pfsense.com/

Clark Connect is a cool distro for a small business, sort of an open source *nix version of Microsoft Small Business Server
http://www.clarkconnect.com/

ClearOS a further developed fork of Clark Connect....another open source version of Microsoft Small Business Server, UTM, file/print server, e-mail, web, myphp. Very nicely developed.
http://www.clearfoundation.com

Zentyal another open source "all in one" version of Microsoft Small Business Server.
http://www.zentyal.org/

BlueOnyx..another sort of all in one, web/mail included
http://www.blueonyx.it/

vyatta
http://www.vyatta.com/

Zeroshell
http://www.zeroshell.net/eng/

For some of the UTM distros....in addition to the Copfilter build of IPCop listed above....

Endian...one of my favorites..built on top of IPCop..with the features of Copfilter...bundled into one tight package
http://www.endian.com/en/community/

Comixwall (Has terminated Dec 09 after dispute with BSD)
http://comixwall.org/

Astaro...a great UTM distro, they have a UTM free version for home users, and a free non-UTM version for business. UTM for biz is pay for.
http://www.astaro.com/

Untangle...this one is fantastic...I've built a few...using them in production...very powerful. Lots of features...even blocking of IM traffic and peer to peer traffic.
http://www.untangle.com/

eBox
http://ebox-platform.com/
Similar to ClarkConnect...quasi server duties

Gibraltar
http://www.gibraltar.at/
A UTM appliance, aimed at businesses but they have a free open source community version for home users.

IPFire
http://www.ipfire.org/en/index
A basic firewall aimed at new users, easy setup, etc.



On the basic distros...all you need is an older PC...P2 or so, moderate RAM, a pair of NICs..and you're good to go. For the UTM distros..you want a bit more power...mid range or higher P3, 512 megs of RAM...Untangle likes to go above 1.0GHz and a gig of RAM.

Fun stuff..and put your retired older PC to work! :thumb: :cool:

http://en.wikipedia.org/wiki/List_of_Linux_router_or_firewall_distributions?c6b0b560

A short article I found mentioning a few distros...with a brief blurb of each
http://www.fsckin.com/2007/11/14/7-different-linuxbsd-firewalls-reviewed/

*************************************************************************************************
 
Thanks for taking the time to throw this thread together. Good job :cool:
another vote for sticky!
 
I vote sticky as well, I didn't know anything about them till I came here. So making a sticky would make it easier for people like me. Also some might not know there are so many to choose from, have bad luck with 1 and give up not knowing that.
Posted via [H] Mobile Device
 
Comixwall is no more, after a spat with Theo on the OpenBSD-MISC mailing list the maintainer decided to give it up.
 

Thanks for pointing that out....edited the post to reflect its demise. I won't miss that one, tried it quite some time ago for a day, it didn't grow on me.
 
+1 for sticky

also is PFSense the only one with UPnP? I know Smoothwall does, but after too many issues with smoothwall not getting an IP from the modem... I moved over to PFSense...

I'm a big gamer and I would have to port forward every port for each game that I play fairly regularly. It's quite a list, and I would rather not have to spend the effort putting in each port...
 
I've been playing around with several of these as VMs under Hyper-V for use on my home network.

I think this would be a good item to get sticky'd.
 
+1 for sticky, thanks for the guide, I'm going to play around with them on some VM's just like the poster above
 
Stickying this would be awesome, but I'd like to know up front if any of these distros are 30 day trials, etc.
 
Sticky this up! Make sure UNTANGLE is in Bright green :)


maybe do something like this.



Url http://www.x.x.x.x.com
then company image like logo below so people can see it.



Like this.


http://www.untangle.com
logo.gif
 
YeOldeStonecat,

Very sorry.

I forgot to say GOOD WORK THANKS FOR THIS!!


J'
 
+1 for sticky.

Just tried Zentyal in a VM. Web filtering is somewhat confusing. I piddled with it for an hour and decided I didn't like it. Trying Endian in a VM again....
 
I've used smoothwall, ipcop, endian, pfSense, clarkconnect, clearos, untangle and astaro. pfSense has the best traffic shaping, untangle is the easiest to use. I always end up back at Astaro because of the excellent filtering, QoS and web server firewall. I think the web interface is intuitive and easy to use. It's definitely not for novices, though. You'll find yourself constantly tinkering with it until you get everything just right. Community support is best for untangle and I do really like the product. I just don't like the ad supported filtering they stuck in. I understand why they did it, just don't like it so I won't run it at my house anymore.
 
A lot of the ones mentioned are more "firewall appliances" type distros

Vyatta is by far one of the best "router" distros
 
Any distros with inline snort built into them that could run on atom mini-itx motherboards? I need something with a low carbon footprint. Excessive power use can get costly over time.
 

There's a snort thread about that very subject:
http://hardforum.com/showthread.php?t=1559846

From that thread I've learned for sure that pfsense and untangle both offer snort as an installable package.
There might be others out there as well. I just don't know of any off hand.

*edit* just saw your post in that thread. looks like you've had pretty extensive hands on with untangle and pfsense. and from your post it looks like they don't offer quite the same functionality as standalone snort?
 

Both firewall applications do use snort. Untangle uses their own custom snort rules to avoid false positives. Pfsense doesn't use snort inline so it's not as efficient or effective as an IPS.

I also want to find out if an atom 1.8 ghz server can handle a bulk of snort rules without freezing or crashing.
 

The Atom should be able to handle it. The biggest, most important factor is to use Intel NICs.
Don't use anything except Intel networking cards in a home brew router to avoid odd bugs that the Realtek cards seem to bring in.
 
Great thread! +1

After tinkering with about four of the distros on that list (Untangle, pfSense, Vyatta, Astaro), I settled with Astaro.

Each distro has something really nice to offer, I guess it's just preference. I went with Astaro for the quick and painless configuration and the WebAdmin interface is quite easy to work with.
 
Both firewall applications do use snort. Untangle uses their own custom snort rules to avoid false positives. Pfsense doesn't use snort inline so it's not as efficient or effective as an IPS.

I'm new to all of these packages but am at the point of needing an IPS in addition to basic firewalling. Pfsense with snort looks like it will meet my needs in that regard but your statement causes me a bit of concern. By efficiency do you mean CPU / power efficiency? And by effective what do you mean?

If it makes any difference I'm going to be using a 1U rack mount appliance, probably one from Hacom (www.hacom.net) - I'm open to vendors but I don't have the time/interest to roll my own.
 

THOSE prices are outrageous HOLY SHIT!

499$ for a basic unit, using realtek cards = YUK!

a dual core atom board with 2gigs ram dual intel gigabit NICS 1u rackmount case is about 350$ to your door.

Would take you about 15 min to assemble, and about 30 assembled untangle / other firewall software running and probably configured.

j'
 
If you live in the central PA area, check out the state surplus warehouse in Harrisburg. I got a Dell Pentium D system (1GB RAM) w/ LCD panel for $80. They also have loads of Intel Server 10/100 NICs for $1 each! Currently have one core turned off, running pfSense on it flawlessly. My installed packages include Snort, Antivirus proxy, IP Blocklist, Country Block, NMap, and iperf. Everything works well but I find myself constantly tweaking it out of boredom knowing the capability pfSense has :)
 
I use SME Server (www.contribs.org). It is sort of similar to ClearOS I think. It does a lot more than just route, it is a web server, email server, ftp server, file server, and just about everything else. It is based on CentOS.

What I am looking for now is a ready to go ipv6 firewall/server. I have found lots of instructions on how to set up my own, and I may have to, but if one was already set up that would make me much happier!

rody
 
Well, after stumbling around a bit I have found that m0n0wall and pfsense both have betas out that you can enable ipv6 in. After I figure it out I may have to write up a guide, because this is very confusing stuff.
 
I've tried the following UTM's / Firewalls and this is what I have to say:

Untangle: By far the easiest... but also kinda the most bloated UTM. Option menus (i.e. the UI) are not very intuitive and I hated the fact you could not set up VLANs with it - appears it strips everything. The community is pretty tight and responsive so there's always someone to help you out if needed. I'll give it 3/5 stars.

Astaro: The most feature rich but holy crap is it bloated. DEFINITELY NOT FOR BEGINNERS. The simplest things, such as port forwarding, are just a nightmare. However once you have it setup, it's pretty darn solid. The community is pretty sparse... takes a while to get someone to assist you on their forums. I give it 3/5 stars; would have been 4 if it hadn't been so damn difficult to navigate through.

Endian (currently running): Based on IPCop with Copfilter features but just nicer. Appears to be pretty solid and easy to manage. The UI is great, has a lot of features and especially has VLAN tagging! It's based off a customized CentOS which has YUM removed but Smart package management still there. Doesn't eat much space and has native 64 bit and dual core support (well, so do all the other ones). One thing I am kinda bummed about is that, unlike Untangle and Astaro, there is no easy way to do auto update. You have to manually invoke an upgrade command via CLI (SSH into the box) as there is nothing in the UI that lets you run an upgrade. Furthermore, I am not very pleased with its reporting capabilities... a bit clunky if you ask me... Oh and don't get me started on the HTTP proxy - the content filter sucks (I set it to block anything remotely resembling porn, then hit youporn.com - yup, went through no problem... blocked it in the black list and it appears that you actually have to type every variation in order to properly block it, doing *youporn* just won't work). In terms of support/community - you are on your own... their unofficial forums are pretty dead. I give it 4/5 stars

ClearOS: This is a full SME - has a lot of capabilities and the UI is up to par with Endian (actually almost looks the same). Simple tasks such as port forwarding, static DHCP, static DNS names - all those are easy peasy. However it appears there is no UI-based VLAN tagging option; you must do it via CLI (again, SSH to the box). I didn't play too much with it after I've discovered there was nothing I could do in terms of UI based VLAN tagging (doing it via CLI ain't a biggie but since I don't need any SME capabilities - reverting to Endian is fine by me). I give it 3.5/5 stars.

IPCop: Everyone raves about it but I don't quite understand what's so great about it. The base UI is clunky, current stable version is 1.4 and beta is 1.9; 2.0 seems far away based on their roadmap. I like what Endian did with IPCop - made it look a whole lot nicer and behave better and smoother. I actually had to install a 3rd party add-on in order for VLAN tagging to work - which was, I suppose, nicer than all the other UTMs that didn't have it but still. Some people consider it as the granddaddy of all home-made routers/UTMs so I suppose it can get some kudos :p. I give it 3/5 stars

Smoothwall: Didn't try it; I heard the firewall sucks so I walked far... far away.

Pfsense: This is what I am looking forward to trying out. I had very brief experience with it when I installed 1.2.3 (which is based on FreeBSD 6), however it did not like my Marvell based NICs (got TCP Segmentation errors followed by Tx Mac parity errors). The UI looks fantastic and simple; very easy to use in terms of all the firewall/NAT related features and the community for it is quite great - very responsive. There are a lot of mods available for it and even ports to make it run on embedded systems. Their 2.0 beta server was down so I could not get the beta version but it's FreeBSD 8 based and is compatible with all my equipment. I hope to give it a shot this weekend. Based on my current experience, I'll give it 4/5 stars but I suspect I'll give it a perfect 5 once I get it properly working!

The hardware I am running is pretty simple yet powerful enough for all these appliances:

MSI Fuzzy RS690T mainboard
Athlon 4450e 2.3 GHz Dual Core @ 65 watts (using 125 watt copper heatsink for optimal cooling)
1x 2 GB of DDR2-800 SODIMM
80 GB Hitachi SATA 2.5" drive (only thing I had lol)
Raidmax Mini-ITX case with a 150 watt PSU

Currently I am using the two built in Marvell NICs, but since the board comes with a PCI slot, I am planning on picking up an Intel Pro/1000 GT card and slapping it in to do LAG; appears that when I do VLANs on my network and have traffic routed through the box (when one VLAN tries to hit another VLAN), my network throughput drops by a nice... well, 85%. I went from 80 mb/s average transfer from my fileserver to... 15. That's pitiful :|

Welps - those are my 2 cents :)
 