OK, not really "in the core", but the subject made you look at least. :) I'm interested in people's experiences with consumer-grade routers functioning in non-NAT mode; that is to say, running PPPoE to the ISP and routing a /29 or a /28. A sane filtering language and stateful firewall that can operate in non-NAT mode is a plus. My experiences with Linksys (and Netscreen, which isn't really at the price point I wanted anyway) have caused me to rip out substantial amounts of my already insufficient hair. "Cisco 1700 series" or "Cisco 2600XM" would be nice answers if their price had the decimal point moved one place to the left. Linux or other non-vendor-supplied firmware, while cool, represents an unacceptable support load for my application. Any thoughts? ---Rob
At 09:41 PM 7/30/2005, Robert E.Seastrom wrote:
OK, not really "in the core", but the subject made you look at least. :)
That's for sure! ;)
I'm interested in people's experiences with consumer-grade routers functioning in non-NAT mode; that is to say, running PPPoE to the ISP and routing a /29 or a /28. A sane filtering language and stateful firewall that can operate in non-NAT mode is a plus.
Have you looked at the cheaper (<$200) Netopia routers which have built in hardware IPSec, stateful inspection, and reasonably useful packet filtering capabilities? We also use and like the CyberGuard SnapGear series of routers which are cheap, fast, and reliable and the PIX501 is a great basic firewall for low traffic loads. Here are some links: http://www.netopia.com/equipment/products/3000/3300_bus.html http://www.cyberguard.com/products/firewall/SG_Family/ The 1721 is a good little box, but not in the same range with throughput (too low) or price (too high.) We have used NetGear's little 5 port switches for smaller colo clients, but their routers are too flaky to deploy to customers. Linksys is the same way. They work great 99% of the time, but every once in a while they have to be power cycled for some unknown reason. Good luck with your search! -Robert Tellurian Networks - The Ultimate Internet Connection http://www.tellurian.com | 888-TELLURIAN | 973-300-9211 "Well done is better than well said." - Benjamin Franklin
On Sat, Jul 30, 2005 at 10:11:28AM -0400, Robert Boyle wrote:
I'm interested in people's experiences with consumer-grade routers functioning in non-NAT mode; that is to say, running PPPoE to the ISP and routing a /29 or a /28. A sane filtering language and stateful firewall that can operate in non-NAT mode is a plus.
I think linux runs inside those. Vendor-supplied, yes, but if the OP wants to avoid linux altogether... No personal experience, but could a LinkSys/WRT45g with custom linux load be even cheaper? Can a cisco 1600 run PPPoE? -- Henry Yen Aegis Information Systems, Inc. Senior Systems Programmer Hicksville, New York
At 11:32 PM 7/30/2005, Henry Yen wrote:
On Sat, Jul 30, 2005 at 10:11:28AM -0400, Robert Boyle wrote:
I'm interested in people's experiences with consumer-grade routers functioning in non-NAT mode; that is to say, running PPPoE to the ISP and routing a /29 or a /28. A sane filtering language and stateful firewall that can operate in non-NAT mode is a plus.
I think linux runs inside those. Vendor-supplied, yes, but if the OP wants to avoid linux altogether...
That's correct. It is claimed to be quite hardened. We have around one hundred of their 550 and 575 boxes deployed and they seem to work pretty well although I prefer the PIX. The SG can do much more, but the PIX does what it does better.
No personal experience, but could a LinkSys/WRT45g with custom linux load be even cheaper?
Probably.
Can a cisco 1600 run PPPoE?
I've never tried it, but if they can run 12.2, they should do PPPoE. R Tellurian Networks - The Ultimate Internet Connection http://www.tellurian.com | 888-TELLURIAN | 973-300-9211 "Well done is better than well said." - Benjamin Franklin
Rob
Can a cisco 1600 run PPPoE?
I've never tried it, but if they can run 12.2, they should do PPPoE.
R
The only suitable one is the 1605R (because you would never dial on the same ethernet that your LAN is on, right?). A 20MB flash card and a 16MB SIMM you have around and you're up and running with 12.3. Go with a 1720 and 48/16 flash and you still require a WIC-1ENET (cheaper than the 1721; however, since the Cisco PPPoE dialer does not support dot1q [for absolutely no good reason], it makes little difference). Cisco has targeted this segment with the 83x series.... they are fairly decent, but you would need to run 12.3T/12.4. You can also target this with the obsolete 2610, 2620, 2621, 3620...... using network modules with additional ethernets. Joe
SCO Unix runs on CyberGuards older than 6.0 (aka Classic). A Linux 2.6 kernel runs on the 6.0 (aka TSP). As for the SG line... I don't know... At home I run a WRT54G with an open-source firewall image loaded into it... it is a little buggier than I'd risk my job on... I find CGs to be an enormous PITA, better than Sonicwalls, but not as good as a Netscreen or PIX. YMMV

-----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Henry Yen Sent: Saturday, July 30, 2005 8:33 PM To: nanog@merit.edu Subject: Re: NETGEAR in the core...
On Sun, Jul 31, 2005 at 05:07:41AM -0700, Sam Crooks wrote:
SCO Unix runs on cyberguards older than 6.0 (aka Classic) Linux 2.6 kernel runs on the 6.0 (aka TSP) as for SG line... I don't know...
The CyberGuard line was bought from SnapGear, who in turn bought it from Ozzies Moreton Bay. They have always run Linux, and they do it very well. While their user interface has improved over the years, there are still some things I'd like it to have that it doesn't, and it's not as pretty as, say, Netgear's. But from an operational perspective, I've got a couple dozen of these out as edge routers for client sites behind DSL and RoadRunner, and they Just Work. Easy install and config, gets the job done, never been attacked successfully from outside (so far as I know :-), and I have to reboot one roughly once a year, if that. Nice boxes, not too pricey. I'd shortlist them. Cheers, -- jra -- Jay R. Ashworth jra@baylink.com Designer, Ashworth & Associates, St Petersburg FL USA, +1 727 647 1274 | RFC 2100 | '87 e24 | Best Practices Wiki http://bestpractices.wikicities.com | If you can read this... thank a system administrator. Or two. --me
Robert E.Seastrom wrote:
OK, not really "in the core", but the subject made you look at least. :)
I'm interested in people's experiences with consumer-grade routers functioning in non-NAT mode; that is to say, running PPPoE to the ISP and routing a /29 or a /28. A sane filtering language and stateful firewall that can operate in non-NAT mode is a plus.
I have changed from direct PPPoE to Linux. It was an experiment only, but the box still stays here and I still have to use it from time to time. I have changed again. For a friend I had to connect a portable to the internet. I chose the Siemens Gigaset 105. I have seen that box with different names again, but it seems not to be too widespread. I literally grilled the first box. It was sitting on top of a wardrobe. Friday it worked. Saturday, not so sure. Monday the fire alarm went off. The box was silently replaced by the vendor. The new one had a new software version with new bugs, mostly about the wireless part. The ethernet part works fine for a pharmacy with five computers. They use only NAT and PPPoE, and they use it as an access point for the laptop. They don't dare connect the laptop to their pharmacy system, not even for printing. The box is stable now, but I would not choose it again. But it taught me I need a router too.

I chose a GrandStream ATA-486. The box is a VoIP gateway for old analog phones. That is why I chose it. It did not work behind my old Linux router (IBM 486-SCL/II 66 MHz). Guess why? Too slow! The ATA is a NAT router; that is why I chose it. It replaced my Linux router and has worked fine since then. Problems: it breaks from time to time when my ISP's forced disconnect hits every 24 hours. Mostly it works, but sometimes I have to reset it manually. It breaks traceroute. I don't know if it always did, but there could have been an automatic software update; it could have happened then. Experimenting, I have used the box as a router. I have used the box with both PPPoE and DHCP. It only does NAT.

Now I am looking for a real router. The Cisco PIX would be my choice if I had the money and if Cisco was a bit more adult. But seeing them mud-wrestling now, having experienced first hand how difficult and expensive it is to get updates, that company is out of the question.

My next choice will probably be some kind of Linux box that is supported, but that I can fix if I ever need to. I am still using my Linux router. Mostly it is a server now. For me their support is great: http://www.fli4l.de/ http://www.eisfair.org If I did not speak German, I don't know if I would have chosen it. But my box did run for years without me looking at it. I know quite some people who use it without ever looking after the box.
My experiences with Linksys (and Netscreen, which isn't really at the price point I wanted anyway) have caused me to rip out substantial amounts of my already insufficient hair.
Have a look at HP. Their support is great. I could get all my updates for free. Their downloadable handbooks, free, were good. I never had any problems with them.
"Cisco 1700 series" or "Cisco 2600XM" would be nice answers if their price had the decimal point moved one place to the left. Linux or other non-vendor-supplied firmware, while cool, represents an unacceptable support load for my application.
The support load for Cisco will be much higher than for the Linux box. Don't forget their red-tape department :)
Any thoughts?
http://www.nat32.com/nat32e/htm/dg834g.htm

Overview: The Netgear DG834G is a combined DSL Modem, NAT Firewall/Router, 4-port 10/100 Ethernet Switch and 802.11b/g Access Point housed in a rather large (26cm x 17cm) plastic case. The device can be wall-mounted to improve WLAN range, and an external antenna can be connected if needed. Internally, the DG834G contains a 150 MHz MIPS 4KEc CPU running Embedded Linux, the source code for which is available. Note that the D-Link G604T uses the same CPU and OS, so it most likely has very similar features and performance.
---Rob
Regards, Peter and Karin Dambier -- Peter and Karin Dambier Public-Root Graeffstrasse 14 D-64646 Heppenheim +49-6252-671788 (Telekom) +49-179-108-3978 (O2 Genion) +49-6252-750308 (VoIP: sipgate.de) mail: peter@peter-dambier.de http://iason.site.voila.fr http://www.kokoom.com/iason
Robert E.Seastrom wrote:
My experiences with Linksys (and Netscreen, which isn't really at the price point I wanted anyway) have caused me to rip out substantial amounts of my already insufficient hair.
What Netscreens did you try, with what version of ScreenOS? I admit that some of the newer (5.1 & 5.2) trains of ScreenOS have yet to stabilize, but 5.0.0r10 is pretty decent. In fact, the bits of this email are going to be sent through my 5XT on their way out to the 'net. ;-) As for Linksys, the WRT54G is a neat little box, but I've never found a Sveasoft or DD-WRT firmware that was rock solid. The Linksys boxes sort of remind me of Windows - OK if you don't mind rebooting them once in awhile. ;-)
On 31/07/05, Janet Sullivan <ciscogeek@bgp4.net> wrote:
As for linksys, the WRT54G is a neat little box, but I've never found a sveasoft or dd-wrt firmware that was rock solid. The linksys boxes sort of remind me of Windows - OK if you don't mind rebooting them once in awhile. ;-)
I can recommend http://www.portless.net/menu/ewrt/ -- Suresh Ramasubramanian (ops.lists@gmail.com)
Suresh Ramasubramanian wrote:
I can recommend http://www.portless.net/menu/ewrt/
Thanks, I'll check it out. Does anyone here have experiences to share (good/bad) about m0n0wall on soekris devices? http://m0n0.ch/wall/ http://www.soekris.com/
At 6:06 AM -0700 2005-07-31, Janet Sullivan wrote:
Does anyone here have experiences to share (good/bad) about m0n0wall on soekris devices?
I've heard really good things about m0n0wall, and we're planning on using it on one of the open-source projects I work on (but not on a Soekris). I'm also planning on using it on a Soekris net-4521 here at the house. I'm not fond of their DNS server or their time server (both of which I might try to replace or remove), but overall it seems pretty good. -- Brad Knowles, <brad@stop.mail-abuse.org> "Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety." -- Benjamin Franklin (1706-1790), reply of the Pennsylvania Assembly to the Governor, November 11, 1755 SAGE member since 1995. See <http://www.sage.org/> for more info.
On Sun, 31 Jul 2005, Janet Sullivan wrote:
Suresh Ramasubramanian wrote:
I can recommend http://www.portless.net/menu/ewrt/
Thanks, I'll check it out.
Does anyone here have experiences to share (good/bad) about m0n0wall on soekris devices?
After looking over the various WRT54G options, do any of them support native ipv6? :) (not the tunneled v6 over v4... native v6)
On Sunday, 31-July-2005 18:33, Christopher L. Morrow wrote:
After looking over the various WRT54G options, do any of them support native ipv6? :) (not the tunneled v6 over v4... native v6)
Sveasoft's Talisman does.

"Yes, support is in Talisman/basic. Current support is CLI-based up to layer 3 and includes radvd. Web interface additions to configure IPv6 options are planned. To enable support, do the following:

nvram set ipv6_enable=1
nvram commit
reboot"

http://www.sveasoft.com/modules/phpBB2/viewtopic.php?t=5812
On Wed, 3 Aug 2005, Sargon wrote:
Sveasoft's Talisman does.
"Yes, support is in Talisman/basic. Current support is CLI-based up to layer 3 and includes radvd. Web interface additions to configure IPv6 options are planned.
To enable support, do the following:

nvram set ipv6_enable=1
nvram commit
reboot"
Correct. You can create an in-memory startup script to do tunnel configuration, as well, with something like this (make the script as a text file in /tmp; for example, I'll use /tmp/mystartup):

$ nvram set rc_startup="$(cat /tmp/mystartup)"
$ nvram commit

As an in-use example, the contents of one such script I use are as follows. Note the explicit deletes, because the rc_startup can be run in a "warm boot" reset mode, where the interfaces are already up. I didn't bother masking any data from this list post, since anyone could look up my addresses via my Received: header, DNS, and traceroutes. <g> (Though I don't use 6to4 locally, I do have an outbound 6to4 interface -- something I recommend for all tunnelling users, so that 6to4 clients can get packets originating from your network more reliably/quickly.)

=====
#!/bin/sh

# tunnel to tunnelbroker.net with /64
ip tunnel del sit1
ip tunnel add sit1 mode sit ttl 250 remote 64.71.128.82 local 66.156.66.24
ip link set dev sit1 up
ip -6 addr add 2001:470:1F00:FFFF::1E5/127 dev sit1
ip -6 route add 2001:470:1F00:FFFF::1E4/127 dev sit1 metric 1

# assign local /64 address to router
ip -6 addr del 2001:470:1F00:342::1/64 dev br0
ip -6 addr add 2001:470:1F00:342::1/64 dev br0

# 6to4 outbound-only tunnel
ip tunnel del tun6to4
ip tunnel add tun6to4 mode sit ttl 250 remote any local 66.156.66.24
ip link set dev tun6to4 up
ip -6 addr add 2002:429c:4218::1/16 dev tun6to4

# default v6 route through tunnelbroker.net tunnel
ip -6 route del default via 2001:470:1F00:FFFF::1E4 dev sit1
ip -6 route add default via 2001:470:1F00:FFFF::1E4 dev sit1 metric 1
=====

-- -- Todd Vierling <tv@duh.org> <tv@pobox.com> <todd@vierling.name>
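A startup script like the one above goes into nvram and runs unattended on every boot, so it is worth checking that its addresses agree with each other before `nvram commit`: the sit1 /127 must actually contain the remote end, the default route must point at that remote end, and the 6to4 address must be the one derived (RFC 3056) from the router's own IPv4 endpoint, or replies from 6to4 hosts get tunnelled to somebody else's IPv4 address. The following Python is an added example and not part of Todd's post or of any router firmware; the `six_to_four_prefix` and `validate_tunnel_config` helpers are hypothetical names written for this example, and the sample values are copied from the script quoted in the thread.

```python
import ipaddress

# Sample values copied from the rc_startup script quoted in this thread
# (tunnelbroker.net sit1 link, 6to4 interface address, default route).
LOCAL_V4 = "66.156.66.24"
SIT1_LOCAL = "2001:470:1F00:FFFF::1E5/127"
SIT1_REMOTE = "2001:470:1F00:FFFF::1E4"
SIX_TO_FOUR_ADDR = "2002:429c:4218::1/16"
DEFAULT_VIA = "2001:470:1F00:FFFF::1E4"


def six_to_four_prefix(ipv4):
    """Return the RFC 3056 6to4 prefix 2002:V4ADDR::/48 for an IPv4 address.

    The four octets of the IPv4 address become the second and third hextets,
    e.g. 66.156.66.24 -> 2002:429c:4218::/48.
    """
    octets = ipaddress.IPv4Address(ipv4).packed
    return ipaddress.IPv6Network("2002:%02x%02x:%02x%02x::/48" % tuple(octets))


def validate_tunnel_config(local_v4, sit1_local, sit1_remote, six_to_four_addr, default_via):
    """Check that the addresses of a tunnel startup script are mutually consistent.

    Hypothetical helper written for this example. Returns a list of problems;
    an empty list means the values agree and the script is safe to commit.
    """
    problems = []
    link = ipaddress.IPv6Interface(sit1_local)
    remote = ipaddress.IPv6Address(sit1_remote)

    # The point-to-point link should be a /127 whose other address is the remote end.
    if link.network.prefixlen != 127:
        problems.append("sit1 address %s is not a /127 point-to-point address" % sit1_local)
    elif remote not in link.network or remote == link.ip:
        problems.append("sit1 remote %s is not the other end of %s" % (sit1_remote, link.network))

    # The default route must use the remote end of that link as next hop, otherwise
    # the next hop is unreachable over the tunnel.
    if ipaddress.IPv6Address(default_via) != remote:
        problems.append("default route via %s does not match sit1 remote %s" % (default_via, sit1_remote))

    # The 6to4 address must lie inside the prefix derived from the local IPv4 endpoint;
    # 6to4 relays encapsulate replies to the IPv4 address embedded in the prefix.
    six = ipaddress.IPv6Interface(six_to_four_addr)
    expected = six_to_four_prefix(local_v4)
    if six.ip not in expected:
        problems.append("6to4 address %s is not inside %s derived from %s" % (six.ip, expected, local_v4))
    if six.network.prefixlen != 16:
        problems.append("6to4 interface address should carry the 2002::/16 prefix, got /%d" % six.network.prefixlen)

    return problems


if __name__ == "__main__":
    result = validate_tunnel_config(LOCAL_V4, SIT1_LOCAL, SIT1_REMOTE, SIX_TO_FOUR_ADDR, DEFAULT_VIA)
    for line in result or ["configuration is consistent"]:
        print(line)
```

Run it against the values of a script before loading it into `rc_startup`; the same checks catch the common copy-and-paste mistakes (a /64 on the point-to-point link, a default route left pointing at an old tunnel endpoint, a 6to4 address carried over after the IPv4 address changed).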
On 7/31/2005 9:06 AM, Janet Sullivan wrote:
Does anyone here have experiences to share (good/bad) about m0n0wall on soekris devices?
I've used m0n0wall to great effect, and with pleasure, but alas not on a soekris box -- just on an old dell hanging out in the office. It worked like a champ. //jbaltz -- jerry b. altzman jbaltz@altzman.com KE3ML thank you for contributing to the heat death of the universe.
Suresh Ramasubramanian wrote:
On 31/07/05, Janet Sullivan <ciscogeek@bgp4.net> wrote:
As for linksys, the WRT54G is a neat little box, but I've never found a sveasoft or dd-wrt firmware that was rock solid. The linksys boxes sort of remind me of Windows - OK if you don't mind rebooting them once in awhile. ;-)
I can recommend http://www.portless.net/menu/ewrt/
I am a fan of OpenWRT. http://www.openwrt.org I have a number of these deployed and use OpenVPN on them talking to OpenVPN running on SUSE in my facility. Seems to be very stable. Roy Engehausen
On 31.07.2005 17:05 Roy wrote
Suresh Ramasubramanian wrote:
On 31/07/05, Janet Sullivan <ciscogeek@bgp4.net> wrote:
As for linksys, the WRT54G is a neat little box, but I've never found a sveasoft or dd-wrt firmware that was rock solid. The linksys boxes sort of remind me of Windows - OK if you don't mind rebooting them once in awhile. ;-)
I can recommend http://www.portless.net/menu/ewrt/
I am a fan of OpenWRT. http://www.openwrt.org
I have a number of these deployed and use OpenVPN on them talking to OpenVPN running on SUSE in my facility. Seems to be very stable.
Unfortunately neither of them supports native IPv6 (via pppoed). Or did this change recently? Arnold -- Arnold Nipper, AN45
On Sat, Jul 30, 2005 at 09:41:54PM -0400, Robert E.Seastrom wrote:
"Cisco 1700 series" or "Cisco 2600XM" would be nice answers if their price had the decimal point moved one place to the left.
Looks like a Cisco 1760 is $1086.65 'on the street' (well, online actually). Whereas the Cisco 837 is $448.96 'on the street'. Supports both NAT and DMZ interface (if you're running a new enough IOS), access-lists, easy to administer VPNs; in fact everything that we'd like them to at our smaller branch offices... Sadly not a decimal point shift, but much more affordable. -a
participants (17)
- Andy Davidson
- Arnold Nipper
- Brad Knowles
- Christopher L. Morrow
- Henry Yen
- Janet Sullivan
- Jay R. Ashworth
- Jerry B. Altzman
- Joe Maimon
- Peter Dambier
- Robert Boyle
- Robert E.Seastrom
- Roy
- Sam Crooks
- Sargon
- Suresh Ramasubramanian
- Todd Vierling