
Re: selecting old machines for firewall/router use



Elmer E. Dow put forth on 2/20/2011 2:02 PM:
> Greetings:
> 
> I'd like to set up a network with a firewall for my home computers for
> security, control and convenience (file sharing), as well as to learn
> about networking. We have the Internet entering via a Motorola DSL modem
> and it currently passes data through a NetGear wireless router. I'd like
> to construct my own firewall/router to connect our three active machines
> and also use the NetGear for wireless access when needed.

You may have a devil of a time setting up a dedicated Linux firewall
machine and reconfiguring the Netgear to function properly as a wireless
ethernet bridge instead of an IP router.  It may or may not be able to,
depending on which model you have.  Since you have wireless clients (I
assume laptops) you'll still want/need DHCP.  So you'll have to decide
who serves DHCP, the Linux firewall or the Netgear.

Some consumer wireless routers don't like to do DHCP pass-through, and
won't serve DHCP when configured as a bridge, in which case the Linux
firewall will have to serve DHCP.  If the wireless router won't pass
DHCP from the wired to wireless segments while in bridge mode, then
you're in a catch-22.  Some simply can't be configured as bridges at all
(access points--APs).  In this case, you'll have to run the Netgear in
router mode and run multiple RFC 1918 subnets, one for wireless traffic
and one for wired, and you'll have to set up the firewall to perform
routing as well as packet filtering.

You've got your work cut out for you, and it will be a painful learning
curve if you use the trial and error method of setting it up.  All your
machines may be unable to access the net while you're changing your
network architecture, which means no access to troubleshooting docs or
forum help.

Thus, you need to have researched _everything_ and have a solid step by
step migration plan in place _before_ you change a single thing.  If all
clients were wired desktop machines and you didn't have the wireless
Netgear in the mix it may be easier.  You've got a lot of research to do.

> I'm leaning toward using the above machine since it has both pci and isa
> slots for nics (and an ethernet jack on the motherboard) so I won't have
> to buy a switch right away.

An 8 port 10/100 FDX Rosewill desktop switch is $10 at Newegg, other
brands around the same price ranging from 4-8 ports.  You only need one
NIC in your firewall box when using a switch.  You simply plug
everything into the switch including the DSL modem and the Netgear.
Bind both the public and private IP addresses to the same NIC in the
firewall using a virtual NIC: i.e. eth0 and eth0:1.  Plenty of docs on
the web to teach you this.

> e-machines
> 1.7 Ghz processor
> ethernet jack on motherboard
> 3 pci slots
> It seems like this one would have the greatest energy costs. I'd need to
> buy more pci nics, too.

This most likely uses a Celeron chip.  This box will use no more juice
than the others, maybe a little less actually, due to the smaller
feature size of the CPU silicon and the newer lower voltage memory.  I
wouldn't worry about power draw.  All these machines will be very
similar, within 20% of each other tops.

> Which would be most suitable as a firewall/router? I'm thinking that any
> will work, but the e-machines box will be the most expensive to operate.
> And most of the above machines will require me to get more nics or
> purchase a switch. Any other things that I should consider?

Your selection criteria should be solely based on which of these
machines has proven to be most reliable.  If you acquired them used or
for any reason don't have such information available, go with the
youngest box.  Before entrusting it with all of your internet traffic,
I'd thoroughly beat on the network interface to make sure it's solid.
Check for problems using ifconfig:

~$ ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:90:27:65:01:69
          inet addr:192.168.100.9  Bcast:192.168.100.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2350006 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2708546 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:629009753 (599.8 MiB)  TX bytes:1874802396 (1.7 GiB)

Ideally you should see zeros in the same places as above.  If you see
values above zero that means you have errors at the ethernet level.
This points to a bad NIC, cable, or switch port.

-- 
Stan
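The "two RFC 1918 subnets" layout Stan describes (Netgear left in router mode, firewall doing routing plus packet filtering) as an added example script; this is not code from the thread. Interface names (eth0/eth1/eth2), the two subnets and the admin port are assumed values. It prints the rule set by default (DRY_RUN=1) so it can be reviewed before anything is applied; the wireless-side segment is treated as less trusted than the wired one, so wireless-to-wired forwarding is dropped while wired-to-wireless is allowed, and every policy drop is logged.

```shell
#!/bin/sh
# Added example, not from Stan's reply: routing plus packet filtering for the
# two-subnet layout (Netgear in router mode on its own segment).
# Interface names, subnets and admin port are ASSUMED; adjust to the real box.
# With DRY_RUN=1 (the default) the commands are printed, not executed.

WAN_IF=${WAN_IF:-eth0}                  # toward the DSL modem, carries the public address
WIRED_IF=${WIRED_IF:-eth1}              # wired desktops
WIFI_IF=${WIFI_IF:-eth2}                # the Netgear's WAN port plugs in here
WIRED_NET=${WIRED_NET:-192.168.1.0/24}  # assumed wired subnet
WIFI_NET=${WIFI_NET:-192.168.2.0/24}    # assumed wireless-side subnet
ADMIN_PORT=${ADMIN_PORT:-22}            # ssh to the firewall from the wired side only
DRY_RUN=${DRY_RUN:-1}

# gen_rules: print one command per line. Default policy is DROP on INPUT and
# FORWARD; only the listed flows are allowed. DHCP is matched on ports rather
# than source address because a fresh DISCOVER comes from 0.0.0.0.
gen_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $WIRED_IF -s $WIRED_NET -p tcp --dport $ADMIN_PORT -j ACCEPT
iptables -A INPUT -i $WIRED_IF -p udp --sport 68 --dport 67 -j ACCEPT
iptables -A INPUT -i $WIFI_IF -p udp --sport 68 --dport 67 -j ACCEPT
iptables -A INPUT -j LOG --log-prefix "FW-INPUT-DROP: "
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $WIRED_IF -s $WIRED_NET -o $WAN_IF -j ACCEPT
iptables -A FORWARD -i $WIFI_IF -s $WIFI_NET -o $WAN_IF -j ACCEPT
iptables -A FORWARD -i $WIRED_IF -s $WIRED_NET -o $WIFI_IF -j ACCEPT
iptables -A FORWARD -i $WIFI_IF -o $WIRED_IF -j DROP
iptables -A FORWARD -j LOG --log-prefix "FW-FORWARD-DROP: "
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
EOF
}

# apply_rules: print each generated command (DRY_RUN=1) or run it (DRY_RUN=0),
# stopping at the first command that fails.
apply_rules() {
    gen_rules | while IFS= read -r cmd; do
        if [ "$DRY_RUN" = 1 ]; then
            echo "$cmd"
        else
            eval "$cmd" || { echo "failed: $cmd" >&2; exit 1; }
        fi
    done
}

# Usage: ./fw-rules.sh        (review the rules)
#        ./fw-rules.sh apply  (run them, as root)
if [ "${1:-}" = apply ]; then
    DRY_RUN=0
fi
apply_rules
```

Run it once without arguments and read the printed rules against your real interface names before using `apply`; a mistake in the default DROP policies on a box you administer over the network locks you out, which is exactly the "no access to troubleshooting docs" situation the reply warns about.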
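The "beat on the NIC and look for non-zero counters" check from the end of the reply, as an added shell script that is not part of the original message. It parses the legacy net-tools ifconfig format shown in the post and sums the error, dropped, overruns, frame, carrier and collisions fields; both sample listings below are constructed (the clean one mirrors the post's output, the second has invented receive-side errors), and check_live_nic only works on a host that still has the net-tools ifconfig installed.

```shell
#!/bin/sh
# Added example, not part of Stan's reply: scan the legacy ifconfig report for
# non-zero link-layer counters before trusting a NIC as a firewall interface.

# Constructed sample, shaped like the listing in the post, all counters zero.
SAMPLE_CLEAN='eth0      Link encap:Ethernet  HWaddr 00:90:27:65:01:69
          inet addr:192.168.100.9  Bcast:192.168.100.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2350006 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2708546 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:629009753 (599.8 MiB)  TX bytes:1874802396 (1.7 GiB)'

# Constructed sample with receive-side trouble: 12 errors, 3 drops, 2 frame errors.
SAMPLE_BAD='eth1      Link encap:Ethernet  HWaddr 00:90:27:65:01:6a
          inet addr:192.168.100.10  Bcast:192.168.100.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1048576 errors:12 dropped:3 overruns:0 frame:2
          TX packets:917504 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:104857600 (100.0 MiB)  TX bytes:52428800 (50.0 MiB)'

# nic_error_count: read ifconfig text on stdin, print the sum of the trouble
# counters. Each "key:value" token is split on the colon and only the known
# counter keys are summed, so HWaddr, MTU, txqueuelen and byte totals are ignored.
nic_error_count() {
    awk '
    {
        for (i = 1; i <= NF; i++) {
            split($i, kv, ":")
            if (kv[1] == "errors" || kv[1] == "dropped" || kv[1] == "overruns" ||
                kv[1] == "frame"  || kv[1] == "carrier" || kv[1] == "collisions")
                total += kv[2]
        }
    }
    END { print total + 0 }'
}

# nic_is_clean TEXT: succeed (exit 0) only when every trouble counter in TEXT is zero.
nic_is_clean() {
    [ "$(printf '%s\n' "$1" | nic_error_count)" -eq 0 ]
}

# check_live_nic IFACE: run the real ifconfig (net-tools) on IFACE and report.
# Exit 0 = clean, 1 = counters seen, 2 = ifconfig failed or interface missing.
check_live_nic() {
    out=$(ifconfig "$1" 2>/dev/null) || return 2
    n=$(printf '%s\n' "$out" | nic_error_count)
    if [ "$n" -eq 0 ]; then
        echo "$1: no link-layer errors"
    else
        echo "$1: $n errors/drops/collisions; suspect NIC, cable or switch port" >&2
        return 1
    fi
}

# Usage: ./nic-check.sh eth0   (checks a live interface when an argument is given)
if [ $# -gt 0 ]; then
    check_live_nic "$1"
fi
```

Run the check twice, once before and once after pushing a large transfer through the interface, so that a counter which only climbs under load is caught; a count that grows between the two runs is the signal, a stale non-zero value from weeks ago is less informative.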