hi

I plan to build a tiny fanless system to use as a home gateway/firewall/webserver

as a background I have used NSLU2/debians at home however 32MB RAM and 266Mhz CPU is useless for decent webserving

I was looking for a mini-itx or smaller system which has at least 3 gBe ports (overall) and a mini-PCI-E slot, where I can attach a Atheros-802.11n card later...

Also I am a Athlon+ fan, so that is preferable... but not nessessary.

There is no need of any graphics, audio, a serial port would be enough in absence of graphics, USB is a plus. (industrial/embeded type)

>1Ghz CPU and >1GB memory if possible with a 2.5" SATA/IDE HDD

also lowest cost/comparable to say the systems on AVS Forum HD-HTPC
(cannot post link yet)


Ghat

I think it would be far easier to just have one GbE port and use a separate GbE switch (of however many ports you want).


Overkill for the application, as a 500MHz Geode with 256MB would do you fine, but you can't get those with GbE (AFAIK). Since GbE is a requirement you will probably end up with a (semi-)modern processor whether you want it or not. I'd probably be looking at Via C5/C7 boards as they should have the lowest power consumption and are available fanless. Unfortunately, they are severely overpriced. Another option would be an Atom board with the 945GSE chipset (not 945GC chipset, as that is an energy hog). Sadly, they are equally overpriced. If having a super-small case weren't a concern, going with an undervolted Sempron on an AM2 board would get you similar power consumption at a much better price and could be fanless with a big enough heatsink.

Good quality switches cost a small fortune, whereas most NICs are fairly capable when used with a suitable OS.

gbe0=> WAN/uplink port -> home dsl/cable modem/fiber
gbe1=> secure LAN/gateway port
gbe2=> DMZ open LAN OR other uses

pci-e=>WLAN=>AP

usb=> Future WimaX etc...

will probably use
webmin+shorewall and apache+php with SSL

The box should work without any standards issues for 5-10 years...

Ghat

One thing no one mentioned is the security issue of both your firewall/gateway running on the same machine as your webserver.

Keep the 266 machine for firewall/gateway, and then just look into a machine to act as webserver. Also another vote for a separate Gb switch.

I can install dd-wrt/openwrt on a linksys/asus router and get away with it...
and then host the webserver on another server... hey but I am just a little bit more eager home user with some linux hobbies... I really dont want to host a number of servers in my home (I already have a big desktop, a HTPC and another machine for webserving is no good idea... also I dont want outside traffic entering inside my LAN.

basically so I am just looking for a router with bigger CPU, RAM and HDD. My webserving needs are not that great, the 266/32 machine does dumb when you run a perl-cgi or php... I just want a barebones mini-itx system with insignificant graphics, but oversignificant networking... nX gBE+WiFi

You don't need a managed switch. You just need something capable of wire-speed switching at GbE speeds. For 4-port, you are talking $50 or less. No way a 4-port NIC is cheaper than that. The idea here is that you attach the PC to the WAN port of the switch -- this basically turns it into an external NIC. The PC is still the router/firewall/whatever, the switch is just handling switching, nothing else.

No reason you can't do this configuration with an external switch. Hook the PC up to the WAN port and the switch basically becomes an external NIC. I think you could do exactly this configuration with most unmanaged switches, but worst case scenario is you might have to do some routing rather than keeping everything Level 2, but isn't that the whole point of running capable routing software rather than just using some box?

Actually.. I do. I don't know about the OP, but I do.



I get the feeling he intends to have two switches (or one switch, managed, with two VLANs).

I think you are misunderstanding what I mean by Managed Switch. When I use that term I am talking about something that is highly customizable, with perhaps even some, Level 3 features, and no need for any outside software for management. What I was proposing was to substitute a "dumb" switch for a NIC. The only purpose of this switch is to get switching between multiple ports -- everything else is handled by software on the attached PC. The switch does not need to be managed because everything it does, beyond port switching, will be controlled by the PC. In effect, it will be a managed switch, just not a Managed Switch. This does not preclude using other switches (managed or not) further down the chain. Again, I am merely talking about substituting a switch for a NIC in order to satisfy limitations of the mini-ITX formfactor and the OP's specific functionality requirements.

As for VLAN, I don't see why that is precluded by my proposed setup. All that stuff can be handled in software inside the PC. Again, just view the switch as an external NIC. From a hardware point of view the only difference I can think of between a switch and a NIC is that in one you communicate with the controller through an Ethernet interface and in the other through a PCI. Even if for some reason you can't quite do the VLAN setup you'd like, you still have the option of routing instead. For large networks this is undesirable because of the complexity of the tables, but we are just talking a home network. Routing might actually be the preferred way to go here, as it is far easier to track what is going on for trouble shooting -- but I am not an expert.

Unfortunately an unmanaged switch with a machine on one end is not a substitute for a managed switch with STP support on a complex network.

And I don't quite see how substituting an NIC for a switch will work when you need the NIC to connect to the switch.

Maybe. What managed switch functionality could not be duplicated on the host PC, though? Anyway, the key word here is complex. The OP was talking about a home network.


The OP will have a single port of Ethernet built-in to whatever motherboard he chooses. The issue is that he wants more than one port of Ethernet under the machine's control. One way to get this is to buy a MB with multiple ports. Another is to add a NIC (Network Interface Card). The big problem here is that the OP is concerned with cost and size. Having multiple Ethernet ports on the MB effects cost. Using a PCI card effects size. What I'm suggesting is that, since a NIC is just a dumb switch on a PCI card, a 3rd alternative would be to use an external switch connected to the single Ethernet port that comes with his MB. This way he saves money on the MB (more than the cost of a 4-port switch) and maintains the flexibility to use a case that is too small to accommodate a PCI card.

well, in this case, why is a third NIC (DMZ/other uses) a requirement? does not make much sense.
as far as I understand, you're looking for three different things: a kind of a gateway appliance, a webserver open for requests from WAN, and a fileserver serving the LAN.
I would not mix those all up on a single host. Your gateway is the most potentially exposed host on your network, so you _really_ don't want your data (filserver services) on this host. if your webserver is open to requests from the internet, then I would not consider putting it on the same host. even better -- keep it in a separated network, and do your ip filtering between this network and LAN wisely. this is, basically, what DMZ is good for in such a setup.
you could also consider running gateway services off one host, fileserver services off another one, and maybe running the webserver services off a virtual host running on the same physical host as your fileserver services. this would potentially give you some more control about what's happening than mixing it all up on the same host, but also would raise the hardware requirements a bit.
if the webserver services don't have to be open to the public, but instead only to you or to some controllable amount of clients 'outside', you could consider using some kind of a VPN setup, possibly even serving the web-stuff off your fileserver.
by the way, what kind of web services are you going to run?
another point to consider are the quite different requirements for those services -- it won't be easy to combine them all in one piece of hardware while keeping the price low.
Also, _do_ avoid the mentioned VIA EPIA SN10000EG board. it's heavily overpriced, has a crappy GbE NIC (RX locks up after some time if you'd increase MTU above 1500, at least with the via_velocity driver in a bunch of different kernels in the 2.6.27-2.6.30 range), SATA controller has mediocre performance and a severe bug in it's AHCI implementation, rendering _theoretically_ possible NCQ useless. the single nice feature to consider is crypto-acceleration stuff buit into the CPU, which may come in handy if you are running high-throughput VPN connections.

Uh, STP for starters.. And my network is a home network. Home != simple.



You can get ITX boards with more than one ethernet port. Trying to use a single port and a switch for the sort of setup he wants is not going to work. You need one port for WAN, and one for LAN. In his case he wants two seperate LANs, so he needs three ports.

Hey buddy, thanks for that info, I do see that most >1NIC mini itx''s are expensive....

Also, looking at the comments above, Home_Network => Home_Network_of_a_Linux_Enthusiast

I understand the above confusion, as there are very few boards available which can do such stuff, but my hope is there would be some industrial boards which I may not be aware of, but generally industrial => low volume => high price...

I guess I can do with 2 GBe interfaces for now, and can decide/forget about the third later...

How does this look...
http://www.google.com/products?hl=en&q= ... a=N&tab=wf

I wish the price is close to 100 though...I really dont need the 690G graphics...

Perhaps something like this would be more suitable: https://www.soekris.com/shop/product_in ... ucts_id=85

Unless you're one of the lucky few (I hate you if you are.) to have >100mbit fibre, you won't need gigabit.

If you like OpenWRT, Ubiquiti routerstation pro is just for you!

But for a small number of machines, why is VLAN superior to just using routing? You seem to value a particular implementation more so than actually achieving the desired functionality.


Why won't it work? He will have at least 3 ports available on the external switch. How are ports on a slaved switch different from ports on a motherboard or multiport NIC? The only difference I see is that in one case you are communicating over PCI and in the other over Ethernet. Again, you may have to do some control in Level 3 instead of Level 2, but I don't see how you are losing any actual functionality.

My desired functionality for the setup he suggested is physical isolation of networks.



Just how do you suggest you use a DHCP or PPPoE internet connection on a dumb switch shared with the rest of your network?

You can make jokes about this, but there is a real difference between a home network, no matter how complicated, and a serious enterprise network. Do you have > 10 users on your network? Do you have devices spread over multiple facilities miles apart? If not you have what is essentially a home network. This doesn't mean you shouldn't want the functionality you want. What it means is that you don't need to apply the same solution that someone serving hundreds of people across multiple facilities would. I think there is a simple choice here: be practical and go with the most cost effective route to get the desired functionality or have fun and do what you want to do -- cost and practicality be damned. Just don't claim you want to be practical and then cry if someone suggests something that meets your functionality but doesn't fit your vision of how you want to do things [not addressed to you specifically ghatothkach].

How does your solution physically isolate the networks? Isn't everything still going into one port or another on the PC he has setup as his router/firewall/server? I'm just suggesting putting these ports in an external box rather than the main chassis.


The PC setup as router/firewall/server connects to the Uplink port on the switch. The actual WAN connection as well as all the LAN connections use the normal LAN ports. All traffic goes through the router. The switch is just going to be used as an Ethernet Bridge. Set the switch to bridge mode and disable DHCP hosting and any other Level 3 functions in the switch, that will all be done by the router. The router will take the external IP assignment from your ISP and act as gateway. If your ISP uses PPPoE you will just need PPPoE Server software on your router -- pfSense includes this. Again, all traffic goes through the router. You will use routing to decide if a given IP address is allowed to access any other IP address, be it on LAN or off. Everything gets an IP address. Each port on the switch gets an IP address. You can still use DHCP, but you will have rules and specific ranges to use for different classes of user. This would be a problem in an environment where thousands of such assignments would have to be made, but it is not such an environment (thus my point about home networking). Level 2 techniques like MAC filtering should also still be possible, if you have a need.

[Edit -- I had been writing WAN port when I meant uplink port. Also, for some reason, the term Ethernet Bridge, which is what I was describing, had completely slipped my mind. Maybe after making these changes it is more clear what I am talking about.]

... Show me a common, consumer switch which can do any of that.

What switch can't? I've never had one that can't be put into bridge mode and DHCP server turned off. All the Level 3 stuff I described is done in your router (PC running software).

Jetway NC92-230-LF
http://www.logicsupply.com/products/nc92_230_lf
with a multi-NIC expansion card:
http://www.logicsupply.com/categories/m ... on_modules
and a PCI wireless card.

It's a 945GC, which uses more power that you'd like, but would be ok with a fan swap or better heat sink.

... *holds up every non-managed switch he's ever touched*

And what does a switch have to do with a DHCP server?

BS. Bridge mode is the the basic operating mode for a switch. If you have a device that cannot be put into this mode it is because it is already in bridge mode and that is the only mode it is capable of.

From Wikipedia: "In Ethernet networks, the term "bridge" formally means a device that behaves according to the IEEE 802.1D standard—this is most often referred to as a network switch in marketing literature." [emphasis mine]


I'm saying if you want to use one of the those ubiquitous home routers you will have to turn off the DHCP server. Maybe these are the only things that will have an actual setting to put them into bridge mode . . .

I'd really like to see a working setup as you've just described. One which doesn't take hours of fiddling to make two DHCP servers (WAN and LAN) co-exist on the same dumb switch.

Meanwhile, I'll go back to using two NICs..

hi

Monkeh16, Thanks for debating the topic with jessekopelman...

jessekopelman:
Can you please post links to some of the switches which can do what you are saying you can do.

xcuse me, but I am on Monkeh's side

I need to run 3 networks on the 3 different ports I am looking at
eg port 1=> 10.10.10.0/24
port2 => 192.168.10.0/24
port3=> DHCP client on ISP network

I dont see how I can do this using a single port ethernet on a linux computer and a consumer network switch... Next I will have to configure shorewall (www.shorewall.net) if you read through some of the documentation, I need to configure 3 interfaces with the software and setup the configuration. I am unable to understand how I will see the 3 or 4 interfaces on the consumer switch visible on the linux computer... which has only one interface...

Note that I am a linux enthusiast, so I am not having typical home network, but I am neither running a big corporate network at home...


Thanks for the link... I will look into it.. the price is right so is the CPU speed, not yet sure if I can install a HDD on to the board... but I guess will work through the USB... Also I will have to host my www server elsewhere as this is a perfect router board, but many not be powerful enough for a webserver, but definitely better than the NSLU2



I guess the following 2 could work....

http://www.logicsupply.com/products/nf76_n1gl_lf
http://www.logicsupply.com/products/ad3rtlang

But its EXPENSIVE....




Ghat

Could check out BrazilFW, it might do what you need. I use it as my firewall/gateway/router. On whatever old hardware you have laying around too.

OK so here is what I want to do in my "home network"
1. I have a Home Theater PC (XBMC on linux) which I use to watch
movies.
2. I have a desktop in my home-office, which is ubuntu jaunty, and I use this to work and also run a bittorent client, and as a mythtv-backend server. The machine also serves all my movies and media over my home network and also serves as a backup serve for all the laptops I have at home.
3. I personally have 2 laptops for myself, and my wife has one, and I have one from my office, we use all 4 laptopsn depending on the use...
4. I have a NSLU2 running one-wire network which monitors temperature
and humidity in my home (just for fun) and also I have written some software which actively grabs data from www.noaa.gov and tells how much rain has been falling on my plot so I have some guage as to whether I should water my lawn or not..
5. I have another NSLU which I am probably going to mod as a baby monitor webcam but I have not go to it yet...

plus, I want to host a website in the near future, I dont want to buy a hsting service and none of the the free hosting providers give me enough access to do what I want on thier shared-hosting server. My new website may be potentially hosting a cydia/iphne repo and also may be a andriod apps. not sure... .. so all in all thats how my "home network looks"

Ghat