Linux distro with these requirements?

knutp

Senior member
Jan 25, 2001
802
0
0
I'm trying to make a Linux router that bonds multiple DSL and/or T1/E1 lines to one local interface. It should be using NAT on the inside, and then of course have a DHCP server. And it would be really nice to forward public IPs to selected private MAC addresses.

And it must also have some sort of traffic shaper. A web interface is also a must.

It would also be nice if it had Snort, a DNS proxy, a web proxy, a VPN server, etc.

Any Linux/BSD distros that meet these requirements?

Or any other recommendations?
 

knutp

Senior member
Jan 25, 2001
802
0
0
Yeah, but not with a web interface... especially when I've got limited extra time from my studies.
 

alrox

Member
Nov 17, 2002
175
0
0
You can do most of that stuff with Linux or BSD with the right software (aside from the "forward public IPs to selected private MAC addresses" thing, that makes no sense), but I don't know of any packages that come with it neatly configured out of the box. And I'm pretty sure no one who would write such a distro would include a web interface to control it all.

Doing any sort of NAT load balancing with your WAN connections is spotty at best and not really worth it, on a side note.
 

knutp

Senior member
Jan 25, 2001
802
0
0
Originally posted by: alrox
You can do most of that stuff with Linux or BSD with the right software (aside from the "forward public IPs to selected private MAC addresses" thing, that makes no sense), but I don't know of any packages that come with it neatly configured out of the box. And I'm pretty sure no one who would write such a distro would include a web interface to control it all.

Doing any sort of NAT load balancing with your WAN connections is spotty at best and not really worth it, on a side note.

The point of putting public IPs on an inside address is to make some of our customers happy, and not bother them with NAT.

Why is NAT load balancing spotty?
 

alrox

Member
Nov 17, 2002
175
0
0
The way pretty much any OS handles default gateways makes it hard. Source-based routing is necessary since the OS knows only one default route. The 2nd (and 3rd, etc.) have no route to the internet without routing the packet based on the source address. I don't know of any NAT package that will do this type of routing/load balancing (ipf won't, ipfw won't, only 2 I really use). It would make more sense to buy a fatter pipe from 1 company rather than 2+ from different companies.

I'd have to know more specifics about the setup to say anything about the "public ip's on an inside address" thing.
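
The source-based routing described in the post above, sketched for Linux with iproute2 as an added example that is not part of the original thread. The interface names, addresses (RFC 5737 documentation ranges) and table numbers are constructed, and the script only prints the commands rather than running them.

```shell
#!/bin/sh
# Added example: print (do not execute) the iproute2 commands for
# source-based routing across several uplinks.
# Each uplink is "iface:local_addr:gateway"; all values are constructed.
UPLINKS="dsl0:192.0.2.2:192.0.2.1 dsl1:198.51.100.2:198.51.100.1 dsl2:203.0.113.2:203.0.113.1"

gen_policy_routing() {
    table=100          # first per-uplink routing table number (assumption)
    nexthops=""
    for u in $1; do
        ifc=${u%%:*}       # text before the first colon
        rest=${u#*:}
        src=${rest%%:*}    # local address on this uplink
        gw=${rest#*:}      # this uplink's gateway
        # Per-uplink table: its own default route via that line's gateway.
        echo "ip route add default via $gw dev $ifc table $table"
        # Packets sourced from this line's address use that table, so
        # replies leave on the line they arrived on.
        echo "ip rule add from $src table $table"
        nexthops="$nexthops nexthop via $gw dev $ifc weight 1"
        table=$((table + 1))
    done
    # Main table: one multipath default spreading new flows over all lines.
    echo "ip route replace default scope global$nexthops"
}

gen_policy_routing "$UPLINKS"
```

Review the printed commands before applying them as root; `ip rule show` and `ip route show table 100` display the result afterwards.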
 

knutp

Senior member
Jan 25, 2001
802
0
0
Well, we actually have 4 SHDSL lines from one company with 8 public IP addresses we can use.

The reason we want to route a public IP address to a computer on the inside is that we have more IPs than lines, and it isn't always easy to use voice/video services when using NAT.

Let's say that there are around 40 users on the LAN that are sharing 4 2,3 Mbit SHDSL lines (each user is getting around 1 Mbit, at least not more than 2,3 Mbit). Then perhaps 2-4 PCs will use voice/video to the outside world. Then it would be a lot easier to have public IPs on those computers.

We are perfectly aware of the security issues with this, but that's really the users' problem, not ours.
 

alrox

Member
Nov 17, 2002
175
0
0
You'd probably want those voice/video boxes that need public IPs to be dual-homed: 1 NIC with a public IP, and another interface with a private address for talking to your local LAN. You're breaking about 10 subnetting rules by placing the voice/video box in your private LAN only with a public IP.
 

knutp

Senior member
Jan 25, 2001
802
0
0
There is not going to be any usage between the LAN; every bit of traffic will go to the WAN interface.
 

fib3r

Junior Member
Mar 3, 2003
1
0
0
Here are some Linux gateway/router distros... all of which have the majority of what u need!

ClarkConnect
-----------------
http://www.clarkconnect.com - Works on modular base so u can also use it as a server / apache,email etc etc

SmoothWall
---------------
http://www.smoothwall.org - One of the more popular distros. Nice distro but doesn't have a lotta flexibility if that's what u need!

IPCop
--------
http://www.ipcop.org - Smoothwall fork, although the newer versions are slowly putting their own code into place!


Cheers
 

stash

Diamond Member
Jun 22, 2000
5,468
0
0
I have tried all of the above, and IMO, none of them comes close to astaro. Check them out at astaro.com and astaro.org. They just came out with a new version (4.0), and it's great. The web interface has been sped up considerably, so that it is extremely fast even on very slow machines.

The only thing that astaro does not include is snort (or any other IDS), which is a good thing to me, since I believe that an IDS shouldn't be on the same box as your firewall.
 

knutp

Senior member
Jan 25, 2001
802
0
0
I haven't seen any traffic shaping and bonding of several lines in Clarkconnect or smoothwall. I haven't tried IPCop yet.

And Astaro seems fine, but it does cost a lot of money for commercial use.
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
OpenBSD combined with OpenVRRP might work. You would need to add webmin for the crappy web interface, if you really need that stuff. Idiots shouldn't be setting up firewalls. Non-idiots can figure out how to use the command line.

Definitely put the NIDS on separate machines. The VPN, DHCPd, web proxy (snort), etc. should each be on separate machines, or at least (minimum) not be on the firewall.
 

knutp

Senior member
Jan 25, 2001
802
0
0
Well the need is only to get a router that will do this. The need for a firewall isn't really that important, but it would be nice.

 