Recent Thoughts About The Edge of My Network

In recent weeks I’ve been accumulating some thoughts about the edge of networks, and the edge of my home office network in particular.

This all started last month with an Ars Technica article describing how someone found a backdoor that allowed an evil-doer to gain admin access to a common consumer combination DSL modem/router/Wi-Fi AP. The author initially proved the exploit by hacking his own Linksys WAG200G wireless gateway.

The article describes how he published the script used to run the exploit, which allowed others to try it against various makes and models of consumer hardware. It thus came to light that the same trick works against various products from Linksys and Netgear, among others.

Our earliest access to broadband included a Linksys BEFSR-41. When we started to use Asterisk and various SIP devices we moved to a Linksys BEFSR-81 for its QoS capability. Eventually I wanted greater control of the network perimeter, and Linksys support devolved into something less than stellar.

Since March 2004 (literally the last decade!) we’ve used m0n0wall running on a single board computer as our network edge device. In the past it ran on a Soekris Net4501 or Net4801 single board computer (SBC). At present our m0n0wall installation is based upon a PC Engines ALIX board. Netgate is a great resource for such systems; I’ve deployed a number of their m0n0wall and pfsense kits over the years.

This sort of solution, a single board computer running open source software, is a little more costly than the commodity consumer hardware described in the Ars article. You can expect to spend around $200 to get just the perimeter router function implemented.

That said, it’s definitely more secure in practice. The code is open to inspection, a large community uses and contributes to it, and when a flaw is found the fix ships as an update you can apply yourself, rather than waiting on a consumer vendor that may never patch a shipped product.

Earlier this month Manuel Kasper, the leader of the m0n0wall project, released m0n0wall v1.8 into the wild. This is the first major release in just over a year. I updated my ALIX system in less than 10 minutes, completely without incident. The change log lists a variety of improvements, including improved support for IPv6.

I simply cannot say enough nice things about m0n0wall and the community from which it hails. The software combines an outstanding mix of capabilities with breathtaking ease-of-use. The support from the community has never failed to meet my requirements. I have tried to give back where possible by helping others and occasionally purchasing m0n0wall merchandise.

While our m0n0wall experience has been exemplary, it has long been my intention, as yet unrealized, to migrate to pfsense. There are pragmatic limits to what Manuel Kasper wants to incorporate into m0n0wall. He is intent to keep it light and suitable for low-power, low-cost hardware.

In our case a migration to pfsense would allow us to set up a dual-WAN arrangement that incorporates both our Comcast Business Class service and the backup DSL service. It would be dual-WAN with auto-failover, where we presently live with a manual failover arrangement.

When this plan was hatched pfsense was still in the v1.x era. Support for QoS and traffic shaping of a dual-WAN setup did not arrive until v2.0 was released.

The pfsense team is presently shipping their v2.1 release, which is a feature-rich monster. It’s more hardware intensive than m0n0wall, but it is also much more ambitious. Support from the community is every bit as solid as m0n0wall’s, and the availability of commercial support from the leaders of the project makes it an SMB treasure. You may recall that Chris Buechler of pfsense made a VUC guest appearance in November 2012.

At CES Linksys, now a Belkin brand, announced the return of their venerable WRT series of wireless routers with the launch of the WRT1900AC. The device is intended to run third-party, open source firmware like DD-WRT, OpenWrt or Tomato. With an MSRP of $299 I wonder if anyone will care? I certainly don’t. I’m done with Linksys consumer products.

To paraphrase a famous athlete, “Open source perimeter firewalls have been very, very good to me.”

  • marca56

    the famous athlete in question is Chico Esquela, played by Garret Morris, on SNL a very long time ago. It was one of my favorite sketches

  • fiber man

    Greg, check out Mikrotik first! Can’t beat their hardware pricing

    • mjgraves

      Who is Greg? I’ve heard some good things about Mikrotik over the years. Their hardware certainly is cheap, but the software requires a license. It doesn’t seem to have the ease of use of m0n0wall or pfsense.