Fnord.

We use Bittorrent to download open-source software and also broadcast TV. (Just programs that are over-the-air free, as I don’t want the RIAA/MPAA mafia on my case). Unfortunately, bittorrent traffic really slows throughput on our network, and I can’t tell if the router or the DSL modem is to blame. I’ve tried setting BT as the lowest priority on the router, and also using the speed limiting features of the Transmission client we use. Neither solves the problem.

From googling and reading, it seems that the large number of TCP connections opened is the most likely culprit. However, that’s inherent to the BT protocol, so although I can limit the number of connections it’s not really a solution. From everything I’ve read, there simply doesn’t exist a SOHO router really built to handle the hundreds or thousands of connections.

After reading quite a bit and thinking about it, here’s my wishlist:

1. Wired-only router with 10/100 ports. Gigabit is nice but not useful given my connection speed.
2. Fanless, low power, no moving parts. This rules out using an old desktop machine.
3. VPN endpoint with at least PPTP support.
4. SNMP reporting ability.
5. IPv6 dual-stack or 6to4 support.
6. QoS/priority by protocol

1. Web GUI for setup and configuration
2. More than one IP and port on the LAN side, so I could setup multiple subnets
3. syslog support
4. Ability to have multiple WAN ports - someday I want to try BGP and similar routing.

M0n0wall is really close, but OpenBSD’s pf has a few unique tricks I don’t think Monowall can do:

1. Packet filtering based on TCP fingerprint. This is invaluable for spam blocking, as a rule that says ‘no Windows machines can connect to inbound SMTP’ is a nearly-complete block for botnet-generated spam.
2. Simple anti-spoofing, activated with a single line.
3. Packet scrubbing. (Read all about it)

After a lot of reading, my current solution looks like this:

That’s a Soekris 5501, which at 433 or 500MHz could actually run most of my server software too - more than a little overkill for this. Then again, for $320 its 2 to 3x the price of a SOHO router like my RV042. Liveable, and it’s worth it to get the capacity overhead.

For software:

1. OpenBSD plus pf, install via OpenSoekris. Update - see below, pfsense may be our winner.
2. pfw for GUI management and setup of firewall rules
3. SNMP from OpenBSD is looking pretty easy, and of course syslog and IPv6 are built in.

I like it. I think I’ll ebay off the 2U Cisco router, with its fans and 200+ watt heat, and buy one of these instead.

More reading if you’re curious:

1. Slashdot thread on routers, bittorrent, TCP connection limits.
2. Blog post OpenBSD on Soekris
3. SmallNetBuilder on Untangle, which is similar but Linux-based
4. OpenBSD on Soekris plus state-preserving failover (CARP, more advanced than I can use here.)
5. Soekris product page.
6. Soekris also sells a HiFn-based VPN accelerator chip, which can be added later if I need it. Nice.
7. IPv6 intro and IPv6 wiki.

As an amusing footnote, I was researching gigabit switches with SNMP support, so that I could monitor my backbone using Cacti. You can now get 24 ports of SNMP-managed gigabit for $300 from Netgear (GS724T), but the amusing part is that the 16-port version costs the same! Ahh, someday when I outgrow my 8-port maybe.

Update 11/18/08: Commenter timf points me to pfsense, which I had missed, and appears to meet every one of my wishes. Oops. OK, less work for me. Thanks!

 

Much more time. Check out this 38-part (!) series on creating an FPGA from scratch

Damned impressive. However, I fail the first requirement:

1. Make sure you have plenty of time to spare.

Ahh well. Impressive piece of work.

This is a new thing for Java to tackle. A sub-$400-dollar box for industrial controls and similar applications, which to do have mostly been C/C++/assembly or similar. Fully equipped, too:

Development kit is 1500, so its out of my price range, still pretty cool.
Full article is here on EE Times.