• Re: OTish: Best free network manager- replace ClearOS? Maybe pfSense?

    From Theo@21:1/5 to leen...@yahoo.co.uk on Sun Sep 26 11:51:07 2021
    XPost: uk.d-i-y

    leen...@yahoo.co.uk <leenowell@yahoo.co.uk> wrote:
    Hi All,

    I have been using ClearOS on an old PC for many years to manage my
    internal network. I have my broadband router on its own subnet on one
    NIC of my ClearOS PC and then the internal network on a separate subnet on the other NIC. ClearOS then manages all the network, DHCP, DNS, in theory virus scan/ malware protection etc. etc.

    I am getting FTTP installed next week so thought I would take the
    opportunity to re-look at the network setup whilst I am at it. My version
    of ClearOS requires a full rebuild to upgrade anyway so thought I would
    look at what the best is these days.

    After a bit of Googling, pfSense seems to be the most popular, but I was wondering if anyone here had any views on pfSense vs ClearOS or indeed any alternative suggestions? I don't know what router I am getting with the install, so maybe these days the routers are good enough and I should scrap
    the external network manager - although I do like the idea of the internal and external networks being on separate subnets with a hardware/ physical separation (maybe a security expert might say this makes no real difference?).

    Also, any suggestions on good newsgroups I should post to instead who
    focus on these sorts of things?

    uk.comp.homebuilt is fairly quiet but might be worth a go. Adding a crosspost...

    I suppose the real question is: what do you want your 'network manager' to
    do?

    Any router will handle DHCP, DNS, NAT. How do you handle wifi - is that a separate AP/mesh setup? Do you have requirements on top of what a consumer router would provide?

    IMX a good reason for a DIY router is because the one you have can't handle
    the internet bandwidth, which is more common with cable and FTTP setups.
    The issue tends to be that the router CPU is too poor to handle routing
    tasks like lots of connections being made at once.

    https://arstechnica.com/gadgets/2016/09/the-router-rumble-ars-diy-build-faces-better-tests-tougher-competition/
    gives some of the motivation behind using a mini PC for this which has
    'PC' class hardware rather than the single-core 400MHz MIPS you got in
    consumer routers. Jim Salter has a number of 'DIY router' articles on Ars
    that benchmark his DIY build over consumer alternatives, which are worth reading.

    Your old PC is almost certainly going to take a lot more power than one of those, so your running costs will be a lot higher than even a mini PC
    solution. On the other hand, internet bandwidth has been rising slower than router performance - these days routers can be more like a cheap smartphone
    - eg quad 1.5GHz ARM cores, which is a lot more horsepower than the single 400MHz MIPS. So the window in which using a 'PC' rather than a 'router'
    makes sense seems to be closing.

    On the other hand, if you want full control a proper OS is attractive, especially if your ISP or a Netgear/etc router is too restrictive. A middle ground would be to look at OpenWRT or dd-wrt or some of the other router distros - you get to run these on a traditional low power router platform (a reflashed Netgear or TP-Link or even an old ISP router if it has suitable specs, although you can run them on PCs too) while giving you more control.

    A suggestion: a cheap and simple entry point to this world is the BT Homehub
    5 reflashed with OpenWRT. These can be bought preconfigured for about £20
    on ebay (search 'homehub 5 openwrt'). The wifi on these is mediocre
    (although good for its time) but otherwise it's a solid OpenWRT router, if
    not the newest. That gives you a chance to play with OpenWRT on such a platform, and if you don't like it you've only wasted £20. You'd probably burn that in a few months of powering your old PC router.

    Theo

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Pancho@21:1/5 to Theo on Sun Sep 26 13:17:11 2021
    XPost: uk.d-i-y


    pfSense is OK. I've been using it for many years. If you have a PC with
    a dual NIC you can test it in a Virtual Machine.

    People say OpenWRT is good. I would try it, but I have a working pfSense
    set up and it is too much effort to change. i.e. pfSense doesn't annoy
    me enough for the effort of a change.

  • From Lee Nowell@21:1/5 to Pancho on Sun Sep 26 06:08:30 2021

    Thanks both. Not sure how the cross-posting works when using the Google Groups front end, as my replies only seem to be posted on the newsgroup I replied to whereas yours seem to appear on both. Anyway, manually cross-posting my replies below for others on this group :)

    ====================
    Thanks both. The main appeal for me with the PC route is that there is hardware separation between my internal and external networks, which seems more secure to me than a pure software firewall if I went down the router route. ClearOS also gives a lot better logging/ metrics than my routers - unsure what OpenWRT provides.

    My house is all wired with cat6 so either have the end devices connected via Ethernet or via a series of other wifi routers dotted around the house to give coverage. For these routers, whilst I was at it, I was thinking about whether it is worth flashing these with OpenWRT (if the routers are supported)?

    thanks

    Lee.
    ===================
    Thanks Pancho - I was in a similar position with ClearOS in that it works fine and I didn't have a reason to change it until now :). Do you use pfSense in a similar way to my use of ClearOS? Re: OpenWRT, I thought that was only to replace the OS on the routers themselves as opposed to acting as a separate network manager?

    Thanks

    Lee.

  • From Theo@21:1/5 to leen...@yahoo.co.uk on Sun Sep 26 16:56:53 2021
    XPost: uk.d-i-y

    leen...@yahoo.co.uk <leenowell@yahoo.co.uk> wrote:
    Thanks both. The main appeal for me with the PC route is that there is hardware separation between my internal and external networks, which seems more secure to me than a pure software firewall if I went down the router route. ClearOS also gives a lot better logging/ metrics than my routers - unsure what OpenWRT provides.

    I'm not sure what you mean about a 'pure software firewall'. The PC with
    two NICs is using software to route from one NIC to the other. It doesn't
    have a hardware firewall.

    A typical wifi router has a single NIC but its five ports (4xLAN, 1xWAN)
    are all connected to a VLAN-enabled switch. The OS sets up the VLAN tags on the ports to be, for example, 1-4=VLAN #1, 5=VLAN #2, and designates VLAN#1
    as LAN and VLAN#2 as WAN.

    Then it sees a packet coming in on VLAN#2 and decides whether or not to
    route it to VLAN#1. Depending on the SoC there may be a bit of NAT acceleration in there, but it's mostly all software, just like the dual-NIC case.

    As far as the OS is concerned it has two network ports, which are enforced
    by the VLAN tagging in the switch (ie hardware). An attacker coming in on VLAN#2 can't forge the VLAN tag to make their traffic look like it came from VLAN#1, because the tags are all internal and not sent over the wire.
    So unless the OS sets up the VLANs in a broken way (in which case it
    wouldn't work) it's effectively two NICs.

    With a replacement router OS you can control the port<->VLAN mappings, so
    you can decide to have 5 different isolated networks if you want. To do
    that on a PC would require a 5 port NIC or an external VLAN tagged switch.

    OpenWRT has some packages for logging etc. They aren't installed by default (due to having to fit on routers with small amounts of flash) - I haven't
    tried them.

    My house is all wired with cat6 so either have the end devices connected
    via Ethernet or via a series of other wifi routers dotted around the house
    to give coverage. For these routers, whilst I was at it, I was thinking about whether it is worth flashing these with OpenWRT (if the routers are supported)?

    It could be worth a go. I have a HH5a as the main router, and a Ubiquiti AP for wifi, both flashed with OpenWRT. Both have a port configured to export VLAN-tagged traffic (ie not strip the VLAN tags inside the switch), and I
    have multiple wifi networks configured, one for each VLAN. That means I
    have an 'IoT junk never going near the internet' wifi network which routes
    back to the firewall config on the main OpenWRT router. It's a bit more
    fiddly setting this up than if it was integrated into the main router, but
    then I can place the AP in a better location.

    Theo

  • From Lee Nowell@21:1/5 to Theo on Mon Sep 27 23:59:31 2021

    Hi,

    Sorry, still can't work out how to get my replies on one NG to appear on the cross-posted one, so have pasted the latest updates below...

    ===========
    Thanks Theo. The router arrived yesterday; it is a "Vodafone" THG3000. I had a quick scoot through the menus and couldn't see a way to set up VLANs on different ports. I take your points re: the router may be the same conceptually as my setup, in that it is all controlled by software. I may have misunderstood how these things work, but my logic (may be flawed) was that in the router scenario everything was on the same subnet (assuming I couldn't do the VLAN thing) and therefore more liable to attack if someone externally managed to get on my network. In my setup I have the usual router firewall and the ClearOS firewall to breach. Having said that, if someone got into my external subnet (i.e. 192.168.A.xxx - the one with just my router and the ClearOS NIC) and tried to get to devices on my internal subnet (192.168.B.xx), then I was assuming ClearOS will stop that, but maybe it just routes it?

    ===========
    Now I have the FTTP router, it wasn't what I was expecting. I assumed it would be equivalent to an ADSL router, where you connect the ADSL one side and the LAN connects to the other. So I assumed the fibre would connect to it somewhere and it would expose Ethernet ports for the LAN. With this one (Vodafone THG3000) it has a port labelled "INTERNET", which seems to be for an ADSL connection, and a different one labelled "WAN", which seems to be like an Ethernet port but connects to whatever Openreach installs (which I assume converts the optical fibre to Ethernet?). So I wonder now whether in my setup in theory I need to even have the new router?

    Having said that, the router has a couple of phone ports which it says will enable me to connect my normal phones to it and it will "convert" them to the VoIP line Vodafone are providing. So irrespective of the above, I will need the phone bit, but it does maybe ask the question as to whether I could/ should put the new router after the ClearOS box. i.e. Openreach thing -> ClearOS NIC 1 -> ClearOS NIC 2 -> New Router -> internal switch.

    As you can probably tell, I don't know how this whole FTTP stuff works under the covers and suspect I am still missing something in my network knowledge :)

    thanks in advance for your help.

    Lee.

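Theo's point that the port-to-VLAN mapping is set up by the router OS and enforced in the switch, and Lee's question about whether the box sitting between the two subnets actually stops traffic or "just routes it", both come down to the same two OpenWRT files. What follows is an added example, not configuration posted by anyone in this thread: an OpenWRT 21.02-style (DSA) /etc/config/network and /etc/config/firewall for a router whose switch ports are named lan1-lan4 and wan, where lan4 is a trunk carrying VLANs 1 and 10 tagged to a separate access point, and VLAN 10 is an IoT network that can reach nothing except the router's own DHCP and DNS. The port names, VLAN numbers, addresses and the DHCP (rather than PPPoE) WAN are assumptions chosen for illustration. On a two-NIC PC running OpenWRT the bridge-vlan sections are unnecessary and the same firewall file applies, with the 'lan' and 'wan' interfaces pointing at the two NICs.

```uci
# /etc/config/network  (assumed DSA port names lan1-lan4, wan)

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

# VLAN 1: trusted LAN. Untagged on lan1-lan3 (u* = untagged + PVID),
# tagged on lan4, which is the trunk to the access point.
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	list ports 'lan4:t'

# VLAN 10: IoT. Exists only tagged on the AP trunk; no untagged port
# anywhere, so a cabled device cannot join it by accident.
config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan4:t'

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'

config interface 'iot'
	option device 'br-lan.10'
	option proto 'static'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'

# WAN on its own switch port. Assumed DHCP from the ONT; a UK FTTP
# service may need proto 'pppoe' instead.
config interface 'wan'
	option device 'wan'
	option proto 'dhcp'


# /etc/config/firewall

# Anything not explicitly allowed below is rejected, in both the
# INPUT (to the router) and FORWARD (between zones) paths.
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config zone
	option name 'iot'
	list network 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Only lan may open connections outward. There is deliberately no
# forwarding with src 'wan' or src 'iot': the WAN cannot reach either
# inside network, and IoT cannot reach the LAN or the internet.
# Replies to LAN-initiated connections are allowed by conntrack.
config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'iot'

# IoT devices still need an address and name resolution from the
# router itself (INPUT path), so punch exactly those two holes.
config rule
	option name 'Allow-IoT-DHCP-DNS'
	option src 'iot'
	option proto 'udp'
	option dest_port '53 67'
	option target 'ACCEPT'
```

The "stop it or route it" question is answered by the forward policies: with `option forward 'REJECT'` in the defaults and in the wan zone, and no `config forwarding` whose src is 'wan', a packet arriving on the WAN side is not forwarded into lan or iot unless a specific rule or port forward allows it; routing between the two subnets only happens for traffic the firewall permits. The AP end of the trunk mirrors the two bridge-vlan sections on its uplink port and binds one wifi-iface to 'lan' and one to 'iot'. After a `/etc/init.d/network restart` and `/etc/init.d/firewall restart`, `bridge vlan show` lists which port carries which VLAN tagged or untagged, and `fw3 print` (or `fw4 print` on nftables-based releases) dumps the generated ruleset so the absence of any wan-to-lan forward can be checked rather than assumed.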