LinuxQuestions.org
Slackware This Forum is for the discussion of Slackware Linux.
Old 08-17-2019, 04:34 PM   #16
bifferos
Member
 
Registered: Jul 2009
Posts: 189

Rep: Reputation: 65

Quote:
Originally Posted by upnort
Bare metal? Virtual? How many NICs? Wireless AP (hostapd)? Web browser interfaces to display various stats? QoS?

I am aware of a few related topics at SlackDocs. I'm not yet interested at that level. Just interested in reading from those already doing this.
My setup for wifi is basically this: https://docs.slackware.com/howtos:ha...spberrypi3_wap
But not using the Pi any more as I don't rate it for 24/7 operation. I think if I had to use the Pi I'd switch distro to OpenWrt and run off an initrd, because I think repeated access to the SD card has reliability issues. I believe the Pi hardware itself to be sound though.

Although the Alpha networks wifi is USB it works fantastically well, especially when paired with a decent quality JuicEBitz cable (it's worth avoiding cheap cables IMHO). I can site the antenna some distance above the PC chassis and it gets across three floors of the house and most of the way down the garden with no issue.

I now run oldish Phenom hardware. I toyed with the idea of getting Atom or other hardware to reduce power bills but it's a tough decision because power consumption is hard to determine and I need to compare money spent on that with the 'free' solution I have using a machine that's spare after an upgrade. The 55W consumption (measured) is more than for a dedicated router but avoids the hassle of hacking OpenWrt onto something. Also, PC architecture allows me to do sshfs, where performance is poor for either the Pi or most NAS solutions unless they cost $$$s.

For DNS/DHCP I use dnsmasq, with all wifi MAC addresses added to the DNS config, so all devices get a sensible name in DNS. There's an Apache web interface but only for the QR code (see above article) and for the occasional redirection of certain DNS names to a local picture address e.g. to tell the kids they've had too much time on youtube.

For ethernet hardware I use the built-in NIC on the mobo for one side and a dual-port intel pro 1000 the other side. The only reason I got that was because at the time I wanted e1000 hardware for ESX compatibility, and the dual-port card was the cheapest way to buy Intel. I tried *really* hard to find a USB ADSL modem for the external side of things, however they don't seem to exist anymore so it's been a case of disabling the wifi on the ISP-supplied router and configuring a non-conflicting network address for it.

For routing I use some iptables rules, nothing particularly advanced. I'm not expecting to have to deal with much hitting my external NIC because it's connected to another NATing router from the ISP (see above).

Hopefully this is of some use to you!

Last edited by bifferos; 08-17-2019 at 04:39 PM.
 
1 members found this post helpful.
Old 08-17-2019, 06:19 PM   #17
abga
Senior Member
 
Registered: Jul 2017
Location: EU
Distribution: Slackware
Posts: 1,211

Rep: Reputation: 640
Quote:
Originally Posted by bifferos
But not using the pi any more as I don't rate it for 24/7 operation. I think if I had to use the Pi I'd switch distro to use OpenWrt and running off an initrd because I think repeated access to the SD-card has reliability issues. I believe the Pi hardware itself to be sound though.
I started to use the Pi2B boards some 3 years ago and installed a dozen as gateway&router&firewall&DNS-resolver and some small postgres DBs. They're all running fine to this very day on Slackware ARM - current, with all the updates. I just managed to destroy one SD Card recently on one of my personal Pi2B boxes, a Samsung EVO 16GB card on which I did a lot of compilations, and I mean a lot (test box).
If you use Sandisk/Samsung cards, keep the /boot partition (the FAT one) read-only, only use half of the SD card space (Slackware ARM with XFCE fits in around 7-8GB, that's half of a 16GB card) and create a tmpfs (100-200MB), mount it at boot, and extract/archive its contents during startup/shutdown to store the files that change a lot (basically logs - messages/syslog/firewall... etc.); then you can safely "rate it for 24/7 operation".

The issue I have with the Pi3B is the thermal throttling that affects primarily the VPN bandwidth (OpenVPN - CPU intensive application). On the Pi2B I get constantly ~18-19Mbps on AES-256-CBC and around 21-23Mbps AES-128-CBC per core (the quad-core Pi2B (Pi3B too, but throttling) can handle 4 VPNs at these speeds with all its cores).

OpenWRT is OK for basic stuff, but all the packages are crippled, that is, features are disabled, in order to make them fit on the tiny flash chips these routers come with. I stumbled upon some problems with OpenVPN in the past and the devs at OpenWRT (forum) didn't seem to care to enable/fix them.

P.S. - OpenWRT upgrades are a PITA if additional packages are installed - better use a full Linux system (Slackware) if more than a simple router is required.
https://forum.openwrt.org/t/18-06-2-...kages/30659/19

Last edited by abga; 08-17-2019 at 06:56 PM. Reason: P.S.
 
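The tmpfs-for-logs arrangement abga describes (mount at boot, archive at shutdown) as an added example; this is not abga's script, and the paths, archive name and tmpfs size are assumed placeholders:

```shell
#!/bin/sh
# Added example, not from any poster in this thread: keep frequently written
# files (logs) on a tmpfs so the SD card is not hammered, and archive/restore
# them across reboots. All paths and sizes below are assumed placeholders.
VOLATILE_DIR="${VOLATILE_DIR:-/var/log}"
ARCHIVE="${ARCHIVE:-/var/local/log-archive.tar.gz}"
TMPFS_SIZE="${TMPFS_SIZE:-150M}"

# Unpack ARCHIVE into DIR if the archive exists; harmless on first boot.
restore_volatile() {
    archive="$1"; dir="$2"
    [ -f "$archive" ] || return 0
    tar -xzf "$archive" -C "$dir"
}

# Write DIR's contents to one archive on persistent storage, replacing the
# old archive only after the new one has been written completely.
save_volatile() {
    archive="$1"; dir="$2"
    tar -czf "$archive.tmp" -C "$dir" . && mv -f "$archive.tmp" "$archive"
}

# Startup (needs root, e.g. from rc.local): mount a tmpfs over the log
# directory, then bring back whatever was saved at the last shutdown.
mount_volatile() {
    mountpoint -q "$VOLATILE_DIR" || \
        mount -t tmpfs -o size="$TMPFS_SIZE",mode=0755 tmpfs "$VOLATILE_DIR"
    restore_volatile "$ARCHIVE" "$VOLATILE_DIR"
}

# Shutdown (from rc.local_shutdown): persist the tmpfs before it vanishes.
unmount_volatile() {
    save_volatile "$ARCHIVE" "$VOLATILE_DIR"
}

# Self-check that runs without root: round-trip a constructed log line through
# save_volatile/restore_volatile in temporary directories; returns 0 on success.
selfcheck() {
    work=$(mktemp -d)
    mkdir -p "$work/live" "$work/restored"
    # constructed sample log line
    printf 'Aug 17 18:19:00 gw kernel: sample line\n' > "$work/live/messages"
    save_volatile "$work/archive.tar.gz" "$work/live"
    restore_volatile "$work/archive.tar.gz" "$work/restored"
    cmp -s "$work/live/messages" "$work/restored/messages"
    rc=$?
    rm -rf "$work"
    return $rc
}
```

Anything logged since the last save_volatile is lost on a power cut or kernel panic, so if those entries matter (firewall logs, for instance) also run save_volatile periodically from cron.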
Old 08-17-2019, 08:19 PM   #18
upnort
Senior Member
 
Registered: Oct 2014
Distribution: Slackware, Proxmox, Debian, CentOS, Ubuntu
Posts: 1,212

Original Poster
Rep: Reputation: Disabled
Some helpful tips written here. Thank you.

Currently I use DD-WRT on an Asus RT-AC66U router. Works OK, but some time ago I tried updating the release and ran into all kinds of breakage. The general consensus around the web seems to be that the good ol' days of DD-WRT are long gone. I tend to agree. Just one big playground for developers and to hell with users. Users still wait for an official release. In all the years I used DD-WRT I always found the DD-WRT web browser interface painfully slow. I keep the thing running but try to avoid opening WAN side ports because the firmware is getting old.

I looked at OpenWRT. Not a warm and fuzzy feeling. Information is jam packed on each web page. No nice formatting or layout. No pics anywhere. Their web browser interface seems like a reluctant after-thought feature. I really don't want to mess with routers with that kind of software. I also found many comments that wireless is tricky with OpenWRT and to choose a router wisely.

I have no interest in the proprietary firmware installed on almost all consumer routers. Shoddy security updates. Most are designed to phone home in some way. Many people online are big on UBNT and Mikrotik, but I am familiar with those brands at work. I'm not impressed with either.

I don't want to tinker with small SBCs. Most are underpowered and the Pi doesn't even have an RTC. I'm not interested in running a project like this with USB NICs.

After reading the ARS Technica article I thought perhaps I could build my own gateway device. At the very least I could install two NICs, a selected package installation of Slackware, and configure the firewall to block all incoming WAN side requests. That would be a simple gateway device.

I want remote access to the home office desktop. Both SSH and OpenVPN would be convenient. I need to port forward from the WAN side to the office system SSH port. I have OpenVPN running on DD-WRT and that is one reason I keep using the firmware.

I segregate test systems using two VLANs on the current router. Another reason I keep using DD-WRT. That would be an additional two NICs. The stock Slackware has vconfig. Never touched the software but I can learn.

I would like some kind of firewall front-end to handle the firewall. I'm not really Cool Hand Luke with iptables. Perhaps GUFW, Shorewall, or Webmin.

For years on all of my systems I have run vnstat. Would be nice to create some kind of LAN side web page to display the stats so I can monitor data caps and perhaps usage of each computer on the LAN. I have Apache running on the office system, but I'm no guru with designing web pages.

Wireless. If I could get that far I suppose for the interim I could run the Asus router as my AP and just connect the router to the LAN side switch. Then tinker with a reliable wireless NIC and hostapd. I get the feeling from browsing the web that hostapd is finicky about what NICs to use.

Adding multiple NICs should not be a big hill to climb. I always found rc.inet1.conf straightforward to understand. Five NICs total does not exceed the $MAXNICS=6 limit embedded in the comments of rc.inet1, so Pat would not get any pictures.
 
Old 08-17-2019, 10:07 PM   #19
abga
Senior Member
 
Registered: Jul 2017
Location: EU
Distribution: Slackware
Posts: 1,211

Rep: Reputation: 640
I used DD-WRT on a few occasions and I wasn't really happy with the GUI, condensed and pretty chaotically organized, couldn't remember where's where. On one occasion, an old D-Link router on which the latest OpenWRT didn't fit anymore, I tried to set up a Wi-Fi repeater by following the DD-WRT guides and failed, had to follow some stuff I found on a blog...
OpenWRT on the other hand looks a little more polished and easier to configure. One thing I like about it is that you have a "Custom Firewall" section where you can literally paste iptables rules (I usually have some pages of them). I'm always configuring it in Routed AP Mode:
https://oldwiki.archive.openwrt.org/...cipes/routedap
considering the WiFi as untrusted and the only way I allow WiFi devices into the LAN is on trusted MAC, IP and only through a VPN.
In both cases you really need to be careful about the router you pick, especially the HW revision and firmware, pick the box and check the label personally.

On SBCs, way superior compared to the routers and for less $, you can load a full Slackware on them and you have good CPU power & sufficient RAM, at least for a 100Mbit scenario. Now I stopped using them myself, got stuck at the Raspberry Pi2B level and at the $5 Pi Zero (which BTW can easily handle a 100Mbit routing/gateway scenario (advanced firewall script too) with two USB NICs!), mainly because of two reasons: I don't really like the latest CPU performance developments - constant thermal throttling = unreliable! and the price tag, better buy an X86 MiniPC, they got cheaper.

I suggested such a fanless small x86 quad-core Atom - $109 for a gigabit scenario:
https://www.amazon.com/ACEPC-T8-x5-Z...dp/B07D9YX3W6/
It only comes with one integrated gigabit NIC but you could use a second one on USB, besides, while USB adapters put some overhead on the CPU and cannot use DMA, that overhead is really negligible from my own experience, other confirmations:
https://superuser.com/questions/1420...nection-vs-nic
However, you might be able to find some other x86 MiniPC with more integrated NICs, maybe a little more expensive...

Iptables, well, you could use the webmin interface, it looks OK and you can do some basic stuff with it:
https://doxfer.webmin.com/Webmin/Linux_Firewall
I do however recommend learning iptables and writing the rules manually: first, you will understand what you're doing, and secondly, you have access to the whole power and versatility of the iptables firewall tool. You'll be able to do "wonders" with it, so to say.
The same goes for the routing stuff, static in your case, learn and use the iproute2 tools.

I wouldn't use a full computing system desktop/tower for such a function, but size it accordingly and look for something small, fanless, powerful enough to handle the gateway functions and not that power-hungry (heat+electricity).
I'd also like to point out that nowadays, with all these gadgets (smartphones/tablets/other smart devices) and increasingly powerful office devices (like printers), you need to extend your security considerations and protect your core systems also from inside and not only from the big bad world outside.
 
1 members found this post helpful.
Old 08-17-2019, 10:17 PM   #20
glorsplitz
Member
 
Registered: Dec 2002
Distribution: slackware!
Posts: 773

Rep: Reputation: 172
I did two NICs for a while once, internet and LAN, used Easy Firewall Generator for IPTables: you clear everything, then open only what you need.
 
2 members found this post helpful.
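The "clear everything, then open only what you need" approach for a two-NIC gateway, including the WAN-to-office SSH port forward upnort asked about and LAN-only DNS/DHCP for dnsmasq, as an added example (not any poster's own rules; interface names, the LAN subnet, the office host address and the SSH port are assumed placeholders):

```shell
#!/bin/sh
# Added example, not from any poster in this thread: emit a default-deny
# iptables-restore ruleset for a two-NIC Slackware gateway. Interface names,
# subnet, office host and port are assumed placeholders; override via env.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
OFFICE_HOST="${OFFICE_HOST:-192.168.1.10}"   # LAN host that receives forwarded SSH
SSH_PORT="${SSH_PORT:-22}"

# Print the complete ruleset on stdout. Review it, then load it (as root) with:
#   gen_gateway_rules | iptables-restore
gen_gateway_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Forward inbound SSH on the WAN side to the office desktop.
-A PREROUTING -i $WAN_IF -p tcp --dport $SSH_PORT -j DNAT --to-destination $OFFICE_HOST:$SSH_PORT
# Masquerade everything leaving through the WAN interface.
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
*filter
# Clear everything: default DROP for traffic to and through the gateway.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# The gateway itself is only managed from the LAN side.
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $SSH_PORT -j ACCEPT
# dnsmasq: DNS and DHCP for LAN clients only; nothing answers on the WAN side.
-A INPUT -i $LAN_IF -p udp -m multiport --dports 53,67 -j ACCEPT
-A INPUT -i $LAN_IF -p tcp --dport 53 -j ACCEPT
-A INPUT -i $LAN_IF -p icmp -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# LAN may go out; the only WAN-initiated flow allowed in is the DNATed SSH.
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -d $OFFICE_HOST -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Audit helper: count rules that ACCEPT traffic arriving on the WAN interface.
# For this ruleset the answer must be exactly 1 (the forwarded SSH flow); any
# other number means the "open only what you need" intent has drifted.
count_wan_accepts() {
    gen_gateway_rules | grep -c -- "-i $WAN_IF .* -j ACCEPT"
}
```

Forwarding between the NICs also needs net.ipv4.ip_forward=1 (set in /etc/sysctl.conf or from rc.local); without it the FORWARD rules never see a packet.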
Old 08-18-2019, 06:52 AM   #21
bifferos
Member
 
Registered: Jul 2009
Posts: 189

Rep: Reputation: 65
Quote:
Originally Posted by abga
....then you can safely "rate it for 24/7 operation".
Add USB wifi to the mix and tell me how you get along. It's interesting to hear your experience but I'm not going back. The thing I like about my current setup is that I can leave a SVGA monitor attached to it full time for any fault-finding. People give away SVGA monitors, but tend to want money for HDMI ones that the Pi needs. It sounds like a minor thing I know but makes a difference to me.
 
1 members found this post helpful.
Old 08-18-2019, 07:33 AM   #22
zuriel
LQ Newbie
 
Registered: Aug 2012
Distribution: Slackware
Posts: 25

Rep: Reputation: 21
I have a little mini-ITX AMD E-350 system as my router. It has *one* ethernet port.

It has *24* network interfaces.

A ton of VLAN interfaces, several bridges, three VPN interfaces, some virtual ethernet interfaces, etc, etc. Policy based routing and network namespaces and all sorts of fun stuff.

I have a VLAN that only runs IPv6, for example. And another one that uses policy based routing to send all its traffic out over the VPN.

If you want something that just does the job, get an EdgeRouter or something. Slackware on a router is for if you want to fiddle with it.
 
1 members found this post helpful.
Old 08-18-2019, 09:59 AM   #23
abga
Senior Member
 
Registered: Jul 2017
Location: EU
Distribution: Slackware
Posts: 1,211

Rep: Reputation: 640
Quote:
Originally Posted by bifferos
Add USB wifi to the mix and tell me how you get along. It's interesting to hear your experience but I'm not going back. The thing I like about my current setup is that I can leave a SVGA monitor attached to it full time for any fault-finding. People give away SVGA monitors, but tend to want money for HDMI ones that the Pi needs. It sounds like a minor thing I know but makes a difference to me.
Add a TP-Link TL-WN722N or TL-WN722NC USB WiFi adapter to the mix and you have a good range&speed&stable AP. I used this adapter in many setups, including my own and I'm really happy with it. You can easily add/change an external antenna and increase the coverage, it's cheap too, around 10EUR/USD. Careful, TP-Link released some new revisions that come with a Realtek chipset and I don't have any experience with them, see:
https://www.linuxquestions.org/quest...3/#post5852180
You could also use this list as a guidance - look for adapters that support AP mode:
https://elinux.org/RPi_USB_Wi-Fi_Adapters

I'm using the Pi boards pretty much headless; I trust both my work and Slackware. I use Monitorix for some stats and connect to them every now and then, performing updates and checking other details on the console (ssh), but you can also set up VNC.
Sorry, cannot follow you on your VGA requirements, you can easily get a cheap second-hand LED monitor with HDMI these days. Besides, CRTs are not good for your health and older TFT monitors with CCFL backlight have a short lifetime (the neon tubes will gradually lose brightness, flicker and start to shift into red, again, bad for your health).
You could also get a small touchscreen and attach it to your Pi, leave it on and display your preferred stats. Or, get one beer less, save the money and buy one of these smaller displays:
https://pandorafms.com/blog/monitor-...h-rpi-monitor/
https://www.instructables.com/id/Ras...itor-Via-OLED/
 
Old 08-18-2019, 10:42 AM   #24
glorsplitz
Member
 
Registered: Dec 2002
Distribution: slackware!
Posts: 773

Rep: Reputation: 172
Quote:
Originally Posted by zuriel
If you want something that just does the job, get an EdgeRouter or something.
interesting company, thanks for that
 
Old 08-19-2019, 09:06 AM   #25
bifferos
Member
 
Registered: Jul 2009
Posts: 189

Rep: Reputation: 65
Quote:
Originally Posted by abga
Add a TP-Link TL-WN722N or TL-WN722NC USB WiFi adapter to the mix and you have a good range&speed&stable AP. I used this adapter in many setups, including my own and I'm really happy with it. You can easily add/change an external antenna and increase the coverage, it's cheap too, around 10EUR/USD.
As I explained in my previous post, I'm happy with the Alpha Networks adapter I'm using. Your initial post made no mention of wifi. My reliability issues may have stemmed from using Pi + SD card + powered hub + wifi. If you're now saying you've run that combination for uptime in years (as I have done), and seen no issues, then fine, good for you, but it wasn't clear from your initial post.

This isn't some pissing contest. The OP wanted to know what people were using. I explained what I was using and why, so I'm not sure why you feel a need to invalidate my posts.

Quote:
Sorry, cannot follow you on your VGA requirements
I wanted something free. You can suggest 10 other models of cheap monitor but the one I get for free is (for me) preferable. I don't see why that's hard to understand.

Quote:
Besides, CRTs are not good for your health and older TFT monitors with CCFL backlight have a short lifetime (the neon tubes will gradually loose brightness, flicker and start to shift into red, again, bad for your health).
Neither would matter as I am looking at it for some minutes per year for when my router needs attention, but I was talking about TFT, FWIW.
 
Old 08-19-2019, 09:27 AM   #26
montagdude
Senior Member
 
Registered: Apr 2016
Distribution: Slackware
Posts: 1,584

Rep: Reputation: 1221
Quote:
Originally Posted by baumei
I have used Slackware as a gateway. It was installed "bare metal".

A gateway is exposed to every attack which may come from either the Internet or the local network, and it is usually expected to resist these attacks.

It is likely that every piece of software on the gateway has at least one flaw.

In order to reduce the likely number of software flaws on the gateway --> do not install any software which is not necessary for the tasks at hand.
Quote:
Originally Posted by upnort
Seems obvious to me, but I suppose needs saying for others wandering into this thread. I suppose some folks might get upset because that means not having a "full install" of Slackware.
Sometimes things that seem obvious are not actually true. Software that just sits on your server not running does not present any attack surface. Just don't enable services that you don't need.
 
Old 08-19-2019, 09:59 AM   #27
bifferos
Member
 
Registered: Jul 2009
Posts: 189

Rep: Reputation: 65
Quote:
Originally Posted by montagdude
Software that just sits on your server not running does not present any attack surface.
It's unlikely to be an initial way in, but it could be used for privilege escalation.
 
Old 08-19-2019, 10:44 AM   #28
montagdude
Senior Member
 
Registered: Apr 2016
Distribution: Slackware
Posts: 1,584

Rep: Reputation: 1221
Quote:
Originally Posted by bifferos
It's unlikely to be an initial way in, but it could be used for privilege escalation.
I suppose so, but I would say that if they are in, you're already in trouble. At least in Slackware, your time is better spent securing the entry points rather than trying to remove unneeded software beyond the obvious package groups.
 
Old 08-19-2019, 11:49 AM   #29
abga
Senior Member
 
Registered: Jul 2017
Location: EU
Distribution: Slackware
Posts: 1,211

Rep: Reputation: 640
Quote:
Originally Posted by bifferos
This isn't some pissing contest. The OP wanted to know what people were using. I explained what I was using and why, so I'm not sure why you feel a need to invalidate my posts.
Never considered it a "pissing contest", usually I'm using the toilet for such biological needs. Instead, I provided details about my experience with Slackware as a gateway, in a civilized and constructive manner, sharing many technical details. The same I did for your post in which you quoted me, provided the requested details and experience feedback, again, in a constructive way.
All in all, I hope that the OP and the community are happy with this thread, as it contains many good tips from all of the participants.
 
Old 08-19-2019, 12:33 PM   #30
bifferos
Member
 
Registered: Jul 2009
Posts: 189

Rep: Reputation: 65
Quote:
Originally Posted by montagdude
I suppose so, but I would say that if they are in, you're already in trouble. At least in Slackware, your time is better spent securing the entry points rather than trying to remove unneeded software beyond the obvious package groups.
Agreed that securing the entry points has got to be the priority, but most security people will be looking at defence in depth. They'll try to prevent the intrusion by pen testing and so on, but then they'll look for software they don't understand or feel isn't needed and get it removed. If something resides on a machine there is a chance it gets activated. Someone may activate it by mistake. They may activate it temporarily to test something and forget to disable it. They may misconfigure it. There is a human element.

The risk is reduced with you as sole admin, however it's still good practice to bear the above in mind. I don't know if you've been forced to go on security training in the course of your job, but any decent course will drum this stuff into you, so I'd hope there's something in it.
(especially bearing in mind how much we pay for these courses.)
 
1 members found this post helpful.