Router or firewall

Hello All,

I connect to the Internet with a Telstra 4GX mobile modem, and the Netgear cradle for it. I want to put at least one network printer on a home network, but not expose it to the Internet. I would appreciate any recommendations about a router and/or firewall.

I currently have two PCs on ethernet cables plugged into the cradle, and choose to not use the wi-fi. I would like to try for something that can be run from a 12 volt battery, I can run the modem and cradle that way, although not yet set up that way. In that light I am also considering getting a Raspberry Pi 4+ as a desktop, and using a 12v 24" television as the monitor.

I am considering going the 12v route because I do get power flicks now and then, and also am considering going off grid. A native 12v DC system will waste less power than using an inverter to go 240V AC and then back to the DC, along with being a separate system that has the potential to be left running 24x7, while I do switch the various items off at the moment.

I had considered a Raspberry Pi for a firewall, but I would prefer to run something with two full Ethernet ports. I know I could add one to a Raspberry Pi with a USB to Ethernet dongle, but there are bandwidth considerations within the Raspberry Pi. That may not matter as the broadband mobile is not always particularly quick, or the Telstra network and tower may be the limiting factor, but still thinking.

I am also giving consideration to my limited budget, but trying to take a step at a time that will not be the wrong way. I am prepared to save up for better devices that will last me better, but that may take longer to implement.

Regards,

Mark Trickett

Mark Trickett via luv-talk wrote:
> I connect to the Internet with a Telstra 4GX mobile modem, and the Netgear cradle for it. I want to put at least one network printer on a home network, but not expose it to the Internet. I would appreciate any recommendations about a router and/or firewall.

Every host should run its own firewall, in software. If you only have an "appliance firewall", you're really saying "every LAN host trusts every other LAN host to not turn evil." Which is dangerously optimistic.

For SOHO sites I typically use OpenWRT on a combined router/switch/wifi AP, so I use their hardware compatibility list as my shortlist:

https://openwrt.org/toh/views/toh_available_16128

Since I don't buy second-hand, I set Availability to "Available 2020" or just "Available". Then I start narrowing down by capabilities, and end up with something like this:

https://openwrt.org/toh/views/toh_available_16128?dataflt%5BAvailability*%7E...

I also skip anything based on a Broadcom chip (MediaTek, Marvell, and Qualcomm/Atheros/QCA, are all OK).

When the shortlist is down to about 5 to 20 choices, I do a price check on each, e.g.

http://staticice.com.au/cgi-bin/search.cgi?q=Linksys+WRT3200ACS

You *can* do all this with a commodity OS (e.g. Debian) or commodity hardware (e.g. an old laptop). It just requires more skill and work to set it up. Also unless you make it Debian Live or similar, it usually needs handholding to recover from a bad power event.

One ADVANTAGE of using an old laptop is that they have a built-in 1hr+ UPS :-)

Historically OpenWRT (and Linux in general) could not drive any ADSL chipsets, so I've always had a separate external modem. In your case that would be your "cradle" thing. What you do is you set that modem to be in "bridge mode", and then do all the real routing on the OpenWRT appliance.

These days you MIGHT be able to get a combined device that can run an open OS you trust (e.g. OpenWRT) *and* has a drivable 3.9G LTE radio ("4G modem") in it. If so, that's what I'd be aiming for -- you just take the SIM card out of your cradle and stick it straight into the OpenWRT.

https://openwrt.org/toh/views/toh_available_16128?dataflt%5BAvailability*%7E...

...as expected, not a lot of options there.
> I currently have two PCs on ethernet cables plugged into the cradle, and choose to not use the wi-fi. I would like to try for something that can be run from a 12 volt battery, I can run the modem and cradle that way, although not yet set up that way. In that light I am also considering getting a Raspberry Pi 4+ as a desktop, and using a 12v 24" television as the monitor.

I don't know if you could run it off an *actual* 12V battery, without a UPS around the battery to clean up the power. (UPSs tend to have 12V batteries inside them.)

Anything that has an external power brick with a tip-sleeve connector tends to be 12V DC (though varying amperage). That includes cheaper/smaller monitors and desktops built from laptop-style hardware (e.g. chrometops, intel NUC, gigabyte BRIX).
> I am considering going the 12v route because I do get power flicks now and then, and also am considering going off grid. A native 12v DC system will waste less power than using an inverter to go 240V AC and then back to the DC, along with being a separate system that has the potential to be left running 24x7, while I do switch the various items off at the moment.

This is sensible. I've only used UPSs that serve 240V AC downstream, but I suppose there are ones that serve 12V DC downstream? Maybe their downstream is a bank of USB A female power-only sockets? People who are already off-grid probably know a lot more about this space.

The ones I've used internally take commodity motorbike batteries, which is great because the batteries need to be replaced MUCH more often than the power circuitry, and commodity batteries are cheap and easy to replace yourself.

See also https://beyondstandards.ieee.org/general-news/advancing-technology-benefit-h... and the links from there.
> I had considered a Raspberry Pi for a firewall, but I would prefer to run something with two full Ethernet ports. I know I could add one to a Raspberry Pi with a USB to Ethernet dongle, but there are bandwidth considerations within the Raspberry Pi. That may not matter as the broadband mobile is not always particularly quick, or the Telstra network and tower may be the limiting factor, but still thinking.

Right - turning a rpi or old laptop into a router by adding a USB ethernet adapter is a cheap solution, but it feels yukky. I also noticed that my cheapo USB ethernet adapter here pulls down a ridiculous amount of power, even when idle -- as much as the rest of the chromebook combined.

On that score, note that newer and purpose-built hardware is likely to be substantially more power-efficient, especially devices where they basically took a smartphone/laptop board and put it into a box and called it a router/desktop :-)

e.g. my 2013-era system here is using 4W total, and that's including the LCD backlight (1.2W) and the 802.11 wifi radio (2.5W). So if it was a (non-wifi) router appliance, it would be drawing about 0.5W. And newer stuff is (or can be) even better.

    The battery reports a discharge rate of 4.05 W

    Power est.   Usage        Events/s   Category    Description
      2.35 W       1.0 pkts/s            Device      Network interface: wlp1s0 (ath9k)
      1.18 W      10.7%                  Device      Display backlight
      413 mW       0.0 pkts/s            Device      nic:wg-spoke
     91.8 mW       1.0 ms/s    46.2      Interrupt   [45] snd_hda_intel:card1
     50.7 mW     402.9 µs/s    25.8      Timer       tick_sched_timer
     27.6 mW     307.2 µs/s    13.9      Process     ratpoison

On Saturday, 2 May 2020 12:40:40 AM AEST Trent W. Buck via luv-talk wrote:
> Mark Trickett via luv-talk wrote:
> > I connect to the Internet with a Telstra 4GX mobile modem, and the Netgear cradle for it. I want to put at least one network printer on a home network, but not expose it to the Internet. I would appreciate any recommendations about a router and/or firewall.

So the Telstra device in question has 1 public IP address (possibly through some strange NAT system) and all your devices are on private IP addresses and use NAT in the Telstra device. There are ways for devices behind such routers as the Telstra device to request port forwarding, but I doubt that the printer would be doing that and even if it did the Telstra network probably wouldn't cooperate.
> Every host should run its own firewall, in software. If you only have an "appliance firewall", you're really saying "every LAN host trusts every other LAN host to not turn evil." Which is dangerously optimistic.

Another possibility is that the hosts on the LAN don't offer insecure services. If for example all hosts on your LAN use protocols like ssh/scp to communicate then you shouldn't need a "firewall". If however you have services like NFS running then it's a different situation. If you want to have something like NFS running then have one Linux PC connected to the Internet (the Telstra device in this case) and have it not forward ports for such protocols.
> You *can* do all this with a commodity OS (e.g. Debian) or commodity hardware (e.g. an old laptop). It just requires more skill and work to set it up.

That's a matter of opinion. I recently spent a few hours working on a MikroTik router to get it to do some simple stuff I could have done on a regular Linux system in a minute. Maybe for someone who doesn't know how to do things in Linux, doesn't know where to look for advice, and doesn't want to learn about Linux those router devices are good. But for people on this list I think that just learning how to do things on Linux is a better option.
> Also unless you make it Debian Live or similar, it usually needs handholding to recover from a bad power event. One ADVANTAGE of using an old laptop is that they have a built-in 1hr+ UPS :-)

What sort of problem is this? I've had lots of power failures for PCs running Linux and since about 1997 not much in the way of problems recovering from them (there were some Ext2 bugs in about 1995 that caused problems on power failure).

The eBay prices on laptops are ridiculous. I've had my current Thinkpad now for about 2 years. Every time I've checked recently I haven't seen a similar Thinkpad on eBay for the price I paid on eBay 2 years ago. I've seen broken Thinkpads offered for parts at higher prices than I paid for a fully working Thinkpad 2 years ago! If you have an old laptop and don't need to do laptop things then it's probably best to sell it and buy a RaspberryPi or get an old desktop system for free.
> > I am considering going the 12v route because I do get power flicks now and then, and also am considering going off grid. A native 12v DC system will waste less power than using an inverter to go 240V AC and then back to the DC, along with being a separate system that has the potential to be left running 24x7, while I do switch the various items off at the moment.
>
> This is sensible.

Certainly a fun project and worthy of a lecture at a LUV meeting once the pandemic is resolved.

https://electronics.stackexchange.com/questions/105064/what-is-the-usage-of-...

This page suggests that -5V and -12V aren't needed on modern motherboards. So to run such a motherboard from a 12V battery you just need to stabilise 12V (my tests showed that the only way to get the voltage of my car cigarette lighter socket down to 12V was to turn the headlights on while the engine wasn't running) and step down 12V to 5V.
> > I had considered a Raspberry Pi for a firewall, but I would prefer to run something with two full Ethernet ports. I know I could add one to a Raspberry Pi with a USB to Ethernet dongle, but there are bandwidth considerations within the Raspberry Pi. That may not matter as the broadband mobile is not always particularly quick, or the Telstra network and tower may be the limiting factor, but still thinking.
>
> Right - turning a rpi or old laptop into a router by adding a USB ethernet adapter is a cheap solution, but it feels yukky.

Routing 100baseT (the maximum speed of NBN) is not particularly strenuous. Any laptop that has USB 2.0 should be able to handle it if you have the right USB device, as Trent noted there's some low quality USB hardware out there.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
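
The arrangement discussed in this thread, one Linux box with two Ethernet ports sitting between the Telstra cradle and the LAN and not forwarding anything inbound, sketched as an nftables ruleset. This is an added example, not part of any poster's message; the interface names `wan0`/`lan0`, the 192.168.10.0/24 range and the printer address are assumptions, and the outbound block on the printer is an optional extra.

```nftables
#!/usr/sbin/nft -f
# Constructed example: every name and address below is an assumption.
flush ruleset

define WAN     = "wan0"             # port cabled to the Telstra cradle
define LAN     = "lan0"             # port cabled to the home switch
define LAN_NET = 192.168.10.0/24    # private range used on the LAN
define PRINTER = 192.168.10.20      # static address given to the printer

table inet filter {
    # Traffic addressed to the router box itself.
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
        meta l4proto { icmp, ipv6-icmp } accept
        iifname $LAN tcp dport 22 accept            # ssh admin, LAN side only
        iifname $LAN udp dport { 53, 67 } accept    # DNS/DHCP if served here
        iifname $LAN tcp dport 53 accept
    }

    # Traffic passing through the box between LAN and WAN.
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Optional: the printer never initiates connections to the Internet.
        ip saddr $PRINTER oifname $WAN drop
        # PCs on the LAN may open connections outward.
        iifname $LAN oifname $WAN ip saddr $LAN_NET accept
        # No accept rule for iifname $WAN: nothing unsolicited reaches
        # the LAN, so the printer's ports are not reachable from outside.
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname $WAN ip saddr $LAN_NET masquerade
    }
}
```

This only covers the boundary between LAN and Internet; hosts on the LAN can still reach each other and the printer directly, which is the case the per-host firewall advice earlier in the thread is about.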