Is building your own router now a thing?

So I stumbled across this not long ago, "Numbers don’t lie—it’s time to build your own router", and I was curious what other people think of the idea. I mean I definitely like the idea on some level - though on another I'm feeling nuts when you buy a dedicated x86 computer to be the router, to send the packets to your dedicated x86 computer which is your desktop, saving the files to a dedicated x86 computer which is your homebuilt NAS. :) Sometimes I wonder if we could do it with just one... or add other functionality besides routing... but between performance issues, and things that came out in the Edward Snowden revelations about high end routers right through to Cisco having back doors, I find myself thinking it's not a bad idea after all.

I'm curious if there is a "go to" place to discuss such things, especially if instead of multiple 1gig someone is looking at more like 10gig speeds (or attempting to), or what the limit is if you need a lot of ports (I've seen 4 ports on an x1 card but haven't seen many mobos with more than 3-4 PCIe x1 slots besides the one or two x16 slots, despite seven allowed on the ATX standard), how the power usage works out vs 'professional' routers and similar.

What's your take, and if you wanted to build this where would you suggest researching?
 

RyC

I do all three of your use cases in one physical machine using virtualization. Plenty of people have dedicated machines running a router/firewall package or dedicated OS for one reason or another. pfSense is probably the most popular one for this if you wanted to start researching there. Sophos also has another popular router/firewall OS.

You can probably look around the Networking section. There's a lot of pfSense and related topics already there. Personally, I use pfSense because it doesn't cost me any extra electricity to run it (since the physical machine has to be on running other tasks anyway) and it has features I use that aren't in normal consumer routers.
 

pricklypunter

I'm not running 10Gbps at home, just 1Gbps LAGs, so can't speak to that, but I find performance generally very acceptable, at least across my LAN anyway. I also have pfSense virtualised on the same host and can't say that I have ever really noticed any impact on the other VMs at all, even when running a couple of OpenVPN sessions etc. Loads of folks run their pfSense setup the same way. The only real drawback, which I have unfortunately fallen victim to a couple of times, is that when you do something stupid, have a brain fart and lock yourself out etc, often the only thing you can do is reboot your host to get back in and fix it. So providing you are not doing something uber critical with your system, where your uptime requirement is approaching five 9s, you should be fine running it in a VM. If you happen to have spare money, or spare hardware, laying about that will give you the performance that you need and you would rather be able to reboot your firewall without disturbing your VM hosts, then by all means stick pfSense on bare metal, but otherwise it's really 6 of one and half a dozen of the other which way you approach it. There is one situation where a bare metal install comes into its own and that is if you are remote and had your pfSense on a box with IPMI, where you could then remotely reboot, run updates etc etc without pulling everything down :)
 
I do all three of your use cases in one physical machine using virtualization. Plenty of people have dedicated machines running a router/firewall package or dedicated OS for one reason or another.
So you basically have one master machine plugged straight into the cable modem, and that machine both routes for other machines, serves up the files to the house, and works as a desktop with each use in a separate virtual session under a hypervisor?
 

RyC

So you basically have one master machine plugged straight into the cable modem, and that machine both routes for other machines, serves up the files to the house, and works as a desktop with each use in a separate virtual session under a hypervisor?
You got it! Some people do not recommend virtualizing routers because when your VM host needs to be taken down (for maintenance etc), then you lose your network. I personally don't mind since I'm running it in a home environment.
 

wildchild

You got it! Some people do not recommend virtualizing routers because when your VM host needs to be taken down (for maintenance etc), then you lose your network. I personally don't mind since I'm running it in a home environment.
Or you have, like me, 2 VMware hosts and run 2 virtual router instances bound as 1 (VRRP cluster), in combination with vMotion.
That way when you reboot your physical machine, your router(s) stay alive, and when you need to reboot your routers, you do so sequentially, therefore theoretically you'd have 100% uptime.
 

whitey

You got it! Some people do not recommend virtualizing routers because when your VM host needs to be taken down (for maintenance etc), then you lose your network. I personally don't mind since I'm running it in a home environment.
If you have a 2 node cluster or larger, as long as you set up a small group of say 4 ports on your switch for a VLAN w/ cable modem and ESXi hosts' NICs and then set up a vSwitch/vDS for WAN/pfSense connectivity, it takes a whole site/power outage to take that down and you can freely vMotion v-pfSense between ESXi w/in the cluster w/ no internet downtime.

That's what I do anyways, works like a dream.
 

Aestr

I run two pfSense VMs with CARP on different hosts. It provides availability both when rebooting a host as well as rebooting a VM for things like updates. It works very well and lets me make changes without checking with everyone in the house first.
 
You got it! Some people do not recommend virtualizing routers because when your VM host needs to be taken down (for maintenance etc), then you lose your network. I personally don't mind since I'm running it in a home environment.
This definitely increases my interest in virtualization then. I would like to investigate this more. Are there any additional security risks? I'm always leery having a computer plugged directly into the modem, though I suppose the way it works is you pass through one gigabit port directly to a virtual machine, and if that virtual machine is down or crashes nothing else can even touch that port. (I'm not sure if that works by the port or by the physical card, like I've seen 4 port cards before)

How big of an effective router can one build this way, or do people just cascade multiple low watt boxes? Are there places online that specialize in just this or is STH the cutting edge? :) I'd rather ask elsewhere to start or I'll be bugging everyone here on every topic and they'll resent my excess of questions at some point. :)


Or you have, like me, 2 VMware hosts and run 2 virtual router instances bound as 1 (VRRP cluster), in combination with vMotion.
That way when you reboot your physical machine, your router(s) stay alive, and when you need to reboot your routers, you do so sequentially, therefore theoretically you'd have 100% uptime.
Could you explain that in dummy language? :) Would the same arrangement work for free hypervisors or is this specific to VMware? This is a whole new area for me to try and map out and understand on top of other projects, I'm just not sure what articles to search for to bring me up to speed. (just like I had many random dumb questions about SAS because I couldn't find the right For Dummies guide or introduction article to start on the internet)
 

fractal

You got it! Some people do not recommend virtualizing routers because when your VM host needs to be taken down (for maintenance etc), then you lose your network.
Well, there is that part of it. But for me, I won't physically connect the wan to a host that contains any personal data.

I can see putting pfSense and squid and netmon on separate VMs on a single server but the thought of even possibly starting to think about considering the slightest chance of running FreeNAS with any of my data on the same server makes me want to run away and pound my head into the pavement until I regain my sanity.
 
One thing I was told about pfSense is that it doesn't have Quality of Service though. For the time being I'm stuck on 25down/3up speeds and VOIP is an absolute priority no matter what roommates are doing (torrenting and other crap while I'm simultaneously trying to VPN to friends in my film school group). I'm curious what the best router software for VOIP QoS as top priority is, and perhaps a second priority of "VPN on the router".
 

RyC

Well, there is that part of it. But for me, I won't physically connect the wan to a host that contains any personal data.

I can see putting pfSense and squid and netmon on separate VMs on a single server but the thought of even possibly starting to think about considering the slightest chance of running FreeNAS with any of my data on the same server makes me want to run away and pound my head into the pavement until I regain my sanity.
If this was a business environment, absolutely. But at home, I'm willing to risk the minuscule chance someone manages to break out of the VM walls (or vSwitch). If they are able to do that and actually make off with my data, then VMware has a huge problem on their hands.

pfSense traffic shaping is supposed to work. I tried it to experiment with reducing buffer bloat, but Comcast more or less fixed it on their end.