Archive for February, 2010

Buying a new Firewall/Router

For about a year I’ve been using a CheckPoint Safe@Office for my home Firewall.  It’s a demo unit that my boss actually won at a CheckPoint event as a door prize.  Since he didn’t need it, he gave it to me to “evaluate” for as long as I wanted.  I’m actually generally pretty happy with it, as it is very powerful and easy to use.

Previously, I used a Soekris net4801 single-board computer to run Monowall, Zeroshell, and pfSense.  Monowall 1.2x was well suited to the net4801.  The Zeroshell revisions I ran on it worked great as well, but it wasn’t nearly as easy to use as Monowall.  I liked pfSense a lot, but it ran on the slow side with the older versions.  I recently tried pfSense 2.0 BETA on my net4801 and it was abysmally slow, taking 20-30 seconds between page loads, not to mention being a bit on the buggy side (but, it is just out of ALPHA).

Recently, I’ve been interested in a new Firewall/Router.  I didn’t want a full-fledged machine due to power and price.  After looking around a bit at some alternative options, I ordered a MikroTik RB750G router.  It was under $80 shipped.  It is a fully featured router with 5 Gigabit Ethernet ports and includes a switching chip.  I figured the worst-case scenario (if I didn’t like it) would be that I’d put all 5 of the ports into “switch” mode and have a managed 5 port Gigabit switch.

This switch chip was actually a key feature for me.  It means you can tie any of the 5 ports together to act as a switch, and their packets will be hardware switched between each other, never hitting the processor.  Speaking of the processor, this router has a 680 MHz ARM at its core.  My experience has been that clock-for-clock, an ARM is faster than an x86 chip, so I imagine this would be at least 3 times faster than my net4801, though proving that may be difficult since they won’t run the same OS.

Anyhow, I’ve had it now since Thursday night.  It has taken a bit of getting used to, but it is awfully powerful if you can figure out how to use it!  There are things you can do with the Firewall features of this box that I’ve never seen on the Enterprise firewalls I’ve worked on (IBM and most recently CheckPoint).  The ability to detect brute-force attacks and then add the attacking source IPs to an ACL (to be dropped) is pretty neat, and the ability to detect other types of attacks and “tarpit” them automatically is really nice too, for example.

The way the firewall works takes some getting used to…  You have three chains to add rules to, the “input” chain, the “output” chain, and the “forward” chain.  This doesn’t translate well from the Cisco world.  An “input” chain is relative to traffic destined to the router, regardless of the Interface it is coming in on.  The “output” chain is relative to traffic generated by the router itself.  Finally, the “forward” chain is related to traffic flowing through the box.  I’ve heard that this is the chain you are most likely to be using.

In practice (in my mind at least), the “input” chain seems to be the main one to be concerned with for a home router.  In this case, any attack would be destined to the public IP of the router itself.  If you want to block traffic from a specific internal host (I have my reasons), the “input” chain would be the spot to block it as well.

Setting up NAT is very easy with this box.  One rule NATs the internal hosts out to the Internet.  I was able to set up a “Port forward” as a “dstnat” action, though I’ve also seen it listed as a “netmap” action.  Not sure of the advantage of one over the other.
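Putting the three chains, the brute-force address-list trick and the NAT rules described above into one RouterOS configuration, as an added example (not from the original post and not MikroTik’s own documentation). It assumes ether1 is the Internet-facing port, the other ports are bridged as the LAN on the constructed subnet 192.168.88.0/24, and a constructed internal web server sits at 192.168.88.10.

```routeros
# Added example (not from the post). Assumptions: ether1 = Internet, ether2-5 bridged
# as the LAN (constructed 192.168.88.0/24), constructed web server at 192.168.88.10.

/ip firewall filter
# --- input chain: traffic addressed to the router itself, whatever interface it arrives on ---
add chain=input connection-state=established,related action=accept comment="replies to the router's own sessions"
add chain=input connection-state=invalid action=drop comment="packets belonging to no known connection"
add chain=input in-interface=ether1 protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop \
    comment="sources that already tripped the brute-force ladder"
# Brute-force ladder: each new SSH connection from the Internet moves its source one stage up;
# a 4th attempt within a minute lands the source on ssh_blacklist for a day.
# add-src-to-address-list is non-terminating, so the packet keeps walking the chain.
add chain=input in-interface=ether1 protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1d
add chain=input in-interface=ether1 protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m
add chain=input in-interface=ether1 protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m
add chain=input in-interface=ether1 protocol=tcp dst-port=22 connection-state=new \
    action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m
add chain=input in-interface=ether1 protocol=tcp dst-port=22 action=accept comment="SSH to the router, not yet blacklisted"
add chain=input src-address=192.168.88.50 action=drop comment="keep one LAN host (constructed address) off the router's services"
add chain=input in-interface=!ether1 action=accept comment="the LAN may reach the router (Winbox, DNS, ...)"
add chain=input in-interface=ether1 action=drop comment="everything else from the Internet to the router itself"

# --- forward chain: traffic flowing through the box ---
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=!ether1 action=accept comment="LAN out to the Internet"
add chain=forward in-interface=ether1 protocol=tcp dst-address=192.168.88.10 dst-port=80 action=accept \
    comment="the port-forwarded web server (dst-nat has already rewritten the destination)"
add chain=forward in-interface=ether1 action=drop comment="no other unsolicited traffic from the Internet inward"

/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade comment="one rule NATs all internal hosts out"
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=8080 action=dst-nat \
    to-addresses=192.168.88.10 to-ports=80 comment="port forward: public :8080 -> web server :80"
```

Because dst-nat runs before the forward filter, the forward rule matches on the rewritten internal address, which is why the accept rule names 192.168.88.10:80 rather than the public port.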

There’s another functionality called “Mangle” on this box.  Personally, I would think you wouldn’t want to “mangle” any packets, but that’s not really what this is about…  It lets you tag packets for later processing.  I’m not really clear on the exact advantage of this, or how it works yet, but I’m going to look into it further, as it sounds very interesting and perhaps very powerful.

I’d love to have the power of this in an easy to use (and comprehend) WebGUI, but the WebGUI that comes with RouterOS is very limited.  Anyhow, I’m really liking the power and speed of this thing…

Oh – I forgot to mention this…  A few days ago, I was testing pfSense on a net4801 with my Comcast Cable Internet.  With it, I was getting just under 15 Mbit/sec.  With this new unit, I’ve seen a peak of 21 Mbit/sec!

February 27, 2010 at 10:11 pm

MikroTik – surprisingly good stuff!

MikroTik.  No, I’m not talking about some insanely tiny parasite, I’m talking about a routing platform.

About a year ago, a friend of mine introduced me to MikroTik.  It’s Linux-based and uses a command-line based environment to perform configuration for lots of network services.  You might think this is just another Linux distro, but it’s not.  You never actually get to a normal Linux command line with MikroTik’s RouterOS. It’s closer to a Cisco router than any Linux distro I’ve dealt with in the past.  It has auto-complete, color coding, and interactive help. In some ways, it’s even nicer than Cisco IOS.  A tool called Winbox exists to let users who aren’t command-line fans have full access to this power via mouse clicks.

The bad news is that it is completely different from Cisco, or any other router I’ve used before.  It has a huge range of services and the documentation isn’t easy to follow. The wiki they run has lots of example commands, but it’s not very long on explanation, consisting mostly of lists of commands.  Add to that conflicting information on various versions of RouterOS, and it’s hard to know what to do if you are new to it.

Thankfully, Greg Sowell has a few video tutorials to help the MikroTik newbie at  His tutorials give you a good introduction to things, then go on to explain in depth how things like the firewall and various VPN features actually work.  If you are new to MikroTik, this is currently the best freely available information online (at least, that I’ve been able to find).

February 27, 2010 at 9:13 pm

VirtualBox on a ReadyNAS

There’s quite a discussion on the ReadyNAS forum about how to install VirtualBox on a ReadyNAS Pro.  I installed it and brought up a VM running Windows 2008 to try a few things out.

First, yes, it works.  The performance isn’t terrible, either.

I installed a Windows 2008 Server, installed the “guest additions” (which helped RDP performance greatly), installed all the updates (to SP2 and beyond), set up a domain, DNS, added a few users, and all seemed to work well.

But, there’s one problem.  After running VirtualBox for a while, the ReadyNAS goes from making only a slight noise of airflow to a fan noise level only a little lower than when you first boot the unit up (when all fans go to full blast briefly).

Since my ReadyNAS is located in an area that I’d prefer to be more of the whisper-quiet noise level, I’ve shut down the VM and rebooted the ReadyNAS.  It’s back to the normal noise level, but I see how, if my home office were anything like the office I spend most of my day in (inside a computer room), I wouldn’t even notice the noise.

Another factor is longevity: if the ReadyNAS fans have to run that hard, it can’t be good for the life of the unit.

February 2, 2010 at 12:10 am
