#276880 - 06/03/2006 10:22
AP/Router with decent filtering?
carpal tunnel
Registered: 13/07/2000
Posts: 4180
Loc: Cambridge, England
I've got an opportunity now to replace my Linksys BEFW11S4 AP/router (i.e. I'm thinking of palming it off on someone). I could just get the current Linksys similar thing, but there's one thing it does that I wish it did better, and that's filtering.
I leave my home network open, as I don't mind if the neighbours use it for a bit of casual web browsing or Messenger or whatnot, but recently people have taken to running P2P over it and soaking up all my bandwidth. So I set up filtering: BEFW11S4 can drop UDP or TCP traffic by port number. I filter out all non-privileged ports except the ones Messenger uses, and no P2P traffic gets through. The problem is, it filters out both incoming and outgoing connections indiscriminately, so when the filter is on, I can't SSH in from work, because although the remote (home end) SSH port is privileged and allowed, the local (work end) port is random, so the traffic gets dropped.
So does anyone have a recommendation for an AP/router with smarter filtering, or another way to solve the problem? Separate filter settings for incoming and outgoing connections would solve the problem (all incoming connections other than SSH are already dropped, as only the SSH port gets forwarded anywhere), as would separate filter settings for different local IPs (as the drive-bys all DHCP and end up in a different range than the statically-addressed PC I'm trying to SSH to).
What would be best of all, I suppose, would be traffic shaping per IP range, so I wouldn't need to filter anything, and could just restrict the drive-by IPs to 10% of the connection or whatever. But I bet only expensive enterprise-grade AP/routers do stuff like that. How simple are these replace-the-stock-Linux-firmware APs to set up? I really want this stuff to just work and have no appetite for tinkering with it...
Peter
#276881 - 06/03/2006 11:50
Re: AP/Router with decent filtering?
[Re: peter]
carpal tunnel
Registered: 19/01/2002
Posts: 3584
Loc: Columbus, OH
It's a little more expensive, but a SonicWall TZ170 can do all of that. Has a DDNS client built in as well as Static DHCP, Firewall, and Bandwidth management (by ip address range or port). If you'd like to log in and take a look at one of mine, PM me. (note: linked one is not a WAP, just a firewall/router. They make one with wireless also for a few bucks more.)
I'd imagine that a WRT54GS can do all of that with upgraded firmware, but I've had mixed results. Of the three that I've upgraded, one of them bricked on me for no apparent reason. I was not able to recover it even using the hardware reset methods on the net. One of the others was never quite stable. The third one worked great.
#276882 - 06/03/2006 14:20
Re: AP/Router with decent filtering?
[Re: peter]
carpal tunnel
Registered: 08/06/1999
Posts: 7868
An easier solution might be a two access point setup. Set the first router up how you want and throw WPA encryption on its wireless. Set up the second router behind the first router with the restrictive firewall in place to stop P2P and keep the wireless on it open.
The double NAT on the open side will also kill off some things, but web and basic IM still work fine over such a setup.
#276883 - 06/03/2006 16:03
Re: AP/Router with decent filtering?
[Re: peter]
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
I would say to just set up a separate router/firewall and AP. You could then get a firewall that has some actual features, as opposed to the consumer-grade crap that the Linksyses and NetGears give you. But that may well fail your "have no appetite for tinkering with it" criterion.
_________________________
Bitt Faulk
#276884 - 06/03/2006 18:42
Re: AP/Router with decent filtering?
[Re: peter]
carpal tunnel
Registered: 29/08/2000
Posts: 14491
Loc: Canada
I believe that all (?) of the features on your wish list are available on the Linksys AP/Routers when used with SveaSoft firmware. And possibly with other firmwares, like perhaps OpenWRT.
Cheers
#276885 - 06/03/2006 19:43
Re: AP/Router with decent filtering?
[Re: mlord]
carpal tunnel
Registered: 27/06/1999
Posts: 7058
Loc: Pittsburgh, PA
I will second that, though the web-based config will only get you so far, and you'll need to futz with storing iptables and (name of the command-line util to set QoS stuff that I can't remember) commands in the rc_firewall setting in nvram. This violates my interpretation of peter's lack of tinkerphilia.
#276886 - 06/03/2006 21:09
Re: AP/Router with decent filtering?
[Re: peter]
carpal tunnel
Registered: 18/01/2000
Posts: 5683
Loc: London, UK
Quote: So does anyone have a recommendation for an AP/router with smarter filtering, or another way to solve the problem?
My D-Link DSL-604+ has more complicated filter settings, but they're not necessarily smarter. I've never used them -- I use inbound port forwarding, but I don't do anything special with outbound traffic.
Screenshot attached.
Attachments
277264-d-link-filtering.png (150 downloads)
_________________________
-- roger
#276887 - 07/03/2006 22:56
Re: AP/Router with decent filtering?
[Re: mlord]
Carpal Tunnel
Registered: 08/02/2002
Posts: 3411
Quote: I believe that all (?) of the features on your wish list are available on the Linksys AP/Routers when used with SveaSoft firmware. And possibly with other firmwares, like perhaps OpenWRT.
Cheers
Yeah, I gave up on the whole web gui thing. I'm running OpenWRT on my WRT54G to great effect - the thing has a built-in VLAN switch, so I have my WLAN, internal LAN, DMZ network and internet all on separate VLANs. I'll likely trunk one of the remaining 2 ports to feed an IDS. Setting this configuration up wasn't trivial though - all the commands were programmed manually into the nvram. The great thing is that I know that they won't get screwed up because of some accidental mouse click in a gui though.
Not being one to leave any hardware alone if it's at all hackable, I did the sd card mod, so I now have a (previously spare) 64MB sd card for holding stuff on, instead of the paltry 4MB flash. (Actually, I've been wondering whether the hack is suitable for the empeg too..)
As for firewalling, I'm using fwbuilder, which is a _great_ tool. fwbuilder allows you to build policies on a remote machine, and then compile and push them over ssh to the firewall itself. It supports multiple firewalls driven from the same policy file so you can define network addresses and custom services in one place and use them in multiple firewalls. The GUI is powerful and object based - you can define rules based upon groups of objects ( hosts, networks, services etc) and then when you modify the group membership the rules automatically take account of the change. It will compile rulesets for a variety of firewall technologies (ipchains, ipfilters, ipfw, iptables, pf, pix) and target the resulting scripts to a variety of OSs (eg linux, MacOS, FreeBSD, OpenBSD etc), so if I want to change hardware somewhere down the line, I won't have to rewrite my ruleset from scratch like I did last time.
It's hands-down the best GPLed tool I've seen for generating firewall rulesets, and compares well to many commercial offerings too. The GUI design is very similar to Checkpoint, which remains a favorite in the commercial world.
_________________________
Mk2a 60GB Blue. Serial 030102962
sig.mp3: File Format not Valid.
#276888 - 28/03/2006 17:08
Re: AP/Router with decent filtering?
[Re: peter]
carpal tunnel
Registered: 13/07/2000
Posts: 4180
Loc: Cambridge, England
Quote: I could just get the current Linksys similar thing, but there's one thing it does that I wish it did better, and that's filtering.
Slightly embarrassingly, the "current Linksys similar thing", the WRT54G, does what I want out-of-the-box: I got one, and now all ports 1024..1859 and 1870..65535 are prohibited to wireless clients, but inbound SSH works fine.
Now if only I could persuade my Frontpath to DHCP from the thing, it'd be perfect.
Peter
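The ruleset below is an added example, not something posted in this thread and not the WRT54G's own firmware configuration. It shows, in iptables terms on a Linux-based AP/router, the policy the first post asks for and the last post describes: wireless clients lose new connections to ports 1024..1859 and 1870..65535 (TCP and UDP), while inbound SSH to one wired host keeps working. The reason it works where the BEFW11S4's per-port filter failed is connection tracking: only the first packet of a connection is judged by the port rules, and the replies heading back to the remote SSH client's random high port are accepted as ESTABLISHED rather than being matched against the port list. Interface names, the wireless and wired subnets, the SSH host address, and the IPT variable (set to `echo iptables` for a dry run) are all assumptions constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): stateful iptables FORWARD policy for a
# Linux-based AP/router, reproducing the filter described in the thread.
# Constructed assumptions, not values from any post:
#   WAN_IF       eth0            internet-facing interface
#   WLAN_IF      eth1            open wireless interface
#   WIRELESS_NET 192.168.2.0/24  the DHCP range the drive-by clients land in
#   SSH_HOST     192.168.1.10    the statically addressed PC port 22 is forwarded to
#   IPT          iptables        set IPT="echo iptables" to print instead of apply
WAN_IF="${WAN_IF:-eth0}"
WLAN_IF="${WLAN_IF:-eth1}"
WIRELESS_NET="${WIRELESS_NET:-192.168.2.0/24}"
SSH_HOST="${SSH_HOST:-192.168.1.10}"
IPT="${IPT:-iptables}"

# Stateful version of the port filter. The old stateless filter dropped
# traffic by port in both directions, so the SSH reply to a remote client's
# random high port died; here replies ride on rule 1 and never reach the
# port rules, which see only the first packet of each new connection.
apply_rules() {
    $IPT -F FORWARD
    $IPT -P FORWARD DROP

    # 1. Packets belonging to an already accepted connection pass both ways.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # 2. New inbound SSH from the internet to the single forwarded host
    #    (a nat-table DNAT of WAN port 22 to SSH_HOST is assumed to exist).
    $IPT -A FORWARD -i "$WAN_IF" -p tcp -d "$SSH_HOST" --dport 22 \
         -m conntrack --ctstate NEW -j ACCEPT

    # 3. Wireless clients: drop new connections to the unprivileged ports,
    #    leaving only the 1860..1869 gap open, for TCP and UDP alike.
    for proto in tcp udp; do
        $IPT -A FORWARD -i "$WLAN_IF" -s "$WIRELESS_NET" -p "$proto" \
             --dport 1024:1859 -j DROP
        $IPT -A FORWARD -i "$WLAN_IF" -s "$WIRELESS_NET" -p "$proto" \
             --dport 1870:65535 -j DROP
    done

    # 4. Any other new connection from the LAN or wireless side may go out.
    $IPT -A FORWARD ! -i "$WAN_IF" -m conntrack --ctstate NEW -j ACCEPT
}

# Print the rules instead of applying them (runs in a subshell so the
# caller's IPT is untouched). Useful for review before pushing to the router.
dry_run() {
    ( IPT="echo iptables"; apply_rules )
}

# Sanity check on the generated policy: number of DROP rules emitted.
count_drop_rules() {
    dry_run | grep -c -- '-j DROP'
}

# Uncomment to apply on the router itself:
# apply_rules
```

Run it with `IPT="echo iptables"` (or call `dry_run`) to review the rules before they touch a live box. The policy is still purely port-based, so anything a wireless client can run on port 80, 443 or inside the 1860..1869 gap gets through unfiltered; the per-IP traffic shaping the first post wishes for is the better control for the bandwidth problem, and this ruleset only reproduces what the thread's filter actually does.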