Create Your Own Router and Firewall Solution
Over-the-counter routers are fine and work as they should, but they simply aren’t enough for some of us. Quite a few of the standard routers found in homes around the world allow an open source WRT-based firmware to be installed, but even that might not be enough. If that’s the case, you might want to look into building your own router. Today, I’m going to take you through the basics and show just how easily you can get a router and firewall with any feature you could want, on more powerful hardware than pre-built routers offer.
A standard router comes with an ARM-based processor of some kind that runs at up to 1.2GHz at the high end, but most hover around the 800MHz mark. Memory-wise you usually only get around 512MB, and the flash memory for the operating system is limited too. That sets some limitations in regards to performance, capability, and what you can install.
But what if I told you that you could run a router or firewall on standard PC components? And what if I said that it was so easy that everyone could do it? With standard PC hardware components at our disposal, we can build a more robust system that can handle any workload we throw at it, and we can also build it with exactly the features that we’re looking for in our setup.
For today’s test, I’m using one of Shuttle’s DH110 slim form factor barebone systems, and the DH110 is both compact and powerful. The DH110 uses a custom motherboard with an Intel H110 chipset and supports everything from Celeron to Core i7 processors with a max TDP of 65W. We can install up to 32GB of DDR3 SO-DIMM memory in it and a standard 2.5-inch drive, as well as expansion cards through the 2260 Type-M and 2230 Type A/E slots. There’s also a card reader that could be used to boot the operating system from, and plenty of USB ports.
The compact form factor does set some limitations in regards to expansion cards, so it might be a smarter choice for a firewall setup than for your primary router. We can still build wireless network cards into the M.2 slots and attach USB-based wireless adapters for that kind of coverage. You could also run the wired network to an access point or a wireless mesh network to gain more coverage. The only limitation is your imagination and budget.
The Shuttle DH110 comes with two Intel Gigabit Ethernet ports, and that is the reason why we are using this system today. That allows us to use one as the WAN connection and the other as the LAN for a perfect firewall solution between our internet connection and our local network.
If you want a more flexible build with more add-in cards, then you could opt for something bigger like the XPC cube, or take any other over-the-counter PC chassis and install your components into that. But the smaller, the better. After all, this is a system that is meant to work, not to be looked at. However, if you opt for a bigger system, you can install extra network adapter cards, wireless cards, and yes, even 10 Gigabit Ethernet cards. With these kinds of options, you get just the features you are looking for and require in your setup.
The hardware part of a do-it-yourself router and firewall solution might have been more or less obvious to you, but what about the software? That is most likely where your previous plans to do it yourself have failed. Yes, you could install some random Linux or BSD distribution and manually set it all up, but you might lack the necessary skills to do so, or you might simply be too lazy for this. Not to worry, some people have done all the hard work for you already.
That hard work is called pfSense, and it is an open-source project based on the FreeBSD operating system. It has been specially tuned for this kind of task and comes with an easy-to-use web interface for the configuration. The installation can be done with minimal user interaction too. We will take a look at both sides on the following pages.
The pfSense project is a free network firewall distribution, based on the FreeBSD operating system with a custom kernel and including third-party free software packages for additional functionality. pfSense software, with the help of the package system, is able to provide the same functionality as common commercial firewalls, or more, without any of the artificial limitations. It has successfully replaced every big-name commercial firewall you can imagine in numerous installations around the world, including Check Point, Cisco PIX, Cisco ASA, Juniper, Sonicwall, Netgear, Watchguard, Astaro, and more.
pfSense software includes a web interface for the configuration of all included components. There is no need for any UNIX knowledge, no need to use the command line for anything, and no need to ever manually edit any rule sets. Users familiar with commercial firewalls catch on to the web interface quickly, though there can be a learning curve for users not familiar with commercial-grade firewalls.
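To make concrete what the two-port WAN/LAN split from the article amounts to underneath the web interface, here is a minimal FreeBSD pf ruleset for that layout. It is an added illustration, not code from the article or from the pfSense project (pfSense generates its own rules from the web UI), and the interface names em0/em1 and the LAN subnet are assumptions:

```pf
# Added illustration, not from the article or pfSense: a minimal pf ruleset
# for one NIC on the internet side (WAN) and one on the home network (LAN).
# Interface names (Intel NICs usually attach as em*) and the LAN subnet are assumptions.
wan     = "em0"
lan     = "em1"
lan_net = "192.168.1.0/24"

# The firewall's own loopback needs no filtering
set skip on lo0

# Reassemble fragments before any rule sees the packet
scrub in all

# Hide the LAN behind the WAN address: outbound NAT, rewritten to em0's
# current address (the parentheses track it if it changes, e.g. via DHCP)
nat on $wan from $lan_net to any -> ($wan)

# Default deny in both directions; every rule below is an explicit exception.
# pf is last-match, so later "pass" rules override this for what they cover.
block all

# Drop packets arriving on any other interface that claim a LAN source address
antispoof quick for $lan

# The firewall itself may talk out to the internet; replies come back via state
pass out on $wan inet keep state

# LAN clients may reach anything, including the firewall's web UI and the
# internet (stateful, so return traffic is allowed without a "pass in on $wan").
# In the pfSense UI this is the default "LAN net to any" rule you would narrow down.
pass in  on $lan inet from $lan_net to any keep state
pass out on $lan inet keep state

# Deliberately absent: any "pass in on $wan". Nothing unsolicited from the
# internet reaches the firewall or the LAN unless a rule is added for it.
```

On FreeBSD you would check the syntax with `pfctl -nf /etc/pf.conf` before loading it; on pfSense the equivalent rules are built and applied from the Firewall menu instead.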
I built a firewall in an Antec Minuet 350 6 years ago. It’s been running m0n0wall 24/7 ever since with zero issues.
Sweet, bookmarked.
I have just set one up using a cheap HP refurb off of eBay and some Intel GB Ethernet cards. Using my old routers as APs and a managed switch. My setup is a bit more noisy than above but was cheaper than most off-the-shelf routers. And I can get it to work with Sky Broadband and their MER setup. pfSense is a fantastic piece of software and I would highly recommend it. I’m all VLANned, guest network across multiple APs and all traffic completely segregated!
I could not agree more. The SOHO market you find for the general consumer is atrocious… What routers have gained in style they have lost in security, power, and features. I also run pfSense w/ SNORT, but I took a different approach on the hardware it sits on. The system above could be rated for a 10Gb pipe (minus the 2x 1Gb NICs). It is way overkill, not to mention loud with fans. I picked up my components from pcengines.ch (yes, the website is in China and the owners are in Sweden).
I felt the apu2c4 would fit my needs the best. The APU3 has LTE support for cellular failover, but I have a lot of automated downloads and the possibility of that running over LTE is too costly for me.
Anyway, it has an AMD quad core at 1GHz per core, 4GB of RAM, a 16GB (yes folks, sixteen) mSATA drive and 3 Intel Gig NICs. The enclosure is the size of about 3 CD cases and completely fanless.
You will need to know how to terminal (telnet/ssh) into it (Google is great for this).
All parts out the door ~$180 USD. Ordering was simple and they kept me apprised of when things were coming in stock, when it shipped, expected arrival etc. Do not let the simplicity of the site discourage you. The site has everything you need, nothing more, nothing less. If you can build the above system you can do this in spades (it’s actually even simpler). pfSense is small and 16GB mSATA will be more than enough (currently utilizing 7%), not to mention it was only $18… It does not have WiFi, but there is an add-on card for that as well if you wish. Personally I picked up an Engenius 1750H AP w/ PoE injector, which could be considered overkill, but with the explosive growth of IoT and my next fridge going to tell me when to buy milk, I figured it is a good investment. And it is very stable.
Apologies, I digress. If you have an old computer lying around I would try loading it on that first. It is very possible that the hardware will be supported. If you want a cool little project, build it. No matter what you build, you should build it around what they are designed for. If anything this shows the possibilities. No matter what route (pun intended) you choose, you will have a router that decimates the off-the-shelf products, with enterprise-class features and free IPS/IDS add-ons for a fraction of the cost of the big boys with similar features.
I had a screenshot of my pfSense homepage and I attempted to load it, but it told me I needed to login… even though I had to log in to post this… so whatever…
Yes, you are absolutely right. The test system is way overpowered for the setup, which I mentioned a few times throughout the article. But it was the system in the office that was free and had the abilities for it. It has the power to be a 4K signage player, so way overpowered. But the principle is the same.
Yes, the APU2C4 systems are brilliant ones. Tricky to get hold of at times, but really nice. There are other options too that come with mSATA, WiFi, and more bundled for similar money. All you need in one box and easy to set up, so worth browsing for.
If you’re going to suggest a hardware firewall, maybe don’t suggest a crappy one that’s a pain to set up, has a steep learning curve and a terrible UI… something like Untangle or maybe Sophos would be far, far better.
It’s a router; the amount of CPU grunt it needs is little. In the SOHO market it makes more sense to just use a retired desktop and throw in some supported NICs (or, while you’re at it, AP cards). pfSense cares little about the machine it’s running on so long as the NIC(s) have support, and even old Pentium 4s can manage a 10Gbit network fine (maybe not multiple, but I doubt you would need more than a 10Gbit backbone for local file access and 1Gbit to the ISP in a SOHO).
One should keep in mind that pfSense 2.5 will need something more powerful than an eBay discard or old closet computer.
https://www.netgate.com/blog/pfsense-2-5-and-aes-ni.html
Been wanting to do something like this for ages in my home server.
It’s currently a NAS and Plex Server. I want to add a VDSL card to it and run it as a modem, then a router with pfSense and then dump all Ethernet connections into an 8-port gigabit switch I’ve got.
That means I could get rid of my existing modem router and use my Linksys 1900ACS as a WiFi access point. But then why not go further and find a WiFi PCIe card that’ll act as an access point via Ubuntu?
ARM is affected by Spectre and/or Meltdown; not a good choice as a router until they develop CPUs without the aforementioned security flaws.
Doh, you got an Intel Management-enabled firewall with hardware-level backdoor access. Highly recommended that you switch away from Intel-based chipset systems, disable Intel ME, or buy a prebuilt system with Intel ME disabled altogether. HP offers such solutions. I’m using a 2008 Asus P5Q Pro modded with a quad core Xeon 5460; according to the makers of me_cleaner, it does not have Intel Management enabled. Highly recommended that you avoid all 2013-onward AMD-based systems as well. Read more on this serious threat here: https://libreboot.org/faq.html#intelme
Since you want to avoid state level backdoors, remember that hardware itself has to be open sourced too. And perhaps consider a Turris Omnia as the most open sourced router ever made.
https://www.amazon.com/dp/B01MG47OY3/