Fnord

Random bits from a random nerd

Why Can't I Find This Firewall?

We use BitTorrent to download open-source software and also broadcast TV. (Just programs that are over-the-air free, as I don’t want the RIAA/MPAA mafia on my case.) Unfortunately, BitTorrent traffic really slows throughput on our network, and I can’t tell whether the router or the DSL modem is to blame. I’ve tried setting BT as the lowest priority on the router, and also using the speed-limiting features of the Transmission client we use. Neither solves the problem.

From googling and reading, it seems that the large number of TCP connections opened is the most likely culprit. However, that’s inherent to the BT protocol, so although I can limit the number of connections, it’s not really a solution. From everything I’ve read, there simply doesn’t exist a SOHO router really built to handle hundreds or thousands of simultaneous connections.

After reading quite a bit and thinking about it, here’s my wishlist:

  1. Wired-only router with 10/100 ports. Gigabit is nice but not useful given my connection speed.

  2. Fanless, low power, no moving parts. This rules out using an old desktop machine.

  3. VPN endpoint with at least PPTP support.

  4. SNMP reporting ability.

  5. IPv6 dual-stack or 6to4 support.

  6. QoS/priority by protocol.

These would be nice:

  1. Web GUI for setup and configuration

  2. More than one IP and port on the LAN side, so I could set up multiple subnets

  3. syslog support

  4. Ability to have multiple WAN ports - someday I want to try BGP and similar routing.

m0n0wall is really close, but OpenBSD’s pf has a few unique tricks I don’t think m0n0wall can do:

  1. Packet filtering based on passive TCP/IP OS fingerprinting. This is invaluable for spam blocking, as a rule that says ‘no Windows machines can connect to inbound SMTP’ is a nearly-complete block for botnet-generated spam.

  2. Simple anti-spoofing, activated with a single line.

  3. Packet scrubbing. (Read all about it)
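A pf.conf fragment, added here as an illustration and not taken from the post or from m0n0wall/pfSense, showing those three pf tricks together with a state-table limit and a lowest-priority BitTorrent queue. Interface names, addresses, the uplink bandwidth and the host running Transmission are assumptions.

```pf
# Added example, not from the post: OpenBSD pf.conf in the pre-4.6 syntax
# current in 2008. All names and numbers below are assumed for illustration.
ext_if  = "sis0"            # WAN port of the Soekris (assumed)
int_if  = "sis1"            # LAN port (assumed)
bt_host = "192.168.1.10"    # machine running Transmission (assumed)

# The default state table holds 10000 entries, which a busy BitTorrent
# client exhausts easily; that is what makes a SOHO router choke.
set limit states 50000
set skip on lo0

# 3. Packet scrubbing: reassemble fragments and normalize odd packets.
#    (OpenBSD 4.6 and later write this as "match in all scrub (no-df random-id)".)
scrub in all

# 2. Anti-spoofing in one line: drop packets whose source address belongs
#    to one of our networks but that arrive on the wrong interface.
antispoof quick for { $ext_if $int_if }

# Default deny inbound, logged to pflog0 so blocks are visible.
block in log all
pass out keep state

# 1. Passive OS fingerprinting: refuse inbound SMTP from hosts whose TCP SYN
#    looks like a Windows stack. This is a heuristic: only the first SYN is
#    classified, NAT boxes and MSS clamping can distort it, and a SYN pf
#    cannot classify matches "unknown", not "Windows".
block in log quick on $ext_if proto tcp from any os "Windows" to any port smtp
pass in on $ext_if proto tcp from any to any port smtp keep state

# QoS by protocol with ALTQ priq: BitTorrent uploads get the lowest priority
# so SSH and DNS are not starved on the 768Kb uplink (assumed bandwidth).
altq on $ext_if priq bandwidth 768Kb queue { q_high, q_def, q_bt }
queue q_high priority 7
queue q_def  priority 3 priq(default)
queue q_bt   priority 0
pass out on $ext_if proto tcp from $bt_host to any keep state queue q_bt
pass out on $ext_if proto { tcp udp } from any to any port { ssh domain } keep state queue q_high
```

NAT and port-forwarding rules for the Transmission peer port are left out; `pfctl -nf /etc/pf.conf` checks the syntax without loading it.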

After a lot of reading, my current solution looks like this:

That’s a Soekris 5501, which at 433 or 500MHz could actually run most of my server software too - more than a little overkill for this. Then again, for $320 it’s 2 to 3x the price of a SOHO router like my RV042. Liveable, and it’s worth it to get the capacity overhead.

Update 11/25/08: The m1m1wall firewall from Netgate looks better - $205 instead of $320, preinstalled with pfsense or m0n0wall. 256MB vs 512MB of RAM, which is no problem. Best of all, you can get it in red!

For software:

  1. OpenBSD plus pf, install via OpenSoekris. Update - see below, pfsense may be our winner.

  2. pfw for GUI management and setup of firewall rules

  3. SNMP from OpenBSD is looking pretty easy, and of course syslog and IPv6 are built in.

I like it. I think I’ll ebay off the 2U Cisco router, with its fans and 200+ watt heat, and buy one of these instead.

More reading if you’re curious:

  1. Slashdot thread on routers, bittorrent, TCP connection limits.

  2. Blog post OpenBSD on Soekris

  3. SmallNetBuilder on Untangle, which is similar but Linux-based

  4. OpenBSD on Soekris plus state-preserving failover (CARP, more advanced than I can use here.)

  5. Soekris product page.

  6. Soekris also sells a HiFn-based VPN accelerator chip, which can be added later if I need it. Nice.

  7. IPv6 intro and IPv6 wiki.

As an amusing footnote, I was researching gigabit switches with SNMP support, so that I could monitor my backbone using Cacti. You can now get 24 ports of SNMP-managed gigabit for $300 from Netgear (GS724T), but the amusing part is that the 16-port version costs the same! Ahh, someday when I outgrow my 8-port maybe.

Update 11/18/08: Commenter timf points me to pfsense, which I had missed, and appears to meet every one of my wishes. Oops. OK, less work for me. Thanks!

Update 11/25: Added m1m1wall hw/sw combo.