OTish: Best free network manager- replace ClearOS? Maybe pfSense?

Hi All,

I have been using ClearOS on an old PC for many years to manage my internal network. I have my broadband router on its own subnet on one NIC of my ClearOS PC and then the internal network on a separate subnet on the other NIC. ClearOS then manages all the network, DHCP, DNS, in theory virus scan/ malware protection etc. etc.

I am getting FTTP installed next week so thought I would take the opportunity to re-look at the network setup whilst I am at it. My version of ClearOS requires a full rebuild to upgrade anyway so thought I would look at what the best is these days.

After a bit of Googling, pfSense seems to be the most popular but was wondering if anyone here had any views on pfSense vs ClearOS or indeed any alternative suggestions? I don't know what router I am getting with the install so maybe these days the routers are good enough and should scrap the external network manager - although I do like the idea of the internal and external networks being on separate subnets with a hardware/ physical separation (maybe a security expert might say this makes no real difference?).

Also, any suggestions on good newsgroups I should post to instead who focus on these sorts of things?

Thanks again

Lee.

Reply to
leen...

certainly not this one.

Possibly one with 'networking' in its name

But why not simply get a router that manages all that?

Reply to
The Natural Philosopher

uk.comp.homebuilt is fairly quiet but might be worth a go. Adding a crosspost...

I suppose the real question is: what do you want your 'network manager' to do?

Any router will handle DHCP, DNS, NAT. How do you handle wifi - is that a separate AP/mesh setup? Do you have requirements on top of what a consumer router would provide?

IMX a good reason for a DIY router is because the one you have can't handle the internet bandwidth, which is more common with cable and FTTP setups. The issue tends to be that the router CPU is too poor to handle routing tasks like lots of connections being made at once.

some of the motivation behind using a mini PC for this which has 'PC' class hardware rather than the single-core 400MHz MIPS you got in consumer routers. Jim Salter has a number of 'DIY router' articles on Ars that benchmark his DIY build over consumer alternatives, which are worth reading.

Your old PC is almost certainly going to take a lot more power than one of those, so your running costs will be a lot higher than even a mini PC solution. On the other hand, internet bandwidth has been rising slower than router performance - these days routers can be more like a cheap smartphone - eg quad 1.5GHz ARM cores which is a lot more horsepower than the single 400MHz MIPS. So the window in which using a 'PC' rather than a 'router' seems to be closing.

On the other hand, if you want full control a proper OS is attractive, especially if your ISP or a Netgear/etc router is too restrictive. A middle ground would be to look at OpenWRT or dd-wrt or some of the other router distros - you get to run these on a traditional low power router platform (a reflashed Netgear or TP-Link or even an old ISP router if it has suitable specs, although you can run them on PCs too) while giving you more control.

A suggestion: a cheap and simple entry point to this world is the BT Homehub 5 reflashed with OpenWRT. These can be bought preconfigured for about £20 on ebay (search 'homehub 5 openwrt'). The wifi on these is mediocre (although good for its time) but otherwise it's a solid OpenWRT router, if not the newest. That gives you a chance to play with OpenWRT on such a platform, and if you don't like it you've only wasted £20. You'd probably burn that in a few months of power of your old PC router.

Theo

Reply to
Theo

Thanks both. The main appeal for me with the PC route is that there is hardware separation between my internal and external networks which seems more secure to me than a pure software firewall if I went down the router route. ClearOS also gives a lot better logging/ metrics than my routers - unsure what OpenWRT provides.

My house is all wired with cat6 so I either have the end devices connected via Ethernet or via a series of other wifi routers dotted around the house to give coverage. For these routers, whilst I was at it, I was thinking about whether it is worth flashing these with OpenWRT (if the routers are supported)?

thanks

Lee.

Reply to
leen...

pfSense is OK. I've been using it for many years. If you have a PC with a dual NIC you can test it in a Virtual Machine.

People say OpenWRT is good. I would try it, but I have a working pfSense set up and it is too much effort to change. i.e. pfSense doesn't annoy me enough for the effort of a change.

Reply to
Pancho

Thanks Pancho - I was in a similar position with ClearOS in that it works fine and didn't have a reason to change it until now:). Do you use pfSense in a similar way to my use of ClearOS? Re: OpenWRT I thought that was only to replace the OS on the routers themselves as opposed to act as a separate network manager?

Thanks

Lee.

Reply to
leen...

Not with respect to ClearOS vs pfSense, but I would normally go for a business class COTS router rather than running a whole PC just as a router for even a fairly sophisticated home network. The difference in cost of electricity alone will be significant.

Depends a bit on what you ordered, and who is supplying the FTTP. However in most cases the feature set will usually be fairly basic.

Typically if running IPv4, then the router will be running NAT and a firewall anyway. The two "sides" of it are on separate networks. Disabling access to any configuration and management from the WAN side is also a good idea in most cases.

Ultimately much depends on what facilities you need. For example do you need external VPN access to your home network? The ability to run multiple subnets internally? VLAN support? Failover to a backup WAN connection? Load balancing? etc.

Also how much are you prepared to spend? (routers etc are more pricey at the moment than usual due to the current semiconductor shortages and other constraints). So things that were £200 last year are £300+ this year!

Reply to
John Rumm

I don't really understand what you meant by broadband router on it's own subnet. I don't understand what a network manager is?

My pfSense has the WAN interface on its own NIC and a LAN interface on another NIC. I have a LAN subnet, 192.168.0.xxx. But the WAN is just the IP my ISP gives me.

pfSense routes between the two, and a few VPN tunnels. That is the separation of the WAN and LAN. You will always need something to route between the two networks, WAN/LAN. I have always thought of two NICs as hardware separation, it means everything has to go through pfSense.

Reply to
Pancho

I have my ISP supplied router on my "outward facing" subnet 192.168.A.xxx with the router itself set to a fixed IP address on that subnet and DHCP and Wifi switched off. The only thing that is connected to the ISP router is my ClearOS PC on NIC 1 - this NIC has a fixed IP address on the same 192.168.A.xxx subnet. The other NIC has a fixed IP address on the "internal" subnet (192.168.B.xxx). Everything in the house is then on this "internal" subnet (192.168.B.xxx) including the various wifi routers (fixed IP addresses, DHCP turned off, pointing to ClearOS for DNS etc.). The ClearOS PC then provides all the network services - DHCP, DNS, some level of virus/ malware protection etc.

So essentially a device on my internal network has the following route to the internet...

device -> local Wifi router -> house switch -> ClearOS all of this on 192.168.B.xxx and then....

ClearOS -> ISP Router -> internet all this on 192.168.A.xxx

If by "But the WAN is just the IP address my ISP gives me" you mean that the NIC gets its IP address from your ISP router (assuming it has DHCP switched on) as opposed to your internet facing IP address then I think the macro level setup is the same just that I have further restricted access.

Thanks

Lee.

Reply to
leen...

I'm not sure what you mean about a 'pure software firewall'. The PC with two NICs is using software to route from one NIC to the other. It doesn't have a hardware firewall.

A typical wifi router has a single NIC but its five ports (4xLAN, 1xWAN) are all connected to a VLAN-enabled switch. The OS sets up the VLAN tags on the ports to be, for example, 1-4=VLAN #1, 5=VLAN #2, and designates VLAN#1 as LAN and VLAN#2 as WAN.

Then it sees a packet coming in on VLAN#2 and decides whether or not to route it to VLAN#1. Depending on the SoC there may be a bit of NAT acceleration in there, but it's mostly all software, just like the dual-NIC case.

As far as the OS is concerned it has two network ports, which are enforced by the VLAN tagging in the switch (ie hardware). An attacker coming in on VLAN#2 can't forge the VLAN tag to make their traffic look like it came from VLAN#1, because the tags are all internal and not sent over the wire. So unless the OS sets up the VLANs in a broken way (in which case it wouldn't work) it's effectively two NICs.

With a replacement router OS you can control the port<->VLAN mappings, so you can decide to have 5 different isolated networks if you want. To do that on a PC would require a 5 port NIC or an external VLAN tagged switch.

OpenWRT has some packages for logging etc. They aren't installed by default (due to having to fit on routers with small amounts of flash) - I haven't tried them.

It could be worth a go. I have a HH5a as the main router, and a Ubiquiti AP for wifi, both flashed with OpenWRT. Both have a port configured to export VLAN-tagged traffic (ie not strip the VLAN tags inside the switch), and I have multiple wifi networks configured, one for each VLAN. That means I have an 'IoT junk never going near the internet' wifi network which routes back to the firewall config on the main OpenWRT router. It's a bit more fiddly setting this up than if it was integrated into the main router, but then I can place the AP in a better location.

Theo

Reply to
Theo

+1

Have a look at Edgemax or Ubiquiti


Some routers will allow direct connection to the ONT allowing you to throw away the ISP supplied router. However, you will need to get the vlan number, username and PWD from the ISP to put into your router.

+1

I have Wireguard running here for all mobiles connecting back home via public wifi.

I also have a Pi Hole to filter out the unwanted trackers and ads.

I also have a Ubiquiti Network manager for the Ubiquiti access points I use for Wi-Fi.

+1

The Ubiquiti and Edgemax have not risen much in price.

Another brand to look at is Meraki.

Reply to
SH

Yup, they make decent enough kit (Ubiquiti especially). I tend to go for Draytek, but mostly because I have loads of it already installed.

Reply to
John Rumm

Why pay for a business class router? Even 10 years ago the open source router firmware (e.g. Tomato) was very good, with all the features of "business class" routers. Install it on a cheap router and you have something to compete with a business router for a fraction the price.

I only run pfSense, because 6 or 7 years ago, I couldn't get a standard router (arm based) to drive OpenVPN tunnels at 100+ Mb/s.

The PC I run pfSense on is only 6 watts, Intel Celeron based.

Reply to
Pancho

In my case because I want something that will work "out of the box", and I can swap out in a hurry if required.

Also most SOHO routers lack things like VPN encryption acceleration hardware, and I need lots of LAN to LAN nailed up VPNs.

I am supplying business customers, and they appreciate that the cost of the router is not really significant in the grand scheme of things (especially when they will typically spend the same on a couple of months of dual redundant broadband service as they will for the router)

Yup there are some low power PCs about, but typically they are things that you need to spec and buy specifically for the task - they are not usually the cast off desktop that no one in the office wants because it takes 90 seconds to load Excel! So that does add to the cost of using one as a router.

Reply to
John Rumm

Thanks Theo. The router arrived yesterday, it is a "Vodafone" THG3000. I had a quick scoot through the menus and couldn't see a way to set up vlans on different ports. I take your points re: router may be the same conceptually as my setup in that it is all controlled by software. I may have misunderstood how these things work but my logic (may be flawed) was that in the router scenario everything was on the same subnet (assuming I couldn't do the vlan thing) and therefore more liable to attack if someone externally managed to get on my network. In my setup I have the usual router firewall and the ClearOS firewall to breach. Having said that, if someone got into my external subnet (i.e. 192.168.A.xxx - the one with just my router and the ClearOS NIC) and tried to get to devices on my internal subnet (192.168.B.xxx) then I was assuming ClearOS will stop that but maybe it just routes it?

Reply to
leen...

Now I have the FTTP router, it wasn't what I was expecting. I assumed it would be equivalent to an ADSL router where you connect the ADSL one side and the LAN connects to the other. So I assumed the fibre would connect to it somewhere and it would expose Ethernet ports for the LAN. With this one (Vodafone THG3000) it has a port labelled "INTERNET" which seems to be for an ADSL connection and a different one labelled "WAN" which seems to be like an Ethernet port but connects to whatever OpenReach installs (which I assume converts the optical fibre to Ethernet?). So I wonder now whether in my setup in theory I need to even have the new router?

Having said that, the router has a couple of phone ports which it says will enable me to connect my normal phones to it and it will "convert" them to the VoIP line Vodafone are providing. So irrespective of the above, I will need the phone bit but it does maybe ask the question as to whether I could/ should put the new router after the ClearOS box. i.e. OpenReach thing -> ClearOS NIC 1 -> ClearOS NIC 2 -> New Router -> internal switch.

As you can probably tell, I don't know how this whole FTTP stuff works under the covers and suspect I am still missing something in my network knowledge :)

Thanks in advance for your help.

Lee.

P.S. still not sure how to get my replies to appear on the other NG this was cross posted to so will cut and paste it :)

Reply to
leen...

Let's unpick this a bit.

Vodafone offer two products:

1) FTTC via Openreach. It's just 'faster ADSL' as far as the consumer end goes - it comes in via your normal telephone line. That's what the 'INTERNET' port is for.

2) FTTP via Cityfibre (and maybe OR too?). Typically FTTP installs an ONT box with the fibre going in and an ethernet port to attach to your router. That goes into the WAN port on your router.

It is likely you'll be doing the second. But what comes over the ethernet port is the 'WAN' - you don't have a firewall and you get a single IPv4 address. You could plug in a single PC but it would be unprotected from attackers.

If you need the phone bit you either: a) use their router or b) extract the SIP credentials out of them to use with your own VoIP adapter.

Good luck with b). People have tried that with BT and got nowhere. That means if you want to use their VOIP service you have to use their router. If you want to use your own router I'd recommend porting your phone number to a third party VOIP provider so you're free of this lockin.

You can put your own router *after* the Vodafone box but then you'll have double NAT. Which is bad, but I've been running it for a while (out of laziness) and it's been fine as long as you don't want to run outward-facing services. However you'd only do this if you wanted something their router didn't offer.

In answer to your other post, internet and local traffic aren't mixed on interfaces. Your local traffic might be 192.168.0.x, which is assigned to the router's 'LAN' interface. Your public IP might be assigned by your ISP to be 22.33.44.55 in a subnet of 22.33.32.xx to 22.33.63.xx. That's assigned to your 'WAN' interface. The interfaces aren't connected, ie if the internet tried to send a packet to 192.168.0.x it would come in on your WAN port but there would be no means for it to reach your LAN port and so it would get thrown away. It is not a 'party line' arrangement where anyone apart from the router can pick up internet traffic: it all has to be relayed through the router, which is subject to your firewall rules.

Sigh, Google Groups :(

Theo

Reply to
Theo

The problem with VLANs is that all the switches in your LAN need to be able to handle them. I can't think of many home LAN questions where VLAN is the answer.

Reply to
Pancho

+1. Port landline phone number to third party VoIP provider. I've happily used Sipgate basic for many years. A wireless DECT VoIP base station costs about £50. I was happy to get £90 off the cost of broadband when they introduced SOGEA, i.e. dropped telephone line rental from my broadband landline charge.

When Openreach fitted FTTP at a friend's house they asked if she needed a phone, I think they were offering to keep the existing copper phone line. I very clearly said she didn't want the telephone. They seemed keen on providing it. I didn't look to see what they actually did.

I think in general it is safer to have one WAN/LAN firewall and understand what the rules mean.

Reply to
Pancho

It's worth noting that multiple subnets and VLANs are not the same thing, although they can share some characteristics. Some routers support multiple subnets but not necessarily VLANs. So having things split onto different subnets makes it more difficult for someone on a PC to reach other bits of the network, but not impossible - since you can have multiple IP addresses attached to one NIC and it can be on more than one subnet at a time, or you can issue an explicit routing instruction to allow it to access another subnet. VLANs give a much more robust segregation, that can't be routed around in the same way.

It would not know how to route something originating from "outside" to "inside" unless you have setup a default routing instruction, or created port forwarding rules.

Reply to
John Rumm
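The following is an added illustration, not text or configuration from anyone in this thread, of the two points made above: Theo's description of an 'IoT junk never going near the internet' VLAN that routes back to the firewall, and John Rumm's point that nothing gets routed from "outside" to "inside" unless a port forward or explicit route says so. It is an nftables ruleset for a dual-NIC Linux box in the position Lee describes for his ClearOS PC. The interface names (eth0 as WAN towards the ONT or ISP router, eth1 as the trusted LAN, eth1.20 as a tagged VLAN 20 arriving on the same NIC from a VLAN-capable switch or AP), the subnets 192.168.1.0/24 and 192.168.20.0/24, and the published host 192.168.1.10 are all assumptions for the example. ClearOS ships iptables and pfSense uses pf, so this shows the policy, not either product's own syntax.

```nft
#!/usr/sbin/nft -f
# Added example ruleset (assumed names, not from the thread):
#   eth0    = WAN, towards the ONT / ISP router
#   eth1    = trusted LAN, 192.168.1.0/24 (untagged)
#   eth1.20 = IoT segment, VLAN 20 on the same NIC, 192.168.20.0/24
#             (created with: ip link add link eth1 name eth1.20 type vlan id 20)
flush ruleset

define WAN = eth0
define LAN = eth1
define IOT = eth1.20

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        # Router management (SSH, web UI) only from the trusted LAN, never from WAN
        iifname $LAN tcp dport { 22, 443 } accept
        # Both internal segments may use the router's DHCP and DNS and ping it; nothing else
        iifname { $LAN, $IOT } udp dport { 53, 67 } accept
        iifname { $LAN, $IOT } tcp dport 53 accept
        iifname { $LAN, $IOT } icmp type echo-request accept
        # If IPv6 is enabled, neighbour discovery must still work on every interface
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
        # Anything unsolicited arriving on WAN falls through to the drop policy
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Trusted LAN may reach the internet and may reach the IoT segment (to manage devices)
        iifname $LAN oifname { $WAN, $IOT } accept
        # IoT segment: no rule here, so it can reach neither the internet nor the trusted LAN
        # WAN -> LAN is only permitted for the one connection the nat table has rewritten
        iifname $WAN oifname $LAN ip daddr 192.168.1.10 tcp dport 443 ct status dnat accept
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        # The single deliberate exposure: public :443 -> 192.168.1.10:443 (assumed host)
        iifname $WAN tcp dport 443 dnat to 192.168.1.10
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        # Outbound traffic leaves with the WAN address; the 192.168.x.x ranges never appear on the wire
        oifname $WAN masquerade
    }
}
```

Load it with `nft -f <file>` after creating the VLAN subinterface and configuring the switch or AP port facing the router to carry tag 20. Two things worth noticing in relation to the discussion above. First, the "hardware separation" Lee values is, in the end, the two `policy drop` lines and the `iifname`/`oifname` matches: a packet arriving on eth0 for a 192.168.1.x address has no accept rule in `forward` unless it belongs to the one published service, so it is discarded, exactly as Theo and John describe. Second, the forward rules match on the arrival interface rather than the source subnet, which is the difference John Rumm draws between subnets and VLANs: an IoT device that gives itself a 192.168.1.x address or adds a route still arrives on eth1.20 and is still dropped, whereas a policy written purely in terms of `ip saddr 192.168.20.0/24` could be routed around.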
