  JTC Always Mount A Scratch Monkey
join:2002-01-09 USA
·Comcast Workplace
·Integra Telecom
edit: September 1st, @06:56AM
Looking for a firewall/router distro

Greetings!
I have searched the forum and googled, but have yet to find something that matches what I'm looking for. Perhaps someone here might know of a firewall/router build that can do what I'm after.
Currently, I'm using a WRT54G running DD-WRT.
The hardware I have:
- VIA C3VCM6 motherboard with a C3 800 MHz CPU
- 512 Megs RAM
- 40 gig drive (massive overkill, I know, but it's one I had laying around)
- Dual port Compaq ethernet card, Intel chipset
What I want/need, beyond the usual NAT and PAT:
- Multiple public IP handling (1:1 NAT)
- QoS by MAC address
- Internal traffic redirection via MAC
Of course, if this can be wrapped up in a web browser accessible GUI with traffic and system statistics, all the better.
IPCop can't deal with 1:1 NAT via the GUI. pfSense (and, I believe, by extension m0n0wall) can't do QoS based on MAC address.
The QoS and redirection by MAC I need to keep a very smart child of mine from switching her IP address on the LAN to one that isn't covered by QoS (her MAC can't be spoofed, as the allowed MAC is set at the switch) or the content filter.
The multiple public IP requirements... I've got five statics via Comcast, and by the computer ghods, I wanna use them.
I know, I can build one by hand that will do all this, but really, I've got more than enough to maintain on the network. I don't want to mess with more scripts and config files than I have to.
Suggestions?
-- All hardware sucks, all software sucks, some just suck more than others
  Steve R.I.P. 3B2 Consultant join:2001-03-10 Tustin, CA
For QoS by MAC - have you considered just setting a static ARP entry in the firewall to tie the MAC and IP together?
How about setting her account up as a limited user that doesn't allow fooling with IP?
Steve — who loves pfSense
-- Stephen J. Friedl | Unix Wizard | Microsoft Security MVP | Tustin, California USA | my web site
x30n_ Not Sure What Color Pill To Call It Premium join:2000-09-14 wrong turn
reply to JTC: maybe smoothwall.org might be it for you?
JTC Always Mount A Scratch Monkey
Sadly, no. Latest version of Express doesn't deal with multiple public IPs.
-- All hardware sucks, all software sucks, some just suck more than others
JTC Always Mount A Scratch Monkey
reply to Steve
said by Steve: For QoS by MAC - have you considered just setting a static ARP entry in the firewall to tie the MAC and IP together? ...
Excuse me while I go hit myself in the head a few times for not thinking of this myself, then see if I can figure out how to do it in the pfSense machine.
Sadly, it's deciding to be a pain today... For some reason, I can't access the GUI from the machine I'm on now, but I can from other machines that are either VMs or servers.
And I've still not got the port forwarding to the LAN with the DMZ active working right.
Dunno, it was a late night. I think I'm going to put this down for now, go drink some coffee, and reset the install to defaults.
said by Steve: Steve — who loves pfSense
From what I have read about it and its feature list (as well as the rep of the BSD network code), I wanted to like it. But right now, I'm not so sure.
-- All hardware sucks, all software sucks, some just suck more than others
AlFrugal
@verizon.net
reply to JTC
A novice-level question about this thread. Given the hardware the OP has:
VIA C3VCM6 motherboard with a C3 800 MHz CPU, 512 Megs RAM, 40 gig drive (massive overkill, I know, but it's one I had laying around), dual port Compaq ethernet card, Intel chipset
what is the benefit of a firewall/router distro versus installing a conventional distro?
I have a spare, 8-year-old PC: Celeron 566 MHz, 192 MB RAM, 10 GB HDD, that I would like to use as a router.
I posted to the mailing list of my local Linux Users Group asking whether I should use a firewall/router distro or something else. I was told that for basic router/firewall functionality (no QoS or other advanced functions like the OP is looking for) a conventional distro would work.
Steve R.I.P. 3B2 Consultant
said by AlFrugal: what is the benefit of a firewall/router distro versus installing a conventional distro?
Management.
Otherwise you're mostly left with iptables at the command line.
JTC Always Mount A Scratch Monkey
reply to JTC
said by Steve: said by AlFrugal: what is the benefit of a firewall/router distro versus installing a conventional distro? Management. Otherwise you're mostly left with iptables at the command line.
Which is exactly what I want to avoid this time around.
I've still not quite found exactly what I'm looking for, but right now pfSense appears to cover most of it, I just need to figure out how to 'convert' $FOO with iptables to BSD's pf.
Sadly, the docs for m0n0wall and pfSense are not exactly the clearest IMO, but I think I'm getting there.
-- All hardware sucks, all software sucks, some just suck more than others
sporkme drop the crantini and move it, sister Premium,MVM join:2000-07-01 Budd Lake, NJ
·Optimum Online
said by JTC: I've still not quite found exactly what I'm looking for, but right now pfSense appears to cover most of it, I just need to figure out how to 'convert' $FOO with iptables to BSD's pf.
Don't. IPTables is a sick joke.
Set inbound rules on the WAN interface (block all, open what you want).
Set outbound rules on the LAN interface (most people tend to let it all out).
NAT is really easy, IIRC the damn thing made all the corresponding rules for me and set up "reflection" by just making the port forwarding rules.
Where are you getting stuck? Other than the general concepts, this thing needs few docs.
Steve R.I.P. 3B2 Consultant
said by sporkme: IPTables is a sick joke.
Why?
PToN
join:2001-10-04 Houston, TX
reply to JTC: vyatta
sporkme drop the crantini and move it, sister
reply to Steve
said by Steve: said by sporkme: IPTables is a sick joke. Why?
One, I've never met a distro that even included some sample docs or startup scripts... Two, the syntax is god-awful.
Other things I've used and found easier and better documented:
- ipf on Solaris/*BSD
- ipfw on FreeBSD
- pf on *BSD
- FW-1
Steve R.I.P. 3B2 Consultant
Well, Red Hat Enterprise Linux comes with pretty reasonable scripts to start with, and the open source world is so full of poorly documented projects that I think it's showing a lack of perspective to claim this factor alone dooms that project to "sick joke" status.
Pass.
JTC Always Mount A Scratch Monkey
edit: September 4th, @03:13AM
reply to sporkme
said by sporkme: said by JTC: I've still not quite found exactly what I'm looking for, but right now pfSense appears to cover most of it, I just need to figure out how to 'convert' $FOO with iptables to BSD's pf. Don't. IPTables is a sick joke.
Right now, that's what I've got to work with.
I'm moving from DD-WRT on a WRT54G to the new install, and for some of the things I have set up, iptables commands are what I'm used to dealing with.
said by sporkme: Set inbound rules on the WAN interface (block all, open what you want). Set outbound rules on the LAN interface (most people tend to let it all out). NAT is really easy, IIRC the damn thing made all the corresponding rules for me and set up "reflection" by just making the port forwarding rules. Where are you getting stuck? Other than the general concepts, this thing needs few docs.
My current stumbling blocks are:
- Alias settings: I make an alias of five IPs and set a limit for the number of simultaneous client connections. Is that limit for the entire list, or is it applied to each entry in the alias?
- I have my private IP range carved into sections on paper. Servers that need access go in this range, while servers that don't need it go over there, and so on (why would a SQL server or a network ATSC tuner need access to the world anyway?). DD-WRT has a section to specify a range of IPs for scheduled rules; I can't find a way to duplicate this under pfSense aside from entering every IP I want blocked (and I've mapped out the entire /24 subnet).
- Since pf doesn't deal with MAC addresses like iptables does, Steve suggested using a static ARP mapping (which I still kick myself a bit for not thinking of myself). However, I have yet to find a way to add the commands to pfSense that doesn't require turning on the DHCP server, which I do not want to do as I already have DHCP with failover set up on the network. I saw a reference to using the PHP shell, but nothing on how to actually use it.
- The traffic shaping... While it's very flexible and powerful, it also confused the heck out of me at first, but I think I'm starting to get my head around it. What bugs me most about it is the lack of L7 filters, especially when dealing with P2P clients that can use just about any port.
- Redirecting my daughters' traffic through a filter while leaving the adults' traffic alone (which works along with the static ARP). I think I have the NAT rules configured correctly, but I've not had a chance to test them yet. *EDIT* Nope, didn't work, and everything I've found searching talks about redirecting everything, not just traffic from a few particular IPs.
-- All hardware sucks, all software sucks, some just suck more than others
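Editor's worked example (not from any post in this thread, and not pfSense's own code): the pieces raised above, Steve's static ARP trick and the stumbling blocks in JTC's last post (address ranges instead of per-IP rules, 1:1 NAT for a second public static, redirecting only a few hosts through a filter, shaping by address), fit in one pf ruleset. The fragment below uses the older FreeBSD pf syntax pfSense used at the time (nat/rdr/binat translation rules, ALTQ). Interface names, the 192.168.1.0/24 carve-up, the 203.0.113.x public addresses, the filter host at 10.0.0.10 and the kids' addresses are all assumptions; in the pfSense GUI the tables correspond to Firewall > Aliases entries of type Network(s).

```pf
# Added example for the thread above; not from any poster or from pfSense.
# Old FreeBSD pf syntax (nat/rdr/binat, ALTQ). All names and addresses are
# assumptions; documentation ranges stand in for the real Comcast statics.

ext_if  = "fxp0"            # WAN; the primary static is its own address
int_if  = "fxp1"            # LAN
dmz_if  = "fxp2"            # DMZ
lan_net = "192.168.1.0/24"
dmz_net = "10.0.0.0/24"
filter  = "10.0.0.10"       # hypothetical content filter/proxy in the DMZ
web_srv = "192.168.1.17"    # hypothetical server that gets its own static

# The /24 carved into CIDR blocks, as JTC did on paper. One rule per
# table replaces one rule per IP. pf tables cannot nest, hence the
# repeated entries in <known_hosts>.
table <servers_public>   { 192.168.1.16/28 }    # servers that need the world
table <servers_internal> { 192.168.1.32/27 }    # SQL box, ATSC tuner, ...
table <adults>           { 192.168.1.64/27 }
table <kids>             { 192.168.1.50 192.168.1.51 }
table <known_hosts>      { 192.168.1.16/28 192.168.1.32/27 192.168.1.64/27 \
                           192.168.1.50 192.168.1.51 }
table <private> const    { 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 }

# --- translation (pf evaluates these before the filter rules) ----------
# 1:1 NAT: a second public static mapped to one internal server.
# (pfSense: Firewall > NAT > 1:1, plus a Virtual IP for 203.0.113.11.)
binat on $ext_if from $web_srv to any -> 203.0.113.11
# Everyone else masquerades behind the primary WAN address.
nat on $ext_if from { $lan_net, $dmz_net } to any -> ($ext_if)
# Only the kids' HTTP is redirected to the filter; adults are untouched.
# The filter lives on the DMZ, so its replies come back through the
# firewall without any NAT reflection on the LAN side.
rdr on $int_if proto tcp from <kids> to any port 80 -> $filter port 8080

# --- shaping by address (pf cannot match on MAC) -----------------------
altq on $int_if cbq bandwidth 10Mb queue { std, kids }
queue std  bandwidth 80% cbq(default)
queue kids bandwidth 20% cbq

# --- filtering (last matching rule wins unless "quick") ----------------
block all
# WAN: default deny, open only what is needed. The filter sees the
# address after binat, so match the internal one.
pass in on $ext_if proto tcp from any to $web_srv port 443 keep state
pass out on $ext_if keep state
# LAN: internal-only servers may reach RFC1918 space (the DMZ) but not
# the world, however they got an address.
block in quick on $int_if from <servers_internal> to ! <private>
# LAN: only known addresses get anywhere. A host that switches itself to
# an unassigned IP matches nothing here and falls through to "block all".
pass in on $int_if from <known_hosts> to any keep state
# Listed after the general rule so it wins for the kids. The queue is
# attached to the state, so their reply traffic leaving $int_if
# (downloads) is shaped; add an altq on $ext_if with the same queue
# names to shape uploads as well.
pass in on $int_if from <kids> to any keep state queue kids
pass out on $int_if keep state
# DMZ: the filter needs to fetch pages on the kids' behalf.
pass in on $dmz_if from $filter to any keep state
pass out on $dmz_if keep state

# Static ARP is not pf's job. On the pfSense box, pin every known host,
# hers and everyone else's, e.g.:
#   arp -s 192.168.1.50 00:11:22:33:44:55
# and run those lines at boot from a <shellcmd> entry in config.xml
# (the same thing the Shellcmd package writes), so the DHCP server can
# stay off.
```

Two caveats worth stating. A static ARP entry for her own address alone does not stop her moving to a different, unpinned IP; it only stops someone else claiming hers. What makes the scheme hold is the combination: the switch port locks her MAC, the <known_hosts> rule drops anything from an address the firewall was not told about, and the remaining known addresses are pinned to their owners' MACs so her packets to those IPs are answered to the wrong card. The rdr above also only catches port 80; anything the filter cannot proxy still has to be blocked for <kids> explicitly, and pf offers no L7 matching for the P2P case JTC mentions.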