Creating my own Router/Firewall/NAS/VPN server.


Syllinger

Occasional Visitor
Hey guys,

Well, first off, the project that I am about to discuss spans over several different areas, but I figured that this section of the forum would be the best place to start.

So, I have a few questions, and I'm not sure if it would be better to break this project up into several components, but my goal is to consolidate as many functions as possible. As the title suggests, I'm trying to convert an older machine into a mega server that accomplishes everything on my home network bar switching and wireless functions (I will be using a gigabit switch and a wireless N access point for those).

The hardware specs are reasonably powerful. The system will be running a Core 2 Duo E6600 with 4GB of RAM (easily upgradable to 8GB if necessary, but I only have 2 DIMM slots on my mATX motherboard). I am looking to run a RAID array (undecided which type) for disks commonly accessed as well as larger/slower backup drives that will be updated daily.

My main questions are:

From a security standpoint, is this consolidating too many devices into one? I'm not running a corporate or SMB network here, just something for my home. I also read another forum where someone suggested having a NAS/router system would expose the computer to the internet, but if properly set up, is that really true?

How would I go about doing this from a software standpoint? Is this even possible? I've heard of Linux, UNIX or BSD OS software for each individual device, but not something that would be all encompassing. I haven't used Linux in a while, but I figure that it's time I revisit it anyway. This is more of a learning project than it is practical.

The original idea came from the fact that I wanted to find a hardware router that I could flash the firmware on. I was looking to run Tomato until I found out that it doesn't support many routers, and there is no wireless N support at all from what I can tell.

Anyway, I realize that this project may sound a bit superfluous, but I would really appreciate it if someone could steer me in the right direction. I'm also open to suggestions as to what OS I should use. Should I be looking at something like Windows Server, or an Ubuntu server?

Thanks for reading.
 
I recommend against overloading. Even outside of the security issue, if your router fails you have no NAS, and vice versa.

On the security issue, your router is on your network perimeter, it should conceal and hold secure any other machines inside that perimeter, by combining that functionality you are putting your files where they are easiest to get for an attacker.

Additionally, depending on your usage patterns, the performance requirements for both on the same machine may be expensive. A good router does SPI, stateful packet inspection. Each packet pulls up its skirt as it goes by, and the router says ok. At the same time the machine is fielding requests for storage and translating them to disk addresses.

Combining the two means you'll have to compromise.

Beyond the strong recommendation that you let form follow function, building a machine geared towards the purpose you intend (I recommend running your NAS apart from your HTPC for the same reason), what you are suggesting can be done.

If you are bent on doing this, there are three approaches you can take:

One, you can find software (open source) that works as a router, and open source software that handles NAS requirements. Both need to have the same underlying OS. There are three open source OSes to look at: FreeBSD, Linux, and OpenSolaris.

You'll have to pick a primary distro, and then weave in the additional functionality, for example

pfSense and FreeNAS run under BSD.
Openfiler and IPCop/Astaro/Endian etc. under Linux.


Two, you can get one of the small office server distros, which tend to be compromises:

Under Ubuntu there is a distro called Zentyal which is an office uberserver (I don't know much about it), but it looks like a compromise.

Under Redhat, there is ClearOS, which seems to do heavy overloading.


Three, you can run two separate distros on the same physical machine, each under a separate VM - ESXi and VMware will let you do that, at the cost of some performance.


If someone put a gun to my head and said, one machine, two functions, I'd go with the VM approach - at least you'd have two logical machines that run separately.


Building your own NAS or Router can be a challenge, take a look at a couple articles here on SNB:

Build Your Own IDS Firewall Router With pfSense

DIY Openfiler NAS/SAN

Hope that helps
 
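Greg's point about SPI and the perimeter, as an added illustration that is not part of anyone's post here: a toy stateful filter that lets LAN hosts open connections outward, admits inbound packets only when they belong to a flow the LAN side opened, and drops everything else, which is exactly why a NAS sitting behind such a router is not reachable from the internet while the same SMB service on the router itself would be. The LAN range, the state timeout, and every packet are constructed values for the demo.

```python
"""Toy stateful packet inspection (SPI) filter (added example, constructed data).

Models the core rule a perimeter router applies: traffic may leave the LAN,
inbound packets are accepted only if they match a flow the LAN side opened,
everything else is dropped. Packets are hand-built 5-tuples, not captures.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")   # assumed home LAN behind the router
STATE_TTL = 60                        # assumed idle timeout (seconds) for a flow entry


@dataclass(frozen=True)
class Packet:
    proto: str    # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ts: float     # constructed timestamp in seconds


class StatefulFilter:
    def __init__(self):
        # state table: LAN-originated 5-tuple -> timestamp of last packet seen
        self.table = {}

    @staticmethod
    def _key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p):
        # the tuple an inbound reply would have to match to belong to an existing flow
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def _expire(self, now):
        dead = [k for k, last in self.table.items() if now - last > STATE_TTL]
        for k in dead:
            del self.table[k]

    def decide(self, p):
        """Return 'pass' or 'drop' for one packet and update the state table."""
        self._expire(p.ts)
        if ip_address(p.src) in LAN:
            # outbound: record the flow so its replies are admitted
            self.table[self._key(p)] = p.ts
            return "pass"
        rk = self._reverse_key(p)
        if rk in self.table:
            self.table[rk] = p.ts   # refresh the idle timer
            return "pass"
        # unsolicited inbound traffic, e.g. someone probing the NAS's SMB port
        return "drop"


def run_demo():
    """Feed a constructed packet sequence through the filter; returns the decisions."""
    f = StatefulFilter()
    packets = [
        # LAN PC opens HTTPS to an external server (203.0.113.5 is documentation space)
        Packet("tcp", "192.168.1.10", 50000, "203.0.113.5", 443, ts=0),
        # the server's reply matches the recorded flow
        Packet("tcp", "203.0.113.5", 443, "192.168.1.10", 50000, ts=1),
        # unsolicited SMB connection attempt from outside to the NAS
        Packet("tcp", "198.51.100.7", 40000, "192.168.1.20", 445, ts=2),
        # a late "reply" arriving after the flow entry has expired
        Packet("tcp", "203.0.113.5", 443, "192.168.1.10", 50000, ts=100),
    ]
    return [f.decide(p) for p in packets]


if __name__ == "__main__":
    for d in run_demo():
        print(d)
```

The third packet is the case the thread is about: with the NAS on the LAN side, the probe is dropped because no LAN host asked for it; put the file shares on the router itself and there is no such table lookup standing in the way.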
Hey Greg,

Thanks for the reply and especially for being so thorough. That gives me a lot to think about. I've dabbled in networking in the past, to the extent of programming routers and switches, but I haven't really approached it from a software standpoint.

I'd prefer to keep this as low cost as possible. The only reason that I said anything about Windows is because I have Home Server, and I actually have access to a corporate copy of Server 2008 with 5 user CALs (more than enough for my needs). But, that in mind, I'm sure some of those recommendations are going to be expensive. ClearOS was the one that I stumbled upon while browsing the net, but I didn't really like the feel of how it works. I would prefer a Windows/*NIX kernel and simply modularize it.

So, at this point, how should I be looking to split this up? Should I be running a VPN/NAS server and then pick up a separate Router/Firewall/Switch/WAP combo? The only problem is that I want to run Tomato, or at least DD-WRT and it looks like support is very limited with respect to Wireless N. Even OpenWRT doesn't seem to have much support for it.

I've been reading the DIY NAS articles, there are about 7 of them I think. I've only read bits and pieces of each, but I'll focus around the article that talks about building a "Big NAS" because the hardware specs are virtually the same.

Also, I'll check out Zentyal and see if that will work for my needs. What I'm trying to address now is definitely the router with customizable firmware. End User firmware just seems to be complete garbage these days, horribly undeveloped, and sometimes the functionality doesn't even work correctly upon the final release. Not a satisfactory attempt by the manufacturers in my opinion.

Also, I've read nightmares about how a VM approach to anything is a MASSIVE performance hit. Has this been improved lately? You say some performance, what I've read usually documents MOST performance.

Finally, I've never heard of SPI, I'll have to look into it. What becomes the point of a firewall then? Aside from blocking access through certain points if the router is handling all of the packet inspection?
 
So, at this point, how should I be looking to split this up? Should I be running a VPN/NAS server and then pick up a separate Router/Firewall/Switch/WAP combo? The only problem is that I want to run Tomato, or at least DD-WRT and it looks like support is very limited with respect to Wireless N. Even OpenWRT doesn't seem to have much support for it.

I'd look at pfSense, it is much like DD-WRT but will run on an old laptop. Stick with version 1.2.3. It has Intrusion Detection, Firewall, Proxy Server, Anti-Virus and a bunch of other security features. There is a series of articles about pfSense as a Unified Threat Management (UTM) Server here that lays out a lot of the functionality. It also supports three different types of VPN.

I've been reading the DIY NAS articles, there are about 7 of them I think. I've only read bits and pieces of each, but I'll focus around the article that talks about building a "Big NAS" because the hardware specs are virtually the same.

I think the forums cover more diversity in NASes. You can probably build a compact NAS for less than three hundred bucks ( mITX Atom board + Memory, A Case, and a Sata card ) less if you go EBay - using FreeNAS.

I'm currently looking at a build using Nexentastor (OpenSolaris), it allows for differing sized disks and is easily expanded ( like how WHS used to be ) and supposedly has good performance.



Also, I've read nightmares about how a VM approach to anything is a MASSIVE performance hit. Has this been improved lately? You say some performance, what I've read usually documents MOST performance.

You'd probably need a beast of a machine to get excellent performance for both router and NAS. But I think the VM Kernels are pretty lean these days. I don't have personal experience, but enough folks are doing it, so it can't be outrageous.

I'm looking at VMs to allow for iSCSI sharing of the same filesystem across multiple network nodes.


Finally, I've never heard of SPI, I'll have to look into it. What becomes the point of a firewall then? Aside from blocking access through certain points if the router is handling all of the packet inspection?

SPI is yet another way, above a firewall to try to make a network more secure. Intrusion Detection relies on SPI.

Let us know the way you go, and I'd be interested in hearing about Zentyal.
 
Hmm, I might give pfSense a try, but you may have swayed me in your original response. I'm starting to think that this project is not such a good idea after all. It makes sense for simplicity in terms of network management, but it sounds like it's going to be far too much work to set up, ensuring that everything is compatible and whatnot. I have that article you are talking about saved, but I haven't read it yet. I also didn't recognize the term "UTM," so thanks for clearing that up.

The problem is that I have one extra computer that I wanted to use as the NAS box, but if I were to split this project up, I wouldn't have anything to run pfSense on. Should the NAS be completely separate from the UTM? I wanted the Core 2 Duo E6600 to end up being my NAS server, because it's relatively powerful and will probably be hammered constantly. I was also planning to run a small web server on it for personal use, but I'll set that up after I get all this out of the way. I imagine I could use pretty simple hardware for the UTM, could I not? I mean, when was the last time you saw a router outside of an enterprise environment with beefy hardware?

So, I'm thinking that I should keep all my data behind the router, but if that same device could act as a firewall, Proxy Server, Anti-Virus, and offer VPN support, I figure that's as good as it gets.

Different sized disks don't really interest me, but I read an article on OpenSolaris and I was pretty keen on trying it out. I've always hated Apple, but when I delved into some of the features of OS X, I enjoyed my experience. The problem is that I felt too restricted in a lot of cases where even Windows provided more functionality. I was looking for something better, not just something different. This article explained that OpenSolaris was probably the answer.

All of my disks are either 1 or 2 TB, and although I would like the scalability, learning a whole new OS on top of it might be difficult.

I'm looking at VMs to allow for iSCSI sharing of the same filesystem across multiple network nodes.

I'd be lying if I said that this isn't over my head. After a quick search of iSCSI though, sounds interesting.

So many layers of security these days. I'm not confident on whether I'm going the Zentyal direction yet, but I'll definitely give the distro a look and see what it offers.
 
Should the NAS be completely separate from the UTM?

That is how I roll :) But others differ. Do you feel the need for the extra security that is offered by a UTM? Do you need a VPN Server? Other than an admirable desire to learn, is it compelling? Added storage of a NAS is always useful.

Separate is also a good idea if you are going to be hitting your NAS hard and heavy, like you said. Take a look at FreeNAS, it is plug and play, administered through a web interface, pretty straightforward. How many SATA interfaces does your MB have?

In the IDS article I pointed to, the router, Cerberus, cost $360 bucks with nice accoutrements. And with all of that added security it still performs as well as the best routers in the SNB Charts (and in many cases out-performs them, like in number of concurrent sessions). If you can find a used NetBook you can probably beat $200.

Where would we be if we didn't try to Buck Rogers a few things, just plain old computer geeks.

Keep us in the loop.
 
Seeing the title of the thread, I was going to also mention ClearOS. I've used it now and then at home, it's a well-groomed distro (developed from a branch of ClarkConnect).
 
That is how I roll :) But others differ. Do you feel the need for the extra security that is offered by a UTM? Do you need a VPN Server? Other than an admirable desire to learn, is it compelling? Added storage of a NAS is always useful.

Like I said, this is more of a learning experience than it is practical. Creating a NAS is the priority, but I am definitely interested in having a UTM just to figure out how it all works. I'm a bit of a closet computer nerd; I don't work in the field, but I dabble to an extreme degree staying on top of web technologies & design, networking, and programming. Obviously my networking ability is a bit rusty, and has always been the least developed of the three.

Separate is also a good idea if you are going to be hitting your NAS hard and heavy, like you said. Take a look at FreeNAS, it is plug and play, administered through a web interface, pretty straightforward. How many SATA interfaces does your MB have?

Like I said, I've been wanting to dip my toe in the Linux pool again, so I was actually looking at using Ubuntu Server instead of FreeNAS. That being said, they are both based on Linux, are they not? This should allow me to achieve the same functionality I desire by simply adding modules to FreeNAS, should it not? Or even look at something that's already been set up like Zentyal, and simply disable the features I don't want. The motherboard only has 4 ports, so I will be adding an expansion card for sure. I'm looking to accommodate 7 drives in total.

In the IDS article I pointed to, the router, Cerberus, cost $360 bucks with nice accoutrements. And with all of that added security it still performs as well as the best routers in the SNB Charts (and in many cases out-performs them, like in number of concurrent sessions). If you can find a used NetBook you can probably beat $200.

If you went the netbook route, how would you overcome the fact that they come with single LAN ports? Would you use a USB ethernet device? Wouldn't that hit on performance?

Where would we be if we didn't try to Buck Rogers a few things, just plain old computer geeks.

Watch it, I think you may be dating yourself a bit. I'm only 26 years old, my generation seemingly isn't cultured enough to identify with a term like that. Very valid point though, knowledge isn't really beneficial to anyone unless you put it to use.

Obviously, I have quite a bit of research to do, and I confess that I haven't read any of the links you provided in their entirety, yet. I will, once I hammer through this NAS series on SNB just to get a little bit more background on the subject. Then I will definitely be reading about the Cerberus setup.

I really appreciate all the help Greg.
 
Dude, ya gotta let your freak flag fly (yep, definitely dating myself ).

I've been wanting to dip my toe in the Linux pool again, so I was actually looking at using Ubuntu Server instead of FreeNAS. That being said, they are both based on Linux, are they not? This should allow me to achieve the same functionality I desire by simply adding modules to FreeNAS, should it not? Or even look at something that's already been set up like Zentyal, and simply disable the features I don't want. The motherboard only has 4 ports, so I will be adding an expansion card for sure. I'm looking to accommodate 7 drives in total.

FreeNAS is BSD based, pretty much turnkey. If you are looking to be more Linux smart, I'd recommend going Ubuntu and adding what you need to run it as a NAS (like mdadm). It is a lot less user friendly, but you'll learn a whole lot more.

A PCIe x16 SATA four port card should do the trick. One system drive, and 7 drives for your NAS. That means going software RAID, but if you want hardware RAID (I think more reliable) you'll need a RAID card; EBay is a good source for those (Areca, 3Ware).

If you went the netbook route, how would you overcome the fact that they come with single LAN ports? Would you use a USB ethernet device? Wouldn't that hit on performance?

You'd want to use an Ethernet-to-USB2 adapter (Trendnet TU2-ET100, cheap) for the WAN interface. USB2 is spec'ed at 60 megabytes per second, more than enough for most WAN side interfaces. And, as you suggest, an unmanaged switch on the LAN side. pfSense supports the Atheros chipset for the wireless interface.

Watch it, I think you may be dating yourself a bit. I'm only 26 years old, my generation seemingly isn't cultured enough to identify with a term like that. Very valid point though, knowledge isn't really beneficial to anyone unless you put it to use.

Barbarian! :) Guess what I'm saying is projects like this should have a cool factor, some edge and style - otherwise it ain't as much fun.
 
Alright, I think that I might put the router project on hold. It's an interesting concept, but I should really be focusing on the NAS box first and then branch out from there.

Also, I need something relatively quickly, and because I don't have a netbook or spare box on hand I will probably end up going with the ASUS RT-N56U Black Diamond, or the Netgear WNDR3700v2 N600 Wireless-N router/switch. It's just the only cost-conscious way to go about things.

I appreciate the help, and I will still be looking into a few different solutions for the future. My only real concern going forward will be the introduction of gigabit broadband providers, but I don't know how soon we will see those in the market.

With respect to the NAS, I'll probably make things hard on myself and end up going the Ubuntu/mdadm route, but we'll see how tough it really is. If it's too much, I might just default to FreeNAS. I've never used BSD, but from what I've read, there are quite a few similarities between Linux, BSD, and OpenSolaris. That said, I'm still leaning towards Ubuntu. I like their desktop refresh, and it seems a lot of other distros are now based around it, including Zentyal (based on 10.04). This way, if I want to transition into a stepping-stone product like Zentyal, it should be much easier to navigate.
 
With respect to the NAS, I'll probably make things hard on myself and end up going the Ubuntu/mdadm route, but we'll see how tough it really is. If it's too much, I might just default to FreeNAS. I've never used BSD, but from what I've read, there are quite a few similarities between Linux, BSD, and OpenSolaris. That said, I'm still leaning towards Ubuntu. I like their desktop refresh, and it seems a lot of other distros are now based around it, including Zentyal (based on 10.04). This way, if I want to transition into a stepping-stone product like Zentyal, it should be much easier to navigate.

They really are fairly similar except when you get to system admin, kernel semantics and device drivers.

Keep us in the loop, be interested in hearing how big a hassle it is to use a non-specific distro.
 
I've been looking to immerse myself in the power user functionalities of Linux for a while, but I didn't even think about giving BSD or OpenSolaris a shot originally. You've definitely given me something to think about.

I will probably end up sticking with my gut and going the Ubuntu route, but I may revisit the alternatives in the future, just to try them out. I realize that there will be a few differences with respect to drivers and the kernel, but I don't feel I'll be delving that deep. The system admin functions would probably (hopefully) be the only real hang-up.

I will provide updates, if only due to the fact that I have numerous questions. I will probably end up installing FreeNAS to start while I look at mdadm, but I've read a few guides that say that you can set it all up through Samba as well. I've got a Samba book kicking around somewhere by O'Reilly, but it's pretty old. We'll see what happens. I'll let you know.
 
If you are going the Ubuntu route then you will find decent documentation on setting up a RAID array using mdadm at http://raid.wiki.kernel.org/. Setting up Samba shares for fileserving duties is as easy as installing Samba (if it is not already installed) and configuring your network shares by editing the /etc/samba/smb.conf file. The smb.conf manpage can help you here. Setting up a Web server with Apache is also pretty straightforward if you are happy tweaking the configuration files located in /etc/apache2.

If you are comfortable with Linux, have some understanding of Linux admin, and are happy using the command-line then I think Ubuntu Server can be a good, flexible option. If not then a NAS distribution or an operating system you are more comfortable with (Windows?) might be an easier option.
 
Thanks for the input msl. Like I said, this project is as much to re-acquaint myself with Linux (from a command-line standpoint) as it is to get a stable NAS/Web server up and running. Apache and Samba are allegedly easy to use and set up, but I haven't heard much about mdadm, so I appreciate the link.

Also, I never really covered how the file structure in Linux works. I realize that it's based on a root directory, but I'm not used to the absence of letters for specific disks or partitions. I don't imagine it's going to be too difficult to adjust though.

Also, what am I going to get by going with Ubuntu Server instead of the standard desktop distro? Is Ubuntu Server simply Ubuntu without a GUI? Also, I've read about the torrent/downloading features of things like FreeNAS. That said, I don't know what a torrent server really is. What's the difference between that and simply sshing into a box running torrent software and adding a torrent file to the existing queue? Unless I could, for example, click a torrent link from my Windows desktop and have it automatically queued up on the "Torrent/Download server." What is the use of such a feature?

These are all things that I'm in the process of sorting through right now. I've used a simple computer running Windows 7 Ultimate as a server for a while now, administering it via RDP, but that's becoming tiresome. I don't really understand what a server distribution is going to provide me with that a desktop package won't, and I would love to have the functionality I explained, if it exists. If I download a file, I would like to simply save any downloaded or torrented content to the NAS server.
 
As a very general reference for where things live on Unix-based operating systems, including Linux, this Wikipedia page may help: http://en.wikipedia.org/wiki/Filesystem_Hierarchy_Standard#Directory_structure.

To make an Ubuntu server machine work as a "BitTorrent server", I have installed the transmission-daemon package of the Transmission BitTorrent client. This gives a web interface on the server for kicking off and monitoring BitTorrent downloads, which are saved to a directory that I have set up as a Samba share so I can access completed downloads direct from a desktop machine. I use the Autotrans add-on for Firefox to allow me to send a torrent link from Firefox straight to the server with a right-click option. The add-on has not been actively maintained for a while and also needs an add-on compatibility add-on to allow it to run in the latest versions of Firefox, but it does work.

Ubuntu Server and Desktop are not fundamentally different. Each just has a different set of default packages, including a differently tuned kernel. Once installed you are free to install or remove packages as you want. You can use a desktop install as your NAS if you prefer. The GUI will just be chewing up a bit more memory versus a command-line only server.
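msl's two posts above both come down to editing /etc/samba/smb.conf: once for the NAS shares and once for the Transmission download directory exposed as a share. As an added example (not code from this thread or from the Samba project), here is a small checker that reads an smb.conf and flags the share settings a home NAS owner most often leaves wide open, with a constructed weak config next to a corrected one. The parser covers only the syntax used here ([section] headers, key = value lines, # and ; comments); the share names, paths, LAN range and user names are assumptions.

```python
"""Flag smb.conf settings that expose a home NAS more than it needs to be.

Added example with constructed configs. The checks use real Samba parameters
('guest ok'/'public', 'read only'/'writable'/'writeable', 'valid users',
'write list', 'hosts allow', 'map to guest'); share and user names are made up.
"""
import re

YES = {"yes", "true", "1"}


def parse_smb_conf(text):
    """Return {section: {key: value}}; keys lower-cased with whitespace collapsed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = " ".join(key.lower().split())        # "Guest  OK" -> "guest ok"
        sections[current][key] = value.strip().lower()
    return sections


def _flag(share, *names, default):
    """First of the synonym parameters present in the share, as a boolean."""
    for n in names:
        if n in share:
            return share[n] in YES
    return default


def _is_writable(share):
    # 'read only' is the canonical parameter (default yes); 'writable'/'writeable' invert it
    if "read only" in share:
        return share["read only"] not in YES
    return _flag(share, "writable", "writeable", default=False)


def audit(text):
    """Return a list of (section, finding) tuples; an empty list means nothing flagged."""
    conf = parse_smb_conf(text)
    findings = []
    g = conf.get("global", {})
    if "hosts allow" not in g:
        findings.append(("global", "no 'hosts allow'; shares answer any address that reaches the port"))
    if g.get("map to guest", "never") == "bad user":
        findings.append(("global", "'map to guest = bad user' turns failed logons into guest sessions"))
    for name, share in conf.items():
        if name in ("global", "printers", "print$"):
            continue
        guest = _flag(share, "guest ok", "public", default=False)
        writable = _is_writable(share)
        if guest and writable:
            findings.append((name, "guest-accessible AND writable; anyone on the network can change files"))
        elif guest:
            findings.append((name, "guest-accessible; contents readable without a password"))
        if writable and "valid users" not in share and "write list" not in share:
            findings.append((name, "writable with no 'valid users'/'write list'; any Samba account can write"))
    return findings


# Constructed: the kind of config a quick how-to produces.
WEAK_CONF = """
[global]
   workgroup = HOME
   map to guest = Bad User

[downloads]
   path = /srv/nas/downloads
   guest ok = yes
   writable = yes

[backup]
   path = /srv/nas/backup
   read only = no
"""

# Constructed: same shares, restricted to the LAN and to named accounts.
# The Transmission daemon writes to the download directory locally, so the
# share itself can stay read-only for everyone who mounts it.
HARDENED_CONF = """
[global]
   workgroup = HOME
   hosts allow = 192.168.1.0/24 127.0.0.1
   map to guest = Never

[downloads]
   path = /srv/nas/downloads
   guest ok = no
   read only = yes

[backup]
   path = /srv/nas/backup
   read only = no
   valid users = syllinger
"""

if __name__ == "__main__":
    for section, msg in audit(WEAK_CONF):
        print(f"[{section}] {msg}")
    print("hardened config findings:", audit(HARDENED_CONF))
```

Run it against the real file with `audit(open("/etc/samba/smb.conf").read())`; `testparm -s` remains the authoritative way to see what Samba itself makes of the file, since the checker knows nothing about includes or per-share defaults set elsewhere.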
 