Making sense of the various routing / firewall solutions that are available

I am currently running dd-wrt at home. Dd-wrt works pretty well, but I recently started to do some digging to see what other routing / firewall solutions existed. There are a bunch of routing / firewall gateway solutions available, and each one provides a unique experience. Some run on Linux, some on OpenBSD, and others on Linux. Most of the solutions have a GUI of some sorts to assist with configuring the device, but one or two require you to use the good old CLI. A number of solutions provide pretty visuals to review traffic and connectivity information, while others require you do use character-based tools to see what is up with your router. Of the various solutions I’ve look at, the following ones stood out:

IPcop – Linux firewall distribution with a web-based GUI.

pfsense – Customized FreeBSD distribution tailored for firewall / routing use.

Tomato – Replacement routing / firewalling firmware for Linsys and Buffalo routers.

dd-wrt – Replacement routing / firewalling firmware for various routers.

m0n0wall – Embedded firewall package for FreeBSD.

There are additional solutions out there, and I suspect the decision on which one to use really comes down to how customizable you need it to be and more importantly how much time do you want to devote to installing and maintaining it. There are also questions like do you want to dedicate a PC to routing and firewalling your networks? Will a cheap $50 router from Fry’s be able to handle your traffic? Maybe you want to fine tune everything about your firewall so rolling your own installation with OpenBSD or Linux is the only solution. I’ve been extremely content with dd-wrt, and about the only thing I could see myself doing is upgrading to a newer router that has a faster CPU, more memory and 802.11N. What routing / firewalling solution do you use? Any other quality firewall / routing gateways you would add to this list?

13 thoughts on “Making sense of the various routing / firewall solutions that are available”

  1. I personally use an old SunBlade 100 with 2 intel (fxp) cards running OpenBSD 4.8. Works pretty well for my needs.

  2. I use pfSense as a router on an Atom box, with a dual-port Intel NIC. It can handle 100 megabits of real internet traffic quite nicely, and power consumption is only around 20 watts. Wireless is done on a WNDR3700 running DD-WRT, but it’s not doing any routing; everything’s on the same subnet.

    Atom hardware is cheap (I got the board, disk-on-module, and power supply on sale for $150), and only a little more expensive than a router-in-a-box to run: 20W instead of 8 is only a few bucks a year. The flexibility and reliability I gain from having a full OS available is well worth it.

  3. @John — I used to use an Ultra5+OpenBSD before I switched over to a Linksys + dd-wrt. That combination worked great!

    @Will — Did you build your atom-based machine from scratch or buy a bare bones set up and add the parts?

  4. How about running something like Untangle on a fit-pc?

    I am currently running centOS 5 on fit-pc and it serves as my DHCP, Dynmic DNS, internal wiki, log server, ldap etc.

    For router/firewall I am running tomato on Linksys, but I feel like the hardware is under powered and the tomato firmware leaves much to be desired for.

    I recently acquired a nicely equipped Dell Dimension for free and currently playing around with Untangle.


  5. I’m using pfsense on Alix based systems or some atom based motherboard systems. It works well on most anything that freebsd will run on.

    I prefer it to dd-wrt as it was easier to setup, upgrade, manage and has more functionality. The new 2.0 version which is close to being release has some nice upgrades – the multi-wan stuff is quite good.

  6. Been using Solaris with IPFilter on various SPARC hardware for years. Runs great.

    There are just two config files, /etc/(opt)/ipf.conf and /etc/(opt)/ipnat.conf, depending on the Solaris release and IPFilter version (free versus bundled), and they can be easily packaged into SVR4 packages, making installation unbreakable and consistently repeatable, for example via JumpStart(TM).

    Both files are plain text ASCII files, and the syntax is easy to learn.

    IPFilter has been good to us for the past 15+ years. Would definitely recommend.

  7. openvpn support will not be enhanced in the future. they try to steer the user base towards SSTP (openvpn seems to be difficult to implement).

  8. I went with the Buffalo High Power Nfinity router. I wanted wireless, speed and GigE. Putting that together in a low-power solution would have been fairly pricey. The Buffalo system was less than $100 and you also had the option of running DD-WRT – which it ships with now. Price, speed, power consumption – I couldn’t beat it.

  9. @archer — nanonbsd looks pretty solid. Do you know if it runs on the soekris line of hardware? I’m going to play around with it over the Xmas break! Thanks for the link.

  10. I have just setup an Astaro Security Gateway,, using it for home use is supported and free, you can use an old PC box or prebuilt vmware appliance. I downloaded the software iso set it up then went to confirmed it was for home use, then simply download and install the never expire license file. Every you see on the web site is in the home version, its not a cutdown version.

Leave a Reply

Your email address will not be published. Required fields are marked *