Building my own router...

swiftleeo

I want to build my own router. I have a few reasons for this. The main reason for this is that I want to use a VPN service for my entire home network. Previously, I bought a router with TomatoUSB firmware. It was fun to play with. However, even though it has the ability to utilize OpenVPN across the entire network, the encryption kills its puny hardware and along with it my internet speed. I also want to learn more about networking in general. I have enough knowledge of Linux to get it installed (I want to use a barebones Linux without a GUI for the network) and some commands. Whatever I can't figure out, well, there's Google (or StartPage is what I use anyway).

I have about 200mbps down, 10mbps up from my provider. With Wi-Fi, I tend to get about... 10mbytes/sec download speed and the upload speed gets up to about 2mbytes/sec. However, with a VPN, this comes crawling down to about 1mbytes/sec (and that's on the higher side) and the upload speed just doesn't even count anymore xD. I understand that encryption will tax the hardware, and I've noticed that I get much better speeds running it as a client on each system versus throughout the entire network with my puny Linksys E2500v3 with OpenVPN. So, if I build my own router with decent hardware, I assume that it will have the same effect as if I were to use a client version on each system, as long as the hardware can handle the encryption without much effort.

I'm looking for advice on what hardware to use for such a thing. I want it to be small form factor. For instance, Mini-ITX board, those super small boxes (small book size, e.g. Mini-Box)... I'm thinking around 4gb of DDR3L SODIMM. Most likely will use a small SSD to avoid the extra heat a laptop hdd would add. Depending on the size of the box, maybe a low-profile cpu fan just to help it out a little. Also the board would need to have at least two NICs, one for WAN and one for LAN. All of my devices connect wirelessly, so technically one would be enough, but in the future I may need an extra one, so might as well get it now. Also need a small PSU (that can be plugged in externally for power), and a Wi-Fi adapter. However, I know there are certain boards that have Wi-Fi built in. Would this be enough (and compatible with Linux?) or would I be better off getting an adapter with antennas? Of course, I would also need a CPU... I don't want to go crazy and get an i7 or even an i3 for that matter, as I feel that those would be overkill for something like this. However, seeing as I will be running OpenVPN on it, and most likely a few other things (Snort and such), I still want something that will not bottleneck the whole build and kill my dreams.
 
You're still going to use a separate wireless access point, I assume? Or were you intending to try and set up your software router as a switch/access point too? FWIW, I really don't think that's a good plan. It's not something I've looked into for a while, but last I did, it was not a good plan. Generally the best practice is to use a dedicated box as a Wireless Access Point, then connect that to the "LAN" (cable-ethernet) connection on your software router. You can just use your existing Linksys router, but turn off DHCP and connect your software router via cable to one of the LAN ports.

I've done what you're asking a few times now, but I've always used a pre-packaged software router solution. I've used m0n0wall (no longer being developed), OPNsense and pfSense. All are fantastic and support all the features you're talking about. Is there a particular reason you're trying to do this on a vanilla Linux build using the command line, rather than a pre-packaged and full-featured solution?

Re: hardware requirements, the only real challenge is the encryption associated with the VPN. Certainly pfSense (probably OPNsense too - but I'm not entirely sure) will leverage the AES-NI feature set on most recent processors, which makes a huge difference to VPN throughput.
One of the new Hyperthreaded Pentiums (like the Pentium G4560) would be a great processor for what you're trying to do.
This Gigabyte board supports that Pentium and has dual Intel NICs + wifi for under ~$115 if you're interested: http://pcpartpicker.com/product/gVZ2FT/gigabyte-ga-h270n-wifi-mini-itx-lga1151-motherboard-ga-h270n-wifi
You'd need DDR4.
Could get an M.2 SSD for a cleaner/simpler build too.

The routing bit is absolutely easy for that hardware (I have 100Mbps Internet running on an old Core2Duo something or other with 512MB RAM).
The VPN bit: as long as the software you're using can leverage the AES-NI features (which pfSense can - hence my recommendation to use it), you should be fine with a simple hyperthreaded dual core.
 
You're still going to use a separate wireless access point, I assume? Or were you intending to try and set up your software router as a switch/access point too?

Originally that was the plan, yes. I mean, I got the idea from the Linksys router I already use, seeing as it does both the routing and the wireless network. Would there be much benefit to using a separate access point as opposed to having it do both? Would the network speed then be bottlenecked by the access point, or would it still be based on the router I'm building?

Is there a particular reason you're trying to do this on a vanilla linux build using command line, rather than a pre-packaged and full featured solution?

Well, I know some of the basics of networking. However, I want to learn a lot more. Plus, I feel as if for my needs, a full featured router distro would provide a ton of features I'd probably never use. Plus I like the idea of knowing what my router is doing. With a distro of some sort, as well as my lack of knowledge in networking, I don't really know what's going on beyond the interface, and that's partly why I want to do it myself, at least for now. I'm majoring in Computer Engineering and I've always gotten joy out of messing with computers, building them, figuring out how everything works and such.

AES-NI feature set
Seeing as pfSense does it... With the right setup, my generic Linux distro would be able to leverage it as well. Correct?

EDIT: I also read somewhere that by default, OpenVPN uses OpenSSL for encryption/decryption. OpenSSL supports AES-NI, thus OpenVPN on its own should utilize the instruction set without any extra steps.

One of the new Hyperthreaded Pentiums (like the Pentium G4560) would be a great processor for what you're trying to do.
This Gigabyte board supports that Pentium and has dual Intel NICs + wifi for under ~$115 if you're interested: http://pcpartpicker.com/product/gVZ2FT/gigabyte-ga-h270...
You'd need DDR4.

As far as the processor goes, I was thinking along the same lines as a Pentium. Technically I have an actual spare desktop I could use that would more than run what I need it to... but it would be overkill and I would rather use the desktop for something else... not to mention the power consumption in comparison to the less power hungry mini router box. The board... looks solid. I only need two NICs so that's good... If I were to do the whole separate access point, would I need built-in WiFi or even an adapter? Wouldn't that be handled by the access point (e.g. Linksys)?
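The AES-NI question raised above (whether a generic Linux box running OpenVPN actually benefits from the instruction set) can be checked on the machine itself. The script below is an added example, not code from the thread or from OpenVPN, OpenSSL or pfSense: it reads the CPU flag list, then benchmarks OpenSSL's AES-256-GCM once with hardware AES available and once with it masked through the OPENSSL_ia32cap environment variable. The cipher is an assumption; use whichever cipher your VPN provider's OpenVPN configuration specifies.

```sh
#!/bin/sh
# Added example for this thread, not code from the original post or from
# OpenVPN/OpenSSL/pfSense: check whether the router CPU advertises AES-NI and
# whether the installed OpenSSL actually uses it. OpenVPN links against
# OpenSSL, so its VPN throughput depends on this. Cipher choice (AES-256-GCM)
# is an assumption; match it to your VPN provider's OpenVPN config.
set -eu

# Regex for a whole-word "aes" flag on an x86 "flags" line or an ARM "Features" line.
AES_FLAG_RE='^(flags|Features)[[:space:]]*:.*[[:space:]]aes([[:space:]]|$)'

# cpu_has_aesni FILE: succeed if the cpuinfo-style FILE lists the aes flag.
# Takes the file as an argument so it can be checked against a constructed sample.
cpu_has_aesni() {
    grep -Eq "$AES_FLAG_RE" "$1"
}

# aes_flag_count FILE: number of logical CPUs reporting the aes flag
# (cpuinfo prints one flags line per logical CPU). Prints 0 when none do.
aes_flag_count() {
    grep -Ec "$AES_FLAG_RE" "$1" || true
}

# openssl_gcm_rate [VAR=value ...]: the KB/s figure openssl reports for
# AES-256-GCM on 16 KiB blocks, run with any given environment overrides.
openssl_gcm_rate() {
    env "$@" openssl speed -evp aes-256-gcm -seconds 1 2>/dev/null \
        | tail -n 1 | awk '{print $NF}'
}

main() {
    cpuinfo=/proc/cpuinfo
    if cpu_has_aesni "$cpuinfo"; then
        echo "AES-NI: advertised by $(aes_flag_count "$cpuinfo") logical CPU(s)"
    else
        echo "AES-NI: not advertised; OpenVPN will use software AES"
        return 0
    fi
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not installed; skipping benchmark"
        return 0
    fi
    # OPENSSL_ia32cap masks CPUID bits: bit 57 is AES-NI, bit 33 is PCLMULQDQ
    # (used by GCM). Clearing both forces the generic software code path.
    with_hw=$(openssl_gcm_rate)
    without_hw=$(openssl_gcm_rate OPENSSL_ia32cap='~0x200000200000000')
    echo "AES-256-GCM @16 KiB: AES-NI on ${with_hw}, AES-NI masked ${without_hw}"
    echo "A several-fold gap shows OpenSSL, and so OpenVPN, is using AES-NI."
}

# Run the checks only when invoked as "sh check-aesni.sh check", so the
# functions can also be sourced by other scripts.
case "${1:-}" in
    check) main ;;
esac
```

Run it on the router as `sh check-aesni.sh check`. If the two rates are close, either the CPU lacks AES-NI or the OpenSSL build is not using it, and OpenVPN will be CPU-bound the same way the Linksys is. Even with AES-NI, OpenVPN moves every packet through a tun interface and user space, so expect it to fall short of the raw cipher rate; the check tells you whether the crypto is the limit, not that you will see line speed.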


 

Well that's where you'd need to do your research. Your 200Mbps Internet is actually pretty decent and many cheaper wifi units won't sustain that throughput. I note that the Gigabyte board I listed is only a single-stream solution, not sure the exact model number either. So question mark over Linux support, question mark over throughput and question mark over how well a consumer-grade wifi client will function as an AP.

Well, I know some of the basics of networking. However, I want to learn a lot more. Plus, I feel as if for my needs, a full featured router distro would provide a ton of features I'd probably never use. Plus I like the idea of knowing what my router is doing. With a distro of some sort, as well as my lack of knowledge in networking, I don't really know what's going on beyond the interface, and that's partly why I want to do it myself, at least for now. I'm majoring in Computer Engineering and I've always gotten joy out of messing with computers, building them, figuring out how everything works and such.
There's actually quite a bit of nuts-and-bolts networking setup involved in pfSense or the like. As a first go I'd encourage you to start there. If you get it all up and working easily and you still feel like a challenge, you can always go for a manual config on top of a Linux distro later. But for a long-term, functional router, use the tool for the job would be my advice... which is pfSense or OPNsense.

Seeing as pfSense does it... With the right setup, my generic Linux distro would be able to leverage it as well. Correct?
EDIT: I also read somewhere that by default, OpenVPN uses OpenSSL for encryption/decryption. OpenSSL supports AES-NI, thus OpenVPN on its own should utilize the instruction set without any extra steps.
You'd need to do your own research there, I'm afraid. I have no idea.

If I were to do the whole separate access point, would I need built-in WiFi or even an adapter? Wouldn't that be handled by the access point (e.g. Linksys)?
Correct - you would not need wifi if you were happy with a separate wifi AP (or router configured as an AP). Once you get to the dual-NIC boards, the wifi doesn't seem to add much extra cost though, so it might be an option if you want to experiment/play around with getting the AP working in future and fall back to the Linksys if it proves difficult or throughput isn't what you hoped.
 
Solution
Your 200Mbps Internet is actually pretty decent and many cheaper wifi units won't sustain that throughput.

Well I've got a Linksys E2500 which says it supports N600 which would mean 300mbps support on each band, and I only have 200mbps so it should be able to handle it. I also have a Linksys EA4500 which is N900 or 450/450, so that should be able to handle it as well, I think.

Correct - you would not need wifi if you were happy with a separate wifi AP (or router configured as an AP). Once you get to the dual-NIC boards, the wifi doesn't seem to add much extra cost though, so it might be an option if you want to experiment/play around with getting the AP working in future and fall back to the Linksys if it proves difficult or throughput isn't what you hoped.

True. Would the Wi-Fi support Linux or would it specifically have to state that it supports Linux? I would assume the latter as it would depend on the type of Wi-Fi. I'll just research it.

That about wraps up my question. You've given me a lot of help so I'll choose you as the solution.
 

If you're keen to learn about network and wireless, it's worth knowing that getting a real-world 50% of your theoretical bandwidth out of consumer wireless gear is actually pretty good. It's not at all unusual to get a fraction of that "300" or "450" mbps written on the box, and you'll never get anywhere near that number.

True. Would the Wi-Fi support Linux or would it specifically have to state that it supports Linux? I would assume the latter as it would depend on the type of Wi-Fi. I'll just research it.
You'd need to find the specific controller to see whether there are Linux or FreeBSD (for pfSense) drivers available for it.
I actually spent a few minutes when I recommended that motherboard trying to find out the controller. But it's not listed in their detailed specs or even in their PDF product manual (I checked). That's really frustrating and poor from Gigabyte. They should tell you exactly what you're buying.
Unless I missed it somewhere you'd have to contact Gigabyte to confirm. Or alternatively, just buy it and take the risk... you can find the wireless controller afterwards and see if it's supported.
 
If you're keen to learn about network and wireless, it's worth knowing that getting a real-world 50% of your theoretical bandwidth out of consumer wireless gear is actually pretty good. It's not at all unusual to get a fraction of that "300" or "450" mbps written on the box, and you'll never get anywhere near that number.

Well there always seems to be a difference in marketing vs. real-world usage. Mainly because bigger numbers sound better than less. They do the same with hard drives... Marketing uses 1,000 mb as a gigabyte, whereas computers use 1,024 mb for a gigabyte. Which is why when you buy a 2 TB hard drive, you lose about 250 gb (just an estimate, can't be bothered to check my external drive atm 😛). Plus everyone has different conditions... some have more interference than others... Not to mention the ISP they use and the strength of the connection and how close the servers are, etc. So there's always going to be a difference. I understand that at least. Even so, 200mbps is more than enough for my usage, even when the speed gets cut down a bit by wireless. What I really need is to be able to use a VPN across the network without sacrificing too much speed. I know that also depends on the service I choose and how close their servers are and what not, but I would be happy even getting 50% of my current speed. When I try to use the Linksys, however, it gets cut down by about 90% if not more, and is too slow to bear. Hopefully building a more capable system for handling the encryption will do what I need it to. I will most likely get a board with WiFi just because it doesn't seem to be that much more expensive, and who knows, maybe it will do what I need it to and then that's one less device to use.

I may actually wind up getting more than I need for this build... Maybe an i3 instead of a Pentium. Considering a bigger case than before (instead of a mini box type setup, maybe a standard-size mini-ITX case). Most likely will go with one of the newer i3s and chipsets so I can utilize DDR4. Also having a standard size would allow for more in the future... for instance if I need more NICs, I can fit more, whereas with the smaller box, it may not fit. It'll use more power, but compared to the other system I have that I'm not using, it'll be much much less. Not to mention it won't need a high-end graphics card like my gaming rig and so on. It comes down to either spending more and having more if I need it, or spending less and needing more and having to spend a lot more to upgrade it (one-time purchase of $120 versus buying a $60-70 processor and then another $120). Plus I'm fortunate enough to have the means to have a more... "flexible" budget than most. I don't want to spend more than $400-$450 on something like this, but it'll be worth spending that much so I can do more with it and not be held back by limitations. Something I learned from getting barely entry-level laptops when I was younger. For the most part (with exceptions), if you go cheap, you get cheap.

Also, is the i3-7100 (Kaby Lake) dual-core 3.9GHz a good choice?
 
Don't get the i3-7100, it's basically the same CPU as the G4560 but with a very slight clock speed bump. Save your cash or spend it elsewhere. Remember that whatever board you get is compatible with any Skylake or Kaby Lake CPU, so if you do decide to turn this into a gaming rig or whatever in future, the Pentium might cut it, but if not, just drop in an i5 or i7 and you're good to go.

Mini ITX is fine, but one card only. So you can't add a NIC and a GPU, it's one or the other. If you're happy with that limitation then go for it, otherwise, look at mATX, which gives you a bit more flexibility in future.

I agree with your comments on spec - stretch, but wifi is particularly bad. I regularly get 115MBps over 1Gbps ethernet - which is over 90% of the theoretical max. Wireless, as I say, you're lucky to get 50%.

Good luck with the build.