I work with PLCs for a living and have always known just enough about PCs and Networking to be dangerous. I've got a question about setting up my home network and firewalls etc. Right now I use a Linksys router to connect my home PCs to my DSL router and the internet. On the wireless side I used WEP and non-broadcast. For the connection to the modem I turned on the Linksys Firewall, blocked some ports and checked performance thru GRC.Com.

All looks pretty good, but I was wondering. I've been reading about people setting up a PC running Linux to serve a the router and Firewall. Letting the Linux PC replace the routing functions of the Router. Does that mean the PC needs multiple ethernet cards? Or what exactly happens in that scenario. Can a more PC Guru minded member explain it to me? And remember you're talking to a networking neophyte.

as far as i recall, regardless of used OS it is possible to have router function using just one NIC but the problem with that is security.
proper way is to have pair of NICs (one for WAN, one for LAN). LAN side connects to any ethernet switch or hub (this gives you needed multiple ports for other computers).

Corallary questions to the gurus. Does network traffic from Lan Adapter to Wan Adapter take up OS and CPU overhead on the host PC?

You need two Ethernet cards and the PC that is screening and passing through the traffic uses its CPU time. Not the client PCs.
We used an older PC and installed linux on it to do exactly what is being suggested here. It really isn't a good idea because you can get dedicated routers in a box with embedder firmware that will come back on line MUCH faster after a power outage and are less susceptible to have their code modified.
We just replaced our Linux router with a $200 embedded router/firewall. It has at least two Ethernet ports. One of the WAN and at least one for the LAN.

Unless you are just wanting to "play", there is not a more efficient, cost effective, and secure arrangement than you currently have.

The only changes that would improve internal security a little bit would be to change the wireless security to WPA instead of WEP, and use the MAC address filtering capability in the Linksys.

Unless you are doing any port forwarding in the router, the NAT (Network Address Translation) function in the Linksys makes your PCs invisible to the outside world.
---------------------------------
My two cents and five bucks will get you a small Starbucks!!

If you are looking to enhance your internet performance, www.opendnc.com has helped mine, I have a cable connection with a company who has filed for chapter 11 and they are struggling. OpenDNS also gives you some additional blocking options. I have their DNS setup in my router.

i also used to have old pc running linux. it works but dedicated router/firewall is way to go. WEP is the weakest encription and it is easily hacked (this was explained step-by-step even on THG). if you keep importand things on your machines, do banking, taxes, personal data or whatewer, change the encription to WPA2 (or WPA) since WEP is history:

http://en.wikipedia.org/wiki/Wi-Fi_Protected_Access

sensitive files are also better kept in a vault. I'm using TrueCrypt:

http://en.wikipedia.org/wiki/TrueCrypt

Thanks Panic I'll give WPA2 a try. I'm also using a non broadcast SSID.

Yes, Linux works great for that. Even better is OpenBSD since this is the most secure operating system in existence at the current time, even compared to Cisco routers. *nix PC's are faster than routers until you get into the 5 digit figure range for routers. Example of how simple a router can be:
http://www.freesco.org/

Example of how much performance you can expect from a PC-based router vs. Cisco equipment:
http://www.vyatta.com/downloads/other/Vyat...ement_Guide.pdf

Keep in mind that the bootup time can be quite long for Cisco equipment and that the primary limitation on a PC is the OS bootup time. If you run it without say X Windows and various other "nice to haves" running (strip out everything not needed), bootup times with current versions of Linux are measured in seconds.

Another nice thing is that you can trivially do "firmware upgrades" on your router, and that it will support far more standards in terms of configuration than I ever get with Cisco stuff. You can also go absolutely crazy with the firewall functions which are far better than the hardware-based ones. And you can also load up the PC with various "DMZ" functions such as acting as a file or web server, realizing of course what the primary mission is should you choose to do this.

As to multiple Ethernet cards...picture your router. How many Ethernet ports does it have? Yep, two minimum. One faces the LAN. One faces the WAN. You need this to physically isolate everything. Otherwise, you'll have WAN packets traipsing across your secure LAN. Not good. If you have lots of ports, you can attach other things of course but at the prices that Ethernet switches are going for these days, that's kind of pointless.

Case in point: a major WISP (wireless ISP) in Central Oregon uses a fast OpenBSD router for their entire system, and they handle megabits (multiple T3's) worth of traffic over the WAN. The primary reason for doing this might surprise you though. It's not a performance/price issue. It's simply that they are using Motorola's wireless gear which is extremely good for wireless WAN's as far as the radio/hardware goes. But apparently the router and DHCP functions are not...they crash and they have a bunch of performance issues. On the other hand using PC's for the routing/DHCP functionality, they can push tens of thousands of packets per second without breaking a sweat, and the stuff is less expensive (easier to replace if something goes wrong) and faster.

You can also have the PC do wireless AP functions depending on the card. The WRT54G is a rather famous and extremely programmable wireless NIC that can be used to do this kind of thing.

As mentioned earlier, "WEP" is anything BUT equivalent. It uses a screwed up version of a really good stream cipher. That's two strikes against it. Stream ciphers are NOT meant to be used in block mode (reset after every packet), and the particular cipher they use is secure if you throw away the first few bytes of output (it leaks a bit of your key in the first few 4-5 bytes, especially the second byte). WEP does neither and hence the reason that with every packet, it leaks a little more key. By forcibly sending bogus packets at the AP, you can actually collect enough pieces of the key to decrypt it in the clear in a few minutes with current WEP hacking software.

If you can, try to use WPA (or WPA-2) for security. If you can't, then use WEP-128 as a minimum.

Also, not-broadcasting SSID is nice but want to know what's even better? Lock down the MAC's at your AP to only accept your chosen list. It is still possible to hack it (by spoofing a known MAC) but this is a level of sophistication that you hardly ever see, while you can trivially hack WEP with downloadable software. Hiding your SSID makes it more difficult but there's software to take care of that problem, too.

As to performance...an Ethernet card for the most part is simply going to receive the packet into memory. It's not going to handle analyzing and processing the packet at all. If you are under 100 Mbps I wouldn't worry anyways...almost any PC can handle full 100 Mbps full streams without a sweat, and I haven't heard of too many people with multiple T3 capability for a "home LAN" except for perhaps Mr. Gates. As you get into the gigabit range, the PC front end becomes a serious bottleneck. The way around it is to use "TOE" (TCP/IP Offload Engine) which moves the TCP/IP front end processing from the CPU onto the NIC card. This is critical in getting maximum performance if you are doing gigabit+ iSCSI (hard drive connections over Ethernet).
http://www.10gea.org/tcp-ip-offload-engine-toe.htm

Fortunately these days, TOE cards aren't very expensive especially in comparison to the usual source for those hard drive services (SAN's, at a price tag of $5K-$500K depending on which vendor you are talking to), and much cheaper than a FibreChannel switch and/or NIC cards.

So...the short answer is yes, if you have a spare PC laying around, Linux or a modified (stripped down) *nix box makes a great router if it has two Ethernet ports. For space/power/heat reasons at the very low end (home router) though, personally I still use an off-the-shelf router and I'd recommend the same to everyone else. Trouble is a lot of them are very cheap (as in buggy as all get out and unstable). Try to find something that appears to be targetted more towards the business market if you can (expect to pay around $200 US).

As always Paul nice usefull information.

Makes me regret getting rid of that old boar anchor PC I had, but sounds like WPA2 and MAC filtering on wireless and I should be relatively secure, especially since I'm using the NAT for PC connection s to internet.

Great input, Paul.

I'll agree that for home networking, an inexpensive firewall/router device is the simplest and best way to go. The lowest-priced stuff on the shelf usually isn't worth your money; I have had especially poor luck with D-Link routers.

I prefer Linksys hardware, because of the large installed base and excellent open-source packages available for their runaway best seller, the WRT54G wireless router. For years, my little lab inside the Rockwell Automation sales office was separated from the enterprise network by a BEFSR41 wired router.

I'm actually going the opposite direction from Peter. I am running a CD-based distribution of the FreeBSD Unix-based firewall called m0n0wall in my office this week to get familiar with it because I plan to install it in the community WISP at my marina to replace a handful of hacked WRT54GL routers, and I plan to install it to replace a Linksys BEFVP41 "VPN Router" at my father's small business.

The more features that vendors (and open-source enthusiasts) try to jam into the smallest hardware footprints, the less stable and functional they seem to be. I want to make the Access Points just be Access Points; I don't want them to attempt stateful packet inspection or provide traffic shaping.

I timed the m0n0wall computer for startup this morning; 92 seconds from beep to login. That's perfect because that's about how long it takes for me to brew the first cup of coffee.

IF we're going to be nostalgic for years my home network ran off a BEFSR41 as well, later had an Airport WAP added. Finally had to switch to a WRT300N when a new Vista PC I'd just purchased refused to communicate with the BEFSR41 and Microsoft and HP both told me I would have to buy a Vista compliant router.

Now I'm shooting for a spot somewhere in the middle.

There's a giant computer surplus place called Re-PC in the industrial south end of Seattle, to which I make the occasional pilgrimage.

Today was a good haul; a 24-port Netgear switch in the middle of a larger stack of 24-port Netgear hubs.

And the mystery purchase: a Watchguard Firebox II security appliance.

The prudent thing to do is to write down all the device information, go to the nearest Internet hotspot, and do some research before making the purchase decision. Re-PC is almost 100% as-is, no refunds, no returns.

But for twenty bucks... I bought the one on top. There's two more, including one still in a box.

Upon review, I think I got just the thing. Inside is a x86-based motherboard with a 200 MHz Pentium MMX processor, what looks like 64 MB of RAM, two PCI slots, a 44-pin IDE connector, and a hidden keyboard connector. I found a couple of blogs indicating people had installed the m0n0wall firewall software without much challenge.

I'm going to double the RAM and use a CF card adapter instead of a hard drive and see if I can put this into service as the main firewall at the marina. It was designed in downtown Seattle and built in China, so it's only appropriate we should use it here on Northlake.

Speaking fo DT Seatac how are things on the Junk Roach this year. Had her away from the dock yet?

I'm a little late, but here goes (for your home application):

1. WPA2 (or even WPA) is a must. It's safe against a determined attacker given a reasonable passphrase (pre-shared key). WEP is trivially broken.
2. Not broadcasting your SSID is probably a waste. Packet sniffers still catch the traffic and log that. It's really only good to keep the casual user from trying to connect, which encryption will accomplish.
3. MAC filtering for wireless client access is also a waste for the same reason. Packet sniffers and spoofing is trivial. Paul - I was surprised to find this, too. ACLs are very applicable applicable in a wired environment...

I had good luck with m0n0wall as well. Linux based routers (a PC with 2 NICs) can be very powerful and cheap. If you want to learn or do some obscure things then this is the way to go - permanent GRE tunnels/VPNs/act as an enterprise router/etc.

For a home application I'd recommend just using an appliance router (it's basically the same thing, but pre-configured and pre-canned). I especially like my D-Link "gaming router" for the super easy to configure QoS. They're locked down pretty tight and support a number of cool features.

S/V Osprey is a sloop, not a junk ! I pried back some carpeting this spring and found out she's actually Coast Guard documented, so I'll be able to get her back into Federal registration and carry a little piece of the USA with me into the frontier waters of Canada this fall.

I'm learning about routers and wireless in order to help out with the WiFi co-operative we run here in the marina. Today there's a WRT54GL running Tomato 1.25 firmware acting as the firewall and DHCP Server for about 30 simultaneous clients, and it's working pretty hard.

Somebody's got a guest in the marina who keeps starting up a BitTorrent server and bringing our network to its knees. Because it locks up the router, we lose the diagnostic information about who did it every time we cycle power. The m0n0wall will just let me restrict P2P traffic to a small percentage of the available bandwidth. He'll still be able to connect, but he'll have to sip instead of gulp bandwidth.

Osprey's ancient Atomic Four gas engine is getting a new Perlux magnetic pickup ignition this weekend and going for a daysail to check that out. The SeaTow subscription is looking better and better, but I can't quite nail them down on what they mean by "service provided during traditional boating season". What, my New Year's Eve Starlight Sail isn't traditional ?

Ken - you can also block ports 6881-6889. The Bit Torrent ports can be changed, but it might help if he's a novice or not very determined.