Quiet, small PC for firewall?

[SinnerP]

Hi!

I'd like to get a new PC to act as a firewall. The current one is too loud for the missus, and probably eats too much power.

The desired specs:

* quiet!
* dual network (ethernet)
* low power!
* capable of running 24x7

No need for big CPU, lots of RAM, audio, etc, as it will run Linux, headless. I like to assemble my computers (done that since my 486), although I'm not opposed to a prebuilt system, if it exists.

What are your recommendations? Usually people focus on "performance", "media-center capabilities"...

I just need "the sound of silence"

Also, what online hardware vendors do you recommend?

Thank you in advance.

Salut,
SinnerP

[psiu]

Well, a mini-itx or nano-itx board (which often have the cpu built-in) would be the easiest but probably not the cheapest. Otherwise micro-atx board with a mobile chip (Pentium M, Core (1 or 2) Solo, Athlon XP-M, Sempron or the mobile A64's which I forget the name of...there is a name, right?) would be the best bet, followed by micro-atx with a low power modern Sempron or A64 (cheaper than the Core chips I believe).

What distro are you using? I use BrazilFW for routing and firewalling, it's the successor to Coyote Firewall. Boot off CF in CF->IDE adapter on P3-450 with 128MB.

Good luck

[flyingsherpa]

are you familiar with the NSLU2? i've been reading about them recently and evidently they can be used as a firewall. not sure if it would do everything you want, but it's worth a look since it's silent and cheap!

[jessekopelman]

The lowest cost DIY option is to get a micro/flex-ATX motherboard bundled with a Via C3 or C7 cpu. Newegg has a few choices for < $100. Add a cheap flex/micro-ATX case (flex fits in a micro case, but not vice versa -- strangely flex is the smaller of the two) and a PCI NIC and 256 MB of RAM (or less if you can find smaller smaller size DIMM any cheaper). If you have a functioning PC to use as a "server" you could even use boot from LAN and avoid needing a HD. Even with a small HD, the whole thing will cost < $200. It will certainly be relatively bulky, though. If you go without the HD, your only source of noise will be the PSU. Newegg has a small case that comes with a 80W external brick for $80 (likely cheaper than adding a PicoPSU to another case). Even with this more expensive case your build shouldn't be much > $200.

I'm assuming you need some fairly advanced capabilities, otherwise why not just buy an off the shelf 4-port Ethernet switch? They all come with a built in firewall, are tiny, silent, and cost like $20.

[Meato]

Grab a $100-125 used K6-2 or a P3 and start identifying the noise sources and replace with quieter components. Recycle whenever its probable.

[eitheta]

The m0n0wall folks have a page (http://m0n0.ch/wall/hardware.php) full of pointers to hardware platforms for exactly this sort of thing. And m0n0wall is a very popular firewall-purposed Linux distro. I've heard many good things about the Soekris hardware platforms.
For a lowest-cost option, buy a Linksys WRT54G -- the firmware in it is a lightweight Linux derivative, and there are several third-party open-source projects which produce enhanced versions of the software. See http://en.wikipedia.org/wiki/WRT54G for lotsa links to some of these projects.

[thejamppa]

I am planning to build old parts Firewall for my friend aswell. I'll be using free Smooth Wall 2.0 programs, Not sure if I got 600 Mhz Duron or 400 Mhz Celeron with passive stock heat sink on 370 mobo. Duron would kick seriously Celeron's behind but you really don't need that much raw power for firewall.

Only thing I should buy new is probably case + PSU. One retailer here has combo of ATX case + 250W Hec PSU ( around 35€ for combo both new) which ought to be pretty quiet. My 350 W Hec is pretty darn quiet in my Duron set-up.

I think getting new parts for just firewall computer ( like motherboard and CPU ) is bit waiste of money. Firewalls can easily be Celeron's, AMD K6-2's or P2 or 3's. They're cheap and you can make them quiet even they are old hardware.

I use myself ZyXel P-336 Prestigue myself.

[jessekopelman]

For just building a residential grade firewall, the posters talking about using a NSLU2 or WRT54G and installing some open source build like m0n0wall or the equivalent are dead on. These devices are smaller, less expensive, quieter, and use less power than anything you are going to build yourself. For some reason, I thought the original poster was trying to build something powerful/enterprise grade based on the mention of "new" PC and needing two NIC. After rereading his post, it doesn't look like it . . .

[SinnerP]

Hi,

Thank you to everybody for the answers. I'm reading them and researching on the options you all explain.

For the record, this will be a home-office firewall, with port redirections, and all the nice stuff that PF allows.

Those off-the shelf systems with built-in firewalls... I;m sorry, but I don't trust them. Too many exploits on BugTraq, too many default settings that elave them open to anayone, and when the maker decides not to provide any further upgrade you must buy another one. As I have the knowledge, BSD/Linux is the way: configurable, upgradeable and doesn't require me to buy a new firewall every year.

About "New" vs "Used PC". Well, I used before a K-6-II, until the PSU died. And it was big and a noisy fellow I had before a P-II-450 fanless CPU But then, it was a huge box and I have limited space

Now, I was thinking in the lines of something more in the line of a PC. But now, you are recomemnding this?

LINKSYS WRT54G IEEE 802.3/3u, IEEE 802.11b/g Wireless-G Broadband Router
http://www.newegg.com/Product/Product.a ... 6833124010

For what Wikipedia says, the latest WRT54G are not Linux-friendly, having to hack both hardware and firmware. Not good

Then, the SLUG. Well, It has only one NIC, and the second one would have to be USB-2-Ethernet. And I distrust USB for something that has tu run 24x7.

This is why I look into a PC-like system.

I've been told as well that underclocked Sempron (without fan) works pretty well. I can only find 1 MoBo, and it's pricey!
http://www.newegg.com/Product/Product.a ... 6813170012 $299.99

The AMD Geode, unfortunately, has been discontinued
http://www.pcengines.ch/wrap.htm
But then, there is still one existing MoBo+CPU combo, although it comes with a fan :/
http://www.newegg.com/Product/Product.a ... 6813153052

VIA C3 looks kind of adted as a platform. On the other side, it has a fanless motherboard+cpu combo with no hacking at all:
http://www.newegg.com/Product/Product.a ... 6813181025 $109.99

VIA C7 looks better (SATA, modern RAM, FireWire), although it's more expensive.
http://www.newegg.com/Product/Product.a ... 6813153050 $154.99

And for mini-ITX, this one looks good:
http://www.newegg.com/Product/Product.a ... 6811165041 $89.99


What is your take on the aforementioned elements?


Salut,
Sinner

[jessekopelman]

Then, the SLUG. Well, It has only one NIC, and the second one would have to be USB-2-Ethernet. And I distrust USB for something that has tu run 24x7.

Well, use that one Ethernet port and plug it into a $20 4-port switch. Add the proper network configuration so that all traffic passes through the Slug, and you are all set.

For the kind of money you are going to spend building your on box ($200-$300) you can get a serious standalone firewall appliance. Newegg has this fairly serious piece for $230: http://www.newegg.com/Product/Product.a ... 6833339001.

If you are just looking for the fun of DIY: go with the fanless C3 board and mini-ITX case you found on Newegg. If you go with some sort of PXE boot scenario, you are saved the noise and cost of a HD. Another silent option would be to use this and a CF card (I know for m0n0wall a 64MB card would be sufficient). A third option would be to add a CD drive and boot from that -- only noisy those rare times you have to reboot. All that leaves is RAM and a second NIC. It seems to me that the whole package will set you back between $250 and $300, depending on boot method.

[IsaacKuo]

I'll bet you anything that that Geode motherboard will run just fine with the fan removed. That's a substantial CPU heatsink, and the Geode is a rather low power processor.

Still, why bother when that fanless Via C3 motherboard is less expensive? I second the recommendation for that one.

I can't agree with the PXE boot idea, though--to me it feels wrong for the firewall/router to depend upon first booting up a file server before it can boot up. In the meantime, that server has no internet connection...it feels ugly to me.

[nzimmers]

here's a good suggestion: MSI Axis 945GM barebone computer:

http://www.newegg.com/Product/Product.a ... 6856167011

for about $220, you get a
-Mini-itx MB with dual gigabit lan onboard
-integrated graphics
-case
-powersupply

all in a relatively small thin case. all you need is a CPU and some ram (buy a intel core solo (yonah) 1.5ghz will be plenty powerful and you can get them on ebay for $30-$60

I think this would make a great firewall

[jessekopelman]

here's a good suggestion: MSI Axis 945GM barebone computer:

http://www.newegg.com/Product/Product.a ... 6856167011

for about $220, you get a
-Mini-itx MB with dual gigabit lan onboard
-integrated graphics
-case
-powersupply

all in a relatively small thin case. all you need is a CPU and some ram (buy a intel core solo (yonah) 1.5ghz will be plenty powerful and you can get them on ebay for $30-$60

I think this would make a great firewall

There is a version of this called the Axis Lite that Newegg also carries that comes with a Via C7 CPU and only costs ~ $180. The problem in both instances is that the setup is not silent. The biggest source on noise is the hard to replace PSU. The mini-ITX case with external PSU and fanless mini-ITX C3 board I referenced earlier is silent. The much less powerful CPU is not going to be an issue for something that is only a firewall.

[jessekopelman]

I can't agree with the PXE boot idea, though--to me it feels wrong for the firewall/router to depend upon first booting up a file server before it can boot up. In the meantime, that server has no internet connection...it feels ugly to me.

Yes, but how often will this get rebooted? Once a year? Probably not even that often. Anyway, I provided other silent options like the CF-adapter or boot from CD (which is silent once you are done booting). I was just throwing PXE out there as a way to save $30 over the CF. CD drives must be practically free, but that is going to be a slower boot. An old HD would be silent enough, if it were set to go to sleep right after booting up, too. Really, it seems like we have an embarrassment of riches here. Sinner has no excuse for not getting this thing silent

[pelago]

why not just buy an off the shelf 4-port Ethernet switch? They all come with a built in firewall, are tiny, silent, and cost like $20.

What switch comes with a built-in firewall?

[sjoukew]

If I were you, I should go for a dedicated router. They cost almost nothing, almost do not use any power, compared to the PC-router builds, is tiny, fits everywhere and does everything you want, and has often a router built in for free as well.
But I should stay away from the linksys wrt54g. I had the V5 version. It couldn't maintain a wireless connection for 2 minutes with an intel wireless laptop about 1 meter, it couldn't port forward from the local network to it's external IP and back in, a basic operation. It did crash me every 2 hours and needed a hard reset , it was a horrible thing, never linksys for me again.
And if you buy a linux pc, it does cost more to buy, and it eats more electricity, so you have to pay therefore as well, and it is bigger, and you have to pay to get it silent.

[pipperoni]

If you're not afraid of Linux/BSD, the Soekris boards are always cute. Kind of like computer programability inside an ethernet switch sized box. Biggest downside is probably the price, espcially when you consider an off the shelf router with firewall (which offers less flexibility, but basically everything you've asked) would probably cost 1/5 of a Soekris board and case.

[SinnerP]

Hi jessekopelman, thank you for answering

For the kind of money you are going to spend building your on box ($200-$300) you can get a serious standalone firewall appliance. Newegg has this fairly serious piece for $230: http://www.newegg.com/Product/Product.a ... 6833339001.

Well, I don't trust those firewalls. And they are not fun to build

If you are just looking for the fun of DIY: go with the fanless C3 board and mini-ITX case you found on Newegg. If you go with some sort of PXE boot scenario, you are saved the noise and cost of a HD. Another silent option would be to use this and a CF card (I know for m0n0wall a 64MB card would be sufficient).

Yup, C3 sounds like a winer

That CF adapter is a very nice finding; didn't thought about it. Thank you!

Still, why bother when that fanless Via C3 motherboard is less expensive? I second the recommendation for that one.

True that.

here's a good suggestion: MSI Axis 945GM barebone computer

I have to agree with jessekopelman, does not sound that silent: cpu fan, psu fan. And I don't think I need all that power.

Thank you for the suggestion, though. If I need a small form factor PC that one looks pretty good

If I were you, I should go for a dedicated router.

I don't trust them, not so flexible, and no fun at all as a DIY project.

But I should stay away from the linksys wrt54g.

OK

And if you buy a linux pc, it does cost more to buy, and it eats more electricity, so you have to pay therefore as well, and it is bigger, and you have to pay to get it silent.

The prices are not that high, small PSUs don't eat that much power and are fun to build.

If you're not afraid of Linux/BSD, the Soekris boards are always cute.(...) Biggest downside is probably the price (...).

They are nice but pricey :/


Thank you all.

Salut,
Sinner

[jessekopelman]

What switch comes with a built-in firewall?

More like which one doesn't? Mind you, I'm talking about the stuff you buy at the consumer electronics store, not an enterprise grade switch. You know, Linksys, Netgear, D-Link, Belkin, Apple, and so on. I've yet to see one of these that does not come with both a DHCP server and a firewall.

[psiu]

Also, the retail wireless routers often can't handle heavy sustained loads. That's why I ended up with my BrazilFW router/firewall. Port-forwarding is a heavy load on them as well, and they like to overheat and reboot or drop connections after awhile.

Even in AP mode my Motorola (which is mostly a rebadged Linksys) will start running into trouble if I start streaming and heavy transferring. I really need to jam a 120mm fan on top of it

I would definitely go with the cheapest setup possible for this--it will be plenty of cpu horsepower for the application. Reuse anything possible, and shove it under/behind/in something.

[pelago]

What switch comes with a built-in firewall?

More like which one doesn't? Mind you, I'm talking about the stuff you buy at the consumer electronics store, not an enterprise grade switch. You know, Linksys, Netgear, D-Link, Belkin, Apple, and so on. I've yet to see one of these that does not come with both a DHCP server and a firewall.

Oh ok, I would describe those as routers, not switches. Any consumer-level box labelled as a 'switch' would not have a firewall, I'm sure.

[jessekopelman]

Oh ok, I would describe those as routers, not switches. Any consumer-level box labelled as a 'switch' would not have a firewall, I'm sure.

I know what you mean, but I don't understand why these things are called routers as they have little (if any) ability to do actual routing. What they certainly have is an Ethernet switch (sometimes Gigabit, these days), so that is what I call them. I picked up this habit from dealing with enterprise-grade IT, where routers (which are real routers) are far more expensive than switches and asking for a router when you only need a switch is a huge waste of money.

[loimlo]

VIA C3 looks kind of adted as a platform. On the other side, it has a fanless motherboard+cpu combo with no hacking at all:
http://www.newegg.com/Product/Product.a ... 6813181025 $109.99

I got a used one at a very attractive price(probably 15 USD). As for performance, VIA C3 533 was hopelessly slow. But stability is decent, my machine is always on with P2P usage, and I never have had a lock-up.

Get a additional PCI ethernet card, it'll cope with firewall very well.

[Beyonder]

Hi!

I'd like to get a new PC to act as a firewall. The current one is too loud for the missus, and probably eats too much power.

The desired specs:

* quiet!
* dual network (ethernet)
* low power!
* capable of running 24x7

No need for big CPU, lots of RAM, audio, etc, as it will run Linux, headless. I like to assemble my computers (done that since my 486), although I'm not opposed to a prebuilt system, if it exists.

A PC is a waste of money and electricity. Your best bet is a Linksys WRT54G router running DD-WRT firmware, or some other compatible router. There are actually a lot of different routers that can run this firmware.

They are totally silent, have multiple ethernet jacks, and my WRT54G (V4) consumes 3-5W. (measured by my kill-o-watt)

They're also running linux, so you can SSL or telnet into them and use all of the typical linux networking commands for custom configuration. They are also less than $50. My WRT54G combined with DD-WRT is by far the best router/firewall I have ever owned. Out of the box, it's going to blow the doors of anything you manage to piece together yourself.

[woodsman]

I am using a Linksys WRT54GL router flashed with DD-WRT, which is an open GNU/Linux derivative. The device is small; energy efficient; is accessible through a web browser, telnet, or SSH; comes with a 4-port switch, and wireless. Seems to work just fine. The code is open, therefore there is no need worry about vendor nonsense or lock-in.

Comparatively, a dedicated PC is an energy hog, but excels over an off-the-shelf router/firewall when traffic exceeds basic home usage or users want to add a caching proxy like Squid, which needs a hard drive.

[quielb]

Try http://www.soekris.com/

It's basically a 486. It can run may versions of linux or pre-built firewall distros like IP Cop

Never mind. Missed the reference to Soekris earlier in the thread. But you can find Soekris boards on E-Bay for pretty cheap.

[nzimmers]

the DD-wrt firmware even runs in a virtual machine, that's how I have mine setup.

works like a charm

[woodsman]

the DD-wrt firmware even runs in a virtual machine, that's how I have mine setup.

Fascinating! Would you please provide some details or links?

[tarvoke]

as was kindly mentioned, there's the WRAP which has been discontinued (my company built and sold tiny boxes based on those as a side bet)

but now pcengines are coming out with a new appliance ALIX which is in both a mini-itx form factor and also smaller like the original WRAP.

many many other options here, you could get a nortel contivity 100 off ebay (we got 3 brand new sealed in box for $22 each incl shipping lol) and plug in more memory better cpu and atheros pci card to bring it up to spec. or ditto ebay a wyse 9450xe and do similar. or nokia ip1xx.

basically you want to look for embedded-yet-intel type hardware, that could run m0n0wall and/or pfSense, and that has the capacity for extra network/wireless cards minipci or usb or otherwise.

[tarvoke]

hm newegg used to have the classic indefatigable asus terminator c3 barebones for around 80 bucks. (I have one from back in the days newegg used to throw in the cd drive, even) but I don't see it in their inventory anymore (which is weird 'cos I saw it last week)

terminator/c3 is modern enough and decent space for expansion, if largish for the purpose. even has q-fan in the bios makes it damnably quiet. mine graduated from firewall duty to FreeNAS these days.

but grab yourself a pcengines mini-itx or intel little valley, and istarusa barebones (newegg oos atm bleh) and have at it.

to reiterate: pfSense is truly awesome, we run it on an old ibm p3 1U but it will kick ass on any k6 or via c3/c7 or what have you. just remember in terms of *bsd/lunix wireless, atheros and ralink are your friend.