?

Log in

No account? Create an account
 

January 27th, 2017 - Bloggit's Journal

About January 27th, 2017

Router-Firewalls and WRT 05:55 pm

The Problem

I have an IoT nest. And run some servers for some custom applications. And a static I.P. And printers and file servers.
I don't trust those cheap Chinese web-cams, even though I find them cost effective and useful. I'm willing to use them, but want to fence them off from the rest of my network.

So this really started as an effort to isolate devices on the network.  Which I figured I'd do via VLans.  That hasn't fully happened yet, but I did gain more knowledge of routers.

Background

For years I've used the ASUS RT-AC66U and then RT-AC68U as both my home router and firewall, as well as my WiFi access point.  These wonderful little machines have great coverage, impressive speed, work extremely fast in Bridge mode (providing wired connections remotely to, for example, a craptastic Samsung TV that has terrible wireless itself but can use wired fine), and WRT-level features.

(If you're not clear on that, you can use two wireless routers to act as a network cable, giving you wired ports where you otherwise don't have them.  Which is very useful for devices that can take either wired or wireless, but have terrible wireless and aren't near wires.)

WRT?  WTF?!

WiFi Router Replacement Firmwares

Higher-end consumer-grade WiFi routers can often have an open-source firmware on them replacing the stock firmware.  The top ones are:These largely descended from improvements to the LinkSys WRT54G firmware around 2002-2004, pioneered by the DD-WRT project.  It's probably the best supported of the lot, with more router support (different ones at any rate) than Tomato and a nice GUI.
Open-WRT is  a bit more hard-core; it is CLI (command-line-interface) only, no GUI, so it's lighter weight but perhaps at the sacrifice of ease-of-use and features.  (There is a GUI add-on project, Gargoyle.)
Tomato historically is easier to use than the others, with better monitoring and a nicer GUI, but fewer routers supported.  It's important to ensure you're looking at the latest version/fork/website.  For example, Tomato's original development ended around 2010, but that website is still alive.  The current Tomato site would be http://tomato.groov.pl/, which still has recent updates.

The Asus routers have their own version, ASUSWRT, which started based on Tomato... but, and this matters, a much older version of Tomato. Merlin starts from ASUSWRT.  Asus routers come with ASUSWRT, and it's pretty nice, pretty powerful, well documented and so on.  Plus it's optimized for Asus hardware, so the performance is top-notch.  Where it falls down is in some less consumer-oriented features, such as VLans and monitoring.  Where it excels in in QOS (quality of service), as it has the hardware optimizations for what is a very hardware-intensive task.

To these optimizations, Merlin adds some features and fixes.  But not many.  For example, VLan support is present, but (currently) only via CLI, while Tomato has a nice GUI for it.  And Tomato supports alternative utilities such as DNSMasq, which AsusWRT and Merlin do not.

Basically, WRT (and Tomato) just mean a bit more solid, more features, more capabilities, such as being able to both run a VPN endpoint on the router and also serve as a VPN client for all traffic coming from the router.  And such as better firewall features.  Tomato has VLan support in the GUI, while Merlin only supports it via CLI.

Anyhow, these systems have served me well, but as the IoT (Internet of Things) attacks become more common and we have more devices we don't know much about on our home networks, I decided I wanted to segregate my network better.  One downside of the Asus devices is, they aren't really cheap.  And what they do, they do very well, but they can't stretch.  So I did some additional investigiation to augment my network.

Requirements

My requirements were:

  • Fast throughput.  I have real 1Gb connectivity to the web, and with the work I do, I use it.

  • Not too hard to set up.  I'm a serious programmer, but GUI interfaces are far faster and more reliable than CLI for most configuration stuff.

  • Not too expensive.

  • Compatible with my devices without too much work.  Which practically rules out, for example, VLans, given the age of some of my devices.

My first looks were at something like a <a target="_blank" href="https://www.amazon.com/gp/product/B016E93IQS/ref=as_li_tl?ie=UTF8&camp=1789&creative=9325&creativeASIN=B016E93IQS&linkCode=as2&tag=tech0b39-20&linkId=4092077114b6e23c2f1b41286bdadf21">Mikrotik RouterBOARD</a?, but they're notoriously slow.  (They do have the best network mapper though.)

Trials and Solutions

In my trials, I got a Qotom quad-lan J1900-based micro-PC.  Unfortunately, it died in less than four hours, and there simply isn't quick affordable support for this device.  Getting a replacement motherboard required $50 in shipping and waiting two months.   Not ideal.  But... it's an amazing box when it's working.  Tiny, cheap, fast, can run Windows 10 no problem.

I also got a Ubiquiti ERL3 (Edge Router Lite 3).  Which can be fast enough, but you really have to pay attention to how you configure it.  For example, just bridging two interfaces drops the simple throughput from around 800Mbps to around 130Mbps.  Seriously.  Nothing else going on.  But

Other tool options were:

  • pfSense firewall, the open-source firewall many other solutions are based on, which the Qotom was going to run.  (There are pre-built Qotom-pfSense boxes too; these are built by a third-party with pfSense configured.)

  • snort intrusion detection/prevention.  (Basically a packet sniffing layer that can retain state and react to packet contents.)

  • UTM (Unified Threat Management) packages, AKA USM ("Security"), generally including the firewall, intrusion detection, anti-spam, anti-virus and VPN.  Very expensive and heavier than I was after.

  • Appliances - These typically serve as firewall and intrusion detection, but have high costs.

    • WatchGuard - firewall appliances with very high annual costs.  I owned one years ago, and they are very powerful.  But very expensive.

    • Fortigate - For example, the FG-60D is $400 on Amazon

    • As an example of annual fees, the Cisco ASA 5505 Security Appliance is $225 to buy, but estimated around $800 (pricing is only through dealers) annually for licenses!



  • Sophos - very expensive software

So, as I mentioned, I got a Qotom to put pfSense on.  And it died.  So I followed up with an Ubiquiti ERL3 , which isn't running pfSense, but rather a customized Vyatta, which is a fork of Debian.  Still a micro-pc, just a different O.S. and lower requirements.
I also wound up installing Tomato (just Tomato, not Advanced, as I didn't want any options/features obscured by an incomplete U.I.) on my older Asus router.

And I attempted to set up VLANs.

What I found out is that VLAN support isn't very mature yet (2017Q1), and that Tomato/WRT cannot prep packets for upstream routers. But, of course, since nobody is using VLANs, this isn't clear.

And that you can filter outgoing packets with Ubiquiti (or pfSense) simply by assigning static IPs/leases and filtering the outgoing port on IP address; it doesn't restrict internal addresses, but that data can't go anywhere.  Which gives me much of my original goal with a much simpler, no-VLAN, design.

I also discovered that the Asus (and Merlin) Media Bridge Mode is much faster, as in it's really significant, than the generic Tomato Media Bridge mode.  If you're going to use a WiFi router as a wired access point extension, stick to Asus and to an Asus WRT-based ROM.

Lessons Learned

AsusWRT (and Merlin) have some huge advantages.  They are much easier to configure for Bridge mode than Tomato is, and they will use the radios more optimally (for pairing two Asus devices at any rate.) It seriously took nearly an hour to get Tomato bridging... on the wrong band... effectively, while AsusWRT was a simple button-and-select process.   But they would not have allowed me to do the VLan stuff I wanted.
Routers don't have on-board batteries, so they lose the time on hard-boot (i.e. unplug-to-boot.)  To get around that, you must configure the NTP server correctly, and the router must both have external access (to the NTP server) and a correct DNS server (to resolve the name.)
But this alone doesn't get you the logs leading up to a crash, because... the logs by default, if any, are generally stored in /tmp/logs, which is reset on each boot.  To keep the logs past a boot, you need to either format some router NVRAM (non volatile - very limited supply in the router) for file storage, a bad idea due to how little there is, or you have to add storage via an external device (USB drive) or external server (less useful for logging when something hasn't started or has broken.)  This really just means add a USB Drive and change the log storage to something like /tmp/mnt/FLASHDRIVE.

Another problem I had, which I'm not fully clear on yet, is that the Asus routers running Tomato were not as good at maintaining a high-speed bridge as they were with the native Asus ASUSWRT.  I'm not clear on why, but with my 1Gb internet, they required regular rebooting to keep up a connection sufficient for streaming 1080p HD (roughly 6Mbps), while I had never had that problem with ASUSWRT.  Restoring the original firmware...
Top of Page Powered by LiveJournal.com